On Mon, Jun 2, 2014 at 8:06 AM, Dale <[email protected]> wrote:
> Now that is wicked. Like I said, this could get crazy.

Meh. I don't encrypt my disks for desktops at home. My Chromebook comes encrypted out-of-the-box (no doubt the NSA can have it unlocked on request). If I had any other laptops I'd probably use full-disk encryption of some kind on it. My threat model for disk encryption is that somebody steals my laptop and wants to rummage for passwords/credit card numbers/etc. If they stole my desktop they'd probably give up when they find the data is stored on btrfs in raid1 mode, and even the vanilla ext4 backup disk probably would deter them, but if they're stealing my desktop they're probably stealing my passport, birth certificates, and all that other good stuff anyway.

As far as the NSA sending ninjas through the windows goes, I really see the threat there as having two levels. One is that the NSA does pervasive monitoring of virtually everything they can get their hands on to look for trends/etc. The other is that the NSA has a specific interest in you, for whatever reason.

For general NSA monitoring simply using https/TLS/etc is about as good as you're going to get. Chances are they aren't interested in attacking your PC due to the economics of it, and if they use zero-days widely there is a risk of them being detected (and thus the bug they exploit gets fixed and they have to find another). They probably read any unencrypted packets that go through a router at any of the big choke points - probably a substantial part of the total volume crossing the internet. They probably do not store most of that data - they look for whatever they look for and discard the rest. They probably have root on major service provider networks (either with or without cooperation), so they're reading your Gmail/Facebook/etc, so they really don't care if you use https to connect to those services.

If you're a target of interest then the gloves come off, depending on just how interesting you are. Most likely you're going to be targeted for a remote exploit with professional management of a rootkit on your devices. All your network traffic might be captured and retained. If you're really interesting they might send the ninjas at night. You get all those nice value-added services like pre-installed rootkits in any hardware you buy, probably from any vendor as long as it passes through a country that is US-friendly (which is just about everywhere).

If you're looking to evade general monitoring your best bet is to not communicate with anybody who isn't as paranoid as you are. You probably should refrain from posting on lists like this one, as they are recording the people you correspond with to determine what sort of person you are. Honestly, you're best off not using the Internet at all, since there isn't anybody you can talk to who won't leak everything to the NSA unwittingly. However, the reality is that most of us are pretty boring, so the NSA probably doesn't care what we do.

If you're looking to evade specific monitoring then I don't know what to tell you. They targeted the Iranian uranium enrichment program and that was behind a sneakernet. I suspect that they have different levels of effort for various targets. For example, Snowden revealed that the NSA looks to root boxes belonging to sysadmins who have access to services they're interested in - so if they wanted to poke around on the Gentoo forum logs to find IPs they might look to root members of infra, even though the members of infra aren't of interest otherwise. I run a tor relay and I wouldn't be surprised if they rooted my box as a result - rooting all the tor relays would allow them to de-anonymize tor completely. Sure, you can wire up the door to drop your server in a vat of acid, but that doesn't help if they have a zero-day for your server.

Honestly, I just don't worry about it. If they want to root me, I doubt worrying about it is going to change anything. I'd rather if they didn't, or if they are going to do it anyway I wish that I could just ask them to send me a copy of my data so that I could stop worrying about running my own backups.

Rich

