back to article Using encryption? That means the US spooks have you on file

Anyone who encrypts their emails or uses secure instant message services runs the risk of having their communications stored by the US National Security Agency, according to the latest leaks from former NSA sysadmin Edward Snowden. The Guardian has published two more explosive documents which set out what sort of information the …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

Encryption?

Sarcasm? Satire? Txt-speak?

0
0
jai
Silver badge

Re: Encryption?

Owhay aboutway igpay atinlay?

8
0
Devil

@ Ole Jul - Re: Encryption?

<fnord>Be careful, those are automatic trigger words.</fnord>

0
0
Big Brother

Re: Encryption?

Spelling mistakes, gramatical errors.

Hidden words

INcorrect captiisation

They can apply it to anything

4
0
Paris Hilton

Re: Encryption?

pooksay avehay orkway hattay utoay ithway heirtay ainframemay!

-

arispay ustjay ecausebay

3
0
Facepalm

Re: Encryption?

So they're tracking all Canadian email then, ay?

6
0
Bronze badge

Re: Encryption?

Spelling mistakes, gramatical errors.

Hidden words

INcorrect captiisation

Anything by amanfrommars.

We're all doomed!

0
0
Silver badge
Meh

Re: Encryption?

Simple solution to this has been around for years, just write a letter.

2
1
Bronze badge
Angel

Re: Encryption?

For simple messages

Usually the spelling will be incorrect

Check for simple typos

Kindergarten-grade mistakes

You should also be aware of grammar errors

Obvious word substitutions

Usually this will allow the intended message to be seen clearly once the mistakes are removed

Narrowing the possibilities

Selecting the useful information

Although, maybe the message is more subtle.....

0
0
Facepalm

Reminds me of the rules

for the use of Ford Prefects corporate credit card: only if the researcher's life is threatened, there is a particularly rare and valuable bit of information to be acquired and no other means would do or when he really, really wants to.

Bit fuzzy? Never . . .

7
0

Re: Reminds me of the rules

Actually, the currency that Ford Prefect liked to pay in, to which the rules applied, was "Writing a favourable review in The Hitch Hiker's Guide to the Galaxy".

Also, he preferred not to use the "really wants to" clause, because then you had to suck up to the editor... or something like that.

So he used an American Express (technically not credit) card, which of course was refused, at which point usually his life was threatened, not technically.

But your point seems to stand. If there aren't strict rules strictly enforced to stop the spooks doing whatever they like, then they will. The public needs to be protected by having everybody, including the spooks, know what those rules are.

Otherwise the data will be used e.g. to interfere with voter registration. To attack democracy directly. It -will-. There is minuscule voter fraud of illegal votes being cast, but copious fraud of false counting -and- of denying citizens the right to vote, either illegally or because they're black or Hispanic. Yes, in the U.S.

Homosexuals, trade unionists, feminists, and opponents of foreign dictatorships also can be targeted in various ways.

When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.

Americans should do the same - now.

29
4
Anonymous Coward

Re: Reminds me of the rules

"Homosexuals, trade unionists, feminists..... can be targeted in various ways."

Sounds good. When are we building our Golgafrinchan Ark B?

0
4
Silver badge

Re: Otherwise the data will be used e.g. to interfere with voter registration

Ah yes, the racsist canard. Oh, and there's the confirmation: Homosexuals, trade unionists, feminists, too. In other words, none of the people who've actually been illegally targeted by the current regime in the known scandals. Oh, and let's not forget the outright lie that There is minuscule voter fraud of illegal votes being cast given the results of Democrats in New Jersey being thrown into jail on just those charges, or precincts near Chicago and Philadelphia where 105% of the total population voted even though we rarely exceed 50% of registered voters casting ballots even though we barely have something 45% of the total eligible voting population registered.

0
2
Bronze badge

Re: Reminds me of the rules

"When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.

Americans should do the same - now."

What a great idea! Revolt, then destroy the evidence of crimes committed by the previous regime.

As for the rest, that is a nice synopsis of American history, especially during the McCarty era, with the House UnAmerican Activities Committee, a more aptly named committee there never was.

0
0
Bronze badge

Re: Otherwise the data will be used e.g. to interfere with voter registration

"Ah yes, the racsist canard. Oh, and there's the confirmation: Homosexuals, trade unionists, feminists, too. "

Do look up the Red Scare I and II, then look up McCarthyism. Then, look up J. Edgar Hoover.

0
0
Silver badge
Black Helicopters

Steganography?

Any image (large) might contain some subtly hidden message (just replace the least significant bits of the image with bits from a compressed, encrypted file). Even this crude method can be very hard to detect, as a compressed file is already close to noise in its bit patterns (high entropy signal). Any high entropy signal can be considered suspect for that reason (photon-noise-limited astronomical images spring to mind)

The NSA are of course aware of steganography, and could use this to suggest any media file is suspect. The only problem they then face is tracking all such data.

Me, paranoid?

14
0
Bronze badge
Paris Hilton

Re: Steganography?

I note the clever way you've used steganogrphy*, in your otherwise innocuous message, to demonstrate your point.

Incidentally, I wonder if it will become fashionable to periodically send emails containing blocks of RNG-generated text just to spite the NSA, who'll then waste resources storing and trying to decipher them.

* I agree, by the way. It really is a travesty that Paris Hilton hasn't swept the Nobel Prize awards.

3
0
Anonymous Coward

Re: Steganography?

There was a fad, many years ago* of adding "trigger" words to your email signature to bamboozle the spooks monitoring email traffic.

*Circa the late 90s iirc.

6
0
Silver badge
Angel

Re: Steganography?

There's an idea... embed your messages in a porn stream.. That way the snoops would have to trawl through the 90% of the internet dedicated to that particular pastime ... ;)

2
0
Paris Hilton

Re: Steganography?

I think I still have one of my email clients configured with an X-SpookWords: header.

0
0
Big Brother

Re: Steganography?

I think you're referring to the old UseNet "NSA Line Eater" trick of adding "food for the line eater" as your first post line. The original reason was to circumvent a bug in netnews that deleted the first line of a posting; later it was changed to put words like "russia", "nukes" or "kibo" into the line to trigger grepping routines.

BB because...

1
0
Big Brother

Re: Steganography?

A long time ago on an internet far far away I was an Admin on the forum for a MMOG, we had a spate of users leaking secure bits of the forums via screen-grabs, so I replaced the forums 'reply' button, an icon of a document on a blue button, with a PHP script that produced an image that was identical save for the users forumID and IP address being encoded in the dots representing words on the icon. Nobody noticed the difference and because the reply icon was above and below each post it was likely to end up on a screen grab.

A separate script decoded the cropped icons from screen-grabs and coped with jpeg compression just fine to reveal the user.

\o for Pacifica

1
0

Re: Steganography?

Plot twist: storage manufacturers have been spent years emailing terabytes of "encrypted" data around, lacing the meta-data with trigger words. NSA was forced splash out on multi-million dollar data warehouses to accommodate this suspect "chatter".

1
1
Silver badge

Re: Steganography?

According to various rumours, that's been happening since the early 1990s on Usenet.

Apparently there are some rather interesting nazi-related textfiles buried in all those pics of Claudia Schiffer too.

0
0
g e
Silver badge
Pint

So use TOR or VPN's _more_

There has to be a point where they can no longer store all encrypted stuff as quickly as they can find it.

At which point their heads explode, obviously.

Friday pintday.

2
2
Silver badge

Re: So use TOR or VPN's _more_

It turns out the human condition is amenable to planet-scale deduplication:basically we all bitch about the same things so you don't need as much storage space as you'd think.

12
0
Coat

Re: So use TOR or VPN's _more_

>...

At which point their heads explode, obviously.

...<

No, they'll just stop routing the suspicious, encrypted ATM requests to HSBC until they've caught up.

Just kidding.

Oh, wait . . .

4
0
Anonymous Coward

Re: So use TOR or VPN's _more_

is -that- what happened to HSBC this afternoon? ;)

0
0
Silver badge

Re: So use TOR or VPN's _more_

Well given that they have been laundering trillions of dollars of money for Mexican drug cartels, that's maybe not such a daft idea.

1
0

Re: So use TOR or VPN's _more_

the Utah Data Center supposedly has a ultimate capacity of 5 zetabytes. which is 5000000 petabytes. thats enough storage to hold ALL internet traffic for 5 years. and keep all major disk manufactures bottom line happy for a couple years while its populated.

0
1
Silver badge

scare tactic

The implication is: if you don't use encryption then we won't keep your emails. I would not fall for that one.

17
2

Re: scare tactic

Me neither. So they store it. But they can't read it, at least until quantum computers are available. So what are they going to use it for. A source of random numbers?

5
1
Silver badge
Black Helicopters

Re: scare tactic

If you can get your hands on a good one-time pad (least significant pits of camera noise will do) you have a provably safe encryption, because the (truly random) key is as long as the message. Quantum computing does not help one jot. Trying all keys gives you (apart from a load of rubbish) all possible plain-text messages of the given length, and all possible zip/rar/tgz/bz2/... files of the same length, exploding the possible space of intelligible solutions further. Somewhere in that humongous space of solutions is the right one, but you have no way of telling which one is correct.

The only problem is transmitting the key over a secure channel. That is not that difficult: store these random bits steganographically on a DVD or Blu-Ray disc containing footage of the kids playing, and take them personally to the intended person when visiting them on holidays.

2
0
Silver badge

Re: scare tactic

I've considered that as an idea for a super-secure VPN for corporate laptops. Have a trusted computer at the office generate a giant OTP. One copy goes on the VPN server, and one on the company laptop before the trip to China. Packets from the laptop to the VPN server are XORed starting at the beginning of the OTP, packets going the other way are XORed starting at the end. So long as the laptop is maintained physically secure, it'd be unbreakable. Eventually the OTP would be depleted, but that's just a matter of having a large enough pad - you could easily use a hundred-gig pad these days, which is plenty to last for the duration of a business trip.

0
0

Re: scare tactic

read up on the Utah Data Center. they are building some SERIOUS crypto cracking supercomputer clouds to go with their 5 zettabyte storage farm.

1
0
Silver badge

Re: scare tactic

And anyone of interest can just apply some stupidly high level of encryption, and thus just create more work for them and still stay, relatively, secure. It's really not that hard to use something ludicrous like 8192bit TLS, for example. It's just a matter of time on encryption/decryption and on modern machines you'll barely notice it and nothing's THAT time-critical.

But doing so increases the brute-force cracking time exponentially to the point where you could network the world and still chase a few millennia. Decyrpting crypto is NOT about brute-force techniques, that's the dumbest thing in the whole world to even try (given that you have no idea what encryption algorithm or keysize to even start with). It's about getting the data in other ways (e.g. subverting traffic routes, feeding false certificates, etc.), clever tricks and have people on staff who can find the holes. That's a whole different board game. As such, you don't want to waste your computing power decrypting someone's Facebook access when you could have just (for example), subpoeaned Facebook.

I honestly don't buy all this "spooks with acres of datacentre" junk. Sorry, I treat it how it sounds - a military-issued misinformation to deter enemies. Same for just about everything that's come out of GCHQ lately (i.e. the last ten years). Crying that we don't have enough power, Jim, and just need a few billion in funding to spend on supercomputers. Cracking crypto by brute-force really isn't worth it, not for criminals, not for militaries, not for anyone. Anyone with a brain will be using encryption of a type / keysize that it's just infeasible with all the datacentres in the world. And every false positive costs you SO much in terms of wasted effort that it's just ridiculous. And those people organising their terrorism on some 128-bit SSL-secured website? There are much better ways in for a DAMN SPYING AGENCY than messing about trying to brute-force the private key.

If they have those kind of datacentres, they are using them for statistical analysis. Big data set, powerful computer churning over it to find correlations, not brute-forcing someone's Twitter session when they could just ask Twitter. Think "Google", not "The Matrix".

And if the NSA etc. were THAT good, they wouldn't need feeds inside Facebook et al. When that was announced I just laughed. If they wanted to do see Facebook traffic, and it was as illegal as it is, and they HAD acres of supercomputers decrypting PKE communications, they'd know Facebook's private key before they ever had to put any box into a datacentre and keep lots of people privy to the secret, and from then on decryption is basically "free".

Even if the key changes, store data, brute-force the new key, decrypt all the data once you've broken it. And then even Facebook wouldn't know that what was happening was being decrypted en-route, and only the major transit sections would ever need to have any knowledge of the NSA's actions. But, no. Let's stick a box in a datacentre where a thousand people work and swear them to silence illegally.

These people, including GCHQ, are not doing their jobs if what they say is true. But these people are hired to be entirely 100% deceptive for a living. I wouldn't even be surprised if any such "box" was basically filled with two house bricks and a battery for the flashing LED. We're dealing with people whose job is to be deceptive, reassure the public about security, deter the enemy, but only as a SIDELINE to their real work. Which isn't brute-forcing SSL keys, but being inside the very groups they want to monitor, and breaking SSL entirely via weaknesses, side-hacks and all sorts of other avenues. You can bet that some researcher at GCHQ knew about BEAST attacks, Debian-based key weakness etc. years before anyone else did. Hell, they kept the very existence of PKI secret for decades until it was "reinvented".

If this "acres of datacentre" junk is true, I'm VERY VERY disappointed in whatever agency runs it. If the "tapping-direct-into-Facebook-etc." is true, I'm even more disappointed. If GCHQ etc. are actually sitting there brute-forcing keys as a matter of routine rather than as the last resort on the very tail of something they know is absolutely critical, after all of their side-methods have knocked down the problem by several orders of magnitude, then I feel very, very sorry for what they've become. Not because of the privacy issues, but just that "spying" has been so watered down that it's brawn over brains, in some of the very agencies that cracked, invented and pioneered these techniques in the first place.

GCHQ was 5 years ahead of anyone else, even the top published mathematicians in the world, and didn't tell anyone until 25 years later. If we've really been reduced to just letting a large computer churn through a stupidly unfiltered dataset and trying to brute-force SSL sessions, then that speaks more for the UK education system than anything else at all.

I don't doubt for a second, though, that GCHQ et al wouldn't try to give you that impression, and actually go to the effort of creating a physical datacentre that does very little, just to be a target for some other nation, while sitting on ways to get this information and break this encryption without having to lift a damn finger.

Hell, if I was GCHQ, I'd be inside (or behind!) Truecrypt, Tor, Bitcoin, and just about everything else related. I wouldn't be touching Facebook with a bargepole, except to spread misinformation.

3
0
Bronze badge

Re: scare tactic @Lee D. Acres of datacentres

It wouldn't surprise me if they did have acres of datacentres - it's not like they would use public cloud for all that analysis - or would they...?!!!

0
0
Bronze badge

Re: scare tactic

"I honestly don't buy all this "spooks with acres of datacentre" junk."

Sorry to break it to you, but they do have such datacenters. Note the plural. I've looked upon one with my own eyes.

The NSA hires more mathematicians than any other entity in the world. They also hire more programmers than any other entity in the world.

They also own more supercomputers than any other entity in the world.

Their budget is part of the DoD budget, much of it a black budget.

That said, they're part of the DoD, so one data processing term is operable: GIGO.

Or most commonly, garbage in, nothing out.

0
0
WTF?

So.....

If I use a VPN to connect to a US exit point and send an encrypted email, they WONT put me on the list? Am I reading that right?

0
0

Re: So.....

My reading of that case is:

If it's a VPN where they deem that it 'could' be that you are not in the US then, citizen or not, they may pop you into their database for 5 years until they can establish otherwise.

2
0
Silver badge
Black Helicopters

Re: So.....

They have a test based on their estimate of probability that you are in the U.S. So while using a U.S. exit point will help, it's not an absolute guarantee of success. Also, if they are reading your communications and you are rattling on about spending the weekend in Liverpool or something, then you are hosed because they will automatically put you in the "foreign" category.

Also, using a U.S. exit point probably exponentially increases the chance that you get hoovered up by GCHQ, becuase now you are in the non-British bucket. How well GCHQ's surveilllance works and under what rules I could not say, beyond that they get slapped around some if they are caught snooping on Brits.

1
0
Anonymous Coward

Re: So.....

It is all conditional probability aka Bayes analysis.

Old good google conditional probability algo applied to network data (via map-reduce). If that algo spits out that you are of interest you will never get off their database until the end of your life. Those guidelines contain enough backdoors for them to always keep everything from you.

The interesting bit is that algo works of BIG DATA. LOTS OF DATA. This makes all the claims about only 2000 requests very very difficult to believe

0
1
Go

Re: So.....

Liverpool is in Ontario

1
0

Re: So.....

great stuff

into the "not american" and "not english" lists you go

suppose the same argument could be used for Birmingham for someone to end up on both lists

0
0
Anonymous Coward

Re: So.....

Strangely there are a lot of place names that are applied to more than one settlement in the world.

0
0
Anonymous Coward

so, if we all use encryption, for everything, then perhaps we can give them data overload.

3
0
Silver badge

Vindication

Well well well, so all those people over the years telling me to use encryption turn out to have a load of egg on their faces. I shouldn't gloat, but lets just say it's been a running battle with some of these clowns, especially the self-appointed security "experts".

I have always refused to use encryption for good reason. It's not that I can't figure out how to encrypt my emails, it's just that I always knew deep down that I couldn't trust encryption. Call it intuition or a natural eye for security if you will. We see it in films all the time some whizkids breaking supposedly unbreakable encryptions.

I've always preferred to hide my secrets using more secure and harder to detect means. For example if I need to send a secret message to one of my contacts, I send them a perfectly innocent looking email:

"Hi, what's for tea tonight?"

If the NSA read that they'd just think it was a harmless email. But my contact knows to press the secret keyboard code CTRL-A which will reveal hidden text. Hidden text I have planted at the end of the email by setting the outlook editor to write in white font on white background. For extra security when data is particularly sensitive I print out the emails and post them by snail mail. My contacts then scan them in at the other end. Even if the NSA get hold of the paper in transit they can't use CTRL-A on it even if they knew about CTRL-A (perhaps they do, perhaps they don't, that's just the risk I take. That said I wouldn't put it past Microsoft to have told them about it)

While some have scoffed at my security arrangements, note that in 10 years my communications have never been hacked. I only mention this now because I no longer use this system, I have a much better one. Sorry, not telling :)

34
21
Anonymous Coward

Re: Vindication

Ha ha, the joke's on you because the NSA still use Amstrad's with green screen monitors. I get round this though by typing in code so the letters are numbers. Only me and my friend know A=1, B=2, C=3, etc. :)

9
1

Re: Vindication

I do better than that - I use ROT 13. Just to be really secure, I use it twice.

17
0
Facepalm

Re: Vindication

Do you really think they sit there looking at your emails in Outlook or do you think they maybe scan the content of the message in raw format then laugh at the people 'hiding' messages in white on white?

I hope you were being ironic/sarcastic. If not, you should maybe cast your natural eye for security over your new 'much better' system once more - just to make sure it's not got any tiny flaws...

5
11

Page:

This topic is closed for new posts.

Forums