encrypt it
National Security Agency (NSA)
defending our nation – securing the future
employees: 30,000 – 40,000 (includes 1000 “system administrators”)
budget: $11,000 million (estimate)
director: general Keith B. Alexander, U.S. Army
also known as: No Such Agency, Never Say Anything

NSA Utah data centre
cost: $2,000 M
power cost: $40M per year
area: 100,000m3
100 petaflops
1 yottabyte (estimate)

1 YB = 1000000000000000000000000 bytes = 1000^8 bytes = 10^24 bytes = 1000 zettabytes = 1 trillion terabytes.

those who have nothing to hide have nothing to fear

"the damage, on a scale of 1 to 10, is a 12," a former NSA official, quoted on nbc news, 3rd sept 2013

boundless Informant: the NSA's secret tool to track global surveillance data

at a hearing of the senate intelligence committee in march this year, democratic senator Ron Wyden asked James Clapper, the director of national intelligence: "does the NSA collect any type of data at all on millions or hundreds of millions of americans?" "no sir" replied Clapper.

"The main point I want to underline is that neither I nor the staff of the NSA have any interest in doing anything other than making sure that we prevent terrorist attacks," Obama said at a hastily convened press conference at the White House on 9 August.

… The secret papers that SPIEGEL was able to view show how systematically the Americans attack other states and institutions such as the EU, the International Atomic Energy Agency (IAEA) in Vienna and the United Nations. They show how the NSA infiltrated the Europeans' internal computer network between New York and Washington, eavesdrops from its own embassies abroad and intrudes into the video conference links of UN diplomats. The surveillance is intensive and well organised - and it has little to nothing to do with counter-terrorism.
White House press secretary Jay Carney issued a statement that said the US "is not monitoring and will not monitor" the German chancellor's communications. The Guardian, 10th October

as one slide indicates, the ability to search HTTP activity by keyword permits the analyst access to what the NSA calls "nearly everything a typical user does on the internet".

why does it matter?

the innocent, too, become victims of witch hunts
The McCarthy era in the USA showed well enough that witch hunts against dissenters also take place in (supposedly) free and democratic systems. As is well known, "innocent" people also became victims of the anti-communist terror. Any information about me can fall into the hands of madmen and be used for a witch hunt.

Would you change your behaviour if someone were always looking over your shoulder, every day, 24 hours a day, 7 days a week?
● Would you tell your neighbour what you earn? - or more simply: what do you earn?
● Why do you lock your front door? - or more precisely: why do you close your front door behind you?
● Would you tell everyone when you last had sex? - or more simply: have you had sex today? ... then smile ...
● Have you ever lied to hide something?
● Would you use a nudist beach on holiday or bathe naked? If "no", why not?
● Why would you give up a guaranteed human right? (Note: all of these snooping states have signed the declaration of human rights.)
● Have you had a bowel movement today?
● Would you use a toilet without a door at a motorway service station?
● Do you own a vibrator?
● How much do you have in savings?
● How much was in your pay packet this month? - or today: what was the amount paid out on your payslip?
● Have you ever ....?
● please add ...
●

what can you do?

encrypt it

"encryption works properly implemented strong crypto systems are one of the few things that you can rely on."
Edward Snowden

trust the math
encryption is your friend
use it well, and do your best to ensure that nothing can compromise it. that's how you can remain secure even in the face of the NSA.
Bruce Schneier

encryption and key exchange
● Alice wants to send Bob a secret message
● they need to exchange a “key” in order to encode/decode the message
● there are different ways of doing this

symmetric encryption
[diagram: Alice and Bob; secret message "Dear Bob, I hope..." and ciphertext "564AC768D 83A6570D5 4FFE5648D 65DB2AA90 ….." shown on both sides]

asymmetric encryption
[diagram labels: public-key, Bob, large random number, key generation programme, private key, public key, Alice]

asymmetric encryption
[diagram: Alice and Bob; secret message "Dear Bob, I hope..." and ciphertext "564AC768D 83A6570D5 4FFE5648D 65DB2AA90 ….." shown on both sides]

practical examples
● websites – https
● sending documents – PGP mail
● document storage – Truecrypt
● safe web surfing – TOR
● the best solution....

https
encrypts web pages
there are different ways of exchanging keys, some better than others
RSA is public/private key model but private key is stored on the server and can be discovered
perfect forward secrecy exchanges a random key so that it cannot be discovered

Staying at the forefront of email security and reliability: HTTPS-only and 99.978% availability
Posted: Thursday, March 20, 2014
Posted by Nicolas Lidzborski, Gmail Security Engineering Lead

Your email is important to you, and making sure it stays safe and always available is important to us. As you go about your day reading, writing, and checking messages, there are tons of security measures running behind the scenes to keep your email safe, secure, and there whenever you need it.

Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default.
Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you're using public WiFi or logging in from your computer, phone or tablet.

In addition, every single email message you send or receive—100% of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations.

email encryption
gmail
where is the encryption?
usually Alice to gmail and gmail to Bob
better is Alice to Bob end to end
[diagram labels: Alice, Bob]

pretty good privacy (pgp)
developed by Phil Zimmermann in 1991 and spread freely across the “Internet”
in feb 1993 he was investigated for “munitions export without a licence”
he founded pgp inc, bought by nai and then by symantec
commercial solution
also open pgp or gnu privacy guard gpg
open source solution

truecrypt
● creates a virtual encrypted disk within a file and mounts it as a real disk
● encrypts an entire partition or storage device such as USB flash drive or hard drive
● encrypts a partition or drive where windows is installed (pre-boot authentication)
● encryption is automatic, real-time (on-the-fly) and transparent
● provides plausible deniability, in case an adversary forces you to reveal the password
  ● hidden volume
  ● hidden operating system

Tor Project
Tor was started as the Onion Routing Project of the US Navy. The object was to protect government communications.
The NSA does not like it now.....

Bruce Schneier solution
air gap
• after you install it, don't connect your computer to the internet (even with wireless!)
• don't trust encryption software from big vendors (bitlocker)
• minimum software: open office, pdf reader, text editor, truecrypt, bleachbit
• turn off all autorun
• don't transfer executables if you can avoid it
• use trusted media (that you have bought yourself)
• write once media (cd) better than writeable media like usb stick
• use the smallest devices you can
• encrypt everything

contact
jon@nicholas.ch

links
snowden timeline http://www.heise.de/extras/timeline/
first article in the guardian: http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
tor stinks presentation http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsapresentation-document
NSA against smartphones http://www.spiegel.de/spiegel/print/d-111320266.html
EFF surveillance self-defence https://ssd.eff.org/
truecrypt http://truecrypt.org
tor project http://torproject.org
gnupg http://gnupg.org
gpgmail https://gpgtools.org/
piratenpartei https://wiki.piratenpartei.de/HowTo_Emails_verschlüsseln_mit_PGP_mit_Thunderbird
c't briefgeheimnis http://www.heise.de/artikel-archiv/ct/2014/04/086_Briefgeheimnis
Bruce Schneier – a guide to staying secure, air gaps https://www.schneier.com/essay-450.html https://www.schneier.com/blog/archives/2013/10/air_gaps.html
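
The difference the https slide draws between RSA key exchange and perfect forward secrecy, as an added example that is not part of the original slides. It is a toy Python model: all parameters and function names are constructed for illustration (textbook RSA over two small Mersenne primes, Diffie-Hellman modulo 2^127-1) and are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
RSA_P, RSA_Q, RSA_E = 2**31 - 1, 2**61 - 1, 65537      # two Mersenne primes
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))       # long-lived server private key
DH_P, DH_G = 2**127 - 1, 3                              # toy Diffie-Hellman group


def rsa_key_transport():
    """Client encrypts a fresh session secret to the server's public key."""
    secret = secrets.randbelow(RSA_N - 2) + 2
    recorded = pow(secret, RSA_E, RSA_N)    # ciphertext an eavesdropper can store
    return secret, recorded


def decrypt_recording(recorded, leaked_d):
    """Once the server key leaks, every stored RSA session opens."""
    return pow(recorded, leaked_d, RSA_N)


def digest(value):
    """Hash a public value down to an integer below the RSA modulus."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % RSA_N


def ephemeral_dh():
    """Both sides use throwaway secrets; the RSA key only signs the server's share."""
    a = secrets.randbelow(DH_P - 2) + 1     # client secret, discarded on return
    b = secrets.randbelow(DH_P - 2) + 1     # server secret, discarded on return
    share_a, share_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signature = pow(digest(share_b), RSA_D, RSA_N)      # authentication, not encryption
    client_key = pow(share_b, a, DH_P)
    server_key = pow(share_a, b, DH_P)
    return client_key, server_key, (share_a, share_b, signature)


def signature_valid(recorded):
    """Check the server's signature over its share with the public key."""
    _, share_b, signature = recorded
    return pow(signature, RSA_E, RSA_N) == digest(share_b)


if __name__ == "__main__":
    secret, tape = rsa_key_transport()
    print("RSA transport: leaked key recovers secret:", decrypt_recording(tape, RSA_D) == secret)
    ck, sk, tape = ephemeral_dh()
    print("DHE: keys agree:", ck == sk, "| signature valid:", signature_valid(tape))
    print("DHE: session key appears in recording:", ck in tape)
```

In the second exchange the recording holds only the two public shares and a signature, so a later leak of the server's RSA key lets someone impersonate the server in future but does not reveal past session keys.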