Okay so with the upcoming snoopers charter thingy (by which I mean the Investigatory Powers Act) going on in the UK a few people have asked for some thoughts on security and the net. Now I’m a sysadmin, I’m not a security expert, I’ve got a working knowledge of things so I can give an overview but may wind up wrong on some points.

To start with there are some good places to read up on general privacy and security issues with the net. The Electronic Freedom Foundation (EFF) while mainly US based are worth a read. They specifically have a whole section on Surveillance Self Defense that gives a good overview of everything and is probably better reading than this post; it helps give background on how to secure your data, browsing, communications, and avoid getting generally surveilled, including a Security Starter Pack. The Security In A Box project also have some guides on general methods of securing communications, stored data, phones, social media accounts and a whole bunch of things. I’ve not read them in depth but had a skim and they looked okay. Bruce Schneier is also worth reading on security, both physical and electronic.
For more specifically UK based news try The Open Rights Group (ORG) who are specifically doing work on the snoopers charter. The infamous El Reg also has a bunch of news about security stuff and snoopers charter (e.g. that they’re talking about crypto backdoors as well).
Okay that aside here’s some words on security. The snoopers charter offers bulk data collection and attempts to link it together into useful descriptions of large swathes of the population. So all your traffic may be inspected, metadata may be kept, analysis of gatherings of people, and “Internet Connection Records” of which sites and things you visit. This is combined with legal powers to hack your device and install spyware, and give them the option to lean on people to include back doors for the security services. TL;DR a giant fishing expedition.
From what I can tell security is complex, it’s a balance between achieving security and the convenience of doing things. Ellison’s Law states “The userbase for strong cryptography declines by half with every additional keystroke or mouseclick required to make it work” which seems to hold true. Security ideally needs to be like backups, something that just works as best it can in the background – but the issue is that it only has to fail once when an attacker’s looking and that can create major problems.
What Can Be Attacked
Now the attack surface of the average user is quite large. Think about email as a classic example. You have multiple devices (a desktop machine at home, maybe a laptop, a mobile phone, perhaps reading it from a browser on your work desktop), and each of those devices often connecting through multiple networks (your laptop connects from home or the coffee shop or the hotel you visit, your phone auto-connects to your wifi at home and work and auto syncs data). On top of that when you send an email it goes from your machine and into the mail network via a server (which is another point for attack) and then your mail, which is openly readable at every hop, bounces through a handful of servers on the way to your recipient. Your communication is then dependent upon how your recipient receives it, and the security of their networks and devices as well. It doesn’t matter how well you lock up your end if your recipient is bad with theirs, theoretically an omnipresent attacker can just snaffle it at the other end as well. You may want to have a look at Tails OS, which is a portable Linux distro designed to help increase your chances of security and anonymity.
Anyway, trying to keep this ramble practical and not paranoid you basically need to think about what it is that you’re doing, and how it is that this may leak data (see EFF’s intro to threat modelling). For web browsing and general communication you need to worry about a few things, primarily I’m going to break these down into: Traffic, DNS, Client Software, and End Service/Recipient.
Traffic
Your packets have to go somewhere, think of the net like a network of tin-can-telephones. Your machine talks to its router, that talks to a bigger router, that talks to another part of the net, which talks to a smaller router, that talks to the server you’re communicating to. Now each of these hops that is inside the UK can be intercepted and logged according to the snoopers charter. Now each of these links can be encrypted, or you can have your machine encrypt the data itself so that only the other end can decrypt it.
Basically to secure things you need either a VPN or a proxy, methods of routing your data via a third party to disguise the origin. You can either buy an account with a VPN provider, or you can host your own (the easiest method is to rent a Virtual Private Server (VPS) then install something like OpenVPN, VPN Over SSH, StrongSwan, or even just Squid over an SSH tunnel in a pinch) then you communicate along an encrypted pipe to them, they make connections further out to your actual destination. Now under the snoopers charter this will help reduce your visibility but may not completely remove it as if the VPN is UK based then the government may still be logging the communication on both sides and try and link it up. The better thing about a commercial VPN is that it has a lot of users, so your connections will be one of many so it’ll be harder to separate yours out, if you run your own relay then once the connection from you->proxy is established then connections from proxy->the-world may be assumed to be you.
The EFF have a guide to choosing VPNs. ORG have an article “Can a VPN protect you from government surveillance?” (Nick Pearson) which covers how in many ways a VPN has to comply with the same laws as an ISP so may not protect you in some ways from surveillance. There’s about a dozen VPN review sites out there and I’ve not really looked into it too deeply but take the advice from EFF/ORG in working out which to choose, e.g. here’s an article discussing various VPNs in review, including whether they accept payment in bitcoin and what sort of logs they need to keep.
Now you can shake this up a bit by adding in the use of TOR, this is an example of a mix network, where your client has a map of the network, and wraps your communications in layers of encryption like an onion. Each hop unwraps a layer, and sees the instructions of where to forward the packet for its next hop. However there are a number of issues and attacks against TOR, including some services block its exit nodes to reduce abuse, some attackers specifically run malicious exit nodes to monitor communications coming through them, and there is work to find the exit nodes so they can be monitored.
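The layering described above can be sketched in a few lines. This is an added illustration, not code from Tor or from the original post: the relay names, keys, destination and message are constructed, and the cipher is a standard-library toy standing in for real cryptography. It shows that each relay learns only its next hop, and that the exit relay ends up holding the payload as you sent it.

```python
import hashlib
import json

def xor_stream(key, data):
    # Toy cipher: SHA-256 in counter mode XORed over the data, so the example
    # runs on the standard library alone. Not Tor's cryptography.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(path, keys, destination, message):
    """Client side: build the onion from the innermost layer outwards."""
    next_hops = path[1:] + [destination]
    onion = message
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": onion.hex()}).encode()
        onion = xor_stream(keys[relay], layer)
    return onion

def peel(relay, keys, onion):
    """Relay side: strip one layer; the relay learns only where to forward."""
    layer = json.loads(xor_stream(keys[relay], onion))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, keys, onion):
    """Pass the onion along the path, recording what each relay learns."""
    seen = []
    for relay in path:
        nxt, onion = peel(relay, keys, onion)
        seen.append((relay, nxt))
    return seen, onion

# Constructed sample values (assumptions for this example).
PATH = ["guard", "middle", "exit"]
KEYS = {name: ("key-for-" + name).encode() for name in PATH}
DEST = "site.example"
MESSAGE = b"GET /page HTTP/1.1"

if __name__ == "__main__":
    seen, delivered = route(PATH, KEYS, wrap(PATH, KEYS, DEST, MESSAGE))
    for relay, nxt in seen:
        print(relay, "forwards to", nxt)
    # The exit relay holds whatever was sent: readable unless it was also
    # protected end to end (e.g. HTTPS).
    print("exit relay sees:", delivered)
```
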
DNS
This will be short, basically all the traffic goes via numerical IP addresses, however what you type and interact with are DNS names (www.google.com for example). DNS is the glue that links names to numbers. When your client wants to communicate with something it needs to use DNS to look up the IP address for it, then send packets to that IP address, hence control of DNS means control of who you’re really talking to, and it also gives a great way of monitoring which services you’re communicating with.
Basically you need to make sure that your VPN also secures DNS, or run your own DNS server somewhere you have a secure link to. You can use Google’s DNS Servers which may be in another country, which at least would probably put your DNS data outside GCHQ harvesting (doubtful) and squarely into NSA harvesting.
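To see why DNS is worth securing, here is an added example (not from the original post) that encodes a plain DNS query the way a resolver puts it on the wire and then reads the name back out of the raw bytes, as any device on the path could. The hostnames in the sample capture are constructed; the function names are this example's own.

```python
import struct

def build_query(hostname, query_id=0x1234):
    """Encode a standard A-record query as it appears on the wire."""
    # 12-byte header: id, flags (recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_name(packet):
    """Recover the queried name and type from an unencrypted query."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype

def lookup_log(packets):
    """The list of names a passive logger ends up with, in order."""
    return [observed_name(p)[0] for p in packets]

# Constructed capture: three lookups made by one machine.
CAPTURE = [build_query(h) for h in
           ("www.google.com", "mail.provider.example", "forum.health.example")]

if __name__ == "__main__":
    for name in lookup_log(CAPTURE):
        print("looked up:", name)
```

The pages themselves may be fetched over HTTPS, but the names still appear in the log unless the lookups travel inside the VPN or another encrypted channel.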
Client Software
Okay this is a big subject but I’m going to skim it because it’s too big (see the EFF’s Communicating With Others section). The client software reads and writes data that is sent over the internet by the operating system. Now the client can choose not to send this in the clear and wrap it in encryption at the client end, something only the server at the other end can decrypt, but there are problems.
If your client is a web browser it can leak information via cookies, and it can interact with servers that don’t support strong encryption (Let’s Encrypt is removing this excuse), and it can run various plugins and scripts that can leak data too. So basically make sure your browser’s up to date, install plugins like NoScript/ScriptNo, Privacy Badger, HTTPS Everywhere, Disconnect Me, and uBlock. Watch for which services you interact with support encryption and which don’t.
For real time communication then there’s a number of options, and basically you need to work out the security balance that works for you because there’s no point using a secure service that no one you know can be convinced to use, but if you have to use an insecure service you can work out what steps you can take to make it better, and think about what you transmit over it.
Google hangouts and Facebook Messenger can be accessed over the web and mobile clients. However they have issues in that all their data is unencrypted, stored remotely, and the companies involved may be complying with government regs to ship out metadata and other things. They are however convenient and a good way of getting in touch with people, so think about if you’re happy to make that trade off. For more secure things there’s options like Signal (which offers secure IM and VOIP), Chat Secure, and even WhatsApp can be secured a bit, however the EFF has concerns. There’s also XMPP as a generalised IM protocol (think of it a bit like email for instant messaging, you have a name@server style address and any server can pass messages to any other) and you can secure it further with OTR which I believe (but I’ve not tested in a while) can be used to add a layer of security on top of other protocols it speaks – like the weird isolated XMPP that Google hangouts uses.
Email is the other big one that people use for a lot of communications. If you use an organisation to provide your email then make sure they support IMAPS (IMAP over SSL) and also HTTPS for webmail. If you want to try and protect the contents of your mail (or provide some assurances against spoofing) there’s a security tool that layers on top of regular email called Pretty Good Privacy (PGP). PGP can be used to sign your mails (thus proving they are from your key) and/or encrypt your mails (thus meaning only the recipient(s) can see the bodies). Now as discussed above even if the body of your mail is secured using PGP then the metadata (to, from, date, subject, clients, servers it’s been through) can all be picked apart for interesting information to help connect people together. See The EFF’s “How to use PGP for Windows”, and “Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance” by Micah Lee. If you’re concerned that your email provider will provide a pile of metadata to GCHQ (which any company operating on a wide scale inside the UK probably will) you can, just as with the VPN above, run your own email server, by renting a VPS for a few pounds a month in a country with acceptable privacy laws and installing software and configuring it yourself. This does open you up to risks of making mistakes and exposing your data, or not updating things and having your VPS compromised. You can reduce these risks by trying solutions like Mail-in-a-box which attempt to give a simple email server configuration including webmail and encryption without too much user intervention.
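The point about metadata surviving PGP is easy to check against a message. The following is an added example, not from the original post: it parses a constructed email whose body is a PGP block (placeholder text, not real ciphertext) and lists what is still readable without any key. All addresses, hostnames and the client name are made up for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: the body is PGP-encrypted, the headers are not.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby imap.recipient.example; Mon, 14 Nov 2016 10:02:11 +0000
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
\tby mx.recipient.example; Mon, 14 Nov 2016 10:02:09 +0000
Received: from laptop.home.example (unknown [192.0.2.44])
\tby relay.provider.example; Mon, 14 Nov 2016 10:02:05 +0000
From: Alice <alice@provider.example>
To: Bob <bob@recipient.example>
Date: Mon, 14 Nov 2016 10:02:03 +0000
Subject: Meeting on Thursday
User-Agent: ExampleMail/1.0

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

def visible_metadata(raw):
    """Return everything readable without the recipient's private key."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received header, so reverse to get send order.
    for line in reversed(msg.get_all("Received", [])):
        words = line.split()
        sender = words[words.index("from") + 1] if "from" in words else "?"
        receiver = words[words.index("by") + 1].rstrip(";") if "by" in words else "?"
        hops.append((sender, receiver))
    body = msg.get_payload()
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "date": msg["Date"],
        "subject": msg["Subject"],
        "client": msg["User-Agent"],
        "hops": hops,
        "body_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }

if __name__ == "__main__":
    for field, value in visible_metadata(RAW).items():
        print(f"{field}: {value}")
```
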
The downside to things like PGP and OTR is that you can lose communications. OTR has forward secrecy in that even if you have the key you can’t go back and get into previous communications after a while. So if your IM client doesn’t log somewhere unencrypted then you lose the records of things you’ve said (you can log to an encrypted disk partition as an option). PGP doesn’t have this feature but does mean you can’t read communications secured with that key if you lose it. So if you lose your PGP key then all your communications, all your personal words and pictures and things from friends secured with it in your inbox are gone – there’s basically no way to decrypt those and get them back until technology advances enough to break into them (don’t bet on this being too soon).
End Service / Recipient
Something that the previous sections have sort of mentioned is the security of your communications on the wire is one thing, but security and prevention of surveillance also depend upon what your end service and recipient do with the data you give them.
Other users will keep your IMs and emails forever, probably saved onto a harddisk of a machine that you hope is being patched and kept up to date, maybe backed up onto USB sticks, maybe saved into the cloud. You have to work out what sort of things you want to say to what sorts of people based on how well they store their data.
Large organisations that operate inside the UK are going to comply with the Government’s bulk data harvesting. Furthermore places like social media sites are already doing their own bulk data harvesting and generating of user link graphs and all kinds of things purely because that is their business model – harvesting your data and selling it to advertisers.
All organisations may also store data insecurely, and may get compromised themselves. Leaks of data and account details are a part of life these days depressingly.
So, whirlwind tour of people who know more than me, and general suggestions that security is about compromises and about working out what you’re comfortable sharing where (e.g. maybe decide to just keep Facebook for petitions and amusing cat pictures and transmit awesome photos or personal commentary over email or secure enough IM), and getting informed about the issues and where the risks are.
If you want to reduce your visibility in bulk surveillance then look at how you use the net – browsing, chatting, emailing, playing games. Keep all your devices patched and don’t neglect mobile devices. Mask your data through a VPN, or TOR, use end to end security with HTTPS, OTR, and PGP. Don’t forget about your DNS traffic. Find an IM method that gives a good enough balance of privacy/security for the data you put on it. Sign your emails with PGP and encourage other people to do the same (you can sign but not encrypt to help people get used to seeing it and provide proof you’re not spoofing).
If you feel competent then try and run a service for yourself, if not try and research and find out which providers are going to give you the risk reduction you feel comfortable with.
Encourage other people to talk about privacy and join the Open Rights Group :)