Encryption?
Sarcasm? Satire? Txt-speak?
Using encryption? That means the US spooks have you on file
Anyone who encrypts their emails or uses secure instant message services runs the risk of having their communications stored by the US National Security Agency, according to the latest leaks from former NSA sysadmin Edward Snowden. The Guardian has published two more explosive documents which set out what sort of information …
-
-
-
Monday 24th June 2013 11:20 GMT theblackhand
Re: Encryption?
For simple messages
Usually the spelling will be incorrect
Check for simple typos
Kindergarten-grade mistakes
You should also be aware of grammar errors
Obvious word substitutions
Usually this will allow the intended message to be seen clearly once the mistakes are removed
Narrowing the possibilities
Selecting the useful information
Although, maybe the message is more subtle.....
-
-
Friday 21st June 2013 15:39 GMT Robert Carnegie
Re: Reminds me of the rules
Actually, the currency that Ford Prefect liked to pay in, to which the rules applied, was "Writing a favourable review in The Hitch Hiker's Guide to the Galaxy".
Also, he preferred not to use the "really wants to" clause, because then you had to suck up to the editor... or something like that.
So he used an American Express (technically not credit) card, which of course was refused, at which point usually his life was threatened, not technically.
But your point seems to stand. If there aren't strict rules strictly enforced to stop the spooks doing whatever they like, then they will. The public needs to be protected by having everybody, including the spooks, know what those rules are.
Otherwise the data will be used e.g. to interfere with voter registration. To attack democracy directly. It -will-. There is minuscule voter fraud of illegal votes being cast, but copious fraud of false counting -and- of denying citizens the right to vote, either illegally or because they're black or Hispanic. Yes, in the U.S.
Homosexuals, trade unionists, feminists, and opponents of foreign dictatorships also can be targeted in various ways.
When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.
Americans should do the same - now.
-
Monday 24th June 2013 12:39 GMT Tom 13
Re: Otherwise the data will be used e.g. to interfere with voter registration
Ah yes, the racsist canard. Oh, and there's the confirmation: Homosexuals, trade unionists, feminists, too. In other words, none of the people who've actually been illegally targeted by the current regime in the known scandals. Oh, and let's not forget the outright lie that There is minuscule voter fraud of illegal votes being cast given the results of Democrats in New Jersey being thrown into jail on just those charges, or precincts near Chicago and Philadelphia where 105% of the total population voted even though we rarely exceed 50% of registered voters casting ballots even though we barely have something 45% of the total eligible voting population registered.
-
Monday 24th June 2013 13:35 GMT Wzrd1
Re: Reminds me of the rules
"When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.
Americans should do the same - now."
What a great idea! Revolt, then destroy the evidence of crimes committed by the previous regime.
As for the rest, that is a nice synopsis of American history, especially during the McCarty era, with the House UnAmerican Activities Committee, a more aptly named committee there never was.
-
-
Friday 21st June 2013 15:18 GMT Michael H.F. Wilkinson
Steganography?
Any image (large) might contain some subtly hidden message (just replace the least significant bits of the image with bits from a compressed, encrypted file). Even this crude method can be very hard to detect, as a compressed file is already close to noise in its bit patterns (high entropy signal). Any high entropy signal can be considered suspect for that reason (photon-noise-limited astronomical images spring to mind)
The NSA are of course aware of steganography, and could use this to suggest any media file is suspect. The only problem they then face is tracking all such data.
Me, paranoid?
-
Friday 21st June 2013 16:43 GMT silent_count
Re: Steganography?
I note the clever way you've used steganogrphy*, in your otherwise innocuous message, to demonstrate your point.
Incidentally, I wonder if it will become fashionable to periodically send emails containing blocks of RNG-generated text just to spite the NSA, who'll then waste resources storing and trying to decipher them.
* I agree, by the way. It really is a travesty that Paris Hilton hasn't swept the Nobel Prize awards.
-
-
Saturday 22nd June 2013 10:07 GMT Cheshire Cat
Re: Steganography?
I think you're referring to the old UseNet "NSA Line Eater" trick of adding "food for the line eater" as your first post line. The original reason was to circumvent a bug in netnews that deleted the first line of a posting; later it was changed to put words like "russia", "nukes" or "kibo" into the line to trigger grepping routines.
BB because...
-
-
Saturday 22nd June 2013 13:43 GMT jubtastic1
Re: Steganography?
A long time ago on an internet far far away I was an Admin on the forum for a MMOG, we had a spate of users leaking secure bits of the forums via screen-grabs, so I replaced the forums 'reply' button, an icon of a document on a blue button, with a PHP script that produced an image that was identical save for the users forumID and IP address being encoded in the dots representing words on the icon. Nobody noticed the difference and because the reply icon was above and below each post it was likely to end up on a screen grab.
A separate script decoded the cropped icons from screen-grabs and coped with jpeg compression just fine to reveal the user.
\o for Pacifica
-
-
-
-
Saturday 22nd June 2013 07:11 GMT Michael H.F. Wilkinson
Re: scare tactic
If you can get your hands on a good one-time pad (least significant pits of camera noise will do) you have a provably safe encryption, because the (truly random) key is as long as the message. Quantum computing does not help one jot. Trying all keys gives you (apart from a load of rubbish) all possible plain-text messages of the given length, and all possible zip/rar/tgz/bz2/... files of the same length, exploding the possible space of intelligible solutions further. Somewhere in that humongous space of solutions is the right one, but you have no way of telling which one is correct.
The only problem is transmitting the key over a secure channel. That is not that difficult: store these random bits steganographically on a DVD or Blu-Ray disc containing footage of the kids playing, and take them personally to the intended person when visiting them on holidays.
-
Saturday 22nd June 2013 09:09 GMT Suricou Raven
Re: scare tactic
I've considered that as an idea for a super-secure VPN for corporate laptops. Have a trusted computer at the office generate a giant OTP. One copy goes on the VPN server, and one on the company laptop before the trip to China. Packets from the laptop to the VPN server are XORed starting at the beginning of the OTP, packets going the other way are XORed starting at the end. So long as the laptop is maintained physically secure, it'd be unbreakable. Eventually the OTP would be depleted, but that's just a matter of having a large enough pad - you could easily use a hundred-gig pad these days, which is plenty to last for the duration of a business trip.
-
-
-
Monday 24th June 2013 11:02 GMT Lee D
Re: scare tactic
And anyone of interest can just apply some stupidly high level of encryption, and thus just create more work for them and still stay, relatively, secure. It's really not that hard to use something ludicrous like 8192bit TLS, for example. It's just a matter of time on encryption/decryption and on modern machines you'll barely notice it and nothing's THAT time-critical.
But doing so increases the brute-force cracking time exponentially to the point where you could network the world and still chase a few millennia. Decyrpting crypto is NOT about brute-force techniques, that's the dumbest thing in the whole world to even try (given that you have no idea what encryption algorithm or keysize to even start with). It's about getting the data in other ways (e.g. subverting traffic routes, feeding false certificates, etc.), clever tricks and have people on staff who can find the holes. That's a whole different board game. As such, you don't want to waste your computing power decrypting someone's Facebook access when you could have just (for example), subpoeaned Facebook.
I honestly don't buy all this "spooks with acres of datacentre" junk. Sorry, I treat it how it sounds - a military-issued misinformation to deter enemies. Same for just about everything that's come out of GCHQ lately (i.e. the last ten years). Crying that we don't have enough power, Jim, and just need a few billion in funding to spend on supercomputers. Cracking crypto by brute-force really isn't worth it, not for criminals, not for militaries, not for anyone. Anyone with a brain will be using encryption of a type / keysize that it's just infeasible with all the datacentres in the world. And every false positive costs you SO much in terms of wasted effort that it's just ridiculous. And those people organising their terrorism on some 128-bit SSL-secured website? There are much better ways in for a DAMN SPYING AGENCY than messing about trying to brute-force the private key.
If they have those kind of datacentres, they are using them for statistical analysis. Big data set, powerful computer churning over it to find correlations, not brute-forcing someone's Twitter session when they could just ask Twitter. Think "Google", not "The Matrix".
And if the NSA etc. were THAT good, they wouldn't need feeds inside Facebook et al. When that was announced I just laughed. If they wanted to do see Facebook traffic, and it was as illegal as it is, and they HAD acres of supercomputers decrypting PKE communications, they'd know Facebook's private key before they ever had to put any box into a datacentre and keep lots of people privy to the secret, and from then on decryption is basically "free".
Even if the key changes, store data, brute-force the new key, decrypt all the data once you've broken it. And then even Facebook wouldn't know that what was happening was being decrypted en-route, and only the major transit sections would ever need to have any knowledge of the NSA's actions. But, no. Let's stick a box in a datacentre where a thousand people work and swear them to silence illegally.
These people, including GCHQ, are not doing their jobs if what they say is true. But these people are hired to be entirely 100% deceptive for a living. I wouldn't even be surprised if any such "box" was basically filled with two house bricks and a battery for the flashing LED. We're dealing with people whose job is to be deceptive, reassure the public about security, deter the enemy, but only as a SIDELINE to their real work. Which isn't brute-forcing SSL keys, but being inside the very groups they want to monitor, and breaking SSL entirely via weaknesses, side-hacks and all sorts of other avenues. You can bet that some researcher at GCHQ knew about BEAST attacks, Debian-based key weakness etc. years before anyone else did. Hell, they kept the very existence of PKI secret for decades until it was "reinvented".
If this "acres of datacentre" junk is true, I'm VERY VERY disappointed in whatever agency runs it. If the "tapping-direct-into-Facebook-etc." is true, I'm even more disappointed. If GCHQ etc. are actually sitting there brute-forcing keys as a matter of routine rather than as the last resort on the very tail of something they know is absolutely critical, after all of their side-methods have knocked down the problem by several orders of magnitude, then I feel very, very sorry for what they've become. Not because of the privacy issues, but just that "spying" has been so watered down that it's brawn over brains, in some of the very agencies that cracked, invented and pioneered these techniques in the first place.
GCHQ was 5 years ahead of anyone else, even the top published mathematicians in the world, and didn't tell anyone until 25 years later. If we've really been reduced to just letting a large computer churn through a stupidly unfiltered dataset and trying to brute-force SSL sessions, then that speaks more for the UK education system than anything else at all.
I don't doubt for a second, though, that GCHQ et al wouldn't try to give you that impression, and actually go to the effort of creating a physical datacentre that does very little, just to be a target for some other nation, while sitting on ways to get this information and break this encryption without having to lift a damn finger.
Hell, if I was GCHQ, I'd be inside (or behind!) Truecrypt, Tor, Bitcoin, and just about everything else related. I wouldn't be touching Facebook with a bargepole, except to spread misinformation.
-
Monday 24th June 2013 13:53 GMT Wzrd1
Re: scare tactic
"I honestly don't buy all this "spooks with acres of datacentre" junk."
Sorry to break it to you, but they do have such datacenters. Note the plural. I've looked upon one with my own eyes.
The NSA hires more mathematicians than any other entity in the world. They also hire more programmers than any other entity in the world.
They also own more supercomputers than any other entity in the world.
Their budget is part of the DoD budget, much of it a black budget.
That said, they're part of the DoD, so one data processing term is operable: GIGO.
Or most commonly, garbage in, nothing out.
-
-
-
-
-
-
Friday 21st June 2013 16:46 GMT Anonymous Coward
Re: So.....
They have a test based on their estimate of probability that you are in the U.S. So while using a U.S. exit point will help, it's not an absolute guarantee of success. Also, if they are reading your communications and you are rattling on about spending the weekend in Liverpool or something, then you are hosed because they will automatically put you in the "foreign" category.
Also, using a U.S. exit point probably exponentially increases the chance that you get hoovered up by GCHQ, becuase now you are in the non-British bucket. How well GCHQ's surveilllance works and under what rules I could not say, beyond that they get slapped around some if they are caught snooping on Brits.
-
-
Friday 21st June 2013 17:42 GMT Anonymous Coward
Re: So.....
It is all conditional probability aka Bayes analysis.
Old good google conditional probability algo applied to network data (via map-reduce). If that algo spits out that you are of interest you will never get off their database until the end of your life. Those guidelines contain enough backdoors for them to always keep everything from you.
The interesting bit is that algo works of BIG DATA. LOTS OF DATA. This makes all the claims about only 2000 requests very very difficult to believe
-
-
Friday 21st June 2013 15:50 GMT NomNomNom
Vindication
Well well well, so all those people over the years telling me to use encryption turn out to have a load of egg on their faces. I shouldn't gloat, but lets just say it's been a running battle with some of these clowns, especially the self-appointed security "experts".
I have always refused to use encryption for good reason. It's not that I can't figure out how to encrypt my emails, it's just that I always knew deep down that I couldn't trust encryption. Call it intuition or a natural eye for security if you will. We see it in films all the time some whizkids breaking supposedly unbreakable encryptions.
I've always preferred to hide my secrets using more secure and harder to detect means. For example if I need to send a secret message to one of my contacts, I send them a perfectly innocent looking email:
"Hi, what's for tea tonight?"
If the NSA read that they'd just think it was a harmless email. But my contact knows to press the secret keyboard code CTRL-A which will reveal hidden text. Hidden text I have planted at the end of the email by setting the outlook editor to write in white font on white background. For extra security when data is particularly sensitive I print out the emails and post them by snail mail. My contacts then scan them in at the other end. Even if the NSA get hold of the paper in transit they can't use CTRL-A on it even if they knew about CTRL-A (perhaps they do, perhaps they don't, that's just the risk I take. That said I wouldn't put it past Microsoft to have told them about it)
While some have scoffed at my security arrangements, note that in 10 years my communications have never been hacked. I only mention this now because I no longer use this system, I have a much better one. Sorry, not telling :)
This topic is closed for new posts.
