How Badly Do You Want Privacy?

S o you want to be a whistle blower. Just gen up a strong PGP key, hide your IP address with Tails and the Tor browser (running off your USB stick), and use a secure email such as Hushmail (www.hushmail.com) or Hide My Ass (www.hidemyass.com). Make sure you're using HTTPS. Done, yes? So, why did Edward Snowden have to flee? Not only did he know that they would find him sooner or later, but that it would be sooner with the available technology. There are lots of holes in technology-dependent solutions. Even an anonymizing network such as Tor is theoretically vulnerable to passive analysis. With far-reaching network access and enough computing power, the routing can be determined. The security agencies claim they can't. Go ahead and trust this if you wish. But let's look at the other vulnerabilities. First, there are government hack attacks. A previous " Peering " column 1 mentioned the AdLeaks technology that would defeat passive detection by an agency such as the US National Security Agency (NSA). But any computer (that you know of) is subject to attack. If they can get into the machine at either end of a communication , your communications are compromised. And usually you don't really know how secure the machine on the other end is. Even if the server is really secure, they can attack the client. One feature of AdLeaks is that they won't know which client to attack. But this is still a vulnerability. The major western security agencies claim that they haven't been able to break the main Tor protocol, but they've been successful in attacking the users' computers and even Tor servers. 2 (By the way, they make such attacks on the Tor system even though it's partially funded by the US government.) Within the US, the FBI has been successful in installing malware on some servers to learn the real IP address of users, most notably in breaking Silk Road and shutting down hundreds of Tor network nodes, but also in some other cases. They've declined to be more specific in how they accomplished this hacking. Second, the government's job is made easier by the fact that software is eternally imperfect and there are always exploits. Anyone depending upon HTTPS was probably disappointed by the Heartbleed bug. Anyone thinking this won't ever happen again is simply ignoring the history of HTTPS bugs. We can hear …