Over 700 Million People Taking Steps to Avoid NSA Surveillance

There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."

The press is mostly spinning this as evidence that Snowden has not had an effect: "merely 39%," "only 39%," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users -- which is not everybody -- who have heard of him. So it's much less than 39%.)

Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world.

It's probably true that most of those people took steps that didn't make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It's probably even true that some of those people didn't take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.

Name another news story that has caused over ten percent of the world's population to change their behavior in the past year? Cory Doctorow is right: we have reached "peak indifference to surveillance." From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.

Related: a recent Pew Research Internet Project survey on Americans' perceptions of privacy, commented on by Ben Wittes.

This essay previously appeared on Lawfare.

EDITED TO ADD (12/15): Reddit thread.

EDITED TO ADD (12/16): Slashdot thread.

EDITED TO ADD (1/23): This essay has been translated into German.

Posted on December 15, 2014 at 6:07 AM • 77 Comments

Comments

zoliDecember 15, 2014 6:43 AM

I would read something about how life changed inside NSA and other TLA security services...that affects life of billions.

My bet is that life has been changed to a better direction among those ~700 million people than inside NSA and other countries' agencies, unfortunatelly.

WilsonDecember 15, 2014 6:47 AM

Sony employees seem (almost) faultless: they didn't give away info on the internet, but to their employer, even if a little of the spilled data come from personal use of the corporate mail (but the damage didn't come from the employer, so the risk was the same using any popular mail service), the big part is made of actual work mail and personal data given to the HR: they had no choice.

keinerDecember 15, 2014 7:02 AM

War is over, we have lost, as pointed out in the 1st Friday squid post

http://www.nextgov.com/cybersecurity/2014/12/congress-quietly-bolsters-nsa-spying-intelligence-bill/101076/?oref=ng-dropdown

http://www.theglobaldispatch.com/congress-passes-expansion-of-surveillance-without-a-warrant-or-oversight-52335/


And this time no one will come and save us, no "good boys" left this time. This is even worse than McCarthy and Watergate and shooting JFK and 911 together...

Democracy is a Java app running on the OS of the world. And the OS is MONEY...

Wallstreet bought them and the NSA is their new army.

Good night and goodbye...

ThothDecember 15, 2014 8:17 AM

@keiner
War is not lost. You choose how you want to communicate securely or insecurely. How we climb the ladder of power is by our own wills and circumstances. Although we are swept by the waves of events and turbulences, we can decide in some sense what we can do about it.

The OS of the World is collective thoughts of everyone, not just the rich and powerful. The rich and powerful made use of loopholes and chances while the others just whine. An advise is to those who feel that they must act is to sit down and observe the waves and directions. When it is time to commit changes, be swift and forceful like the lightning.

Congress and the agencies are a bunch of enterprising people who seek chances and dare take risks while sacrificing whatever not needed. Change have to be made to perceptions first. Perception drives motivation and motivation drives actions.

Again I would emphasize proper knowledge for the masses. Cryptography and security made simple and stupid as much as possible. There are lots of apps out there that are not engineered with care and without much planning. What can be done is a list of common mistakes which is something like this (http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/).

Next is to show how to do it properly and concisely which is what we lack. Most well designed crypto libs simply throw together a few algorithms with side channel prevention mechanisms and dump them on Github. What we need is explanations on exactly why certain steps are taken and why certain design choices are done.

Knowledge on how to draw up a secure communication protocol if the need arises according to best practices (not the best idea to create yet another protocol) and how to actually go about it with guidelines and reasons again. Replay attacks, oracle attacks, message modification and interceptions ... etc ...

Secure hardware. (Nick P, Clive Robinson, RobertT and myself) have been promoting hardware based defenses. Why certain hardware designs are helpful and what are the possible downfalls. Just need to search for our names and a lot of stuff would appear (especially Nick P).

Proper OPSEC designs for keymat handling is especially important and (Nick P, Clive Robinson and myself) have been listing methods on the posts.

The rest is how someone takes all these information and put them together to help themselves and others.

vDecember 15, 2014 8:37 AM

It's important to remind ourselves that just because mass electronic surveillance is relatively easy it doesn't make it effective.
Back in the 30's Rejewski, Rozycki and Zygalski worked on breaking Enigma codes even though their boss had a code book - the course of history would be very different had Poland taken the easy route and told them not to bother with their decoding work.
I simply don't think anybody has done a cost/benefit analysis of surveillance of every citizen to find the 1 in 250,000+ miscreants; and if they've done the analysis I don't believe they're filtering results rapidly enough to be a timely resource.
Mass surveillance is tick box intelligence - it gets big budgets and feeds incompetence - real intelligence is something else; something altogether more useful.

mikeDecember 15, 2014 8:54 AM

I have to say I don't think you're managing the numbers right, but doesn't matter. 23k users over some billion. There are some lacks.
My point is: people may have taken steps to protect their privacy or may not, maybe they don't know how to do it (as you said). But there's a little group of people who really cares, takes steps and now how to do it; and they build tools to enhance our privacy, and teach us how we should do things.
Of course people need to be more aware about their privacy and how it could be compromised, but without the knowledge it's useless. The first impact has to be in IT professionals.

AnontinaDecember 15, 2014 10:07 AM

The scary thing is how deep does the wormhole go? Recall project MKULTRA of the CIA which had descriptions of mass psychological manipulations of a public through various media. Many wonder what kind of other secrets are out there?

keinerDecember 15, 2014 10:15 AM

@Toth Thanx for your reply, but to be true: I'm not really convinced that anything is safe, as soon as it's inside a computer.

Let's have a simple example: A site-to-site openVPN tunnel employing Camellia, preshared keys. Would you consider such communication to be safe, after all we know about NSA, openSSL etc. pp.?

And with IPsec tunnel you are not better off in the end...

Where to start and were to end, in a world largely not interested in surveillance and how to get rid of it?

I wrote to all my customers (in a somewhat sensitive area unrelated to IT) about 8 (eight!) years ago, suggesting to consider that all electronic communication is unsafe after 911. I offered pgp and S/MIME encryption for eMails. Nobody even replied. 1-2 years ago some started data exchange via some sort of cloud services, mostly via companies known to be involved in heavy US-spying... OMG...

And it'S getting worse day-by-day. Some want to sell me MS-Office password encryption as the latest stuff in IT security. Some days I'm close to Parkinson's from persistent shaking my head over the latest news from all these "business pro's"---

JacobDecember 15, 2014 11:07 AM

@keiner

All is not lost, and there is a knight in a shining armour coming to save us:

U.S. Patent 8898784 - "Device for and method of computer intrusion anticipation, detection, and remediation" - with detailed methods and procedures to render malware infiltration ineffective. Straight from the horse's mouth by Gen. (Ret) Keith B. Alexander, lead inventor (!)

http://cryptome.org/2014/12/nsa-alexander-patent-14-1125.pdfhttp://cryptome.org/2014/12/nsa-alexander-patent-14-1125.pdf

P.S. I thought that Gen. Alexander was a high-level Administrator without much time or knowledge for the intricacies of transport layers and intrusion choreography.
I wonder if having his name first on the patent application is kind of an honorary placement or he actually found the time, while running the NSA, for some basic research too.

TheNewWorldIsHereDecember 15, 2014 11:11 AM

The World Will Never Be The Same Again

As best I can determine, the existing Congress & Administration, and all 3 letter spy agencies, have just declared that all citizens of the U.S are deemed worthy of be considered criminals or terrorists. Together with their recent approval of a massive spending bill that provides benefits to those in political & corporate power, along with the bill(s) that completely eradicate the concept of due process and any formerly held concepts of privacy or freedom of speech, under what used to be the Constitution, this nation as it once existed, is now undone.

This is totalitarianism at its worst; worse than communism, worse than fascism, worse than any socialist state we have known. In the past, most laws passed by Congress have made criminals out of honest citizens (they have never passed a law making honest citizens out of criminals). Now, all citizens are considered criminals worthy of massive monitoring.

Of course, the overlords are exempted. And, where is the money coming from to pay for all of this? Slave labor camps come to mind, but dressed up as low cost or no cost local labor with little pay and no benefits. Yet, tax money seems to be the base now but what is the base in the future? Of course, what future?

Signing off…

blaughwDecember 15, 2014 11:24 AM

More important than individual users changing their behavior is the move to SSL for everyday services. We all know this, but Joe Sixpack has no idea the steps Google and Microsoft have taken to protect their customers. He also has no idea what 0-999 NSLs issued to Company XYZ means, none of us do.

This is an important distinction, because we cannot ever rely on end users to take security seriously.

It's not that "merely 39%" of people give a shit about Snowden, it's that nobody gives a shit about security when it requires them to do something differently. I would be surprised if "merely 39%" of people could open their PC and identify any particular component.

MikeADecember 15, 2014 11:50 AM

Congress makes "honest citizens" out of criminals all the time. They just did it again with the weakening of Dodd-Frank as part of "must pass" legislation. And the "no such thing as an illegal wiretap" stuff they snuck through while everyone was distracted by that and the Torture Report. Now, if you mean they don't do it for criminals that aren't their buddies or paymasters, OK, I'd agree.

Meanwhile, on the subject of "We need simple, secure tools for normal people", the problem of producing them is the "easy" part. The problem of telling folks about them among a storm of propaganda and misinformation is the trick. If I had a cure for death, you _might_ find it on the 27th page of search results, preceded by an ocean of penis-pills and Canadian Pharmacies. And if you tried to get to my site, either your ISP would redirect the DNS response or my ISP would be forced to take it down with a false DMCA request.

SasparillaDecember 15, 2014 12:49 PM

I have to say, I'm still astounded that there is almost no U.S. press coverage (tech sites that have followed this all or mainstream newspapers) of a law passing that formalizes spying on on U.S. citizen electronic communications. It's extremely weird...obviously they know and are not running it.

@v "It's important to remind ourselves that just because mass electronic surveillance is relatively easy it doesn't make it effective."

Very true v, but I don't think real effectiveness really matters a nit in all this (otherwise this would have all been destroyed after Boston) - in the end it'll be about the agencies/govt. thinking they know what their citizens are doing, buying, communicating - "thinking" and the end game will be holding them accountable for that communicating/buying/thinking (true effectiveness won't matter for that).

Its hard to imagine what McCarthy or Hoover or Nixon would have done with these powers the government has given itself over the last 13 years.

@TheNewWorldIsHere "This is totalitarianism at its worst; worse than communism, worse than fascism, worse than any socialist state we have known. "

JMHO, I don't think we're at a point in the U.S. where it worse than those things, yet, but I do believe the table has now been set for someone to come to power and do dreadful (possibly irreversible) things to our country and citizenry. Our job is to get our country/world off this path before that happens - which is going to be tough as this path seems very self reinforcing.

SoWhatDidYouExpectDecember 15, 2014 1:16 PM

@jacob

Anything that Gen. Alexander peddles comes spy enabled. After all, that is the work he did. Why would they let him out into the public to defeat the spy agency agenda? Answer: they didn't. He is out there as a shill to advance their agenda (and charge money for it so there is something to pay the bills when taxpayer money runs out).

JustinDecember 15, 2014 1:27 PM

Unfortunately, there are no steps Average Joe can take to avoid NSA surveillance. Just be aware that it does take place and do not enter sensitive personal information in a computer and do not browse sensitive topics on the internet. But we often don't even know what "sensitive" is until it's too late.

Using alternative OSs like Linux or OpenBSD (like I do) makes one a target, although it otherwise vastly improves security. Reading or posting on Bruce's blog makes one a target. Using technology like TOR makes one a target---you might be able to obfuscate which sites you are visiting with TOR, but you cannot hide the fact that you are using TOR. Once a target, always a target. We don't have the high-assurance technology to avoid targeted actions directed at compromising our computers.

Depending what the intelligence agencies find out about us---maybe nothing more than too much knowledge or interest in certain areas---they can and do take measures such as Zersetzung.

Harry FuecksDecember 15, 2014 4:32 PM

A prime example of the type of measure being taken by Europeans is Threema - a secure alternative to WhatsApp from Switzerland. Techcrunch reported on it back in Feb 2014 http://techcrunch.com/2014/02/21/bye-bye-whatsapp-germans-switch-to-threema-for-privacy-reasons/ right after Facebook bought WhatsApp. More impressive is, since then, they've help top spots on the German, Austrian and Swiss app stores e.g. "#1 paid app in Social Networking" - you need a lot of downloads to achieve that consistently for 10 months solid.

Milo M.December 15, 2014 5:04 PM

@Jacob:

Keith graduated from West Point, which isn't usually a high tech incubator, but there are exceptions.

https://www.nsa.gov/about/leadership/bio_alexander.shtml

He got an MS from the Naval Postgraduate School in Monterey in 1983. His thesis, co-authored with an Annapolis graduate (Caution -- 146 MB -- maybe that big to make room for all of the viruses):

http://edocs.nps.edu/npspubs/scholarly/theses/1983/Sep/83Sep_Alexander.pdf

This is also the only MS thesis that NPS posts on their web site for 1983. Either a sparse year, or some other motivation for posting this.

DanielDecember 15, 2014 5:56 PM

I know Bruce means well bit I am not buying it. First, according to the link below there are roughly 3.0 billion people who use the internet. That means only 24% of people on the internet have changed their behavior because of Snowden. Even if we assume some quanta of people were already security savvy there is no way we get to the notion that the majority of people care about privacy. This is an important point in places that are at least superficially democracies--if the majority can't apply pressure nothing will change.

http://www.internetworldstats.com/stats.htm

The second major problem is that even among those who care about privacy not all privacy is created equal. For example, even though the number of users running Tor has doubled in the last year, their population still remains at roughly two million users world wide. So out of three billion internet users only two million are using the best on-line security available. That is to say that out of the 700 million who are "doing something" as a result of Snowden 99% of them aren't doing anything that is likely to actually help them against the NSA. In fact, I'd argue that much of what these people are doing--such as avoiding certain websites--is more security theater than anything else. Changing their passwords more frequently (39% in the survey) doesn't help if the password are weak.

So if I'm the NSA I would have to look at this data and be delighted. Most internet users still don't care about privacy, even after Snowden, and the ones who do care almost all of them aren't doing anything that remotely hinders NSA operations.

Sancho_PDecember 15, 2014 6:16 PM

The 39% of 60% is the very least interesting finding of that survey.
That the press loves to cite this figure is disappointing but was to anticipate.
Why would one think they (the press) would have more knowledge than the average computer user?

The average user simply doesn’t know how to take steps to protect when even “experts” (who is that?) don’t know how to protect their server.
Try to bail out the boat using a scoop for noodles, good luck.

I concur with @blaughw: While the average user still doesn’t know what it means most services have already switched to https, having a tremendous effect on surveillance and changed much more that 23% (39 of 60) of traffic snooped on fibers. Ouch!

BTW, how would you explain https without revealing the flawed CA concept, just making fools out of “experts”?

What’s much more interesting from that survey will have a huge impact in the (not so far) future:

“[Only] 36% of users would trust the U.S. to play an important role in running the Internet.”

That’s a bummer.
How come?
Ask the elite, probably by a survey?

CorbinDecember 15, 2014 6:27 PM

Encrypt all the things with a VPN. Use a VPN like Ipvanish or Strong Vpn. OpenVPN 256 bit encryption is still strong enough that the NSA has to store it and hack at it for years, if not forever, to get at your stream.

AnuraDecember 15, 2014 6:52 PM

@Corbin

If you use TLS, OpenVPN provides perfect forward secrecy using Ephemeral Diffie-Hellman keys. As long as your Diffie-Hellman keys are at least 2048 bits, to the best of our knowledge the NSA cannot crack historical messages, and break real-time messages only by attacking the client or server directly.

If you use a static key, then usually it will be randomly generated once and then manually shared. This is secure until one of the clients or the server is compromised, then all pass communication can be decrypted.

I greatly prefer using OpenVPN+TLS with client certificates for authentication.

Paulo MarquesDecember 15, 2014 7:22 PM

Well, it hasn't affected me, really. I mean, it wasn't a surprise and I already hated the erosion of rights and the security theater.
And there's not much I can do that is practical, anyway, that I can see. HTTPS is pointless, VPNs cost money and probably don't guarantee much, I can encrypt my emails because no one will know what to do with them, and so on an so forth.
So yeah, sadly, it didn't affect me.

Clive RobinsonDecember 15, 2014 7:24 PM

@ Bruce,

I think you might be underestimating the impact of these 700million people on the likes of the NSA.

Whilst I agree what they maybe doing is inefective against the likes of the NSA, it's not an "all or nothing" game for the NSA it's a "something for a cost" game.

If those 700million increase their individual cost to the NSA by even 1USD/year it's a significant outcome.

My view point with regards the NSA et al is that they will always work the legal angles in their favour because that has low cost for them, thus what we need to do is find technical solutions that raise the cost to these agencies faster than technological advances reduce them.

Provided we can keep their costs rising whilst technology costs to us fall then eventually their budget will become to big to be supportable and their wings will get clipped.

Whilst crypto does offer a very significant way to raise the NSA costs it is usually poorly implemented in some way which gives the NSA a way in. Thus we should be looking at ways to make our crypto implementations more "water tight" and finding ways to deal with issues surounding the likes of CA's such that easy NSA ways in get blocked.

At the end of the day even if we cannot beat them, increasing their costs has the knock on effect of reducing our costs, because their increased spending will bring manufacturing prices down.

Nick PDecember 15, 2014 7:38 PM

@ Harry Fuecks

Thanks for the link on that. Great product looks like. Like me, they picked Switzerland for its data protection laws and strong beliefs in privacy. They're in Germany, though, so they're at risk of BND coming after them if they get popular enough. I plan to evaluate their crypto paper in near future and maybe get the product.

@ Milo M.

A very technical thesis. Unsurprising: Alexander was actually my favorite Director because he was a geek, had degrees in actual science, and even had a Star Trek bridge. Then running all kinds of military organizations before landing at top of NSA. Ideal guy I thought. Then, he put it all to use tearing up all our technology for SIGINT enabling. (sighs) I do give him credit, though, as the digital version of a Bond villain for America. Putin is the physical world version and catching up to Alexander in the digital realm.

At least all countries haven't moved in this direction. Still a few democracies holding out.

@ Daniel

I agree. Most of what's going on just helps the NSA or isn't a real obstacle. Even if diversity of apps can help, the platforms and network providers are oligopolies that further use a lot of similar libraries and protocols. So, NSA just aims under the apps or server software. Boom. The few doing something better are in the U.S. or countries doing the same thing. The risk of subversion is sky high for them. So, the very best that can be done is harden FOSS or centralized proprietary services with secure protocols in countries that don't force backdoors. And how do we know that's what they're actually doing vs subverting it for 3rd parties in another country? Not an easy question to answer.

z009vDecember 15, 2014 8:17 PM

@Anontina re: '...how deep does the wormhole go?'

On that, it is conceivable that software technology development in general has been shaped to suit the ends of spy agencies. Think BULLRUN, but scaled up to the level of software architecture theory.

For example, the so-called principle of "information hiding" never sounded like a good thing to me when building software modules. Yet this buzz phrase was often spoken by promoters of OOP tools. Could this just be a projection of "the need to know" principle of spying into the domain of software development? Is the long game to compartmentalize *all* knowledge on that basis?

Post-Snowden, I wonder if there will be an attempt to extend spy agency protocols to all levels of society.

TheNewWorldIsHerDecember 15, 2014 8:18 PM

@MikeA:

They didn't make them honest citizens...they just made them non-prosecutable.

ThothDecember 15, 2014 8:46 PM

@keiner
If you are thinking S/MIME or PGP related over emails, it's still as unsafe as ever and so is encrypted VPNs and such. TFC is a good example of a good direction of research. Building secure hardware from easy to find electronics at your electronics store. Just need to have some breadboard, connectors, electronic parts, soldering stuff and knowledge on engineering and computing (which a lot of non-tech guys dream of learning but are too busy). More research is required on this part.

@Liviu Spiroiu
Very true.

Nick PDecember 15, 2014 9:08 PM

@ z009v

Good software architecture always makes things worse for them if people are actively vetting the code. Information hiding, for instance, was created by David Parnas: an academic who promoted good software engineering practices among other interesting things (see Wikipedia). That technique was used in many early exemplar systems that NSA certified to the "we give up for now" level of security. The technique also has a common sense thing about it: external modules that don't use a thing shouldn't be able to see or mess with it. Why you'd cite this great principle as something we should worry about is beyond me.

The irony is that the military, defense contractors, NSA, and certain companies already published most of what you need to defeat them in the past. Surely one must expand that to include attacks and issues discovered since then. However, my anti-government privacy solutions extensively leveraged what was in U.S. and European publications in a way that's still effective against most of the leaked TAO catalog. Says a lot for such methods.

Far as development practices, the market influences it and in ways that drive quality/security down. Because of this, the NSA just has to pay people to look for the flaws in such products. Such flaws are the common denominator of commercial/FOSS software and are often the same category of problems. This means bug hunters get more efficient as they don't have to get too creative to find the ways in. Then, the NSA also has via FBI help the legal authority to force backdoors. Nice shortcut around any good development or security engineering processes.

So, NSA doesn't need to change programming practices. It already sucks so much that they can just leech off the insecurity that the market forces and human nature perpetuate. Then they can compel, fund, or black bag their way into more "SIGINT enabling" via their partners. The situation couldn't be better for them. The strong development processes, like one you criticized, are actually some of the only things holding them back. Better if adopted.

JustinDecember 15, 2014 9:23 PM

@ z009v

For example, the so-called principle of "information hiding" never sounded like a good thing to me when building software modules. Yet this buzz phrase was often spoken by promoters of OOP tools. Could this just be a projection of "the need to know" principle of spying into the domain of software development? Is the long game to compartmentalize *all* knowledge on that basis?

It sounds like you are arguing against general principles of secure, reliable software. "Information hiding" simply enables a higher level of abstraction in order to develop software modules that interact in a well-defined manner without unintended side effects. Web browsers, for example, compartmentalize certain information based on same-origin policies. These principles are very necessary in software development. Without them lies spaghetti code, chaos, insecurity, and unreliability.

TomDecember 15, 2014 11:26 PM

"Snowden Revelations" have no doubt forced some changes. Blanket surveillance, by definition, is all or nothing. Even a 3% crack in the blanket, can remendously reduce its effectiveness.

What this could mean is that targetted surveillance is made into a premium. Goodies on the TAO catalog, and other stuff sold by semi-private vendors, they're gonna be having great years.

65535December 16, 2014 1:04 AM

It is hard to quantify the effects of the Snowden documents – but there is no doubt that some effect – to some degree - was felt by business users and the Average Joe.

Getting to specifics, I note that the NSA collects between 3 billion to 5 Billion mobile phone GPS locations and so called “meta-data”. NSA is keen on mobile phones. Thus, I have greatly reduced my use of mobile phones and am cautions about those who use them around me.

The second item is tracking credit card and banking transactions and how to deal with them. I have started to use a cash system to reduce the attack surface of my transaction trail.

Third, I have greatly reduced my use so called Search engines that report directly to the NSA. That would include greatly reducing my use of Giggle and their email products. There are plenty of other search engines out there using https.

Fourth, email is still a big problem. Most people are still using Giggle, Yapoo and M$ email. I am avoiding those.

I have now started to void all mention of PII data and even names in unsecured emails. Since lavabit is gone I have to use other semi-secure email services on rotating basis.

Tor is fairly good but very limited with business customers. Some customers run their own email servers - which a task to because of Active Directory or Directory Services and DNS, DHCP, self-signed certificates + security templates. That part must be improved.

If any of you know of a good secure email service let me know [Yes, I have used PGP and GPG but business customers have not widely adopted them].

I still don’t know what to make of the Truecrypt situation. I have noticed some use older versions and others that have discontinued its use.

There is a greater awareness of "security" since the Snowden documents - on me and my business associates - the rest of world will have to improve.

AndyDecember 16, 2014 2:18 AM

If anything I'd say the figures are on the high side. I really don't think that many people particularly care about what the NSA, CIA, GCHQ, etc. are up to. If anything, the vast majority of people who've heard of Snowden, Assange, et al, are angry with these people for what they've done.

The vast majority of the population are law-abiding citizens and have nothing to worry about. When I've made this point in the past, people have countered with "so you don't mind some dude in the NSA reading through your emails when he's bored?". Frankly, no. The guy doesn't know me from Adam, and I have nothing to hide. And let's face it, there's more chance of winning the lottery than him picking my particular mailbox to have a peak at.

MarkelDecember 16, 2014 3:11 AM

@65535:

CitizenFour grossed $2M over 6 weeks, so I'd say the impression made by Snowden is relatively insignificant outside of InfoSec world.

Experts often stress the importance (and haplessness) of endpoint security, so I suspect that's an area where we will see more "personalized attacks" targetting specific villains that were suspected to be non-law abiding citizens.

HUMINT aspect will probably see more budget from the powers that be, US Govt? Five Eyes? That is probably good as it keeps people on their jobs and mouths fed, which reduce their incentive to go rogue and be harmful to our society.

65535December 16, 2014 4:04 AM


@ Markel : “CitizenFour grossed $2M over 6 weeks, so I'd say the impression made by Snowden is relatively insignificant outside of InfoSec world.”

On a monetary basis it looks small. But, the massive spying machine is being exposed slowly but surely.

“Experts often stress the importance (and haplessness) of endpoint security, so I suspect that's an area where we will see more "personalized attacks" targetting specific villains that were suspected to be non-law abiding citizens.” –Markel

I agree. Although the Australian guy on a killing spree [and on bail] was not stopped by the huge spy machine - oddly enough.

From my perspective the largest “endpoints” pool is the mobile tablet and mobile phone pools. I believe it to be the most dangerous. It has a high attack surface due to the many “apps” and GPS devices. Further, the number unskilled users are growing each day.

That why I would recommend reducing or negating the use of mobile devices until there is some hard privacy rules in place. I have and some of my companions have dramatically reduced used of mobile phones. And, some of my friends use metallic plastic bags when forced to carry said mobile devices [to avoid GPS tracking].

I think you need to start some place with security. I see the mobile market the place to do so.

“HUMINT aspect will probably see more budget from the powers that be...“ -Markel

True. But, as it stands there are more of us than them.

I am disappointed at the newly passed funding bill that gives a huge amount of invasive search power and funding to these “Agencies” for the near term. I am still shocked that Senator(s) on our side of the political fence promoting these unlawful “Agencies” and expanding their reach [cough… Feinstein and crew] - it’s like being stabbed in the back by your own friends.

Mark HammDecember 16, 2014 6:24 AM

@65535

I'm not worried about phone GPS, nor do I care to VPN it, because I suspect there are trickier ways for HUMINT to locate your whereabouts as long as your phone is signalling. In addition to that, there is no reason for HUMINT to be interested, so the need is moot in my experience.

Mobile phones are also well-covered by blanket surveillance, as the phone itself is limited in resource to perform anything fancy. You have a limited device running on low link against super computing. It won't miss much.

Bob S.December 16, 2014 8:11 AM

Re: VPN.

I have a subscription to an American VPN that uses American servers, purportedly. However, my network monitor tells me everything is routed through Germany.

Duh!

ThothDecember 16, 2014 8:23 AM

@65535
I am not sure how ready the mobile market is for high assurance computing. If it were that easy, we would have a couple more of high assurance phones. Probably someone is trying their best... who knows...

Maybe the first steps we can take is to have some form of open source community high assurance chip design here ?

The best that mobile computing can do for now is to use virtualized workspace and a microSD secure element smartcard. That's about as secure as it can go. The microSD smartcard can be backdoored chip so that leaves virtualized workspace as the only defense and you need to root the phone or device (must likely) to install some form of virtualized workspace if it does not have one built inside it. Not very assuring....

h2oDecember 16, 2014 8:23 AM

One impact - not measured by the survey - is IMHO even more significant:

For CEOs worldwide, Snowden changed the game. The threat level for "attacks on corporate communication and data" (spied/manipulated/...) changed from "potential/abstract threat" to "documented, verifyable and a real danger".

It will be interesting to watch what will happen as a result...

SteveDecember 16, 2014 10:06 AM

One wonders how much of this putative NSA-avoiding behavior is nothing more than "privacy theater" -- the inconveniencing of oneself to no discernible effect.

z009vDecember 16, 2014 10:25 AM

@Nick P

Thanks for the reference to David Parnas on 'information hiding', and your other comments.

My only response is to observe that 40 years ago the focus was on organizing information for efficient processing, not hiding it.

Data fields were carefully laid out in records on coding pads. When you saw the word ABEND on a fan-fold printout, it was knowing how information was organized in memory that allowed you to make sense of the core dump printout that followed.

@Justin

It can be taken as a given that people at this forum are interested in secure and reliable software.

Balkanizing software with internal bulkheads increases the attack surface because every layer of hiding makes it necessary to write extra code for later revealing what is hidden.

My more main point is to ask the question about how much civilian software development has been retarded to give information superiority to the NSA. We now have a new way of interpreting computing history.

DanielDecember 16, 2014 12:25 PM

@zoo9v "Balkanizing software with internal bulkheads increases the attack surface because every layer of hiding makes it necessary to write extra code for later revealing what is hidden."

That is only true if the attacker is coming from the outside. But if the attacker is coming from the inside, for example, they have hacked your BIOS or your disk controller then Balkanizing software does nothing.

This is a point Nick P made earlier and it needs to be emphasized frequently. The NSA does not need to engage in regimental warfare, when they are targeting a specific individual it's guerrilla warfare. If they can't attack the software, they attack the hardware, if they can't attack the hardware or software the attack the implementation (OpSec). Too many people increase the attack surface on the window while leaving the door unlocked.

DanielDecember 16, 2014 2:02 PM

http://herculesandtheumpire.com/2014/12/16/posner-pisses-off-plenty-of-people-on-privacy/

The above post is in reference to Judge Posner's recent comments about privacy by another Federal Judge.

"I don’t agree with a lot of what Judge Posner has to say on privacy and free speech. That said, perhaps I have signed too many search warrants for electronic data and Title III interception orders for wiretaps and bugs, but I pretty much agree with him on one point. We should not fear the government scooping up too much information in pursuit of crime or in furtherance of the national security. On the contrary, we should fear that a risk averse government will seek to scoop up too little."

He goes on to say that federal judges tend to see the world in "paranoid terms".

I said it before and I'll say it again, so long as the Courts have the government's back there is little that can be done about privacy in America.

JustinDecember 16, 2014 2:11 PM

"Balkanizing software with internal bulkheads increases the attack surface because every layer of hiding makes it necessary to write extra code for later revealing what is hidden."

I don't think that's quite the way to look at it. Those "internal bulkheads" make software more modular, so for one thing parts of it could be swapped out. Take a file system for instance. The details of how files are organized on disk for the most part do not matter to programs that just want to open, read, write, and close files, so programs are not allowed to read and write directly to/from disk---they have to use the specific function provided by the operating system for handling files. Linux offers a choice of several file systems, ext3, ext4, or ReiserFS for example. As long as programs can open, close, read, and write files, they do not need to know how the files are actually organized on the disk, and they do not need the privileges to actually read and write data directly on the disk---they just use the functions provided by the operating system.

The details of how a lower layer (the file system) works are hidden from the layers above it (user programs). "Need to know" is enforced with a "principle of least privilege." Each layer is complete and self-contained as much as possible so higher layers do not need to know how it is implemented.

Writing extra code to reveal what is hidden is the wrong way to do it and in fact should be impossible in a well-designed system---if your program "needs to know" certain information that is normally hidden, then there should be a well-defined interface for providing that information given the appropriate privileges.

As far as history goes, some of the very first uses of computers were to crack German codes and simulate the atomic bomb---so principles of "information hiding," "need to know," "least privilege," etc. probably were very important, albeit later, when operating systems came to be developed. Things like this decrease the attack surface, not increase it, and they give information superiority to the owner/users of the computer, not necessarily the NSA.

Nick PDecember 16, 2014 2:36 PM

I'll add that information hiding and loop-free layering were required for Orange Book B3 and A1 systems, the only ones top INFOSEC experts considered secure [enough]. The requirement is still in EAL6-7 standards. Published work from such projects showed how the requirement greatly reduced both the number of defects and the time it took to find them. So, modules + information hiding are the only proven way to make highly secure systems on COTS hardware. And it's helped greatly on specialized tagged and capability hardware.

In short, a truly best practice in software development.

MoronsDecember 16, 2014 2:59 PM

700 million users take steps to avoid NSA surveillance. NSA doesn't notice because they aren't looking for cat pics.

Moron MajorityDecember 16, 2014 4:27 PM

Andrew 2:18, parroting NSA propaganda.

"the vast majority of people who've heard of Snowden, Assange, et al, are angry with these people for what they've done."

Unsubstantiated assertion drawing on Andrew's emotional telepathy or something. Are the vast majority of you surprised to learn you're angry? And at rights defenders, not at government lawbreakers? Do you like it when Andrew puts words in your mouth?

Andrew has another insight into the vast majority:

"law-abiding citizens and have nothing to worry about." This is an idea for dopes, associating the meaningless cop-level nonsense "nothing to worry about" with the vaguely heartwarming "law-abiding citizens." This kind of slogan will work for cops, because cop exams have IQ cutoffs, or for grunts, the dregs of the labor market, constrained to sign up to get their balls blown off. But it flops when you try to put it over on people with any kind of education.

The DoD personas do a lot of this fake opinion stuff, modeling stupid ideas in the faint hope that some other-directed mental defective will pick it up. Who is their intended audience? Maybe this is the best they can do, when they try to think. That would explain why a couple dozen drunken whoring wogs made fools of them on 9/11.

J.R.December 16, 2014 4:46 PM

@ Andy

The vast majority of the population are law-abiding citizens and have nothing to worry about. When I've made this point in the past, people have countered with "so you don't mind some dude in the NSA reading through your emails when he's bored?". Frankly, no. The guy doesn't know me from Adam, and I have nothing to hide.

Search for the string "Three felonies a day" and see what you come up with.

Here's a quote from Cardinal Richilieu, the prime minister for Louis XIII of France, "Give me but six lines written by the most honourable of men, and I will find in them some to have him hanged."

BTW, do you have curtains or window blinds? If so, why --if you have nothing to hide?

d33tDecember 16, 2014 5:08 PM

"From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention."

I sincerely hope this statement turns up to be true. I am excited to see the new developments / implementations coming from cryptographers in the future as a deterrent to mass, state sanctioned surveillance.

As far as things I've changed in terms of behaviors, I do tend to run many browsers at once, some proxied, some not, and tend to research subjects or go down search pathways that are not easily stuffed into demographics. Since NSA activities have not been shown to have thwarted any "terrorism", I think these breaches of civil rights have been for the sake of designing better, more tailored propaganda for the purpose of manufacturing consent. Pretty much exactly on par with Google's advertising campaigns that leverage surveillance for steering ads to the "right" users. A fun game I play with some of my careless gmail connected pseudonyms, is to see how outlandish we can make the ads get. Every so often it's worth an extra laugh. If you can't play games with tyranny, what fun is it then?

Since NSA intends to hold on to any encrypted data indefinitely, I figure, why not encrypt way more stuff for fun and practice? Maybe even encrypt big old cats of /dev/urandom (don't use the good stuff for pranks) and send them as gifts via gmail and hotmail yahoo etc. I love bcrypt for this. We've started to encrypt all kinds of silly business related (not confidential) bits. We have also built a couple of offshore semi-encrypted (certificate / smart card / ssl / websocket) telephony based on webrtc recently. We will probably launch them for public use in a few months with a big warning to mind your data. HTML5 and WSS are still pretty unproven in my book for staking your life on your crypto. Having the systems offshore and encrypted will likely force permanent storage ... since they will store it all they want anyhow, why not make it fun and expensive to store / parse?

An alternative to TOR would be cool. It appears to be an awesome technology, but still gives me the creeps. Things that are paid for by governments are automatically suspect in my world. Not because of shoddy engineering, as I'm sure TOR is well engineered, but because of other vectors of attack and tracking / gaming through strategies not known to the public.

I remember arguments with NIST people at conferences about the lack of an "approved" NRBG for feeding PRNG's. Remember the link to "hotbits" or whatever it was? Likely still linked, it's been a while. Pretty much anything stamped for approval by NIST is out. Sorry guys and gals.

Has anyone ever rekindled interest in the Hasty Pudding Cipher? I like the "spice" idea. I wrote Richard Schroeppel to ask for the latest fixed source, but never heard back. We have some incomplete source. Perhaps HPC combined with entropy gathered from physics would be a cool combo? A good addition to an arsenal of other good crypto like blowfish, twofish and threefish et al?

I have begun to think that escape from having my metadata analyzed is not possible right now. Very true for telephones and other related tech. A lot of the gear out there routing traffic is either easy to compromise, or flat out "open flapped" in transit. Better to encrypt as often as possible.

Hard to say about the Mozilla CA that is being talked about. A real non-profit CA is important. Self signed certs have become difficult to use and implement with today's modern browsers. We've been finding that out the hard way with this web based telephone thingy.

I've started research and gathering data on the "accidental" exploitation of metadata / content that has likely been vacuumed up by intelligence agencies that contains fragments of medical records not authorized for eyes outside of storage providers etc. Opinions as to the likely breach of law look promising. They will likely have to change the laws again to allow medical records to fall into the fold without warrant / court order. It's a long shot, but isn't all privacy now?

Thanks Bruce for the good news. Happy Holidays to all.

MitchellDecember 16, 2014 5:45 PM

@ Bob S.

I'd even gestimate a vast majority of these offshore VPNs are bought and owned by intel agencies of various sorts.

Why hire HUMINT when you can buy up VPNs? Somebody's gotta be laughing at a cost-efficiency graph somewhere.

ThothDecember 16, 2014 6:40 PM

@Steve
You said:
One wonders how much of this putative NSA-avoiding behavior is nothing more than "privacy theater" -- the inconveniencing of oneself to no discernible effect.

Reason is simple. People are either bad at figuring where to start (non-domain people) or the trenches NSA have dug in is too deep. NSA have literally infiltrated so much aspect of our privacy, the only way around is to rebuild the entire system from ground-up. Hardware, software, toolchains, OS ... etc ... just to remove their influences. A lot of non-domain people are working on INFOSEC or COMSEC projects, writing crypto codes and not knowing how to approach crypto properly. That's another risk.

Some merchants are selling Anti-NSA stuff due to the hype and that is the true "Privacy Theater" that is going on. Only way to handle the Privacy Theater is to try and filter out the noises by ... education. And which person (education) is saying the right thing ? Yup ... infinite loop ...

Why is it still important to push back NSA's attempts to gobble the world when they are close to omnipresent ? They have certain things they can do and certain things they cannot do as they are still bounded by the laws of physics.

It is very tedious to fear of so much things but the basic preservation of our own rights are still important.

ThothDecember 16, 2014 6:53 PM

@d33t
You said:

Since NSA intends to hold on to any encrypted data indefinitely, I figure, why not encrypt way more stuff for fun and practice? Maybe even encrypt big old cats of /dev/urandom

P2P redundancy and traffic analysis resistant methods would probably just encrypt a bunch of pointless stuff and broadcast them across the network. P2P across HTTP channels, FTP channels ... open channels with a bunch of really random stuff would be fun.

One way is to create a GNUnet or Retroshare plugin that does that.

Just don't crash someone's computer with all the random stuff :) .

In regards to Hasting Pudding, I think it was simply hasty shelved !!!

It was definitely a very advanced cipher beyond it's time and people doing the AES competition find that it's nonsense because who wants a random weird cipher appearing as a candidate that does a bunch of weird stuff like variable length blocks and key sizes. They are too focused on getting to the top positions of the competition and naturally didn't bother to take a good look at HPC.

After the AES competition, ciphers with tweakable properties appeared and one of the ones is the Threefish/Skein ciphers with tweakable properties.

Hey surprise ! The people who glance and walk pass HPC as a nonsense cipher suddenly took a look and decided to do something along the line of tweakable cihers which HPC proposed.

We are way late on tweakable cipher research (thanks to the AES competition where it was rigged by the NSA). All eyes at the time were focusing on breaking Rijndael and other candidates and few were looking at something innovative like tweakable ciphers until way after the AES competition and close to the SHA3 competition where Skein and Threefish made their appearances with tweakable functionalities to a very limited extend.

I would say HPC is still the modern working grand daddy of tweakable block ciphers and deserves it's place somewhere in the history of cryptography (which may probably irks those orthodox cryptographers a lot).

d33tDecember 16, 2014 8:06 PM

@Thoth

You said:

"P2P redundancy and traffic analysis resistant methods would probably just encrypt a bunch of pointless stuff and broadcast them across the network"

Precisely my interest in the Webrtc phone. I love the fact that it is a disposable web page as well. Certs are only used for quick login and remove the need for passwords for one time use accounts. The entire system is built with open source warez. Every call drops P2P!! Given they are all encrypted, the more people that use the system, the more expensive it will be for NSA (American Public). Maybe people will finally get mad and demand their rights back? The cert serial is your "phone number". No personal data is retained, and you can dump or move your cert at will. I love how easy all of this is made via htaccess and a little scripting.

You also said:

"I would say HPC is still the modern working grand daddy of tweakable block ciphers and deserves it's place somewhere in the history of cryptography (which may probably irks those orthodox cryptographers a lot)."

I absolutely agree that HPC was wrongfully passed over and is a beautiful unicorn worth attention. I intend to change that coming up. In fact we just got some high powered help for the holidays! HPC is next on my list of fun things to do. I wonder if there is anything more to the disappearance of HPC into the mists of time? I have an archive with the fixed and unfixed code. We will need to do some work to bring it alive. I think at one point it may have been included into the Linux kernel as well. I have to wait to dig in again, too busy right now. Working on the foundation for proper crypto right now. A ten year project that has finally yielded prime results. HPC was reported to have worked quickly on 64 bit machines.

I'd like to incorporate some stenography into the telephone system interface. Years ago, around 2004, we built a document creation app for web browsers that stored docs in the DjVu and MrSid formats. OCR is possible. Layers of fake data in the form of images is also possible. The great thing about these images, is that one can make documents that are information rich and reduce them to very small files as well as encrypt them. The compression worked nicely and has always been a very little known competitor to pdf. Leveraging the P2P nature of Webrtc, file sharing will be easy. As well as text messaging etc. One of us is working on a conferencing solution as well. All of this stuff works well when it works, but Poodle and Heartbleed stopped development for months. Recently the project was resurrected.

We found a library in javascript that renders Webrtc video into moving ASCII as well. It's pretty fun to watch! You can still recognize the human on the other side, but the background is obscured. Great fun.

Thank you for your reply!

ThothDecember 16, 2014 8:29 PM

@d33t
In a block cipher, your probability permutations are the size of your blocks ... 2^BlockSizeBits regardless your key size. The key size governs how much keymats would be use to transform your block size but in the end if you have 256 bits keys and one round only consumes 32 bit keys or so due to the algo, the 256 bit keys are to prevent the bruteforce attack over guessing keys. In the end the "randomness" and "hiding effect" is determined by your block size.

HPC took an interesting route into making the block size variable which kind of irks people off because it does not make any sense at that time.

Let's look at a 128 bit block size of modern block ciphers, which you have 2^128 bit entropy regardless of key sizes. Imagine the block cipher as a whole is a 2^128 bit lookup table (regardless you are using SPN, ARX, Feistel ...). Let's look at how many bits a 2^128 bit block cipher can give entropy to: 3.4028236692093846346337460743177e+38 bits. That is hell of a lot of entropy.

People are saying 64 bit blocks are not cool anymore. SO let's look at 2^64 which is 18446744073709551616 bits.

Once the data hits the max number, it starts to re-iterate itself and you can start to see patterns which you would need to re-key before it runs dry of itself.

What if you are going to encrypt a short string of passwords, would you really need so much entropy ? It is something good to have but if the passwords are stored in a database, you would find that encrypting that password may turn into bloat in some circumstances.

The idea of HPC is to enable fitting into different scenarios and use cases. If you want to encrypt hard disk, 128 bit blocks would be the go-to solution. Anything tiny, a 64 bit block might suffice. There are many tweakable block ciphers these days after HPC made it into one of the 15 ciphers for AES competition. Would Blowfish still hold protecting short secrets ? Quite likely unless you are trying to do full disk encryption on a media more than 4GB.

I might be wrong so a skilled cryptographer can advise on this part.

Connecting over TLS to a webpage and having a Javascript that randomly play "games" with each other as Javascript-based keep alive messages can be rather fun. The server or client can over time as the other party to do some computation and reply with valid answers (these are all meaningless) and it can turn into a confusion party.

d33tDecember 16, 2014 9:06 PM

@Thoth

You said:

"Connecting over TLS to a webpage and having a Javascript that randomly play "games" with each other as Javascript-based keep alive messages can be rather fun. The server or client can over time as the other party to do some computation and reply with valid answers (these are all meaningless) and it can turn into a confusion party."

Those are great games! Meaningless form data injected into meaningful form data and some basic obfuscation before encryption works pretty smoothly and costs little.

You also said:

"The idea of HPC is to enable fitting into different scenarios and use cases."

I think it is this flexibility that caught my eye. I think it is good to have alternatives to the great ciphers that already exist in usable form. Machines have grown up a lot since the 1990's. I like the idea of consuming large amounts of entropy as well. It is everywhere all the time waiting to be used.

I hope this continues forth: https://ciphershed.org I liked to use Truecrypt. It was especially fun with smart cards. Storing a small encrypted file right on a smart card with Truecrypt was really easy.

requiredDecember 16, 2014 9:49 PM

@TheNewWorldIsHer December 15, 2014 8:18 PM
"honest citizens" was in quotations
I believe that MikeA meant that making "honest citizens" in the way that washing a turd makes it a "clean turd".

requiredDecember 16, 2014 9:55 PM

@Sasparilla
Its hard to imagine what McCarthy or Hoover or Nixon
Cheney is Goebbels is McCarthy is Sheldon Adelson is Putin is Ted Cruz is...
but I see everything as proportional. Defenses are proportional to attacks.

65535December 17, 2014 3:08 AM

“The best that mobile computing can do for now is to use virtualized workspace and a microSD secure element smartcard. That's about as secure as it can go. The microSD smartcard can be backdoored chip so that leaves virtualized workspace as the only defense and you need to root the phone or device (must likely) to install some form of virtualized workspace if it does not have one built inside it. Not very assuring...” -Thoth

I hear you.

The need to root a phone is do-able… but, some major carriers will void your warranty or disallow you on their networks [even though a high court opinion said it was legal to root a phone].

vas pupDecember 17, 2014 11:56 AM

New fiber to protect your privacy (passport, credit/debit cards, etc):http://www.bbc.com/news/technology-30513497

SnoopyDecember 17, 2014 1:17 PM

@Andy

The vast majority of the population are law-abiding citizens and have nothing to worry about. When I've made this point in the past, people have countered with "so you don't mind some dude in the NSA reading through your emails when he's bored?". Frankly, no. The guy doesn't know me from Adam, and I have nothing to hide. And let's face it, there's more chance of winning the lottery than him picking my particular mailbox to have a peak at.

No, the vast majority of people just don't realize how invasive the NSA is.

Even the most law-abiding citizen would object if the police had an officer following him around 24/7, notepad in hand, writing down every place we go, even which room in their own house they go to (GPS data is precise enough for that), whom we talk to, what we buy, to whom we send letters (according to Snowden, the NSA has USPS record every single physical letter for posterity), what we read in libraries or online.

Any police agency that did that would be, justifiedly, accused of stalking.

Yet when the same thing happens invisibly electronically, people don't worry about it? That tells me that people are only aware of it in the abstract, not in the concrete.

ThothDecember 17, 2014 9:24 PM

@vas pup
Cheapest way to not be RFID-pwned is not to bring it out in the first place or to ask a bank to disable wireless payment (not assured method to simply disable wireless functions).

All of these payment industry stuff uses obscurity instead of true security to do their "Secure Banking". You have to sign NDAs and funny contracts to even get a step into thier walled garden. No banking is secure (that's the mantra of this age).

keinerDecember 18, 2014 9:22 AM

@Bob S. routed through Germany? So the BND can do what is not allowed for NSA on US citizens and NSA does the same with Germans for the NSA. Absolutely cool. I would send them all to a nice Russian Gulag for the rest of their lives...

Security of VPN

document/2014/03/12/vpn-voip-exploitation-hammerchant-hammerstein/

vas pupDecember 18, 2014 9:51 AM

@Thoth • December 17, 2014 9:24 PM. I am with you on poor banking privacy. Just imaging what some folks pissed off by banks (I am not talking about respected Canadian banks) could do in the same way as North Korea to Sony Pictures. If they disclose all dirty tricks/communication of tycoons of financial sector - not bad (mapping Snowden's revelation on spying within US), but if they bring down banking function itself (stealing IDs for pure fraud, disclose details of your banking transactions, etc in mass) it would be terrible for all of us (same as 9/11 affected air line industry).
E.g., you do not need VanEck emission to be intercepted out the banking terminals because they are on the first floor with transparent windows facing sidewalks. Walk around downtown of big city around US and get confirmation. You just take binocular and catch all information. Some banks introduced wireless keypad to enter SS# as verification tool. Somebody standing next to you could intercept this transmission. I hope, this transmission is encrypted.
Yeah, but with all security banks are reactive not proactive because they do not have intention to invest in brains (like Bruce's) to mitigate their security vulnerability, why do that if gov back them up with tax payer's money.

65535December 19, 2014 2:31 AM

“…USPS record every single physical letter for posterity.” –Snoopy

And, that is a hot button issue! I would like to see better privacy from the USPS [plus Fedex and UPS].

“Some banks introduced wireless keypad to enter SS# as verification tool. Somebody standing next to you could intercept this transmission.” –vas pup

Yes, I have seen the need to enter social security numbers at banks. If the bank leaks your social security number you are in for a huge headache – not to mention financial loss. I believe the social security number leads to almost all of an individual’s private data. The banks must stop this practice.

stevenDecember 20, 2014 3:55 PM

Among those who did care, some would react more strongly than others, with consequences reaching far beyond themselves.

I cancelled all online services with US companies, and no longer recommend them to business clients. I'm moving the services I need closer to home - to the EU, to the UK, even into my home. I've noticed large UK companies already taking this view with respect to storing customer data.

I might decline to work for the US tech giants, who were indirectly complicit in this through their business model of mass collection of valuable data, which was subsequently available for government seizure through whatever means. Corporate culture may not change, but the massive rollout of TLS in the wake of this should at least provide some benefit to us.

I was motivated to learn how open-source software implements security and crypto, to work on it, to try to get it into as many people's hands as possible and see it used habitually. I know I'm not alone in this, and some brilliant work already come to fruition in the past year such as LibreSSL.

Internet UserDecember 24, 2014 6:46 AM

My view on the Internet changed a lot.

Back in the 90s it felt like a homey nerd paradise. This changed around 2000 were it turned into the wild west (in my impression). Still okay, everything possible, just watch out! Spammers, phishers and malware are everywhere.

The Snowden relevations changed that view drastically. Now it basically turned into a war zone under enemy control. You only move in there in full camouflage and under cover fire. So the idea of uploading personal data to US cloud companies sounds as absurd to me as buying real estate in AF for living there.

Most people don't understand, that the Internet isn't the friendly place, it used to be. May be the war will end some day, but currently "doing stuff online" is something I avoid as much as possible.

AnontinaDecember 27, 2014 3:56 PM

@z009v What I was referring to by MKULTRA was mass mind control mechanisms via drugs, secret media manipulation (e.g. subliminal messages), and any other higher than high tech means available. MKULTRA was the code name given to an illegal and clandestine program of experiments on human beings, made by the CIA and was declassified later so there is a bunch of info about it online now.

MaxNovember 15, 2015 6:03 PM

Many people are turning towards VPNs form improved privacy and to avoid prying eyes from others like NSA. More governments are introducing censorship around the world. The Internet is no longer the free medium it once was and it certainly very risky. Nowadays you never know who or what can steal your personal information.

VPNs are also useful if you travel a lot or need to access certain websites which are blocked from your location. So it's ideal when choosing the location which you want to appear to be in by just choosing an IP. For more info on VPNs please visit https://zoogtv.com/resources/why-use-us-vpn.

ShahirApril 1, 2016 9:02 PM

Statistically speaking, "common man is a fool"; so I don't see what all the fuss is about: you're trying to avoid something that, in the larger scheme of things, is (maybe not exactly, but) at least partly what's accommodating that freedom in the first place.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.