Dominant discourse.

18 August 2013

Since the NSA revelations began coming a couple of times a week for the past month, an all too common set of dialogues has been cropping up again and again and again in practically every forum that one would care to visit. While the discussion itself isn't perfectly replicated, the overall pattern is. It goes something like this:


  • Brief description of vulnerability. Mitigating tactic.
  • Mention of a vulnerability elsewhere in the user's system.
  • Description of a slightly more esoteric vulnerability.
  • Use another system.
  • Encrypt everything.
  • Quantum computer.
  • Use Tor.
  • Tor can't protect against country-level surveillance.
  • NSA backdoor.
  • The NSA has thousands of 0-day exploits stockpiled for everything from my Commodore-64 to Cray Unicos.
  • Mention of a highly esoteric hardware level attack.
  • Malware used to surreptitiously dump contents of RAM, including crypto keys.
  • Evil Maid Attack.
  • Mention of a backdoored software development chain compromising the software as it's compiled.
  • See? I told you! NSA backdoor!
  • Open source software is safer.
  • CryptoCat vulnerability that received stupid amounts of press coverage.
  • Mention of circuitry backdoored at the factory.
  • Link to unclassified US military research paper about backdoored circuitry discovered in the field.
  • We're all screwed.
  • User never posts again, presumably because they've given up on the Internet.

The implicit assumption here is that every single user on the Net is being overseen by a nigh-omniscient government agency that, at the drop of a hat, will crack your computer and go rifling through everything you've ever written, posted, sent, or thought to look for a reason to throw a black bag over your head and drag you to Guantanamo Bay. There is no way to prove or disprove such an assertion, just as there is no way to prove or disprove that a particular server hasn't been compromised. There is a further assumption that everybody online - you, me, your friendly neighborhood sysadmin, the folks who run your ISP, and everybody else out there - is presumed to be potentially dangerous, which is why we're all under surveillance. I can't refute that assertion, either, because there is a wealth of evidence that suggests that this is, in fact, the case. When you have a state apparatus trying to fight a fourth generation war but the very nature of the world we live in now operates in a fifth generation mode by default, the only real strategy that has any hope of succeeding is to treat everybody as a potential enemy combatant.

In all of these discussions, very few people (if any) openly talk about risk management, or the process of figuring out what risks you're taking with a given hardware and software configuration, which are high, medium, or low priority, which are irrelevant, and figuring out what to do about it. Any vulnerability that we know of is assumed to be actively and aggressively exploited by agencies unknown (read: intelligence agencies) for the purpose of information collection. Any shred of basic common sense (such as installing updates when they're made available) never even blows past the discussion, and if it does nobody seems to notice (they certainly don't respond if they see it).

News flash, denizens of the Internet: Nothing is perfect. Nothing. People seem to want to eliminate any and all risk entirely, i.e., they want perfect safety and security. There is no such thing, nor will there ever be such a thing. None of the existing models, from time-based security to language-theoretic security to game theory, say anything about eliminating the possibility of being pwned. Risks and dangers can be analyzed, mitigated, and planned for, but you can never catch all of the edge and corner cases.

Another implicit assumption made in this body of discourse seems to be that all of everybody's encrypted comms are being decrypted and read for content, when in fact this is only half true. For all intents and purposes, all of our comms are, in fact, being intercepted but there is no evidence at all that they are being successfully decrypted. In fact, a good case has been made for discarding a large double-digit percentage of the traffic because it's simply not useful. To an intel agency, who's running a torrent of the latest Hollywood blockbuster or is downloading porn isn't particularly useful. Realtime communications - two-way, three-way, more-way voice, video, and text chat - are where people are interacting with one another and making plans. That is, unless we start seeing orders to deep cover operatives to start blowing up airplanes or releasing biochemical weapons on public mass transit lines spoken by the actors in porn clips, in which case rule 34 will be proven to be a fundamental law of the universe. But I digress.

Additionally, a basic assumption of cryptography since Elizabethan times is that your communications are being intercepted by a silent, passive attacker. The point of encrypting traffic is to make all of those already intercepted communications as difficult as possible for the attacker to make any sense of. If you send a signal of any kind, there is a non-zero probability that someone who isn't the intended recipient will hear it. Them's the breaks. If you don't want anybody to know you're there, then you can't act or speak because you'd be leaking bits of information. It should also be pointed out that it's recently been confirmed that it's easier to dodge crypto entirely by compromising the endpoints rather than trying to break the cryptosystems themselves, so there's no guarantee that encryption will keep you safe. Several of the surveillance-oriented malware strains I've run into out there have been designed to do just this - grab content just before encryption and just after decryption.

One last thing: Sufficiently paranoid and motivated agencies don't need reasons to kidnap you and fly you to a black site to be imprisoned and tortured for years. Your surly tweets and blog posts would just be icing on the cake if they decided you were a threat. Skin color has been shown to be more than sufficient. Where you go to worship, if you worship, is a reasonable justification today. If somebody who can get away with it thinks they need to disappear you, they will do so regardless of how much information they have actually collected on you.

So, where does this leave us? What course of action shall we take?

Beats the hell out of me.

There. I said it.

The only advice I can give you is this: Use your brains, that's what you've got them for. Consider what you actually, really do: Are you writing software? Are you politically active? Are you a researcher or a scientist? Do you work in a sensitive field, like information security, aerospace engineering, or consulting? Do you do human rights volunteer or professional work? Great. For what you actually do, what is the worst that could happen if you got pwned somehow? What would happen if your notes or your pre-commit codebase were corrupted? What about your list of contacts at work? What would happen if your contact list fell into the hands of people who could commit murder and get away with it? For what industry do you write your software? Do people who could be shot at use your software? Do you say anything that could get you or the people you work with arrested? These are hard questions to answer but you have to ask them, and follow up on any other questions that come to mind.

Plan your strategy from there. Start with keeping your kit patched, move on to keeping your kit hardened, and then start thinking about how you use it all. Don't stop this process. When updates come out, install and test them. Do everything the same way each and every time, without fail. If it seems too hard to do every time, suck it up and do it anyway. If you get lazy, you'll screw up. If you screw up, you lose.

Good luck.