Now is the time for Brazil to have its digital independence from countries such as the United States of America (USA) and from the countries allied with the USA in espionage: England, Australia, Canada and New Zealand.
But digital independence does not mean ceasing to connect to the USA and to the countries allied with the USA in espionage: England, Australia, Canada and New Zealand. For example, Google (http://pt.wikipedia.org/wiki/Google) and Facebook (http://pt.wikipedia.org/wiki/Facebook) have their worldwide headquarters in the USA, and nobody in Brazil or in the world stopped using Google or Facebook because of the espionage; most Internet usage in Brazil and in the world is concentrated on Google and Facebook.
So, what is the solution?
The solution is for Brazil to keep its connections and routes, but securely: using only MPLS VPN (http://en.wikipedia.org/wiki/MPLS_VPN), together with native IPv6 (IPv6-only, per RIPE-554, in Portuguese, in English), and also together with DNSSEC (http://pt.wikipedia.org/wiki/DNSSEC, http://registro.br/suporte/faq/faq8.html).
And stably and fast: using only, as the base, high-transmission-speed optical fibre, with 100 Gbit/s Ethernet packet technologies and Wavelength Division Multiplexing (WDM), which can reach up to 10 terabits per second or more; if this technique is used in combination, 20, 30, 40, 50 and as many more terabits per second as are needed can be reached (http://www.cpqd.com.br/pesquisa-desenvolvimento/sistemas-opticos-avancados-redes-10terabits), to the USA and also to the countries allied with the USA in espionage: England, Australia, Canada and New Zealand, and also to any other place, inside (at the national level) or outside (at the international level) Brazil.
But the difference is that now Brazil has to have control of its Internet, with an alternative and redundant link connecting directly to Europe (by optical submarine cable: http://pt.wikipedia.org/wiki/Cabo_submarino, http://www.cablemap.info/, http://www.submarinecablemap.com/), using ELLA (http://www.ella-int.eu/) for Brazil to connect directly to Europe (adding Sweden), for academic and commercial use, starting at 100 terabits per second, and using Alternative Route number 2 (Santos, Canary Isles, Portugal, Fortaleza; pages 38 and 39: http://www.ella-int.eu/index.php/documents/doc_download/42-d7-1-1-communication-and-marketing-material, http://www.ella-int.eu/index.php/documents). By doing everything suggested here and everything that will be suggested next, Brazil will have its digital independence from the USA and from the countries allied with the USA in espionage: England, Australia, Canada and New Zealand.
Have and use: Internet, Tier 1 network, Tier 2 network, Tier 4 data center, servers and network and Information Technology infrastructure, unified and integrated, with physical, fixed hosting in Brazil under .br domains, connected at 20 Gb/s and above, as a PIX (Interconnection Point, the access point to PTTMetro), under the ATM (Multilateral Traffic Agreement, public peering), with LG (Looking Glass) and Transit, with support for native IPv6 (IPv6-only, per RIPE-554, in Portuguese, in English):
At the national level, the networks:
Being totally independent of the United States of America (USA) and of the countries allied with the USA in espionage: England, Australia, Canada and New Zealand.
Source:
Portuguese:
http://g1.globo.com/politica/noticia/2013/09/petrobras-foi-alvo-de-espionagem-de-agencia-dos-eua-aponta-documento.html
http://veja.abril.com.br/noticia/brasil/governo-americano-espionou-petrobras-diz-fantastico
http://g1.globo.com/fantastico/noticia/2013/10/ministerio-das-minas-e-energia-esta-na-mira-de-espioes-americanos-e-canadenses.html
English:
http://g1.globo.com/fantastico/noticia/2013/09/nsa-documents-show-united-states-spied-brazilian-oil-giant.html
http://www.theguardian.com/world/2013/sep/09/nsa-spying-brazil-oil-petrobras
http://g1.globo.com/fantastico/noticia/2013/10/american-and-canadian-spies-target-brazilian-energy-and-mining-ministry.html?id=2013/10/american-and-canadian-spies-target-brazilian-energy-and-mining-ministry.html&type=noticia&section=fantastico&hash=3
ECHELON, the Echelon global espionage system, controlled by the NSA (National Security Agency; the NSA operates under the jurisdiction of the Department of Defense, which reports to the US Director of National Intelligence; http://pt.wikipedia.org/wiki/Ag%C3%AAncia_de_Seguran%C3%A7a_Nacional) of the USA and its allies: the United Kingdom (England), Australia, Canada and New Zealand:
Portuguese:
http://pt.wikipedia.org/wiki/Echelon
http://www.espacoacademico.com.br/022/22ccosta.htm
English:
http://en.wikipedia.org/wiki/ECHELON
http://www.bibliotecapleyades.net/ciencia/echelon04.htm
Brazil has to have and use: ELLA (Feasibility Study for a direct Europe Link with Latin America (Brazil)), Tails Linux (Tor Project) and Parted Magic Linux (TrueCrypt).
About ELLA (Feasibility Study for a direct Europe Link with Latin America):
http://www.ella-int.eu/
About Tails Linux (Tor Project):
https://tails.boum.org/
About Parted Magic Linux (TrueCrypt; cryptography: encryption algorithms AES-Twofish-Serpent 256 bits and hash algorithm Whirlpool):
http://partedmagic.com/
About Tier 4 data centers:
http://en.wikipedia.org/wiki/Data_center
Brazil has to have an Internet with more security, privacy, stability, reliability, quality and speed, unified and integrated, and with more national and international routes.
Schneier on Security
A blog covering security and security technology.
September 15, 2013
How to Remain Secure Against the NSA
Now that we have enough details about how the NSA eavesdrops on the Internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.
For the past two weeks, I have been working with the Guardian on NSA
stories, and have read hundreds of top-secret NSA documents provided by
whistleblower Edward Snowden. I wasn't part of today's story -- it was
in process well before I showed up -- but everything I read confirms
what the Guardian is reporting.
At this point, I feel I can provide some advice for keeping secure against such an adversary.
The primary way the NSA eavesdrops on Internet communications is in
the network. That's where their capabilities best scale. They have
invested in enormous programs to automatically collect and analyze
network traffic. Anything that requires them to attack individual
endpoint computers is significantly more costly and risky for them, and
they will do those things carefully and sparingly.
Leveraging its secret agreements with telecommunications companies -- all the US and UK ones, and many other "partners" around the world -- the NSA gets access to the
communications trunks that move Internet traffic. In cases where it
doesn't have that sort of friendly access, it does its best to
surreptitiously monitor communications channels: tapping undersea
cables, intercepting satellite communications, and so on.
That's an enormous amount of data, and the NSA has equivalently
enormous capabilities
to quickly sift through it all, looking for interesting traffic.
"Interesting" can be defined in many ways: by the source, the
destination, the content, the individuals involved, and so on. This data
is funneled into the vast NSA system for future analysis.
The NSA collects much more metadata about Internet traffic: who is talking to whom, when, how much, and by
what mode of communication. Metadata is a lot easier to store and
analyze than content. It can be extremely personal to the individual,
and is enormously valuable intelligence.
The Systems Intelligence Directorate is in charge of data collection,
and the resources it devotes to this is staggering. I read status
report after status report about these programs, discussing
capabilities, operational details, planned upgrades, and so on. Each
individual problem -- recovering electronic signals from fiber, keeping
up with the terabyte streams as they go by, filtering out the
interesting stuff -- has its own group dedicated to solving it. Its
reach is global.
The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in;
the trick is to surreptitiously turn them on. This is an especially
fruitful avenue of attack; routers are updated less frequently, tend not
to have security software installed on them, and are generally ignored
as a vulnerability.
The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO -- Tailored Access Operations -- group. TAO has a menu of exploits it can serve up against your
computer -- whether you're running Windows, Mac OS, Linux, iOS, or
something else -- and a variety of tricks to get them on to your
computer. Your anti-virus software won't detect them, and you'd have
trouble finding them even if you knew where to look. These are hacker
tools designed by hackers with an essentially unlimited budget. What I
took away from reading the Snowden documents was that if the NSA wants
in to your computer, it's in. Period.
The NSA deals with any encrypted data it encounters more by
subverting the underlying cryptography than by leveraging any secret
mathematical breakthroughs. First, there's a lot of bad cryptography out
there. If it finds an Internet connection protected by MS-CHAP, for
example, that's easy to break and recover the key. It exploits poorly
chosen user passwords, using the same
dictionary attacks hackers use in the unclassified world.
As was revealed today,
the NSA also works with security product vendors to ensure that
commercial encryption products are broken in secret ways that only it
knows about. We know this has happened historically:
CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows.
A few people have told me some recent stories about their experiences,
and I plan to write about them soon. Basically, the NSA asks companies
to subtly change their products in undetectable ways: making the random
number generator less random, leaking the key somehow, adding a common
exponent to a public-key exchange protocol, and so on. If the back door
is discovered, it's explained away as a mistake. And as we now know, the
NSA has enjoyed enormous success from this program.
TAO also hacks into computers to recover long-term keys. So if you're
running a VPN that uses a complex shared secret to protect your data
and the NSA decides it cares, it might try to steal that secret. This
kind of thing is only done against high-value targets.
How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public:
"Encryption works. Properly implemented strong crypto systems are one of
the few things that you can rely on."
I believe this is true, despite today's revelations and tantalizing hints of "groundbreaking cryptanalytic capabilities"
made by James Clapper, the director of national intelligence in another
top-secret document. Those capabilities involve deliberately weakening
the cryptography.
Snowden's follow-on sentence is equally important: "Unfortunately,
endpoint security is so terrifically weak that NSA can frequently find
ways around it."
Endpoint means the software you're using, the computer you're using
it on, and the local network you're using it in. If the NSA can modify
the encryption algorithm or drop a Trojan on your computer, all the
cryptography in the world doesn't matter at all. If you want to remain
secure against the NSA, you need to do your best to ensure that the
encryption can operate unimpeded.
With all this in mind, I have five pieces of advice:
- Hide in the network. Implement hidden services.
Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's
work for them. The less obvious you are, the safer you are.
- Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections
-- and it may have explicit exploits against these protocols -- you're
much better protected than if you communicate in the clear.
- Assume that while your computer can be compromised, it would take work and risk on the part of the NSA -- so it probably isn't.
If you have something really important, use an air gap. Since I started
working with the Snowden documents, I bought a new computer that has never
been connected to the Internet. If I want to transfer a file, I encrypt
the file on the secure computer and walk it over to my Internet
computer, using a USB stick. To decrypt something, I reverse the
process. This might not be bulletproof, but it's pretty good.
- Be suspicious of commercial encryption software, especially from large vendors.
My guess is that most encryption products from large US companies have
NSA-friendly back doors, and many foreign ones probably do as well. It's
prudent to assume that foreign products also have foreign-installed
backdoors. Closed-source software is easier for the NSA to backdoor than
open-source software. Systems relying on master secrets are vulnerable
to the NSA, through either legal or more clandestine means.
- Try to use public-domain encryption that has to be compatible with other implementations.
For example, it's harder for the NSA to backdoor TLS than BitLocker,
because any vendor's TLS has to be compatible with every other vendor's
TLS, while BitLocker only has to be compatible with itself, giving the
NSA a lot more freedom to make changes. And because BitLocker is
proprietary, it's far less likely those changes will be discovered.
Prefer symmetric cryptography over public-key cryptography. Prefer
conventional discrete-log-based systems over elliptic-curve systems; the
latter have constants that the NSA influences when they can.
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program from the command line; I've been using that as well.
I understand that most of this is impossible for the typical Internet
user. Even I don't use all these tools for most everything I am working
on. And I'm still primarily on Windows, unfortunately. Linux would be
safer.
The NSA has turned the fabric of the Internet into a vast
surveillance platform, but they are not magical. They're limited by the
same economic realities as the rest of us, and our best defense is to
make surveillance of us as expensive as possible.
Trust the math. Encryption is your friend. Use it well, and do your
best to ensure that nothing can compromise it. That's how you can remain
secure even in the face of the NSA.
This essay previously appeared in the Guardian.
EDITED TO ADD: Reddit thread.
Someone somewhere commented that the NSA's "groundbreaking
cryptanalytic capabilities" could include a practical attack on RC4. I
don't know one way or the other, but that's a good speculation.
Posted on September 15, 2013 at 8:11 AM
Source:
https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html
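The air-gap step in the essay above (encrypt the file on the offline machine, carry it over on a USB stick, decrypt it on the other side) depends on the Internet-connected machine, which the essay treats as compromisable, not being able to alter the carried file unnoticed. Authenticated encryption gives that property: any modification, wrong key or re-labelled file fails the tag check and nothing is decrypted. The Go program below is an added example, not code from Schneier's post or from any tool named on this page; the envelope layout (a constructed "AGP1" marker, a random 96-bit nonce, then AES-256-GCM output), the Seal/Open/NewKey names and the sample document are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// magic marks the constructed envelope format used in this example (not a
// standard): magic || 12-byte nonce || AES-256-GCM ciphertext and tag.
const magic = "AGP1"

// NewKey returns a fresh 256-bit key. In the air-gap workflow it is generated
// on the offline machine and shared with the recipient out of band.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the offline machine. The file name is bound as associated
// data, so the Internet-side machine cannot re-label one sealed file as
// another without Open rejecting it at the receiving end.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(magic)+len(nonce)+len(plaintext)+aead.Overhead())
	out = append(out, magic...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(name)), nil
}

// Open runs on the receiving side. A changed byte, the wrong key or a
// mismatched file name fails the GCM tag check and no plaintext is released.
func Open(key []byte, name string, envelope []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + aead.NonceSize()
	if len(envelope) < hdr+aead.Overhead() || string(envelope[:len(magic)]) != magic {
		return nil, errors.New("not an air-gap envelope")
	}
	nonce := envelope[len(magic):hdr]
	plaintext, err := aead.Open(nil, nonce, envelope[hdr:], []byte(name))
	if err != nil {
		return nil, errors.New("envelope rejected: tampered, wrong key, or wrong file name")
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for the file to be carried over.
	doc := []byte("draft report: constructed sample text for the example")
	env, err := Seal(key, "report.txt", doc)
	if err != nil {
		panic(err)
	}
	got, err := Open(key, "report.txt", env)
	fmt.Println("honest transfer decrypts:", err == nil && bytes.Equal(got, doc))
	// Simulate the Internet-side machine flipping one bit of the payload.
	tampered := append([]byte(nil), env...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "report.txt", tampered)
	fmt.Println("tampered envelope rejected:", err != nil)
	_, err = Open(key, "notes.txt", env)
	fmt.Println("renamed envelope rejected:", err != nil)
}
```

The key never touches the Internet-side machine, which only ever sees the sealed envelope; because the nonce is random per file, one key should seal at most a bounded number of files (a few billion for GCM) before being rotated, which is well within what a manual USB workflow will ever reach.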