Many people today are living in surveillance states with weak citizen protection and persecution of citizens who blow the whistle on state wrongdoing, rapid erosion of privacy, criminalisation of failure to turn state informer, or even counselling resistance, and attacks on the free press, all without oversight by the public.
That’s Australia. Things are worse in Yemen, India, China, Russia, Saudi Arabia, etc. I’ll go ahead here and say that I think that on balance strong encryption is a good idea to have in society as one bulwark against surveillance societies and also for just plain safety of business communication. In practice, we all use consumer-grade encryption, even the army. There are some interesting options for solidarity in software designers, as Eleanor Saitta points out, or you might say, design challenges stringent enough that our quisling tech sector will be unlikely to rise to them.
🏗 link to particular risks for each state.
For any of these anti-journalist states, you need hardcore security.
Firstly avoid corporate surveillance
Patrick Meier, How to use Facebook if you are a repressive regime. Bear in mind that even in notionally democratic regimes, Facebook provides your data to the police without warrants.
What you might use to get around this
EFF’s Surveillance Self Defense course is a good starting point.
They talk you through the theory and practice of different types of security, modelling the risks you face and trying to minimise them for different scenarios.
Maciej Cegłowski observes, discussing the related problem of securing political campaigns:
Campaigns have small budgets and operate in an unusually hostile environment. Not only are there people whose job it is to attack campaigns, but those people enjoy their work, get a government pension when they retire, and live happy, fulfilled professional lives.
I presume (hope?) he’s talking about hostile foreign actors but who knows these days?
OK, there is a lot to do, but let’s start with the basics. First, minimise your exposure to corporate surveillance.
Next you probably want to lock down your computer. Maybe lock one down a little bit and also get a second, hardcore locked-down computer for your secret stuff.
You need to fix this to avoid getting profiled in the first place. Constantly leaking info if you don’t kick it in the pants. See DNS servers.
There’s a lot of fiddling in ssh.
To secure it in particular, you need to get rid of 1024-bit DH keys (sigh). The NSA is reading your comms if they use keys shorter than 2048 bits.
researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. […] In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.
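One way to check an SSH server for the short Diffie-Hellman groups discussed above, as an added example that is not from the original post or from OpenSSH. The function names and sample inputs are constructed for illustration, and the moduli size field is taken to be bits minus one, as in the moduli files OpenSSH ships.

```python
MIN_BITS = 2048  # threshold from the text above
# Fixed-group key exchanges and their prime sizes in bits (RFC 4253, RFC 8268)
FIXED_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group16-sha512": 4096,
}

def weak_kex(sshd_config, min_bits=MIN_BITS):
    """Return KexAlgorithms entries whose fixed DH prime is below min_bits."""
    weak = []
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "kexalgorithms":
            continue
        value = parts[1].strip()
        if value.startswith("-"):  # a leading '-' removes algorithms
            continue
        for name in value.lstrip("+^").split(","):
            # Names not in the table (curve25519, group-exchange) are not flagged here
            if FIXED_GROUP_BITS.get(name.strip(), min_bits) < min_bits:
                weak.append(name.strip())
    return weak

def filter_moduli(moduli, min_bits=MIN_BITS):
    """Return (lines to keep, number of short primes dropped) for moduli(5) text."""
    keep, dropped = [], 0
    for line in moduli.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            keep.append(line)  # preserve comments and blank lines
        elif int(fields[4]) + 1 >= min_bits:  # size field is stored as bits - 1
            keep.append(line)
        else:
            dropped += 1
    return keep, dropped

# Constructed sample inputs (moduli hex truncated; not real primes)
SAMPLE_CONFIG = "KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1\n"
SAMPLE_MODULI = (
    "# Time Type Tests Tries Size Generator Modulus\n"
    "20240101000000 2 6 100 1023 2 F0E1\n"
    "20240101000000 2 6 100 2047 2 D2C3\n"
    "20240101000000 2 6 100 4095 5 B4A5\n"
)

if __name__ == "__main__":
    print("weak KEX:", weak_kex(SAMPLE_CONFIG))
    print("moduli (kept lines, dropped):", filter_moduli(SAMPLE_MODULI))
```

The group-exchange key exchanges pick their prime from the moduli file, which is why the second function filters that file rather than the algorithm list.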
USB is another security nightmare. See e.g. BadUSB
(explanation for the busy).
One imagines that if the DIY world can so readily destroy you via USB then the
state actors are pretty good at it.
Oh, Thunderbolt is broken too.
Essentially, peripherals are a disaster.
Countering such attacks? USB condoms such as
USG could probably help if you need to
use USB, which you do.
That is, if you don’t mind carrying a large, inconvenient device whose job is to
reduce the functionality and speed of your peripherals.
Few of us feel like we are likely enough to be targeted that this is worth
doing, although as the cost of these attacks drops lower,
that might change.
Hardened Desktop OS
See hardened OSes.
See hardened smartphones.
The future will ruin fashion! One day vintage will mean something different.
Confuse automated surveillance by being weird (while at the same time attracting non-automated surveillance). I have mixed feelings about this. Effective? Practical? 🤷‍♂️ Fun? 🤘
How can you keep your data secret if a state actor is compromising the very hardware of the servers that store your information, or if network security in general is just a disaster because of terrible and ubiquitous decisions? NB even if you don’t buy the Bloomberg article, there’s no reason to suppose it won’t eventually be true.
- Don’t leave your computer unattended, because things like PoisonTap mean that anyone who can get to your USB port can log on to your websites.
- Do you really need Bluetooth? It’s probably not secure; turn it off if you don’t.
- Prism break is a chaotic jumble of solutions for secure communication. Excellent reference, although it really needs to incorporate some idea of how popular their suggested solutions are; after all, most of these things are only of any damn use if your friends also use ’em.
- Quick guide to the basics of encryption (or how about one with stick figures)