Use of Tor and e-mail crypto could increase chances that NSA keeps your data (arstechnica.com)
140 points by guelo on June 21, 2013 | 109 comments



Since I (and the majority of global internet users) are not "US persons", they're claiming they're entitled to intercept and store all my communications anyway - so my personal reaction to this is going to be to increase the use of tor and crypto for random everyday stuff. I'll start GPG encrypting email to anybody I know will be able to deal with it. I might even start randomly mailing GPG encrypted mail for no reason except to thwart traffic analysis (perhaps I'll automate mailing randomly chosen chunks of 1984 and Brave New World to randomly chosen public keys/emails from public keyservers - perhaps some faceless NSA analyst might one day have burned countless cpu-years decrypting my 2048bit GPG mail, only to be Rickrolled with a 70 year old cautionary tale about themself…)


"I will start GPG encrypting email to anybody I know who will be able to deal with it"

As sad as it is to say, let's be honest and admit that this is a fairly small number. How long do you think it will be till your less committed friends get tired of decrypting your emails and just ignore what you send? Make sure you only pick people that use actual email clients because gpg and Gmail is no fun.

As far as the "Thomas Crown Affair attack" goes, generating effective cover traffic is not easy and random traffic is definitely a bad idea. Basic traffic analysis would be able to separate your legit emails from your cover traffic.

Addendum: I noticed you just generated your new gpg key yesterday. Why not go big and use a 4096 bit key?


It seems someone has written a PGP extension for Chrome/GMail: https://chrome.google.com/webstore/detail/mymail-crypt-for-g...


I've just started using mailvelope, which works with several webmail providers and also has a firefox extension:

https://chrome.google.com/webstore/detail/mailvelope/kajibbe...


It looks like Mailvelope only supports RSA encryption (up to 4096bit), not any of the other types of algorithms for PGP. It lists RSA/RSA and RSA/ElGamal but doesn't allow me to select them. Can someone who knows their shit about encryption chime in as to whether that's sufficient?


Now I'm thinking of a patched SMTP server, that queues all outgoing mail - and sends mail every hour on the hour to each of my GPG enabled recipients, with a queued "real mail" if there is one or a random encrypted NSA RickRoll if there's no real mail to send.

(I suspect that'd last about 121 minutes before most of my friends spam filtered me forever)


Don't forget you have to use your main machine to send the random messages to your smtp server. If you do not, it will be pretty easy to recognize what mail was routed through the machine and which messages were randomly generated by the server as cover traffic.


Every protocol should allow "no-ops" of arbitrary size, and then make it easy to do traffic analysis defeat by doing communications scheduling like that.


> perhaps some faceless NSA analyst might one day have burned countless cpu-years decrypting my 2048bit GPG mail, only to be Rickrolled with a 70 year old cautionary tale about themself…)

That, sir, is genius. Now that talibans have office in Qatar, I hope they'll publish some kind of contact email, so we can rickroll both NSA and them through tormail. Sorry authoritarians, this is the internet.


To thwart email traffic analysis, what we really need is tor-over-email relays: you n-fold encrypt your email, one for each relay node, and the innermost message is encrypted for the intended recipient.


If the US wants "freedom" on the internet and no internet nationalism (which just means that non-citizens get rights too), it should grant online citizenship to all people of the world. They can all be members of the empire and actually get representation rather than just the tyranny of US foreign policy.


> perhaps I'll automate mailing randomly chosen chunks of 1984 and Brave New World to randomly chosen public keys/emails from public keyservers

Repurpose Sircam to do this, perhaps.

http://en.wikipedia.org/wiki/Sircam


If you want to read the documents without having to use that awful viewer or load js from every social networking site known to man: (increment the p# from 1-9)

Procedures used by NSA to target non-US persons: Exhibit A: https://s3.amazonaws.com/s3.documentcloud.org/documents/7166...

Procedures used by NSA to minimize data collection from US persons: Exhibit B: https://s3.amazonaws.com/s3.documentcloud.org/documents/7166...

It is amazing how many requests the guardian wants to make to third party sites.


> It is amazing how many requests the guardian wants to make to third party sites.

Maybe they're just trying to make sure every social site knows you're there so that NSA can figure it out later with PRISM? ;)



This shouldn't be a surprise at all. Using Tor hides your location, so they assume you are foreign unless proven otherwise. If I were to agree with the law that allows all of the snooping that the NSA does, I'd say this is pretty reasonable.

As a European, what I find more disturbing about all the news about PRISM and related programs, is how US centric the reports about it are and how little other western governments are objecting to all of this. We are always told how the USA is the EU's biggest ally, yet US politicians try to legitimize everything by saying it's only non-US citizens they spy on, and say it like then it's suddenly okay.

I get that some spying is a necessary evil and 100% freedom and privacy is not feasible, especially if there are nations that are less than friendly towards you. But that's a whole different thing than recording as much data as possible, especially from friendly nations.

I don't think many friendships would survive if it turned out your best friend has been hiring private investigators with the goal to record as much of your life as possible.


> yet US politicians try to legitimize everything by saying it's only non-US citizens they spy on, and say it like then it's suddenly okay.

Not so much that it makes things "okay" but that it makes things "legal." The NSA isn't supposed to spy on U.S. citizens, that's outside its scope of operation.


It's less of a big deal because states spy on other states, even their allies. It has been that way since the beginning and everyone usually turns a blind eye unless it either gets leaked and causes embarrassment or it results in a real security risk as in the case of Pollard.

Every one of the countries currently lodging complaints over the story of the UK's GCHQ hacking G20 delegates possesses a communications intelligence organisation whose mandate is to spy on foreign states and on foreign people. That includes my own country, which has complained loudly while conveniently forgetting about the National Communications Centre whose purpose is to do exactly that sort of thing. They've also forgotten about some surveillance equipment that was discovered outside the German embassy about a decade ago.

So it's the way things are and have always been. You spy on your allies (very discreetly!) because that's how you maintain confidence in them remaining your allies.


Sure, I agree that governments spying on other governments is something that is a necessary evil up to a certain point.

In my opinion this is vastly different from a government reading and storing pretty much all foreign communication they can get their hands on from an allied state's citizens though, something I understand the USA/NSA seems to be doing.


Thing is though, that doesn't matter. No country places any restrictions on whether the foreigners its spy services monitor are part of a foreign government or not because it wouldn't make any sense. To use a pertinent example, none of the dozens of countries trying to intercept al-Qaeda communications cares which country they're in as long (in most cases) as they're not domestic.

So what the NSA is doing to foreign citizens is no different to what every other country with the means does. My country will happily (and legally) spy on American citizens indiscriminately if it feels the need to, as will all of Europe.


> This shouldn't be a surprise at all. Using Tor hides your location, so they assume you are foreign unless proven otherwise.

That covers Tor, but not the rest...

> As a European, what I find more disturbing about all the news about PRISM and related programs, is how US centric the reports

Agreed. I worry that the American government has done damage to the cause of globalisation that will take a very long time to heal. This is a problem for us all.


Don't take this the wrong way, but you mention the effect on globalization as if it were obvious that the damage should worry the American government. On the contrary, the U.S. has vacillated between isolationism and interacting with other nations before.

I don't know if you've been over to the U.S. but we have a stunningly large contingent of people who feel that it is absolutely treasonous to give foreign aid at all to other nations (especially ones like Egypt and Pakistan) while there are still the poor within domestic boundaries.

The people worried about globalization are in large corporations. Even many of our liberals see "globalization" as a code term for "child labor" and "sweatshops".


> Even many of our liberals see "globalization" as a code term for "child labor" and "sweatshops".

Right. Globalization can be used as a powerful force to subvert or bypass democracy, and to create a worldwide "race to the bottom."


> Don't take this the wrong way, but you mention the effect on globalization as if it were obvious that the damage should worry the American government

Oh, certainly not. I don't think they are or will be concerned...


Just what is the cause of globalisation given the current political & economic climate?

Is it global surveillance? Military domination? Economic centralization?

Or is it something more benign?


Economic and travel freedom? Mutual understanding and the exchange of culture?


I think that the idea that "using crypto will cause the nsa to keep your data longer" is a hindrance to progress. Everyone should be using crypto and everyone should have privacy. When we begin to be afraid of what someone will do if we protect our interests, we start giving up those interests and that is not something I am prepared to do.


Maybe the prospect of someday burning gigawatts to decipher my elliptic-curved peanut-butter-cookie recipes will alert them to what a charade they're part of.

We must create boogeymen from a vacuum so that we can burn taxpayer dollars to further enrich the right people. Unlike biochemicals, encryption, storage and analysis are benevolent forms of collateral damage as they lead to increases in computing power and mathematical insights.


This is fairly obvious. From the NSA's perspective, people that act like people who have something to hide are more likely to be hiding something. I'd be surprised if they didn't take it into account.


And this is why we should (and we should encourage everybody we can to) regularly do the most mundane of browsing using TOR.

I'm making a personal effort to use TorBrowser whenever I have some trivial need to use a government website. I suspect I'd stop short of applying for a visa via TOR, but I'll happily look up my local state or federal politicians and their websites, or renew my car registration, or any of the other day-to-day things - in much the same way as I always choose to use BitTorrent for fully legal purposes when available - sure, we all know that 99% of Torrent traffic is copyright infringement, but at least _some_ of it is me grabbing the latest Ubuntu/Raspbian/GameOfThones (no, wait, not that last one...)


If you are a big Tor user, I hope you consider donating bandwidth to help offset your usage. Recently they made an announcement that they were short on relay nodes.

Here's some info on how to help: https://blog.torproject.org/blog/support-tor-network-donate-...


> And this is why we should (and we should encourage everybody we can to) regularly do the most mundane of browsing using TOR.

And that's why I encourage everybody I can to run a tor node

https://www.torproject.org/docs/tor-doc-relay.html.en


Also, if you don't want to run a node on your home network/machine http://cloud.torproject.org/ makes it ridiculously easy to set up one on EC2 (for as little as ~$3/month)


Q: Should I run an exit relay from my home?

A: No. If law enforcement becomes interested in traffic from your exit relay, it's possible that officers will seize your computer. For that reason, it's best not to run your exit relay in your home or using your home Internet connection.

Instead, consider running your exit relay in a commercial facility that is supportive of Tor. Have a separate IP address for your exit relay, and don't route your own traffic through it.

Of course, you should avoid keeping any sensitive or personal information on the computer hosting your exit relay, and you never should use that machine for any illegal purpose.

https://www.torproject.org/eff/tor-legal-faq


It's worth pointing out that that is talking specifically about exit nodes. There is no (legal) problem with running relay nodes out of your own house.


What part of "Should I run an exit relay from my home?" was unclear? I am not trying to discourage people from supporting the tor network, quite the opposite actually. I want to make sure they are fully informed and support tor in a manner that is sustainable.


Some people might not realize there are different types of nodes you can run.


I'm running one of these on my free EC2 account and can attest to the ridiculously easy part. It took me < 5 min to set up. If you want to avoid paying any fees, you just have to make 1 change to the torrc file bandwidth settings. Also, it makes a great ubuntu sandbox to play with. For example, I'm running a joomla test server with it.


I also am running a Tor relay on EC2, and I was under the assumption that I wouldn't have to worry about charges with a stock install. Can you provide more detail about what I should do to my instance to prevent charges?


Edit your /etc/tor/torrc and change the AccountingMax line to: AccountingMax 3000 MB

This will reduce the monthly usage to 12GB and keep you under the 15GB limit. I've been running this bridge for a few months now and have never gone over.


What is the current number of Tor nodes? What's to say that all tor nodes are now monitored? It's possibly a smaller task than storing all voice calls etc.


It might seem a smaller task in terms of needed servers but your suspicion fails with the simple fact that anyone can add a relay to the network and thus counter the surveillance. I run a non-exit node on every webserver I got because it's cheap and feels good.


You don't need to run all of the exit nodes. If a group controls even 10% of the exit node bandwidth, then they have access to 10% of the traffic and can do major analysis. Even if you use end to end encryption (as in https), then with 10% of the end node bandwidth, they would see the entry and exit of 1% of all packets, and can (probably) correlate them (with timing) to associate the incoming and outgoing. And if you use tor regularly, then every time either your entry or exit node changes, they get another 1% dice roll.


Q: What are Entry Guards?

A: Tor (like all current practical low-latency anonymity designs) fails when the attacker can see both ends of the communications channel. For example, suppose the attacker controls or watches the Tor relay you choose to enter the network, and also controls or watches the website you visit. In this case, the research community knows no practical low-latency design that can reliably stop the attacker from correlating volume and timing information on the two sides.

So, what should we do? Suppose the attacker controls, or can observe, C relays. Suppose there are N relays total. If you select new entry and exit relays each time you use the network, the attacker will be able to correlate all traffic you send with probability (c/n)^2. But profiling is, for most users, as bad as being traced all the time: they want to do something often without an attacker noticing, and the attacker noticing once is as bad as the attacker noticing more often. Thus, choosing many random entries and exits gives the user no chance of escaping profiling by this kind of attacker.

The solution is "entry guards": each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop. If those relays are not controlled or observed, the attacker can't win, ever, and the user is secure. If those relays are observed or controlled by the attacker, the attacker sees a larger fraction of the user's traffic — but still the user is no more profiled than before. Thus, the user has some chance (on the order of (n-c)/n) of avoiding profiling, whereas she had none before.

You can read more at An Analysis of the Degradation of Anonymous Protocols, Defending Anonymous Communication Against Passive Logging Attacks, and especially Locating Hidden Servers.

https://www.torproject.org/docs/faq.html.en#EntryGuards
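
Added example, not part of any comment in the thread or of the Tor FAQ: the (c/n)^2 and (n-c)/n figures quoted above, and the "another 1% dice roll" point from the preceding comment, worked through in Python. It assumes relays are picked uniformly at random (real Tor weights selection by bandwidth); the function names and the 100-of-1000 relay figures are constructed for illustration.

```python
"""Exposure to end-to-end correlation with and without entry guards.

Assumption (not from the thread): relays are picked uniformly at random.
"""
import random
from math import comb


def p_profiled_no_guards(c, n, circuits):
    """Fresh random entry and exit for every circuit.

    One circuit is observed at both ends with probability (c/n)^2, so at
    least one of `circuits` is observed with probability
    1 - (1 - (c/n)^2)^circuits.
    """
    return 1 - (1 - (c / n) ** 2) ** circuits


def p_profiled_with_guards(c, n, circuits, guards=3):
    """Client picks `guards` entry relays once and reuses them.

    Condition on b, the number of attacker-run guards (hypergeometric).
    Each circuit then uses a bad guard with probability b/guards and a
    bad exit with probability c/n.
    """
    total = 0.0
    for b in range(0, min(c, guards) + 1):
        p_b = comb(c, b) * comb(n - c, guards - b) / comb(n, guards)
        per_circuit = (b / guards) * (c / n)
        total += p_b * (1 - (1 - per_circuit) ** circuits)
    return total


def simulate(c, n, circuits, guards, trials, seed=1):
    """Monte Carlo cross-check. guards=0 means no entry guards.

    Relays 0..c-1 are treated as the attacker's.
    """
    rng = random.Random(seed)
    profiled = 0
    for _ in range(trials):
        pool = rng.sample(range(n), guards) if guards else None
        for _ in range(circuits):
            entry = rng.choice(pool) if pool else rng.randrange(n)
            exit_relay = rng.randrange(n)
            if entry < c and exit_relay < c:
                profiled += 1
                break
    return profiled / trials


def table(c=100, n=1000, guards=3):
    """Rows of (circuits, P[profiled] without guards, with guards)."""
    return [
        (k, p_profiled_no_guards(c, n, k), p_profiled_with_guards(c, n, k, guards))
        for k in (1, 10, 100, 500, 5000)
    ]


if __name__ == "__main__":
    print("circuits  no-guards  3-guards")
    for k, without, with_g in table():
        print(f"{k:8d}  {without:9.4f}  {with_g:8.4f}")
```

For a single circuit both strategies give the same (c/n)^2; the difference appears over many circuits, where the no-guard figure climbs towards 1 while the guarded figure levels off at the chance that at least one guard is attacker-run.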


Do you just want them to store more? Because using tor to renew your car registrations seems like an obvious way to connect some dots. If that's all, then I salute you!


Yeah - both store more, and have an archive of obviously non-intelligence relevant encrypted/TOR traffic. I like to think that one day someone will have burned gigawatts of cpu/gpu power subverting the TOR network and breaking TLS/SSL, only to discover I'd been looking up what day the recycling bins are next collected in my local area.

More to the point - I want the expectation of privacy and the deployment of tools to maintain privacy in the face of technological and legal "advances" in surveillance to seem closer to "technologically informed libertarian" rather than "paranoid wingnut" or "jetliner-hijacking 3rd-world-sympathiser".


You do realize that:

"A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary. Instead, we assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers of his own; and who can compromise some fraction of the onion routers."[1]

If your attacker is not "a global passive adversary"(GPA) what dots are they going to connect if you renew your car registration? If your attacker is a GPA they are already connecting all the dots.

[1] https://svn.torproject.org/svn/projects/design-paper/tor-des...


The "renew my car registration" example was intended to imply that I've chosen to "give them some connected dots" - dots which are operationally useless (or worse - preferably adding noise to make the job harder and evidence that the job is sometimes wasted effort).

I'm assuming "they" have access to government servers and networks, and that they'll easily be able to connect me - as a real and (at least mostly) law abiding citizen - to a clean-slate browser using SSL over TOR - logging in to a government web server with real world credentials and doing some mundane and law abiding everyday task.


I don't get what you mean. You think that once you connect to https://site.gov/ they can easily match the traffic entering the tor network with the traffic that exited tor and initiated the web connection?


That's assuming they've got compromised tor nodes that they're able to watch both my entrance and exit node.

Which may well be true.

(But I'm still hoping my new 2048bit GPG key and a significant portion of tor nodes are _not_ NSA bugged...)


More confused now. You are worried about a GPA or a lesser adversary?


I think the point was that it defeats the common purpose of using anonymity software if you are submitting identifying information (your car registration information) through it. It doesn't necessarily have long term consequences—you can generate a new identity—but it nullifies that session's anonymity.

However, that doesn't mean there isn't a good reason to use it anyway to make a statement and promote legitimate usage of Tor.


So location anonymity is not a common purpose of anonymity software?


This reminds me of something that I thought of late one night that I feel needs to happen: tor, or something like it, distributed as the payload of a virus. Hopefully a very serious one.

Then, even if things get patched, its mere existence and prevalence among the layman gives you a tremendous amount of plausible deniability while also increasing the strength of the network.

However, it's quite morally wrong to do so. I guess it's just one of those late-night thoughts.


Definitely would be a "good" thing for the tor network if a virus started infecting machines as relays.


Yes. I can't imagine someone smart enough to encrypt their traffic wouldn't realize it makes them look dodgy to people who get paid to be paranoid.


I'm pretty sure any professional paranoid would have been thinking I was dodgy for decades now, for things like using the internet (back when that was suspicious) or encrypting my logins with ssh (back when that was suspicious) or my websites with SSL (back when that was suspicious) or running weirdo commie unix-derivatives on my machines instead of honest commercial OSes (back when that was... well, unusual). This putative paranoid gaze has not affected my actual life in the least. I'm sure the paranoids are well aware that most opportunistic encryptors are, like me, random geeks with a slight antiauthoritarian streak and nothing whatsoever of interest to national security. I'm happy to help move the Overton window in the direction of greater privacy and ensure that the people who do actually need anonymity and security can get it.


Wouldn't that give them even more reason for surveillance and acquiring of additional resources?


I have plenty to hide. Like... my server passwords!


I think I'll start sending random PGP encrypted messages from my email address, along with my normal messages. Should be simple with a little Jenkins job.

Good luck, have fun NSA. You liberty hating anti-American bastards.


The title implies the NSA would delete any of it, by their own volition. I don't believe they would, since any data could retroactively become useful to them.


If one uses Tor, the article states that the person will not be treated as a United States person unless "proven" otherwise. If that's the case, all the traffic from a Tor exit node will be considered as traffic from non U.S. persons and all data will be stored. Doesn't make sense to me because if you are using Tor right, then requests cannot be traced back to you. How does that help?


It depends on what you mean by "using TOR right" - and that depends on who/where you are and what you're trying to protect yourself against.

A Chinese/Egyptian/Turkish dissident might consider it perfectly sensible to use TOR to access their gmail account - that's a perfectly valid way of hiding from your local (non-US) government and spy agencies.


What I mean by using Tor right, for instance, is avoiding use of certain browser plugins that can potentially give away your location.


Yeah - fair enough.

One oft-heard piece of advice is to never use an identity you ever use elsewhere over TOR - for me, as a "non US person", even if I can trust TOR and TLS/SSL to ensure the privacy of my data in transit, it doesn't matter if the far end of my connection through TOR ends up at my gmail/apple/facebook/linkedin/twitter/dropbox/yahoo/amazon/any-other-US-affiliated-corporation. Being "non US" and located outside the US means the bar for any "legal requests" those companies receive is _very_ low.

(Hmmm, I wonder if proxying all my web traffic through a vpn with a definitely-in-the-US endpoint might be a worthwhile bit of civil protest? I wonder if tcp connections originating from my Digital Ocean vps in New York and heading to US datacenters have slightly better legal protection or "presumption of domestic provenance" than tcp connections originating here in Australia? Maybe I should be doing this anyway for all the analytics/ad-tracking web-bugs...)


If they can see the bits coming out of your VPS in NYC and heading to other data centers, surely they can see the bits coming from .au into your VPS and correlate them?


I'd assume there's some chance that the person will screw up - even a little.

The NSA is very good at exploiting very small mistakes. In the Venona project, http://en.wikipedia.org/wiki/Venona, the NSA realized that the Soviets were re-using one time pads. By knowing A xor C and B xor C, they were able to get A xor B - and from that, they were able to decode the messages.

I could imagine things like looking at the tor traffic, and trying to match up things like writing patterns. And of course, there's the very good chance some people aren't using tor right.

I don't think that what the NSA is doing is legal - but I think there's a good chance it's somewhat effective.
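
Added example, not part of the comment above: the pad-reuse arithmetic it describes (A xor C and B xor C giving A xor B), plus a simple audit check that flags two ciphertexts as likely sharing a pad. The messages, function names and the ASCII-only heuristic are constructed for illustration.

```python
"""Why a one-time pad must never be reused."""
import secrets

# Constructed sample plaintexts (plain ASCII).
MSG_A = b"Recycling bins are collected on Tuesday morning."
MSG_B = b"Peanut butter cookies need two cups of plain flour."


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """One-time pad encryption: ciphertext = message XOR pad."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return xor(message, pad)


def encrypt_pair(reuse: bool):
    """Encrypt both sample messages, with one shared pad or two fresh ones."""
    pad_a = secrets.token_bytes(64)
    pad_b = pad_a if reuse else secrets.token_bytes(64)
    return otp_encrypt(MSG_A, pad_a), otp_encrypt(MSG_B, pad_b)


def looks_like_pad_reuse(ct1: bytes, ct2: bytes, min_len=16, threshold=0.95):
    """Heuristic audit check for two ciphertexts of ASCII text.

    With a shared pad, ct1 ^ ct2 equals p1 ^ p2, and the XOR of two ASCII
    bytes never has the top bit set. With independent pads the difference
    is uniformly random, so about half of its bytes have the top bit set.
    """
    diff = xor(ct1, ct2)
    if len(diff) < min_len:
        return False  # too short to judge
    low = sum(1 for byte in diff if byte < 0x80)
    return low / len(diff) >= threshold


if __name__ == "__main__":
    ct_a, ct_b = encrypt_pair(reuse=True)
    diff = xor(ct_a, ct_b)
    # The pad has cancelled out: only the two plaintexts remain.
    print("pad cancels:", diff == xor(MSG_A, MSG_B))
    # Anyone who knows or guesses one message can read the other.
    print("B from A:   ", xor(diff, MSG_A))
    print("reuse flagged:", looks_like_pad_reuse(ct_a, ct_b))
    fresh_a, fresh_b = encrypt_pair(reuse=False)
    print("fresh pads flagged:", looks_like_pad_reuse(fresh_a, fresh_b))
```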


That might be the case, but even the NSA will not be able to decrypt a well encrypted message - or so we think at least.

That all said - and I realize that this might be controversial - I fully agree with wiretaps as long as there is a warrant (and I mean a real warrant from a real court on a case-by-case basis).

With its sweeping data collection the NSA is doing itself a disservice as it will eventually lead to wider use of strong encryption, which will make wiretaps with warrants much more expensive (or even impossible) to serve.

I think new laws for stricter limitations on exporting cryptography software or even restricting cryptography itself are likely in the near future. This will lead to interesting trials where folks might be forced to reveal their encryption keys; and the inability to prove whether there actually is encrypted data (good encrypted data is indistinguishable from random data, and some folks wipe old harddrives with random data before they are discarded, how would one prove that this is really random data?)


The NSA operates a Tor exit node at Georgia Tech, and likely at other research institutes and universities.

The fact of the matter is, people who use Tor are the ones trying to hide from the government, and it only makes sense for the NSA to run Tor exit nodes and analyze all traffic passing through them.

You probably have more privacy by not using Tor at all.


It makes sense for the NSA to run exit nodes for the same reason it makes sense for the U.S. Office of Naval Research to have funded its creation and for the U.S. State Dept. to heavily fund its upkeep. There is a vested U.S. national security interest in residents of hostile regimes to be able to freely access the Internet without being traced, even with the knowledge that it may be used to make it more difficult for the U.S. itself to meet other security goals.


If you look at the history of anonymity networks, you'll notice that tor totally replaced mixing networks. Considering the fact that mixing nets are more secure against government, with regards to email, it is interesting that the U.S. only invests in and promotes tor.

But in a world where individuals have access to extremely powerful tech, something has to be done.

I think the solution for privacy might look like something different. Maybe the government could read everything, but there would be some good transparency tools, ensuring proper usage.


Mixing networks (especially for email) died for a lot of reasons, not really fair to blame Tor for that.

And I agree -- high latency systems are far more secure. Something with 5-10 day latency should be secure under a lot of assumptions. Sadly the old mixmaster code is lame, and mixminion never really took over.


There you go injecting sanity into the discussion again mpyne. Tinfoil hats are the latest hipster fashion accessory and you are ruining all the fun.


Can you cite your source regarding the NSA operated Tor exit?

I do not mean this to be snarky -- if you have a legitimate source other than hearsay, I'd love to see it.


No I cannot, because this individual stated that "a 3 letter federal agency" operates the node. Thus never really saying it was the NSA. Given the recent news though, one can only guess it was the NSA.

Is it really that hard to believe? Considering that the Georgia Tech Research Institute (GTRI) gets mostly DoD contracts and research grants and a lot of those contracts are for classified projects.


When I was in college, we always heard rumors of CIA doing this and NSA doing that... with the exception of the few NSA mathematicians who took sabbaticals in our math department, I generally assumed it was BS. (They were really nice guys, by the way. I learned elliptical factorization from one of them. Sure wish I remembered it!) This was the late 90s, not the heyday of LSD research and all that crazy stuff. I only wish...

Now, as for DoD funding institutional research, absolutely (they funded me last year for something completely benign and outside the scope for "info wars"). They fund research at a lot more places than GT. So, yes, plausible. But, unlikely IMO that NSA has an active presence on your campus doing intelligence work.

BTW, I challenge your claim that GT gets "mostly DoD". I'm sure your school is primarily funded by NSF (the preferred government tit to suck on). DoD is actually a pain in the ass to deal with because they don't go away after the money changes hands. Same is true for SBIR/STTR.

Finally, DoD classifies everything. Don't let that label fool you into thinking the work is sensitive (or even interesting). Within academia, this is less so because the objective of funding institutional research is to produce publications. Contract R&D is not something that is popular with faculty (or the school, since depending on the IP ownership, it can put their tax exempt status at risk.)

That said, keep snooping and let us know what you find in that room labeled "no personnel permitted without super-duper top secret clearance".


It all makes sense now.

No it is not hard to believe that NSA doles out a lot of research money to schools across the country. Information Assurance is one of NSA's core missions.


The US Office of Naval Research (ONR) is a three-letter agency...


What node? I am not seeing any nodes in:

  128.61.0.0/19
  128.61.32.0/19
  128.61.64.0/18
  128.61.128.0/17
  130.207.0.0/16
  143.215.0.0/16
  204.152.10.0/23
Does GaTech have another ASN?


I'm not sure where you got that list from, but GTRI does a lot of DoD contract work and probably has quite a large range of addresses it can use.


I got that list from Hurricane Electric[1] site. Those are the prefixes for Gatech. I am sure they do get a lot of research work. The same goes for all the other NSA centers of excellence.[2] Academia is the third tab on NSA's home page.[3]

[1] http://bgp.he.net/AS2637#_prefixes

[2] http://www.nsa.gov/ia/academic_outreach/nat_cae/institutions...

[3] http://www.nsa.gov/academia/index.shtml


> You probably have more privacy by not using Tor at all.

This statement is beyond absurdity. Controlling a few exit nodes doesn't compromise Tor, it's designed to resist that. Tracing someone is possible, but it is extremely difficult and/or unreliable unless you've managed to compromise nearly all nodes on a chain.


This is somewhat unrelated, but I was listening to "Leo Laporte The Tech Guy" on the local talk radio with my dad (who is a big fan, but less into tech than I) and he started describing GPG and PGP to non-tech enthusiasts.

This whole NSA scandal may really push forward the use of encryption of securer communication methods.


Only if it pushes developers to make the tools dead-simple to use. If it is harder to use than facebook, 99% of the population will not bother.


Exactly this. Even though we had the company policy and Symantec PGP software installed, the engineers I worked with still failed to use it regularly. I remember having to logmein to a machine in China to try to figure out why they couldn't read our emails. This is why PGP never took off.

Until the tools take 5 min to set up and encryption/decryption is as easy as clicking a checkbox in your mail client, PGP will never take off. Things like the public key directory have to be handled transparently to the user.

It's too bad Mozilla dropped support for Thunderbird. Tight integration with GnuPG could have made mainstream PGP a reality.


I think this is the saddest aspect of these spying programs and the ensuing paranoia... it actually might discourage people from using encryption or anonymizing proxies... for fear it will get them on a watch list.

If you start using PGP for all your email, then you by inference "have something to hide". Brilliant logic.

What a mess.


I think the opposite


The only long-term way to hide data is not to use public networks for communication. Eventually, quantum computers should be able to eat through any of today's crypto. It will be interesting to see what happens when everyone running for public office has their entire life on display.


> Eventually, quantum computers should be able to eat through any of today's crypto

Probably not. Quoting from http://blog.agilebits.com/2013/03/09/guess-why-were-moving-t...:

A quantum of bits [Update: March 20, 2013]

I reached out to the cryptographic community for any insight into Molly’s question about why the NSA insists that TOP SECRET material be encrypted using 256-bit keys. The answer came from Steven Bellovin of Columbia University:

@jpgoldberg @marshray Just heard that during the AES competition, NSA said in the open meetings it was for defense against quantum computing

Quantum computers, if they are ever made practical, will be able to do amazing things. They will certainly change how we design cryptographic systems. It’s not that quantum computers will be faster or more powerful. Indeed, in some very important respects they will be less powerful than current computers. But there are some things that they will be able to do in less “time”. I put “time” in scare quotes because it has a different meaning in this context from the ordinary use of the word. Oh, what a big difference it is. In this context it means the number of distinct steps an algorithm must take in performing some computation.

Searching through 2^128 keys (on a classical, non-quantum, computer) takes a number of steps that is proportional to 2^128. But for a quantum computer it takes a number of steps proportional to the square root of that number, 2^64. If a quantum computer is ever built capable of performing that task, we don’t know how the actual speed of each individual step will compare to those of current computers, but the NSA is taking no chances. Something with the effective strength of a 64-bit key isn’t strong enough. A 256-bit key against a quantum brute force attack would have the effective strength of a 128 bit key against a classical brute force attack.

I very much doubt that we will see a quantum computer actually capable of handling such things within the next thirty years. But if the past is any guide, my predictions about the future should be taken with a large grain of salt.


Thanks, that's a good read. I'm interested to see how effective it will be. I'm certainly not saying we'll be able to break non-deterministic crypto, but there's a lot we should be able to do that's out of our reach right now.

We're so early in development that we don't know how quickly we'll be able to scale them, but if we solve a few physical problems, we're looking at the ability to scale up resources for linear costs for exponential rewards. With on-demand cloud pricing models for computing becoming the norm, normal people could do some pretty amazing things. It's hard to predict how quickly this will come, but it will definitely come eventually.


> Eventually, quantum computers should be able to eat through any of today's crypto.

Not really; see https://en.wikipedia.org/wiki/Post-quantum_cryptography A decent chunk of today's crypto is either immune or only weakened a little bit (for example, Bitcoin is mostly immune although the SHA hashes are a little weakened and so hypothetically miners might some day move to quantum computers using Shor's algorithm to mine for matches).


>quantum computers should be able to eat through any of today's crypto

Please read:

Wikipedia:One Time Pad

or

"My crypto assumes RH (Riemann hypothesis)" if it can be broken, RH is proved. Thank you quantum quack quack quamputer!

Or if you actually believe this

Wikipedia: The Time Machine(film)

Grrrrrrrrrrr...


Oh absolutely, but I don't know of any one-time-pad schemes that normal people use to encrypt their online activities. That means moving information outside the public network before sending messages over it.

If we can get entangled particles between parties ahead of time to exchange keys, we can do all sorts of fun things.


"The document, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, is the latest bombshell leak to be dropped by UK-based newspaper The Guardian."

All good news!

1: The Guardian is still time-releasing, I thought they caved under an IGIC - sorry, whatever it's called over there - gag order.

2: Now we know what to do to back up into the NSA cloud! Another USA world benefit: a highly secure service for all the world to avail themselves for free.

3: web app $opportunity$! tor p2p delivery and crypto of your files into free NSA Cloud, for only $0.99!


The D-notice system is a "request" to not publish — they are completely non-binding. They still are unable to publish anything covered by the Official Secrets Acts, but any leak from a foreign intelligence agency is not covered by that.



> "....The Ministry of Defence has issued a D notice preventing the UK media from 'publish[ing] information that may "jeopardise both national security and possibly UK personnel"'.

http://www.guardian.co.uk/world/2013/jun/17/defence-d-bbc-me....


...but that's what they would say, isn't it?


How about steganography? We all fire off so many pictures and attachments that there has to be an avenue here.


What the world needs is spammers who would be diligent enough to encrypt their spam with your public key. You would have to use a client-based spam filter, but such a small price to pay.


Know of any non-obvious stego of 10MB, 100MB, and larger file size?


I suppose you need a large carrier for a large message to be hidden. Very high resolution home movies maybe? I assume you can't use content that is already public, as then the original can be compared with the modified version to prove that hidden data exists.


Porn. It gets transcoded enough that the stego could fly through as just another lossy transcoding. Better yet, lossy transcode it to something and back, then stego, as long as your target has a copy of the same transcoder and knows what you're using as reference. You should also be careful to strip metadata as to which transcoder you're using. There are PETABYTES of the stuff floating around.

And if you're willing to pay a few bucks for private cams, there's no way anyone else can have a copy of your screencap, so no amount of clever transcoding will get them a reference copy.


Porn is actually quite a good one. It's something that doesn't look out of place if hidden away, and gives some plausibility to owning the stuff. More so than having home videos and no family, for example.


Try doodling your mails off the iPad instead... send text in binary form instead of HTML.


I think this is the more interesting aspect:

>"reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed."

Is this sort of intelligence gathering of domestic signals handed over to other relevant authorities? I'm sure the DEA would love to have the NSA's assistance in tracking down drug dealers. I'm just not convinced it has much of anything to do with national security.

Also, does use of HTTPS constitute "communications that are enciphered?"


That's always what I have thought about using tor and other encryption: if you try to hide clumsily, it might have the adverse effect. If you know how to use all the tools and don't make the error of logging in to a social network, then it can be useful, but in general I doubt it can protect us. Sending letters might become the most secure way of communication after all, or books with hidden glued pages!


Accessing a known account through Tor or any other identity-hiding protocol could possibly expose you. And I wonder if it is impossible for the US government to break encryption if it is specifically after you.


I suppose that means the NSA has been keeping my data since 2002 or so.



