Are you on the NSA’s email watchlist? Do you want to be? This project is called ScareMail, and it’s designed to mess with the NSA’s email surveillance programs.
[Benjamin Grosser] has written it as a plugin for many popular web browsers. It uses an algorithm to generate a clever but ultimately useless narrative in the signature of your email, packing in as many probable NSA search terms as possible. The idea is that if enough people use it, the flood of false positives will swamp the NSA’s search results, ultimately making their email keyword tracking useless.
So how does it work? The algorithm starts with natural language processing (NLP) and an original source text; he picked Ray Bradbury’s Fahrenheit 451. The processor identifies every noun and verb in the source and replaces each with a properly formatted and conjugated “scary” word that he’s indexed from a list of hypothetical NSA key words. To ensure each signature is unique, a Markov chain trained on that substituted text then generates a fresh passage for every message, so no two signatures are the same. The result is a somewhat coherent paragraph that doesn’t make any real sense.
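To make the pipeline concrete, here is an added example in Python (it is not code from ScareMail or from [Ben]). It assumes a constructed seed text in place of Fahrenheit 451, a hand-written noun/verb lexicon in place of a real NLP tagger, and an illustrative keyword list that is not the real index; the fixed header string is the one commenters report seeing on every signature. One caveat a defender would note: the Markov chain can only emit word pairs that occur in the substituted corpus, so every output shares a small vocabulary plus the same header, which is exactly what makes such text easy to fingerprint and discard.

```python
"""Toy reconstruction of the ScareMail pipeline described above: tag nouns and
verbs in a seed text, swap them for "scary" keywords with the original
inflection, then run a Markov chain over the result so that every signature
is different.  Added example, not the ScareMail extension's code."""
import random
import re

# Constructed seed text standing in for Fahrenheit 451 (assumption: a few
# sentences using only regularly inflected nouns and verbs).
SEED_TEXT = (
    "The fireman walked the street at night. He guarded a book under his coat. "
    "The city watched the fireman and the fireman watched the city. "
    "At night the books burned and the street waited. "
    "He counted the books while the city waited and the night watched him."
)

# Hand-written part-of-speech lexicon (base forms) standing in for a real NLP
# tagger; strip_suffix() recovers the inflection so it can be re-applied.
NOUNS = {"fireman", "street", "night", "book", "coat", "city"}
VERBS = {"walk", "guard", "watch", "burn", "wait", "count"}

# Illustrative keyword lists; NOT ScareMail's real index of NSA terms.
SCARY_NOUNS = ["bomb", "centrifuge", "cell", "nitrate", "courier", "ransom"]
SCARY_VERBS = ["detonate", "smuggle", "enrich", "infiltrate", "radicalise", "conspire"]

# The fixed header the extension prepends (as reported in the comment thread).
HEADER = "Following Text Generated by ScareMail"

SUFFIXES = ("ing", "ed", "es", "s")
TOKEN_RE = re.compile(r"[A-Za-z]+|[.,;!?]")


def strip_suffix(word, lexicon):
    """Return (base, suffix) if `word` is an inflection of a lexicon entry, else None."""
    w = word.lower()
    if w in lexicon:
        return w, ""
    for suf in SUFFIXES:
        if w.endswith(suf) and w[: -len(suf)] in lexicon:
            return w[: -len(suf)], suf
    return None


def inflect(base, suffix):
    """Re-apply a stripped suffix to a replacement word (silent-e rule only)."""
    if suffix in ("ed", "ing") and base.endswith("e"):
        return base[:-1] + suffix          # detonate + ed -> detonated
    if suffix == "es" and base.endswith("e"):
        return base + "s"                  # detonate + es -> detonates
    return base + suffix


def substitute(text, rng):
    """Swap every noun/verb for a scary word, keeping inflection and capitalisation.

    Design choice in this example: each source word maps to one scary word for
    the whole text, so the substituted corpus stays as repetitive as the
    original, which is what gives the Markov chain its branch points."""
    noun_map = dict(zip(sorted(NOUNS), rng.sample(SCARY_NOUNS, len(NOUNS))))
    verb_map = dict(zip(sorted(VERBS), rng.sample(SCARY_VERBS, len(VERBS))))

    def swap(match):
        word = match.group(0)
        for lexicon, table in ((NOUNS, noun_map), (VERBS, verb_map)):
            hit = strip_suffix(word, lexicon)
            if hit:
                new = inflect(table[hit[0]], hit[1])
                return new.capitalize() if word[0].isupper() else new
        return word

    return re.sub(r"[A-Za-z]+", swap, text)


def build_chain(text):
    """Bigram Markov chain: token -> list of the tokens that followed it."""
    tokens = TOKEN_RE.findall(text)
    chain = {}
    for cur, nxt in zip(tokens, tokens[1:]):
        chain.setdefault(cur, []).append(nxt)
    return chain


def generate(chain, rng, max_words=40):
    """Random walk over the chain from a sentence start, trimmed to the last full stop."""
    starts = chain.get(".") or list(chain)
    token = rng.choice(starts)
    out = [token]
    while len(out) < max_words and token in chain:
        token = rng.choice(chain[token])
        out.append(token)
    if "." in out:                          # do not end mid-sentence
        out = out[: len(out) - out[::-1].index(".")]
    return re.sub(r" ([.,;!?])", r"\1", " ".join(out))


def make_signature(rng, max_words=40):
    """Header plus a freshly generated scary paragraph, as the extension appends."""
    corpus = substitute(SEED_TEXT, rng)
    return HEADER + "\n" + generate(build_chain(corpus), rng, max_words)


if __name__ == "__main__":
    print(make_signature(random.Random()))
```

Run it twice and the paragraphs differ, but the vocabulary and the header do not; a filter that strips the header and drops any paragraph whose every word pair comes from a known corpus would catch all of it, which is the weakness several commenters point out below.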
But wait! Surveillance like this is bad, but hypothetically this counter-measure could work! Well, maybe. But the point is:
ScareMail reveals one of the primary flaws of the NSA’s surveillance efforts: words do not equal intent.
Stick around after the break to see a proper video explanation of ScareMail by [Ben] himself.
Like this project? He’s also made an amusing Facebook Demetricator which removes the social value facade from everyone’s favorite website.
ScareMail adds a small signature (like ‘generated by scaremail’). A lot of people have been saying the NSA can just look for this signature to see the text is fake and ignore it.
But the funny thing is that this would mean a terrorist can just add ‘generated by scaremail’ to his email to stop the NSA from reading his mail. So the NSA has no choice and needs to scan these mails as well.
All we need is to figure out how to encrypt a useful message into something that will look like meaningless scare mail :-) Anyway… There’s still GPG, so the NSA can sniff whatever they want….
It won’t be funny when they kick in your door and execute your entire family.
Does anybody realize how stupid this is? Didn’t you see from the USN SEAL raid on Abbottabad, Pakistan, that OBL was NOT using any form of email? He was using NOTEPAD.EXE, 3.5″ discs, and runners. No internet connection at all. Terrorists are not using electronics anymore, as they know Big Brother is watching.
So what does NSA Bluffdale do with its super-Echelon machines then? They target overseas targets or POIs (persons of interest). Your freaking emails are just cluster-farts to them. They are ignored as they have American IP addresses. Your emails only get tagged if there is a POI IP address in the TO:, FROM:, CC:, BCC: fields. However, the FIVE-EYES partners may actually see this ScareMail BS and get bogged down. NSA admitted to being swamped once and the entire system crashed.
Most POIs are not towel-heads in caves. It’s usually friendlies like Vladimir Putin, Xi Jinping, Chancellor Merkel or Benjamin Netanyahoo and his sneaky cohorts (and of course our real enemies like Kim Jong-un and Hassan Rouhani). You know, POTENTIAL “real” enemies of the USA state. NSA could care less about HaD pranksters. They probably like reading HaD for ideas for R&D up in NSA-CSS.
So, he’s generating paragraphs that are new each time in order to help prevent his texts from being automatically filtered out of searches…. and yet every single one of them starts with “Following Text Generated by ScareMail”… I find that rather contradictory.
NSA could start filtering out any results which contain that snippet of text, but then the terrorists just need to add that snippet of text to fall under the radar. The vicious circle of NSA snooping.
In reality it’s probably not too difficult to teach an algorithm to recognize the scaremail paragraphs because they’re pretty formulaic. Just ignore them and scan the rest of the message normally.
They could, but odds are they don’t even have to do that. You might get flagged, but they would check all that metadata about you and see that you are some guy that is most likely using scaremail. That is why the NSA was getting metadata. Once they find a person of interest they check all of his email to see who he talks to, and then social networks to see who he talks with. That gives them a way to find other persons of interest. They use this more for data mining to find networks of terrorists. The NSA is not going to fish all the email to see if someone is talking about blowing up New York because you would get too many false positives. I mean, really, only the stupidest of terrorists would use any key words. Of course I can promise you that some of them are that stupid.
Actually, that’s what the spam mail filters already do. The spammers tried to get their cialis ads past the filters by using snippets of text and randomized paragraphs of nonsense to make it appear to the filters like it was genuine conversation, but the filters got better.
No they didn’t, it’s just they put Captchas on the front-end, so it’s harder to get a junk-mail account now.
Ignoring “ScareMail” just invites terrorists/NSA targets to put that word in their mails… The NSA won’t do that.
Those two Presidents whose names said in French sound like an exploding bomb.
Boussh!
M-x spook
If you are sick of the snow storm, I heard Guantanamo Bay is nice and warm.
They even made a last minute reservation for you!
http://www.weather.com/weather/today/CUXX0016
I wouldn’t bank on Guantanamo Bay; no doubt it has limited accommodations. When Guantanamo Bay is maxed out, the lucky ones will be imprisoned in a less pleasant prison on the mainland, the unlucky ones sent outside the US to where you are given a prayer rug and told what direction to face when you hear the caterwauling called the call to prayer. ;)
“(…) indexed from a list of *hypothetical* NSA key words” — i’d guess, they have a slightly better approach than just scanning for “evil words” like nucular threat, anthrax, jihad whatsoever – there are things like semantic analyzers out there, you know.
Let alone I just can’t imagine the real bad boys would communicate about their sinister plans using plain language …
The point is not to look like a terrorist; the point is to trigger their automated systems while looking NOT like a terrorist.
And if you think it’s any more complicated than a list of keywords then you don’t know government systems LOL
I agree. I don’t know a lot about their system (nothing at all), but I have a feeling that this approach to clog them, so to speak, is misguided and very naive.
I bet “nitrate fertilizer”, “fuel oil”, and “large van” get a few.
Also look through an atlas of Afghanistan, particularly trade routes. There’ll be a few there. “Enrichment”, “centrifuge”, centrifuge terminology, etc. “Hexafluoride salt”.
Anyway, could play silly monkeys all day, but assuming they spend their days looking for what they claim they’re looking for, it’s not hard to be specific enough. And all you’re trying to do is trip off alarms. Pretty easy really.
Oops! You got flagged for posting those here :P
I have been using such services since ’07 (as you would have to have either lived in a cave or been mentally handicapped not to know this is what they were doing since the Patriot Act was signed). It’s a fun way to end up on all sorts of fun lists and drain their resources!
Yeah, because it’s soooooo well known that when a spy agency runs low on resources (or funds) it just throws in the towel and quits. How naive – they just print some more money and buy/build/acquire/change laws to get what they need. This concept accomplishes NOTHING.
It helps the NSA build up a list of “Enemies of the NSA”.
Good. If absolutely everyone on the world is on it, among other things it’ll be pretty accurate.
The point is to make mass-spying on ordinary people even more useless than it already is, so they’ll stop doing it. I can say whatever I like in my conversations, you know what they say about eavesdroppers.
An Enemies of NSA list. My Representative in the US Congress, Tim Huelskamp, would be on that list. Then again he may not be an enemy if the POTUS since January 2009 had been anyone other than Barack Obama. Sorry, I have Huelskamp’s latest postal newsletter and have been reading through it off and on. [sigh]
Love the government or not. Love the ways they do things or not. But doing something that drains the resources of the people trying to stop someone from parking a bomb in front of your house is something that is dumb anyway you cut it.
They’re doing it in a stupid and wrong way. If the best they can come up with to “protect” people is “spy on everybody all the time without a reason” then better it fails sooner than later.
I get the feeling the people who sell computers to these folks make very wide promises. They have pointy-haired bosses like everybody else. How much effectiveness, per dollar or whatever, would you expect to get from “dredge the entire Internet”? Seriously!
If Americans would prefer their country to be less blown-up, they might think of returning the favour. Nothing pisses someone off more than having their neighbours and family randomly killed in bombing raids, or being occupied by soldiers who are pissed-off with “protecting” a country where everybody hates them. I reckon $10 spent on tranquilising Congress would be worth a million in nonsense Internet searches.
And never mind the fact that the US would not be conducting “bombing raids” if the events of September 11, 2001 had not happened.
If you don’t want to experience the chaos of war, don’t be stupid and start it to begin with.
People can go back and forth about collateral damage, but the fact has always been; people who would not have even considered the notion of starting a war, become victims of war when it does start.
It has also always been and will always be; pointless and stupid to condemn a nation that goes to war after it has been attacked regardless the number of innocent people killed as a result.
If you support or harbor terrorists in any way shape or form, you are in fact a terrorist and the enemy. So don’t be surprised when the people of the nation you terrorise strike back.
One need not be an American to understand that.
Now, if you think the current war on terror is not so nice, watch how nasty things get when Iran invades Israel. A prophesied event that is more likely to occur now that the Obama administration and the UN are making the same appeasement mistakes that were made with Hitler prior to WWII.
Just goes to show; a college education does not a smart person make.
Too bad the States became a bunch of wussies.
Last time a country had the balls to attack the States, they ate two nukes for their trouble. Nowadays, a few attack drones is all they get – kind of waters down the message, don’t you think?
I love how people whine about the collateral damage. In WW1 it didn’t even make the front page if it wasn’t hundreds of thousands of dead. Now a few killed and a couple of wounded gets break in coverage on CNN. It’s WAR, what do people expect will happen?
As to “college education”, keep in mind most politicians in the States are LAWYERS, hardly what I would classify as a “real” education.
The nukes were used not because the United States was attacked, but because in using them, fewer lives would be lost to win the war.
I get your point.
By the way, the States are not wussies. To see just how tough they truly are, all you need do is be in a position of need.
“If you support or harbor terrorists in any way shape or form, you are in fact a terrorist and the enemy.”
I have no way to know if SATovey or not, but no American, and plenty of Europeans, should be making that statement because it’s a stupid statement for them to be making. That bit of domestic propaganda ignores the fact that there hasn’t been a terrorist or tyrant that the US and many European governments wouldn’t do business with if there is money to be made. I had written a long comment naming many, so I trimmed it down to this because this is the event that led to this Hackaday post from James. When the first airliner struck its target on 9/11/01 the USA was effectively in negotiation with the Taliban. Few would deny that the Taliban are terrorists.
Respectfully, that’s the product of the subtle fear mongering that in my opinion began shortly after, when GWB told us not to be afraid when he told us to go “shopping”. Of course the NSA is an agency that has existed for a long time, and there probably is no way of telling of its past abuses. It would seem that the US had the intelligence that could have prevented the events of 9/11/01 if we had been vigilant. I’m sure I’m not the only one who remembers the airline hijacking era and thought to themselves, “box cutters, how long had such items been allowed in carry-on items?” Personally I find the risks for the rewards acceptable; it’s not only soldiers who face risks, and some die for the freedoms we enjoy, citizens do so on a daily basis.
Before the “interweb”, people used to put “NSA line eater” in their .sig on usenet posts. I guess they were right.
http://www.catb.org/jargon/html/N/NSA-line-eater.html
The “generated text” is not unlike the pseudo-text used to fool spam filters.
Sometimes I wonder if spam messages are actually coded messages in the first place, with the unusual typos and mistakes as markers for hidden messages.
If so, they’re probably the closest thing on the net to numbers stations on the airwaves.
Number stations are completely fascinating! Apparently some countries have admitted they’re something to do with secret services, but that’s about all anybody knows.
1) Confuse the NSA terrorist detecting software so that it becomes useless and they stop watching?
2) ????
3) Profit.
2 is they find something useful to do with their time. Gods, actually I take back what I said, I suppose as long as they’re in the office whacking off it keeps them out of mischief.
Did you know that those-sorts are often very bad people who do very bad things?
Endless stories come to light, 2 or 3 stooges take the fall, nothing really changes.
That is hilarious!
Not wise to mess with the NSA as they will have no problem messing with you.
No doubt there are millions of these emails sent so far… how many people has the NSA messed with in return?
I’m trying to understand what this ‘hack’ even achieves or is trying to achieve? Kudos for the writer for sticking it to the man?
Pretty sad really the faux-indignation and furore surrounding the fact that spies are spying, people are fine with having spies employed by their government until it’s them that’s being spied on.
People like merkel and hollande really made me pmsl, the french and german governments have their own spying agencies yet didn’t appreciate being spied upon themselves, the irony of that I’m sure is lost on both of them.
There’s only one rule to spying, DON’T GET CAUGHT. Everything else is fair game, which is why assange talked a confused transexual into betraying his government and said government are going to throw blondie in guantanamo if he ever grows a big enough pair to emerge from the embassy.
most of the people that are kicking up over this really are bigging up their own self importance, I suspect 99.9% of the butthurt masses aren’t on a radar at all.
It has nothing to do with being “on a radar”, the butthurt masses are butthurt because we know that government unchecked will continue to become more and more aggressive in their endeavors. Ever heard of the Stasi? They’d have a hard on if they had the capability the NSA has.
Let’s say you were building cabinets and needed a table saw. You go out and get a table saw to do the job. Once you have said saw, all of the sudden you start finding more jobs to do. Next thing you know, you’re using the saw every other day. Your buddies find out you have a table saw and they come over to use it. See where I’m going with this?
it starts out innocently enough, looking for terror activity. Then it moves into big time drug dealers. Then maybe into organized crime. Then into political opponents. Eventually the powers that be are so far up your large intestine that you may as well live in China or North Korea.
I’ll take off my tin-foil hat now before you tell me to.
Don’t feed the troll.
“Come out so we can torture you you coward! Grow some testicles! Come disappear from the world, you big girly-man!”
Is english the native language of terrorists?
Most of them.
If you’re really worried about your e-mails being read, I wonder what you’ve been up to; if you’ve done nothing wrong, you don’t have to worry. None of my e-mails are (or need to be) secured against this level of obvious paranoia. Of course if you are a truly leet hacker, you are neither paranoid nor on anyone’s radar. Google your handle and see what shows up. You might be surprised.
Of course you claim to have nothing to worry about, and nothing to hide. Your willingness to allow others to illegally observe your life only contributes to the problem. At the rate that personal privacy is disintegrating, how many years of freedom do we have left? Perhaps five years from now you’ll wake up one morning to find that a new law requires your automotive GPS to snitch on you if you speed. Some day, maybe a three-letter government agency will use petty personal dirt to blackmail you into voting for their man. They read your email, they track your phone’s GPS coordinates at all times, they’ve built a comprehensive map of your friends and social interactions. Their vile infrastructure is already in place. All that is required now is the political impetus for some federally-funded bastard to deny you your rights for unknown (yet totally arbitrary) reasons. Do not be complacent. This is a pivotal moment in human history, and if we allow them to, the powers that be will snatch up as many of your liberties as you let them, whether or not you’ve “done anything wrong”.
Anything they look at will point to a white bread w/ mayonnaise individual, boring, and predictable. They can ask the local PD, no problem there. They confiscate my phone, and notice I have seven numbers to three counties’ emergency services including the FBI and CIA (I should probably add a few more of those 3-letter services). And no, I don’t work for any, but I have been checked out by at least someone due to a family member’s job. Does my previous post make a little more sense now?
That’s all fine and dandy until some tyrant makes being “a white bread w mayonnaise individual” illegal. Unfortunately, rather than learning from the mistakes of history, mankind tends to repeat those mistakes.
People were imprisoned and persecuted for stating that the world is round. That fact and the persecution of people still remains today. While no one questions the roundness of the earth and the planets today, people still persecute those who question the status quo and speak the truth. That is why, one day, it may become illegal to be “a white bread w mayonnaise individual”.
I’d lock him up, that sandwich sounds disgusting
My subtlety must be set too high. It’s what I’m NOT telling you that’s important. This fact, the one that’s being missed, is important, and your reaction is most pleasing to me. Thank you for that.
The problem isn’t “doing wrong” things.
The problem is doing legit things which can be cast in a disfavourable light, or legit things that might be considered wrong by a specific interpretation of “wrong” (a specific interpretation of the law), or things that are legit now but will be wrong in the future, or valuable knowledge in general (patents, business decisions, &c).
Things like having an affair, being gay, being depressed, having a medical condition of some sort, sexting your SO, deviant and fringe sexual preferences, strong political opinions, personal drug use, getting drunk, political rally attendance. To name a few.
None of these are illegal or wrong, but knowledge of them allows the government power over the individual. They can use the information to unfairly discredit individuals.
From the papers leaked by Edward Snowden, we have “Top-Secret Document Reveals NSA Spied On Porn Habits As Part Of Plan To Discredit ‘Radicalizers’”
http://www.huffingtonpost.com/2013/11/26/nsa-porn-muslims_n_4346128.html
Note that being a radical is not illegal in any way, and a strong country should be able to survive without unfairly marginalizing dissent.
You aren’t doing anything wrong. Have you never surfed for porn? Ever? Because if you have, then the government could make that information public, including your particular preferences. What would your neighbors and coworkers think? How employable are you if that information is permanently available on the net?
All of the “I don’t have anything to hide therefore you’ve got nothing to hide” people should shut the fuck up. You don’t understand the scope or importance of the issue.
They can even lie about what your preference is. You will deny it no matter if the accusation is true or false. It’s not like you could prove that you don’t like midget trapeze porn.
Fortunately I am completely shameless; most of my friends know what weird shit I’m into, and my family wouldn’t be surprised. I’m the sort of contrary fucker who’d wear midget trapeze porn on a T-shirt if someone threatened to “out” me.
Shamelessness is great! What did shame ever do for anyone anyway!? Makes me hard to blackmail. As long as I don’t break any serious laws.
I prefer the stance of not giving accusations any foothold by not giving a sound bite about it, except maybe a laugh at how ridiculous it is, and maybe not even that. I know where I stand, and if any accusations come around, they will be completely ignored and nothing will come of it. I have the relaxed stance of someone who is blameless of any crime I don’t commit. If I did commit a crime, well, I can’t lie worth a shit so there’s no point to it.
If someone comes after me, they better have rock solid evidence. Think of my life as akin to It’s a Wonderful Life without the military service. I have more friends in the community that would be happy to assist me, and those that despise me don’t have anything on me. As for employability, I’m pretty much my own boss so I can’t get fired. They would have to lock me up. I also have most of my sensitive information in hard copy (just in case computer access becomes permanently unavailable).
Yes exactly, as long as I’m alright then everything is fine. LA LA LA LA can’t hear you
It’s not that I can’t hear you, it’s the fact that I’m already past that point. I’m covered on any of my regular e-mail accounts. But I’d be stupid not to have extras. Sure they can be tracked, but not back to me. The problem I have with the ScareMail post is that, yes, it tracks you anyway. Why draw more attention to yourself than necessary? I would like to think that I’m not the only one that thought of this as a “keep your head down and let others take the fire” kind of situation.
Surf for porn? Hell, any spy will discover I watch it somewhat regularly. Pretty sure there are plenty of employers out there that aren’t worried if the employee watches porn. Speaking of porn, I haven’t watched any yet this week. See ya.
Exactly. We all have a digital dossier somewhere that can be unleashed on us if we ever piss off the feds.
Aztraph, I notice your username links to a MySpace page. Without even clicking on it, I wonder, is there anything “wrong” on there? Any compromising photos, private messages, or posts? Perhaps you’re friends with some…dangerous individuals? We should keep an eye on you. For safety, of course. God bless America!
It’s a security thing. I posted on MySpace once to show and tell a security camera I cobbled together; it got good reviews. You will find other such projects I post too, and a picture of my cat, maybe more. I keep my life an open book except on HAD; some of you MFs are scary as shit. I’ve been hacked once before and don’t intend to let it happen again, which is why I don’t use my given name. And please don’t consider that a challenge, it wouldn’t be one; all you have to do is Google aztraph and you can find my name out easily enough, but how many people actually go to the trouble of doing it? My Facebook account, YES I have one and only use it to post pics and videos of my projects, is a public account. Go ahead and call me stupid, then go track it down, here, I’ll make it easy for you. My profile picture is for pics of a lunar eclipse in progressive stages. There’s not a whole lot there.
And if you want to click on it, go ahead; it’s pretty boring. But it’s there so you can click on it. It’s a public profile that only gets used occasionally and for that purpose.
You know how people say about an ID being only 1 page thick? Well I don’t have that obviously, but it isn’t extensive. There’s a reason for that.
You’re very very brave……..
Admitting to posting on Myspace – Bwahahahahahahahahahahahahaha.
Yeah yeah, go ahead and laugh, and then realize how hard I’m laughing when you check out my posts. How many have I made over the past 5 years? Go ahead and look.
Then I invite you to go ahead and look up aztraph, see if you can find my Facebook page. Facebook? Yeah, Facebook. Look at my activity level on that worthless piece of chaff. BUT WAIT! How can CHAFF be worthless? It’s a sacrificial piece of material that does nothing but get in the way, which is exactly what I use it for.
By the way, I have 83 friends on Facebook, and the worst one of those is a former drug dealer turned narcotics officer, then he became a private detective. Medical issues forced him to retire early and take disability. I think I have 1 friend on MySpace and he was a moderator or something, and I’ve since deleted him. My Twitter account? 4 followers, following 4 and 13 tweets. Can you imagine anything more OBVIOUSLY PITIFUL?
A well organized terrorist ring is not going to use a cell phone or email. They are going to meet in person somewhere and write their strategy on paper and pass the notes to each other. No one can hack a note. Then they destroy the notes.
Better yet, include pictures of ponies in such messages (filename bombschematic.jpg or similar). After NSA analysts spend two weeks doing nothing but watching ponies from 9 to 5, they will go insane, commit suicide and/or attack co-workers.
To those that say “I didn’t do anything wrong so …”: How much do you trust your next door neighbor, who might be employed by the NSA/CSIS etc., not to accidentally rifle through your files while bored? And accidentally (of course) check which prn sites you visited lately, how much you are in debt, who your wife is seeing… And accidentally make that data public once you TRY to run for public office… I hope it is clear now. Privacy is one thing dividing liberty from totalitarianism.
I applaud anyone who exposes perverts seeking public office. I’d much rather find out before they get elected than afterwards. Because we *are* going to find out! Welcome to the Information Age.
P.S. if you quit beating your meat to all that porn maybe your wife wouldn’t have to see anyone else?
I do NLP (natural language processing) for a living, and this decoy text is bullshit.
It’s trivial to build a classifier trained to detect text generated by ScareMail, especially if it is that long.
I can’t think of any user friendly ways of getting around this. Even if we all typed our own NSA line eaters, 90% of them would just contain the words “bomb” and “jihad”.
So what. If the real targets of surveillance are also using this then the current NSA surveillance methods are rendered useless. Then they will be forced to use real policing methods instead of peering through everybody’s keyholes.
They can’t even classify the nonsense word-salad that comes attached to spam. Classifying, and doing much at all, with natural language, is really difficult. If you achieved it 100% I’d argue you’d created something sentient.
Using encryption doesn’t have to be hard. I threw together a simple html page with javascript based encryption that I attach to an email along with an encrypted block and a cleartext riddle to describe the password I used to encrypt it. It was a bit of fun and non-technical friends seemed to find it easy to use. It’s handy to have around when you’re feeling a bit too “looked upon”.
http://github.com/JJones780/EasyCryptJS
The problem is we can’t be sure that the NSA hasn’t messed with all of the encryption libraries, ciphers etc out there. I wonder if the NSA implementing weaknesses in this stuff was a trigger for the USA allowing export of crypto. mmm
The idea is you compile them yourself if you can. Of course, encryption source code is probably meaningless to most people, and you couldn’t spot a glaring backdoor if it bit-shifted itself into existence in front of you. For that I suppose you have trust.
Phil Zimmermann seems to be trusted by everybody, or at least people with every political agenda all claim that PGP is solid. Mathematicians and scientists are both very competitive; out of all the people qualified to find holes in PGP, somebody would have piped up by now if there was one. Other encryption systems’ bugs get publicised.
So you just have to trust that every mathematician and computer journalist isn’t part of a big conspiracy to sell you ROT13 with a long sleep after it. The more people, and particularly the more people of opposing views, who agree the thing is safe, the safer you should feel.
As far as exporting crypto goes, remember the history of the time. Basically it was becoming impractical, it was already spread around the world by that point, so the spooks basically threw their hands up. They’d already lost. The WWW had beaten them. You could even buy T-shirts with PGP or whatever it was, in Perl, printed on them.
The answer’s been here all along: use PGP for all your email. It was just a bit of a pain in the arse, last I looked. It needs implementing into existing email systems in an easy manner. Something nice and simple with pictures of actual keys representing your key storage, stuff like that. Have the complexity avoidable for users, but there and able to be checked on by those that know.
>The idea is you compile them yourself if you can.
>and you couldn’t spot a glaring backdoor if it bit-shifted itself into existence
>in front of you.
So even if you compile from source you can’t tell.. so I’m not sure what your point is.
>Phil Zimmermann seems to be trusted by everybody,
>or at least people with every political agenda all claim that PGP is solid.
PGP uses RSA, DSA…
>So you just have to trust that every mathematician
>and computer journalist isn’t part of a big conspiracy
>to sell you ROT13 with a long sleep after it.
That’s not the point and you’re seriously over simplifying the issue. The encryption standards we use everyday are ratified by standards bodies and it’s thought that the NSA has influenced those bodies to their advantage.
From Wikipedia: Elliptic curve cryptography (http://en.wikipedia.org/wiki/Elliptic_curve_cryptography);
The algorithm was approved by NIST in 2006. In 2013, the New York Times revealed that Dual Elliptic Curve Deterministic Random Bit Generation (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of NSA, which had included a deliberate weakness in the algorithm.[3]
>The answer’s been here all along, use PGP for all your email.
Except that the ciphers it uses are ones that might have been nobbled by the NSA. Your RNG might have been nobbled. If you have hardware crypto that might have been nobbled too.
>It was just a bit of a pain in the arse, last I looked. Needs implementing into existing email systems in an easy manner. Something nice and simple with pictures of actual keys representing your key storage, stuff like that. Have the complexity avoidable for users, but there and able to be checked on by those that know.
If it was just a case of making PGP (or GPG etc) easier to use then there wouldn’t be a problem, would there? Maybe someone should tell Bruce Schneier we just need to make a nice GUI for PGP (they exist already) and everything will be OK.
>So even if you compile from source you can’t tell..
I think you can. Compile your compiler if you have to. If you really really have to, write your own compiler in ASM, build your own CPU out of transistors. It depends how paranoid you want to be. Are you saying the various media stories where courts complain about encryption are all fake? Why are the NSA themselves moaning about it?
>PGP uses RSA, DSA…
Presumably Phil, and other experts in cryptography, have checked those out too, and that’s why they’re still in use. Nothing gets pulled quicker than crypto software with a hole in it. RSA isn’t just source code, you can implement it from the algorithms, the diagrams with the pretty boxes etc. People who *understand* it (not me!) can implement it!
>That’s not the point and you’re seriously over simplifying the issue. The encryption standards we use everyday are ratified by standards bodies and it’s thought that the NSA has influenced those bodies to their advantage.
Well you don’t have to trust NIST, and apparently you shouldn’t! Trust the community in general. As I said, trust the opinions of a disparate group of people, trust something that mutual enemies agree on.
I’m disappointed, and only partly surprised, that NIST were fucked like this. But they’re a federal agency. Phil Zimmerman and whoever else, aren’t. Have the NSA got at everybody who works in cryptography? If they have, well we’re fucked, fair enough.
>Except that the ciphers it uses are ones that might have been knobbled by the NSA. Your RNG might have been knobbled.
You tell that partly through reading whatever source you understand, and your compiler’s source too if necessary. And like I say, through trusting the sources you get it from.
Personally I couldn’t understand the source myself enough to know. If I were a spy or something I’d make the effort to learn. Or, again, have someone I trust understand it for me. Maybe I’d threaten them into telling me the truth.
>If you have hardware crypto that might have been knobbled too.
Absolutely, and it’s a lot harder to tell than it is with source code. You don’t need hardware unless you’re doing a lot of it. And even then, yeah, every one I’ve heard of has turned out to be full of back doors.
>If it was just a case of making PGP (or GPG etc) easier to use then there wouldn’t be a problem would there.
If they were used every day, all the time, there’d be a very different problem for the alphabet people. There’d be no point in the natural-language analysis if it took them till the end of the Universe just to decrypt the damn thing. Quantum computers excepted.
You’d be able to tell if it worked, cos within a week it’d be all over the news about how terrorist Muslim paedophiles are using PGP to rape your kid’s Playstations. The day after that the “Normal, Sensible Adults” and the “Children’s Indecency Association” would be after banning it.
Perhaps PGP has got easier to use since last I tried. I should have another go. Then it’s a matter of getting other people to install it too. Not that I send a lot of email.
Don’t lose faith in encryption:
The encryption math is quite short – but uses extremely large numbers. You can buy a t-shirt with the algorithm printed on the front as pictured on this blog:
https://marcellodesales.wordpress.com/2010/01/10/rsa-algorithm-explained-a-step-by-step-process/
i.e. cryptographers spotted the possible weakness in the NSA standard and “everyone” avoided it. Open Source encryption, monitored by many, should be quite secure.
You are more likely to have your encryption cracked due to a trojan or keylogger stealing the keys, or by choosing simple passwords, than by expensive encryption cracking techniques.
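The comment above says the RSA maths is short but relies on very large numbers, and an earlier reply says RSA can be implemented straight from the algorithm rather than from anyone's source code. The block below is an added example written for this thread, not code from ScareMail, from the linked blog or from any commenter: textbook RSA with the classic toy parameters (p = 61, q = 53, e = 17, message 65), followed by a trial-division routine that recovers the private key from that toy public key in a fraction of a second, which is exactly why real keys use primes of a thousand or more bits. All numbers are constructed for illustration, and real deployments also add a padding scheme such as OAEP, which this toy omits.

```python
"""Textbook RSA worked through with small numbers (added example, not from the page).

Constructed toy parameters: p = 61, q = 53, e = 17, message m = 65.
With numbers this small the modulus factors instantly, so the same code
that builds the key can also recover it; real keys use primes far too large
for trial division, and wrap messages in a padding scheme (e.g. OAEP).
"""
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd != 1")
    return x % m


def keygen(p, q, e=65537):
    """Build an RSA key pair from two distinct primes p and q.

    Public key is (n, e) with n = p*q. Private exponent d is the inverse of e
    modulo phi(n) = (p-1)(q-1); phi(n) is what stays secret.
    """
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(pub, m):
    """c = m^e mod n. Message must be an integer in [0, n)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def factor_small(n):
    """Trial division. Returns (p, q) with p*q == n, or None if n is prime.

    Feasible only for toy moduli; this is the attack that key size defeats.
    """
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None


def recover_private(pub):
    """Rebuild the private key from a public key whose modulus we can factor."""
    n, e = pub
    factors = factor_small(n)
    if factors is None:
        raise ValueError("modulus did not factor")
    p, q = factors
    return n, modinv(e, (p - 1) * (q - 1))


def demo():
    """Encrypt, decrypt, then break the toy key by factoring its modulus."""
    pub, priv = keygen(61, 53, e=17)  # constructed toy primes
    c = encrypt(pub, 65)
    return pub, c, decrypt(priv, c), recover_private(pub) == priv


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the round trip working and the recovered private key matching the real one; swap in two 1024-bit primes and `encrypt`/`decrypt` still run instantly (Python's `pow` is modular exponentiation) while `factor_small` never finishes, which is the "extremely large numbers" point in one picture.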
This is as useful as a Twitter campaign that involves praying to solve some environmental disaster. If you really think the NSA, you know those guys that have apparently managed to insert weaknesses in a bunch of crypto software and hardware products and can probably see all of your internet activity, are going to be fooled by some machine-generated text, your tinfoil hat might be a little bit too tight.
SOME crypto software, but if you compile it yourself from a source you trust, you’re fine. As I mentioned in another post, you establish trust based on the credentials of the people you get it from, particularly from people who understand the subject, and have no reason to lie about it, or better, have a reason to come out with the truth if it were compromised.
As far as hardware goes, wouldn’t touch it with a 50ft pole. Of COURSE some sneaky fucker’s going to hide something in there, and without an atomic force microscope and a team of Indian chip designers with enormous heads, you’ve no way of telling.
Most people don’t have the need for crypto hardware, they don’t do that much encrypting. But software can be checked, by yourself or people who know. I’d trust that. If it were all secretly broken, there wouldn’t be so much moaning in the news media from all the spooks and cops. Unless it was just a big bunch of theatre, and cops just can’t act that well.
For the moment, we’re 99% sure of what’s in our CPUs. As long as we’re free to run our own software, we’re OK. As long as your machine’s Turing-complete, or can act like it, you should always be free to implement encryption.
>SOME crypto software, but if you compile it yourself from a source you trust, you’re fine.
See above. The NSA has influenced the development of the standards that others have implemented.
>Most people don’t have the need for crypto hardware,
Crypto hardware is included in most(all?) recent x86 CPUs.
>For the moment, we’re 99% sure of what’s in our CPUs.
You wouldn’t be able to tell if your hardware RNG is broken.. and the leaked NSA docs say that they were targeting hardware and software vendors. This is a major issue.
True, I wouldn’t trust the hardware RNG. It’s just too obvious a target. It has no serious use except cryptography, and do I trust Intel? Do I shite!
I suppose just a few bits here or there, while not a backdoor, can shave a lot of time off a brute-force.
But I’d stick to the old-fashioned hitting lots of keys randomly method, and using the microseconds as a seed. Should be unpredictable enough. If I was really serious, maybe I’d hack up a smoke alarm for the Americium and put a photodiode next to it, something like that.
The computers and software [alphabet soup] uses to scan emails won’t have any trouble weeding out this noise. A few thousand hackers being cute and putting nonsense into their emails is a drop in the bucket compared to the volume being processed. We give Uncle Sam flack for being inept at so many things; waging war is not one of them.
I suppose there’s always the complementary approach. “Everything is in place, your AUNT’S BACK PAIN will be present at THE MALL on MOM’S BIRTHDAY. Make sure you have enough armour-piercing SPAGHETTI and the Anthrax ALBUM at the time. Insha’ALBUNDY.”
Ultimately useless, at best he is starting a short lived arms race with people who are far more able to adapt because their resources and expertise are an order of magnitude greater.
So unless you want some TSA goon’s finger up your bum next time you cross the US border I would not bother to risk the attention it would get you.
While [THEY] have faster computers, there’s many more of [US]. And it’s much harder to filter out English-looking nonsense than it is to generate it. The false hit / miss rate is high enough to start with, raise it high enough and they’ll have to rely on human filtering for everything.
That’s why spam-fighting now relies on captchas at point of entry. Because machines just can’t tell spam apart.
Every time someone invents a rule to distinguish real writing from nonsense, you can apply that rule to generating better nonsense. Since work like this tends to be done by universities and interested hackers, it’s available to the public. Even if [THEY] have stuff [WE] don’t know about, the English language has a (fairly) fixed and formal set of rules. There’s only so much you can do with it. So anything they have, we can come up with soon enough, whether we or they know it or not.
Regarding your latter bum-fingering point, it’s a good job the European resistances thought that way, or else Hitler wouldn’t have won WWII. “If a government is oppressive, give in immediately! Freedom’s not worth an anal invasion!”
The only point of a security surveillance organization like the NSA is to protect the inhabitants from things like terrorist attacks. This email service makes the only legitimate service they should provide WORSE. This will not prevent them from snooping around in private people’s emails, but it probably will make their actual work slightly more annoying. I’m not sure this service has merit.
Well, serve em right for being dicks so much. They made themselves the enemies of ordinary people, they took the first action.
There’s also the debate on who’s a terrorist and who’s a freedom fighter. The Taliban are the best example of this. Ronald Reagan used to send ’em his prayers all the time in the 1980s.
Ok, so encryption is not safe, or at least a quantum computer can easily do the job.
Then I think the best way to f**k them is to not use any of “their” communication systems at all. The problem then is you can’t even use your credit card to pay for or just to reserve a place to sleep. Or do you have enough money in cash available to safely live for the next month, year?
All the talk here seems to be about if our future freedom will eventually some day be compromised.
But the fact is that most of us are not free anymore. Their money supply can be shut down in a matter of seconds. Even if you haven’t done anything.
Then you stand there without money. And the world still keeps turning -> And I tell you a secret. It finally is only there for you to make you better. -> Because the next time you see that this happens to someone else, you will be there and support him. Because there were people who supported you when it happened to you.
Or you die and then may be born again and get another chance to build, improve, learn and experience.
I do not think you are familiar with asymmetric encryption and out of band key exchange. Encrypting your email can render it practically unbreakable.
This is a nice kick-off for an interesting round of arms racing. Just looking at the code, there is a huge scope for improvement and extension. The mangled text, or satire of Ender’s Run, is actually hard coded into the JavaScript. I can see some enterprising person changing the code so that a satire is generated on the fly from a user-supplied text and the ScareMail tag is generated from that. Just thinking about individual customization possibilities is exciting.
My guess is that anyone with spying mechanisms like NSA already knows well that words don’t equal intent and that they don’t use keyword detection at all or use it in addition to much more advanced text processing and other background checks.
That said, toys like these are always fun to see, even just as a demonstration of how many people find the spying programs wrong. There’s been hundreds of projects like ScareMail before. One I really liked but can’t find a trace of anywhere was called terror2 and it was a Mirc32 (yes…) plugin, I saw it used on IRC channels like #linux 10 to 15 years ago and it generated much funnier texts than ScareMail with much more keywords.
Might be meaningless and harmless, but that doesn’t mean Obama won’t sign your death-warrant over it.
And have you heard the recent revelation that the NSA uses people’s porn history to discredit them? So if they don’t murder you, you have that to contend with.
And then there’s the no-fly list.
Joe Six-pack and Susie Housecoat understand the cost of freedom, I wish the pencil necks in D.C. would get a clue…
This is assuming (a) that the NSA is a domestic intelligence agency tasked with blackmailing U.S. citizens on U.S. soil (also assuming that YOU have valuable information/conversations/goods/services) (b) the NSA has the ability to intercept and process everyone’s emails across the entire world (let’s say half of the 7.1 billion people in the world use email) (c) the NSA isn’t a (mostly) law abiding foreign intelligence agency with legitimate goals. It’s too bad that these agencies are made up of real people like you and me and not self-hating, suit-wearing agents like you think. Why can’t they all be like Snowden?
It won’t be funny when they kick in your door and execute your entire family.
I’m realizing a bit late that this probably wasn’t the best comment stream to subscribe to…. a bit too many “hot keywords” in my email now!
oh well…
The most this will accomplish is forcing the NSA to build better filters for snooping email, which means about half a billion in taxpayer money. Gee, thanks!
Much simpler solution – start forwarding *EVERYTHING* in your inbox directly to the NSA, in triplicate if possible!
Right. I’m a POI. By extension all of my friends and their friends are POI too.
Parse this, bitches! acetone, aluminium powder, ammonium nitrate, chlorate, gas or extinguisher cylinder, H2O2, hydrogen peroxide, packed into 200 litre barrels, pressure cooker, TATP, yellow stains from picric, ANFO, azide, black powder, booster charge, cheddite, detonator cap, fragmentation, French ammonal, fuel-air dispersal, PETN, styphnate, acrylamide, binary components, brevetoxin, carbon monoxide lecture bottle, castor beans, chlorobenzene, chloropicrin, ciguatoxin, contact poison, dimethyl mercury, dust mask and heavy gloves, fluoroacetate, hazmat, heavy metal, methylenebisacrylamide, odourless and tasteless, on door handles, on handrails, organophosphate precursors, ricin, sarin, uranyl acetate, urushiol, yellowcake, yellowcake protocol, Aedes albopictus, C. botulinum, C. tetani, CDC in Atlanta, CDC in Colorado, chikungunya, Clostridium, culture plate, culturing, dengue fever, legionellosis, norovirus, S. paratyphi, Salamonella, separate mouse breeding facility, serial passage through mice, St Martin, virulent strain, coffinite, davidite, high activity radionuclides, only minimally radioactive, pitchblende, radionuclide concentrate from ore, uraninite, waste radionuclides, basement room, “room 507, after Chavurah”, safe house, union back office, working man’s club, Haganah, Irgun, Ndrangheta, Tablighi Jamaat, AMTRAK, mosque, synagogue, conficker, cyber, mysql, rootkit, scammers, long-term cache, materiel supply, dawa’ah, false hudna, fard, fard al-kifaya, fatd al-‘ayn, ghusl, haraam, makruh, mitigated, mitzvah, mubah, mustahabb, new mitzvot, Sefer Hamitzvot, siddur, submit to fiqh, take no ma malakat aymanukum, the ustadh (you know the one), unforgivable averah, 8 years is much too old for a catamite, aroint thee Satan, Defense, dopy, martyrdom, prepared to die, sacrifice, shootout, unsleeping, willing martyr, Damascus, Haifa, Kabul, the Great Satan, Yuma, asymmetric