Schneier's Guide to Evading the NSA
But don't run Windows yourself.
LONDON (Rixstep) — Bruce Schneier's the man who years ago told the world 'GET OFF WINDOWS FFS' but who simultaneously explained that he personally wouldn't do it. Today, several years later, one of the world's most renowned security gurus is still (personally) on the platform of choice for black hats to spread their viruses, trojans, worms, and whatnot.
Our friend Bruce might be back to feudalism when it comes to security, but he's got a great idea how one can evade the NSA in this age of carpet surveillance.
Of Spies and Air Gaps
Actually Bruce didn't disconnect either. What he instead recommends is establishing an air gap.
An air gap is just what it sounds like - a gap of air between a computer connected to the Internet and another that's not. That second computer is where you keep your precious information.
Several of the big WikiLeaks releases were kept on disconnected computers. Schneier says bin Laden used one. The dropbox designed by Aaron Swartz has one. The air gap is not a new concept. But according to Schneier, it's something everyone should be thinking about today. The idea is that the computer connected to the Internet is expendable, and that malware and spy software have a much harder time reaching the disconnected machine.
'There are a lot of systems that use - or should use - air gaps', writes Schneier. 'Classified military networks, nuclear power plant controls, medical equipment, avionics, and so on.'
Air gaps can be breached. The bad guys have to rely on a bit of stupidity on the part of the target, but that's usually not hard to come by. Stuxnet jumped an air gap; agent.btz jumped air gaps in US military networks; and how many Windows users know how to defeat AUTORUN.INF?
But whatever - herewith Bruce's ten pointers for gapping to stymie No Such Agency.
Mind the Gap
- Connect as little as possible during setup. System setup is a ridiculous situation on Windows, not so much on more sophisticated computers. Bringing a Windows machine up to date has been likened to sprinting through a minefield to get to a bomb shelter.
- Install as little software as possible. Why? To reduce the attack area. Schneier installs only OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. [Why the eminent programmer doesn't write his own editor is a mystery; BleachBit is a copy of Radsoft's E3 Security Kit but it's also for Linux; why Schneier can't chill and use a Mac some of the time is another great mystery.]
- Don't connect again. That special computer that is. Sure, if you want that machine to be Windows, go ahead, sucker.
- Install new software over the air gap. Whether this really helps isn't certain. Malware that attaches to Windows executables is going to be fine wherever it ends up. One gets the feeling Schneier doesn't want to admit there's a hole in the dike.
- Turn off autorun. What better way to infect a machine? Note this is Windows-only. Stuxnet spread that way. Sony put a rootkit on their music CDs and tried to spread it through AUTORUN.INF. Figure out how to turn it off permanently. The old shift key trick might still work, but don't trust it.
- Bring document files only to your air-gapped computer. This goes hand in hand with #2. And Schneier is right that MS Office files and PDFs can be dangerous, so minimise their use as well.
- Use only trusted media for file transfers. Buy your USB sticks yourself and keep an eye on them.
- RW optical disks are safer than thumb drives. Why? Because you can hear when malware is working on a disk.
- Use the smallest possible storage media for file transfers. This limits the room malware has to hide in.
- Consider encrypting everything. Schneier likes whole-disk encryption. (But he also uses TrueCrypt.)
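The 'turn off autorun' pointer above says to figure out how to turn it off permanently. The following is an added example, not from the article or from Schneier: it sets the Explorer machine policy that disables AutoRun for every drive type and then reads the value back to confirm it stuck. The key path and the NoDriveTypeAutoRun / HonorAutorunSetting value names are Microsoft's documented policy settings; the function names are ours.

```powershell
# Added example (not from the article): disable AutoRun for all drive types
# via the machine-wide Explorer policy key, then verify the setting.
# Run from an elevated PowerShell prompt on Windows.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRun {
    # The Policies\Explorer key does not exist on a fresh install; create it.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # 0xFF sets the bit for every drive type: unknown, removable, fixed,
    # network, CD-ROM and RAM disk. AUTORUN.INF is then ignored on all of them.
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # Older systems only honour NoDriveTypeAutoRun fully when this is set to 1.
    Set-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -Value 1 -Type DWord
}

function Test-AutoRunDisabled {
    # Returns $true only if the policy value is present and covers all drive types.
    $props = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ($props.NoDriveTypeAutoRun -eq 0xFF)
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun disabled for all drive types (machine policy).'
} else {
    Write-Output 'AutoRun policy not applied; check that the prompt is elevated.'
}
```

The same value under HKCU at the same relative path applies per user, but the HKLM machine policy wins and is the one to audit. The change takes effect after Explorer restarts or the user signs out. Note what it does not do: it stops Windows from acting on AUTORUN.INF when media is inserted, which is exactly the Stuxnet and Sony cases the article mentions, but it does nothing about an infected executable the user opens by hand, which is why the article's earlier pointers about installing as little as possible still matter.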
'Yes, all this is advice for the paranoid', writes Schneier. One wonders if that is really true. A lot of Schneier's advice seems to be about Windows computers. And Bruce Schneier is the one who told us years ago to get off Windows. Except he never does.
Things are a lot simpler than Schneier would have you believe. Go to the Wintel in the corner and pull the plugs. All of 'em. Then air-gap all you want. But use a system that gives you a fighting chance.
Radsoft Product Gallery: E3 Security Kit
When It Comes to Security, We're Back to Feudalism
Guardian: NSA surveillance: A guide to staying secure
Wired: Want to Evade NSA Spying? Don't Connect to the Internet
Guardian: The US government has betrayed the Internet. We need to take it back