Saving the Internet from the NSA

[Blind groper]

When the hero whistle blower, Edward Snowden outed the nefarious activities of the US administration, one of the many things revealed was that the National Security Agency (NSA) was snooping on the global internet, collecting 1.6% of all internet traffic, a total of 29 Petabytes of data each day. This costs the American taxpayer billions of dollars each year on collecting and analysing this enormous mass of data.

The predictable reaction to this unethical action was international outrage. The American government was embarrassed, explaining why they are so keen to lock Snowden away for life, or execute him. Politicians do not like to be embarassed.

People all over the world were angered at this intrusion. Snooping on enemies is one thing, but the NSA was snooping on its friends as well. Angela Merkel's cell phone tapping was just the tip of the iceberg.

Now various internet experts are fighting back. A whole bunch of new software is being designed specifically to block the NSA. (See New Scientist, 23 November, page 24) The NSA will find it increasingly difficult to stick its grubby nose in where it should not go. Of course, that by itself will not be a perfect solution, since the NSA will hire its own experts to thwart those who are out to stop it. Society as a whole, and specifically the American people, should be expressing their hatred of being snooped on over the internet.

[Seth]

All I have to say to all those anti-snooping entrepreneurs is "Good luck with that..."

Thing is, if they are good enough to beat the NSA, the NSA will either hire them, coerce them into inserting backdoors, or refer them to the black division of the CIA for disposal.

The story I read today says that most of the new "unbreakable" encryption schemes and suchlike are mostly either vaporware, loaded with bugs and trapdoors, simply ineffective or originate at Langley.

Best just to think of the Internet as if it's a good old-fashioned party line (I actually used to have one of those...) and don't say anything your mother wouldn't like to hear. Innocuousness is the best defense against government snooping.

Besides, it ain't just the NSA by a long shot. Every other technologically advanced nation on earth has their own version, including the UK, and they aren't likely to tell anybody that they are doing exactly what the NSA is doing even though it's perfectly obvious they are.

[Ian]

Anyone calling Snowden a hero is going to be shitting themselves soon. Probably literally. Much more of this story is going to come to light (hopefully).

I'm not in favor of the death penalty, but if there was anyone in the world I'd happily beat to death with a baseball bat, it is Snowden.

Why? Because I know a lot more about this matter than the fucking media does, that's why. Don't believe me, or don't want to? I don't give a fuck.

I am a little durnk at the moment, hence my bothering to say something on the subject again.

[pErvinalia]

If the solutions are open sources, like Tor is now, then that vastly reduces the possibility of trapdoors being inserted. And true geeks (the kind that can out code the NSA spooks) do things for the challenge, not the money. The NSA will always be behind in brute coding ability. Where they'll have the advantage is with government laws/regulations.

[Seth]

Anyone calling Snowden a hero is going to be shitting themselves soon. Probably literally. Much more of this story is going to come to light (hopefully).

I'm not in favor of the death penalty, but if there was anyone in the world I'd happily beat to death with a baseball bat, it is Snowden.

Why? Because I know a lot more about this matter than the fucking media does, that's why. Don't believe me, or don't want to? I don't give a fuck.

I am a little durnk at the moment, hence my bothering to say something on the subject again.

I believe you, and I'm with you. If the CIA wants a contract operator to do the job they should drop by for a chat, I might know someone...

[Seth]

If the solutions are open sources, like Tor is now, then that vastly reduces the possibility of trapdoors being inserted. And true geeks (the kind that can out code the NSA spooks) do things for the challenge, not the money. The NSA will always be behind in brute coding ability. Where they'll have the advantage is with government laws/regulations.

Doesn't matter much, the NSA has already penetrated Tor and every encryption system out there including PGP. They have supercomputers dedicated to nothing else.

The only secure encryption left is the one-time pad, and that has inherent vulnerabilities.

[pErvinalia]

I'm not sure that's true. I studied cryptography at uni, and at the time the best encryption would have taken in the range of tens of thousand of years to break with a supercomputer. The real game changer will be (if and) when quantum computers become a reality. They'll be able to break all encryption in hours/days.

[Ian]

Don't people who call him a hero think it's odd that their privacy rights/free speech champion was granted asylum in Russia of all places? Isn't that a bit weird? Unless, perhaps, there's a LOT more to this story than the crap that has made the headlines? Maybe?

[pErvinalia]

Seems a real possibility.

[Blind groper]

I am not a computer geek, and do not understand all the technicalities. But from the article, it does not sound as if the methods depend on cryptography.

The first one mentioned is called 'Dust". It is from Brandon Wyley at the University of Texas, Austin. It alters the protocol of messages on line to make it impossible for the NSA computer to classify those messages. If it works well, the NSA computer may have to download 100% of the internet, including things like people watching movies. That would bog them down!

Others mentioned are Scramblesuit from Philipp Winter of Karlstad University in Sweden, and FTE by Kevin Dyer of Portland State University.

Tor is mentioned in the article, but not as one of the leading technologies.

[Blind groper]

Don't people who call him a hero think it's odd that their privacy rights/free speech champion was granted asylum in Russia of all places? Isn't that a bit weird?

Not weird.

It is pretty obvious that no nation wanting to suck up to the USA would offer him sanctuary.

[Seth]

I'm not sure that's true. I studied cryptography at uni, and at the time the best encryption would have taken in the range of tens of thousand of years to break with a supercomputer. The real game changer will be (if and) when quantum computers become a reality. They'll be able to break all encryption in hours/days.

That's what everybody thought, but they were wrong. Most of the vulnerability has to do with human behavior and the fact that only the most careful of spies actually uses a secure password/encryption key. This creates a very limited universe of probable combinations that supercomputers can process in a reasonable amount of time.

Besides, any commercial encryption system for sale in the US MUST be crackable by the NSA by law. If it can't be, the government will prohibit distribution of the software. Encryption technology is classified as a "munition" and there are very strict laws about exporting munitions pretty much everywhere.

[Seth]

I am not a computer geek, and do not understand all the technicalities. But from the article, it does not sound as if the methods depend on cryptography.

The first one mentioned is called 'Dust". It is from Brandon Wyley at the University of Texas, Austin. It alters the protocol of messages on line to make it impossible for the NSA computer to classify those messages. If it works well, the NSA computer may have to download 100% of the internet, including things like people watching movies. That would bog them down!

Others mentioned are Scramblesuit from Philipp Winter of Karlstad University in Sweden, and FTE by Kevin Dyer of Portland State University.

Tor is mentioned in the article, but not as one of the leading technologies.

In order for any message packet on the Internet to get where it's going and be read certain information must be "public" in order for the message to be passed. The origin and destination of a packet are perhaps the most important bit of information because that's what "classifies" the packet as being of interest to the NSA. Traffic analysis is used to examine how and where packets flow, and this does not require any decryption. This is where good old humint comes in. If you can identify senders and receivers of suspicious packets you can focus your attention on them.

The vulnerability of any system is that if it's encrypted mathematically or systematically, it can be decrypted, it's just a matter of how long it takes and how much processing power is required. Changing the "protocol" of a message is just obfuscation, not security. Stegonagraphy is the technique of embedding messages into digital images as "noise," but it too is just obfuscation, and it's my understanding that the NSA has figured out the patterns that indicate an image is a stego cover. So if you send a bunch of stego messages and all the NSA does is detect that a stego message has been sent, that will trip the trigger on more aggressive investigatory techniques, and once the Eye of Sauron is focused on you, you're pretty much screwed.

Anything that changes the protocol of a packet is just misdirection. It'll slow things down perhaps, but once they figure out that's what's happening they will just figure out a way to classify and/or decrypt the packets. If it's created by a computer algorithm it can be deconstructed by a computer algorithm.

I used to encrypt everything "just because," using PGP, but I figured out a long time ago that doing so only makes me MORE of a target for snooping and doesn't provide me much security at all. So why bother?

And this explains the complaint that American's are complacent about NSA snooping. We are because there's no reason not to be. It's a perfect example of the old maxim "you have nothing to worry about if you're not doing anything illegal."

And if you are doing something illegal, then I WANT the NSA to snoop on you, wherever you are, because it's most probably in my best interests that they do...until it isn't. So the key is to have communications channels that cannot be compromised, or that are much more difficult to compromise for any information that one really doesn't want the government to know about while being innocuous and cooperative when using the Internet.

People are pissed at Snowden because for the most part they have nothing to hide and they understand that tracking terrorists is a difficult thing under the best of circumstances and they accept that their privacy will be potentially compromised by efforts to intercept terrorist communications.

Most people don't care if the NSA wants to know that Aunt Bessie's liver is improving.

Idiot terrorists who use the Internet to communicate thinking it's secure are exactly the kind of terrorists I like to see, because it makes it easier to catch them.

And the really smart ones don't use the Internet at all. The dead-drop and the brush-pass are still perfectly useful tradecraft and are much more secure than the Internet.

[Blind groper]

I have given the NSA plenty of reason to snoop on me. I send emails and forum messages with key words like "Edward Snowden" rather frequently. Of course, I am totally harmless and will never be a threat to the USA or to any person anywhere. But it tickles me that I am probably wasting NSA time and resources.

[pErvinalia]

I'm not sure that's true. I studied cryptography at uni, and at the time the best encryption would have taken in the range of tens of thousand of years to break with a supercomputer. The real game changer will be (if and) when quantum computers become a reality. They'll be able to break all encryption in hours/days.

That's what everybody thought, but they were wrong. Most of the vulnerability has to do with human behavior and the fact that only the most careful of spies actually uses a secure password/encryption key. This creates a very limited universe of probable combinations that supercomputers can process in a reasonable amount of time.

Besides, any commercial encryption system for sale in the US MUST be crackable by the NSA by law. If it can't be, the government will prohibit distribution of the software. Encryption technology is classified as a "munition" and there are very strict laws about exporting munitions pretty much everywhere.

You don't need US encryption to have an unbeatable encryption system. Most of these systems are studied in universities around the world. For example we studied RSA, and I could implement a weak (i.e. small key) version of it with my home PC. Unfortunately, I've forgotten most of the details of asymmetrical encryption, but it's not anywhere near as straight forwards as you would think it is. It's not a matter of picking a password or a simple key. They are 128+ bit keys which are based around a presently unsolvable algorithm for factoring prime numbers. That algorithm will be solvable with quantum computing. But with present computer architectures, it's simply never going to be solvable within useful time frames (i.e. less than a couple of decades). Tor and other top shelf encryption systems use that sort of encryption. Some may use shorter keys that can be solved by a super computer in usable timeframes. It's really a matter of how secret you want to keep something. Unless there's been some crazy advance in mathematics in the last 10 years that I'm not aware about, then high bit asymmetrical key encryption is still going to be safe. The protocol itself will be safe, but there could be other weak points in the system (like key generation and storage), and perhaps that's where they break into these things.