Risk
6/12/2013
12:59 PM
50%
50%

7 Tips To Avoid NSA Digital Dragnet

These apps will keep your cell phone calls under wraps -- if the NSA hasn't already found a way to break them.

3. Silent Circle, For Encrypted Voice, Email And More.

Silent Circle is a relatively new and well-reviewed service for providing encrypted voice communications domestically. In the wake of the Prism scandal and "massive demand," the company announced that it's dropped the price of its annual subscription package for four services: encrypted mobile calls, encrypted text messaging, encrypted VoIP audio and video calls, and encrypted email. The company says it's been independently audited to ensure there are no backdoors for eavesdropping on service users.

One caveat with the service, however, is that for communications to remain fully encrypted in transit, they must be made between two Silent Circle subscribers. Still, that might appeal to businesses or activists worried about their communications being intercepted, or the identity of people they're speaking with tracked.

4. Redphone, For Secure Android Calls, Texts.

Android users, meanwhile, can get secure voice calls and texts via open source software from WhisperSystems. Redphone enables encrypted calling between two devices that use the software. TextSecure encrypts texts. Both applications have been audited to ensure they don't contain backdoors. As with Silent Circle, one caveat is that people on both sides of the conversation must be using the software.

5. PGP, For Data Encryption.

What else is possible? PGP -- or its open source equivalent GPG -- can be used to encrypt data and emails, but many people find it difficult to use. Notably, Snowden had to send a homemade video to Greenwald, showing him how to set it up.

6. Power Down Your Phone.

Mobile phone users can pull a Jason Bourne and remove the battery from their cell phone when they're not using it, thus preventing the device from pinging cell towers and revealing their approximate location. But as soon as you put the battery back in, you'll be trackable again, because the network has to reach your phone to provide voice and data services.

As Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, told the Post, "The laws of physics will not let you hide your location from the phone company."

7. Expect Metadata To Be Captured.

For any unencrypted call made using your cellphone, the metadata can be -- and probably is being -- intercepted. From an intelligence standpoint, metadata is a goldmine: one Nature study suggests that by cross-referencing "human mobility" metadata, only four location points -- involving location and time -- are required to uniquely identify someone 95% of the time.

In other words, there's no way to use a mobile phone and avoid metadata capture.

The services detailed above, however, will at least encrypt your communications, avoiding capture via programs such as Prism. That said, they carry usability caveats, as well as integrity worries: what if the NSA's cryptographic capabilities already allow it to successfully defeat those services, or it's found an exploitable vulnerability that accomplishes the same result?

Then again, if you think about these things too much, you might want to join the tinfoil hat crowd. At a certain point, anyone who opts for encrypted communications will have to trust in the available, audited tools.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/14/2013 | 8:48:02 AM
re: 7 Tips To Avoid NSA Digital Dragnet
More good advice (besides VPN): "Figure out what you are trying to protect (and from whom), separate it from everything else, and then select tools, techniques and procedures that will enable you to protect it."
http://grugq.github.io/blog/20...
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/14/2013 | 8:46:33 AM
re: 7 Tips To Avoid NSA Digital Dragnet
I don't know, but you'd imagine they'd have taken care of landlines ages ago.
HildyJ
50%
50%
HildyJ,
User Rank: Apprentice
6/13/2013 | 3:46:01 PM
re: 7 Tips To Avoid NSA Digital Dragnet
If you are truly concerned, buy a prepaid phone that can be refilled with cards available at a grocery store. Use cash. Then keep the battery out and don't use it from your home or office. Add this to the Information Week tips and you should be reasonably safe.

Broad surveillance like the NSA's is best at catching stupid people. The kind that would email an al-Qaeda website and ask how to join.
Terabyte Net
50%
50%
Terabyte Net,
User Rank: Apprentice
6/13/2013 | 12:35:39 PM
re: 7 Tips To Avoid NSA Digital Dragnet
Taking the battery out is nice but some of the most popular phones do not allow that any more, say iPhone, Razr, etc... Wonder if Apple and Motorola are working with the Feds on phone design? Just sayin'...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.