Free Republic

Cops hate encryption but the NSA loves it when you use PGP
The Register ^ | Jan 27, 2016 | Iain Thomson

Posted on 01/27/2016 5:44:27 PM PST by dayglored

It lights you up like a Vegas casino, says compsci boffin

Usenix Enigma Although the cops and Feds won't stop banging on and on about encryption - the spies have a different take on the use of crypto.

To be brutally blunt, they love it. Why? Because using detectable encryption technology like PGP, Tor, VPNs and so on, lights you up on the intelligence agencies' dashboards. Agents and analysts don't even have to see the contents of the communications - the metadata is enough for g-men to start making your life difficult.

"To be honest, the spooks love PGP," Nicholas Weaver, a researcher at the International Computer Science Institute, told the Usenix Enigma conference in San Francisco on Wednesday. "It's really chatty and it gives them a lot of metadata and communication records. PGP is the NSA's friend."

Weaver, who has spent much of the last decade investigating NSA techniques, said that all PGP traffic, including who sent it and to whom, is automatically stored and backed up onto tape. This can then be searched as needed when matched with other surveillance data.

Given that the NSA has taps on almost all of the internet's major trunk routes, the PGP records can be incredibly useful. It's a simple matter to build a script that can identify one PGP user and then track all their contacts to build a journal of their activities.

Even better is the Mujahedeen Secrets encryption system, which was released by the Global Islamic Media Front to allow Al Qaeda supporters to communicate in private. Weaver said that not only was it even harder to use than PGP, but it was a boon for metadata - since almost anyone using it identified themselves as a potential terrorist.

"It's brilliant!" enthused Weaver. "Whoever it was at the NSA or GCHQ who invented it give them a big Christmas bonus."

Given all the tools available to the intelligence agencies there's really no need for an encryption backdoor, he explained. With the NSA's toolkit of zero-day exploits, and old-day exploits, it's much easier to root a target's computer after identifying them from metadata traffic.

With all these tools it's not hard to see why the intelligence community isn't pushing hard for an encryption backdoor, or actively opposing it. Last week, the NSA boss Mike Rogers came out against plans to bork encryption for the police:

"Encryption is foundational to the future, so spending time arguing about, 'Hey, encryption is bad and we ought to do away with it,' that's a waste of time to me," he said. "Encryption is foundational to the future, so what we've got to ask ourselves is, given that foundation, what's the best way for us to deal with it?"


TOPICS: Business/Economy; Computers/Internet; Hobbies; Science
KEYWORDS: aes; decryptbotnets; encryption; internet; largeprimenumbers; mikerogers; nicholasweaver; nsa; pgp; police; prettygoodprivacy; publickeyencryption; usenixenigma; windowspinglist
To: dayglored

This article is complete garbage. They make it seem like the Feds are all over things, and they really aren’t. The use of TOR is growing, and identifying the ingress and egress points, plus the client information, is not hard. All they have are IP addresses and information on computer types, MAC addresses, etc. They do not have the ability to detect what is being passed in those channels.

The same goes for VPN. Do you know how many companies use VPN technologies? It’s one of the fundamental things for any admin to know how to implement and maintain whether it’s using a turnkey appliance from Cisco, implementing an IKEv2 or L2TP VPN with Microsoft Windows Server, or installing OpenVPN on a Nix machine. They’re collecting metadata on VPN traffic? BFD! I could show you packet traces from the nearest Starbucks where thousands of people are sending traffic across UDP 500, 1500, and 1701 every hour, day, week, etc. IT MEANS NOTHING!

This is another rah-rah article for the Feds making it seem like they can track everyone, and while I agree that privacy is pretty much in the toilet, browsing securely online is very possible. The most the government or the bad guys will have is that A) you are using encryption technology and B) traffic is between you and another point. They don’t know if you’re sending emails with recipes for duck l’orange or blueprints for a 3D-printed gun.

And as far as PGP... it’s “pretty good.” That’s all. It’s not great.


21 posted on 01/28/2016 5:15:50 AM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user
There are some who use Mixmaster or Cyberpunk. The NSA may know where the mail originates, but they don’t know where it is going or who reads it.

It's been years since I looked at Mixmaster stuff. There was some really interesting stuff being done with anonymous remailers 20 years ago, and I haven't really kept up. Might have to look into it again. Seems the time is ripe. Gotta figure that half the nodes are Fedgovs, as the ferals don't miss a trick, and they have an infinite amount of money.

22 posted on 01/28/2016 6:29:49 AM PST by zeugma (Lon Horiuchi is the true face of the feral government. Remember that. Always.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Ernest_at_the_Beach; ...

23 posted on 01/28/2016 6:38:05 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Darksheare

IIRC TOR was invented by the Feds. Or the Navy. Either way....


24 posted on 01/28/2016 6:44:59 AM PST by AFreeBird
[ Post Reply | Private Reply | To 8 | View Replies]

To: zeugma

The problem with relays is that they are susceptible to DDoS if they’re not secured properly. Even routing your network traffic through multiple VPNs and TOR can be tracked if you have the know-how.


25 posted on 01/28/2016 6:45:47 AM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: RockyTx
what exactly is wrong with PGP?
please be specific.

We have a bozo here on FR that always claims PGP/GPG is broken. Of course, he never mentions any specifics.

As the article said, it's not necessarily the content of the message that is important, because you can learn a lot just by flagging where the messages are coming from and where they are going to. That's why when the Snowden docs first surfaced the NSA tried so hard to play down the impact of them collecting 'metadata'. As always, they were a bit disingenuous about it, because the metadata can be really useful for signals intelligence.

I'm fairly confident that the feral government doesn't have any real way to 'open the envelope' through cryptographic means, but generally speaking they hardly need to. Given that the vast majority of folks out there use an operating system that's easier to crack open than a 2 dollar whore, they don't really need to be able to crack it.

Let's say Alice sends an encrypted message to Bob. Mallory, who is a feral government thug, has several options if he wants to look at the content of the message. He could use a rubber hose to beat the passphrase and private key out of Bob, but that's tiresome and probably results in a lot of pesky paperwork. Instead, Mallory hacks into Bob's PC, because he's using Windows, and there are almost always zero-day exploits out there for it. In fact he and his buddies at the NSA have a collection of them they use and keep secret for just exactly that purpose. So he p0wns Bob's PC, scarfs up the private key, and installs a keystroke logger so the passphrase will be sent along the next time it's entered.

Now Mallory can read the message any time he wants. Not only that, since he also has a copy of the private key and passphrase, he can now send encrypted mail as Bob to Alice, and the message will authenticate correctly as having been signed by Bob's private key. That is so much more useful for Mallory than taking Bob out of circulation and having him bleed all over the carpet in Mallory's dungeon.

What we really need in addition to PGP, are much more robust email programs that integrate seamlessly with email clients. I use the Thunderbird email client which has a great plugin called 'enigmail' that integrates GPG/PGP into the program. Works great. Depending upon how you configure it, you can actually set it up to make it more difficult to send email unsigned and unencrypted than it is to send an email as plain text.

The problem is that people are lazy and ignorant. They don't know anything about encryption. They don't know how to get it, install the plugin, or how to pick decent passphrases for their keys. Hell, most folk barely have a clue beyond how to launch a program and type in an email, much less how their computer works and how to use it. They are simply ignorant. They can be taught, but most don't give a damn and have no more interest in their own computing security than they do about the latest advances in quantum mechanics, and it takes actual work to learn some of this stuff. Of course it doesn't help any that certain OS vendors have refused to provide any easy means for implementing cryptography - something that they could have done long ago, so that it would be second nature to folks who simply don't think about it.

Then there is webmail. You can't easily use crypto with webmail, because it is a really, really, really, really bad idea to have your keys on their servers. In order for webmail to work with PGP/GPG or something similar you're going to have to have the browser doing much more work to make use of local keys and scratch files and the like. It's not an insurmountable barrier, but it's a tough nut to crack because there is so much that has to go into the thinking behind designing such a system securely. It will also make using the webmail somewhat more clunky of an experience, so they won't use it, because people are lazy and ignorant.

Sadly, I think the ferals in government have pretty much won this battle because they were able to, ah, discourage companies from implementing crypto long ago when it could have been something that just became a part of everyone's routine because "that's the way it is". Imagine how different things would be if even a junky virus magnet like outlook had implemented PGP plugins 15-20 years ago. The vast majority of email would probably be encrypted at this point. For many reasons, that would have helped a lot in dealing with issues of SPAM as well.

Bottom line for me, is that yes, I know PGP/GPG flag my communications to ferals in government, but I use it when I can because some things are important enough to sign or encrypt.

26 posted on 01/28/2016 7:02:13 AM PST by zeugma (Lon Horiuchi is the true face of the feral government. Remember that. Always.)
[ Post Reply | Private Reply | To 17 | View Replies]

