It’s a year since the name Edward Snowden became world famous and a year since we learned that the USA’s National Security Agency has infiltrated the internet like an aggressive fungal mycelium.
In the time since then, the internet population has tried a variety of treatments to rid itself of the newly discovered but deep-rooted infection.
Some people looked to their politicians. Unfortunately the organs of power in the USA didn’t have much appetite for strong medicine.
At the very height of the scandal, the US congress opted to ignore the problem and, in the political equivalent of avoiding the doctor to shield themselves from bad news, declined to limit the NSA’s data collection.
Things have looked a little less unpromising of late but laws passed by congress to protect US citizens from their own government (rules that rely on spies obeying the law) are no salve for the 96% of the world’s population that live outside US borders.
Some zealous private citizens tried to starve the infection. Recognising that even malign living things need water, they attempted, unsuccessfully, to dry up the well and overheat the NSA’s unbelievably thirsty data centres.
The first acts of the tech community were no better. The organisers of DEF CON opted for the silent treatment and tore up the federal government’s party invites while Black Hat attendees fought back with booing.
Thankfully, quieter, more sober heads have come to the fore since then and realised that staying healthy will require regular, ongoing and unexciting exercise.
Dull but vitally important projects like LibreSSL and the Open Crypto Audit have emerged to protect the integrity of the internet’s immune system – the strength and vitality of its cryptography – from lethargy and neglect.
Of course, the work of those projects can only protect us if we make data encryption a regular part of our own daily lives.
That last part, using and demanding encryption in our daily lives, is where Reset The Net comes in.
5 June 2014 is Reset The Net, a day to take back our privacy by using strong encryption whenever and wherever we can and insisting that the organisations we rely upon do so too. The Reset The Net pledge reads:
On June 5, I will take strong steps to protect my freedom from government mass surveillance. I expect the services I use to do the same.
Reset the Net isn’t the first attempt to organise a day of taking back our privacy.
In February 2014 a grassroots collective tried to mark the first anniversary of the death of Aaron Swartz with a day of anti-surveillance activity called The Day We Fight Back.
The campaign was a well meant but futile and toothless attempt to emulate Swartz’s successful anti-SOPA campaign.
There was no Fight in the Fight Back, just posturing and protest.
I wanted The Day We Fight Back to be something I could get behind but it wasn’t.
Highly organised government surveillance will not be challenged by the most dilute form of modern technical homeopathy, changing our Twitter avatars.
Less sedentary protesters were urged to contact their congressmen but, as I mentioned earlier, changing the law in the USA will never be the answer for at least 96% of us.
I was also convinced that we should broaden our horizons and assume that countries other than the USA are tapping and spying on internet traffic.
The post-Snowden media conversation has been almost exclusively focused on what the NSA is doing (or, more correctly, what one man knew about what the NSA was doing around 2008, the era of Windows Vista).
It’s the only evidence we have, so it’s treated like the only evidence that exists but, as Carl Sagan reminded us:
Absence of evidence is not evidence of absence!
We would be fools to assume that stopping the NSA and safeguarding our privacy are the same thing.
I argued at the time that our only viable defence, the only way to really Fight Back, would be by adopting or contributing to projects that improve our use of encryption.
Fancy let’s-all-join-hands graphics aside, Reset The Net is exactly that. It’s everything that I wanted The Day We Fight Back to be.
In a word, useful.
You can join in by looking at the Reset The Net Privacy Pack, a handy list of everyday software that uses encryption, and ways to turn on the encryption you already have.
For our part we have decided to join in with Reset The Net by offering our entire site over HTTPS.
From now on you can choose to read every page of your favourite computer security news website over an encrypted connection.
bla bla bla bla …
Interesting, but what is there that PC users can do to set their systems to use suitable encryption? The link leads only to a page telling us what to do to protect IM but many people do not use that and instead want privacy protection for everyday activities done while connected to the internet. I use FF 29.0.1 so I think that helps in the way it works and I’ve added the HTTPS Everywhere extension (but saw that others are having problems like me with getting the XML format rules as an installable file!). So what else should we be doing as users?
The NoScript and RequestPolicy (and HTTPS everywhere) addons are a good start.
Keep in mind, it takes a bit of time setting it up the first time for all your regular sites.
But what setting up is there to do, none is mentioned and I haven’t found any ‘settings’ dialogs!
For NoScript and RequestPolicy you have to click the icons and whitelist the addresses you want to allow. You can further go into the options for each addon and tweak how much more strict it will be etc.
Take a look at Tor. It has a browser and a proxy server. The browser is based on Firefox so you’ll already know your way around that.
When you’re feeling bolder you might try routing other things you do through the proxy.
I don’t know anything about ‘tor’ nor how it helps security. FF 29.0.1 is the latest version so I’m sticking with that for now. What I want to know is how to improve security, not change for change’s sake.
Shouldn’t this be something everyone is trying to do every day anyway?
Yes, properly implemented encryption is one of the strongest defenses against all manner of cybercrime, so it absolutely should be a core piece of normal online security.
One reason I like Reset the Net is because it gets people talking about online security and asking the right questions who otherwise wouldn’t think about it. It also lights a fire under many service providers who may not have prioritized encryption as an option before.
If a side-effect of all this is that spammers have a tougher time, ACH and wire fraud activities experience a dip and botnets become a little less pervasive then so much the better, right?
That’s good for pushing back against dragnet surveillance but it’s good for so much more too, no matter what your views are on the NSA.
Win-win!
Should I be terrified?
Has GCHQ read my last text message telling my wife I was just going to drive home from work? Has NSA read my last email telling an online shop to send me a black tablet computer, not a white one?
I just can’t see GCHQ getting excited. I can’t see them moving another analyst over from the team that monitors comms from Jihadists in Somalia to suspected bombers in London, just to ensure 24/7 coverage of my communications. How many staff am I supposed to think they have monitoring my every move?
People need to have a realistic threat model.
Google will read my mail (if I ever use them). Some crook will read it if I’m willing to start telling them my bank details or logins. I do need encryption and other measures to defend against these threats.
NSA just isn’t interested.
What you guys over the pond don’t get is that these agencies will continue to work at their assigned duties forever. They will never stop, they will never give in. And if they stop even one death it was worth it.
What we should be complaining about is the data that marketers, credit vetting agencies, banks, and search engines get for free. They have far more data on you than the three letter scary folks.
Go ahead and encrypt; it is a good idea to protect your transmission all the way to the website that you freely give it all up in.
Try and get a loan or establish credit, no encryption will help you there.
So take back your privacy all the way to the bank, where you will give it all up anyway.
“From now on you can choose to read every page of your favourite computer security news website over an encrypted connection.”
That is ridiculous. You can now *choose* to read every page over an encrypted connection? If the default is still an unsecured connection, then Sophos is emphatically *not* doing its part to support the Reset the Net movement. HTTPS with perfect forward secrecy *by default* should be the norm on all websites, especially blogs that focus on security and privacy like Naked Security. Anything less than that should be viewed as a protest against Reset the Net.
If Sophos is proud that security is now an option — but insecurity is still the default — then I am very disillusioned, indeed. Shame on you.
We need a Cold Boot to the Internet.
The human race has become addicted and enslaved to it.
In real_time nobody goes anywhere anymore,
just watching pictures on machines where we spend trillions of $$ to.
Instead of going to space we’re just hanging behind a machine watching pictures which are photoshopped.
Nothing is Real anymore.
Ok for FF type “about:config” in the URL without the quotes. In the search type “ssl3” no quotes. Toggle everything to false that doesn’t have 256 in the preference name. Exit and restart FF. Go to Fortify.net. Click on SSL check. It should read as the very highest AES 256 bit encryption. If it doesn’t, go back and make sure you toggled everything to false that doesn’t have 256 in the preference name.
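The substring rule from the comment above, worked through as an added example (not code from the comment, the article or Mozilla): the preference names are a constructed sample of `security.ssl3.*` entries, and `planCipherPrefs` and `toUserJs` are hypothetical helpers. It goes a little beyond the comment by reading the key size and key exchange out of each name, which shows where matching on "256" differs from a 256-bit cipher and which kept suites offer the forward secrecy another commenter asks for.

```javascript
// Constructed sample of Firefox cipher-suite preference names
// (what about:config lists when filtered on "ssl3").
const SAMPLE_PREFS = [
  "security.ssl3.rsa_rc4_128_sha",
  "security.ssl3.rsa_des_ede3_sha",
  "security.ssl3.rsa_aes_128_sha",
  "security.ssl3.rsa_aes_256_sha",
  "security.ssl3.dhe_rsa_aes_256_sha",
  "security.ssl3.ecdhe_rsa_aes_256_sha",
  "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
];

// Hypothetical helper: apply the "keep only names containing 256" rule and
// compare it with what the name says about the cipher itself.
function planCipherPrefs(prefNames) {
  return prefNames.map((name) => {
    const suite = name.replace(/^security\.ssl3\./, "");
    // Key size is the number right after the cipher name, e.g. aes_256, rc4_128.
    const m = suite.match(/(?:^|_)(aes|camellia|rc4)_(\d+)(?:_|$)/);
    const keyBits = m ? Number(m[2]) : null; // null: size not in the name (des_ede3)
    // Ephemeral (EC)DHE key exchange is what provides forward secrecy.
    const forwardSecrecy = /^(ecdhe|dhe)_/.test(suite);
    const keptByRule = name.includes("256");
    return {
      name, keyBits, forwardSecrecy, keptByRule,
      // True when the substring rule and the actual key size disagree.
      mismatch: keptByRule !== (keyBits === 256),
    };
  });
}

// Hypothetical helper: user.js lines that disable every suite the rule drops.
function toUserJs(plan) {
  return plan
    .filter((p) => !p.keptByRule)
    .map((p) => `user_pref("${p.name}", false);`)
    .join("\n");
}

const plan = planCipherPrefs(SAMPLE_PREFS);
for (const p of plan) {
  console.log(p.keptByRule ? "keep   " : "disable", p.name,
    `bits=${p.keyBits}`, `pfs=${p.forwardSecrecy}`,
    p.mismatch ? "<- rule and key size disagree" : "");
}
console.log(toUserJs(plan));
```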