Using encryption? That means the US spooks have you on file

Anyone who encrypts their emails or uses secure instant message services runs the risk of having their communications stored by the US National Security Agency, according to the latest leaks from former NSA sysadmin Edward Snowden. The Guardian has published two more explosive documents which set out what sort of information …

COMMENTS

This topic is closed for new posts.

  1. Ole Juul Silver badge

    Encryption?

    Sarcasm? Satire? Txt-speak?

    1. jai

      Re: Encryption?

      Owhay aboutway igpay atinlay?

      1. Anonymous Coward
        Paris Hilton

        Re: Encryption?

        pooksay avehay orkway hattay utoay ithway heirtay ainframemay!

        -

        arispay ustjay ecausebay

        1. Blacklight
          Facepalm

          Re: Encryption?

          So they're tracking all Canadian email then, ay?

    2. andreas koch
      Devil

      @ Ole Juul - Re: Encryption?

      <fnord>Be careful, those are automatic trigger words.</fnord>

    3. edge_e
      Big Brother

      Re: Encryption?

      Spelling mistakes, gramatical errors.

      Hidden words

      INcorrect captiisation

      They can apply it to anything

      1. Francis Boyle Silver badge

        Re: Encryption?

        Spelling mistakes, gramatical errors.

        Hidden words

        INcorrect captiisation

        Anything by amanfrommars.

        We're all doomed!

      2. theblackhand
        Angel

        Re: Encryption?

        For simple messages

        Usually the spelling will be incorrect

        Check for simple typos

        Kindergarten-grade mistakes

        You should also be aware of grammar errors

        Obvious word substitutions

        Usually this will allow the intended message to be seen clearly once the mistakes are removed

        Narrowing the possibilities

        Selecting the useful information

        Although, maybe the message is more subtle.....

    4. LarsG
      Meh

      Re: Encryption?

      Simple solution to this has been around for years, just write a letter.

  2. andreas koch
    Facepalm

    Reminds me of the rules

    for the use of Ford Prefect's corporate credit card: only if the researcher's life is threatened, there is a particularly rare and valuable bit of information to be acquired and no other means would do or when he really, really wants to.

    Bit fuzzy? Never . . .

    1. Robert Carnegie Silver badge

      Re: Reminds me of the rules

      Actually, the currency that Ford Prefect liked to pay in, to which the rules applied, was "Writing a favourable review in The Hitch Hiker's Guide to the Galaxy".

      Also, he preferred not to use the "really wants to" clause, because then you had to suck up to the editor... or something like that.

      So he used an American Express (technically not credit) card, which of course was refused, at which point usually his life was threatened, not technically.

      But your point seems to stand. If there aren't strict rules strictly enforced to stop the spooks doing whatever they like, then they will. The public needs to be protected by having everybody, including the spooks, know what those rules are.

      Otherwise the data will be used e.g. to interfere with voter registration. To attack democracy directly. It -will-. There is minuscule voter fraud of illegal votes being cast, but copious fraud of false counting -and- of denying citizens the right to vote, either illegally or because they're black or Hispanic. Yes, in the U.S.

      Homosexuals, trade unionists, feminists, and opponents of foreign dictatorships also can be targeted in various ways.

      When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.

      Americans should do the same - now.

      1. Anonymous Coward
        Anonymous Coward

        Re: Reminds me of the rules

        "Homosexuals, trade unionists, feminists..... can be targeted in various ways."

        Sounds good. When are we building our Golgafrinchan Ark B?

      2. Tom 13

        Re: Otherwise the data will be used e.g. to interfere with voter registration

        Ah yes, the racist canard. Oh, and there's the confirmation: Homosexuals, trade unionists, feminists, too. In other words, none of the people who've actually been illegally targeted by the current regime in the known scandals. Oh, and let's not forget the outright lie that There is minuscule voter fraud of illegal votes being cast given the results of Democrats in New Jersey being thrown into jail on just those charges, or precincts near Chicago and Philadelphia where 105% of the total population voted even though we rarely exceed 50% of registered voters casting ballots even though we barely have something 45% of the total eligible voting population registered.

        1. Wzrd1

          Re: Otherwise the data will be used e.g. to interfere with voter registration

          "Ah yes, the racist canard. Oh, and there's the confirmation: Homosexuals, trade unionists, feminists, too. "

          Do look up the Red Scare I and II, then look up McCarthyism. Then, look up J. Edgar Hoover.

      3. Wzrd1

        Re: Reminds me of the rules

        "When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.

        Americans should do the same - now."

        What a great idea! Revolt, then destroy the evidence of crimes committed by the previous regime.

        As for the rest, that is a nice synopsis of American history, especially during the McCarthy era, with the House UnAmerican Activities Committee, a more aptly named committee there never was.

  3. Michael H.F. Wilkinson Silver badge
    Black Helicopters

    Steganography?

    Any image (large) might contain some subtly hidden message (just replace the least significant bits of the image with bits from a compressed, encrypted file). Even this crude method can be very hard to detect, as a compressed file is already close to noise in its bit patterns (high entropy signal). Any high entropy signal can be considered suspect for that reason (photon-noise-limited astronomical images spring to mind)

    The NSA are of course aware of steganography, and could use this to suggest any media file is suspect. The only problem they then face is tracking all such data.

    Me, paranoid?
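Added example, not part of the original post: a Python sketch of the least-significant-bit replacement described in the comment above, together with a pairs-of-values chi-square statistic a defender can compute over suspect samples. The cover samples, the SHA-256 stand-in for a compressed, encrypted payload and all function names are constructed for illustration.

```python
import hashlib


def payload_bits(n_bits, seed=b"constructed-payload"):
    """Stand-in for an encrypted file: SHA-256 in counter mode gives
    deterministic, high-entropy bits (assumption, not a real cipher)."""
    bits, counter = [], 0
    while len(bits) < n_bits:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        for byte in block:
            bits.extend((byte >> shift) & 1 for shift in range(8))
        counter += 1
    return bits[:n_bits]


def embed_lsb(samples, bits):
    """Overwrite the least significant bit of each sample with a payload bit."""
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in the cover")
    stego = list(samples)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego


def extract_lsb(samples, n_bits):
    """Read the payload back out of the first n_bits samples."""
    return [s & 1 for s in samples[:n_bits]]


def pair_chi_square(samples):
    """Pairs-of-values statistic over 8-bit samples.

    LSB replacement with random-looking bits equalises the counts of each
    value pair (2k, 2k+1). A score near the number of occupied pairs or
    below means the pairs are already balanced, which is what full
    embedding produces; a large score means they are not.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2 = 0.0
    for k in range(0, 256, 2):
        total = hist[k] + hist[k + 1]
        if total:
            expected = total / 2
            chi2 += (hist[k] - expected) ** 2 / expected
    return chi2


def constructed_cover(n=4096):
    """Constructed cover: smooth ramp whose LSB is set in 1 sample out of 5."""
    return [2 * (i % 64) + (1 if i % 5 == 0 else 0) for i in range(n)]


if __name__ == "__main__":
    cover = constructed_cover()
    bits = payload_bits(len(cover))
    stego = embed_lsb(cover, bits)
    print("cover score:", round(pair_chi_square(cover), 1))
    print("stego score:", round(pair_chi_square(stego), 1))
    print("payload recovered:", extract_lsb(stego, len(bits)) == bits)
```

The statistic separates the two cases here only because the constructed cover has unequal even/odd counts and every LSB is overwritten; a noise-limited cover, as the comment notes, already scores low.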

    1. silent_count
      Paris Hilton

      Re: Steganography?

      I note the clever way you've used steganography*, in your otherwise innocuous message, to demonstrate your point.

      Incidentally, I wonder if it will become fashionable to periodically send emails containing blocks of RNG-generated text just to spite the NSA, who'll then waste resources storing and trying to decipher them.

      * I agree, by the way. It really is a travesty that Paris Hilton hasn't swept the Nobel Prize awards.

      1. Anonymous Coward
        Anonymous Coward

        Re: Steganography?

        There was a fad, many years ago* of adding "trigger" words to your email signature to bamboozle the spooks monitoring email traffic.

        *Circa the late 90s iirc.

        1. Alan W. Rateliff, II
          Paris Hilton

          Re: Steganography?

          I think I still have one of my email clients configured with an X-SpookWords: header.

        2. Cheshire Cat
          Big Brother

          Re: Steganography?

          I think you're referring to the old UseNet "NSA Line Eater" trick of adding "food for the line eater" as your first post line. The original reason was to circumvent a bug in netnews that deleted the first line of a posting; later it was changed to put words like "russia", "nukes" or "kibo" into the line to trigger grepping routines.

          BB because...

        3. as2003

          Re: Steganography?

          Plot twist: storage manufacturers have spent years emailing terabytes of "encrypted" data around, lacing the meta-data with trigger words. NSA was forced to splash out on multi-million dollar data warehouses to accommodate this suspect "chatter".

    2. Grikath Silver badge
      Angel

      Re: Steganography?

      There's an idea... embed your messages in a porn stream.. That way the snoops would have to trawl through the 90% of the internet dedicated to that particular pastime ... ;)

      1. Alan Brown Silver badge

        Re: Steganography?

        According to various rumours, that's been happening since the early 1990s on Usenet.

        Apparently there are some rather interesting nazi-related textfiles buried in all those pics of Claudia Schiffer too.

    3. jubtastic1
      Big Brother

      Re: Steganography?

      A long time ago on an internet far far away I was an Admin on the forum for an MMOG, we had a spate of users leaking secure bits of the forums via screen-grabs, so I replaced the forum's 'reply' button, an icon of a document on a blue button, with a PHP script that produced an image that was identical save for the user's forumID and IP address being encoded in the dots representing words on the icon. Nobody noticed the difference and because the reply icon was above and below each post it was likely to end up on a screen grab.

      A separate script decoded the cropped icons from screen-grabs and coped with jpeg compression just fine to reveal the user.

      \o for Pacifica

  4. g e
    Pint

    So use TOR or VPN's _more_

    There has to be a point where they can no longer store all encrypted stuff as quickly as they can find it.

    At which point their heads explode, obviously.

    Friday pintday.

    1. Brewster's Angle Grinder Silver badge

      Re: So use TOR or VPN's _more_

      It turns out the human condition is amenable to planet-scale deduplication: basically we all bitch about the same things so you don't need as much storage space as you'd think.

    2. andreas koch
      Coat

      Re: So use TOR or VPN's _more_

      >...

      At which point their heads explode, obviously.

      ...<

      No, they'll just stop routing the suspicious, encrypted ATM requests to HSBC until they've caught up.

      Just kidding.

      Oh, wait . . .

      1. Anonymous Coward
        Anonymous Coward

        Re: So use TOR or VPN's _more_

        is -that- what happened to HSBC this afternoon? ;)

      2. jonathanb Silver badge

        Re: So use TOR or VPN's _more_

        Well given that they have been laundering trillions of dollars of money for Mexican drug cartels, that's maybe not such a daft idea.

    3. pierce

      Re: So use TOR or VPN's _more_

      the Utah Data Center supposedly has an ultimate capacity of 5 zettabytes. which is 5000000 petabytes. that's enough storage to hold ALL internet traffic for 5 years. and keep all major disk manufacturers' bottom line happy for a couple years while it's populated.

  5. alain williams Silver badge

    scare tactic

    The implication is: if you don't use encryption then we won't keep your emails. I would not fall for that one.

    1. Smooth Newt Silver badge

      Re: scare tactic

      Me neither. So they store it. But they can't read it, at least until quantum computers are available. So what are they going to use it for? A source of random numbers?

      1. Michael H.F. Wilkinson Silver badge
        Black Helicopters

        Re: scare tactic

        If you can get your hands on a good one-time pad (least significant bits of camera noise will do) you have a provably safe encryption, because the (truly random) key is as long as the message. Quantum computing does not help one jot. Trying all keys gives you (apart from a load of rubbish) all possible plain-text messages of the given length, and all possible zip/rar/tgz/bz2/... files of the same length, exploding the possible space of intelligible solutions further. Somewhere in that humongous space of solutions is the right one, but you have no way of telling which one is correct.

        The only problem is transmitting the key over a secure channel. That is not that difficult: store these random bits steganographically on a DVD or Blu-Ray disc containing footage of the kids playing, and take them personally to the intended person when visiting them on holidays.

        1. Suricou Raven

          Re: scare tactic

          I've considered that as an idea for a super-secure VPN for corporate laptops. Have a trusted computer at the office generate a giant OTP. One copy goes on the VPN server, and one on the company laptop before the trip to China. Packets from the laptop to the VPN server are XORed starting at the beginning of the OTP, packets going the other way are XORed starting at the end. So long as the laptop is maintained physically secure, it'd be unbreakable. Eventually the OTP would be depleted, but that's just a matter of having a large enough pad - you could easily use a hundred-gig pad these days, which is plenty to last for the duration of a business trip.
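Added example, not part of the original posts: a Python sketch of the two-ended pad accounting described in the comment above (laptop consumes from the start, server from the end), refusing any packet that would reuse pad bytes, plus the point from the earlier one-time-pad comment that every same-length plaintext is explained by some key. The class and function names and the (offset, ciphertext) packet format are assumptions.

```python
import secrets


class PadExhausted(Exception):
    """A request would reuse pad bytes or run past the unused region."""


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, key))


class Endpoint:
    """One side of the link. Both sides hold an identical copy of the pad.

    forward=True  (laptop): encrypts with pad bytes taken from the start.
    forward=False (server): encrypts with pad bytes taken from the end.
    lo..hi is the region this side believes is still unused. Each side
    learns the peer's mark only from packets it has received, so packets
    in flight can race near the middle; this sketch is strictly sequential.
    """

    def __init__(self, pad: bytes, forward: bool):
        self.pad, self.forward = pad, forward
        self.lo, self.hi = 0, len(pad)

    def remaining(self) -> int:
        return self.hi - self.lo

    def seal(self, msg: bytes):
        n = len(msg)
        if n > self.remaining():
            raise PadExhausted("not enough unused pad for this packet")
        if self.forward:
            off, self.lo = self.lo, self.lo + n
        else:
            self.hi -= n
            off = self.hi
        return off, xor(msg, self.pad[off:off + n])

    def open(self, off: int, ct: bytes) -> bytes:
        end = off + len(ct)
        # Reject offsets outside the unused region: a replayed or
        # overlapping packet would mean two messages under one key.
        if off < self.lo or end > self.hi:
            raise PadExhausted("offset refers to pad bytes already used")
        if self.forward:      # peer counts down from the end
            self.hi = off
        else:                 # peer counts up from the start
            self.lo = end
        return xor(ct, self.pad[off:end])


def key_explaining(ct: bytes, guess: bytes) -> bytes:
    """Return the pad under which ct decrypts to guess (same length only)."""
    if len(ct) != len(guess):
        raise ValueError("guess must match ciphertext length")
    return xor(ct, guess)


if __name__ == "__main__":
    pad = secrets.token_bytes(64)          # stand-in for the hundred-gig pad
    laptop, server = Endpoint(pad, True), Endpoint(pad, False)
    off, ct = laptop.seal(b"status report")
    print(server.open(off, ct), "pad left:", server.remaining())
    fake = key_explaining(ct, b"lunch at noon")
    print(xor(ct, fake))                   # an equally valid decryption
```

XOR with a pad gives confidentiality only: a flipped ciphertext bit flips the same plaintext bit, so a real tunnel would also need a message authentication code.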

      2. pierce

        Re: scare tactic

        read up on the Utah Data Center. they are building some SERIOUS crypto cracking supercomputer clouds to go with their 5 zettabyte storage farm.

        1. Lee D Silver badge

          Re: scare tactic

          And anyone of interest can just apply some stupidly high level of encryption, and thus just create more work for them and still stay, relatively, secure. It's really not that hard to use something ludicrous like 8192bit TLS, for example. It's just a matter of time on encryption/decryption and on modern machines you'll barely notice it and nothing's THAT time-critical.

          But doing so increases the brute-force cracking time exponentially to the point where you could network the world and still chase a few millennia. Decrypting crypto is NOT about brute-force techniques, that's the dumbest thing in the whole world to even try (given that you have no idea what encryption algorithm or keysize to even start with). It's about getting the data in other ways (e.g. subverting traffic routes, feeding false certificates, etc.), clever tricks and having people on staff who can find the holes. That's a whole different board game. As such, you don't want to waste your computing power decrypting someone's Facebook access when you could have just (for example), subpoenaed Facebook.

          I honestly don't buy all this "spooks with acres of datacentre" junk. Sorry, I treat it how it sounds - a military-issued misinformation to deter enemies. Same for just about everything that's come out of GCHQ lately (i.e. the last ten years). Crying that we don't have enough power, Jim, and just need a few billion in funding to spend on supercomputers. Cracking crypto by brute-force really isn't worth it, not for criminals, not for militaries, not for anyone. Anyone with a brain will be using encryption of a type / keysize that it's just infeasible with all the datacentres in the world. And every false positive costs you SO much in terms of wasted effort that it's just ridiculous. And those people organising their terrorism on some 128-bit SSL-secured website? There are much better ways in for a DAMN SPYING AGENCY than messing about trying to brute-force the private key.

          If they have those kind of datacentres, they are using them for statistical analysis. Big data set, powerful computer churning over it to find correlations, not brute-forcing someone's Twitter session when they could just ask Twitter. Think "Google", not "The Matrix".

          And if the NSA etc. were THAT good, they wouldn't need feeds inside Facebook et al. When that was announced I just laughed. If they wanted to see Facebook traffic, and it was as illegal as it is, and they HAD acres of supercomputers decrypting PKE communications, they'd know Facebook's private key before they ever had to put any box into a datacentre and keep lots of people privy to the secret, and from then on decryption is basically "free".

          Even if the key changes, store data, brute-force the new key, decrypt all the data once you've broken it. And then even Facebook wouldn't know that what was happening was being decrypted en-route, and only the major transit sections would ever need to have any knowledge of the NSA's actions. But, no. Let's stick a box in a datacentre where a thousand people work and swear them to silence illegally.

          These people, including GCHQ, are not doing their jobs if what they say is true. But these people are hired to be entirely 100% deceptive for a living. I wouldn't even be surprised if any such "box" was basically filled with two house bricks and a battery for the flashing LED. We're dealing with people whose job is to be deceptive, reassure the public about security, deter the enemy, but only as a SIDELINE to their real work. Which isn't brute-forcing SSL keys, but being inside the very groups they want to monitor, and breaking SSL entirely via weaknesses, side-hacks and all sorts of other avenues. You can bet that some researcher at GCHQ knew about BEAST attacks, Debian-based key weakness etc. years before anyone else did. Hell, they kept the very existence of PKI secret for decades until it was "reinvented".

          If this "acres of datacentre" junk is true, I'm VERY VERY disappointed in whatever agency runs it. If the "tapping-direct-into-Facebook-etc." is true, I'm even more disappointed. If GCHQ etc. are actually sitting there brute-forcing keys as a matter of routine rather than as the last resort on the very tail of something they know is absolutely critical, after all of their side-methods have knocked down the problem by several orders of magnitude, then I feel very, very sorry for what they've become. Not because of the privacy issues, but just that "spying" has been so watered down that it's brawn over brains, in some of the very agencies that cracked, invented and pioneered these techniques in the first place.

          GCHQ was 5 years ahead of anyone else, even the top published mathematicians in the world, and didn't tell anyone until 25 years later. If we've really been reduced to just letting a large computer churn through a stupidly unfiltered dataset and trying to brute-force SSL sessions, then that speaks more for the UK education system than anything else at all.

          I don't doubt for a second, though, that GCHQ et al wouldn't try to give you that impression, and actually go to the effort of creating a physical datacentre that does very little, just to be a target for some other nation, while sitting on ways to get this information and break this encryption without having to lift a damn finger.

          Hell, if I was GCHQ, I'd be inside (or behind!) Truecrypt, Tor, Bitcoin, and just about everything else related. I wouldn't be touching Facebook with a bargepole, except to spread misinformation.

          1. Roland6 Silver badge

            Re: scare tactic @Lee D. Acres of datacentres

            It wouldn't surprise me if they did have acres of datacentres - it's not like they would use public cloud for all that analysis - or would they...?!!!

          2. Wzrd1

            Re: scare tactic

            "I honestly don't buy all this "spooks with acres of datacentre" junk."

            Sorry to break it to you, but they do have such datacenters. Note the plural. I've looked upon one with my own eyes.

            The NSA hires more mathematicians than any other entity in the world. They also hire more programmers than any other entity in the world.

            They also own more supercomputers than any other entity in the world.

            Their budget is part of the DoD budget, much of it a black budget.

            That said, they're part of the DoD, so one data processing term is operable: GIGO.

            Or most commonly, garbage in, nothing out.

  6. ElNumbre
    WTF?

    So.....

    If I use a VPN to connect to a US exit point and send an encrypted email, they WON'T put me on the list? Am I reading that right?

    1. drunk.smile

      Re: So.....

      My reading of that case is:

      If it's a VPN where they deem that it 'could' be that you are not in the US then, citizen or not, they may pop you into their database for 5 years until they can establish otherwise.

      1. Marketing Hack Silver badge
        Black Helicopters

        Re: So.....

        They have a test based on their estimate of probability that you are in the U.S. So while using a U.S. exit point will help, it's not an absolute guarantee of success. Also, if they are reading your communications and you are rattling on about spending the weekend in Liverpool or something, then you are hosed because they will automatically put you in the "foreign" category.

        Also, using a U.S. exit point probably exponentially increases the chance that you get hoovered up by GCHQ, because now you are in the non-British bucket. How well GCHQ's surveillance works and under what rules I could not say, beyond that they get slapped around some if they are caught snooping on Brits.

        1. Oldfogey
          Go

          Re: So.....

          Liverpool is in Ontario

          1. Jess--

            Re: So.....

            great stuff

            into the "not american" and "not english" lists you go

            suppose the same argument could be used for Birmingham for someone to end up on both lists

            1. Anonymous Coward
              Anonymous Coward

              Re: So.....

              Strangely there are a lot of place names that are applied to more than one settlement in the world.

    2. Anonymous Coward
      Anonymous Coward

      Re: So.....

      It is all conditional probability aka Bayes analysis.

      Old good google conditional probability algo applied to network data (via map-reduce). If that algo spits out that you are of interest you will never get off their database until the end of your life. Those guidelines contain enough backdoors for them to always keep everything from you.

      The interesting bit is that algo works off BIG DATA. LOTS OF DATA. This makes all the claims about only 2000 requests very very difficult to believe.

  7. Anonymous Coward
    Anonymous Coward

    so, if we all use encryption, for everything, then perhaps we can give them data overload.

  8. NomNomNom

    Vindication

    Well well well, so all those people over the years telling me to use encryption turn out to have a load of egg on their faces. I shouldn't gloat, but let's just say it's been a running battle with some of these clowns, especially the self-appointed security "experts".

    I have always refused to use encryption for good reason. It's not that I can't figure out how to encrypt my emails, it's just that I always knew deep down that I couldn't trust encryption. Call it intuition or a natural eye for security if you will. We see it in films all the time some whizkids breaking supposedly unbreakable encryptions.

    I've always preferred to hide my secrets using more secure and harder to detect means. For example if I need to send a secret message to one of my contacts, I send them a perfectly innocent looking email:

    "Hi, what's for tea tonight?"

    If the NSA read that they'd just think it was a harmless email. But my contact knows to press the secret keyboard code CTRL-A which will reveal hidden text. Hidden text I have planted at the end of the email by setting the outlook editor to write in white font on white background. For extra security when data is particularly sensitive I print out the emails and post them by snail mail. My contacts then scan them in at the other end. Even if the NSA get hold of the paper in transit they can't use CTRL-A on it even if they knew about CTRL-A (perhaps they do, perhaps they don't, that's just the risk I take. That said I wouldn't put it past Microsoft to have told them about it)

    While some have scoffed at my security arrangements, note that in 10 years my communications have never been hacked. I only mention this now because I no longer use this system, I have a much better one. Sorry, not telling :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Vindication

      Ha ha, the joke's on you because the NSA still use Amstrads with green screen monitors. I get round this though by typing in code so the letters are numbers. Only me and my friend know A=1, B=2, C=3, etc. :)

      1. Uncle Slacky Silver badge

        Re: Vindication

        I do better than that - I use ROT 13. Just to be really secure, I use it twice.

        1. My Alter Ego

          Re: Vindication

          ROT26 is much quicker.

Biting the hand that feeds IT © 1998–2019