When Strong Encryption Isn’t Enough to Protect Our Privacy
By Bill Blunden
Feb 26 2015
“None of the claims of what comsec works is to be taken saltless: Tor, OTR, ZTRP are lures.” —Cryptome, Dec. 30, 2014
In the aftermath of Edward Snowden’s disclosures, the American public has been deluged with talking points that advocate strong encryption as a universal solution for protecting our privacy. Unfortunately the perception of strong encryption as a panacea is flawed. In this report I’ll explain why strong encryption isn’t enough and then present some operational guidelines which can be used to enhance your online privacy. Nothing worthwhile is easy. Especially sidestepping the Internet’s global Eye of Providence.
Anyone who reads through privacy recommendations published by the Intercept or the Freedom of the Press Foundation will encounter the same basic lecture. In a nutshell they advise users to rely on open source encryption software, run it from a CD-bootable copy of the TAILS operating system, and route their Internet traffic through the TOR anonymity network.
This canned formula now has a degree of official support from, of all places, the White House. A few days ago during an interview with Re/Code, President Obama assured listeners that “there’s no scenario in which we don’t want really strong encryption.” It’s interesting to note how this is in stark contrast to public admonishments by FBI director James Comey this past October for key escrow encryption, which is anything but strong.
So it would appear that POTUS is now toeing a line advocated by none other than whistle-blower Snowden, who asserted that “properly implemented strong crypto systems are one of the few things that you can rely on.”
Only there’s a problem with this narrative and its promise of salvation: When your threat profile entails a funded outfit like the NSA, cyber security is largely a placebo.
Down To the Metal
A report released by Moscow-based anti-virus vendor Kaspersky Lab proves that, despite the self-congratulatory public relations messaging of Google or Apple, strong encryption might not be the trendy cure-all it’s cracked up to be. The NSA has poured vast resources into hacking hardware platforms across the board, creating firmware modifications that allow U.S. spies to “capture a machine’s encryption password, store it in ‘an invisible area inside the computer’s hard drive’ and unscramble a machine’s contents.”
On a side note, Kaspersky Lab is one of two companies authorized by the Russian security service to provide anti-virus technology to the Russian government. The company’s founder, Eugene Kaspersky, a former Soviet intelligence officer himself, has links to the Russian Federal Security Service, or FSB. So it makes sense that the one company with the audacity and skill to publicly showcase a global espionage program by the NSA would also be a company aligned with a countervailing power center outside of the United States.
Anyway, when it comes to bare-metal skullduggery there are plenty of proof-of-concept examples available in the public domain. But these experiments are nothing compared to the slick production-level malware deployed by NSA spies. When the Pentagon aims for information dominance it doesn’t screw around. Hence blind trust in encryption software is exposed as a sort of magical thinking.
Some people would argue that the NSA’s hardware hacks aren’t a big deal because they’re used selectively for targeted intrusions. One problem with this stance is that spy gear has a habit of filtering down into the underworld because spies and crooks are kindred spirits who often work together. Another problem is that the NSA is actively working to industrialize attacks so that they can be pulled off on a mass scale against large swathes of users. The recent discovery of pre-installed malware on Lenovo PCs should offer an unsettling hint of where spies and their front companies are taking things.
Face it, an intelligence agency that makes off with the encryption keys from a large multinational company that manufactures billions of SIM cards each year is an agency that’s doing much more than just small-scale targeted hardware attacks. They want to “collect it all.”
OPSEC Is Law
“Iraqi Assault to Retake Mosul from Islamic State Is Planned for Spring” —New York Times headline, Feb. 20, 2015
Given the sorry state of software engineering and the sheer scope of clandestine subversion programs, if spies want to root your machine they’ll probably find a way. The Internet is akin to a vast swamp in the Deep South. Users wade through a hostile murky environment surrounded by alligators prowling silently just below the surface.
And don’t think that tools like Tor will protect you. The FBI has demonstrated repeatedly that it can unmask Tor users with exploits. The FBI’s collection of cyber scalps includes a high-ranking cyber security director who probably thought his game was tight. The litany of Tor’s failures has led security researchers to conclude that, “Tor makes you stick out as much as a transgender Mongolian in the desert.”
Hence when going toe-to-toe with spies from the NSA’s Office of Tailored Access Operations or, heaven forbid, its more daunting CIA brethren in the Special Collection Service, operational security (OPSEC) becomes essential. This isn’t cynical “privacy nihilism” but rather clear-headed contingency planning. Once the NSA owns a computer the only thing that stands between the user and spies is OPSEC. It takes groundwork, patience and (most of all) discipline. Even the professionals get this wrong. And when they do the results can be disastrous.
For a graphic illustration of this, contemplate the case of Ross Ulbricht, the creator of Silk Road. The celebrated Tor anonymity network did very little to stop the feds from getting a bead on him. To make matters worse, you’d think Ulbricht would know better than to work with his back to the room, which let the feds sneak up on him before he could log off, leaving his encrypted laptop in a decidedly vulnerable state.
It didn’t help that the Silk Road’s servers were configured to auto-login certain client machines and that Ulbricht’s laptop just happened to be connected to the Silk Road servers as a full administrator. Ditto that for Bitcoin wallets on the aforementioned laptop which allowed law enforcement agents to trace over $13 million in Bitcoins to Ulbricht.