back to article Cops hate encryption but the NSA loves it when you use PGP

Although the cops and Feds wont stop banging on and on about encryption – the spies have a different take on the use of crypto. To be brutally blunt, they love it. Why? Because using detectable encryption technology like PGP, Tor, VPNs and so on, lights you up on the intelligence agencies' dashboards. Agents and analysts don't …

  1. Anonymous Coward
    Anonymous Coward

    "To be brutally blunt, they love it. Why? Because using detectable encryption technology like PGP, Tor, VPNs and so on, lights you up on the intelligence agencies' dashboards."

    Only now. As they tighten their control, more systems are going to slip through their fingers. I'm already looking at tunnelling my home connection through a dedi in a DC - just to get rid of dumb ISP stuff (DNS hijacking, port blocking, etc.) and to move my home VMs (OwnCloud etc.) closer to the net.

    But it may flag me up, I've considered this, as far as I'm concerned they can waste their time getting a warrant to tap the exit point in the DC to see I'm just a pissed off geek. The more they push us toward encryption by snooping/interfering, the more noise they'll create for themselves to sift through.

    1. Anonymous Coward
      Anonymous Coward

      " I'm already looking at tunnelling my home connection through a dedi in a DC "

      Didn't follow that, please expand and tell us more...

      1. Martin Summers Silver badge

        Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

        He has a dedicated server that he rents in Washington DC. He is thinking about creating a VPN tunnel to that dedicated server from his home network and have all the traffic from it go through that tunnel to enter and exit through the server using its net connection. This way he is getting round any UK based ISP blocking of ports and websites and as a side effect making more encryption 'noise' for the authorities to sift through.

        1. This post has been deleted by its author

          1. This post has been deleted by its author

        2. Notas Badoff

          Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

          umm, DC = data center, as in any old data center anywhere?

        3. Bill Michaelson

          Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

          Right. That's what I did with a Linode VPS in my own state just to get Netflix to stop stuttering. Sometimes I run through it just for the hell of it, on general principle.

      2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

        "Didn't follow that, please expand and tell us more..."

        Martin Summers summed it up nicely. The only difference is the server is in my country so local law enforcement can get a warrant if they want to monitor it, but being in a data centre, they will need a warrant. I'm not trying to hide from authorities, just get around consumer ISP dumbness for my home development environment - which is primarily used for hobby projects but often demo'd externally online.

        I'll also be able to play with IPv6 and have multiple static IPs for my home network etc. - there are lots of benefits but it will make me look dodgy to the authorities.

        Edit: Data centres in the UK aren't bound by the same rules as consumer ISPs.

        Edit2: Yes DC = Data Centre, sorry :)

        1. 2+2=5 Silver badge
          Joke

          Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

          > Martin Summers summed it up nicely

          Nominative determinism at work. The time to really worry about the NSA is if they ever manage to find someone called Emily de Crypt to appoint as head of surveillance.

      4. Martin Summers Silver badge

        Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

        @The original AC

        By the way, don't feel the need to be AC when asking such questions. If anyone here mocks you for not knowing the jargon and wanting to learn more, then they're a scumbag.

      5. something_or_another
        FAIL

        Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

        What he means is that he's already busted. He's gonna access it from his home? LOL. FUCKING RETARD.

        1st, if you going to use your own proxy, are you paying with it?? PayPal or Bank Account (Busted). You're going to use it from home (Busted). Are you going to use it @ Starbucks (Busted - they're called cameras). Do you have your Smart Tracker (phone) - (Busted). Did you drive their in your car (Busted). Did you order the same Mocha Shit-Latte (Busted). Do you know what a MAC address is, and how to change it? No (Busted). Are you doing anything that you'd do at home? (Busted).

        Chances are you're not smart enough. That doesn't mean your dumb ... it just means you're not smart enough. I could have kept going on and on and on. You're going to do something that leads them right back to you. Even Gene HACKman couldn't remain anonymous enough. Sure it's a movie, but you'd better be more paranoid than that....and he was playing paranoid. Chances are, you're not that paranoid. You're going to jail, loser.

        1. Vic

          Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

          Do you know what a MAC address is, and how to change it? No (Busted)

          Over a PPPoA connection? That would be interesting...

          Vic.

      6. something_or_another
        FAIL

        Re: " I'm already looking at tunnelling my home connection through a dedi in a DC "

        What he means is that he's already busted. He's gonna access it from his home? LOL. FUCKING RETARD.

        1st, if you going to use your own proxy, are you paying for it?? PayPal or Bank Account (Busted). You're going to use it from home (Busted). Are you going to use it @ Starbucks (Busted - they're called cameras). Do you have your Smart Tracker (phone) - (Busted). Did you drive their in your car (Busted). Did you order the same Mocha Shit-Latte (Busted). Do you know what a MAC address is, and how to change it? No (Busted). Are you doing anything that you'd do at home? (Busted).

        Chances are you're not smart enough. That doesn't mean your dumb ... it just means you're not smart enough. I could have kept going on and on and on. You're going to do something that leads them right back to you. Even Gene HACKman couldn't remain anonymous enough. Sure it's a movie, but you'd better be more paranoid than that....and he was playing paranoid. Chances are, you're not that paranoid. You're going to jail, loser.

    2. PleebSmasher
      Big Brother

      Start encrypting every bit of Internet traffic, to the point where they can't see if you are sending PGP messages. Then we'll see how much the NSA likes encryption (how well they can break it and how bad they are willing to compromise our security).

      1. h4rm0ny

        Similar here. I don't have anything illegal going over my connections, but I do encrypt where feasible and get others to do the same. It's not about my protection particularly, but about returning surveillance of our communications to be an active choice that an Intelligence Agency has to make with judicial oversight, rather than the free ride it became when email and the rest took off.

      2. Anonymous Coward
        Anonymous Coward

        So much this...

        "Start encrypting every bit of Internet traffic, to the point where they can't see if you are sending PGP messages"

        I've never understood the global monitoring of citizens as surely all it does it increase the haystack that the needle is hiding in.

        1. Mark 65 Silver badge

          Re: So much this...

          @AC: FFS stop talking common sense, they don't like it. More data, more data, need more data. And still won't prevent terrorists attacks by arseholes sending unencrypted messages to each other. This is no more than common dissent crushing apparatus - it has fuck all power over nut jobs.

          1. Uffish

            Re: "More data, more data,... "

            If even readers of The Register can be thrown by the DC reference what hope does a security service have of being up to date with all the "argot" of a worldwide group of nasties ? How do you monitor a language you don't know ?

            My only knowledge of security and police service procedures comes from TV and Cinema, but simply watching the comings and goings at a suspect address seems to be a very common practice. If the suspicions are confirmed then the other means are called in - such as the rooting of suspects' computers etc. It does seem to be a fairly effective data sifting method.

          2. Tom Paine Silver badge

            Re: So much this...

            This is no more than common dissent crushing apparatus - it has fuck all power over nut jobs.

            Ahhhh, so THATexplains why in Europe and North America political dissent from the ruling regime will immediately lead to your door getting kicked in at 4am and you being disappeared off to a seekrit camp somewhere on Salisbury Plain! It suppose it also explains why barely a month goes by without a terrorist "spectacular" attack in central London or other presitigious soft targets that have killed thousands of innocent civilians...

            *rolls eyes*

            ...and that got HOW MANY upvotes? Come on commentards, I thought you were better than the usual run-of-the-mill BTL newspaper brane-speekers. Do try to apply a little critical thinking before clicking...

            *watches karma vanish like tolerance and restraint at a Trump rally

        2. Tom 13

          Re: So much this...

          It's not so much about finding the needle as it is about identifying the needle's contacts after he's been identified by other means. Mostly they aren't looking for the needles, they're looking at the patterns the needles make.

      3. Anonymous Coward
        Anonymous Coward

        makes me wonder how much hardware firmware is already borked, from a security perspective.

        1. xybyrgy

          You're not whistling Dixie

          @ac: Hard disk controllers, SIM cards, routers, etc. It's all out there. DuckDuckGo is your friend...

      4. something_or_another
        FAIL

        RE: Start encrypting every bit of Internet traffic

        Not 'El Reg-Tards. TLS to Hard. These fucks' refusal to implement TLS is totally for fellating their PM. TLS is 1st grade skill. Why 'El Fucktards? Why do you FLAT OUT refuse to use TLS? Is it that the Queen will look unkindly you? Not knight you? *** FUCKING TLS!!!! ***

        1. gerdesj Silver badge
          Childcatcher

          Re: RE: Start encrypting every bit of Internet traffic

          Calm down something_or_another. Take your dried frog pills and a deep breath.

          You can take the piss out of el Reg, its readers and (possibly put it back in, if that's your thing) Mr C but not the Queen - thank you.

          1. Dave 126 Silver badge

            Re: RE: Start encrypting every bit of Internet traffic

            >How do you monitor a language you don't know ?

            There would be patterns, and statistical anomalies. Such techniques have been used to decipher long dead languages.

            Of course, the bad guys could use rules to change the meaning of code words, ( e.g 'mango' mean 'bomb' but only if the football team who are currently 3rd in the premier division wear a blue strip, else 'ten mil spanner' is the magic word) but that requires discipline in their op sec. and perhaps wouldn't be considered a 'language'.

          2. Anonymous Coward
            Anonymous Coward

            Re: RE: Start encrypting every bit of Internet traffic

            I am not "taking the piss" or anything else when I say the queen is scumbag and wants nothing more that your ownership. I don't believe you can call shots on evil powers hindering freedom and want to protect the queen. Or is this that dry English humor that goes far over my head?

            1. Anonymous Coward
              Anonymous Coward

              Re: RE: Start encrypting every bit of Internet traffic

              Or is this that dry English humor that goes far over my head?

              Clearly...

            2. Ken Hagan Gold badge
              Happy

              Re: RE: Start encrypting every bit of Internet traffic

              "Or is this that dry English humor that goes far over my head?"

              Yes, I think it was. Would you like a whooshing sound now, or can we leave you to fill that in yourself?

          3. Tom Paine Silver badge

            Re: RE: Start encrypting every bit of Internet traffic

            I was with you until you suggested Brenda is above being satirised. This is the UK, not Thailand, and I'll take the piss out of the Royals if I fancy it. We pay enough for the privilege of having them, after all, I'm just getting my money's worth...

      5. Tom Paine Silver badge

        Start encrypting every bit of Internet traffic, to the point where they can't see if you are sending PGP messages.

        The OpenPGP standard requires a plaintext header block. Do you mean using Ssh or TLS tunnels to send / receive exchange PGP'd files?

    3. Anonymous Coward
      Anonymous Coward

      Whereas our DC seems to have a dreidl instead, which it uses for load balancing.

    4. Anonymous Coward
      Anonymous Coward

      You would be well advised to look into the work of Gordon Welchman - during WW II he worked out just how valuable meta data really is. This is why I don't use PGP - that does f-all to protect end points.

      Defending against meta data analysis requires looking at the sort of measures that have to be taken in-theather to prevent an enemy from analysing radio traffic for network density and thus identifying leaders and critical end points. Simply at a network level it's already a pain to prevent painting a target on your back.

      The next challenge is your friends, because there are no laws against asking them about you - basically the thing that happens continuously on Facebook and LinkedIn.

      This is why I laugh when I see yet another company promising that it will "protect you from the NSA" - I know what is needed, and it's a lot more than setting up secure communication. To be honest, these days I'm no longer sure that those asking loudly for crypto backdoors are as clueless as they appear - I'm starting to think that they know very well it's nonsense, but make all that noise to distract you from what they really want, your meta data. In some countries such as the US they have already won, if I'm not mistaken the FBI can now get that data without a warrant.

      I'm OK with law enforcement having access to it, my problem is the lack of accountability that is supposed to accompany such powers, because that makes abuse certain. *That* is the real issue someone like Teresa May needs to address. Until then, fingers off.

      1. Roo
        Windows

        "I'm OK with law enforcement having access to it, my problem is the lack of accountability that is supposed to accompany such powers, because that makes abuse certain. *That* is the real issue someone like Teresa May needs to address. Until then, fingers off."

        I'm hoping some folks in Cheltenham are watching our voting patterns and using them to adjust their future policy making to be more palatable... Err hang on. No. Err.. Damn.

      2. Tom Paine Silver badge

        Heh! Funny enough, a relative of Mr W drinks in my local. Really nice old buffer, a bit like a less pissed Rowley Birkin, with lots of interesting / funny anecdotes.

    5. Anonymous Coward
      Anonymous Coward

      "...they can waste their time getting a warrant to tap the exit point in the DC "

      Warrant, hahaha, you funny!

    6. Automatic jack

      It's simple and free to set up a tunnel to any hosting account that lets you SSH. Putty can setup the tunnel and Firefox can be set to use the putty connection as a SOCKS proxy. Bye Bye ISP snooping and content restrictions.

  2. stuartnz

    The more, the merrier?

    Am I correct in thinking that the more popular and widely used PGP or encryption of similar strength were to be used, the less useful the metadata would be? If every man and his gran were using it to do pretty much everything, that would be a headache for the spooks, no?

    1. ZSn

      Re: The more, the merrier?

      Have you tried using pgp? If you're using enigmail then yes it's easy. However that presupposes you know Unix and how to set it all up. Other than that it starts getting very difficult. It is not for the idle user.

      1. stuartnz

        Re: The more, the merrier?

        Yes, I have used pgp on windows and linux, and yes I agree it's not optimal in terms of ease of use. Which is why I said "or something of similar strength".I was just checking that I'd understood the article correctly - that IF something as secure as pgp were to become widely used, then the sheer volume of metadata would dilute the value of that metadata.

        1. Eddy Ito Silver badge

          Re: The more, the merrier?

          It's more than just pgp on windows, linux or mac since most folks have multiple devices which include phones and tablets where they expect to get things like email. Each of these need to be sync'd so it's more than just a question of how easy it is to install, configure and use on a device it has to work across devices which is going to be the ocean that needs to be crossed for the average user.

        2. tom dial Silver badge

          Re: The more, the merrier?

          "... dilute the value of that metadata." It will not do that to a degree that makes much difference. It will slow queries somewhat and increase the storage requirement, but both effects are likely to be overcome by technological progress along with routine equipment replacement and upgrading.

      2. Doctor Syntax Silver badge

        Re: The more, the merrier?

        "If you're using enigmail then yes it's easy. However that presupposes you know Unix and how to set it all up"

        It also presupposes that your correspondents also use PGP. Of course most if not all of your correspondents probably don't use it because most if not all the people they know don't use it either.

        I've said it before: it needs to be baked into the mail protocols and software as a default, not as an add-on. Until then, as the man said, it just raises a flag.

        1. Michael Wojcik Silver badge

          Re: The more, the merrier?

          it needs to be baked into the mail protocols

          It has been, for 39 years. PEM in RFC 989.

          And then again in 1991 with PGP (RFC 1991, though that only specified message formats), and in 1998 with S/MIME v2 (RFC 2311; S/MIME v1 was not standardized).

          and software as a default

          Well, yeah. MUA and MTA authors couldn't be bothered, or picked the wrong horse.

          PEM was probably too early. There wasn't a widespread appreciation of the need for improving email security, the US was still laboring under excessive cryptography export controls, and sharing code (particularly important for crypto, given the difficulty of getting it right) was impeded by less-widespread access to the Internet.

          PGP was generally perceived as a single implementation, not an interoperable specification, until OpenPGP came along in 1998. But mostly, I think, the problem was that MUA authors in particular were much more concerned with adding flashier features that they thought would attract novice users, as well as avoiding those damned export controls again.

          S/MIME wasn't clearly superior to PGP (and still isn't). It looked mostly like a way for RSADSI to push PKCS#7. Microsoft climbed on board (Outlook still supports S/MIME natively but not PGP), because of course they did, but to PGP fans S/MIME looked like god-not-more-crap-thrown-on-top-of-poor-email. And corporations generally just went with SMTP+POP/IMAP or a proprietary protocol like Exchange, running through VPN tunnels, for confidentiality, and didn't worry about authentication and other features of cryptographically-secured email.

      3. noj

        Re: The more, the merrier?

        @ZSn: No geek here, but I was able to setup up PGP on a Mac's Apple Mail client using GPG Tools in very little time. Click to sign, click to encrypt or not... its ridiculously easy to use. Technical support was great too.

        For me its actually a lot harder for me to find other people within my circle of friends who will send PGP encrypted email back and forth. So I don't encrypt anything but I like signing my email. I guess that's better than nothing.

        1. Nick

          Re: The more, the merrier?

          I used to include a PGP block in my email signature, but many of my correspondents replied saying that they'd deleted the email because it looked as if it had a virus attached.

      4. Anonymous Coward
        Anonymous Coward

        Re: The more, the merrier?

        "However that presupposes you know Unix..."

        What has Unix got to do with PGP? Or are you suggesting that using encryption with the Misrocoft's OS is pointless because it's riddled with holes and leaking data like sieve?

    2. Anonymous Coward
      Anonymous Coward

      Re: The more, the merrier?

      "f every man and his gran were using it to do pretty much everything, that would be a headache for the spooks, no?"

      Yes, it would and no, it won't. Take one guess why.

    3. dajames Silver badge

      Re: The more, the merrier?

      If every man and his gran were using [encryption] to do pretty much everything, that would be a headache for the spooks, no?

      If it were just a matter of seeing who was using encryption and using that fact to identify targets for closer surveillance then you'd be right.

      There's more to it, though. The metadata in messages to and from anyone who is already a suspect can identify that person's correspondents, for example, and often knowing who is communicating with whom is as important as being able to read what they say. The fact that encryption is available makes these people less cautious about using easy-to-monitor public networks (aka the internet) as their message carrier.

      This sort of thing has been done for ages ... I heard a guy from the UK Police High-Tech Crime Unit give a very interesting talk some years back. He was addressing a roomful of IT Security professionals, and explaining why it didn't matter that what we were doing for a living might be abused by the Wrong Sort of People. Just as well, as everyone in that room was probably making a living out of encryption technology in one way or another!

    4. Anonymous Coward
      Anonymous Coward

      Re: The more, the merrier?

      Am I correct in thinking that the more popular and widely used PGP or encryption of similar strength were to be used, the less useful the metadata would be?

      Nope. All you protect is content. PGP doesn't do anything to protect the endpoints of the conversation (very little does, to be honest). Volume has zero to do with it.

      1. Tony Haines

        Re: The more, the merrier?

        //Nope. All you protect is content. PGP doesn't do anything to protect the endpoints of the conversation (very little does, to be honest). Volume has zero to do with it.//

        Actually, stuartnz is right, in the sense that the article was about how using PGP in itself flagged you up as someone to study. If everybody used it, that wouldn't be the case.

    5. Ken Hagan Gold badge

      Re: The more, the merrier?

      If every man and his gran were to use it then yes, the information value of its being used in any given circumstances would fall to zero. That would rather destroy the value that the NSA guy claims he currently gets out of it. So, no, he certainly doesn't want everyone to start using it, which is why he immediately tried to taint "PGP use" with the brush of"only bad guys use it".

      It seems to me that that what we have here is some FUD disguised as a "Well I never!" news story.

    6. tom dial Silver badge

      Re: The more, the merrier?

      It would be no more than a minor to moderate inconvenience if everyone so inclined to switched to consistent use of PGP or equivalent. The inconvenience would be limited to modest floor space and storage increases. SigInt agencies already are quite good at building, maintaining, and using very large databases. They would simply provide for the greater volume and go about their business largely unaffected. Facebook started sending PGP encrypted notifications a while back. They may be captured, but are unlikely to have been much noticed, although they have fairly obvious intelligence potential and likely enough are not being excluded from any program for collecting encrypted email.

      The plain fact is, however, that most people (I think nearly all) simply do not care enough if their traffic is sent in the clear to make the minimal effort required to switch to use of PGP or the like.

  3. Fruit and Nutcase Silver badge
    Joke

    Victoria's Secret v Mujahedeen Secrets

    Which is more difficult to crack?

    I think I'll start by taking a good look here. After all, the best way to hide something is in the open.

    https://www.victoriassecret.com/

    1. frank ly Silver badge

      Re: Victoria's Secret v Mujahedeen Secrets

      Let me get my codebook........ 'If the decorative bow is pink, you attack at dawn'. Send me another message!

      1. Mark 65 Silver badge

        Re: Victoria's Secret v Mujahedeen Secrets

        Did you say "get up at the crack of Dawn"?

    2. 's water music Silver badge
      Joke

      Re: Victoria's Secret v Mujahedeen Secrets

      taking a good look

      Wait, what was the question again? Take a good look now, your eyesight may be degraded in the future.

  4. Mark 85 Silver badge
    Black Helicopters

    Did I read that last bit right?

    Rogers came out not being against encryption? What gives... ? The article points out the "goodness" of us using it as attracts attention. If everyone does it, then everyone gets "noted"? There's more to his statement then meets the eyes.

    Icon ---> Closest thing to a tinfoil hat

    1. Rol Silver badge

      Re: Did I read that last bit right?

      I'm sure the logic goes something like this:-

      We investigate only those flagged as dangerous or potentially so.

      Potential dangers include using encryption.

      When we finally get everyone using encryption, we can legitimately investigate everyone.

    2. veti Silver badge

      Re: Did I read that last bit right?

      As I read it, he's trying to talk people out of using encryption by saying that it makes them targets for investigation.

      Which is probably true, as far as it goes.

      If everyone started doing it, then of course the advantage would disappear. But we all know "everyone" isn't going to start doing that. At best, about 1% of internet users will. And so the haystack will remain much smaller than the field.

      If you see someone arguing "We all need to start using encryption all the time, the spooks won't know what to do" - that's the person who's trying to spread surveillance more widely.

      1. bitmap animal

        Re: Did I read that last bit right?

        Surely everyone is in favour of targeted surveillance so if there is a good way of them filtering down who to look at in more depth that is a good thing.

        If you drove through a red light district every day at 5mph would you expect the police to pay an interest in what you are doing? You haven't done anything wrong but they if they are to catch kerb crawlers then you behaving like one would raise their interest.

        I'm all for robust privacy and encryption so would like to think "they" are adept at distinguishing between someone who is concerned about their privacy and someone up to no good that they need to investigate.

        1. Dan Wilkie

          Re: Did I read that last bit right?

          I understood it as when they're investigating someone and they're using PGP, it's much easier to piece together who is in their "network" for want of a better word. IE - they're not likely to be sending encrypted emails to their gran (unless she's in on the plan). So you look at everybody the person is sending encrypted mails to and add them to your scope. Then you look at who they're sending encrypted mails to and so on. It gives you more of a pointer where to focus your resources.

          But maybe that's because my tinfoil hat got knocked off when I fell off the back of the hype train.

          1. Anonymous Coward
            Anonymous Coward

            Re: Did I read that last bit right?

            I understood it as when they're investigating someone and they're using PGP, it's much easier to piece together who is in their "network" for want of a better word.

            The key (if you pardon the pun) is that PGP is not casually applied, it's wilful, targeted and a sign that the two end points of that conversation have a more than casual connection with each other. I have used it on many platforms (Android, iOS, Windows, Linux and OSX) and it has become easier. It has, however, not becomes so easy that it's easy for the casual user as key management is still not smooth enough so it'll never be a default, it takes extra effort.

            The world of meta data is not one of facts, but of probabilities that you seek to get as high as possible. As with all statistical processes you can screw up badly if you use the wrong data (let's not forget the wonderfully clear statement of General Michael Hayden on this matter and yes, he thought he was being funny), not to mention that the result of such an analysis typically ends up in the hands of people who don't understand the difference between probability and fact.

            So, using PGP is indeed somewhat akin to flag waving. If more people start using it you would indeed end up with a small reduction in probability but I suspect that PGP is but one of the many inputs.

        2. Tom 13

          Re: drove through a red light district every day at 5mph

          Difficult to say. I have some friends whose state government office was located such that their best route home is straight through the red light district (in fact I believe they said they pretty much had to walk through it if they decided to go out for lunch). At rush hour, you're going to tend to be doing 5 mph there even if you don't want to.

  5. Rol Silver badge

    Nuanced

    So, the thing to do is be subtle about your coded exchanges, and thankfully subtly is a trait most terrorist nut jobs lack, almost by definition.

  6. Fruit and Nutcase Silver badge

    Privacy

    If we want to resist this unsettling trend in the government to outlaw cryptography, one measure we can apply is to use cryptography as much as we can now while it is still legal. When use of strong cryptography becomes popular, it's harder for the government to criminalize it. Thus, using PGP and PGPfone is good for preserving democracy.

    If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. So do defense contractors and some other corporate giants. But ordinary people and grassroots political organizations mostly have not had access to affordable “military grade” public-key cryptographic technology for telephone conversations. Until now.

    page 10, paragraphs 2 and 3

    Manual for pgpfone, by Phil Zimmermann et. al. July 1996

    ftp://ftp.pgpi.org/pub/pgp/pgpfone/manual/pgpfone10b7.pdf

    That's nearly 20 years ago. Ignoring any particular reference to PGP/PGFone, did we take any notice of his message and made pervasive use of strong cryptography? If we had, then, the governments would have had a much more difficult task to try to control it

    1. John Sager

      Re: Privacy

      At the time he wrote that, the Internet was very much smaller & most people on it were geeks of one sort or another. So it was not exactly a dumb statement then. However AOL was connected about that time & the 'net started a long descent to what we see today, though there have been compensations along the way (Altavista & descendants, http, etc). PGP has always required some intelligent deployment. Enigmail might be just a plug-in but the real work is setting up & managing the public key infrastructure required to use it effectively as a day-to-day tool. Amongst a small circle of friends, acquaintances & colleagues that is manageable, but otherwise, forget it. And although there is now a halfway decent CA infrastructure for website certificates, that's still too hard to deploy universally for personal e-mail signing & encryption.

      So non-TLS encryption is going to stick out like a sore thumb for a long long time, even TLS used in unusual contexts (not web, not IMAP etc).

      1. Tom 13

        Re: managing the public key infrastructure required to use it effectively

        And the bigger the effective public key infrastructure, the less valuable it is in keeping out the riff-raff. This is the essential problem with the various certs for websites. Processing all of the inputs leads to the bad guys getting stuff too.

      2. tom dial Silver badge

        Re: Privacy

        For what it is worth, there are public repositories for PGP public keys - pgp.mit.edu is one - and others can be found by installing Enigmail. The model in which keys are obtained from a public key server is slightly discordant with the usual PGP model in which trust is assigned based on the signature of the key by others and the trust one has in the keys used for the signature. Used reasonably it can provide reasonable security, probably as good as a Comodo signed certificate. When you can meet a correspondent, generate and sign keys off network and exchange them in person, the trustworthiness of those keys is very good.

        The point about unusual use of encryption is interesting and merits an upvote or two.

  7. Rol Silver badge

    No catch yer with Captcha

    The problem with standard encryption is that the task can be offloaded to a computer quite easily.

    Pictorial representation of what you're trying to say, no matter how obvious, is hugely problematic.

    So with an agreed code, I could be stood facing right, with a ransom note in my hand and an AK47 pointing at my head, and only my mates would understand I'm regretting taking that cheap holiday.

    1. Tom 13

      Re: No catch yer with Captcha

      Captcha's value is greatly over rated. I read somewhere a year ago that the truth of the matter is that at this point a computer actually has a slightly better chance of correctly decoding most captchas.

      1. Rol Silver badge

        Re: No catch yer with Captcha

        Yeah, Captcha was just a vehicle to badly explain my point.

        The way i would see it working is someone would create a Facebook page and populate it with the usual guff, just to make it realistic. Then when they want to pass on information they would do so by posting seemingly innocuous photographs of themselves in various poses, clothes, pointing and with everyday items in their hands, etc, but all of it is a pre-agreed code.

        Admittedly it's pretty cumbersome and limited in scope, as trying to pass on the structural layout of ARM's latest chip design would be nigh impossible, but telling someone where to meet and when would be quite easy.

        1. Charles 9 Silver badge

          Re: No catch yer with Captcha

          But they can still snag you when you're trying to set up that code. First Contact is always the most vulnerable phase.

  8. Anonymous Coward
    Anonymous Coward

    Ok with me

    I don't care if they know who I'm talking to, provided I can stop "others" obtaining the content without a suitable court order.

    1. Roj Blake Silver badge

      Re: Ok with me

      Except that metadata is at least as valuable to the spooks as the actual data.

      1. Mark 65 Silver badge

        Re: Ok with me

        Really? Recent Paris attacks had metadata, data, watchlist members, the whole kit and caboodle. Did it prevent it? Nope. I have no faith that these twats have any idea of what to do but collect data. Binney pointed out the level of utter stupidity that now pervades the ranks of the five eyes.

        1. Adrian 4 Silver badge

          Re: Ok with me

          But it's Doing Something, and in accordance with government targets, that's all that counts. It's not important if it's actually useful, or what the collateral damage is.

        2. Tom 13

          Re: no faith that these twats have any idea of what to do but collect data.

          Wrong point of failure. The guys collecting the data know exactly what to do with it. It's the "Islam is the religion of Peace" twats in charge of them who won't let them use the data they collect, or even correlate it properly. Same story during 9/11, the guys who were practically screaming for an investigation of suspicious activity were told they to shut up and stop being racist.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ok with me

      Sending a plain text email is like writing a post card anyone can read it.

      sending an encrypted email is like sending a sealed letter. anyone can see who its to but the content is "secure".

      to remove the Address meta data other services need to be used.

      I agree end to end encryption of the content should be baked in to the software and used as a default setting. BUT what's the chance we can get ALL email software providers to agree to ONE "secure" NON back doored publicly validated open source standard that works for sending and receiving mail to anyone on any device. (so no chance that it will be in Gmail :-( )

      1. tom dial Silver badge

        Re: Ok with me

        OpenPGP (RFC 4880) is such a standard and is not known to have a back door, although the source code has been available for anyone interested to analyze for over 20 years. The chance of universal adoption (so far) is zero, since Microsoft does not support it in Outlook. On the other hand, there are multiple implementations for gmail, and applications for Android, Windows, and Linux; and web search will easily find implementations Mac OSX, iOS, FreeBSD, and OpenBSD. Whether these all have been scrutinized equally thoroughly is uncertain.

        Given how easy it is to get gmail (or other) email addresses, removal of message address information probably is less a problem than a minor inconvenience.

    3. tom dial Silver badge

      Re: Ok with me

      PGP and other well analyzed protocols should do that quite well if implemented correctly, and if any other parties to the communication are trustworthy.

  9. codebeard

    Solution

    Disguise encrypted data as bittorrent traffic? With torrent traffic taking up a huge chunk (~30-40%) of the internet's throughput, I think this would be incredibly effective. Although the encryption in bittorrent is fairly weak, there's so much traffic that it would be nearly impossible to decrypt enough of it to find the one or two pieces here and there which are actually PGP/whatever data in disguise.

    1. mstreet

      Re: Solution

      Another thing one could try, is using chat from within an online gaming platform (such as WoW etc.).

      While they (meaning whoever hosts the platform) probably monitor most of the public chatter on sites like that, I doubt anyone looks into the private stuff, unless someone accuses you of breaking their code of conduct.

      A friend and I once sent each other a string of nonsense, that included the words Jihad, bomb, zero hour, Al Qaeda, martyr, infidel, die, kill, and New years eve.

      Figured if anyone was monitoring it, a flag would be raised, but nothing came of it.

      At least I don't think it did :)

  10. sysconfig

    I think I'm missing something...

    PGP as such is not chatty and doesn't (have to) contain any metadata. The email (as the most common transport medium) is.

    So how the NSA are getting any more metadata and links between participants in a conversation from a PGP message as opposed to a plaintext email is beyond me.

    If it's just the old prejudice that everybody who uses encryption has something to hide and/or is naughty, then it's an old hat. Let them log/store all encrypted emails, if they like. There's about the same metadata in them as in plaintext emails. Time to attach PGP encrypted cat pictures and videos to every message. Or hide PGP encrypted stuff in attached pictures (steganography). Or both.

    1. allthecoolshortnamesweretaken Silver badge

      Re: I think I'm missing something...

      They don't get more metadata. They use the use of PGP as a flag to filter/sort the metadata.

      1. Mark 85 Silver badge

        Re: I think I'm missing something...

        Which means that to sort it out, they have to look at the body/content of the email... All this doublespeak is getting bit messy.

      2. Anonymous Coward
        Anonymous Coward

        Re: I think I'm missing something...

        Just send lots of randomly encrypted e-mail to lots of random e-mail addresses. It matters not that the person you are writting to doesn't know you, doesn't want to know you and can't decrypt the mail anyway. It adds a lot of spurious meta data to confuse the spooks.

        1. Anonymous Coward
          Anonymous Coward

          Re: I think I'm missing something...

          >Just send lots of...

          AKA Spam and hopefully gets you a huge fine and lands you in jail

          1. Anonymous Coward
            Anonymous Coward

            Re: I think I'm missing something...

            Heavily ecrypted spam yes. Perhaps we could send it to politicians we don't like (all of them) and see if the police will charge them for not handing over encryption keys they don't have.

    2. veti Silver badge

      Re: I think I'm missing something...

      According to the (utterly broken) UK snooper's charter currently under way - "metadata" is defined as "anything that doesn't tell you what the actual 'content' of the message is".

      So if a message is encrypted, the whole thing becomes metadata. And then the ICP has to store it.

      This is just part of the reason ICPs are none too keen on it...

    3. Doctor_Wibble
      Black Helicopters

      Re: I think I'm missing something...

      > So how the NSA are getting any more metadata and links between participants in a conversation from a PGP message as opposed to a plaintext email is beyond me.

      I'd suspect they get quite a bit of extra info when the correspondents do their key lookups and/or verifications against whichever keyserver or directory they are using. It's not going to be 'direct' metadata so much as 'associated' metadata.

      So even if there's complete end-to-end encryption, an insufficiently secured lookup of the key for Mr Alfred Qaeda Esq may raise an eyebrow.

      1. sysconfig

        Re: I think I'm missing something...

        "I'd suspect they get quite a bit of extra info when the correspondents do their key lookups and/or verifications against whichever keyserver or directory they are using."

        Okay that's a very good point. On the other hand, the recipients I use PGP with have never published their keys. No keyserver comms happening if the key is present (imported by other means) and trusted already.

    4. CRYPSA_Chair

      Re: I think I'm missing something...

      Sysconfig: The gumshoes aren't finding EXTRA metadata because a conversation is wrapped in PGP. The article is simply pointing out that the use of an encryption wrapper invites scrutiny. The metadata is already in the email transport chain or server timestamps. But a forensic investigator needs to winnow down mountains of messages (or stored data files). And so, they view the use of encryption as a sore thumb. It bubbles up your message, because you clearly feel that there is something worthy of hiding.

      It is for this reason that privacy tech and anonymity (VPN, TOR, etc) must become ubiquitous. With encryption by default, investigators will no longer be treating privacy as a red flag.

  11. g00se
    WTF?

    Show me

    0000000: 8501 0c03 4c8c 9506 6833 55b6 0107 fd16 ....L...h3U.....

    0000010: 2597 49f8 0cb1 3621 075c 3ce1 b32a 67b7 %.I...6!.\<..*g.

    0000020: 2347 a773 fa6a 4376 3717 be53 959b 01a1 #G.s.jCv7..S....

    0000030: 702d 3ff6 4375 579d 0931 7d5e dcb8 ec7a p-?.CuW..1}^...z

    0000040: ca88 d7ed cab4 64cb 70be 9578 ec54 a31b ......d.p..x.T..

    0000050: 24dd 40f2 e268 ba64 d843 d021 d7e9 fd2e $.@..h.d.C.!....

    0000060: 8e84 a0c5 9eaf ceb7 dd42 6af4 7cb5 dcde .........Bj.|...

    0000070: 66cc 8e40 580d ff4d caf3 fad6 f175 756c f..@X..M.....uul

    0000080: 8e1a 83ac aab0 025c 85d9 98e5 3ea6 e7a5 .......\....>...

    0000090: d0ef ac66 636b a7ca b0ed f07f dc68 0b74 ...fck.......h.t

    00000a0: 0ce2 a74e 3980 55c5 64ae a648 090d 83d1 ...N9.U.d..H....

    00000b0: 2a4d baa6 74d0 7dae 2b71 437c d6af aa94 *M..t.}.+qC|....

    00000c0: 7c0d 4879 95ab bc8f 6302 748a 844a ceea |.Hy....c.t..J..

    00000d0: d592 951b 92cb 8f12 b92b 8af8 87e8 354e .........+....5N

    00000e0: cd10 ced4 931e 6eae e480 3569 677c 4f96 ......n...5ig|O.

    00000f0: e1cd 235b e849 eb0b 393e e864 f7ed 1a12 ..#[.I..9>.d....

    0000100: 682c 4805 c59c ed34 ad12 d474 66a1 efd2 h,H....4...tf...

    0000110: 4f01 0af7 b6cc c977 1bc5 45dd 68ba b276 O......w..E.h..v

    0000120: e447 423c d239 20e3 f212 182c 54a0 c345 .GB<.9 ....,T..E

    0000130: 41a9 684e 6458 857c 00c0 1e09 6aa6 26b0 A.hNdX.|....j.&.

    0000140: 271e 84ac fafe 649d 9872 78d1 9bef 15f8 '.....d..rx.....

    0000150: d6ca 046f 6ef8 1edd fac4 55a1 95e0 e8d7 ...on.....U.....

    The above is a dump of a gpg-encrypted file containing 16 famous digits. I must be missing something - where are the metadata there?

    1. MattPi

      Re: Show me

      Username: g00se

      Posted: roughly 23:00 2016-01-27 UTC

      Source IP address: (in the reg logs)

      Dest: (pretending this wasn't a post on a forum, the recipient)

      PGP: TRUE

      Length: 160-ish bytes

      PGP Version: (In a real pgp header)

      There's your metadata. The big part is PGP: TRUE, since it's easier to track since there's less PGP traffic on the net. How about this scenario. BadG00se sends a PGP email to his local handler. Gets noted since it's PGP. shortly after, handler sends out PGP emails to several other accounts, some known and some not to the NSA. Those get flagged too. etc. Then someone slips up and sends out something in plaintext from one of the previously-unknown accounts.

      1. Anonymous Coward
        Anonymous Coward

        Re: Show me

        A bit more:

        Sender/receiver pair

        The entire mail header (because it shows point of origin and mail servers this went through).

        You cannot avoid signalling a sender because the recipient has to work out which key to use (unless pre-arranged, and that's another flag in itself), and you need a recipient because it would simply not go anywhere. Mail headers are added automatically, you have no control over that, and if you want to be cute by pushing this via TOR into an open relay you'll find it most likely will bounce off spam filters instead.

        Previous commentard is correct in that you will eventually make a mistake. It's a bit like Google and Facebook having these social media buttons in all websites which flag up your presence. You may be creating an unallocated chain of events, but at some point you will use a website with an account from the same system, at which point the chain has an owner. They don't care if it takes a year - their data does not have a mandated expiry.

        Yes, I've been doing this for a loooong time..

    2. Fluffy Cactus

      Re: Show me

      Twenty year ago, I looked into PGP to see if I could use it to safely send "tax-return information to customers". So, as I could not explain it to human clients, that was a useless undertaking.

      Knowing nothing about decryption or PGP or metadata here, my best three, no four, guesses about the famous 16 digits contained in the "Show me" post are

      1) PI: 3.141592653589790

      2) The number e: 2.718281828459045

      or may be, something more computer related like

      3) 248163264128256 , or

      4) 1234567890ABCDEF

      Let me know about any prices I may already have won!

  12. Frozit

    Makes perfect sense

    Think of all the headers in an email. Source and Destination for one. As the article clearly says, they don't need to read the encrypted text, they just want to know that you and your destination are talking.

    As it states. If you are using PGP, Tor, or any of a bunch of other things, you are flagged as a person who is possibly interesting. This reduces the subset of search targets immensely.

    And if you are only talking to your gran using PGP, and she only talks to you using PGP, they will pretty much ignore you.

    1. Mark 65 Silver badge

      Re: Makes perfect sense

      You are crediting them with far too much intelligence and capability. More likely is that either your's or your granny's place will get a dawn knock by CO19 and you will be threatened with prison time unless every communication is decrypted for them. You will then be spoken of in a press conference as the reason why the laws exist as they do. Heaven help you if they find out you're brown or have a history of brown anywhere in your ancestry, you utter dissenting bastard.

    2. sysconfig

      Re: Makes perfect sense

      "As it states. If you are using PGP, Tor, or any of a bunch of other things, you are flagged as a person who is possibly interesting. This reduces the subset of search targets immensely."

      It does reduce the group of search targets. But it doesn't exactly help in any way shape or form if - like in recent terror attacks in Europe - it has been established that no encryption whatsoever was used. They figured that out in hindsight. In other words too late. Maybe they had already been focussing too much on encrypted stuff, who knows.

      Also, I would expect that encryption in any way shape or form is most commonly used by businesses rather than individuals, especially VPNs. But then again, they may be much more interested in trade secrets than combating terrorism (which has caused a negligible number of deaths in comparison to car accidents, fatal injuries at home and what have you).

  13. iffer

    Ha - this may have been true as little as two years ago - but between netflix regions and publicised metadata collection, there has been a huge increase in VPN use and corresponding traffic. When every mom and pop is playing hide and seek with the media companies, policing is just collateral damage in the war for your lounge room.

  14. raving angry loony

    Light things up?

    It only lights things up because it's not commonly used. If more people used it, then it would make things more difficult for them. Sadly, statistically few people will use it, because so few people understand the need for privacy all the time, not just some of the time.

    1. Graham Cobb

      Re: Light things up?

      Sadly, statistically few people will use it, because so few people understand the need for privacy all the time, not just some of the time.

      More importantly, the problem is that so few people understand that it is nothing to do with your need for privacy: by using all the available privacy tools all the time you are protecting the people who do need privacy and who are important to you. That may be journalists, campaigners, battered wives, or even politicians.

  15. phil dude
    Joke

    To the spooks, be careful....

    Or the Gods of mathematics will come and spank you...

    You have been warned.

    P.

    1. Brewster's Angle Grinder Silver badge

      Re: To the spooks, be careful....

      Is that the abelian Gods or the non-abelian ones? (Inquiring commutators want to know.)

      1. Brewster's Angle Grinder Silver badge

        I don't generally comment on downvotes, but...

        ...that's either a grammar pedant or the highest quality downvote I've ever had.

  16. a_yank_lurker Silver badge

    Ah, Traffic Analysis

    The spooks are using one of the favorite tools; traffic analysis. It a reasonable guess that heavy users of encryption are doing it for a reason - mostly ill. Therefore map the traffic flows and once a couple of key accounts are identified sit back and 'listen'

    1. Chemist

      Re: Ah, Traffic Analysis

      "It a reasonable guess that heavy users of encryption are doing it for a reason - mostly ill."

      Well I use ssh connections when traveling to pass files to/from my server ( just another directory on my file manager via fish://) No evil secrets but encrypted regardless due to ssh.

      1. Ken Hagan Gold badge

        Re: Ah, Traffic Analysis

        "No evil secrets but encrypted regardless due to ssh."

        In fairness, the article was specifically referring to PGP rather than any other encryption and (as noted by earlier comments) the decision to use PGP to protect a given email is a far more conscious one on the part of the "target" than (say) simply using SSH for remote connections. (Indeed, the latter is almost de rigeur even amongst n00bs for remote terminal sessions simply because there are no examples on the interwebs for running a telnet connection anymore.)

        But I think I'm right in saying that if that email is sent to a foreign (**) email server via a STARTTLS-ed SMTP session, the spooks probably can't even tell whether it uses PGP or not because the metadata was encrypted in that case too. (**Foreign in this context means not in a country where the spooks can ask their friends to issue a warrant to the owner of the server.)

        1. Graham Cobb

          Re: Ah, Traffic Analysis

          But I think I'm right in saying that if that email is sent to a foreign (**) email server via a STARTTLS-ed SMTP session, the spooks probably can't even tell whether it uses PGP or not because the metadata was encrypted in that case too

          You are right that TLS encryption of SMTP exists and hides the metadata from easy interception. On the other hand, it has numerous weaknesses, including:

          1) In most cases, TLS is set up opportunistically -- most servers do not insist on TLS and will drop back to sending without it if the receiver doesn't (appear to) accept it. Most servers prefer not losing email to link security. My personal servers insist on TLS for submitting mail for sending but are forced to accept incoming mail from anyone (although I do add a header to tell me it arrived without using TLS -- and I sometimes complain to the sender that they should turn it on).

          2) In many cases no certificate validation is done, so it is easy to MITM. For example at international gateways.

          3) It is not end-to-end, it is link-by-link, so if the receiving system is compromised, or if it can be convinced to forward the message on to another system without using TLS (see 1) then the metadata is exposed.

          4) There are some attempts to help with problems 1 & 2 by setting up information that says "my mail server always wants to see TLS -- if you try to connect to me and don't get TLS then don't send" and "my certificate looks like this -- if you don't see that certificate don't send". But it is hard to do and fragile and, in practice, no one implements it (search for DANE TLS for more info).

    2. Adam 52 Silver badge

      Re: Ah, Traffic Analysis

      Reasonable guess? Not sure, I move 50GB of pgp files over ssh into AWS every day, that probably puts me in the "heavy user" category. It's Fred sending one message a week to worry about.

      I wonder if the NSA's filter lets them slurp pgp files from s3 or intercept ssh... if so only needs a few people like me to give them a huge storage problem (although the analysis will be easy), and we're a minnow as Big Data goes.

    3. Afernie
      Facepalm

      Re: Ah, Traffic Analysis

      " It a reasonable guess that heavy users of encryption are doing it for a reason - mostly ill."

      Yes, I ruthlessly use PGP in the pursuit of money every day. FTP Batch transfer of Concur expenses claims. Get a grip.

    4. Fluffy Cactus

      Re: Ah, Traffic Analysis

      No, it's not a "mostly ill reason". There are several good reasons.

      Let me give you a few examples: An accountant wants to share tax data with the client - that's sensitive private data, that is required by law to be kept safe, so it should be encrypted.

      A doctor wants to send health data to a patient, again, it's data that is required by law to be kept private.

      Without encryption it cannot and should not be sent by e-mail.

      A lawyer wants to send sensitive court or law-suit data to a client. It would be stupid, wrong and possibly malpractice to send such info unencrypted.

      A business company making widgets sends the latest data about how well the newest widget performs

      from the engineering department to the accounting department. They would be idiotic if they did not

      encrypt such data.

      A secretary of state, say Hillary Clinton, sends sensitive government data from her private e-mail account

      unencrypted. It would be goofy if she really did that. Oh, what? oh she really did? oh, that's a bad example then. (Let's blame it on Microsoft and its spirit of openness.)

      Alrighty then, several US embassy operators were sending sensitive government data home to Washington DC in plain text, without encryption. It'd be sort of dumb if they did that. Oh they did, that's another bad example. Sorry.

      Or let's say the US FDA sends info about approving the latest drug from Pfizer or Merck, etc unencrypted to their clients. That would be dumb. Not sure if they do that. I am not on their list of clients.

      Or the US Army cables that they are going to "Attack at dawn" in plaintext. That would be stupid.

      At any rate, I believe I made my point that there are many reasons why certain data should be

      transmitted only in a safely encrypted fashion, and that these many reasons have nothing to do with

      terrorism or weird anarchist ideas.

      Now do you get it?

      1. Charles 9 Silver badge

        Re: Ah, Traffic Analysis

        Wouldn't all those instead choose to send the data by trusted courier, then? If time's not an issue, they probably wouldn't leave such data to the Internet, especially (like a raw 3D rendering for a movie studio--easily multiple terabytes) the data's too bulky for Internet transport.

  17. Rol Silver badge

    It still amuses me..

    ,.how some people still hold onto the idea that our spooks have capacity issues that limit their ability to monitor everything. (Think Bletchly in 1940's and then factor Moore and more besides)

    Thus by standing in a forest you are somehow out of sight. Sure the agencies haven't the ability to make sense of everything immediately, and hence need to narrow the criteria before looking deeper, but if you suddenly become of interest, they'll pull every online keystroke you ever made out of their repositories.

    No doubt future advances would see bots racing through the historic records compiling full profiles of everything that ever breathed, if they haven't already done so.

    1. Flip
      Happy

      Re: It still amuses me..

      Sure they can. Just watch CSI Cyber...

  18. Koconnor100

    Love of Back Doors

    I totally support the quest for the NSA to build an unbreakable encryption method that includes a golden key that only they can use as a back door , presumably tied to NSA computers some how so China can't use it etc etc.

    Of course, step two is for china and other nations to steal it , and make a very tiny modification as to who exactly is holding that golden key , and who exactly is locked out and can never get in .

    Not to mention every large corperation and group in the world doing the same , thus enhancing privacy (specifically , choking off NSA's industrial espionage operations) rather than reducing it.

    Imagine a car maker in germany whom no one can hack and find out what next years model looks like , so they make good sales, as opposed to poor sales because some americans got a cheap knock off look a like going before they could finish the real deal.

    :)

    1. Vic

      Re: Love of Back Doors

      step two is for china and other nations to steal it

      Those other nations don't need to steal it. They will be given it.

      If not, they won't use the NSA's backdoored encryption - and so will all the bad guys. For every nation to put effort into getting secure encryption off the Internet, they're all going to want a slice of the pie. So they'll all insist on getting the keys before trying to remove teh encryption they've already got.

      So all these nations will have the magic key to decrypt all communications. That's already a disaster - but it doesn't stop there. If every country in the world has several people with access to the key, sooner or later it will leak - it would be very valuable to organised crime, for example. And at the point, the bad guys have the ability to decrypt any communication in the entire world.

      Vic.

  19. Schultz
    Holmes

    Using encryption identifies you as a potential terrorist...

    but we already learned that we are all potential terrorists (at least those of us who don't live in the US). Using encryption will now make you doubly suspicious? I wonder how many terrorists they already caught with their PGP metadata. And whether they ever get any false positives ;).

    Or is it just FUD to scare all those real and imagined terrorists?

  20. channel extended
    Coat

    I like to sign...

    I like to sign my emails with

    dd if=/dev/urandom count=1 | base64

    This still confuses people!!!!!

    1. Ru'

      Re: I like to sign...

      Confused me, but then I'm still waiting for the year of the unix/linux desktop...

  21. Donchik

    An old but solved problem

    I seem to recall that this issue with using encryption identifies you as a potential suspect was solved a long time ago.

    Is there not a program which conceals the encrypted message within a jpg or other image file?

    Imagine every cat image or video on the web being the possible source of a terrorist message.

    PGP is so yesterday...

    1. John H Woods Silver badge

      Re: An old but solved problem

      "Is there not a program which conceals the encrypted message within a jpg or other image file?" -- Donchik.

      Yes, there are several --- search "Steganography." More to the point, if you conceal it within an original creation of your own (i.e. there's no way to compare the picture to an 'original version' out on the web) you can post it publicly on Facebook, Tumblr or any number of well known places and, providing you have enough friends/watchers then they cannot even see to whom it is addressed.

      1. Anonymous Coward
        Anonymous Coward

        Re: An old but solved problem

        More to the point, if you conceal it within an original creation of your own (i.e. there's no way to compare the picture to an 'original version' out on the web) you can post it publicly on Facebook, Tumblr or any number of well known places and, providing you have enough friends/watchers then they cannot even see to whom it is addressed.

        .. although I would first run a quick "exiftool -all= image.jpg" over it - you never know what IPCT/EXIF data you will otherwise leave behind. Not that you have to worry much: most image sites strip it, usually breaking US copyright law in the process..

        1. Charles 9 Silver badge

          Re: An old but solved problem

          Plus what if the server routinely alters uploaded pictures, potentially mangling most stego?

          1. Anonymous Coward
            Anonymous Coward

            Re: An old but solved problem

            Plus what if the server routinely alters uploaded pictures, potentially mangling most stego?

            That's why most image sites do it. Sites such as FB would otherwise become a conduit for stego messages by every crook on the planet. The only problem is that they mangle too much - some data is illegal to mess with, and some lawyers are waking up to the rather large financial potential that has (and it could not happen to a nicer set of organisations, so I gave that awakening a leg up when I talked to a group of lawyers a while back :) ).

            1. Charles 9 Silver badge

              Re: An old but solved problem

              What kind of data would be illegal for an automated mangler to alter such that it wasn't illegal already, thus putting the onus on the uploader?

  22. pewpie

    "It's brilliant!" enthused Weaver. "Whoever it was at the NSA or GCHQ who invented it give them a big Christmas bonus."

    What.. for reading the label? Those folks really are fucked, aren't they..

    1. Ken Hagan Gold badge

      Ssshhh!! Don't tlet on that there are people *outside* his circle of friends who can produce this stuff. It will make him sad.

  23. CRYPSA_Chair

    To deter scrutiny, encryption & privacy must become ubiquitous

    This article points to the reason that TOR, VPN, PGP and financial transaction mixers should be ubiquitous. That is, businesses, consumers, and enterprise should encrypt and anonymize *any* communication, storage or transaction for which the parties do not require a provable receipt and a public audit trail. Just as with a bedroom discussion, or a drink purchased with cash at the local pub, privacy and anonymity should be enabled by default. There should be no chance of interception—even by forensic investigators—without the consent of at least one party to the original transaction.

    I will gladly go head to head with any pundit that feels that privacy technology enables terrorism. Far from it. Treating private communications, storage and transactions as an open book is far more crippling to national interests.

    Philip Raymond

    CRYPSA, Co-Chair

    Cryptocurrency Standards Assocation

    1. Anonymous Coward
      Anonymous Coward

      Re: To deter scrutiny, encryption & privacy must become ubiquitous

      With all due respect, there is no "privacy technology". That is called simply called security.

      1. elDog Silver badge

        Re: To deter scrutiny, encryption & privacy must become ubiquitous

        But the AP (or whatever it's called) can't make a buck off of just plain "security". It has to be wrapped in some special technology sauce that can be patented, or at least controlled.

        1. Anonymous Coward
          Anonymous Coward

          Re: To deter scrutiny, encryption & privacy must become ubiquitous

          "With all due respect, there is no "privacy technology". That is called simply called security."

          But the AP (or whatever it's called) can't make a buck off of just plain "security". It has to be wrapped in some special technology sauce that can be patented, or at least controlled.

          Correct. Post Snowden, Silicon Valley exploded in an absolute frenzy, scratching off all the old "security" words on products and replacing them with "privacy" so they could continue to sell. What is especially egregious is that it's easy to prove they all knew damn well that they were selling a lie, but hey, that seems nowadays merely in line with the best of US business traditions: keep selling until you're caught.

  24. Michael Habel Silver badge

    So the next logical question...

    Can the Metadata itself be encrypted, PR at the least of it pruned to be as minimal as possible?

    1. Anonymous Coward
      Anonymous Coward

      Re: So the next logical question...

      If you need that data to travel on a public system, the answer is no although you can indeed at least prune some of it. It will always have an origin, which you could possibly cloak, but without a target you'll have to develop a holding location which creates its own problems.

      This traceability is going to get a lot worse with IPv6 coming in. At the moment you have still some protection from NAT traversals where one IP address can be one person or a whole ISP, but with IPv6 there is the potential to forego that layer of protection, which could result in every single machine having its own ID. At that point all these data thieves such as Google, Facebook and any intelligence agency won't even have to bother with cookies. Just implement a law that mandates a fixed IP address on each device (which, of course, immediately gets ignored or bypassed by government agencies and criminals) and your privacy is pretty much dead.

      1. Ken Hagan Gold badge

        Re: So the next logical question...

        With NAT, one IPv4 address nearly always means one property (home or small business). NAT at the ISP level is not widespread and not an obstacle if you are the local intelligence agency. If you've pinned it down to a single house, pinning it down further to a single keyboard isn't worth the effort. (If, on the other hand, you are an advertiser trying *not* to send the inappropriate ads to your customer's children, targetting down to the level of individual logins on a particular machine might be prudent, or even a legal requirement. Cookies still have their place, even with IPv6.)

        Now if you'd made the point that some ISPs dynamically re-assign IPv4 addresses to different customers then you might have a point, but even here the "always-on" nature of an ADSL or cable connection means that the addresses remain associated with a single end-point for long periods.

    2. Charles 9 Silver badge

      Re: So the next logical question...

      You're basically asking how to mail a letter without an address: barring telepathy, no. SOMEONE has to be able to know where the letter's going, and that alone can be exploited by the plods. About the only way you can avoid this is to go there in person using only private transportation (public will find a way to log you), and even then they may note something by your absence.

      RE: "NAT at the ISP level is not widespread and not an obstacle if you are the local intelligence agency."

      That's not the case in Asia, where they have billions of people and not enough addresses to go around, thus they were among the first to do carrier-grade NAT. Unless you're saying the plods were one-step ahead and mandated identifiable traces on all computer hardware before they were even sold.

  25. SteveG

    FUD?

    Certainly sounds like it to me!

  26. Cynic_999 Silver badge

    I follow that they can use the metadata in a PGP message, but what metadata are they talking about wrt a Tor connection? There is none AFAIAA.

    1. Anonymous Coward
      Anonymous Coward

      Recipient, email tracking data in the header - and let's not forget that, thanks to spammers, it is getting much harder to inject an email of unknown or hidden origin into a normal mail server. It may abort the connection the moment you try to set up the first HELO..

  27. Anonymous Coward
    Anonymous Coward

    Good luck i'm behind 7 proxies.

    1. Charles 9 Silver badge

      Internet must be awfully slow for you (TOR is slow enough with, what, three proxies). Plus if the plods REALLY wanted you, they'll just trace your proxies then pwn the first link in the chain to trace back to you.

      1. Anonymous Coward
        Anonymous Coward

        http://knowyourmeme.com/memes/good-luck-im-behind-7-proxies

  28. The Frog People Believe

    I always thought this might be the case!

    You use VPN software for legitimate security reasons (or just to stream films from services not available in your country) and then you're immediately on someone's radar!

  29. DWRandolph

    constant traffic component of OpSec

    Along the lines of "everyone should encrypt everything", another old component of Operational Security is amount of traffic. Each site within a group should always be sending the same about of traffic to each other site. Random cruft when nothing is happening, then real data if something is going on. But those watching will not see a spike of traffic to realize what triggers when. You should never panic and send of burst of out-of-band / unusual traffic to flag your intentions.

    1. Charles 9 Silver badge

      Re: constant traffic component of OpSec

      How do you reconcile that with a low bandwidth cap?

      1. DWRandolph

        Re: constant traffic component of OpSec

        Guess how much bandwidth you have available / choose to buy is based on how much importance you assign to this aspect of your security. It is just one of the onion layers to manage.

        If you have X bandwidth, assess your criteria to assign Y% of it to "secured" traffic, then keep that Y% portion filled.

        1. Charles 9 Silver badge

          Re: constant traffic component of OpSec

          Many people don't have that option. For most, what they get is barely enough to get news through "legal" channels, let alone with the additional overhead of a VPN.

  30. Roger Mew

    Oh really

    Just using OpenDNS gets around ISP rubbish and stops then seeing what you are doing. Sure they may KNOW you are downloading a film, but one of the family outing, porno, or anything else. Now add on a VPN and go to somewhere like Malaya or India (watch all the football games with a VPN like SaferVPN) and the whole thing becomes a farce. Even Using Skype with a VPN means that when you call from say one skype to another both on a VPN even using skype out the wotsits will have fun finding exactly where you are, Now lete go one further, is there or can there be any monitoring of say Echolink. Use false amateur radio callsigns and get the thing set up and you are person to person with no intermediary. Now using a slang code and back chat then it becomes even harder.

    Frankly for every thing that is looked at there are thousands that are not. I do not like or even understand terrorists, however realism has to come into such as monitoring. The ones that make silly slips give a route to others, its not just the encryption. Funny, most of the idiots going to IS have been indoctrinated, that gives a mental loophole in their intelligence. They may not be stupid, but they cannot think for themselves so they open an incompetent hole, or should I say a hole of incompetence.

    1. Vic

      Re: Oh really

      Just using OpenDNS gets around ISP rubbish and stops then seeing what you are doing

      That would be an unsafe assumption, what with DNS being a cleartext protocol...

      Vic.

    2. Charles 9 Silver badge

      Re: Oh really

      That's why, if they're REALLY interested in you, they'll spear-fish, drive-by, or use any and all means to pwn you at the endpoint: outside any encryption of obfuscation envelopes (because, at the end, the content MUST be decrypted for you to be able to employ it, seeing as we're not in Ghost in the Shell levels of technology where we keep cryptochips in our bodies as of yet.

  31. G7mzh

    Use enigma

    Use Enigma with a decent password. Since it's simply text (albeit 5-letter groups), it won't be flagged up by the PGP-detection machine. If a file has been UU-encoded, that can go through Enigma as well.

  32. cortland

    Warranted

    We are today asking the court for a warrant to search the GPS history of Hargli bin Tawkin, and others as yet unnamed.

    Yes, sir.

    Extremists are relying less on the Internet and e-mail to pass plans, schedules and target data to each other. Conspirators now avoid email because post-Snowden, they know we read it; we've lost track of a number of cell's lately simply because they meet personally in places they're unlikely to attract attention. Location metadata from cellphones has already let us connect the dots in several cases,and GPS manufacturer databases will extend our ability to follow to terrorists to their headquarters before they can strike.

    In a more physical manner, we are asking the Court to allow coded graphite nanoparticles to be placed in writing instruments, so we can use laser fluorescence to follow people who leave cryptic Post-It notes on public bulletin boards.

    Yessir; we'll track them by the lead in their pencils, ha ha.

    Thank you, Your Honor.

    1. Fluffy Cactus

      Re: Warranted

      I am sorry sir, but it is not very smart to reveal such secrets as the 'graphite nanoparticles in writing instruments'. Now that they know that, they are going to using stolen pencils from the "mini-golf-course'.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019