What IS still probably unreadable by NSA/GCHQ, if anything? (Guesses?)

Started by kylie, September 06, 2013, 03:57:45 AM


kylie

     Not here for the politics just now...  Just wondering if anyone really thinks they know.  If all the recent reporting based on Snowden documents is based on reports of actual government capabilities, then what is likely to still be secure?  I must admit this article struck me a little given the recent discussion of switching Elliquiy to all HTTPS, as well.  For example:

Quote: The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

     British intel claims that since 2010, they have gained unprecedented levels of access to previously unreadable, encrypted material from Hotmail, Google, Yahoo and Facebook.  Combined with wiretaps of fiberoptic cables, this makes for a huge trove of info that the users believed was secure.

     NSA hosts a standards agency used to vet software for US government use, which in fact inserts backdoors into encryption software.  Moreover, NSA receives info on the design of other common encryption software -- and sometimes forces the addition of vulnerabilities -- through "industry relationships."

Quote: "Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

     Snowden has said that certain unspecified, strong encryption systems are still effective IF the computers using them are generally well-secured as a unit.

.....   So if all this is true, what would strong encryption entail?  What is generally safe, if not HTTPS and not necessarily those shopping sites holding your bank account or those large providers holding your email?  Ahem.
     

kylie

     Realized after that, the Guardian also did a side column on security recommendations.

Still, would be interested in simpler recommendations (or other software packages that suit their broad recommendations), which people might know.

Mostly, I'm curious whatever is still actually safe -- or more safe.
     

Tamhansen

Tbh there's quite a bit of doubt that anything is safe from government agencies. Though Prism might be limited, I'd be surprised if there aren't at least five or six back up programmes.

A good point he makes. Write sensitive information on an unconnected device. Encrypt and send. But even then if they'd want the info they'd get it.

The reality is, you can be paranoid about this, but the NSA simply doesn't care about 99% of the info on the net. Or rather they don't have the resources to care. So your info is quite likely safe, simply because it doesn't meet their criteria, and gets dumped.

If you really want to avoid detection, go back to pen and paper

One other tip I always give people is, make it expensive as hell for them to get your info. One simple way to do that is by creating as much traffic as you can. If people start doing this en masse, it will become less cost effective for agencies to gather data.

Inkidu

Quote from: Katataban on September 06, 2013, 06:47:36 AM
Tbh there's quite a bit of doubt that anything is safe from government agencies. Though Prism might be limited, I'd be surprised if there aren't at least five or six back up programmes.

A good point he makes. Write sensitive information on an unconnected device. Encrypt and send. But even then if they'd want the info they'd get it.

The reality is, you can be paranoid about this, but the NSA simply doesn't care about 99% of the info on the net. Or rather they don't have the resources to care. So your info is quite likely safe, simply because it doesn't meet their criteria, and gets dumped.

If you really want to avoid detection, go back to pen and paper

One other tip I always give people is, make it expensive as hell for them to get your info. One simple way to do that is by creating as much traffic as you can. If people start doing this en masse, it will become less cost effective for agencies to gather data.
Because humans have never had a history of escalation in anything. :3

Yeah, it might make it cost-ineffective, or it might cause them to create some kind of new data-gathering program. I always bank on the latter.

Vekseid

The NSA doesn't intercept gmail by talking to Google. They intercept nearly all e-mail by sitting on transit providers.

This also means that if we switched to https, the NSA or other monitoring agencies could still read private messages and threads if they got sent out in notices. I could turn that off, too, but people like that ability even if they keep responding to the mails directly.

There ought to be a push for encryption on the relay level, but so far that hasn't been on the table yet.

Quote from: kylie on September 06, 2013, 03:57:45 AM
     Not here for the politics just now...  Just wondering if anyone really thinks they know.  If all the recent reporting based on Snowden documents is based on reports of actual government capabilities, then what is likely to still be secure?  I must admit this article struck me a little given the recent discussion of switching Elliquiy to all HTTPS, as well.  For example:

     British intel claims that since 2010, they have gained unprecedented levels of access to previously unreadable, encrypted material from Hotmail, Google, Yahoo and Facebook.  Combined with wiretaps of fiberoptic cables, this makes for a huge trove of info that the users believed was secure.

     NSA hosts a standards agency used to vet software for US government use, which in fact inserts backdoors into encryption software.  Moreover, NSA receives info on the design of other common encryption software -- and sometimes forces the addition of vulnerabilities -- through "industry relationships."

     Snowden has said that certain unspecified, strong encryption systems are still effective IF the computers using them are generally well-secured as a unit.

.....   So if all this is true, what would strong encryption entail?  What is generally safe, if not HTTPS and not necessarily those shopping sites holding your bank account or those large providers holding your email?  Ahem.
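
The relay-level gap described in Vekseid's post above can be checked on any delivered notification mail by reading its Received headers. This is an added example, not part of the original thread: the message, host names and addresses are constructed, and the TLS keywords are the "with" values registered in RFC 3848.

```python
import email
import re

# Constructed sample (not from the thread): a forum notification mail.
# Received headers are prepended, so the newest hop is listed first.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
    by mailstore.recipient.example with ESMTPS id c3;
    Fri, 06 Sep 2013 04:00:05 +0000
Received: from relay.transit.example (relay.transit.example [198.51.100.9])
    by mx.recipient.example with ESMTP id b2;
    Fri, 06 Sep 2013 04:00:03 +0000
Received: from forum.example (forum.example [192.0.2.10])
    by relay.transit.example with ESMTPS id a1;
    Fri, 06 Sep 2013 04:00:01 +0000
From: notices@forum.example
To: user@recipient.example
Subject: New private message

(text of the private message)
"""

# "with" keywords that record a TLS-protected hop (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(
    r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S | re.I)

def relay_hops(raw):
    """Return the hops in delivery order with the protocol each relay recorded."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if m is None:
            # Unparseable header: report the hop as unprotected, do not skip it.
            hops.append({"from": None, "by": None, "with": None, "tls": False})
            continue
        proto = m.group(3).upper()
        hops.append({"from": m.group(1), "by": m.group(2),
                     "with": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw):
    """Hops where the message body crossed the network without TLS."""
    return [(h["from"], h["by"]) for h in relay_hops(raw) if not h["tls"]]

if __name__ == "__main__":
    for sender, receiver in plaintext_hops(SAMPLE):
        print(f"unencrypted hop: {sender} -> {receiver}")
```

Each relay writes its own Received line and an earlier hop can forge the ones below it, so the result is only evidence for hops handled by servers you trust.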

kylie

    Curious, do you still think it would be useful to switch to https across the board? 

Does that bring other improvements, or is it worthwhile just to keep some people from snooping, perhaps at the easiest level?
     

Vekseid

It stops e.g. Firesheep at coffee shops, bypasses non-dns based censorship (and your hosts file can handle that), etc.

susiesparkle

Realistically? Nothing.


About the only way to ensure data are unreadable is to physically destroy the disk on which it is written. Even that isn't entirely foolproof; it's conceivable that one could reverse engineer the contents through manually reading the state of each part of the disk and gradually piecing it together.


The only way to ensure data doesn't get into the wrong hands is to not store it in the first place.


You can't read data that doesn't exist.


That isn't to say things like https and disk encryption are useless. They'll certainly render information unreadable to your average thief, so such technologies are still worthwhile. And they will in general at least slow down these alphabet agencies a little. Any delay is useful if it could mean the difference between capture and escape.

Tamhansen

Quote from: Inkidu on September 06, 2013, 07:38:39 AM
Because humans have never had a history of escalation in anything. :3

Yeah, it might make it cost-ineffective, or it might cause them to create some kind of new data-gathering program. I always bank on the latter.

It doesn't really matter what data gathering they use. The more info that's out there the more resources are needed to sift through it. And in the end the NSA, like any other government branch, needs to show that their expenses are validated by result.

Even the search for terrorists has its limits. Don't believe for a second that the government will 'spare no expense'. After all, spending money on your safety will anger the fiscal conservatives.

But as I said earlier: yes, the NSA can read your e-mail, your posts on Elliquiy, and even, if they really wanted to, your diary. But the result isn't worth the expense, so unless you're planning a terrorist attack or assassinating the president, the info just gets stored until the servers are filling up, and then flushed.

Cheka Man