Sarcasm? Satire? Txt-speak?
Anyone who encrypts their emails or uses secure instant message services runs the risk of having their communications stored by the US National Security Agency, according to the latest leaks from former NSA sysadmin Edward Snowden. The Guardian has published two more explosive documents which set out what sort of information …
For simple messages
Usually the spelling will be incorrect
Check for simple typos
You should also be aware of grammar errors
Obvious word substitutions
Usually this will allow the intended message to be seen clearly once the mistakes are removed
Narrowing the possibilities
Selecting the useful information
Although, maybe the message is more subtle.....
Actually, the currency that Ford Prefect liked to pay in, to which the rules applied, was "Writing a favourable review in The Hitch Hiker's Guide to the Galaxy".
Also, he preferred not to use the "really wants to" clause, because then you had to suck up to the editor... or something like that.
So he used an American Express (technically not credit) card, which of course was refused, at which point usually his life was threatened, not technically.
But your point seems to stand. If there aren't strict rules strictly enforced to stop the spooks doing whatever they like, then they will. The public needs to be protected by having everybody, including the spooks, know what those rules are.
Otherwise the data will be used e.g. to interfere with voter registration. To attack democracy directly. It -will-. There is minuscule voter fraud of illegal votes being cast, but copious fraud of false counting -and- of denying citizens the right to vote, either illegally or because they're black or Hispanic. Yes, in the U.S.
Homosexuals, trade unionists, feminists, and opponents of foreign dictatorships also can be targeted in various ways.
When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.
Americans should do the same - now.
Ah yes, the racsist canard. Oh, and there's the confirmation: Homosexuals, trade unionists, feminists, too. In other words, none of the people who've actually been illegally targeted by the current regime in the known scandals. Oh, and let's not forget the outright lie that There is minuscule voter fraud of illegal votes being cast given the results of Democrats in New Jersey being thrown into jail on just those charges, or precincts near Chicago and Philadelphia where 105% of the total population voted even though we rarely exceed 50% of registered voters casting ballots even though we barely have something 45% of the total eligible voting population registered.
"When un-free countries become free, we are usually told that one of the first things that the liberated mob does is to rampage into the secret police headquarters and destroy the secret files.
Americans should do the same - now."
What a great idea! Revolt, then destroy the evidence of crimes committed by the previous regime.
As for the rest, that is a nice synopsis of American history, especially during the McCarty era, with the House UnAmerican Activities Committee, a more aptly named committee there never was.
Any image (large) might contain some subtly hidden message (just replace the least significant bits of the image with bits from a compressed, encrypted file). Even this crude method can be very hard to detect, as a compressed file is already close to noise in its bit patterns (high entropy signal). Any high entropy signal can be considered suspect for that reason (photon-noise-limited astronomical images spring to mind)
The NSA are of course aware of steganography, and could use this to suggest any media file is suspect. The only problem they then face is tracking all such data.
I note the clever way you've used steganogrphy*, in your otherwise innocuous message, to demonstrate your point.
Incidentally, I wonder if it will become fashionable to periodically send emails containing blocks of RNG-generated text just to spite the NSA, who'll then waste resources storing and trying to decipher them.
* I agree, by the way. It really is a travesty that Paris Hilton hasn't swept the Nobel Prize awards.
I think you're referring to the old UseNet "NSA Line Eater" trick of adding "food for the line eater" as your first post line. The original reason was to circumvent a bug in netnews that deleted the first line of a posting; later it was changed to put words like "russia", "nukes" or "kibo" into the line to trigger grepping routines.
A long time ago on an internet far far away I was an Admin on the forum for a MMOG, we had a spate of users leaking secure bits of the forums via screen-grabs, so I replaced the forums 'reply' button, an icon of a document on a blue button, with a PHP script that produced an image that was identical save for the users forumID and IP address being encoded in the dots representing words on the icon. Nobody noticed the difference and because the reply icon was above and below each post it was likely to end up on a screen grab.
A separate script decoded the cropped icons from screen-grabs and coped with jpeg compression just fine to reveal the user.
\o for Pacifica
If you can get your hands on a good one-time pad (least significant pits of camera noise will do) you have a provably safe encryption, because the (truly random) key is as long as the message. Quantum computing does not help one jot. Trying all keys gives you (apart from a load of rubbish) all possible plain-text messages of the given length, and all possible zip/rar/tgz/bz2/... files of the same length, exploding the possible space of intelligible solutions further. Somewhere in that humongous space of solutions is the right one, but you have no way of telling which one is correct.
The only problem is transmitting the key over a secure channel. That is not that difficult: store these random bits steganographically on a DVD or Blu-Ray disc containing footage of the kids playing, and take them personally to the intended person when visiting them on holidays.
I've considered that as an idea for a super-secure VPN for corporate laptops. Have a trusted computer at the office generate a giant OTP. One copy goes on the VPN server, and one on the company laptop before the trip to China. Packets from the laptop to the VPN server are XORed starting at the beginning of the OTP, packets going the other way are XORed starting at the end. So long as the laptop is maintained physically secure, it'd be unbreakable. Eventually the OTP would be depleted, but that's just a matter of having a large enough pad - you could easily use a hundred-gig pad these days, which is plenty to last for the duration of a business trip.
And anyone of interest can just apply some stupidly high level of encryption, and thus just create more work for them and still stay, relatively, secure. It's really not that hard to use something ludicrous like 8192bit TLS, for example. It's just a matter of time on encryption/decryption and on modern machines you'll barely notice it and nothing's THAT time-critical.
But doing so increases the brute-force cracking time exponentially to the point where you could network the world and still chase a few millennia. Decyrpting crypto is NOT about brute-force techniques, that's the dumbest thing in the whole world to even try (given that you have no idea what encryption algorithm or keysize to even start with). It's about getting the data in other ways (e.g. subverting traffic routes, feeding false certificates, etc.), clever tricks and have people on staff who can find the holes. That's a whole different board game. As such, you don't want to waste your computing power decrypting someone's Facebook access when you could have just (for example), subpoeaned Facebook.
I honestly don't buy all this "spooks with acres of datacentre" junk. Sorry, I treat it how it sounds - a military-issued misinformation to deter enemies. Same for just about everything that's come out of GCHQ lately (i.e. the last ten years). Crying that we don't have enough power, Jim, and just need a few billion in funding to spend on supercomputers. Cracking crypto by brute-force really isn't worth it, not for criminals, not for militaries, not for anyone. Anyone with a brain will be using encryption of a type / keysize that it's just infeasible with all the datacentres in the world. And every false positive costs you SO much in terms of wasted effort that it's just ridiculous. And those people organising their terrorism on some 128-bit SSL-secured website? There are much better ways in for a DAMN SPYING AGENCY than messing about trying to brute-force the private key.
If they have those kind of datacentres, they are using them for statistical analysis. Big data set, powerful computer churning over it to find correlations, not brute-forcing someone's Twitter session when they could just ask Twitter. Think "Google", not "The Matrix".
And if the NSA etc. were THAT good, they wouldn't need feeds inside Facebook et al. When that was announced I just laughed. If they wanted to do see Facebook traffic, and it was as illegal as it is, and they HAD acres of supercomputers decrypting PKE communications, they'd know Facebook's private key before they ever had to put any box into a datacentre and keep lots of people privy to the secret, and from then on decryption is basically "free".
Even if the key changes, store data, brute-force the new key, decrypt all the data once you've broken it. And then even Facebook wouldn't know that what was happening was being decrypted en-route, and only the major transit sections would ever need to have any knowledge of the NSA's actions. But, no. Let's stick a box in a datacentre where a thousand people work and swear them to silence illegally.
These people, including GCHQ, are not doing their jobs if what they say is true. But these people are hired to be entirely 100% deceptive for a living. I wouldn't even be surprised if any such "box" was basically filled with two house bricks and a battery for the flashing LED. We're dealing with people whose job is to be deceptive, reassure the public about security, deter the enemy, but only as a SIDELINE to their real work. Which isn't brute-forcing SSL keys, but being inside the very groups they want to monitor, and breaking SSL entirely via weaknesses, side-hacks and all sorts of other avenues. You can bet that some researcher at GCHQ knew about BEAST attacks, Debian-based key weakness etc. years before anyone else did. Hell, they kept the very existence of PKI secret for decades until it was "reinvented".
If this "acres of datacentre" junk is true, I'm VERY VERY disappointed in whatever agency runs it. If the "tapping-direct-into-Facebook-etc." is true, I'm even more disappointed. If GCHQ etc. are actually sitting there brute-forcing keys as a matter of routine rather than as the last resort on the very tail of something they know is absolutely critical, after all of their side-methods have knocked down the problem by several orders of magnitude, then I feel very, very sorry for what they've become. Not because of the privacy issues, but just that "spying" has been so watered down that it's brawn over brains, in some of the very agencies that cracked, invented and pioneered these techniques in the first place.
GCHQ was 5 years ahead of anyone else, even the top published mathematicians in the world, and didn't tell anyone until 25 years later. If we've really been reduced to just letting a large computer churn through a stupidly unfiltered dataset and trying to brute-force SSL sessions, then that speaks more for the UK education system than anything else at all.
I don't doubt for a second, though, that GCHQ et al wouldn't try to give you that impression, and actually go to the effort of creating a physical datacentre that does very little, just to be a target for some other nation, while sitting on ways to get this information and break this encryption without having to lift a damn finger.
Hell, if I was GCHQ, I'd be inside (or behind!) Truecrypt, Tor, Bitcoin, and just about everything else related. I wouldn't be touching Facebook with a bargepole, except to spread misinformation.
"I honestly don't buy all this "spooks with acres of datacentre" junk."
Sorry to break it to you, but they do have such datacenters. Note the plural. I've looked upon one with my own eyes.
The NSA hires more mathematicians than any other entity in the world. They also hire more programmers than any other entity in the world.
They also own more supercomputers than any other entity in the world.
Their budget is part of the DoD budget, much of it a black budget.
That said, they're part of the DoD, so one data processing term is operable: GIGO.
Or most commonly, garbage in, nothing out.
They have a test based on their estimate of probability that you are in the U.S. So while using a U.S. exit point will help, it's not an absolute guarantee of success. Also, if they are reading your communications and you are rattling on about spending the weekend in Liverpool or something, then you are hosed because they will automatically put you in the "foreign" category.
Also, using a U.S. exit point probably exponentially increases the chance that you get hoovered up by GCHQ, becuase now you are in the non-British bucket. How well GCHQ's surveilllance works and under what rules I could not say, beyond that they get slapped around some if they are caught snooping on Brits.
It is all conditional probability aka Bayes analysis.
Old good google conditional probability algo applied to network data (via map-reduce). If that algo spits out that you are of interest you will never get off their database until the end of your life. Those guidelines contain enough backdoors for them to always keep everything from you.
The interesting bit is that algo works of BIG DATA. LOTS OF DATA. This makes all the claims about only 2000 requests very very difficult to believe
Well well well, so all those people over the years telling me to use encryption turn out to have a load of egg on their faces. I shouldn't gloat, but lets just say it's been a running battle with some of these clowns, especially the self-appointed security "experts".
I have always refused to use encryption for good reason. It's not that I can't figure out how to encrypt my emails, it's just that I always knew deep down that I couldn't trust encryption. Call it intuition or a natural eye for security if you will. We see it in films all the time some whizkids breaking supposedly unbreakable encryptions.
I've always preferred to hide my secrets using more secure and harder to detect means. For example if I need to send a secret message to one of my contacts, I send them a perfectly innocent looking email:
"Hi, what's for tea tonight?"
If the NSA read that they'd just think it was a harmless email. But my contact knows to press the secret keyboard code CTRL-A which will reveal hidden text. Hidden text I have planted at the end of the email by setting the outlook editor to write in white font on white background. For extra security when data is particularly sensitive I print out the emails and post them by snail mail. My contacts then scan them in at the other end. Even if the NSA get hold of the paper in transit they can't use CTRL-A on it even if they knew about CTRL-A (perhaps they do, perhaps they don't, that's just the risk I take. That said I wouldn't put it past Microsoft to have told them about it)
While some have scoffed at my security arrangements, note that in 10 years my communications have never been hacked. I only mention this now because I no longer use this system, I have a much better one. Sorry, not telling :)
Ha ha, the joke's on you because the NSA still use Amstrad's with green screen monitors. I get round this though by typing in code so the letters are numbers.
And without any hint on what the numbers mean, the only way they could ever break the code would be to try out all possible combinations - obviously pointless, since this would take millions of years, unless they had vast networks of powerful computers
Do you really think they sit there looking at your emails in Outlook or do you think they maybe scan the content of the message in raw format then laugh at the people 'hiding' messages in white on white?
I hope you were being ironic/sarcastic. If not, you should maybe cast your natural eye for security over your new 'much better' system once more - just to make sure it's not got any tiny flaws...
This is the best proof yet that people don't actually read the whole comment before rushing to downvote. There is no way any normal reg reader making it past the first sentence could see this as being anything other than a ruthlessly well-considered argument against the supposed merits of "encryption".
Please, NomNomNom, use that <sarcasm> tag. Every time you write a comment like this, watching your downvotes is like watching a herd of sheep falling down a cliff. Sad.*
* Well, not really. Actually ROFLMAO and spilling whatever beverage I'm drinking at the moment all over the keyboard, the screen and the wall behind.
"The documents clearly state that surveillance should cease the minute a target is on US soil or is deemed to be an American – but there are exceptions to this which allow spooks to store communications from American citizens."... "Spies are also told they can retain "all communications that are enciphered or reasonably believed to contain secret meaning" for up to five years, giving them another way to keep American citizens' communications data"
Glad that was cleared up. So there is no practical distinction, American vs. non-American, and therefore there is no difference when it comes to certainty over your right to privacy. So what gives the US the right to spy on 100% of the world just to catch <1%? Especially when they are merely looking after their own interests, and not the Globe?
Eh, there is an auditing and inspection process where the Inspector General at the NSA looks into what NSA analysts are doing and whether they are following the rules correctly. I have no idea whether that process has genuine teeth or not.
Basic rules of protection from the NSA snooping on you:
If you're in America: Some
Overseas: Almost none
A friend of mine and I were joking around this last weekend that I should get a dog and name him "Jihad". The resulting back and forth phone and email traffic would be most amusing!
I pity the poor spook trying to puzzle out exactly what 'Jihad crapped on the carpet again' is supposed to mean.
I'm going get as many pictures of bunnies and encrypt and email them, adding terrorist keywords. They should have some fun with that
Not a good idea if you don't want to end up on that other evil, the US no-fly list. I'm not seriously suggesting anyone should do this, but as a mental exercise I wonder what would happen if lots of messages start to appear between apparently seriously dodgy people and, say, members of foreign governments about to visit the US? Could lead to interesting diplomatic problems.
The other thing you have to do is send the same number of (100MB) emails to the same people each day. That way the baddies who are listening in can't infer anything from the emailing frequency.
If you only sent an email when something important was happening, or about to happen that in itself tells the baddies something is going on.
I'd be surprised if every western govt wasn't already doing this and the US was just the first to get caught in public.
I'm sure I'll be downvoted to hell for saying this but: As a society we demand almost absolute security from random acts of violence(terrorism or whatever) but we also expect almost absolute privacy. This puts law enforcement/govt/et al in a very difficult position. I don't see how you can have it both ways. I think people lose sight of that and immediatly que the outrage when they learn of new details of this. I'm not saying there's not some ambiguity in whos getting monitored and for what, however I don't think theres some huge conspiracy to see what porn you're downloading.
Beer cos its Friday
> Beer cos its Friday
No beer for you because there are these little things called "laws" you are forgetting about which were, once upon a time, regarded as a great advance to check the power of kings and administrative forces.
Don't let the door of the cattle truck hit you when you are getting out. Inside the "perimeter zone", natch.
There is no such thing as "almost absolute security". Life has misfortunes, and on some occasions those misfortunes involve people who wish to do violent harm to others. I'd always thought that if someone wanted to conduct a really successful terrorist attack/crazy rampage, they would just steal a semi or a dumptruck and drive around a major city hit-and-run bowling over pedestrians on the sidewalks. It would take the police quite awhile to catch them or stop the truck if the driver didn't do something stupid like driving into a cul-de-sac.
What I want our counterterrorism people to have is the ability to speak to analysts in other government agencies, and to go get warrants for individuals or groups based on actions those persons took. Once you have a real warrant then sure, go after their email and social media and phone records, but let's not go trolling through the innocent population-at-large. That's just a recipe for ultimate abuse.
"communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis".
So if anyone sends an email in an Allo Allo - esque style saying something like "le albatross 'as exited le cat flap" then that will be kept on file?
Back in High School, I encrypted the following message:
"Si estás leyendo esto, CHINGA TU MADRE, este mensaje no dice nada!"
(If you're reading this, [local profanity], this message doesn't say anything!)
The idea being that anyone snooping my email and eventually cracking the "secret" message would have wasted their time for nothing. Maybe these practical jokes will become standard?
I firmly believe that NSA will (if they haven't already) crack quantum computing long before the private sector. When they do, they won't tell anyone. They'll just have their quantum computer cranking away in a uber-secure room not on any blueprints. It will be 400 feet under ground, with the secret elevator behind a hidden door that looks like a book case. To get in you'll have to pull a book having something to do with the genealogy of Edward Cullin, on some other such tome that no sane person will touch. And with this 50 gazillion dollar machine and the 30 bajillion dollars worth of security around it, they're going to munch through the encryption I put on that email to my mom like it's nothing. (Never mind the fact that my poor mother would never be able to figure out how to decrypt it even with step by step instructions and the key).
Nope. I'll throw them for a loop by revealing the existence of their top secret machine in a jokingly sarcastic manner on some forum somewhere instead.
No, pulling a book would be too simple to be so simple.
You'll gain access by opening a specific book, removing a certain isolinear chip, plugging it into a certain biomemetic gel pack, putting it through a phase variance first of 22 giga Cochranes, then reversing the polarity at a particular ODN junction access control panel, followed by performing a specially-sequenced baryon sweep alternated with a nuanced blast of chroniton particles, only to have to use a nadion stream emitter to cause a spectral shift of a secret, daily-changing amount.
Then, when you think you've entered the Inner Sanctum, you have to cope with dancing, nutating, uulating laser beams and holo lasers, and the real fryer is indistinguishable from the holo emitter.
In all seriousness, IIRC, either I or someone else years ago, when FISA stuff came up, off-handedly said the USA would route domestic traffic via the UK, and the UK would route its domestic traffice through the USA. Alternatively, they could just tap, split, and route abroad the streams they want to copy "legally". Wait, maybe I ws daydreaming...
"I don't worry about government spooks reading my emails, because unless I am doing something REALLY bad they won't bother to even have a person look at it... But I do care about my emails being read by anyone else..."
I'm sorry, but this attitude is starting to really irritate my penis.
YOU ARE A FUCKING MORON sir.
What happens, let's say, if the government of this country takes us in a direction that you don't particularly like - such as invading a neutral country for their oil and killing thousands of their citizens, and then leaving them in a worse mess than when they were in in the first place.
Let's say your brother is in the Army, dedicated to defending his country, his family and all the values imbued therein and gets killed in a pointless waste that looks like an effort to line some big-wigs already overwhelmed bank account.
Let's say you start a conversation with your cousin saying you're not happy about this state of affairs and you send this by email.
Suddenly not only are all your communications being monitored (because they were anyway) but now they are being _looked_ at.
All this spying has one aim - to quell dissidence in their own country.
For me, the key assertion here - that the aim of the NSA monitoring and data collection is to quell dissidence in the U. S. - fails of plausibility. It presumes a conspiracy with a cast numbering in the hundreds to thousands, very difficult to sustain. It presumes that the NSA managers and analysts are not much the same in their background, attitudes, interests, and outlooks as most of the citizens, also implausible. I suspect that the major difference between NSA analysts and the general population is that they average one or two standard deviations above the mean in intelligence tests.'
That said, I do not want the NSA, or the FBI, having access to my telephone records, emails, or anything else that is mine without a proper warrant issued under a strict literal reading of the fourth amendment, treating digital and electronic data as if they were papers. The sticky point is whether we consider that such warrants would be necessary to target those who are not U. S. Citizens - the term in the fourth amendment is not "citizens", but "people".
In addition, I am extremely skeptical that analysis of bulk data, as suggested by the apparent magnitude of NSA data collection, stands any reasonable chance of uncovering a terrorist plot or producing anything else of much use. It is far too easy for those who do not wish us well to use encryption with one time pads, conveyed by physical means, TOR, Pay-as-you-go cell phones and the like that are very difficult to track. If the government has real evidence that massive collection and analysis of communication data is effective, they should produce it. So far, all I have read about is things that were uncovered by targeted collection that led to arrests through classical police work.
yep. I'm willing to believe it's a case of mostly well meaning people creating something that has unintended consequences. Like you say, they're probably all like Reg readers - many probably ARE Reg readers. We're all guilty at some point, of going too far with tech solutions to meet our own goals as programmers, admins, etc, etc and losing sight of the big picture for other stakeholders. It's no different here.
The issue is that if it's that easy for someone like Snowden to release info of that's in our interest, then it's a real problem if someone who's not as well meaning gets his hands on the data (or is in charge of the data). It doesn't matter if it was made FOR the quelling of dissidence, it's the fact it could easily be used to do so that's the the issue.
Incidentally, does anyone know how well paid the NSA folk are? I know it's been said here repeatedly that GCHQ pay pittance.
I firmly believe that NSA will (if they haven't already) crack quantum computing long before the private sector. When they do, they won't tell anyone.
I'm quite sure that they haven't already.
You may be right as of some near future, but the consequences of that will be greater and faster and stranger than you imagine. "The Laundry" plays this idea for (very uneasy) laughs, but I expect laughs would be the last thing on our minds. The result would be more like Skynet going active crossed with the Stargate sequence from 2001.
I don't expect the singularity to arrive this way, because I don't believe nature will support quantum computing work for numbers of qubits sufficient to break strong cryptography ... but I don't have any particular hotline to the future and may be proved wrong. In which case, may the Eschaton be merciful. Cracking cryptograms for our amusement will be the last thing on its mind.
I have to use encryption daily in emails to my team mates who may need account user names and passwords. We simply do not allow that info out in the clear.
I guess I am most likely on a some ones shit list because of it.
But the only thing I have to hide is my clients' privacy. You can't even do business in the US without attracting undue attention. Oh well, I guess I have to stand behind my integrity and protect my clients from my government, too. What a pity.
Rule 1, if you do it online, it is NOT private...
Rule 2, expect every packet you send to be intercepted...
Rule 3, encrypt if you want it to be private, but expect the encrypted email to be intercepted by someone...
Rule 4, Don't worry, unless your a terrorist or a child molester, the government doesn't care..
"What's wrong with terrorizing child molesters?"
For starters the age of consent varies wildly with era and geography. What may be 2 consenting adults in one time/place may not be in another.
The vast majority of "child molestation" cases don't involve pre-teens and in a lot of those cases the older of the pair is under 20. It's a very murky area and nowhere near as clearcut as the Daily Fail would have us believe, largely thanks to kneejerk legislation in response to extreme cases which were already crimes under existing laws instead of aiming for better detection of what's going on everyday under our collective noses..
Having once been stuck in a very awkward position as an ISP admin due to a prederast sending email which bounced into the postmaster box, I'd really appreciate some well thought-out laws for a change.
Disussions over the fact that more than 1/3 of sexual predators are under the age of 18, that 50% of sex offenders are female and that the source of greatest danger for molestation (80%-90% or so) comes from the immediate family and its circle of friends, not some stranger on the street or net are probably better had in other fora, but it does bring home the point that the awful stuff which happens on the net, while awful, is only a tiny fraction of what's going on in households around you, whereever you may be. Stuff becomes news BECAUSE it's so unusual and headlines about what is more likely to be happening at home may cause a drop in circulation
The issue with GCHQ or NSA or anyone else hoovering up all your data is that because it's all secretive, it's easy to abuse, whether that's a rogue spook looking up his brother-in-law's politics or a politician telling an agency to dig up all the dirt it can about XYZ activist's past/associates in order to discredit/blackmail, even if the activities in question were perfectly legal. (such as being an active B&D participant).
"what they are allowed to do in order to spy on "non-US persons".
Yeah. Um. Allowed by who? Themselves? That might not fly with other countries, especially when they figure out that this smacks of World Police. Is it justified for America to eyeball the rest of the world when they don't have their own house in order? Is it justified for them to make judgements given their highly eccentric morality (seriously, WTF was the big deal with the superbowl titty?) and religious opinion bordering on a laid back sort of fundamentalism? And if they are snooping on us non-Americans, I can only assume that this means it is quite alright for non-Americans to snoop on Americans, hello PRC and Russia and... ;-)
A colleague of mine once sent an encrypted file with a 256 bit key, about 10 years ago, from the UK to another country. Very soon afterwards, he reported being contacted by a senior manager in his company, requesting disclosure of the key so that they could pass it on to "the authorities". This is why the recent disclosures about NSA and GCHQ, etc. didn't come as much of a surprise to some people...
Those spam messages with the words spelled wrong - they're messages from terrorist leaders sent out so no one knows who is their cells! Many of those pictures of cats posted as well, what the Lolcats do is really a secret message. They're not funny at all. And when people trash a comments page with puerile rubbish - that can be them hiding their evil work too, even young children seem to have been recruited into their ranks. I'm all for the NSA and GCHQ securely storing all these secret messages, of course I advocate using the power of the law to convict the villains but I'll understand if in the interest of national security and if they can't fully decrypt the messages they deal with this menace quietly and without fuss - if some are caught up in this who aren't terrorists I'm sorry but they should not have defaced a web page and anyway you can't make an omlette without breaking eggs.
Hmm. I was wondering if we couldn't convince the NSA, GCHQ and all the other members of the alphabet soup club that criminals and terrorists use spam as transmission method.
First of all, that's not so far off - we are so conditioned to zap such stuff that we may miss that the next viagra message of a particular brand is actually a signal. The main reason is, of course, to get those agencies to close down spammers and so actually do something directly positive and beneficial. It means less rubbish for us to filter out, and less rubbish to them to store - and it buys some public goodwill back.
Next up: telesales terrorism. :p
Whatever happened to code messages using plain old innocuous conversations such as wrapping a plot as a plan to visit their mum and asking how the rest of the family's doing? I mean, if they planned this out properly beforehand, how will the spooks be able to tell the difference between a terrorist plot and a birthday party?
given that most of the providers are rolling over and sharing whatever is asked of them I have to assume that draft folders (as well as things like Google Docs or Dropbox) are also no longer particularly safe places.
Something like HushMail may be a little more reliable but who knows.
The problem is unless you have total faith in the provider of the storage mechanism and the integrity fo the channel from you to it... then balance the risk accordingly.
Even if the system you use is in a different country you don't know that they're not "cooperating" with local authorities and then simply sharing the gathered intelligence as part of a cross-border exercise.
It scares me when paranoid fantasies turn out to be real... and scares me even more that nothing will happen as a result of this in any of the countries where it's discovered to be happening :(
Can anyone even see the impossible logistics with this whole setup? Storing audio takes up space, a LOT of space. Let alone doing it in real time. The technology is there, but how big of a server farm do they have to keep running as a library for this? And to check every call, every minute, for everyone?
Continuing from my last post.
The system would -of course- submit alerts to human operators, so they could review the audio from the interesting calls, and probably also classify the calls according to several parameters, e.g. countries involved, known ideology of any of the participants, whether any of the participants has a criminal record or has ever been arrested...
This shit is f**king scary.
Audio doesn't take up that much space, especially with compression. Even in the 70s you could encode intelligible speech with well less than 5kbit/ second, just using delta modulation. And you don't have to store the silence between words that presumably makes up the bulk of most phone calls.
Even without compression - assuming 8kB/sec* it's still more than feasible - here's a back of the envelope estimate someone did (I suspect he's underestimated the number of phonecalls): http://blog.archive.org/2013/06/15/cost-to-store-all-us-phonecalls-made-in-a-year-in-cloud-storage-so-it-could-be-datamined/
It's running the analysis that'd be a PITA - that would be a phenomenal amount of processing power - and would obviously need more processing power the more compression had been applied to the audio. Again, though, given the surprising fact that storing all the phone calls for a year is feasible, there's probably ways to optimise it!
*(that'd be 8bit, 8kHz PCM mono uncompressed - a tad better than normal phone quality)
"And you don't have to store the silence between words that presumably makes up the bulk of most phone calls."
And when you're listening to the other end. It's not often that there's speech going in both directions and if there is, it's usually meaningless.
That takes the absolute maximum down to 1/2 the raw rate (64 or 56kb/s depending wihch country you're in) even before compression is applied (the encoding uses non-linear quanta in both cases)
It has to be at the terminal station.
In 1990 the busy terminal station would have one person and a dog as a fall back staff, more staff might show up for day time procedures. A little used link such as to Denmark would be without permanent staff.
But of course then there was no reason why any one would want to break open the locks and set foot inside. Each must possess a serious border guard.
As an it professional I find the release of this information appalling.
I've no idea as to the whole picture but come on a sysadmin who is probably only second line puts the whole it industry into disrepute...
When you are an it admin you have access to everything. That doesn't mean you have the right to look at and copy whatever you fancy. I'm sure most people working anywhere have no clue that as an it admin we have access to what we do...
Please as it admins always remember we are the keepers not the releasers.
// end of moan
But that poses a challenge: how do you keep the keeper from becoming a releaser? Who admins the admin, IOW? Because your environment could easily become DTA and you can't even trust the admins. How do you allow an admin to do his/her job while preventing him or her from stealing the data?
i've always thought thst using TOR and the like would actually draw attention to you rather than the desired effect of making you anonymous... basically, the authoroties will assume you wouldn't be using such a service unless you're up to something. it was probably fucking set-up by the NSA in the first place to amass a nice database of all the likely terrorists/crims/pedos/capitalist dissenters around the globe.
Playing devils advocate here......
If you own a msartphone, have an online presence, use a supermarket loyalty card, then i think you have to accept that you are consenting to surrendering at least some of your privacy. And if you have been doing the above for anumber of years already, it's probably too late to stop your details being logged if not looked at.
That being said, I don't think Government should be able to slurp data on the industrial scale that it appears to be doing so at present. It's equally not defensible to suggest that it's soley to combat "terrorism". As the very definition of "Terrorism" can change. Today it's largely inferred to be Islamist terrorists. Tomorrow it could be you or I, simply because we don;t like the current government of the day.
Can't see that using encryption is going to be worse than sending traffic unencrypted. Yes it might flag a trigger, but unless they demand to nsee your private key they won;t be reading it.
Also, I think considering just how far removed from sanity and democracy our respective governments seem to be moving, people like Brad Manning and Ed Snowden are more important than ever before.
One thing that the NSA has to watch for is not monitoring US citizens.
The reason isn't a question of niceness or nastiness, it's a question of law.
Most germane is the Posse Comitatus Act, which forbids the military from operating in any police activity inside of the US.
Of course, one also has to recall how often such laws were thoroughly ignored in the US, such as CIA operations inside of the US through the 1970's, before Congress put that shenanigans to a stop.
They all cry and whine that they need this for fighting terrorism, but at the same time they stand against any provision to make sure the data can only be used for fighting terrorism, and can't be used for anything else. Clearly they are using it for other things.
We have had enough of their nonsense. That's fine if they want to keep everything because effective immediately, we are encrypting EVERYTHING, and we considder government documents to be suspect and subject to publication.
Laws be damned.
"We have had enough of their nonsense. That's fine if they want to keep everything because effective immediately, we are encrypting EVERYTHING, and we considder government documents to be suspect and subject to publication."
Then what happens when the government fires up their black-project ("it doesn't even exist") quantum computer and start cracking all the communications they've been keeping backlogged in Utah en masse (since post-quantum encryption wasn't and still isn't the norm)? Then they wouldn't care if you encrypted everything; they'll be able to read most of it ANYWAY.
Then we need to encrypt absolutely everything that can be encrypted. The sheer volume of data that flows over the internet would too much for even the NSA to store. They have to justify their budget to someone - asking for another billion dollars worth of hard drives is going to cost some political favors.
Black projects are on a strictly need-to-know basis. And they DO intend to store ABSOLUTELY EVERYTHING—encrypted or not. Last I heard, their storage capacity was in the yottabyte range if not greater. They're also holding the encrypted stuff for when code breakers catch up (that's where the theoretical black-project quantum computer comes into play, and they may already have it. How long were they in service before the SR-71 and F-117 became public knowledge?). As for the budget, just say, "They're planning something worse than 9/11" or "They've got a nuke and plan to use it over South Dakota" and that should scare anybody into giving them anything they want. Nothing like an existential threat to loosen the purse strings.
Biting the hand that feeds IT © 1998–2019