|(Photo credit: Wikipedia)|
With Prism we learned that the NSA made deals with big technology companies like Google, Microsoft and Yahoo to get direct server access to your data. In a recent revelation on Wired we learned that the NSA prefers to gain control over routers, and networking devices rather than workstation so they can gather data from multiple sources rather than just one. In the latest NSA revelation, we learn of a program called Project Bullrun which once again shows collusion with technology companies, this time to help them put a backdoor into commercial encryption solutions, primarily (From what I can tell) SSL.
Let us also not forget what Snowden said himself in an Ask Me Anything session on Reddit:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.So with all of these revelations I've come to the following three conclusions about the NSA's capabilities, and what we can still do to protect our privacy:
- You can't trust commercial security, you MUST use Open Source (Unless it's issued by the NSA).
- SSL/TLS is not good enough. You must use alternative non-commercial encryption methods where you control the key generation, and web of trust (Such as using GPG).
- Endpoint security is paramount! End-to-end encryption is not enough, you must harden your systems.