Life Through The PRISM
This has nothing to do with Pink Floyd [an allusion for the ancients among us], this is about contractors pawing through our lives on-line.
First off, realistically, the only ‘direct connection’ the government could have to Google, would be to a secure server on which Google loads the specific data that it has been ordered to deliver. The contractors that now comprise NSA don’t have the resources to contain the data that Google generates. Think of it as trying to unload an oil tanker with a 5-gallon gas can.
Not convinced, how about the resources necessary to keep up with PMS day on Microsoft, when Windows users are all upgrading their machines at the same time.
This isn’t a matter of whether or not the contractors want the access, it is whether they can actually handle what they would get, and they don’t have the resources.
Get real, broadband in the US sucks. We are at the bottom for speed and top for cost. The ‘free market’ is not providing the US with a first world data infrastructure. The contractors can create whatever they want in Utah, but they aren’t going to have the available bandwidth to really do much. The telecoms have been focused on getting more money from their existing system, not spending money to expand it.
That said, I agree with the EFF that a lot of questions need to be answered about PRISM. While we are waiting, PRISM Break has a listing of products that help to preserve your personal privacy to some extent. Pretty Good Privacy/GNU Privacy Guard 128-bit encryption should easily last your lifetime.
11 comments
PGP/GPG were broken long ago. It’s called “rubber hose cryptanalysis”, and the way it works is that a federal judge orders you to produce the key or go to jail for contempt of court until such time as you do so. Just ask Kevin Mitnick, who spent four years in prison for the crime of not turning over his key to the federal judge.
Alternately, there is the pinhole camera option. That’s the one that was used to take down Edwin Edwards, they simply took video of him entering his password.
Or the keystroke scanner option, which comes in two variants, hardware and software.
You and I can figure out ways around these various attacks on encryption and communicate securely, but the reality is that the average Joe Bob hasn’t a chance in bleep of implementing information security.
Yes, they can get a warrant, but they can’t do it in secret, and you get your day in court. The way things are going, judges may find that they aren’t as easily convinced that the probable cause that is being offered by the DoJ is valid.
The real point of the exercise is to stop the blackmail of the readily accessible information that you generate on the ‘Net.
The contractors who has primarily in charge of this mess can’t secure their own systems, but they know how to have the government pay them to spy on the rest of the country.
Yes, they can get a warrant, but they can’t do it in secret
One word: FISA.
The FISA court isn’t even allowed by its enabling law to ask detailed questions about why the warrant is needed, they’re required to accept the blank statement that it’s needed as part of a terrorism investigation. It is to courts what the right to vote was to Soviet governance — i.e., all form, no susbstance.
Regarding Google, my take on it is that the Feds are mostly interested in email, not in all the other hoards of data that Google possesses. As you correctly point out, they wouldn’t know what to do with the rest of that data, it has nothing of value to them, and furthermore much of it is already publicly available just by going to the Google web site. Note that Google saying they only got a few dozen FISA requests doesn’t mean much if one of those FISA requests was “provide metadata for all email”, which, yes, under the Patriot Act is valid.
The FISA court is fine for business records, but not for individuals. They would need a warrant from a Federal court, and it could be contested. They would really need to arrest you before they could even ask for the password. That’s why they use the keyloggers and other surveillance techniques. Once they go beyond surveillance they are in regular Federal court.
we do seem to be living in interesting times: http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/all/
Well, Bryan, rubber hose cryptanalysis has in fact taken place without court supervision of any kind back when the CIA ran “black” facilities in a variety of foreign countries as part of “extraordinary rendition” operations. Supposedly all of those facilities have been shut down (for one thing, the Obama administration appears to have overthrown or at least attempted to overthrow most of the governments that participated in the program, such as Libya and Syria!), but that point is made — ordinarily, law enforcement will need a regular federal court to issue an evidence production order to get the encryption key out of you that way.
Regarding email, virtually all email on the planet goes to port 25 in the clear via SMTP. Even if you PGP-encrypt the body, the header still has to be in the clear in order to route the email to the destination. The Mixmaster network may still be in operation but is supposedly hopelessly compromised, and is hardly reliable enough to use for normal email anyhow. I send my email between my house and my smtp server (and Google’s smtp server) via SSL, but that just defeats black boxes at the ISP level, not a FISA court order at Google’s end (and I’ll point out that outgoing emails forwarded on from my email server still are in the clear to port 25).
Our entire Internet, in other words, is predominantly “in the clear” and hard to secure against NSA surveillance. I use encryption where I can, but the reality is that Joe Shmuck has no clue or ability to easily do it given that the whole infrastructure of the Internet is fighting against him.
The first thing I noticed about Alexander is that he has four stars. It is a stretch to give the director of NSA three stars, which was the rank associated with the director after the first DIRNSA.
I did come checking and his fourth star is because he is the commander of the US Cyber Command. Apparently NSA has been absorbed by Cyber Command, and all of the normal NSA functions have been moved to an installation in Georgia.
NSA doesn’t control this mess, Cyber Command does. NSA had 38,000 people when I was in, and now it is down to 20,000. They aren’t doing things the way NSA does them, and that has been annoying me to no end. It isn’t important things as much as the small routine things that were just part of the NSA culture.
This whole mess is dedicated to crime, not to anything military, and NSA is a military organization.
“and NSA is a military organization.”
well, perhaps it used to be…
“This whole mess is dedicated to crime”
ot1h, that’s just plain scary; otoh, criminals and criminality can be dealt with, which thought somehow make makes the solution to the problem seem a little more manageable.
Badux, the need for openness in addresses makes the ‘Net possible for now, but I suspect someone is holed up in a ‘cave’ working on the issue. It won’t be a quick or easy fix, and it will probably take years to implement, but the sort of foolishness that we are seeing now, will move things that way.
I have used PGP for years with certain people because it was part of the contract. It was a compromise that meant I didn’t have to constantly go to their offices to deal with minor problems. When what you do affects someone’s core business, they tend to get really nervous about it.
I spent years with people spying on me for spying on them. It was part of the “Great Game” that is espionage/reconnaissance. I was still constrained after I left the military for several years from doing a lot of legal things. I’m free of all that now, so I don’t like them reentering my life to mess with me again just to con Congress into giving them huge amounts of cash for nothing.
The biggest problem with mixmaster/onion routing is that they end up being much slower and resource-intensive than just directly attaching to the appropriate port of your destination. I’m aware of the various darknet-type networks that have been proposed and/or implemented, I may even have contributed code to one or more of them. Thus far none of them have really achieved viability due to these performance issues and the ability of TLA’s to insert nodes into the network has to some extent rendered the networks less secure than was thought upon being proposed.
PGP certainly has its uses but defeating traffic analysis isn’t one of them and the average Joe Schmuck hasn’t a chance of decrypting that PGP-encrypted email that you sent him. I have a test, I call it the Mom Test. Could my Mom do it? If not, then it’s not viable as a solution. Dilbert’s Mom maybe could do it, but my Mom isn’t Dilbert’s Mom, my Mom is the typical computer user that never really wanted to know anything about computers and uses it only because it’s the easiest way to keep up with her far-flung clan (and get recipes off the Internets, of course!).
Here is an interesting use of your new Raspberry Pi computer… Onion Pi, a Tor-routing wifi router based on Raspberry Pi. Onionlicious. Unfortunately while I use Tor occasionally to look at things that I know would put me on the radar of certain TLA’s, it’s really too slow for much of the web browsing that I do, and some of it — like YouTube — can’t go through Tor anyhow. So it goes.
You definitely can’t use PGP for everything, you have to obtain keys for it to work, and businesses are definitely not going to do it as it would reduce their market. I’m not going all out because that would require too much coordination.
The SSL change requires coordination with my host, who has only recently made the option available, but it will happen at some point. Hopefully the change will be transparent.
TOR doesn’t has the scale needed for widespread use, and it is only as strong as the integrity of the people who are participating. It does provide an option, an option that shouldn’t have been needed.
That Onion Pi looks seriously interesting, I’m hoping to have some time to mess with the Pi in the near future, but life has been pretty busy.