The Living Thing / Notebooks :

Confidentiality online, state surveillance edition

Many people today are living in surveillance states with weak citizen protection and persecution of citizens who blow the whistle on state wrongdoing, rapid erosion of privacy, criminalisation of failure to turn state informer, or even counselling resistance, and attacks on the free press, all without oversight by the public.

That’s Australia. Things are worse in Yemen, India, China, Russia, Saudi Arabia, etc where accessing the open internet is a crime. TODO: link to particular risks for each state.

What you might use to get around this

EFF’s Surveillance Self Defense course is a good starting point.

They talk you through the theory and practice of different types of security, modelling the risks you face and trying to minimise them for different scenarios. I recommend them, especially if you don’t face the same risks that I face.

My own threat model for state surveillance

So, I’m concerned with the recent behaviour of the Australian state. As a bit of largely irrelevant background here, I am not a tinfoil-hat libertarian who thinks that all state power is a priori bad. I think there is a role for police and security services. Indeed, I’m not a fan of acts of terrorism, which are one of the things that can exploit encrypted communication.

At the same time, I think that any power tends to accumulate, including state power, and as such needs to be balanced by checks and oversights. In an in-principle democratic state like Australia, that means democratic oversight, which seems to being ant-mined by the state for partisan convenience. After a series of uses of the Federal Police for partisan political ends, the government has responded by granting themselves increased power to seize information while criminalising public oversight of that power, and consolidating power in the hands of fewer people. This trend suggests it is worth investing in state-resistant infrastructure now, while we still can.

Open source encrypted communications

So, it is harder, for now, for states to inject spyware into open-source systems than into closed commercial ones. Not impossible, mind you, and it will get easier as the backdoor infrastructure improves. Note also that many linux kernels include suspicious closed-source drivers and so on. Anyway, let’s have a look at some in-principle ways to set up open-source communication mechanisms, which we might suppose are at the very least troublesome.

I’m going to dump a bunch of stuff here while thinking it through. These will be nerdy notes, to be whipped into a more pedagogic introduction later..

Security-focussed free software!

(Quotes are taken from distrowatch.com unless otherwise stated

qubes os:

Qubes OS is a security-oriented, Fedora-based desktop Linux distribution whose main concept is “security by isolation” by using domains implemented as lightweight Xen virtual machines. It attempts to combine two contradictory goals: how to make the isolation between domains as strong as possible, mainly due to clever architecture that minimises the amount of trusted code, and how to make this isolation as seamless and easy as possible.

Is this very much better than ordinary hardened distros? Not sure. It certainly burns lots of CPU cycles in maintaining security.

tails:

The Amnesic Incognito Live System (Tails) is a Debian-based live DVD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymised. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace.

Tails is low on features, but that might mean it’s harder to hack. If you don’t mind decreasing your security, you can install extra software.

heads is admirably crazy paranoid and aims to one-up tails

heads is a privacy-focused Linux distribution designed to make it easy for users to access the Internet anonymously using the Tor network. heads is based on Devuan and features only free (libre) software. The Linux kernel has had non-free blobs removed.

However their release schedule is slowish.

linux kodachi

Linux Kodachi is a Debian-based distribution which can be run from a DVD or USB thumb drive. The distribution filters all network traffic through a VPN and the Tor network, obscuring the user’s network location. The distribution attempts to clean up after itself, removing traces of its use from the computer.

Not sure about the provenance for kodachi or the weird build-in VPN. But if it were secure it would be very convenient. possibly install from source would be wise? But that claims to be version 3.7 not the version 5.5 now being distributed. Red flag.

How much do you trust the distro package maintainer though? (Just one guy is credited for e.g. Kodachi.) Would you rather build from source? In principle you can do this for any open source OS, but it’s a right pain in the arse in general. The chain of trust is long with many links.

Distros like Gentoo/funtoo and archlinux support source builds in principle - but they are not setup in secure mode, so you have work ahead of you to get these safe, presuming you are qualified to make them safe.

Gentoo:

Gentoo Linux is a versatile and fast, completely free Linux distribution geared towards developers and network professionals. Unlike other distros, Gentoo Linux has an advanced package management system called Portage. Portage is a true ports system in the tradition of BSD ports, but is Python-based and sports a number of advanced features including dependencies, fine-grained package management, “fake” (OpenBSD-style) installs, safe unmerging, system profiles, virtual packages, config file management, and more.

Funtoo:

Funtoo Linux is a Gentoo-based distribution developed by Daniel Robbins (the founder and former project leader of Gentoo Linux) and a core team of developers, built around a basic vision of improving the core technologies in Gentoo Linux. Funtoo Linux features native UTF-8 support enabled by default, a git-based, distributed Portage tree and Funtoo overlay, an enhanced Portage with more compact mini-manifest tree, automated imports of new Gentoo changes every 12 hours, GPT/GUID boot support and streamlined boot configuration, enhanced network configuration, up-to-date stable and current Funtoo stages - all built using Funtoo’s Metro build tool.

Arch:

Arch Linux is an independently developed, x86_64-optimised Linux distribution targeted at competent Linux users. It uses ‘pacman’, its home-grown package manager, to provide updates to the latest software applications with full dependency tracking. Operating on a rolling release system, Arch can be installed from a CD image or via an FTP server. The default install provides a solid base that enables users to create a custom installation. In addition, the Arch Build System (ABS) provides a way to easily build new packages, modify the configuration of stock packages, and share these packages with other users via the Arch Linux user repository.

DNS

Constantly leaking info if you don’t kick it in the pants. See DNS servers.

SSH

There’s a lot of fiddling in ssh.

To secure it in particular, you need 1024 bit DH keys sigh. NSA is reading your comms with keys shorter than 2048 bits.

researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. […] In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.

There are more steps to secure ssh.

OSs

Use a paranoid, security-first OS such as Qubes, which can even weather, e.g. certain BadUSB attacks.

USB

USB is another security nightmare. See e.g. Badusb Malware: O.MG cable (explanation for the busy), Poisontap, lanturtle usbarmory

Countering it? USB condoms such as USG do a partial job. That is, if you don’t mind carrying a large, slow inconvenient device that only supports a small fraction of the functionality you are used to. Very few of us feel like we are likely enough to be targeted that this is worth doing, although as the cost of these attacks drops to nothing, we might expect that to change.