I was alerted to the EFF’s Surveillance Self-Defense (SSD) Project yesterday by Dr. Infosec’s blog and felt compelled to post my own thoughts on this. In a nutshell, the project (still in “beta” BTW) is intended to educate people about government inspection of their data and communications, what the law says about it, and what you can do about it.
I’d love to think I have some “non-security” people reading this blog. If that’s you, and you’re reading this, please know that this is NOT the paranoid ranting of a security geek, this applies to all American citizens, and at some point you’ll need to understand this just like everyone else, if not for your personal data then most definitely for business data that you’re a custodian for (on a work laptop, for instance).
For my fellow security crazies, welcome. Pull up a chair. Let’s chat. I’m going to provide a brief synopsis of the program’s major categories with my thoughts on each.
Risk Management: In this section, the project breaks down concepts that all security folks know and understand well. The first is your assets – what are you trying to protect? Once you know that, you’ll need to understand the threats to your assets, in a few dimensions – the confidentiality, integrity, and availability of your assets should be obvious. The other categories that threats could impact include consistency (are the assets always behaving the same way?), control (is management of the assets controlled?), and audit (can I assess the security of the assets?). Then you need to assess the risk to your assets based on the threats – how likely is it that the threats will manifest, and what damage would ensue? For example, if you are a regular international traveler, it’s highly likely that at some point your laptop will be inspected by border agents somewhere. Finally, know your adversaries. US customs agents? Industrial spies? Wily h@x0rz? The voices in your head? You get the drift. All of these components will paint the risk picture you need to understand how to better defend yourself.
Data Stored on your Computer: This section first lays out what the government can do (here in the US). First things first – the Fourth Amendment stands strong! You should demand a lawyer if anyone tries to search you or anything in your possession. This right has not been suspended by the Patriot Act or any other government mandate, and it applies to any person in the US, citizen or not. There’s a discussion of the Reasonable Expectation of Privacy covered in this Amendment, as well. A great point about laptops – they are considered opaque containers, and thus are protected:
“Laptops, pagers, cell phones and other electronic devices are also protected. Courts have generally treated electronic devices that hold data as if they were opaque containers.”
More on the different types of search and seizure is listed, and the information about warrantless searches is really important for us all to understand. Bottom line – when traveling, searching your laptop is considered “routine” and can be performed without a warrant!
One solution to this problem is to bring a blank “traveling” laptop and leave your personal information at home. You could then access the information that you left at home over the internet by using a VPN or other secure method to connect to a server where you’ve stored the information.
However, bringing a clean laptop means more than simply dragging files into the trash. Deleting files will not remove them from your hard drive.
Another solution is to use password-based disk encryption to prevent border agents from being able to read your files. However, if an agent asks you for your password, and threatens to detain you or seize your machine for further investigation, most travelers will just give in and offer the password. The consequences of refusing to disclose a password under those circumstances are difficult to predict with certainty, but non-citizens would face a significant risk of being refused entry to the country. Citizens cannot be refused entry, but could be detained until the border agents decide what to do.
The other major “chunk” of this section talks about what you can do to protect yourself. Here’s a quick and dirty list:
- Develop a data destruction and disposal policy – includes items like clearing your browser and IM cache, shredding CDs, and actually deleting data permanently on hard drives.
- Master the basics of data protection: Use authentication and access controls
- Learn how to use passwords: All sorts of password tips – including a controversial one from Chuck Norris, I mean Bruce Schneier, to keep passwords written down in your wallet.
- Encrypt data: ‘Nuff said.
- Protect against malware: Again, ’nuff said.
Data on the Wire: As in the previous section, this one is broken into two sub-categories titled “What can the government do?” and “What can I do to protect myself?” In a nutshell, this section drills into wiretaps, pen register and “trap and trace” devices, etc. The section on how to protect yourself was really good. A few things I learned:
- Any “wire” communications (voice, VoIP like Skype, and cell) are more protected than email or SMS. No wiretap == no bueno for the govt in a court.
- SMS is risky – easy to intercept, possible for the govt to use without a probable cause warrant, etc. Now I’m going to have to educate all my crazy anti-govt friends to use Skype. Dammit.
- The Triggerfish mobile tracking technology can pinpoint your cell phone’s location when you’re not using it, and often even if it’s turned off. To be safe, you should remove the battery altogether.
The remaining sections deal with storage of information by 3rd parties, foreign intelligence and terrorism investigations (where you get tortured with pictures of Dick Cheney naked) and defensive technology. This last section is perhaps the most valuable to n00bs – it covers lots of fundamentals on browsers, encryption, anti-malware, email and IM, wireless, etc.
Highly recommended. If you are new to the EFF overall, consider donating – I do annually, and it’s a good cause.