Open Source Privacy Tools NSA Can't Crack: OTR, PGP, RedPhone, Tor And Tails

In a recent talk at the Chaos Communication Congress, Jacob Appelbaum, who is a core member of the Tor Project and is now working with Der Spiegel and Laura Poitras to analyze the Snowden documents, unveiled some documents showing which tools NSA couldn't crack.

OTR

OTR (Off The Record) is a crypto protocol best known for its ability to encrypt every message with a new key (a feature called Perfect Forward Secrecy) and to have plausible deniability (in that it can't be proven you were the one sending the message). The protocol is used in multiple clients, including in Pidgin, Jitsi or Adium for desktop, or in mobile clients such as CryptoCat or ChatSecure.

TextSecure used to use it as well, until it changed to the more modern Axolotl protocol (recently adopted by WhatsApp as well), which has the advantage of asynchronous conversations (you can leave someone messages even if they are offline). With OTR-based clients, the users need to be online to receive the messages. The Snowden documents didn't say anything about TextSecure's Axolotl because they date from 2012 or before, when Axolotl didn't exist.

PGP

The PGP (Pretty Good Privacy) protocol invented by Phil Zimmermann (who is now working at Silent Circle) is more than two decades old, but it seems to have stood the test of time. The Snowden documents unveiled by Appelbaum and Laura Poitras showed that the NSA can't decrypt PGP, either.

PGP does have at least two major weaknesses, though; one is technical, and the other is related to the user experience. PGP messages can't be "forward secure," so if a key is stolen, then all previous messages can be decrypted. As for the UX issue, it's well known by now that Glenn Greenwald almost missed the reporting on the Snowden documents by not being able to set up PGP properly. Right now it's too hard to use for most people.
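The forward-secrecy difference between the PGP and OTR designs described above can be shown with a simplified model. This is an added example, not code from either project: the toy group parameters, the toy stream cipher and all function names are assumptions made for illustration, and neither protocol's real message format is reproduced.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (far too small for real use).
P = 2**127 - 1  # Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # Toy stream cipher: SHA-256 in counter mode as keystream. Encrypt == decrypt.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def send_static(recipient_pub, msg):
    # PGP-style: the message key depends on the recipient's long-term key.
    e, e_pub = keypair()
    return [e_pub], xor_stream(kdf(pow(recipient_pub, e, P)), msg)

def send_ephemeral(msg):
    # OTR-style: both sides use fresh keys and discard them after use; the
    # long-term key would only sign the exchange (signing omitted here).
    a, a_pub = keypair()
    b, b_pub = keypair()
    key = kdf(pow(b_pub, a, P))            # sender's view
    assert key == kdf(pow(a_pub, b, P))    # receiver derives the same key
    return [a_pub, b_pub], xor_stream(key, msg)

def decrypt_with_stolen_key(stolen_priv, public_values, ct):
    # What someone holding recorded traffic can compute once the long-term key leaks.
    return [xor_stream(kdf(pow(pub, stolen_priv, P)), ct) for pub in public_values]

def demo():
    long_priv, long_pub = keypair()   # recipient's long-term key pair
    msg = b"meet at noon"             # constructed sample message
    s_pubs, s_ct = send_static(long_pub, msg)
    e_pubs, e_ct = send_ephemeral(msg)
    static_read = msg in decrypt_with_stolen_key(long_priv, s_pubs, s_ct)
    ephemeral_read = msg in decrypt_with_stolen_key(long_priv, e_pubs, e_ct)
    return static_read, ephemeral_read

if __name__ == "__main__":
    print(demo())
```

The recorded static-key message is readable once the long-term key leaks, while the ephemeral exchange is not, because the exponents that produced its key no longer exist.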

Fortunately, there are multiple individuals and companies working on making it easier. One of these companies is Google, which is working on the "End-to-End" extension for email. However, we're probably at least a year away from a public release, and we also don't know yet if it will remain as secure as using the original PGP or if it will introduce new vulnerabilities along with a new easier-to-use design. So far it looks promising, though.

RedPhone

In the documents seen by Jacob Appelbaum, RedPhone is labeled as "Catastrophic" in terms of how difficult it is for the NSA to break. RedPhone, along with its Signal variation for iOS, is an encrypted voice app that uses the ZRTP protocol, invented by Phil Zimmermann, Jon Callas (both at Silent Circle), and other security researchers. It's also what Silent Circle's "Silent Phone" uses.

Tor

Tor is a network of over 5,000 relays that redirect user traffic, enabling online anonymity. Tor and the Tor browser seem to have posed many problems for NSA, in general making it very difficult to track people. However, we know from recent busts, such as the ones involving Silk Road, that if specifically targeted by the NSA, Tor users can be identified.

Sometimes that happens because the targets don't update to the latest version of the Tor browser with all the latest patches, while other times they simply make mistakes they aren't supposed to make, such as logging in with accounts that can be linked to their real names and addresses. Overall, Tor still remains the most privacy-friendly and censorship-resistant tool out there for the vast majority of people.

Tails

Tails is a Linux distribution that has been customized to work only through Tor to make it harder for those trying to snoop on a certain person to identify who they are. It should go without saying that a machine running Tails shouldn't be your main machine, because if you log in to Facebook or Gmail from it, then that whole anonymity provided by the system becomes pointless.

For extra security, Tails can be used from a DVD, ensuring no malware that's meant to expose you can be written to it. Then, every time you use Tails it will be like using a clean install of it.

What seems to tie all of these projects together is that none of them are written and maintained by large corporations with billions of dollars in profits. It's not Apple, Google, Microsoft or Facebook's security that's stopping NSA, but some free open source tools written by individuals who are putting the brakes on NSA's mass surveillance programs.

Reconstructing narratives - transparency in the service of justice

17 comments
  • yumri
    I highly doubt that the NSA can't hack them; it is more likely they are just working on it and cannot do it correctly in all cases as of yet. This is because the NSA hires the best and the brightest of the hackers in the nation that will work for them, of course within the restraints of the employment agreement.
    Anyways, the NSA is infamous for having massively overkill computers; set one onto an algorithm for a private and public key and give it a few hours, as if they are with a computing computer, not just a storage computer, they are able to crack it. In that because they are open source, the ways in which they work can be used against them if needed; just it will take a lot longer than unencrypted messages or even MD5 or SHA-256 encrypted messages, as they are easier for computers to crack.
    -6
  • derekullo
    Tomshardware ran an article a few years ago about how the biggest danger to encryption is not from graphics cards or processors, but from cheap services like the Amazon cloud. I'm sure the NSA has their own cloud or at the very least has a large block of servers rented from Amazon for their own personal use.
    0
  • yumri
    @derekullo with how well they are funded I will not be surprised if they had their own in-house compute server farm for it, to keep the results out of the hands of whoever or whatever the cloud service might sell or leak them to.
    1