The question is: What can ordinary citizens do to throw sand in the gears of the surveillance state?
posted by anemone of the state at 8:34 PM on August 27, 2013 [4 favorites]

They can support the press. They can make it a prime voting issue. They can encrypt their communications. They can talk about it with friends. They can raise awareness. They can demand their rights. And they can learn about the history of surveillance, and the many many missteps security organizations have made -- it doesn't take many of those to start to figure out that these guys are not godlike rational actors with all our best interests at heart, and while there are certainly decent hard-workers, there are also dangerous paranoid kooks whose justifications, reasoning and actions are secret because they cannot survive sunlight and fresh air.
posted by JHarris at 8:51 PM on August 27, 2013 [9 favorites]

And encourage your friends to use encryption. Use Tor Browser instead of Firefox. Torchat is as easy to use as AIM. GPG4Win alongside Thunderbird (or Claws Mail) isn't much harder.
posted by anemone of the state at 9:07 PM on August 27, 2013 [5 favorites]

The intelligence community seems to be waging a frontal assault on the press.

The stakes are incredibly high. The freedom of the press is at stake.

Press institutions that defend the intelligence community (both in the US and the UK) will be rewarded. CBS is among those carrying water for the NSA.

Those that diligently report the state of global ubiquitous surveillance will be ruthlessly hounded and punished. We have seen the beginning of this.

It is time for the populace to not only carefully scrutinize the actions of its governments, but also of its press institutions.
posted by el io at 9:26 PM on August 27, 2013 [5 favorites]

Assange wrote about this technique several years ago.

It works on all conspiracies -- whether they're 'good' ones or 'bad' ones.
posted by empath at 9:27 PM on August 27, 2013 [1 favorite]

This (great) article is less about Snowden and more about the role of the press and how that is changing.

It's also chilling as hell. For the first time I had the feeling the lines of division and conflict have changed from geopolitical boundaries to purely ideological ones. For the first time (for me) the term Orwellian is coming into focus as being the appropriate one.

Also, the comments after the article are really good.
posted by From Bklyn at 11:18 PM on August 27, 2013 [1 favorite]

As to 'what we can do' I would think the most effective is to defund. The contractors are working for money, not 'love of country,' after all.
posted by From Bklyn at 11:20 PM on August 27, 2013

If you do not believe in the growing surveillance society, then you must act against it. Start with your personal actions, use strong encryption, educate yourself on the nature & practice of surveillance, speak against it, vote against it, fund against it. Only action will count.
The surveillance society works because, there is a will, an economy and compliant populace. Sounds like a three legged stool to me.
posted by Agent_X_ at 5:52 AM on August 28, 2013 [1 favorite]

Use Tor Browser instead of Firefox.

What is the relative speed of Tor Browser compared to Firefox?
posted by Going To Maine at 5:54 AM on August 28, 2013

Use Tor Browser instead of Firefox.

Look, I'm as upset about the domestic surveillance as anyone, but this is terrible advice for your average internet user. Successful use of Tor relies on assuming that everything passing from an exit node is monitored. Do you really think your average user is going to give up their Facebook and Gmail? Do you think they'll really be willing to deal with bandwidth rates from 10 years ago?

Given the widespread capture of data by the NSA, do you really think that all traffic coming out of or going into Tor is unmonitored? Research papers have shown that you can do flow analysis on inflows and outflows from the tor network to correlate users with traffic. I think it's a pretty good assumption that the NSA has some capability to do this.
posted by bfranklin at 5:55 AM on August 28, 2013 [3 favorites]

This should probably go in Ask, but I'll mention it here: is it safe to run a Tor relay node in the US? The EFF's page on this is two years old and it's hard to find any more recent info.

I do not have the cojones to run an exit node but I'd like to contribute with a relay node if I can.
posted by Aizkolari at 6:47 AM on August 28, 2013

Add one more item to your list of what ordinary citizens can do, JHarris: Spend money on well-reported news. Seriously. It takes time and a lot of hard work to do journalism right, which means it takes money. It also takes money to fight back when bureaucrats throw sand in the gears. One of the reasons journalism is hurting so much today is that nobody wants to pay for it, or pay to defend it. Not the media moguls, not the ordinary citizens. And this assault is not just about national governments targeting high-profile journalists. It's also happening in South Succotash, where City Hall has caught on to the fact that the Morning Throwaway has cut its reporting staff to the point where nobody really has time to dig for a story, or push back when a clerk decides to make some files unavailable. So much crap appears on screen or in print because it can be produced quickly and cheaply. Why pay somebody to investigate a problem when you can use the same money to put a bunch talking pundits in front of the camera, or run a feature on which place serves the best burger?

We all cheer when some media outlet shines a light into a dark place. But actually pay a few dollars for the magazine in which it appears? Eh, we'll just wait for someone to post it on Metafilter and read it for free. Then we'll complain about the fact that so few media outlets are doing good work.
posted by Longtime Listener at 6:49 AM on August 28, 2013 [4 favorites]

And honestly, the only thing that an average citizen can do to throw sand in the gears of the surveillance state is to vote in and advocate on behalf of people that will change things.

As has been said: if the adversary in your threat model is a government agency, pick a different adversary. You don't have the funds or the resources to compete with a three letter agency if they choose to monitor you, full stop.

As an experiment, let's look at what I, a person that does security engineering for a living, would do to harden my machine against the NSA:

My best solution for assurance of security at the moment is running a well partitioned Qubes OS installation out of one of several truecrypt volumes on an Aegis Secure Key. I haven't done the research to identify a product yet, but I'd also consider purchasing a hardware RNG to provide assurance on key generation for encryption operations.

For authentication, I'm currently using a Yubikey, but if I were trying to buy myself time against a government agency I'd probably shell out the extra cash for something that's FIPS 140-2 validated (and yes, I realize the irony and potential risk in using something validated to a government standard against the government).

Qubes has partitions for secure and insecure storage, anonymous (n.b., anonymous, NOT secure) browsing, amongst others. I'd have a sandbox with a bogus VM network for opening any and every file, assuming that every single thing touching my machine is malicious until proven otherwise.

Asymmetric keys would be generated using RSA rather than DSA. Key lengths are maximized. Everything would be using very long, randomly generated passphrases protected in a Keepass DB that I need the Yubikey to access.

I'd be running a default-deny egress ruleset, and I'd be running an application layer proxy firewall for every single unencrypted protocol that was allowed out. I'd also be running an IPS to intercept and block any shenanigans with encrypted protocols, such as old versions of SSH or null cipher selection over TLS.

Application hardening is also a big thing and goes way beyond what I can readily slap in a comment box. Suffice to say I'd be using things like HTTPSEverywhere and tools to block tracking cookies in browsers, and appropriate measures for other applications (like disabling Java).

In spite of all this ridiculous, I'd pretty much be screwed by any side channel attack the NSA could pull off. Hardware keystroke logger? I'm screwed, absent only working off of a trusted laptop that I always keep with me.

Computing outside a Faraday cage? Screwed. Okay, let's put one of those in the basement.

Computing without enough soundproofing so that someone can't hear my keystrokes with a directional microphone? Screwed, because now they've got my passwords. Okay, now I need a _really loud_ white noise generator whenever I compute.

What if the NSA briefly brings me in for questioning and empties my pockets? How do I know my Yubikey hasnt been replaced with a compromised one? That the hardware RNG isn't compromised? Can't exactly order a new one, since the NSA can screw with the mail.

Admittedly, all of this is assuming a threat model where the NSA is actively interested in you. It's hard for me to believe, though, that piecemeal methods of protecting yourself against casual surveillance will be sufficient against the continuously improving capabilities of the NSA.

Seriously, go vote and get other people to vote. You're going to run out of money LONG before the NSA runs out of ways to compromise whatever you're doing.
posted by bfranklin at 6:55 AM on August 28, 2013 [21 favorites]

The question is: What can ordinary citizens do to throw sand in the gears of the surveillance state?

There's a time when the operation of the machine becomes so odious, makes you so sick at heart, that you can't take part! You can't even passively take part! And you've got to put your bodies upon the gears and upon the wheels…upon the levers, upon all the apparatus, and you've got to make it stop! And you've got to indicate to the people who run it, to the people who own it, that unless you're free, the machine will be prevented from working at all!

Well, I'm on a list now.
posted by entropicamericana at 7:34 AM on August 28, 2013 [3 favorites]

No, article, they detained Miranda to find out what, exactly, Snowden had, since they haven't been able to track that very well. Of course they want to know that (and now probably do). The answer is better encryption - did you know you can encode as pictures? Or use that method they use for https. Or encode as QR codes?
posted by maiamaia at 2:02 PM on August 28, 2013

Hey, if someone wants to get cozy on that moving gear over there I'll take one of these levers...

So I'm wondering what happened with the tuesday deadline the uk gov was given by a judge to explain why it needs to go through Miranda's usb sticks, etc. Read somewhere that Tuesday wasn't the *exact* date but...
posted by whorl at 2:43 PM on August 28, 2013

What are the chances that the NSA can't break whatever encryption is available to the public?

It's very unlikely that they can. Used properly, GPG is phenomenally strong.

The point of ordinary people using TOR and strong encryption is to make it difficult for the security state to spy on everybody. The current dragnet panopticon is made possible by the fact that most of the worlds' citizens have entrusted their communications to a few companies, which have collaborated with intelligence agencies- from the root certificate authorities down. Start using real encryption and they have to spy on you the old fashioned way, which is much more expensive.
posted by anemone of the state at 5:00 PM on August 28, 2013 [1 favorite]

If it is more expensive to monitor the new chunk of people using encryption will that just make them hire more personnel and make mission creep that much worse?

While their budget is classified, Wikipedia states the NSA is "estimated to be the largest of U.S. intelligence organizations in terms of personnel and budget" which is sourced from this book whose author was given "unprecedented access" by NSA director Hayden .
posted by whorl at 5:24 PM on August 28, 2013

The question is: What can ordinary citizens do to throw sand in the gears of the surveillance state?

Nothing.
posted by NSA at 8:43 PM on August 28, 2013 [2 favorites]

>> What are the chances that the NSA can't break whatever encryption is available to the public?

> It's very unlikely that they can. Used properly, GPG is phenomenally strong.

To quote Schneier from _Applied Cryptography_:

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)

Given that k = 1.38×10-16 erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume 4.4×10-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

Now, the annual energy output of our sun is about 1.21×1041 ergs. This is enough to power about 2.7×1056 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

But that's just one star, and a measly one at that. A typical supernova releases something like 1051 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
posted by felch at 1:07 AM on August 29, 2013

felch, that's an interesting quotation, but I don't have the technical background to know whether it is bogus or not. What I do know is that the FBI was able to decrpyt the encrypted data of, for instance, Robert Hanssen, who you can bet was using good encryption, so why should I have comfort that they wouldn't be able to decrpyt an email I sent

If it's a quote from Schneier, it's probably safe to proceed under the assumption that it's correct. Schneier is pretty much the Chuck Norris of crypto.

Schneier's quote, though, assumes that the password is long and truly random (which Hanssen's probably was not), and that a brute force search is conducted, meaning that there is no efficient crypto attack against the algorithm. Note, that in crypto parlance, "efficient" means "less than brute force."

Current recommendations are to use GPG keys of 2048 bits. That said, once the eliptical curve cryptography (ECC) algorithm patents run out, expect to see a mass move to the Suite B ECC ciphers.
posted by bfranklin at 7:10 AM on August 29, 2013

Schneier assumes best practice. That your passphrase (not password) has enough bits.

You should also make the distinction: locks of any kind are not made to keep people out. They are made to make the delay of getting in impractical.

Sloppy keys are crackable, that's all you need to remember.
posted by felch at 8:58 PM on August 29, 2013 [2 favorites]

That your passphrase (not password) has enough bits.

Since we're being pedantic, passphrases are a subset of passwords that are long (as I just so happened to qualify my use of password). And the issue is that it needs to have enough bits of entropy, not enough bits.
posted by bfranklin at 6:09 AM on August 30, 2013

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

Or they could have back-doors in the OS of whoever needs to read whatever is encrypted. Or on the guy encrypting it.
posted by empath at 7:22 PM on September 5, 2013 [1 favorite]

"Maybe the real state secret is that spies aren't very good at their job and don't know much about the world" - Adam Curtis, BUGGER
posted by jeffburdges at 3:24 PM on September 8, 2013

Britain's GCHQ hacked Belgian state telecoms firm Belgacom (via)
posted by jeffburdges at 5:34 AM on September 20, 2013