The NSA Scandal: How Uncle Sam Can Read All Your Private Data Without Your Consent (And How to Stop It)
Hello again fellow hackers. How many of you remember the NSA scandal that Edward Snowden leaked a few years ago? Many people were shocked, including myself. In fact, it was the sole reason I started hacking in the first place.
Some of us want to steal money from banks with hacking, others want to change the world for the better, then there are people who want to become a hacker to earn a living out of it, etc. But some of us just want to take their privacy back. And this article is meant especially for those people! In this article, I will be covering how Uncle Sam reads, watches, and listens, and what gives him the right to do so, as well as how the future will look, and how to avoid it.
The USA PATRIOT Act, or its full name: "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" (woah, what a mouthful!), is the unique law that gives the NSA the permission to spy on any infrastructure owned by the US. This law was originally created to prevent terrorist attacks in the US after 9/11, by giving the NSA the ability to spy. The Patriot Act was signed by President George W. Bush on October 26, 2001. The Patriot Act consists of 10 titles, but I'm not going to get too detailed. If you want to read more about this act, you can always read the Wikipedia page.
The scary thing about this law is that it pretty much ignores country borders. With "any American infrastructure", I really mean "any American infrastructure".
Without getting into too much detail, because I could easily write an entire book about the Patriot Act, the Patriot Act simply gives the US government the permission to read and access the data of anyone they find suspicious without question, as long as they are on their infrastructure. But this goes much further. The Patriot Act also allows something called "mass surveillance", which basically means that pretty much everything is recorded and stored, but not accessed when not needed. Even if it is for the law, this is still a huge invasion of your online privacy. So basically, even if you haven't done anything wrong, you are still being watched by "Big Brother".
Think you are safe from Uncle Sam's prying eyes because you don't live in the US? Think again. Like I said, the Patriot Act applies to ALL US infrastructure! What this basically means is that any kind of technology made by the US can be looked into by the US government, regardless of where it is deployed. A perfect example of this is the Windows OS. Windows is developed by Microsoft, which is based in the US, so Microsoft falls under the US law. That means that the NSA can request any data they have about their customers, whether they are US citizens or not. And just to give you a heads up: 95% of the internet (not servers) runs Windows. Can you see where this is going?
Then there is also the fact that daughter companies based outside the US, but whose main company is based in the US, also fall under this law. An example is Mojang, which was purchased by Microsoft quite some time ago. Like I mentioned above, Microsoft is a company based in the US, and technically, Mojang is a part of Microsoft. Which means that the NSA can easily demand backdoors/logs of Minecraft, for example.
What about companies that are not based in the US, but offer services in the US? The services they provide within the US also fall under this law. An example is CyberGhost. They are VPN providers based in Romania, but they have servers in the US as well. The NSA can demand logs of their servers that are based in the US. CyberGhost claims that they don't keep any logs, but the NSA can still demand a backdoor in the US servers if they want to, let alone that they can force the ISP of those servers to sniff the traffic coming out of the servers. And even if your real IP is still hidden by the server, when the NSA finds any kind of criminal content in those sniffs, I don't think CyberGhost will have a good time if they refuse to hand over any logs because they don't have them.
Besides, does anyone remember that time when a member of LulzSec got arrested, even when he was using the VPN service called "HideMyAss"? Said VPN service claimed that they never handed over any logs to anyone, let alone even keep them. And yet, when the officials came knocking on their door, they suddenly had logs and handed them all over. The thing I am trying to say is: just because a VPN service says it doesn't keep logs does not mean it actually doesn't. Don't trust anyone!
And last but not least: tourists in the US can also be spied on by the NSA. Despite them being of another nationality, their phones and other communications use the US infrastructure as long as they are in the US. Which means the NSA can also spy on them. This makes sense to me actually, because the Patriot Act was originally created to spot terrorists. And every outsider that is in the US can be a potential terrorist.
This is strategically ingenious in my eyes. The US government probably knew they controlled most of the monopoly on the digital market, so they took advantage of this.
This is mostly a reminder to everyone asking someone to hack something for them, and especially the ones who brag on here that "they hacked a large company", either publicly in forum posts or in private messages. As explained here in OTW's article, WonderHowTo (Null-Byte's home) is based in the US and falls under US law. This means it also falls under the Patriot Act. So if you ask someone to hack something for you on here, or brag to someone about "how you hacked a bank and stole 900 million USD", just know that the FBI is just one call away from obtaining all of your info on here, whether it is public forum posts or private messages.
And this doesn't apply to WonderHowTo/Null-Byte alone. This applies to basically any website based in the US, a website that is owned by a company based in the US, a website that is owned by a daughter company whose main company is based in the US, etc...
Okay, I think I have now made clear that the reach of the NSA goes FAR beyond what we expected. But despite its reach being almost unlimited, it ISN'T unlimited! NSA spying can be easily overcome by... well... not using anything that is from the US!
But that is actually quite hard, because almost everything in the IT industry is some sort of American product. So here are a few tips that will keep you out of Uncle Sam's reach:
Staying Hidden Outside the US
Not being in the US already gives you a big advantage, but it is not enough. So here is what you should do to increase your chances of anonymity:
Try to avoid products from the US. This is, I think, the best solution to NSA spying. If you simply don't use any digital US products or services based in the US, the NSA also can't spy on you, because those services don't fall under US law. Try to use Windows as little as possible, and go for a Linux distro not based in the US. Linux is open source, so it is also less likely to be backdoored. (We will get to that later).
Be careful what you do when using US-based services. Using a US-based service (like WHT) is inevitable eventually. So when you use a US-based service, be careful what you click, read, post, send, and whatnot. The NSA most likely won't spy constantly on said service, but they easily could. So keep that in mind.
Use as much open source as you can. Open source projects are less likely to be backdoored, because the source code is publicly available. So what you should do is get the source code of said program, look up how to compile/build it, and then compile/build it yourself.
Encryption is your friend. Many cloud services are based in the US. So if you ever need to store a file on a server that is in the US or owned by an American company, MAKE SURE TO ENCRYPT IT! I recommend encrypting your files with AES-256 (I will make a how-to on this in the future).
It never hurts to use a proxy. Even if you are outside the US, you shouldn't connect to any US-based server with your real IP. You don't need to set up an encrypted connection (unless you have a US-based ISP, but we will get into that later), so just a single proxy will do. 2 countries that would never hand over anything to the US, regardless of what happens, are definitely Russia and China. But neither of said countries is known for being the most privacy-friendly. My recommendation is Sweden, because Sweden seems to take internet privacy pretty seriously, and they have a really solid privacy law.
Use a different password when using a US-based service. This is a tip I really recommend. When you use any kind of US-based service (like Skype, your Microsoft account, etc...), use a different password than your normal password. Those services might be backdoored, so just be careful.
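The file-encryption tip above, as an added example that is not from the original article: two shell functions that encrypt a file with AES-256 using the `openssl` command-line tool before upload, and check the downloaded ciphertext against a locally kept SHA-256 digest before decrypting. The function names, the `BACKUP_PASSPHRASE` environment variable and the PBKDF2 iteration count are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the article author's code. Function names and the
# BACKUP_PASSPHRASE variable are assumptions made for illustration.

# encrypt_for_upload <plaintext> <ciphertext>
# Derives the AES-256 key from the passphrase with PBKDF2 and a random salt.
# The passphrase comes from the environment, so it never appears in `ps`.
encrypt_for_upload() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$1" -out "$2" -pass env:BACKUP_PASSPHRASE || return 1
    # `openssl enc` does not authenticate the ciphertext. Keep its SHA-256
    # on your own machine (not next to the upload) to detect modification.
    openssl dgst -sha256 -r "$2" | cut -d' ' -f1 > "$2.sha256"
}

# decrypt_download <ciphertext> <plaintext> <local digest file>
# Returns 2 and writes nothing if the ciphertext differs from the digest.
decrypt_download() {
    local want got
    want=$(cat "$3") || return 1
    got=$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        echo "ciphertext changed since upload, refusing to decrypt" >&2
        return 2
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:BACKUP_PASSPHRASE
}
```

Upload only the encrypted file; the `.sha256` file and the passphrase stay on your own machine.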
Staying Hidden Inside the US
You are from the US, but still want to escape from the grip your government has on you? Don't worry, because it is even possible for you to slip out of Big Brother's hands! Besides following the above tips, all you need to do extra is encrypt your internet traffic, so the NSA can't sniff your traffic. This can be done by either using a VPN you trust, or I2P (I don't trust Tor anymore after the various deep web busts).
Another thing you should keep in mind is that it is not only your internet traffic that is being sniffed: your phone calls, text messages, what TV channel you watch, and whatnot are also recorded when you are in the US.
Use a trustworthy VPN. Don't trust anyone blindly, but you should still use a VPN service. I recommend CyberGhost VPN. But make sure you select a server outside the US, because otherwise, nothing will really help. Consider using a server located in Sweden; as I mentioned earlier, they are a very friendly country when it comes to privacy.
Use I2P with an exit node outside the US. I'd recommend this method over a VPN, actually. Why? Because the NSA might find it suspicious that you are using a VPN, and in the case of a VPN, they can talk to the company. If you are using a VPN outside of the US, they can't be forced to follow the Patriot Act, but you are better to take the sure for the unsure (I don't know if that actually makes any sense): when you use I2P, the NSA will also spot that you are using I2P, but since I2P is a decentralized (peer to peer) network, they can't track it back to an organization. You just need to make sure that your exit node is not located in the US, because then you might be vulnerable to a certain attack where the NSA can decrypt all the traffic going through the 3 nodes. If all 3 nodes are in the US, that means you are likely to be watched. To check if your exit node is outside the US, simply go to an IP checking site after you have configured your web browser to use I2P, and then locate the country of the IP address using a service like IP tracker.
Hold sensitive conversations through I2P. The NSA can spy on your cellphone calls too. Sadly, I don't know of any workarounds for that. If you want to tell something to someone and you don't want anyone to see it, you should use IRC with I2P. Allen Freeman wrote a really good article on how to do just that.
Okay, I've been targeting the US for the entire article now. But unfortunately, the US isn't the only country that spies on its citizens. Germany for example, despite having a strong privacy law, also has an anti-terrorism program that is not too different from the Patriot Act. Germany is just an example. I think France, the UK, The Netherlands, Spain, and other countries also have an anti-terrorism program.
The reason I wrote solely about the NSA is because 1. it is the most known case of cyber-espionage and 2. the NSA pulled it off on an enormous scale!
So regardless of where you live, you should keep my tips in mind. You will never be truly anonymous, but you can be almost untraceable if you keep my tips in mind, and put some of your own effort into it as well, which brings me to the next point:
I think the headline says it. If you are really paranoid and you don't want anyone following you, you should abandon social media like Facebook and Twitter (or don't use your real name on the latter). Most famous black- and greyhats got busted simply because they made these mistakes. They routed all their connections through the Tor or I2P network, they encrypted their entire hard drive, but they made the single mistake of bragging about their attacks on social media.
There is good news, everyone: it looks like the Patriot Act is going to be replaced with the Freedom Act. In fact, it already got replaced on June 2, 2015!
The bad news is, the only thing that pretty much changed in this law is that the Freedom Act will be more transparent. What this means is that we will get to know more about how the spying is carried out. But the ways of spying probably won't change. So you would still do well to follow my tips.
And I also doubt that the NSA will follow this new act. Honestly, I think it is simply a decoy to make up for Snowden's releases.
No. Because there is still something called "freedom of speech", and the US allows me to criticize their government. I can hate the NSA as much as I want. And teaching you all how to hide from the NSA is also free speech. I am not trying to motivate any of you to do illegal things with the tips I taught you today. This may be a good time to put in a little disclaimer: I am not responsible for anything you might do with this knowledge. Whatever you do, it is your responsibility.
There is a good documentary about Edward Snowden and the NSA called "Citizenfour". If you want to get to know more about the subject, or just want to kill some time with a good documentary, I really recommend this documentary.
This is it guys, my longest article yet. I spent 4 days (yes, 4 DAYS!) writing this article. So I really hope you all enjoyed the read. If there is anything you thought that was missing or you have any questions, feel free to PM me or to comment below!