| 1 |
On Mon, Jun 2, 2014 at 8:06 AM, Dale <rdalek1967@×××××.com> wrote: |
| 2 |
> Now that is wicked. Like I said, this could get crazy. |
| 3 |
|
| 4 |
Meh. I don't encrypt my disks for desktops at home. My Chromebook |
| 5 |
comes encrypted out-of-the-box (no doubt the NSA can have it unlocked |
| 6 |
on request). If I had any other laptops I'd probably use full-disk |
| 7 |
encryption of some kind on it. |
| 8 |
|
| 9 |
My threat model for disk encryption is that somebody steals my laptop |
| 10 |
and wants to rummage for passwords/credit card numbers/etc. If they |
| 11 |
stole my desktop they'd probably give up when they find the data is |
| 12 |
stored on btrfs in raid1 mode, and even the vanilla ext4 backup disk |
| 13 |
probably would deter them, but if they're stealing my desktop they're |
| 14 |
probably stealing my passport, birth certificates, and all that other |
| 15 |
good stuff anyway. |
| 16 |
|
| 17 |
As far as the NSA sending Ninjas through the windows goes, I really |
| 18 |
see the threat there as having two levels. One is that the NSA does |
| 19 |
pervasive monitoring of virtually everything they can get their hands |
| 20 |
on to look for trends/etc. The other is that the NSA has a specific |
| 21 |
interest in you, for whatever reason. |
| 22 |
|
| 23 |
For general NSA monitoring simply using https/TLS/etc is about as good |
| 24 |
as you're going to get. Chances are they aren't interested in |
| 25 |
attacking your PC due to the economics of it, and if they use |
| 26 |
zero-days widely there is a risk of them being detected (and thus the |
| 27 |
bug they exploit gets fixed and they have to find another). They |
| 28 |
probably read any unencrypted packets that go through a router at any |
| 29 |
of the big choke points - probably a substantial part of the total |
| 30 |
volume crossing the internet. They probably do not store most of that |
| 31 |
data - they look for whatever they look for and discard the rest. |
| 32 |
They probably have root on major service provider networks (either |
| 33 |
with or without cooperation), so they're reading your |
| 34 |
Gmail/Facebook/etc, so they really don't care if you use https to |
| 35 |
connect to those services. |
| 36 |
|
| 37 |
If you're a target of interest then the gloves come off, depending on |
| 38 |
just how interesting you are. Most likely you're going to be targeted |
| 39 |
for a remote exploit with professional management of a rootkit on your |
| 40 |
devices. All your network traffic might be captured and retained. If |
| 41 |
you're really interesting they might send the ninjas at night. You |
| 42 |
get all those nice value-added-services like pre-installed rootkits in |
| 43 |
any hardware you buy, probably from any vendor as long as it passes |
| 44 |
through a country that is US-friendly (which is just about |
| 45 |
everywhere). |
| 46 |
|
| 47 |
If you're looking to evade general monitoring your best bet is to not |
| 48 |
communicate with anybody who isn't as paranoid as you are. You |
| 49 |
probably should refrain from posting on lists like this one, as they |
| 50 |
are recording the people you correspond with to determine what sort of |
| 51 |
person you are. Honestly, you're best off not using the Internet at |
| 52 |
all, since there isn't anybody you can talk to who won't leak |
| 53 |
everything to the NSA unwittingly. However, the reality is that most |
| 54 |
of us are pretty boring, so the NSA probably doesn't care what we do. |
| 55 |
|
| 56 |
If you're looking to evade specific monitoring then I don't know what |
| 57 |
to tell you. They targeted the Iranian uranium enrichment program and |
| 58 |
that was behind a sneakernet. I suspect that they have different |
| 59 |
levels of effort for various targets. For example, Snowden revealed |
| 60 |
that the NSA looks to root boxes belonging to sysadmins who have |
| 61 |
access to services they're interested in - so if they wanted to poke |
| 62 |
around on the Gentoo forum logs to find IPs they might look to root |
| 63 |
members of infra, even though the members of infra aren't of interest |
| 64 |
otherwise. I run a tor relay and I wouldn't be surprised if they |
| 65 |
rooted my box as a result - rooting all the tor relays would allow |
| 66 |
them to de-anonymize tor completely. Sure, you can wire up the door |
| 67 |
to drop your server in a vat of acid, but that doesn't help if they |
| 68 |
have a zero-day for your server. |
| 69 |
|
| 70 |
Honestly, I just don't worry about it. If they want to root me, I |
| 71 |
doubt worrying about it is going to change anything. I'd rather if |
| 72 |
they didn't, or if they are going to do it anyway I wish that I could |
| 73 |
just ask them to send me a copy of my data so that I could stop |
| 74 |
worrying about running my own backups. |
| 75 |
|
| 76 |
Rich |
Archives