I've been asking myself this question for the better part of the past 48 hours as the revelations of the latest Snowden release and Spiegel report have started to sink in, and I'm terrified.
The report is lengthy, but a fantastic source of information. If you haven't read it, then here's a summary of the incredibly terrifying reveals:
VPNs, trusted by companies and individuals worldwide for a secure and encrypted tunnel, are basically worthless. The agency's program was expected to decrypt 100K VPN connections an hour by the end of 2011. It's 2014.
SSH can sometimes be decrypted by NSA programs. SSH is used by both people and machines to securely speak to computers.
HTTPS (SSL), the technology we all use and trust(ed) to browse the web "securely," was found to be one of the most trivial tasks for the NSA to crack and snoop on information.
The people who are meant to be protecting the internet standards are most likely being influenced by NSA agents: "(...) agents travel to the meetings of the Internet Engineering Task Force (IETF) (...) to gather information but presumably also to influence the discussions there."
The NSA "(...) intercept[s] computers on the way to their targets, open[s] them and insert[s] spy gear before they even reach their destination, a process they call interdiction." Igor Skochinsky demonstrated a few months back the backdoors that exist in your processor. (Memory scrambling included to cover their tracks).
Any single one of those points would be terrifying on its own. Together they paint a picture of a very insecure web and application experience for the average user.
There are a few key points of comfort to take away from the report.
TrueCrypt has given the NSA "major" problems. While development was abandoned last year, it remains secure and there has been talk of new people picking up where the old team left off.
TOR, used with certain other tools, has proved to be catastrophic in their search for information. TOR, luckily, is now fairly accessible. The more difficult part for the average user is proper setup and use.
Advanced Encryption Standard (AES), for now, also has remained difficult, although they are actively working on techniques. Difficult does not mean impossible either.
OTR, or Off-the-Record instant messaging encryption standard, is mentioned as having no decrypt available.
PGP is still safe. They have yet to be able to decrypt one of the most widely used end-to-end encryption standards -- most often used in email. (You can find my public key here.)
ZRTP, used for voice calling in apps like RedPhone, is still safe and they have not been able to crack it.
One MAJOR point to remember with all of these protocols: the report states, "Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed."
Open source advocates have been saying this for decades, but this serves as a very stark lesson in how important it is to trust open source communities over corporations. Corporations like Apple, Google, Microsoft, Facebook, and 5 others are confirmed to have data accessed (trivially, as the report states) by the NSA.
Although the 6 fantastic technologies listed above have proven to be major impediments to their efforts, they don't cover a LOT of use cases.
HTTPS and VPN insecurity should by far be the most concerning for the majority of people. Each person probably uses HTTPS alone (unknowingly) a few hundred times a day (SSL/TLS handshake).
Sure, I and others with solid technology backgrounds can connect through the TOR network, encrypt every single email with PGP, keep our drives encrypted with TrueCrypt, and use OTR protocols for our IMs --- but what about the billions of casual web browsers? Do they no longer deserve their right to privacy because they didn't have these skills? Even in my own life, what if I just want to log onto my banking portal without them sniffing my password? What technologies can replace these to give us our basic right to privacy back? Now that we know, where do we go from here?
Find an inaccuracy? Agree? Disagree? I'm on Twitter @codelitt or in the comments.