Ben Nagy posted the following very sensible message on the DailyDave mailinglist:
Recently, a lot of people have been talking and possibly even thinking about the “cryptopocalypse”, surveillance, and the ideal rate of exchange between liberty and safety. I have been vaguely seeking the ideal derisive verse for a while, but this morning I finally realised that it has already been sung.
“When you believe in things that you don’t understand, then you suffer.”
– Stevie Wonder
Without quibbling over minor points, I think it’s reasonable to view the period since 2001 as one where privacy and fundamental individual liberties have been at a steady ebb. Some might characterise it as the ‘theft’ of those things by Governments, but really, it’s not. It has been driven by fear, and the belief that “The Government” can provide protection against Dark Forces. However, it’s not the steady advance of ridiculous legislation that I want to focus on. Those shavings of liberty can be counted where they fell, as a simple matter of public record.
What’s interesting is the use of the tools that these Governments already have. Nothing fundamental changed in the last few months. The NSA, GCHQ, MI5, DSD didn’t SUDDENLY ramp up any ops. They haven’t gone rogue. They’ve just been doing the same thing they’ve been doing for years, because people ASKED them for protection, but weren’t too bothered about asking for details. They may not have even had a concept of the missions of these organisations, except as a nebulous part of “Government”. They believed in things that they did not, fundamentally, understand, and now we all suffer.
So now we, the super smart computer crowd, get to be all smug and “I told you so!”, because we called it, just like that guy with no pants and a bird in his beard.
What I find hilarious, however, is the reaction. “Tor is the BEST tool that fails to fix a different but related problem!”, “You should all use CryptoCat because I say sorry every time I screw up!”, “Hemlis messenger is totes unbreakable, and has nice graphic design!”, “5 Weird Tips to NSA-proof YOUR life!”, “Try Silent Circle! We have Beards!”
All of this rubbish is just as much Security Theatre as the shoe removals, crotch-gropings and warrantless detention we’ve been enduring at airports. Statistically, you’re just not a target, so it’s ALL going to be as “100% Effective” as Werewolf Repellent. So go nuts, I guess. Use CraptoCat inside TorBB to update your location on Facebook. Whatever.
If you happen to actually BE a person of interest, however, “better than nothing” is actually worse than nothing. If you had zero crypto, you might actually think about the content and traffic / timing patterns of your comms. If you had no ‘anonymisation’ then you might actually give a shit when and from where you connect. In either case you might give some measure of incredibly serious thought to:
– The known capabilities of your anticipated adversary
– Your operating risk
– Your worst case outcome
Because if you don’t have a strong mental picture of these things BEFORE you start deploying tools and being all crypto-ninja-slash-stealth-sexy-leopard, then you’re going to see exactly what that worst case outcome looks like from the inside.
I’m not saying it’s “impossible”. I’m just saying (to quote The Grugq) “Nobody’s going to go to jail for you”, and that includes the authors of these new (and old) “spook-proof” tools. The hard truth is that the only way to stay ‘safe’ from state-level actors is going to involve a consistently disciplined regimen of tools, techniques and procedures, and any software that claims to make it “easy” is flat-out lying.
Don’t outsource understanding.
“When you believe in things that you don’t understand, then you suffer. Superstition ain’t the way.”
(please now allow the best Clav riff EVER to stick in your head)
(and if you need this WHY ARE YOU SO YOUNG??)