Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
Date: Mon, 02 Jun 2014 13:27:57
Message-Id: CAGfcS_=LiZGETvJjVb-rau=MkrYQTXRSvUYH3M_A1DUoF0L-bA@mail.gmail.com
In Reply to: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet? by Dale
On Mon, Jun 2, 2014 at 8:06 AM, Dale <rdalek1967@×××××.com> wrote:
> Now that is wicked. Like I said, this could get crazy.

Meh. I don't encrypt my disks for desktops at home. My Chromebook
comes encrypted out-of-the-box (no doubt the NSA can have it unlocked
on request). If I had any other laptops I'd probably use full-disk
encryption of some kind on them.

My threat model for disk encryption is that somebody steals my laptop
and wants to rummage for passwords/credit card numbers/etc. If they
stole my desktop they'd probably give up when they find the data is
stored on btrfs in raid1 mode, and even the vanilla ext4 backup disk
probably would deter them, but if they're stealing my desktop they're
probably stealing my passport, birth certificates, and all that other
good stuff anyway.

As far as the NSA sending Ninjas through the windows goes, I really
see the threat there as having two levels. One is that the NSA does
pervasive monitoring of virtually everything they can get their hands
on to look for trends/etc. The other is that the NSA has a specific
interest in you, for whatever reason.

For general NSA monitoring simply using https/TLS/etc is about as good
as you're going to get. Chances are they aren't interested in
attacking your PC due to the economics of it, and if they use
zero-days widely there is a risk of them being detected (and thus the
bug they exploit gets fixed and they have to find another). They
probably read any unencrypted packets that go through a router at any
of the big choke points - probably a substantial part of the total
volume crossing the internet. They probably do not store most of that
data - they look for whatever they look for and discard the rest.
They probably have root on major service provider networks (either
with or without cooperation), so they're reading your
Gmail/Facebook/etc, so they really don't care if you use https to
connect to those services.

If you're a target of interest then the gloves come off, depending on
just how interesting you are. Most likely you're going to be targeted
for a remote exploit with professional management of a rootkit on your
devices. All your network traffic might be captured and retained. If
you're really interesting they might send the ninjas at night. You
get all those nice value-added services like pre-installed rootkits in
any hardware you buy, probably from any vendor as long as it passes
through a country that is US-friendly (which is just about
everywhere).

If you're looking to evade general monitoring your best bet is to not
communicate with anybody who isn't as paranoid as you are. You
probably should refrain from posting on lists like this one, as they
are recording the people you correspond with to determine what sort of
person you are. Honestly, you're best off not using the Internet at
all, since there isn't anybody you can talk to who won't leak
everything to the NSA unwittingly. However, the reality is that most
of us are pretty boring, so the NSA probably doesn't care what we do.

If you're looking to evade specific monitoring then I don't know what
to tell you. They targeted the Iranian uranium enrichment program and
that was behind a sneakernet. I suspect that they have different
levels of effort for various targets. For example, Snowden revealed
that the NSA looks to root boxes belonging to sysadmins who have
access to services they're interested in - so if they wanted to poke
around on the Gentoo forum logs to find IPs they might look to root
members of infra, even though the members of infra aren't of interest
otherwise. I run a tor relay and I wouldn't be surprised if they
rooted my box as a result - rooting all the tor relays would allow
them to de-anonymize tor completely. Sure, you can wire up the door
to drop your server in a vat of acid, but that doesn't help if they
have a zero-day for your server.

Honestly, I just don't worry about it. If they want to root me, I
doubt worrying about it is going to change anything. I'd rather they
didn't, or if they are going to do it anyway I wish that I could
just ask them to send me a copy of my data so that I could stop
worrying about running my own backups.

Rich