Edward Snowden Explains How To Reclaim Your Privacy

Snowden is a traitor and an idiot.

One thing I surprisingly didn’t see mentioned in this article, or anywhere in the comments section, is the idea of utilizing a VPN (Virtual Private Network), which can filter out a lot of the unwanted prodding of corporations and entities into our activities, usually executed via the implementation of adware and scripts from third-party sources. Especially if you’re using a public network, setting up a VPN can be absolutely critical to (better) securing the transmission of data, and rules can be implemented to filter out the unwanted transmission of data to various sources. Other than obvious culprits such as Google, Facebook, and Twitter, there are hundreds, if not thousands, of entities that are complicit – Amazon, Scorecard Research, Taboola, Outbrain, and Plista are just a few examples of these. Some of them claim to simply cater to your interests under the guise of “Content Delivery Networks”, or CDNs, but you better believe (or at least, assume) that they are busy collecting very personal info about you.

In a nutshell (the actual details are complex, esp. if you’re not tech-savvy), VPNs are usually set up at home, as a waypoint of data transmission, even while you’re thousands of miles away. Your devices have to be configured to redirect traffic through the VPN that you have set up, so that the data transmitted to and from the internet is filtered. End-to-end encryption can be utilized, so that the data is securely transmitted between the device and VPN waypoint. Now, could this method be vulnerable to failing? In theory, probably – I’m not an expert enough, to say that it is foolproof. But this method is much better than going at it without a VPN implementation of some kind, IMHO.

Anyone who needs to get “advice” from a Fool like Snowden who couldn’t do the job he signed up for, and instead became a “hero” to similarly addled Fools, isn’t too bright. Oh well. We knew that already. Snowden is a clear example of the low intellect and lack of values some Contractors bring to the table. Stay where you are Edward. Nobody who has “values” needs you around. You and Putin still Buds? I’ll bet you take off your shirts and ride around on farm animals together. Be careful what you do together though. Sarah Palin can see you from her front porch.

Micah and Mr. Snowden: I don’t see you addressing the potential threats of compromised compilers and compromised processors.

Open source software requires that you can trust compilers. Any compiler can have its binaries replaced by binaries that seem to work properly but insert malicious functionality into compiled code. The compromised compiler can be configured either (a) to insert malicious functionality into each new program it compiles, or (b) to insert malicious functionality only when a specific configuration of text is found in the source code. If a compromised compiler is asked to recompile itself from source, it produces a binary that’s still compromised. I’d like to have credible assurance that some compiler is being regularly checked to ensure that its binaries aren’t compromised in this way. As it is, if I download gcc from the Free Software Foundation I don’t know if I can trust it. Gcc, after all, is a high-value target for any major intelligence agency, and a sophisticated attacker could find ways to compromise it by hacking into the relevant machines or into certain internet connections. If the pro-privacy community was doing this kind of vetting even for one product, like gcc, I’d feel that we’d taken an important step towards the kind of resilience we need.

Compromised processors (including both CPUs and other chips which can function as processors) are another high-value target for intelligence agencies, and I’d expect to see some agencies working on trying to compromise the commonly-used ones at the source. Just because we don’t want it to be true doesn’t mean they won’t do it, since it’s such a high-value target. The compromise could be done by voluntary arrangement with the manufacturer, by National Security Letter, or (if you’re really daring and sophisticated) by hacking into the manufacturer’s systems and altering their designs a la Stuxnet without the manufacturer even noticing (easier to do with an unsophisticated manufacturer of a non-CPU processor). Of course, the compromised processor would still function normally in 99.999+% of situations. The good news is that it doesn’t seem completely out of the question that citizens could develop techniques that keep data safe even with a potentially compromised processor. Ideally the processors themselves should be vetted at a hardware level. Again, just because we don’t want to deal with such a deep compromise doesn’t mean it won’t happen.

But if the pro-privacy community is going to start doing some serious vetting, I think it’s better to start by making sure we have trustworthy compilers, and put off processors until later since they’re a little harder. If we don’t do the vetting, the time will come when the internet is used by the enemies of freedom to delete data and disrupt communications, making the development of trustworthy technology impossible.

I notice that many in the security sector seem to continue to promote Google products, Edward Snowden included (as evidenced by his use of Google+ for video lectures and support of Google Play apps), despite their revealed and admitted intrusion into privacy. I have converted to using a BlackPhone with Private OS just to keep Google out of my phone. But even BlackPhone is now putting Chrome on its phones.

Also, many privacy advocates recommend the use of apps that can only be obtained from Google Play. It is no secret that these app repositories can and have been hacked and also require that the user get a Google account. The companies that promote these apps insist on users obtaining them from google play rather than a secure FTP.

As a relatively intelligent and somewhat well-informed person I have concluded that there must be an INCREDIBLE amount of cognitive dissonance going on with security and privacy advocates for them to promote anything Google. (I am considering using Signal).

Can you please provide a technically sound reason why it is safe to use Google products and maintain the privacy standards that are now required in today’s age of government surveillance? i feel like I must be missing something.

Secondary to this is why security products like ProtonMail, which suffered one of Switzerland’s largest DDOS attacks in history to prevent its use, and BlackPhone (with its Private OS) are not being promoted among privacy advocates.

I would appreciate any feedback from privacy advocates that can help me understand this apparent disconnect.

Islamic State Muslims say “thank you”:

https://pbs.twimg.com/media/CT2zFYdWcAA9mtB.jpg

Hey, Snowdon. How does it feel to be one of the main reasons why so many died in Paris? The blood of those kids is on your hands. Welcome to the new world of Edward Snowdon: Where philosophy triumphs over intelligence and realism.

It’s remarkable that the State Dept can give themselves the right to revoke a native citizen’s passport without any kind of due process whatsoever.

ISIS would like to send a sincere thank you to Edward Snowden for helping them keep their communication private. It has 120+ bodies to show for it. Congratulations!

I am not computer savvy but I trust Edward Snowden and thank him and the rest of the team for there sacrifice and courage.

Micah, Ed,

I’m extremely disappointed that you and other people are recommending Signal for privacy against the NSA, GCHQ etc without mentioning the huge caveats that come with it. It’s almost a JTRIG operation to convince everyone to blindly install it and hope they’ll have privacy. Not everything works like magic. In fact it’s dangerous to just blindly use this program and hope you are secure.

1. If you want to use Signal you have to install it via the Google Play store or Apple iOS store. That’s the only option Open Whisper Systems offer. Have you heard of IRRITANT HORN? You must have, The Intercept posted an article on it (theintercept.com/2015/05/21/nsa-five-eyes-google-samsung-app-stores-spyware/). Also Google and Apple are PRISM partners. How can you possibly recommend to millions of readers that they install Signal without giving any warning about this? The majority will just install it from the app stores and get infected with malware. I guarantee every install of this privacy app from an app store is infected with NSA malware. It’s a prime target for it. Everyone interested in privacy so everyone downloading it gets lulled into a false sense of security by installing it.

If you want real security you HAVE to compile Signal from source and load it manually onto your device. Then I hope you’re running a custom ROM of Android that you also compiled from source and hardened it afterwards with a firewall and restricted app permissions. I won’t go into closed design baseband processors (fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor) or phone hardware issues in this post but I will summarize and say you can’t have any meaningful security against an intelligence agency using a current smartphone device. Period.

If you need ideas for a useful article about secure phone communications, figure out how to compile Signal from source and how to install it manually. Write up a guide on how people can do this. I wish companies like Open Whisper Systems would compile reproducible builds and make them available for download as Android Package Files. Then sign those builds and the source code with GPG. They should then publish their GPG key ID and fingerprint in the blockchain using Namecoin and Onename.

2. If you’re going to do end-to-end crypto properly you need to cryptographically verify who you’re talking to. That means meeting in person and comparing public key fingerprints. Last time I used Signal with a programming colleague of mine that also works on cryptographic software we found the UI for this in Signal to be unusable. It forced us to install some third party app to scan QR codes. Then we had to try figure out how to scan the other persons code and view your own fingerprint / code to compare it. It was all very confusing. At any rate I guarantee 99% of people using Signal are vulnerable to MITM attack because a) they don’t know that they should be doing this verification and b) this verification system is horribly unusable. They could honestly make it more usable by ditching the QR code nonsense or coming up with a logical verification flow just showing the fingerprints as hexadecimal symbols.

3. The encryption and protocol used in Signal is just the bog standard stuff from NIST that the NSA obviously wants everyone to use so they can secretly surveil them. Everyone missed the Der Spiegel memo where they mention they have in-house attacks against AES (spiegel.de/international/germany/bild-1010361-793640.html). Research more into the special relationship between NIST and NSA. Who really had the final say in the selection of the winning algorithms in the AES or SHA3 competitions? I’ll give you a hint, it wasn’t an open, auditable, public vote. You might have noted Blackphone now has a standard non-NIST cipher suite of Curve3617, Twofish and Skein (cdn.arstechnica.net/wp-content/uploads/2015/09/Screenshot_2015-09-25-12-21-56-980×1742.png). This trumps whatever is in Signal by a country mile. Although the real state of the art these days is cascade ciphers. Only real anti-surveillance programs offer cascade ciphers, for example TrueCrypt. That was so good the government found the developers and forced them to shut it down.

To sum up, Signal is probably good enough for stopping the average Joe from reading your messages. It does absolutely nothing to stop Five Eyes surveillance.

I wish The Intercept would stop redacting important stuff in their documents. Let’s see which cryptographic algorithms are actually safe. If Ed didn’t have access to that information, put a call out for a whistleblower from inside the senior cryptanalysis team at NSA to come forward and leak documents (ECI information) to The Intercept. The world needs to know which ciphers are actually safe in order to be safe. Do they actually have a quantum computer already? Then we will know for sure and can create real security to counteract their actual capability. At the moment it’s all unknown. For now don’t trust any one algorithm on its own. Use programs which offer a cipher cascade. Even consider exchanging symmetric keys personally to chat with someone. You can’t trust public key algorithms these days. The main ones are vulnerable to quantum computers and the quantum safe ones are unproven and unstudied.

Signal for Android permissions require your contacts, identity, access to read and write your SIM card, read phone log files, read your calendar, know your location, read your storage and photos, we your camera and mic, and basically everything else worrisome on the phone. This is not the app for your personal phone, maybe a burner phone.

Seems to me that Ed isn’t doing to well, at least in the photo, he looks like he’s lost some weight and is in need of some sunshine. I use a VPN, Tor, a Mac with extra firewall and such but I know the only way to be safe is to just unplug. A VM machine? an air-gap machine? Faraday Cages? geez, to go to those extremes seems to me a bit over-board for the regular user…suppression leads to oppression…I write to my members of congress and ask how I can help them address certain issues, I really would like to help them, they need it, jokes on me right? but pushing the envelope is a good thing…I think old Pat Henry said it best all those years ago…if I disappear or whatever at least I know I tried…in some cases I have lots to hide, so I throw the door wide open, in doing so most think I’m just some cracked pot…2015 sure is fun ain’t it?

NBC nightly news “terror analyst” floats the possibility that encryption might be the reason officials “missed” the Paris attacks.

Does SIgnal work if the people you’re texting don’t use it?

Forgive me for lack of relevance but I want to just say this someplace where somebody might hear it:

So, yeah, I was trying to post some comments on Salon. ( I know, why? right? I have an old account from back in the day (when GG used to be a columnist there, and I find their coverage of the Democratic race for president especially egregious, and find their audience even more annoying….yes, I was trying to pick a fight).

So I discovered empirically this amazingly unethical thing Salon.com is doing, and I want to share it here.

After I sign in to my old account (not using Facebook for example), supposedly all is well. I post comments on two different threads. As far as I can tell, they are appearing right in the middle of the thread conversations.

I checked into Salon a bit later on another computer WITHOUT logging in, and guess what? My comments are nowhere.

Going back to the earlier computer, I log in, and there my comments are — ha ha, no. Nobody likes them, but nobody argues with them either, or acknowledges them.

Because they aren’t there. What I find so funny about this is that Salon wants me to think I am posting things to their site, but they don’t actually put them up. I suppose you will have to try this for yourself to see if it is true, but it might not work for various reasons — SOMEBODY is able to post there, rather obviously.

I thought it was a perfect metaphor for a kind of Fantasy Island bubble, where an internet commenter merrily types away, imagining others somewhere are reading the comments……but nobody is.

Anyway. cheers all, keep up the good work Intercept!

It’s real easy to poo poo these suggestions if you’ve never had any serious threats or attacks to your system or networks. In 2013 I was attacked with weaponized malware for six months that followed me from computer to computer. It took a years and a half to defeat it and regain access and control of my systems and accounts and damn near ruined my life. I suspect the culprits to be a corporate/government alliance.

The diseased minds of the mind control torture sub -humans go into a frantic panic as soon as I visit this site. The planes just revved up decibel levels of their sonic systems in an attempt to harass and terrorize.

A month ago, I posted a comment on Mr. Bamford’s story. As soon as I left the library, they remotely paralyzed my diaphragm while simultaneously forcing gastric acid up the eosophagus for maximal insult.

While I coughed violently from the burning acid, I also could not breathe due to the unresponsive diaphragm. The lungs simply had no way of expanding to fill up with air. It was horrifying to listen to my own desperate gasps for air.

Just before passing out, they released the hold on my diaphragm and I took a deep breath.

The point here is that these ops are imbecilic. I had no intention of writing about torture here today, but they had to blanket the space with incredible harassment and terrorizing aerial sounds just for coming here, leaving me with no choice but to be bold and expose their filth. Cowardice is a non-choice for me.

What I wanted to know was this: where does Micah buy his Faraday bag?

ES, there is nothing like home I know, but if you ever come back, they will saturate your body with nanodevices which they will use to manipulate your entire physiology with, creating painfull spasm of every smooth and skeletal muscle.

They will vibrate the devices all over your head and face in patterns that simulate nematode and small insect locomotions. They will access every major nerve and inflict unspeakable pain directly on it. They will relax sphincter muscles at will so that you urinate or defecate on yourself without the ability to control any of it. They will deliver electric shocks remotely to your genitals. And they will do everything possible to ruin your closest relationships with your loved ones so as to compound the psychogjcal pain.

And that will just be the beginning…
Please do not willingly subject yourself to this by ever coming back.

This is why I like apps like ShazzleMail, because they’re low friction. It doesn’t require you to re-order your life. It doesn’t require you to change your method of communications. You can use it right now to talk to your friends. ShazzleMail is a free private email service that turns your phone into your server. Sen all emails privately with no password required! If you are looking for a business encrypted option the use ShazzlePRO, its $7 a month and its safe, fast and secured!

Thanks for this detailed interview. It’s good advice for people not yet interested in privacy.

Could you also share your opinion on encrypted email like https://tutanota.com ?

I know I should be using pgp, but most of my friends don’t…

Hi Micah, Ed et al,
I’ve a bit of problem with blindly recommending Signal in the current form. Currently OpenWhisper only provides it through the Google Play store. I know they’ve a good reason for it (security updates through a controlled channel), but that requires everyone to have a Google Account. I don’t have one and I don’t want one. Plus I’m a user of a Google free Android phone. Google already has too much tracking data about me. While I don’t think that Google cares about me personally, they still collect the data and as we know they were a fruitful target.

The other point is of course the userbase in your peer group. Of course we can only start to convince others by going ahead. But that takes time. In the meantime I’m happy that we’ve a rather big userbase of Threema in Europe.

One thing most browser users don’t understand is that any website you navigate to can collect the URL of the website you came from. That information is passed along and available from all current browsers by default, as I understand it.

So, I’m on someone else’s machine, using Firefox that is completely locked-down with Java turned off, Ghostery, Ad-Blocker, HTTPS Everywhere (each open source), and all unnecessary Ad-ons and extensions removed, or I’m using Tails, and Tor as well – across a VPN no less. I’m doing all the right things.

BUT, I’m presently looking at the website “www.gay-gay-gaygay-GAY” You know, either baring my soul or having a curious laugh. From that website I type into the URL box “ConservativePride” and hit ctrl-enter. Conservative Pride, who I have a persistent login relationship with, (or Gmail/Outlook/Hotmail/Yahoo, etc.) now has in the logs that I visited a gay website just prior, and can use that information in any way they chose – in perpetuity. It may have been a fluke. It may have happened many times over the life of my User_ID. It is entirely up to them to decide what that personal information means.

It seems to me not many people understand this persistent, systematic, leakage of information, not even some hardened pros, unless they’ve worked in online analytics where that information is used en masse every day, albeit generally the thicker end of the long-tail.

How many people habitually create a new tab before going to a new website? I’m not even sure if that sufficiently stops the broadcast of prior website information. Are regularly updated Google/MS/Yahoo search plugins open source, and can they surreptitiously transmit historic information sourced across tabs?

It’s been rumored that Tor has been compromised. http://arstechnica.com/tech-policy/2015/11/tor-director-fbi-paid-carnegie-mellon-1m-to-break-tor-hand-over-ips/ While I love Tor and think it is a worthy project there is a large probability that its also been broken. http://www.techradar.com/us/news/internet/web/tor-anonymity-compromised-by-researchers-1300922

REI Stores sell radio-blocking credit card wallets, the same technology also could be used for cell-phones, tablets or any computer.

There is probably a bigger demand for such a product than most of us would think. Today there are blacklisting centers in each and every state called “Fusion Centers” that harass innocent Americans every day using cell-phone tracking, credit card alerts (every time you fill up with gas).

Essentially we have defeated most foreign terrorism but the agencies are still receiving the terrorism dollars – so federal, state and local governments have “mission-creeped” to include people they simply dislike for First Amendment protected exercises – in order to keep the financial gravy-train flowing.

Such a product would help deter these Title 18 “color of law” crimes since there is currently no agency to enforce this law breaking by government officials. In other it gives the victims of government harrassment more control over when they are harassed for non-wrongdoing and non-crimes.

This is an example of the type of radicalization which can take place when two people find a copy of the US Constitution online. They begin talking about unreasonable searches and inalienable rights. The next thing you know, they are using the Tor browser to flaunt their privacy.

Privacy is Piracy – trying to steal back your identity from the government. Everybody has a government issued ID; it doesn’t belong to you.

As stated in Wikipedia,”Radicalization (or radicalisation) is a process by which an individual or group comes to adopt increasingly extreme political, social, or religious ideals and aspirations that (1) reject or undermine the status quo…”. Status quo, for those not familiar with Latin means ‘The U.S. Government’. The status quo demands you be pushed, filed, stamped, indexed, briefed, debriefed, and numbered (h/t The Prisoner). This is all quite reasonable, so pause and reflect before stepping down the slippery path of privacy that leads to radicalization.

Great article! One concern I have about no-cloud password solutions such as KneePass is what if my computer blows up? Would I have to go to each website I have an account and reset the password? If that’s the case, getting my email back would be a pain as well.

Otherwise thanks again for the article. I read a while back on the Intercept to use Signal and now that its out for Android I hope more people start using it!

I just installed signal for my android mobile. It seems to be working well. But, unless I am reading it wrong, wikipedia seems to be saying that signal no longer delivers encrypted messages. Is this right?

when everybody uses Ad-blockers – who will pay the bill? so far its mostly the ad-business which pays for most of the free online-content or its platforms (e.g. theguardian or twitter or facebook rely havily on the advertising industry). anyone a solution?

I encourage the young and tech savvy to find “shelter from the storm” as they can. Like Mister Snowden I was in Special Forces training and made it through, not tougher just luckier lots of people got hurt. As for me I do much in the open and use my real name. I hope they are watching and wasting their time. If some poor lonely NSA girl has got nothing better to do than checkout my old “stuff” I am ready for my close-up.

Super article, but all I understood is that electronically I’m as naked as a jay bird. Other than that none of it made sense to me because I’m just a dummy and the terms and items you discussed are way over my protruding brow. Hang tough Snowden, keep kicking them in the balls.

It is very funny but the article is completely FAKE and post completely FAKE information. Signal uses your phone number for validation and also has backdoor, TOR is completely 100% intercepted. I think Snowden is trying to help NSA to continue monitoring people with this tricks.

Thanks for the article. I was just wondering why there was no mention of VPN use. Is there a particular reason? Because from my experience there are fewer easier ways to help protect your privacy than a ‘good’ VPN and ease of use seems to be an important part of this article.
Or is it just because the article is trying to focus only on open source, free services?

Snowden blows the whistle on tyrannical over reaching surveillance in the land of the free and the home of the brave and now he has to live in fucking Russia to be safe. How is that for ironic.

I think our biggest problem right now is really the timidity amid the ranks of the free speech defenders. Oh, the ACLU and such are great organizations — but how many of them will actually go out there and say that banning child pornography is unconstitutional? Or to point out the stupidity of such a ban when it perpetuates what is said to be a multi-billion dollar market in kidnapping children and photographing them for black market distribution? Or to review the history of “obscenity”, and how the court arbitrarily drew a line beyond which it wouldn’t pass, so that now, kids all over America have to worry that by taking the wrong picture of themselves on their new cell phone, they will get a lifetime brand as a sex offender – even though an adult would not be prosecuted for the same thing?

Because the David Camerons of the world, every one of them USES that bait – uses our condemnation of pedophiles not because of the wrong they do, but out of the purely eugenic notion that what is sick must be exterminated. They expect us to be driven not by compassion for the child harmed but by self-righteous condemnation of the offender for succumbing to urges that we happen luckily not to feel ourselves. They take that and put it up as the reason why criminals should have no safe space to poison minds, by which they mean all your fancy-dancy encryption toys.

And the truth is, the real world is out there riding ahead of the ACLU. The free speech defenders won’t go into court and say that there is child porn that passes the Miller test. But if you go on Wikipedia and look up some ancient pedo like von Gloeden, they actually do display the pictures he took of kids he was screwing, because they have historical and artistic significance. Sanger called in the FBI to investigate them, but they never did anything about it – because they KNOW that a court challenge would force a recognition that that (very flimsy) constitutional protection ought to be expanded.

Now I’m not saying that this one issue would put them entirely out of business, no: after all, they are investing hugely in the idiot industry of lockdowns and evacuations every time some moron on 4chan or YikYak says “Don’t go to school in Antarctica tomorrow, you might get eaten by a walrus.” Nor would we be able to end such a stupid censorship policy without concomitant reforms, such as recognizing that a rapist taking a photo of his victim should expect to forfeit his copyright to the victim at the instant of his crime. (True, I also have a plan to abolish copyright, but I can’t write a book in your comments section) But if we stop believing that the Crusader castles on the hills above us will be there forever, maybe we can dream of a day we don’t live under their guns.

Why does the Intercept use trackers?
If everyone used Tor and or Ad blockers the trackers don’t track.
You rightly say dont allow trackers.
But the question remains , who is pushing the Intercept to use Trackers and why.
All the government need do is get one of those secret letters and the Intercept would be force to hand over that information and it would not be allowed to tell its viewers, it did so.
Who makes the call on the trackers?