GCHQoogle: so much for "Don't be evil"

Another day, another set of terrifying revelations about how we’re all being spied on.

So, what have we learnt from this?

Bruce Schneier has a nice summary, but in short, from what I understand, the situation is as follows:

Firstly, the bad news is that if the NSA or GCHQ want in, there is very little you can do. They simply have far too many resources; they have lists of exploitable vulnerabilities for every network connected device you own, have techniques to break into your wifi, own the root SSL certificates so they can hijack your HTTPS session, can reconstruct the electromagnetic emissions from your monitor into a picture, can root kit your mac, windows PC, games console and turn any mobile phone into a bug… and if all of that fails, they can just kick your door down.

The point is that these are all resource intensive things to do and don’t scale very well, plus there is a much higher chance of discovery. This is why they’ve concentrated on communication interception as a primary attack vector.

Some good news is that it looks very much like the actual encryption algorithms themselves – with a few possible exceptions – haven’t been broken (yet). Instead, as many of us who have been watching this unfold have suspected, they’ve been concentrating on weaknesses in the implementation of these algorithms: exploiting existing bugs (which have often been reported to them by industry partners or spies), deliberately creating bugs in implementations, or circumventing the encryption altogether and getting access to the companies that hold the data on our behalf.

The fact that good crypto is probably still good is little consolation since, because of the engineered vulnerabilities, the cryptographic technologies that protect our privacy, medical and banking records, and the systems that run our entire economy, have still been compromised. Presumably this is what Theresa May meant when she said they could “handle HTTPS”.

Even if you believe that the security services are brave, noble and true defenders of our liberty, it is the height of naiveté to believe that a security hole will only be exploited by us and not by them. It is only a matter of time before some other power, or even just plain ordinary crackers, exploit the same security holes to steal your identity or the contents of your bank account.

What can be done

The latest leaked documents do offer a glimmer of hope; by their own admission, the techniques they are deploying are massively vulnerable to disruption (so much so that it seems employees at GCHQ are under strict orders to not even speculate about how information is obtained). It seems that countermeasures, if adopted by the population at large, could very well be effective.

The first thing to do is get political; write to your MP, join the EFF and ORG etc. The security services have gone rogue, but that is a political problem which needs a political solution.

However, in the same way that while we have laws against burglary we still lock the door, we need to change up the way we conduct business on the internet.

This and earlier leaks have made abundantly clear that we absolutely cannot trust cloud services, proprietary software products or software that communicates using closed proprietary protocols. Windows, OSX, Skype, Facetime, GMail, Facebook, etc, have all been compromised to some extent or another. Strongly consider moving over to Free software alternatives for your software, since the peer review inherent in their development process makes them a much harder target to compromise.

Perform regular security audits; keep up to date with patches, and adopt a multi-layered approach to security that mixes protecting your electronic borders with detecting breaches when they occur. Do not rely on proprietary antivirus software to protect you; it has been compromised.

Remember, if they really want you, they can have you, so fundamentally the technical countermeasures we adopt should be focussed on changing the economics of mass surveillance. If significant portions of the population stopped using cloud services like Gmail and Google Docs, and moved towards a self-hosted solution, there would be no tempting large cache of data that could be sucked up. If everyone made more extensive use of strong crypto (and really, there is NO excuse to still be sending things in cleartext), then we dramatically increase the effort required to surveil the population at large.

If we can deny them these cheap attack vectors, then we force them to use the much more expensive vectors mentioned above which, crucially, do not scale to the population at large. We don’t remove the ability of the security services to monitor the handful of genuine bad guys out there, but we prevent the possibility of any fishing expeditions, and crucially we stop some future government using mass surveillance via the internet as a tool of oppression.

I have a lot of things to do, for various people, at various times. If you’re anything like me, you find this rather stressful and much of your time is wasted by simply trying to work out what to do next.

This blog post will describe some of the ways I’ve used tools available online to dramatically reduce my stress levels and make sure that I never lose track of what I’m meant to be doing.

The Tools:

This is what you’ll need, and also what I use – of course, other tools exist.

  • A Task List: I use Remember The Milk (free/$25pa) to keep track of tasks – it’s simple to use, pretty fully featured and I can get at my task list on multiple platforms: web, computer and phone.
  • A Calendar: I use Google Calendar – it’s free, cloud based and transparently integrates with my iPhone, iPad and computer through webcal.
  • ifttt to trigger actions based on certain events and provide extra automation (which I’ve talked a bit about before).

Setting up your task lists

Much of how I use my task list is influenced by this great post over on the Remember the Milk blog, and I’ve made my own tweaks.

Here are the main points:

  1. Create a Personal and Work list to track the day to day stuff.
  2. Create a list for any project or task which can be broken down into more than a few tasks.
  3. Any item which depends on another task gets tagged with “depends”
  4. Create a smart list “not tag:depends” and call it “Next Actions” to give a summary of your next tasks.
  5. Create a smart list “tag:depends” and call it “Review – Pending tasks” to give you an overview of tasks which you can’t do yet.
  6. Create a smart list “(NOT addedWithin:"1 week") AND due:never” and call it “Review – Stale tasks” to help you keep track of any loose ends.
  7. Review the contents of these lists regularly (you might want to schedule a repeat task to remind you).

I also find it helpful to create a smart list called “Today” (“dueWithin:"1 day of today" or dueBefore:now”) to list stuff that has to be done today, or that you want to do today. Before I go to bed at night I go through my tasks and assign myself stuff to do for the coming day.

The nice thing about this is I start the day with a ready-made plan of action to work through, and unlike the default RTM “Today” overview, this list also shows overdue items which have rolled over from the previous day.
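As an added example (not from the post, and not Remember The Milk’s own code), the four smart lists above reimplemented as plain Python filters over a constructed set of tasks, so you can see exactly which tasks each review list would surface; the task names, dates and the fixed “today” are made up.

```python
# Added example: the post's smart lists as plain Python filters over constructed tasks.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Task:
    name: str
    added: date                 # date the task was captured
    due: Optional[date] = None  # None means "due:never"
    tags: set = field(default_factory=set)

def next_actions(tasks):
    # "not tag:depends": anything not blocked on another task
    return [t.name for t in tasks if "depends" not in t.tags]

def pending(tasks):
    # "tag:depends": blocked tasks, to review rather than work on
    return [t.name for t in tasks if "depends" in t.tags]

def stale(tasks, today):
    # "(NOT addedWithin:"1 week") AND due:never": captured over a week ago, never scheduled
    return [t.name for t in tasks
            if t.due is None and today - t.added > timedelta(days=7)]

def today_list(tasks, today):
    # "dueWithin:"1 day of today" or dueBefore:now": due today, plus overdue roll-overs
    return [t.name for t in tasks if t.due is not None and t.due <= today]

# Constructed sample data, evaluated against a fixed "today" so the results are reproducible.
TODAY = date(2013, 9, 10)
SAMPLE_TASKS = [
    Task("Write to MP", added=date(2013, 9, 9), due=TODAY),
    Task("Renew car tax", added=date(2013, 8, 1), due=date(2013, 9, 8)),        # overdue
    Task("Migrate mail off Gmail", added=date(2013, 8, 20)),                     # stale
    Task("Configure mail client", added=date(2013, 9, 9), tags={"depends"}),   # blocked
    Task("Read Schneier summary", added=date(2013, 9, 9), due=date(2013, 9, 12)),
]

def review(tasks=SAMPLE_TASKS, today=TODAY):
    """Return every smart list from the post, keyed by the name the post gives it."""
    return {
        "Next Actions": next_actions(tasks),
        "Review - Pending tasks": pending(tasks),
        "Review - Stale tasks": stale(tasks, today),
        "Today": today_list(tasks, today),
    }

if __name__ == "__main__":
    for list_name, items in review().items():
        print(f"{list_name}: {items}")
```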

Setting up the calendar

Google Calendar can be used natively or through their (ever more sophisticated) web interface. How you use the calendar should be fairly obvious, but setting it up for native use or on a smartphone is less so.

Essentially, you want to find the ical link for the calendar you’re using (available under calendar settings) and then link to it on each device.

Done right, this means you can view and add events to your calendar from any device and have it synchronise automatically across them.

This ubiquity is important: it allows you to capture the task’s pertinent information (when, where, and reminders set in time to get there) as soon as you find out about an event – meaning you only need to remember the task once, and you will never again double book yourself!

Automate all you can

A lot of the automation is dependent on your tasks and what you need to get done, but here are some ideas:

  • Use ifttt to put things in your task list or calendar based on certain external events – for example, an important blog post, if tomorrow is a snow day or any number of other things.
  • Use recurring tasks to set up maintenance schedules for your car (or perhaps more importantly a self examination routine for your own body).
  • Never let a project go stale by adding recurring tasks to prompt you to drop an item from the project on the “Today” list. Always move towards your goal!

Key concepts:

So in summary, by capturing information straight away and automating as much as we can we never need to lose track of the disparate threads of our lives. The goal of all this being to reduce everything down to a system, one that requires as little thought as possible from you.

  1. Capture the task or appointment into your system as soon as you think of it. I am always either near my computer or iPhone, so this is easy.
  2. Store the information in a place that is secure but available everywhere, so cloud based systems are really handy here.
  3. Automate as much as you can.

Have a stress free day!

Image from the film “Memento”.