Can the government really monitor everything I email?

Or say on the telephone?

What about encryption? PGP? I thought some encryption was so tough it is impossible for all practical purposes to break it. Am I wrong?

If I want to protect my ability to use email without the government reading everything, what should I do?

Very Probably not.

Now, what might you have to hide from us, huh?


Agent Mike......







Honestly, I don't know the answer.

so I guess you either live with it until we can remove these scoundrels from office or relocate to another country.

If it's just a computer listening or monitoring internet traffic for key words or phrases then it's most likely scored and reported if the score goes high enough. If you use PGP encryption on email then I wouldn't expect it to be noticed unless it is flagged for some other reason, such as specific recipients. Even then, considering how much of a backlog there has been for just translating Arabic documents I'd doubt they would even attempt to decrypt anything unless one of the parties of the message was an actual surveillance target.

I'm sure that encrypted data gets an elevated profile. Despite encryption of the data, the routing information tells alot, and from that much can be inferred about the nature of the encrypted data. IE> is it a VPN ? is it FTP traffic of a Warez Pirate? etc.

A friend of mine works at a network security company and designs suites of "intrusion detection, and anomaly detection" software suites that are used by high-security computer shops that demand a high degree of awareness of potential attacks. He's spoken with folks at Crypto-con(?) and he spoke with white hats who said that encrypted data is flagged, tagged and watched.

Apparently one can figure out alot of what is going on between two computers even with the data portion scrambled, using neural nets and timing the way the packets flow etc. one can predict what applications are being run with startling accuracy. (Take this with a grain of salt, since I heard it anectodotally, via a friend of a friend, but a reliable and smart friend nonetheless.)

And like you mentioned if a conversation / interchange of TCP/IP packets scores a certain level, then that could trigger more action by non-computer agents.

...search on...when those words appear in an electronic transmission, fax, or phone conversation, they get flagged to see if a pattern begins to emerge. Those transmissions containing one or more keywords are traced to their origin, and that origin becomes a person of interest.

All of this scanning is done by special satellite systems, and special ground-based systems designed for sifting through enormous amounts of data. That data is sorted and stored in the massive computer systems maintained by the NSA.

I would not count on encryption helping to conceal what's contained in your emails. The NSA has been in the code-breaking business for a LONG time...very little, if anything, escapes them.

And what about this RSA (?) encryption? It's supposed to take a million computers a brazillion years to break it? But the NSA can break it in a timely fashion if they want to?

granted to the NSA during the cold war. You know a secret law.

Dean, Kerry, Conyers, Boxer, Feingold, Reid, Pelosi,Democrat, MoveOn, ACLU, Amnesty. Ritter, Hersch . . .

I get the picture. :eyes:

but I really don't think that's any of the government's business.

president, Islam, Osama, Saudis, Terror, blow up or anything of the sort in your emails. Barbie and white blonde girl goes missing should be fine.

:-)

I know what Photoshop is, but how does that apply here? Are you talking steganography?

And what the heck is Irfanview and how is it relevant?

Thank you.

edited: to insert missing word in subject line

but photoshop is capable of saving data that you can't see ;-)

http://www.irfanview.com/

IrfanView is a very fast, small, compact and innovative FREEWARE (for non-commercial use) graphic viewer for Windows 9x/ME/NT/2000/XP/2003.

It is trying to be simple for beginners and powerful for professionals.

IrfanView was the first Windows graphic viewer WORLDWIDE with Multiple (animated) GIF support.
One of the first graphic viewers WORLDWIDE with Multipage TIF support.
The first graphic viewer WORLDWIDE with Multiple ICO support.


Some IrfanView features:

* Many supported file formats (click here the list of formats)
* Multi language support
* Thumbnail/preview option
* Slideshow (save slideshow as EXE/SCR or burn it to CD)
* Show EXIF/IPTC/Comment text in Slideshow/Fullscreen etc.
* Support for Adobe Photoshop Filters
* Fast directory view (moving through directory)
* Batch conversion (with image processing)
* Multipage TIF editing
* Email option
* Multimedia player
* Print option
* Change color depth
* Scan (batch scan) support
* Cut/crop
* IPTC editing
* Effects (Sharpen, Blur, Adobe 8BF, Filter Factory, Filters Unlimited, etc.)
* Capturing
* Extract icons from EXE/DLL/ICLs
* Lossless JPG rotation
* Many hotkeys
* Many command line options
* Many PlugIns
* Only one EXE-File, no DLLs, no Shareware messages like "I Agree" or "Evaluation expired"
* No registry changes without user action/permission!
* and many more

The ways in which collaborators could communicate over the Internet without ever actually exchanging email or any other transmission are virtually endless. Merely embedding coded messages within the terabytes of photographic images (porn and otherwise) posted to Usenet would pose huge problems for anyone without the how, where, and when information. The huge number of text messaging vehicles (usenet and web) offer endless "hide in plain sight" opportunities. And that's just the Internet.

except for one place, I am probably looking at a terrorist message?

:shrug:

Maybe we should just put our message in our footer:

"Impeach Your Boss!" or

"You work for a bunch of Crooks and Liars!" or

"I know the guy who signs your checks STOLE TWO ELECTIONS"

Something direct. :)

Threads have popped up discussing the subtle but important difference. If most communications routed through major domestic phone carriers and ISP's are being stored/archived as I believe they are, then the difference becomes more important. Others have posted that even domestic phone calls can be routed in and out of country with the collusion of MCI/AT&T or whomever is the carrier. This they believe gets them around the prohibitions on spying without a warrant. However, it appears even that is just window dressing or a step skipped over by commander "I gots warpowers" bunnypants.

If a search for various keywords, hot numbers, regions, topics list, and other types of information is carried out automatically without human intervention, then this process may, in some ways be the way that the intelligence community skirts around the 4th amendment. That the US has these "black" programs (black as in off the budget) like this is well known, and established fact in Europe, see the reports the EU over Echelon in 1999/2000 time frame. Do we have an official secrets act? No but the media sure acts like it with regard to Echelon.

From what I can tell from casual reading of this topic, monitoring and wiretaps are one thing, but the NSA/intelligence community may think that having an automated computer agent "detecting" these items, may provide them with the thin legal shield. IE. if you show up on the list, there is the "probable cause" to open up the "search result" and review the conversation, IM, email etc.

All that being said, I do think that there are secret laws authorizing this type of spying that the congress and senate have signed off on, and probably since the first wireless antennas were set up, or earlier.

PGP and strong encryption are strong enough to foil man in the middle type of snooping. Even though they can be cracked with enough computing power and desire. There have been some amazing advances in the past few years in the ability to shave off time to crack. The FBI demonstrated a vulnerability in wireless encryption (WEP) this year that amounted to a huge decrease in the computing time needed to crack the encoding. Essentially by triggering your routers' Address Resolution protocol (ARP) the FBI crypto guys were able to get WEP to encode a known sized bit of data, and use it as clue or hinting to the cracking process.

1024-bit PGP is good enough for day-to-day stuff, and 2048-bit PGP encryption is practically as good as anyone needs. Then again when you have security of this level, it's easier and more economical for would be snoopers to simply breach physical security and get in on one of the decrypted sides of the conversation. IE. get to the machine where the decrypted text is being read/seen etc.

Collecting from 'open' channels (ones that nobody's trying to hide) is limited only by the amount of computer horsepower one is willing to throw at the problem. It's a problem that can be solved by brute-force work.

But that's the easy part.

PGP (and its open-source relative, GPG (GnuPrivacyGuard) are thought by crypto people to be "probably" unbreakable, and certainly unbreakable by any effort short of the level a government can apply. The fact that the US suddenly dropped the prosecution against Phil Zimmerman, who created PGP, is unexplained. It's possible that they were reacting to the unfavorable worldwide publicity and decided to cut their losses (since the software was out of the bag anyway)...but it's also possible that they managed to break the algorithm. There's no way to know.

As far as being able to automagically understand voice transmissions, I don't believe it. Humans are supremely well-adapted to understanding spoken language, and we can't always understand what's being said even when the speaker wants us to. If you've ever had a hard time understanding someone on the phone who mumbles, wanders, or has a non-American accent, you can appreciate the impossibility of telling someone else (or in the case of the computer, some thing else) how to do it reliably!

And that's just to capture the language at the syntactic level.

Trying to actually make sense of what you've captured and analysed syntactically remains a problem that will always get someone a PhD if they can even take a wee chip out of it. Thirty years ago, Terry Winograd (then an MIT grad student, now a prof at Stanford the last time I checked) wrote a virtual one-eyed, one-armed robot that could discuss and manipulate a simple virtual world of variously colored and shaped blocks. It was a stunning breakthrough...and still is. There's been a fair bit of work on the representation of knowledge (e.g. Roger Schank's work on scripts and plans at Yale), but that is still an unsolved problem. And without the ability to represent knowledge, there's no way to understand natural langauge. Which is why Winograd's work is still a benchmark even thirty years on.

Hope that helps.

They only have to understand traffic patterns to get one heck of a powerful window. All that call metadata is readily available, and indeed the news is reporting that it is what they are actually using. WRT understanding the voice content, the voice recognition software does not need to "understand" what is being said. It only needs to fingerprint it and categorize it using the same kind of Bayesian strategy used for spam filters.

The technology is all there. And encryption won't help unless everyone participates. Otherwise, attempts to use encryption and techniques like steganograpy will in themselves be considered suspicious fingerprints.

And if you really want them to be interested in you, try encrypting your e-mail. I can't think of a better way to pop up on their short list.

First of all, I would avoid PGP, as in the commercial product. My concerns with it are based on suspicion, not fact, so you can take it for what it's worth. Years ago, when PGP was basically free, there was a big hoo-ha about it being "exported" to foreign countries because this interfered with the US's ability to gather information that had been encrypted. The public argument about it was, imo, essentially bogus. The exporting wasn't the problem really because that assumes that no one outside the US could ever create the same kind of program or the cyphers used, which is stupid. It's even more stupid when one realizes the code had *already* been exported, and the cyphers are used all over the world. But what happened to PGP afterward hints at the possibility a "back door" was installed that authorities can use to break any key easily. The people who own PGP deny this, but the code is closed, so no one can examine it to make sure.

The open source version, GPG, is trustworthy, but how secure it is depends on several factors, including, but not limited to, the cypher you use and the strength of your pass-phrase. Some old cyphers are easy to crack with the appropriate computing power. Also, a proof-of-concept has been published showing that some of the more common cyphers, notably SHA1, can be cracked within a semi-reasonable amount of time -- still a long time, but not the billion years once advertised. At this point, the only thing you have to worry about in the latter case, though, is if you are a high priority target for which authorities are willing to spend a lot of time and money to track.

OTOH, the strength of your pass-phrase is often a big issue and the one most easily exploited. If such a thing existed, you could use a cypher that is literally impossible to break within the lifetime of the planet, but if your pass-phrase sucks, it means nothing. The first thing people trying to break encryption do is run a dictionary based "brute force" attack on it. If your pass-phrase is something like "This one is my pass phrase," that will be broken easily because it uses real words in a logical pattern. A better phrase would be something like "dis(1)!IZ.mI,paSss-fraZe." All the words are mis-spelled, it contains both capital and lower-case letters, it has numbers, and it has "special" characters, i.e. the punctuation. Adding length is good as well. My personal GPG pass-phrase is a nonsense phrase over 200 characters long that contains numerous special characters, numbers, massive mis-spelling, and has the real words that inspired it rearranged in non-logical ways. The trick was memorizing the damn thing.

If you go to these lengths, no one is going to crack your encryption in any reasonable amount of time unless you are, perhaps, the bearded one himself, and authorities decide to turn every bit of processing power they can muster loose on your encryption.

Now, having said all that, the mere fact of having an encrypted file on a computer has been used as "probable cause" to get a search warrant. One current case of which I am aware is also using the fact a person did a DOD-strength wipe of his hard drive as evidence that he had illegal materials on it at one time -- after all, why would an innocent person want to go to such lengths to clean data? :sarcasm: The guy is most likely guilty of what he is accused of having, based on other material found in his home after a search warrant was granted under the probable cause terms mentioned previously, but the use of the *lack* of evidence *as* evidence is appalling because that can be used to detain or just harass perfectly innocent individuals.

The real key here is convincing as many as people as possible to start using encryption. Most of my e-mails to people I know are encrypted, and if they aren't, the contents of the e-mail contain no personal information other than my name. I tell people up front if they want to receive e-mail from me beyond the first initial exchanges, they must install and use encryption. The more people using it, the harder it is to mess with any single individual, sort of the same theory behind mass protest. You need large crowds to protect yourself.

I had not kept up on GPG vs. PGP and the inability of PGP to prove no backdoor had been added.

Thanks for posting this info. Now I'm off to get the latest GPG binaries. But can I trust the binaries ? who watches the watchers ? ;-)

Not being proficient in examining source code myself, I have that very concern. I am only soothed by the fact that the source is available, that you can compile a working program from source, and that anyone can look at it. Considering the level of paranoia among networking and programming gurus, I feel the odds would be that someone would have discovered a problem, or at least a hint of a problem, if one existed.

Just to reiterate about the PGP thing, what happened with it is purely suspicion. As was mentioned in another post, the government basically dropped the matter without a lot of explanation, and after that a new version emerged. I'm probably wrong about what I think happened behind closed doors, but with an open source version available that does everything I need it to do, I'd rather not bother with the possibility.

thanks for explaining that! I used to use PGP but I just got out of the habit of it.

Before the NSA story came out, I got a new program that randomly changes my IP address. In the past couple of weeks, it's shown China, Viet Nam, Mongolia and the US.

Should I be worried about using something like that? I mean, if they believe I'm outside the US, then both me and everyone I write to could become a suspect. Of course, now that they're also snooping on people (where both contacts) are inside the US.......does it really matter?

I'm assuming what is happening is that the program is routing you through random proxies, some of which are in foreign countries? That kind of thing is really, really hard to track, but, again, it depends on if you are an actual target. People engaged in illegal activities often do this sort of thing, and it helps hide their tracks. However, chances are one of those proxies you hit will be one of those that is a front for a government sponsered sting operation, one that advertises itself as anonymous but really isn't. And that proxy will keep a log of data that runs through it, and if any of it is of the kind the authority in question is trying to track, your real IP will be flagged. That could then lead to your ISP being forced to cooperate with monitoring your activities, and at that point, no proxy is going to help you hide anything because you'll be monitored at the source of your connection.

The benefit of a proxy is hiding you from spammers and others attempting to engage in illegal activities by targeting you. The random proxy model is very good at preventing that.

Anyway, the use of the proxies themselves shouldn't be a source of much concern, or at least that would have been my advice before I realized communication of any variety outside the US was being monitored in this way. Hell, I read online newspapers around the world on a daily basis, and what you're doing would be no different.

I'm not trying to scare anyone or instill any more paranoia. The point I'm making is that if they *want* to track you, they will, but I don't think merely hitting a foreign server would be sufficient cause for them to want to track you because so many people do that every second, tracking all of them would be an incredible waste resources that pretty much made their whole operation pointless...too much trash in the pile to find the dirt.

.....I was wondering if, just because I'm using this random IP thing, if that would give them reason to suspect my activities.

And really, I'm on the computer ALL of the time!! But even if they looked into my communications, I doubt they would find anything.

Thanks for the info!!

Systems like Carnivore and Echelon are mostly automated. They look for keywords and other warning signs. They are flagged, and if it's not that interesting, it's probably just stored away in a database and probably erased after a period of time lapses, but if it is something they might find interesting, they will review your transmission, and if it's something they want, they will watch you.

I wouldn't bet my life on commercially available encryption systems as protection against something such as Bush's government. You're better off not using the internet if you have information that important.

Also, see RoyGBiv's post above mine. He knows more than I do.

Regardless of who or how many are being targeted by bush and his boys its that threat of being spied on that makes one walk the straight and narrow, afraid of offending the king . I have this nagging thought that I'm being watched as I type and I know better. Its that psychological thing that gets ya.

For a demo go here:
http://www.cs.vu.nl/~ast/books/mos2/zebras.html

Here is a pretty good one for JPG files:
http://steghide.sourceforge.net/

The government, if determined can crack practically anything, except PGP. But to thwart most casual government sneek-peek, steg will bury most stuff pretty good.