Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve

PRISM: Staying Under the Radar

Turn yourself into a needle in a stack of needles.


Get It

Try It

The biggest danger through PRISM, said Edward Snowden, is getting caught in the sights of the NSA. The NSA will collect data on everything. And everyone. Everywhere. They'll even transcribe voice communications and index them.

That's a lot of data. The long term danger is they have the data and won't be getting rid of it anytime soon. Their Bluffdale complex will hold half the universe.

And if they ever get you on the radar, you'll be cooked whether you think you did anything 'wrong' or not.

But first they have to get you on the radar. They have to notice you. There's just too much data out there otherwise. Of course they have search filters to look for the more common telltale signs - if you're part of one of the infrequent terrorist groups that pop up.

But make no mistake. And don't listen to charlatans like Eric Schmidt who insist that you have nothing to fear if you've done nothing 'wrong'. At the end of the day, it's not about that at all. It's about the data being out there in the first place. It's about your privacy. In the US, it's about abiding by amendments to the constitution.

You have a right to your privacy.

The Ugly Nine

People read your email. Not just the recipients. A lot of other people can read it. System admins at your ISP or your webmail provider can read it. There are cases on record where 'private' correspondence has been sold to commercial interests.

But nothing goes up against the Ugly Nine: the corporations known to cooperate with the NSA and let them in at a very low level - below and before any encryption.

AOL Apple Facebook Google Microsoft PalTalk Skype Yahoo YouTube

That's not fully nine independent corporations. YouTube is a part of Google. Skype is a part of Microsoft. Some of these nine corporations - AOL, Apple, Google, Microsoft, Yahoo - have webmail and other cloud services.

You need to get away from these corporations. Get far away. Someone might recommend using GPG or PGP and staying where you are, but as Julian Assange pointed out, that can get you on the NSA radar pretty fast.

ES: I mean you have a staff. You have to talk to them.
JA: Yeah.
ES: Call them? I mean I assume you can do email and all that, no?
JA: I don't use email.
ES: Why not, because it's...?
JA: Too dangerous. And encrypted email is possibly even worse, because it is such a flag for end point attacks.

Microsoft, Skype, Hotmail, Live, Outlook, et al

Be especially suspicious of Microsoft. Not only is their lack of security legendary, but they're colluding with the NSA in a very special way - giving the NSA access to your Skype traffic under your encryption layer.

But be suspicious of them all. Yahoo? Already notorious. Google, Gmail, and YouTube? Don't be evil? AOL? You'd think most people would know by now. They're all members of the 'Ugly Nine'. And new members may be recruited at any time.

So what do you do? You get out of the mainstream. Get out of the US. Stay under the radar by choosing a more discreet webmail service. Most important of all: choose a webmail service that doesn't require a data trail. Don't choose a paid service - your credit card is a data trail. Don't choose a service that wants a previous email address somewhere else. And don't connect with anything but Tor.



Apple's services are of course also out of the question. They also have that huge data centre in North Carolina on its way. App Store customers are stuck with it, iTunes users are stuck with it, and Apple developers are stuck with it. As if they don't already have enough on their plate.

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

The 'intruder' might not be able to 'access' 'encrypted' data, but don't count on the NSA being as helpless. So Apple fans must consider themselves under surveillance. Most will ignore and ask for Kool-Aid refills, but still the same.

Get Off Windows!

Truer words were never spoken. They're repeated year after year after year. Almost every concerned white hat security expert in the world has unequivocally condemned Windows - and not just for its current condition, but for its endemic weaknesses, being an 'ad hoc' system not built for Internet use and not built with security in mind.

Windows has no security model built into its architecture, no overriding fundamental principle for security. It's impossible to implement security 'after the fact' with a system not built with it in mind. The exercise becomes in such case a type of 'Keystone Kops' comedy, with Microsoft chasing the 'bad guys' inside their perimeter where no self-respecting operating system would ever allow them to be in the first place.

Most of the technology revealed by WikiLeaks on 1 December 2011 applies primarily (or exclusively) to Windows machines with their renowned vulnerabilities. It's much more difficult to attack an OS X box or a Linux box remotely.

Apple's OS X might have its foibles, as Apple's infamous 'user experience engineers' are continually hatcheting away at security in the name of 'user friendly', but OS X is still a Unix (a FreeBSD).

Perhaps the most secure box of all would be a DIY Linux or FreeBSD where you inspect the source code yourself and build your own kernel and utilities. Most people will of course not go this route.

Stay Out of Scandinavia!

Rick Falkvinge and the Swedish Pirate Party made a big deal of this at the time: Sweden's infamous 'Lex Orwell' legislation.



The Swedish FRA law (aka 'Lex Orwell') gives the Swedish signals surveillance agency FRA the official right to pick up all traffic passing over Swedish borders. Most experts realise the FRA had been doing this all along, albeit surreptitiously. The FRA law now gives them the official right to do it - the law makes it 'legal'.

Most Russian traffic passes through Sweden. This traffic is then 'sold' to the NSA.

But all traffic entering or exiting Sweden is picked up in much the same way the NSA and Britain's GCHQ do.

GPG or PGP encryption might help, but again, as Julian Assange pointed out, that in itself might put you on the radar.

[Of course there's a tipping point when most Internet users begin using encryption. But the world isn't anywhere near there yet. And may never be.]

Spilt Milk

There's nothing can be done with what's already out there. There's no point in deleting all your webmail messages. The NSA already have them. And don't try to find comfort in the lie that your government won't spy on you because of some obscure piece of legislation. The NSA aren't officially allowed to spy on US citizens. But they still do. The GCHQ aren't supposed to spy on British citizens either. But the NSA and GCHQ often spy on each other's citizens and then exchange the data.

Edward Snowden recently made the sensational claim that he could spy on the president of the United States if he wanted. His claim was widely refuted and debunked in government circles. But of course it turned out he was right.

Snowden Quotes

Something to ponder as you start reorganising your digital life.

  1. 'The majority of people in developed countries spend at least some time interacting with the Internet, and governments are abusing that necessity in secret to extend their powers beyond what is necessary and appropriate.'
  2. 'I believe that at this point in history, the greatest danger to our freedom and way of life comes from the reasonable fear of omniscient state powers kept in check by nothing more than policy documents.'
  3. 'The government has granted itself power it is not entitled to. There is no public oversight. The result is people like myself have the latitude to go further than they are allowed to.'
  4. 'I can't in good conscience allow the US government to destroy privacy, Internet freedom, and basic liberties for people around the world with this massive surveillance machine they're secretly building.'
  5. 'The NSA has built an infrastructure that allows it to intercept almost everything.'
  6. 'With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife's phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards.'
  7. 'Any analyst at any time can target anyone. Any selector, anywhere. I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge, to even the President.'
  8. 'To do that, the NSA specifically targets the communications of everyone. It ingests them by default. It collects them in its system and it filters them and it analyses them and it measures them and it stores them for periods of time simply because that's the easiest, most efficient, and most valuable way to achieve these ends. So while they may be intending to target someone associated with a foreign government, or someone that they suspect of terrorism, they are collecting your communications to do so.'
  9. 'They're intent on making every conversation and every form of behaviour in the world known to them.'
  10. 'Even if you're not doing anything wrong, you're being watched and recorded. It's getting to the point where you don't have to have done anything wrong, you simply have to eventually fall under suspicion from somebody, even by a wrong call, and then they can use this system to go back in time and scrutinise every decision you've ever made, every friend you've ever discussed something with, and attack you on that basis, to sort of derive suspicion from an innocent life.'
  11. 'Allowing the US government to intimidate its people with threats of retaliation for revealing wrongdoing is contrary to the public interest.'
  12. 'Everyone everywhere now understands how bad things have gotten. And they're talking about it. They have the power to decide for themselves whether they're willing to sacrifice their privacy to the surveillance state.'
  13. 'I do not want to live in a world where everything I do and say is recorded. That is not something I am willing to support or live under.'
  14. 'I don't want to live in a world where there's no privacy, and therefore no room for intellectual exploration and creativity.'
  15. 'I have no intention of hiding who I am because I know I have done nothing wrong.'

No Garden Variety

This isn't your garden variety security breach. It's not some witless company that exposes customer data through URLs. It's not a foolish Apple enhancement that backfires. It's not hidden malware in Debian. It's not one of the myriad Microsoft Windows system flaws turned into a viral malware nightmare.

This is something everyone's considered all along but probably found it better to not think about too much. Social sites and online mail providers (even ISPs) had your data all along, but you counted on them treating it with discretion, on not being evil about it.

Now you find out what's really been going on. Hearing members of the US Senate say it's old hat, that they've always known, is hardly consolation - on the contrary, people are instead justifiably wondering about their duly elected representatives who seem themselves to be part of the conspiracy.

Stay off the big information highways. Avoid the 'Ugly Nine'. Exit your browser regularly, get rid of all cookies, and run a good script for good measure. You should exit and restart Safari, then remove the remaining cookies, then exit and run the script.

These are the Safari locations you want to get to on OS X.

/var/folders/*/*/*/com.apple.Safari
~/Library/Caches/com.apple.Safari/SafeBrowsing.db
~/Library/Caches/com.apple.Safari/Webpage\ Previews/*
~/Library/Caches/Metadata/Safari/*
~/Library/Caches/Safari/*
~/Library/Safari/Databases
~/Library/Safari/Downloads.plist
~/Library/Safari/History*
~/Library/Safari/LastSession.plist
~/Library/Safari/LocalStorage/*
~/Library/Safari/TopSites.plist

Run those targets against 'rm -fr' and send any burps to 2>/dev/null.

Use Tracker to help create cleanup scripts for other browsers. Use the Xfile Test Drive if you're not a registered user.

Staying Under The Radar

So how do you stay under the radar?

  1. Are you on Facebook? GET OFF. NOW.
  2. Get a webmail account you can trust.

A webmail account you can trust does not include anything from Apple, Google, or Microsoft. Or any of the 'nine'. Or anything that looks like a prospective target. You need to get out of North America. Or the UK. Find a small place somewhere.

You'll have to find the sites for yourself. If any site is suggested, the NSA might be onto it in no time.

There are two ways to go about getting secure webmail.

  1. Find a site that doesn't require an external verification.
  2. Find a site that does require one.

You might find sites in category 'B' are nicer to use. No worry: find one in category 'A' first, sign up, then use it as reference for your 'nice site' in category 'B'.

The important thing is there should be no data trails.

Encourage your friends to use the same scheme and same sites. Mail going from one account to another on the same site will rarely get onto the Internet. That makes you safer still.

And consider using GPG/PGP for your mail, but remember the caveats above.

Always Use Tor

Always use Tor for accessing your new webmail sites - especially when signing up.

Some of these webmail services offer up your sender IP for no good reason, so be sure to send mail to yourself so you can see. Check as well what happens when sending mail between two secure providers. And always use Tor to send mail. No one will be able to trace you.

Opt out of static IP with your ISP if you can. Keep track of what your IP is. Some providers change the IP regularly. If yours never changes, then cold boot your router from time to time and then check your IP again.

The following script will give you both your gateway and your public IP.

printf 'Gateway: '; netstat -nr | grep default | awk '{print $2}';
printf ' Public: '; curl -s http://checkip.dyndns.org | awk '{print $6}' | awk 'BEGIN {FS="<"} {print $1}'

Try putting that in a CLIX script. (Yes CLIX is free too.)



So have a good fun summer. Don't be paranoid. But don't be stupid either.

See Also
NY Times: US Secretly Collecting Records of Verizon Calls
Guardian: NSA collecting phone records of millions of Verizon customers daily
Guardian: NSA Verizon Court Order
Guardian: Verizon forced to hand over telephone data - full court ruling
Falkvinge: Told You So: If You Have Been Using A Centralised Comms Service You Were Wiretapped
Guardian: UK gathering secret intelligence via covert NSA operation
Guardian: Glenn Greenwald on Security and Liberty

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.