Risk
6/12/2013
12:59 PM
50%
50%

7 Tips To Avoid NSA Digital Dragnet

These apps will keep your cell phone calls under wraps -- if the NSA hasn't already found a way to break them.

3. Silent Circle, For Encrypted Voice, Email And More.

Silent Circle is a relatively new and well-reviewed service for providing encrypted voice communications domestically. In the wake of the Prism scandal and "massive demand," the company announced that it's dropped the price of its annual subscription package for four services: encrypted mobile calls, encrypted text messaging, encrypted VoIP audio and video calls, and encrypted email. The company says it's been independently audited to ensure there are no backdoors for eavesdropping on service users.

One caveat with the service, however, is that for communications to remain fully encrypted in transit, they must be made between two Silent Circle subscribers. Still, that might appeal to businesses or activists worried about their communications being intercepted, or the identity of people they're speaking with tracked.

4. Redphone, For Secure Android Calls, Texts.

Android users, meanwhile, can get secure voice calls and texts via open source software from WhisperSystems. Redphone enables encrypted calling between two devices that use the software. TextSecure encrypts texts. Both applications have been audited to ensure they don't contain backdoors. As with Silent Circle, one caveat is that people on both sides of the conversation must be using the software.

5. PGP, For Data Encryption.

What else is possible? PGP -- or its open source equivalent GPG -- can be used to encrypt data and emails, but many people find it difficult to use. Notably, Snowden had to send a homemade video to Greenwald, showing him how to set it up.

6. Power Down Your Phone.

Mobile phone users can pull a Jason Bourne and remove the battery from their cell phone when they're not using it, thus preventing the device from pinging cell towers and revealing their approximate location. But as soon as you put the battery back in, you'll be trackable again, because the network has to reach your phone to provide voice and data services.

As Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, told the Post, "The laws of physics will not let you hide your location from the phone company."

7. Expect Metadata To Be Captured.

For any unencrypted call made using your cellphone, the metadata can be -- and probably is being -- intercepted. From an intelligence standpoint, metadata is a goldmine: one Nature study suggests that by cross-referencing "human mobility" metadata, only four location points -- involving location and time -- are required to uniquely identify someone 95% of the time.

In other words, there's no way to use a mobile phone and avoid metadata capture.

The services detailed above, however, will at least encrypt your communications, avoiding capture via programs such as Prism. That said, they carry usability caveats, as well as integrity worries: what if the NSA's cryptographic capabilities already allow it to successfully defeat those services, or it's found an exploitable vulnerability that accomplishes the same result?

Then again, if you think about these things too much, you might want to join the tinfoil hat crowd. At a certain point, anyone who opts for encrypted communications will have to trust in the available, audited tools.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/14/2013 | 8:48:02 AM
re: 7 Tips To Avoid NSA Digital Dragnet
More good advice (besides VPN): "Figure out what you are trying to protect (and from whom), separate it from everything else, and then select tools, techniques and procedures that will enable you to protect it."
http://grugq.github.io/blog/20...
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/14/2013 | 8:46:33 AM
re: 7 Tips To Avoid NSA Digital Dragnet
I don't know, but you'd imagine they'd have taken care of landlines ages ago.
HildyJ
50%
50%
HildyJ,
User Rank: Apprentice
6/13/2013 | 3:46:01 PM
re: 7 Tips To Avoid NSA Digital Dragnet
If you are truly concerned, buy a prepaid phone that can be refilled with cards available at a grocery store. Use cash. Then keep the battery out and don't use it from your home or office. Add this to the Information Week tips and you should be reasonably safe.

Broad surveillance like the NSA's is best at catching stupid people. The kind that would email an al-Qaeda website and ask how to join.
Terabyte Net
50%
50%
Terabyte Net,
User Rank: Apprentice
6/13/2013 | 12:35:39 PM
re: 7 Tips To Avoid NSA Digital Dragnet
Taking the battery out is nice but some of the most popular phones do not allow that any more, say iPhone, Razr, etc... Wonder if Apple and Motorola are working with the Feds on phone design? Just sayin'...
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9728
Published: 2015-08-31
The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c.

CVE-2014-9729
Published: 2015-08-31
The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.

CVE-2014-9730
Published: 2015-08-31
The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.

CVE-2014-9731
Published: 2015-08-31
The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and...

CVE-2015-1333
Published: 2015-08-31
Memory leak in the __key_link_end function in security/keys/keyring.c in the Linux kernel before 4.1.4 allows local users to cause a denial of service (memory consumption) via many add_key system calls that refer to existing keys.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.