Originally Posted on August 3, 2013:
I readily admit that I am way off schedule when it comes to the timeliness of my blog posts, especially concerning Edward Snowden, the NSA and domestic spying. That being said, I still want to take a moment and discuss a couple of open issues remaining from my last post on this subject. Specifically, I want to talk about techniques and options being employed or discussed to avoid the prying eyes of the NSA or other government entities, and whether or not those techniques and options are viable or worthwhile.
Any discussion on how to hide or mask activity on the Internet begins and ends with encryption. People all over the country are clamoring to install and configure some form of encryption software or hardware to protect emails, web browsing history, file transfers, and any other form of communication over the wire. Sign ups and usage of VPN solutions like ProXPN have skyrocketed over the last few months, seeing growth patterns in the hundreds and thousands of percentage points. HTTPS site conversions are taking place at an astounding rate. Encrypted email solutions are flying off the virtual shelves as individuals start to fill their key rings and expand their circles of trust. Yet, with all of this activity, I think it is important that we start with a very important and yet somewhat basic question – Is encryption necessary or even worthwhile?
For those of you hoping to avoid the intrusions of the federal government or trying to “stay off the radar”, I believe the obvious answer is a resounding “no”. First of all, the federal government has openly admitted that their justification for capturing and analyzing Internet traffic takes into account encryption. Specifically, federal officials have admitted that encrypted Internet traffic, by its very nature, is considered suspicious and warrants investigation. So the use of encryption in almost any form places you squarely on the radar of those you are trying to avoid. Secondly, the federal government is one of the few entities on the planet with the resources to brute force encryption keys through the use of large computer clusters and emerging quantum computing techniques. The federal government also has the ability to go after corporately controlled private keys via the courts to decrypt certain traffic streams. Given these resources, you may have no good option to protect your data even if you were willing to paint that large “encrypted” target on your back.
So does this mean that you should give up on encryption or other techniques to protect your data? The answer to that question is also a resounding “no”. Encryption has its place and its value, but it should be used in a specific, targeted manner. Consider where encryption does have inherent value – protection against most private entities, financial fraud, identity fraud, corporate espionage , etc. The following are a few of the areas where I believe encryption is vital:
• Personal financial transactions – use certified and verified sites that employ strong encryption for banking and other financial transactions. • Corporate network access – use IPSEC VPN’s to access corporate network segments and resources, especially from public places and via wireless connections. • Sensitive correspondence – use public/private key email solutions like PGP to protect sensitive emails and text messages, especially communications involving PII or PHI. • Smartphones – deploy passcodes or better yet passphrases on your smartphone and encrypt the data stores when possible to protect against lost or stolen devices. Far too much personal information including passwords and credentials exist on our smartphones today
These are just a few of the security controls I believe every person should consider deploying in their day to day lives, but they will not necessarily protect you from a motivated and financially powerful nation state. At this point, when it comes to the federal government and the NSA I am not sure we have any great options to stem the tide of potentially pilfered domestic information. I believe the conversation itself is our best tool. Speak out. Talk to your Congressman. Write. Blog. Continue to help the general populous understand what is at stake. Only when the public is informed, educated and motivated will real change take place. Until then, good luck.
Comentarios