Four ways the Guardian could have protected Snowden – by THE NSA

Spooks' own advice lays out exactly how this crypto wypto hypto thing works


3. How to shift the data securely

It's time for your source to package up the goods to leak: your contact can either use your public key to asymmetrically encrypt the files using PGP or if you've somehow agreed upon a key (typically generated from a pass-phrase) that is utterly secret between you two, then consider symmetric encryption using AES-256.

If this symmetric key falls into the wrong hands, then the jig is up, whereas in asymmetric encryption, you just have to be responsible for your own private key. Having said that, using AES-256 to encrypt your leaked data (once you have it) on removable storage, perhaps steganographically inside a video or TrueCrypt volume, is essential.

Encrypting files, once they've been archived into a zip or tarball for convenience's sake, is just a simple command line away. For symmetric, try:

gpg --output totallyinnocent.txt --symmetric leakedsecrets.pdf

...or for asymmetric, use:

gpg --output totallyinnocent.txt --encrypt --hidden-recipient Friend leakedsecrets.pdf

In the latter case, the source must have added the public key for Friend (that's you) using gpg --import. GnuPG is completely documented.
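The two commands above, run end to end as an added example (not from the article): it pins AES-256 explicitly, because plain --symmetric uses whatever cipher the installed GnuPG defaults to, and it reads the packet headers to show what --hidden-recipient removes from the ciphertext. The key, passphrase, file contents and helper function names are constructed for the demo, and GnuPG 2.x is assumed.

```shell
#!/bin/sh
# Added example: the key, passphrase and "document" below are all constructed.
set -eu

G() { gpg --batch --yes --quiet --no-tty --pinentry-mode loopback "$@" 2>/dev/null; }

cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"; }

setup() {   # isolated keyring and scratch directory; the real ~/.gnupg is untouched
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    WORK=$(mktemp -d); trap cleanup EXIT
    printf 'constructed sample document\n' > "$WORK/leakedsecrets.pdf"
    # Recipient key "Friend" with an empty passphrase: acceptable for a demo only.
    G --passphrase '' --quick-generate-key 'Friend <friend@example.invalid>' default default never
}

encrypt_symmetric() {   # $1 passphrase, $2 input, $3 output; cipher pinned explicitly
    printf '%s' "$1" | G --passphrase-fd 0 --symmetric --cipher-algo AES256 --output "$3" "$2"
}

encrypt_to_friend() {   # $1 is --recipient or --hidden-recipient, $2 input, $3 output
    G --output "$3" --encrypt "$1" Friend "$2"
}

# Packet headers as seen by anyone holding the file; --list-only skips decryption.
packets() { G --list-only --list-packets "$1"; }

symkey_cipher() {   # OpenPGP cipher number in the symmetric packet (9 = AES-256)
    packets "$1" | sed -n 's/^:symkey enc packet:.*cipher \([0-9]*\).*/\1/p' | head -n 1
}

recipient_keyid() {   # key ID written into the public-key packet of the ciphertext
    packets "$1" | sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

demo() {
    setup
    encrypt_symmetric 'constructed passphrase' "$WORK/leakedsecrets.pdf" "$WORK/sym.gpg"
    encrypt_to_friend --recipient "$WORK/leakedsecrets.pdf" "$WORK/named.gpg"
    encrypt_to_friend --hidden-recipient "$WORK/leakedsecrets.pdf" "$WORK/hidden.gpg"
    echo "symmetric cipher number:         $(symkey_cipher "$WORK/sym.gpg")"
    echo "key ID with --recipient:         $(recipient_keyid "$WORK/named.gpg")"
    echo "key ID with --hidden-recipient:  $(recipient_keyid "$WORK/hidden.gpg")"
    echo "decrypted by Friend:             $(G --decrypt "$WORK/hidden.gpg")"
}

if command -v gpg >/dev/null 2>&1; then demo; else echo 'GnuPG 2.x required' >&2; fi
```

A key ID of all zeros means the file itself no longer names the key it was encrypted to; the recipient's gpg simply tries each of its secret keys in turn.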

Of course, you'll need to exchange public keys. To avoid having to rely on encrypted instant messaging systems (such as OTR), publish your public key online, in the open. The first communication you may get from your leaker is an encrypted message from a throwaway email account from a Wi-Fi hotspot, and unfortunately such data is likely to set off triggers within the spooks' internet surveillance systems. The chase will be on immediately.

Once the leaker has encrypted her data, it's time to transfer it. Don't use email. Don't even consider uploading the file to a server across the open web, even if the data is encrypted: with the global internet dragnet in operation, you do not want to accidentally reveal your source by allowing spooks to realise the association between the two of you. (Life is made easier if your source outs himself, like Edward Snowden did, but then life hasn't been easy for him since.)

So consider using Tor, first backed by the US Navy for secure communications and then developed by the Electronic Frontier Foundation (EFF) and others. This is a system that routes connections through a mesh of computers joined up to the Tor network: your connection goes into an entry node, through a randomly selected path, jumping from machine to machine, until it reaches an exit node, which connects to the outside world. The exact path taken is decided by the user's software and cryptographically shielded to prevent someone from tracing you back through the network.

The computer you eventually connect to outside the Tor network will only see a connection from the exit node – and, yes, this node can snaffle your network traffic so that's why we encrypt everything just in case someone compromised it (use a secure VPN if you wish, but that's beyond the scope of this piece).

How Tor works is best described with illustrations, such as the one below from the EFF, which has an excellent guide here.

How Tor works by the EFF

Unfortunately, as noted computer security researcher The Grugq pointed out, the NSA and GCHQ will have all the entry and exit points of Tor covered:

The financial cost of compromising the Tor network is not even a rounding error in a nation state budget. It is the equivalent of a portion of the change found in the couch. Furthermore, Tor is not new. It isn’t as if nation state level adversaries just woke up last week, “holy shit, this Tor thing! We better get on that!”

The trick, in El Reg's opinion, is to get the data transferred before the spooks put a crack team on you and your mole to swipe the keys or otherwise prevent the leak. So, if you're persevering, set up a hidden service, which allows your source to securely connect to your server across the Tor mesh. See, no need to fly a data mule through Heathrow.

4. Using hidden services

Take a clean, secured new PC and hook it up to the internet far away from your other networks; run an SSL-protected web or FTPS server and allow your leaker to anonymously upload files to it, effectively creating your own personal drop box.

Agree on a time and date to do this, and pull the plug once the deed is done. And do this after the source has fled to a country without a US extradition treaty, such as Ecuador.

Then you can transfer the encrypted data, via removable media, to your clean not-networked VM to decrypt with the private key you've kept away from everything. Publish the juicy details before someone can slap an injunction on you, officials turn up and demand some computers are smashed up, or armies of state-sponsored hackers try to raid your setup for all the data you hold.

So that's your air gap. Those are the hoops you need to jump through. You may as well hide some secret encrypted data in a video, put it on a DVD, and post it first class.

And, lest your humble hack hasn't made his point strongly enough, you're up against a nation state, not some credit-card-stealing hacker; even if you don't believe spies can record conversations in rooms using lasers pointed at windows, they have resources.

As The Grugq concluded after the Snowden scandal broke, you're dealing with plenty of unknowns:

Practicing effective counterintelligence on the internet is an extremely difficult process and requires planning, evaluating options, capital investment in hardware, and a clear goal in mind. If you just want to “stay anonymous from the NSA”, or whomever … good luck with that. My advice? Pick different adversaries.

Speaking of which, let's not forget the tech giants holding all our data for years. The big cloud providers know everything about us, although Google and its fellows insist that staff access to netizens' personal data is highly restricted.

As one UK government security staffer complained to El Reg even before the NSA PRISM firestorm kicked off: "You would not believe the hoops we have to jump through to access an email, all the legal paperwork that needs completing, when Google has everyone on file and no one blinks an eye." ®
