On Defeating The NSA: Privacy In A Time Of Government Overreach

We’re spying on you for your own good.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

We may be nearing the anticipated and dreaded point where our government cares more about its perpetuation than about its original and limited charge. Nowhere is this more evident than in the actions of the National Security Agency, which has engaged, is engaging, and will continue to engage in wholesale, warrantless spying on citizens.

The bad news is that the courts, being part of government, have generally sided with the other branches of government and against the plain meaning of the Constitution and have declared this spying “lawful”. The bulk of the people also support this spying, having ever on their lips the cry “But what about the children!”

NSA statement does not deny spying on members of Congress.

Any state with a government strong enough to vote itself more powers will eventually turn tyrannical. It will call its tyranny benevolence: our Big Brother. The innocent don’t fret because they feel that they have nothing to fear, nothing to hide. But they forget that in a tyranny everybody is guilty.

The government has infinite resources compared to the citizen; nevertheless, there are some things the citizen can do to slow (probably not stop) the growth of Leviathan. One of these is frustrating the NSA. Here is how.

I don’t assume much knowledge on the part of readers. This is only a rough guide. After people comment, I’ll expand the list. A communication means any electronic method of information transfer, such as emails, phone calls, chat, text messages and the like.

Code is not cipher

If I tell you “The duck backed the third horse” and you understand that to mean “I’ll be over for a beer at six”, then we have communicated in code. If instead I use some system to transform the same message into a string of characters like “FJI88PODJH…” and you use the same system to turn them back into English, then we are speaking in cipher.

Most of your emails and other communications are encrypted, which means you’re talking in cipher. For example, look for an “https” on the address bar of the web email service you use; the “s” at the end means secure. Not that secure, though. The systems that encrypt your communications are not always sophisticated and the NSA can break them; i.e. the NSA can and does read emails and listen to phone calls. They are also building ever more sophisticated computers to do this spying more efficiently.

Most ciphers can be broken, but many codes cannot. Codes confuse and obfuscate. For example, if I were to put in a Gmail the code “Eagle 27”, the NSA will be able to break the cipher and read it but it will not understand what I meant—unless I were silly enough to put in another communication (email or phone) what “Eagle 27” meant. Obviously, never do this.

What can you do? Start by putting nonsensical code into your communications. End emails and calls with phrases like “Dogpatch running on the water” etc. The NSA will never know this code is nonsense. More importantly, the statistical algorithms which necessarily must sift through the billions of daily communications will not know what to do. This adds only a small annoyance to the government’s burden, but every little bit helps. If you really have something secret to communicate and even if you’re using cipher, do as much as possible in code. Best to use code which mimics typical spam keywords.

One-time pads

There is one and only one method of encryption that the NSA cannot break. This is the “one-time pad”. In essence, each bit or character in a communication is separately encrypted. This cipher is mathematically impossible to crack, even with quantum computers. So why doesn’t everybody use one-time pads? Two difficulties.

The biggest is “key sharing”, i.e. the swapping of information that allows the encryption and decryption of messages. In one-time pads, the keys must be shared in person. They cannot go out over communication channels. If they do, then the NSA will know what the keys are and be able to decrypt your communications. Thus before you and I can communicate, we must first meet. And after we meet, after we communicate, the key must be eradicated from all memory forever, which is not always easy to do with many computer storage systems. These are burdens with infinite return, however.

The second is in “key generation.” The key must be truly “random”, which is to say unpredictable. This is certainly possible, such as in quantum mechanical systems, but it’s (as they say) not as easy as it looks. If there is any, even the merest scrap, of regularity in the key then the jig is up. Laptops or phones used to generate keys probably won’t work.

A third, really now trivial difficulty given the size and speed of computation, is in key reuse. If the key is ever reused, NSA can break the cipher.
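The properties described in this section, as an added example (not code from the original post): a pad that is as long as the message and consumed once gives a ciphertext consistent with every possible message, while a reused key lets the key cancel out. The class and function names are hypothetical, and the pad comes from Python's `secrets` module, which is an assumption of the example; the post argues that laptop-generated keys may not be good enough.

```python
"""One-time pad sketch: XOR each message byte with its own, never-reused key byte."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Assumption of this example: the OS CSPRNG stands in for a true random source."""
    return secrets.token_bytes(length)


class OneTimePad:
    """One party's copy of a pad shared in person. Key bytes are used in order, once."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)  # private, mutable copy of the shared pad
        self._offset = 0

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _consume(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("pad exhausted: refusing to reuse key material")
        start, end = self._offset, self._offset + n
        key = bytes(self._pad[start:end])
        # Best-effort erase of the used key bytes. Python and the storage layer
        # may still hold copies, which is the eradication problem the post names.
        self._pad[start:end] = bytes(n)
        self._offset = end
        return key

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self._consume(len(plaintext)))

    def decrypt(self, ciphertext: bytes) -> bytes:
        # Both parties must process messages in the same order to stay in step.
        return xor_bytes(ciphertext, self._consume(len(ciphertext)))


def key_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the key under which `ciphertext` would decrypt to `candidate`.

    Such a key exists for every candidate of the same length, so the
    ciphertext alone cannot tell an eavesdropper which message was sent.
    """
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused key, c1 XOR c2 equals p1 XOR p2: the key drops out."""
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one message under a reused key is known or guessed, the other follows."""
    return xor_bytes(reuse_leak(c1, c2), known_p1)


if __name__ == "__main__":
    # Constructed sample messages, both 11 bytes long.
    m1, m2 = b"meet at six", b"bring beer!"

    shared = generate_pad(64)
    sender, receiver = OneTimePad(shared), OneTimePad(shared)
    c1 = sender.encrypt(m1)
    print("ciphertext:", c1.hex())
    print("decrypted: ", receiver.decrypt(c1))

    # The same ciphertext "decrypts" to any other 11-byte message under some key.
    decoy = b"stay home!!"
    print("decoy key gives:", xor_bytes(c1, key_consistent_with(c1, decoy)))

    # Key reuse: encrypt both messages with one key and the key cancels.
    reused = generate_pad(len(m1))
    ca, cb = xor_bytes(m1, reused), xor_bytes(m2, reused)
    print("recovered from reuse:", recover_with_known_plaintext(ca, cb, m1))
```
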

What can you do? I’m trying to get my number two son interested in developing a system like this for smart-phone emails, but he thinks his old man is nuts. However, I believe I’ve heard of others who market one-time pads. Use them.

SIGINT

SIGINT is signals intelligence. This is the “meta-information” you’ve heard about. With phone calls, this is where the NSA collects who you called, how long the call lasted, where you were and where the person you called was when the call was made, what day and time you made the call, etc. And when the NSA adds who else you called with who else the person you called has called and so on, the NSA has a fairly complete picture of who you are and what you are up to even without listening in on the calls.

However, it’s worse than just this. Your cell phone tracks wherever you go and when you go there. The government thus knows what you’re up to even if you don’t make a call. In some cases it can do this even when the cell phone is “off.” The same SIGINT goes for emails and other communications, such as purchases and searches on the Internet. It’s easy to tell a good story about you even without the actual content of your communications.

What can you do? Stop carrying your cell phone everywhere. If you’re really nervous, remove the SIM card when not using the device. Occasionally borrow somebody else’s phone or account to make calls or email, even if you have your phone or account handy. The idea is to add noise to the system. Change your anonymous email account occasionally; or create junk ones. Use anonymizers when searching. Do not tell any social media site your birth date. Avoid calling or emailing when you can meet in person. Use landlines when possible, as long as these are not Internet lines. If you have an entity with which you regularly communicate, keep the channel between you continuously open (as on the Internet). The NSA will only with great difficulty pinpoint at which times actual content is being passed.

Spoofing

In our case, this means fooling the NSA into thinking a communication has taken place when it really hasn’t. Send emails to or call random people. Send emails and texts with gibberish in them, characters which resemble encrypted texts. If everybody did this even just once a week, the additional burden on NSA would be immense.

Caution. NSA is intercepting hardware and installing their own buggery inside, so unless you’re homebrewing your own equipment you can’t be sure the government hasn’t defeated you before you’ve begun. If you can buy your equipment out of country, do so. Or buy mass produced equipment from retail outlets. Use “burner phones”. Again, meet whenever possible in person. The government can hack into your home wireless network, so use hardwires when you can.

Leakage

This goes by other names, but the idea is that even if you’re using the best encryption, talking in code, and have been careful in all other aspects, your electronic system can still let you down. For instance, every time you hit a key on your keyboard it sends a characteristic signal into the air which can be intercepted. The signals which “paint” the images on your screen are also “out there” in the air. And if you have your cell phone, it is child’s play for a hacker (like the NSA) to listen even when you’re not making calls. This has been used by the FBI, too, so it’s not only the NSA you have to watch out for. I believe this is also possible for your computer’s and television’s camera and microphone. Unplug and take the batteries out of any device when you can.

What can you do? I’ve read the Russians have in some cases returned to manual typewriters and personal couriers. The only way to intercept these messages is to (of course) physically intercept them. Especially crucial information should be handled in a similar manner.

What next?

Any spy worth his weight in water knows these tricks and many more. So why highlight them? If just ten percent of us were to implement them, then the government would be fighting an uphill battle in its war against its own people. It is our duty to make unconstitutional spying as difficult for the government as possible.

Update: Robert Samuelson does not understand the difference between the voluntary surrendering of personal data and its illegal theft.

39 replies »

  1. “Most of your emails and other communications are encrypted, which means you’re talking in cipher.”

    This is not correct. If you connect to gmail, for instance, your communications with the gmail *web server* are encrypted, which is what that “https” is telling you. If you send an email to Yahoo, for instance, that email is not encrypted: it’s sent in “plain text”, readable by anyone. The old saw goes: email is a postcard. Anyone can read it.

  2. “Class is fundamentally used in the service of the status quo,” says Marx; however, according to Bailey[3] , it is not so much class that is fundamentally used in the service of the status quo, but rather the rubicon, and eventually the paradigm, of class. An abundance of discourses concerning the subcapitalist paradigm of expression may be revealed. It could be said that Bataille’s model of patriarchial neosemanticist theory suggests that the establishment is impossible, but only if narrativity is interchangeable with consciousness.

    Sontag uses the term ‘the subcapitalist paradigm of expression’ to denote the genre of prematerialist sexuality. Thus, if the capitalist paradigm of context holds, the works of Fellini are modernistic.

    The subject is contextualised into a subcapitalist paradigm of expression that includes art as a whole. But several narratives concerning the role of the observer as reader exist.

    A use for the Postmodernism Generator. The RAF in WW2 called the radar equivalent “chaff”.

  3. If it’s any consolation, NSA has problems keeping its own secrets and preventing failures of security. They did, however, eventually buy the motel that was right against their fence and turned it into the National Cryptologic Museum. The claim was the motel was a favorite for KGB tourism. They still get cars stolen out of their parking lot by juvenile inmates escaping from the reform school against another fence.

  4. Y0070_NA024796_WCM_LTR_ENG Internal Approved 11202013

    Where is Nimitz. The whole world wonders. Signing fits overhead blitz arguments Europa taurus swimming Eastward ’till dawn.

  5. DAV – check your pads, I think they’re out of order…dowager overrule Themis checkmark Aramis overdone.

  6. Well if you had been keeping up with headquarters you would have realized what I just said. The snorbitz trills silently.

  7. No, just remembered. The RAF called it “window”. I’m looking forward to a memory like Maurice Chevalier’s.

  8. Dr. Briggs, When I visit you at Leavenworth what kind of candy bars would you like me to bring? Oh, and by the way…What time are visiting hours?

  9. Thank you for all the what-can-you-do suggestions. I am betting that NSA is not spying on me, though I don’t support the government spying on its citizens.

    If I tell you “The duck backed the third horse” and you understand that to mean “I’ll be over for a beer at six”, then we have communicated in code.

    I don’t think this is a beginner’s Zen koan.

  10. “Most of your emails and other communications are encrypted, which means you’re talking in cipher.”

    Sadly, this is far from true. Even today, the vast majority of emails are transmitted in plain text. Your connection to the website may be secure (https://gmail.google.com) as an example, but as soon as you hit “send”, the email goes out into the wild of the internet, bouncing off this ISP or that ISP’s mail servers, and readable to anyone with access to the traffic on those lines (the NSA).

  11. I remember that during anytime of any mail between the front and the homeland could be open and censored. So even low end technology can be intercepted by the government.

    But what is the scariest, and this point is often missed by the people afraid of big brother, is the unsanctioned use of the technology by employees, either for their own personal gain or for the gain of the agency’s self-power. During the half century reign of Edgar J. Hoover at the FBI the spying on US citizens was much worse than what is seen today.

  12. In the 1980s I worked for NSA as a contractor. I spent three years at field station Berlin and you assumed anytime you used a phone someone was listening. The army, air force and navy all had intelligence gathering operations there as well as the British, French and Germans. You assumed everybody you met worked for a spy agency.

  13. I was really worried about the whole NSA mess, until I figured out a foolproof way of encrypting my messages.

    I developed an algorithm which translates your messages into Kantian-styled German; now all of my messages are completely impenetrable! Problem solved!

  14. What about something like GnuPG? I’m sure it can be broken by the government but if many were to use it then even the computational might of the NSA would be sorely tested.

  15. Arapaho BriBri Cromagnon Druid every fanatic guy.
    Merryhappyprosperoushealthyyear-in and -out.
    Rodger those

  16. For once, I must strongly disagree Dr. Briggs. While the NSA has frightening capabilities, so does the Air Force, but few of us lie awake at night worrying that they will nuke us or send a Hellfire missile into our car.

    From all that has come out so far, the NSA has done a remarkably good job of minimizing (their term) their use of the data against citizens. They do this under the watchful eyes of the FISA courts and Congressional intelligence committees. Sure, a few employees spied on their girl friends or whatever, but no system is perfect.

    NSA’s biggest screw-up was the security lapses that led Snowden to gather so much information.

    I think there are a couple of reasons why NSA is more like the Air Force in its threat to individuals, and less like the IRS. NSA has a deep culture of fighting foreign enemies through technology. It is not a humint agency, with spooks spinning plots. In my few interactions with NSA people, I’ve seen this. Furthermore, unlike IRS or even CIA, NSA is a military organization, with the concomitant military culture of staying out of civilian affairs. Beyond this is the aforementioned overwatch by other branches of government. NSA is a potential danger, but then, so is the USAF.

    An important but rarely mentioned issue of the threat environment. Modern technology has changed the information battlefield, and the NSA would be remiss if it did not respond by trying to maintain its technological dominance. It probably went too far in some efforts to weaken encryption (such as with RSA) – and that needs to be looked at.

    But, fundamentally, it is dealing with new and very dangerous threats enabled by the modern technological and scientific advances. “Terrorism” is the threat we hear the most about, and there are rarely mentioned aspects of that which present severe problems. We also need to remember traditional adversaries, like China, Russia and Iran.

    9-11 was a pinprick at a strategic level, and yet it cost directly a trillion dollars and led to expensive, deadly and not very successful overseas adventures.

    A far more serious threat, which the feds have spent a lot to combat, is bio-terrorism. Adversaries like Al Qaeda may welcome, not fear, the release of a weapon that causes a deadly global pandemic. While they controlled Afghanistan, they had a US trained PhD neuroscientist working on both toxins (a lesser threat) and biological agents. The wide availability of scientific information on the internet, and the rapid advances in genomics have created a world where engineered pathogens can be done with a few experts and a lab costing under a million bucks. That should worry anyone. My daughter learned enough as an undergraduate and lab intern to do that sort of engineering, and her experience is not atypical.

    The NSA issue needs a balanced look. More, more independent oversight is probably needed. But the NSA capabilities are also needed.

    Finally, consider this hypothetical which gives an example of what we need to keep in mind: Imagine that next week, terrorists capture a couple of public schools, and then start throwing out headless corpses every few minutes until the school is blown up. Imagine this happens several times over a few weeks, accompanied by a couple of car bomb attacks which destroy loaded school buses.

    In that environment, would we be better off with the NSA in place but properly watched, or with its capabilities destroyed? The public would be demanding much more scary measures be taken. Sooner or later, something like this will happen.

    To answer the inevitable argument: no, terrorists do not use measures which avoid the NSA’s dragnet, although Snowden’s disastrous leaks have certainly set back surveillance efforts a lot. Yes, terrorists will try, which is why covert, not public, measures need to be taken.

  17. When a one time cipher isn’t…

    Briggs has it right about one time codes – very right. In fact, his whole exposition on cryptography is very well done (although I wouldn’t hold my breath waiting for NSA’s quantum computer to be useful).

    The Venona project is an example where Soviet central planning caused KGB one-time ciphers to rather be almost-one-time. US intelligence worked for decades (starting in 1943) breaking this, and their efforts led to a lot of good intelligence info. If you remember the Red scares… yeah, they pretty much all really were Russian spies. Venona also shows how codes (as per Briggs) may not be broken.

    If you dare venture to the NSA site… check out their historical info on this at http://www.nsa.gov/public_info/declass/venona/ .

  18. But, fundamentally, [the NSA] is dealing with new and very dangerous threats enabled by the modern technological and scientific advances.

    When does dealing with a new and very dangerous threat not itself become a new and dangerous threat? The AF may have nuclear weapons but those weapons have only been used twice in history and never against citizens of this country. The NSA, on the other hand, HAS turned its powers against US citizens. All to combat a vaguely defined threat with zero evidence of efficacy.

    Sure, a few employees spied on their girl friends or whatever, but no system is perfect.

    Not only was this turning the powers of the NSA against US citizens but it was for petty reasons. Imagine an AF officer launching an attack against a significant other. But, hey! No system is perfect.

  19. The idea should rather be to overburden the human element, i.e. create false positives for their automatics to deliver to the operators:

    Death threats: ex. training a Venezuelan jungle squirrel to assassinate Obama by means of pooping heavy-metal saturated pellets in his mouth while asleep, would be an example. By this Friday, at 3.13 am. The 4 of us have this plan, and we will make it happen because we hate bacon. We have spoken, our manifesto is now known to all and everyone, and only action remains to be uttered.

    (Ouch: that last bit made my brain hurt…)

    Terrorism (e.g. doing -something- because you are annoyed at the NSA hacking your emails, your computer, etc. etc): Plans to rad-bomb the US senate next Monday at 3:47 pm, by means of an intercontinental ballistic weather balloon filled with hot (as in radioactive) air gathered from overhead Fukushima… We (4, same as before) have allied with the Japanese Sarin-gas Freedom Alliance, and this too will happen. We have detailed plans, which we hide amongst bus-stop graffiti in Denver, Colorado – the clue is the purple winger… yes, the winger, look for it and truth will stare back at you.

    Heh. Sheesh, this is actually fun!

    Plausible while at the same deeply moronic: the kind of thing a bureaucratic mind will adhere to like super-velcro. “Boss, we gots us a live one! Yuk, yuk. We’s goota send in them there Marine-spiers! Wees just gotta, do it, for America!”

    Of course, this sort of thing would make them NSA’s stand up and take real notice… for I am sure that it is illegal in the USA to talk sh@t these days. But, hey, I’m not a filthy American (i.e. complicit up to my eyebrows), and hope to never enter that land of freedom-less, flat-out, demon-worship.

    I’m sorry, Briggs, but it is too late. Christianity as a force is gone: which is to say that there are no more Christians that care about what is true and what is false. What remains is “human goodness”. Ha.
    The result, the inevitable result, will be hippies-in-charge who will engineer war, plague and famine. Death is coming to this world, for it must be purified of the degenerates… as them Darwinist Nazi’s used to say.

    Shrug. Whatever, dude. Haven’t you realized just how completely over it all is? Well, do have fun spitting into the hurricane, if it makes you feel good.

  20. You would think SSL would be relatively safe as the keys are one-way; are changed every session; and conceivably can be generated with hard-to-get information such as number of disk reads and instructions executed. However, it’s been known since 1999 that SSL 3.0 provides too much known plain text in the exchange (https://www.schneier.com/paper-ssl.pdf) and since 2009 there is a known man-in-the-middle attack on SSL 3.0/TLS 1.0 (http://isc.sans.edu/diary/TLS+Man-in-the-middle+on+renegotiation+vulnerability+made+public/7534). Although there is a fix for the 2009 vulnerability (http://www.rfc-editor.org/rfc/rfc5746.txt), it has yet to be incorporated into SSL.

    Tombstones after a morning rain can be rather tasty but I prefer eating shoes for breakfast.

  21. For those who think collecting metadata is no big deal, the first link I provided (to Schneier’s paper) has a brief description of how metadata can be used to analyze message content (eavesdrop) even when the content is itself encrypted.

  22. @DAV “The NSA, on the other hand, HAS turned its powers against US citizens. All to combat a vaguely defined threat with zero evidence of efficacy.”

    Intelligence agencies are always faced with the criticism that they have not been successful. There are four reasons for this:

    1) They often are not successful

    2) Their successes rarely can be made public.

    3) Critics define success poorly. If CI measures force adversaries to adopt countermeasures, this often is at significant cost to the adversary, which reduces their capabilities. But this isn’t counted as a success. When CI produces general intelligence about trends (often the most important info), this is usually not counted as a success. In this debate, if NSA cannot point to a specific plot that was foiled, it is counted as failure, which is naive. The government, however, has claimed that NSA surveillance has been important in stopping a number of terrorist plots, some of which were quite dangerous. There is little reason to disbelieve this – after all, if the NSA programs are so widespread that people fear them, they are pretty likely to be producing results.

    4) Positive results from CI measures may appear years later. NSA has always vacuumed up as much data as it could, because later intelligence efforts may need to look for past correlations.

    As for “turned its power against citizens” – the only instance you cite is the occasional use by employees for personal use. Demanding that this never happen, the implication of your criticism, is setting an absurdly high bar – it’s like insisting that all police departments never have any abuses – a nice goal but clearly impossible. A better approach is having a high success rate in catching and punishing those who abuse their position.

  23. @Dav “When does dealing with a new and very dangerous threat not itself become a new and dangerous threat? ”

    Any use of government can be a new and dangerous threat. It’s the unfortunate bargain we are forced into by being humans. The issue is which threats do we accept and which do we reject. It is this calculus that has us granting powers to our military that could destroy civilization on earth in 30 minutes. We really don’t like the fact that we live with nuclear weapons on hair trigger alert, but we haven’t found a suitable way to stop it (I think we could do better to reduce the hair trigger aspect).

    I argue that the NSA activities should be accepted (and suitably constrained and monitored) for two reasons:

    1) The programs are needed because of grave threats which they attempt to counter. One can make fun of my thought experiments, but not if one is paying attention to the very real enemies we have and the lengths to which they will go. I’m sure citing a threat that terrorists would use hijacked airliners and WMD’s would have been laughed at by most on 9/10/2001.

    2) The programs, from all we know so far, have used serious measures to minimize their impact on non-terrorist US citizens. Furthermore, these programs are supervised by all three branches of government, and have been legislatively approved by both political parties, and judicially approved.

  24. Ground Control to Major Briggs: Have you flipped your wig? Flashed back to 1967? The NSA is monitoring all that chatter for terrorists. It may be a colossal waste of time, some of it may be effective, some of it may be abused. Churchill and Roosevelt arranged to have every single letter between the US and Europe opened and read long before the US entered the war.

    No one at NSA cares if you have a girlfriend your wife doesn’t know about. And if you do, be more discreet and don’t send her Tweets on Twitter or send her flowers with your joint credit card…gads! Google probably knows more about you than the NSA.

    You usually show a lot more sense than this….maybe you’d better stick to stats and hats.

    Disclaimer: I trained and practiced intelligence of sorts back in the mists of time. It is often distasteful….but you would not like the world today the way it would have probably turned out without it. And I have more than half a dozen email addresses, many of them in names not my own and never touched without gloves on, but not to protect me from anything as inept as the US government.

  25. As pointed out in the very first reply, https in a link pointing to a webmail is false security. At least against the NSA, they have no need to intercept it in transit when they are sitting in Google’s (and Yahoo!, etc) datacenter and can thus read the clear text right off the drive.

    Install a local mail client. Thunderbird + Enigmail is available for any desktop platform, there are of course many others. Set up a key pair and publish your public key. Begin at least signing all outbound mail. As you collect keys from others you can then move to full encryption. If just 10% of people did this it would reduce the NSA to purely traffic analysis since actual ‘bad’ traffic would be so lost in the noise that the mere fact of encryption in email would no longer be noteworthy.

    Isn’t it amazing that there are zero mail clients which set up a key and collect others automatically and then encrypt anytime it can? Almost like there is some sort of conspiracy to keep email in cleartext.

    Also curious why you believe a land line offers any additional protection against the government. AT&T will turn over those records just as readily as they do their cell tower logs. Remember, they aren’t sitting in nondescript panel vans down the street anymore, they are beyond that sort of cloak and dagger foolishness.

    By the same token, no need to worry about the NSA intercepting your WiFi signals either unless you are named Achmed and recently came in from Pakistan or such. Remember, they are tracking everyone so it must be a very simple effort against any one particular Citizen. This makes our task of befuddlement easier.

    Not feeding the machine in this post because it has been done too much already, they probably look for that too. They are good at patterns. 🙂

  26. A couple of comments… first, as far as we know, NSA is currently doing no more than traffic analysis with email. That’s what you get with metadata (as opposed to looking at the actual content). While NSA has capabilities to access the content, there is no reason to think they are doing so without a well defined target and court approval (other than the random rogue employee).

    As for encrypted mail – people have been pushing that for 20 years or more, and it hasn’t gained traction. There just hasn’t been demand. PGP (which NSA did try to suppress) has been available for a long time. I once even had a PGP key… but why bother.

    I generally oppose attempts befuddling NSA, because when truly innocent people do it, they are primarily aiding those who are proper targets of NSA: foreign espionage agents and terrorists.

  27. The Guardian unsuccessfully tries to make the case that the NSA program isn’t and couldn’t be effective against terrorism.

    Regarding 9-11, they use a bit of misdirection that “agencies had information but didn’t share it.” NSA had information that was not useful because inadequate metadata showing that one end of the comms was in the US – specifically, 9-11 terrorists in the US. FBI had enough information to take down the whole plot, but because of the Gorelick civil libertarian wall, was unable to integrate that information and realize they had a terrorist plot. Both of these instances are arguments for better data integration such as the NSA now has.

    Regarding how many terrorist plots have been stopped so far… that doesn’t address whether the program is needed, it just tries to imply it isn’t because it hasn’t worked in all cases – a logically weak position.
