Open Source Plug Heard on NPR

I was surprised this past week to hear a plug for using open source software on the morning news program on NPR. The piece was about NSA code cracking and encryption circumvention; sorry, I can't find a link now. Bruce Schneier also suggests using open source software in his recent essays:
The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. [...] As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. [...] Closed-source software is easier for the NSA to backdoor than open-source software.
Here are Bruce Schneier's 5 security tips:
  1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself.
  2. Encrypt your communications. Use TLS. Use IPsec.
  3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap.
  4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well.
  5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes.
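Tip 2 ("Use TLS") is only as good as the client configuration behind it: a TLS connection that skips certificate validation encrypts the bytes but lets anyone in the path impersonate the server. The following is an added example, not code from this post or from Schneier, using only Python's standard `ssl` module. It builds a strict client context, builds the all-too-common "verification off" context beside it, and audits either one for the settings a defender should refuse to ship. The helper names (`make_strict_client_context`, `make_weak_client_context`, `audit_context`) are my own.

```python
import ssl
from typing import List

# Lowest protocol version a client should still accept (assumption: policy of this example).
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def make_strict_client_context() -> ssl.SSLContext:
    """Client context that validates the server certificate and hostname
    against the system trust store and refuses pre-1.2 protocol versions."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_VERSION            # explicit, independent of interpreter defaults
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The 'it works now' anti-pattern: encryption on, identity check off.
    Shown only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE              # any certificate, or none, is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passes this policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    if ctx.minimum_version < MIN_VERSION:
        findings.append("minimum_version below TLS 1.2: downgrade to legacy protocol versions possible")
    return findings


if __name__ == "__main__":
    for label, ctx in (("strict", make_strict_client_context()),
                       ("weak", make_weak_client_context())):
        report = audit_context(ctx) or ["OK"]
        print(f"{label}: " + "; ".join(report))
```

Run the audit against whatever context your own code hands to `socket` or `urllib`; the strict context produces no findings, while the weak one is flagged for both the missing certificate check and the disabled hostname check.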
Here are some bits of software he uses:

Stay safe out there on those interwebs!

1 comment:

  1. Bruce Schneier Fact Number 211
    When Bruce Schneier was a kid he would talk to his friends across the yard using tin cans connected by a string. The messages on that string were 4096-bit RSA encrypted.