Heavy Encryption (Followup: Having Trouble With Microsoft)

sungo [ 2013-09-28 ]

In my previous entry, I expressed some difficulties I was having with the Microsoft ecosystem. Since then, a lot has changed. In case you’ve been living under a rock or are a time traveller, there is strong evidence from multiple sources that the NSA has backdoors or compromises into most commercial software and Internet security products. Man-In-The-Middle attacks are being run against major Internet services. And in relevance to my previous entry, there’s strong evidence that Microsoft actively helps the US government with early disclosure of security flaws, encryption backdoors, and quite possibly a backdoor into Windows itself.

A lot of this isn’t terribly new information. The NSAKEY variable was discovered in 1999, after all. Previously, however, all we had were rumors, suspicions and conspiracy theories. Now we have confirmation and as close to hard proof as we’re likely to get in the near future.

So, I did some thinking and some staring at the vast horde of technology lying around my apartment. (I’m more than a little bit of a hoarder when it comes to kit. I rarely throw kit away because I almost always find a use for it eventually.)

The end result is that I’ve decomm’d the Surface and taken it to work for work-related Windows stuff. No personal data goes there. I’ve ripped Win8 off my Dell XPS 12 and reimaged it with Ubuntu 13, with a LUKS encrypted drive and ecryptfs encrypted home tree. (I’ll have a post about this soon. Getting Linux onto the XPS 12 has some tricks I’ve not found documented elsewhere.)

On the data side, I’ve taken everything down from cloud providers, moved to git-annex and a hosted bare-metal server in Europe. None of my data remains in the cloud and there now exists no unencrypted copy of my data.

I’ve always had a personal VPN hosted in Europe but I’m using it a lot more these days.

My phone is now an HTC One running CyanogenMod. It does not sync data to the cloud and I sync data to/from it using USB.

My email is still currently in the hands of a US provider but that’s mainly because setting up SMTP and IMAP is a pain in the ass. It’s pretty much last on my list to self-host. I have, however, switched back to mutt+gpg.

At home, I’ve replaced my commercial firewall kit with a handrolled Linux-based firewall/server. DNS is routed out via Europe given Verizon’s cooperation with the NSA on so-called “metadata” surveillance. I’m also heavily using Tor, particularly when not at home.


I don’t need a comments section to hear you ask “What the shit do you have that’s interesting enough to warrant all this?”

As Aaron Swartz and others have discovered, the Computer Fraud and Abuse Act is old and vague enough that us geeks probably commit multiple felonies a day and don’t even know it. Ever keep a copy of a former employer’s code after you left? BAM! Ever give your HBO GO password to a relative? BAM! Ever evade an IRC channel ban by changing your IP? BAM! A single indictment would not only likely ruin my career but it would give the government complete access to my data and gear.

I’m not particularly worried about being a target though and I’m not worried that men in black are going to bust down my door. But it’s the principle of the matter. I don’t want random people, government or no, to have access to my data and systems without my express permission for each use. And if The Man does decide that I’m interesting, they’ll have a high barrier of entry to my life. (Yes, I am ignoring Rubber Hose decryption.)

It’s also a matter of hygiene. You bathe, brush your teeth, wash your hair not as a response to a specific problem or incident. You do these things to prevent specific problems or incidents. You lock the doors of your house not because you see thieves waiting outside but because there might be.

I’m locking the doors of my data and software not because the men in black are lurking outside my door. I’m locking the doors of my data and software because I know they are lurking in my ISP, in US cloud services. I know they are dumping my data for offline processing by supercomputers. I know that some Booz-Allen contractor is running queries against databases containing my Google search history.

I know they are watching and I choose to at least make their lives more difficult.