
Don't Even Think of Using Encryption Software to Escape NSA Scrutiny - ColinWright
http://www.dailykos.com/story/2013/06/24/1218418/-Don-t-Even-THINK-of-Using-Encryption-Software-to-Escape-NSA-Scrutiny
======
msy
And this is why we all need to start encrypting everything. Every HTTP
request, every email. There's strength in numbers and privacy in a crowd. They
may have massive resources but they're not limitless, we have the technology
available to render tools like PRISM unfeasible for the foreseeable future,
the choice is ours.

~~~
msy
I can't edit that now but actions speak louder than words - get your GPG key
set up today:
[http://gpgtools.github.io/GPGTools_Homepage/keychain/](http://gpgtools.github.io/GPGTools_Homepage/keychain/)
It takes 5 minutes, tops. If you've spent 5 minutes talking or worrying about
this issue you owe it to yourself to do it. Set it up with your favorite email
client and encourage your friends to do the same.

My public key is here:
[http://sho.ch/alexgraul.publickey](http://sho.ch/alexgraul.publickey) and on
the gpg keyserver, where's yours?

~~~
leephillips
I've had my public key available on my website for years. Nobody uses it. The
problem is social: people are not in the habit of using encryption and only
the technically adept have any idea how. Even my correspondents who know how
to use gpg don't bother.

~~~
acabal
That, and the fact that public/private key encryption is difficult to
understand on a conceptual level, uses poor, inconsistent, or misleading
terminology, and has a user-hostile interface with GPG or a buggy and error-
prone interface with Enigmail. The problem is social in part because we've
done such a poor job packaging and marketing the solution.

~~~
unimpressive
This, a thousand times this. I could write an entire post on the key metaphor
alone. I don't think anyone has ever had their conceptual understanding
_improved_ by calling the codes you use to encrypt and decrypt things 'keys'.
If we insist on calling them that, can we at least make sure to explain _why_
it's called a key, instead of giving people the impression that it somehow
works like an actual key?

~~~
milfot
maybe the public key should be called a lock.. lock and key makes sense to me

~~~
jessaustin
Except in other contexts, the use of the public and private keys is reversed.
I use my private key to generate signatures: does it aid understanding to tell
someone to use my "lock" to verify such signatures?

~~~
ippisl
Just tell the user he can't sign things without a profile, and make keys with
each profile.

------
davidjohnstone
As a non-American, apparently I'm already fair game, so there's no harm in
using encryption.

~~~
noarchy
What is quite telling (at least within US media coverage) is that it is
apparently only controversial that the NSA is spying on those in the US. The
complete disregard for everyone else in the world seems almost casual, as if
it isn't an issue at all.

But indeed, let's keep using encryption. It is, after all, the US government
that has a long history(1) of trying to keep encryption out of our non-
American hands.

(1)
[http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_U...](http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States)

~~~
colinb
Why would you expect the US government, or ANY government to respect the right
of privacy of citizens of other countries? The first duty of government is
surely to protect the interests of the country to which it belongs - note that
I'm in favour of governments belonging to countries, not the other way around.
And that first duty surely indicates that any government should do its upmost
to pry into the business of anybody where doing so will offer advantage to its
citizens.

Furthermore, it would be weird if this didn't happen. And if your country,
whichever one it is, isn't doing this, and some horrible thing happens which
might have been avoided by this kind of spying, then your co-citizens will be
rightly outraged and demand to know what the hell your government thinks it is
doing.

But, equally, your government might [ought?] to consider what it can do to
protect its citizens from foreign spying.

Most wicked in all of this is not that the spying takes place, but that it
does so within the most diaphanous of legal frameworks. I understand that my
government might want to spy on me if it thinks I'm involved in something
illegal, but I damn well want a clear, unambiguous, legal framework that says
who gets to authorise that spying, for how long, and on what grounds. Oh, and
the person who does that authorisation had better be a judge, or an elected
official that I can un-elect.

All this we're-so-clever-because-we-found-a-way-to-subvert-the-law-by-cleve-
interpretation nonsense needs to be stopped in a career ending way for those
doing it. Oh, and the politicians who gave it a wink and a nod need to be
named so we can decide what to do with them at the next election.

In summary, countries spy on foreigners. Always have. Always will. But that
doesn't excuse them spying on their own. That kind of behaviour has a bad
reputation, for a bunch of historically valid reasons.

~~~
lancewiggs
The current state is a sadly very country-centric perspective.

I'd like to live in a world where we all were able to assert our rights, as
stated most elegantly under the Declaration of Human Rights (1).

Article 7: All are equal before the law and are entitled without any
discrimination to equal protection of the law. All are entitled to equal
protection against any discrimination in violation of this Declaration and
against any incitement to such discrimination.

Article 12: No one shall be subjected to arbitrary interference with his
privacy, family, home or correspondence, nor to attacks upon his honour and
reputation. Everyone has the right to the protection of the law against such
interference or attacks.

Article 14: (1) Everyone has the right to seek and to enjoy in other countries
asylum from persecution.

Article 19: Everyone has the right to freedom of opinion and expression; this
right includes freedom to hold opinions without interference and to seek,
receive and impart information and ideas through any media and regardless of
frontiers.

The USA's own Elanor Roosevelt was the Chair of the CHR, which drafted the
Declaration, and the US is a signatory. (2)

(1)
[http://www.un.org/en/documents/udhr/](http://www.un.org/en/documents/udhr/)
(2)
[https://en.wikipedia.org/wiki/Universal_Declaration_of_Human...](https://en.wikipedia.org/wiki/Universal_Declaration_of_Human_Rights)

~~~
Roboprog
Well, maybe, but I think I somewhat prefer the old fashioned way where at
least a democracy or republic looked after the interests of its citizens, and
hopefully the citizenry had some concept of ethics and fairness towards others
in the world.

Now we seem to have this attitude of "Justice for _all_ (multinational)
corporations!". Voting the wrong way is terrorism, as far as some of these
interests are concerned :-(

------
bornhuetter
Maybe we need the "Herd immunity" of a large number of people using encryption
software. If a sufficient number of people are using encryption, then
targeting those users becomes less worthwhile.

~~~
antocv
In a world were most people would use encryption, NSA and other agencies would
just backdoor consumer hardware or libraries such as OpenSSL and pretend to
cry over their sudden loss of power.

Technology is not the solution to this problem, it is society and it can be
solved by rule of law, accountability, revolution and such old forgotten
concepts.

~~~
Karunamon
OpenSSL? You mean the open source software with a million eyes on it?

Technology is not _the_ solution to this problem, it is _A_ solution, among
others.

~~~
antocv
Really, a million eyes on it? Okay, lets go with that,

to compile OpenSSl you need a compiler and an entire toolchain, an
operatingsystem, microcode and hardware. In any layer it is possible for an
organization such as NSA to do its dirty deeds.

They dont fabricate their own chips/hardware for fun. Well, maybe for fun too,
but not only for fun.

~~~
jessaustin
Sure we can't go around trusting trust. OTOH most of the compilers in general
use see a number of eyeballs. Ditto for the operating systems. I could even
see this becoming the case for hardware eventually. An evil system must model
the system that relies on it in order to attack that relying system, while
remaining functional in general. The longer you make the chain that inserts
your nasty code into higher-layer objects, the more complicated, fragile, and
discoverable the attack becomes.

------
zeteo
This doesn't follow. The article makes two points:

1\. The NSA is allowed to store and analyze encrypted data longer than
unencrypted

2\. US citizens' encrypted data will be treated the same as non-citizens'

It still seems you have a much better expectation of privacy by encrypting
your data and trusting to mathematical proofs that it would take thousands of
years to break it; rather than leaving it in the clear, and trusting to five
year storage limits and the supposed privileges of American citizenship.

~~~
quux
Keep in mind that as a rule of thumb, its useful to assume that the NSA is
about 20 years ahead of the public in crypto research. Even if systems like
HTTPS and Tor appear secure today, the NSA may already have knowledge of
weaknesses that we don't.

~~~
jnbiche
Do you have any kind of source or citation for this? Where does "20 years"
come from?

~~~
quux
I think I first heard this when I took a crypto course in college and read
Applied Cryptography, by Bruce Schneier.

There was a section in there about the development of DES. At some point the
researchers at IBM showed their work in progress on DES to the NSA, and the
NSA made a few suggestions on improvements, one of them was a different set of
S-Boxes (basically a bunch of constants used as part of the cipher.) IBM
analyzed the new S-Boxes and could find no weaknesses so they used the ones
the NSA recommended.

Over a decade later, differential cryptanalysis was discovered and it turned
out that the tweaks the NSA had suggested made DES particularly resistant to
differential cryptanalysis.

After doing some googling, it seems like the gap has closed since that book
was written. They are still ahead, but not as much as they were in the 80's
and 90's. Or maybe that's just what they want us to think ;)

------
weland
I have a small conspiracy theory going, that they are using this sort of
articles to discourage people from using encryption.

I suggest that we all create a handful of large files from /dev/random, make
torrents out of them, and seed them until their servers bleed out.

~~~
drKarl
For me it´s not a theory, thats what I said in my comment and I´m pretty sure
they ARE actually using these articles to discourage people from using
encryption.

Your idea of seeding some /dev/random or attaching some /dev/random to emails
sounds like a great idea, and also funny, to me. We should definitely do that!

~~~
sigkill
Is 1 gigabyte fine?

~~~
darxius
Make a quick website (hosted on Github or whatever), with a bunch of torrent
links to a bunch of huge encrypted files.

Then spread the word and give them something to spy on.

~~~
drKarl
Wouldn´t they probably find that github and just discard those torrents from
their cryptanalysis?

~~~
kernel_sanders
What if some percentage of the torrents there were used to transmit secret
information?

~~~
darxius
1GB per 1B of hidden data. Let's see how fast we can fill their storage.

------
danbruc
I'd rather prefer they store my encrypted data forever over storing my
unencrypted data for five years. Yes, they might be able to break the used
cipher during my lifetime but there is at least a (good) chance that they will
never see my data in plain. Therefore I have to completely disagree with the
headline.

~~~
Swizec
XKCD once had a very salient comic on this point:
[https://xkcd.com/538/](https://xkcd.com/538/)

The idea being, you _think_ they can't break your encryption, but they can
just break your fingers one by one until you tell them the password.

~~~
TimCinel
It's not really useful in defending this point because the threat doesn't
scale.

The NSA can't hire enough heavies to break fingers of every person sending and
receiving encrypted data (assuming they could even find the people sending and
receiving it without first decrypting).

~~~
scarmig
Could be a new jobs program.

------
mtgx
Great, so the choice is between using everything in the open, unencrypted, and
then _maybe_ they won't look at it, or encrypt it and then there's a very high
chance they'll look at it.

It seems to chill speech either way. This is why the wholesale spying must
stop.

~~~
drKarl
I´m pretty sure the unencrypted communications will be automatically parsed
and processed to look for certain patterns or keyword, and if not found,
ignored, but after processing nonetheless.

They can attack an encrypted communication and probably decrypt it, but they
just want you to be afraid of encrypting with fear of being targeted so that
they have it easier to process your information.

But that´s a fallacy and a puny tactic to make the general public afraid of
being under scrutiny because of the very reason of using encryption.

They might be able to decypher encrypted communications if they are the
minority, but even with their big supercomputers and billions of dollars, I
doubt they would be able to process people´s communication if encryption was
the majority of communications.

And these articles work towards the NSA´s goals and agenda misleading the
public in thinking that it´s better not to use any encryption at all. If the
public was educated on this subject and everyone used encryption, I guess they
would have a really hard time processing all this information...

~~~
rgbrenner
"They can attack an encrypted communication and probably decrypt it"

Why this assumption? The NSA has NO super-human abilities.

And one of their jobs is to protect gov secrets. Which is why they
participated in the AES standard. If you really believe they can decrypt AES,
then you believe they chose an algo that is insecure, than would allow China,
Russia and others with similar abilities to read any of our nation's secrets.

Not to mention, that there are currently no known attacks that would allow
them to decrypt AES in any reasonable amount of time, even if they had every
single computer in the world.

If you really believe the NSA can decrypt anything, then you're out in
conspiracy-theory land, with magical yet-to-be-invented computers, and humans
with super-math abilities.

~~~
SideburnsOfDoom
> The NSA has NO super-human abilities.

No, but they do have a larger hardware budget than you. And a larger budget
for crypto research.

~~~
DennisP
A larger research budget than the entire open cryptographic community? Maybe.
But it's not just about budget. A lot of the smartest cryptographers don't
work for the NSA anymore, because they like to publish their research, and/or
because industry pays better.

If you haven't broken the algorithm, a "larger hardware budget" really isn't
helpful at all. Key sizes are big enough that the laws of physics prevent you
from brute-forcing them. From Bruce Schneier: "If we built a Dyson sphere
around the sun and captured all its energy for 32 years, without any loss, we
could power a computer to count up to 2^192. Of course, it wouldn't have the
energy left over to perform any useful calculations with this counter."
[http://www.schneier.com/blog/archives/2009/09/the_doghouse_c...](http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html)

If they've made a huge breakthrough on quantum computers, they could break the
popular public-key algorithms, but could only halve the effective key size of
symmetric algorithms.

~~~
SideburnsOfDoom
> Key sizes are big enough that the laws of physics prevent you from brute-
> forcing them

A lot of it still boils down to password guessing. The limitation is in the
user's choice of password, not the laws of physics.

Given the techniques listed here [http://arstechnica.com/security/2013/05/how-
crackers-make-mi...](http://arstechnica.com/security/2013/05/how-crackers-
make-minced-meat-out-of-your-passwords/) (e.g. generating password guesses
with Markov chains) suprisingly long and un-obvious passwords are found
without brute-forcing the whole space. In other words, you have to pay
attention to a whole lot of lateral things to actually be secure. The
mathematical properties of the key-space don't matter if your OS has been
backdoored and a keystroke logger installed.

~~~
DennisP
That's only true if you have a copy of the user's encrypted private key.
You've got that if you've confiscated his hard drive, but it doesn't go over
the wire. The key itself is random.

A keylogger bypasses the whole thing but so far nobody's accusing the NSA of
hacking lots of domestic computers, and that would definitely do away with the
excuse that "we didn't know he was in the U.S."

~~~
SideburnsOfDoom
> That's only true if you have a copy of the user's encrypted private key. it
> doesn't go over the wire.

I know several people who have put all of their (strong) website passwords in
a 1password/keepass/truecrypt file covered by a password that they can
remember and type; and then put that on dropbox. Over the wire. I am assuming
that this is compromised now.

> nobody's accusing the NSA of hacking lots of domestic computers

Except for here [http://www.bloomberg.com/news/2013-06-14/u-s-agencies-
said-t...](http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-
data-with-thousands-of-firms.html) and [http://blogs.computerworlduk.com/open-
enterprise/2013/06/how...](http://blogs.computerworlduk.com/open-
enterprise/2013/06/how-can-any-company-ever-trust-microsoft-again/index.htm)

> "we didn't know he was in the U.S."

I am sitting in front of a domestic computer that is not in the US. The line
about "but only for non-americans" is no reassurance whatsoever to the world.

~~~
DennisP
Yes, some people will do silly things.

I was familiar with both those stories, and neither is about the NSA hacking
into domestic computers (by which I mean, computers in the USA, which is
"domestic" for the NSA). Voluntary cooperation by firms is not the same as the
NSA surreptitiously installing keyloggers.

~~~
SideburnsOfDoom
> Yes, some people will do silly things.

And yet you were arguing a few comments up that the keyspace that 1password
etc use was too large to ever crack. But you have to remember some master
password. Your crypto is only as strong as the weakest part.

> domestic computers (by which I mean, computers in the USA)

I'm sorry, I thought that you meant "computers in people's houses". In the USA
or not, I could _not_ care less.

> Voluntary cooperation by firms is not the same as the NSA surreptitiously
> installing keyloggers

The keyloggers is a logical endpoint of what they would do with the 0-day
exploits mentioned in the two articles. Not directly related to the
"cooperation by firms"

------
furyg3
US Persons are protected from surveillance without a warrant. This is a right
guaranteed to them by the Constitution. The burden of establishing if someone
is a US Person should fall on the government agency performing surveillance.

If they cannot establish if a US Person is party to the conversation, they
should assume one is and remove the potential of violating this
constitutionally guaranteed right. This could be due to a failure of the
service provider (Google, Verizon) to collect this information (they don't),
or the fact that the communications are anonymous or encrypted, etc. Proving a
negative can be tough, but that burden is the government's to bear.

Of course there is also a moral component… I'm pretty shocked that as
patriotic as we are about the sacred rights of the constitution, we somehow
feel that it is morally ok to not afford these protections when dealing with
foreigners. The Declaration of Independence says:

 _We hold these truths to be self-evident, that all men are created equal,
that they are endowed by their Creator with certain unalienable Rights, that
among these are Life, Liberty and the pursuit of Happiness._

With the rights to be enshrined more specifically later in the Constitution.
How can anyone passionately agree with these words and not believe that the
just treatment afforded to US citizens should somehow not be afforded to non-
citizens, or citizens who choose to use a particular software program?

~~~
superuser2
Lawyers on HN and elsewhere have been pretty unequivocal in stating that the
4th amendment protects possessions, not communications.

~~~
LoganCale
Phone calls are protected by the 4th Amendment but emails are not. (Under
current interpretations of the 4th Amendment.)

~~~
mpyne
Well, even phone calls are weird.

The Supreme Court said that people have a reasonable expectation of privacy
while using the phone, and that therefore the 4th Amendment applied. Part of
the reason people had that expectation was that Congress had introduced much
stronger regulation of telephone circuits in 1934 so it wasn't like just
anybody was allowed to tap into utility lines.

However the only protection is the _expectation_ of privacy, which Congress
can take away by saying "you should not expect communications to be private in
these situations". And that's exactly what they did in 1968 in response to
those Supreme Court decisions.

One important provision of that law were that the President was allowed to
take " _such measures as he deems necessary:_ "

 _to protect the nation against actual or potential attack or other hostile
acts of a foreign power, to obtain foreign intelligence information deemed
essential to the security of the United States or to protect national security
information against foreign intelligence activities_.

EMails have less expectation of privacy, though Congress did try with ECPA
(which was passed when POP was the way to obtain email, not IMAP). But even
ECPA gives broad exceptions for FISA surveillance.

~~~
jessaustin
_Part of the reason people had that expectation was that Congress had
introduced much stronger regulation of telephone circuits in 1934 so it wasn
't like just anybody was allowed to tap into utility lines._

I wonder how well we would take it if we discovered that in addition to the
NSA, Gmail was also sending all communications directly to Joe Blow in Podunk,
Indiana, for his personal edification and entertainment? After all, it's not
like we had any expectation of privacy for our email. What laws would this
violate?

~~~
mpyne
Well, is Joe Blow a Google employee? It might not break any laws at all in
that case.

If he's not a Google employee it would probably violate ECPA, but ECPA
explicitly allows foreign intelligence surveillance to occur (even over the
Internet), so that wouldn't help against government surveillance being done in
accordance with FISA.

~~~
jessaustin
No, Joe Blow is just some random dude. He did Sergey a solid once, and in
return he gets access to all of Gmail. ECPA is a dead letter, and was
specifically about government not private actions anyway.

My point, which admittedly I'm still not making clearly, is that it's weird to
consider phone calls to be some sort of judicial fluke that was far outside
accepted 4th Amendment jurisprudence. Americans didn't want the government
listening in on their phone calls. Since we clearly couldn't elect a
government that would abstain from that noxious practice, it was a good thing
the third branch stepped in for a time to stop it. Maybe sometime in the
future we'll be that fortunate again.

 _If_ one is uncomfortable with the Joe Blow example, consider how much
_worse_ it is for the government to be reading all of Gmail than it would be
for Joe Blow to be doing that.

------
jwr
Actually, if I go to the trouble of encrypting my data, I have nothing against
someone storing it indefinitely. That's the whole point of encryption — it no
longer matters who has the data, it only matters who has the key.

~~~
adamman
You have nothing against someone storing it indefinitely, but I bet you have a
problem with them now thinking you might be a bad guy. Will they listen to
your phone calls to find out if you are in fact a bad guy?

~~~
uxp
True. In a perfect scenario I would rather the NSA not store my communications
at all, and have them no reason to even look at me to assume I am either good
or bad.

But, unfortunately, looking at the absolute pushback from congress and the
white house over this whole thing, it's pretty clear the citizens have
absolutely 0 say in the matter. After all, we're just ignorant sheep. They're
the ones will all the knowledge and we should just trust them. We're not going
to be able to change the NSA's policies or magically make everyone follow the
constitution and the law to the T overnight. This is a compromise on our end.

The NSA may have a large amount of resources for storing and running attacks
on my emails, but they don't have limitless resources. For every hour they
spend bruteforcing my keys to recover a sappy "Just thinking of you <3" to my
wife, the less time they're spending bruteforcing someone else's emails.

------
PavlovsCat
Personally I thought encrypting stuff was just a temporary middle finger, and
denazification the long term solution? After all, you don't get safety by
complying with commands from your predators, that just gives them ideas.

So how about simply ignoring all that. Think of vampires; they can't get in
without your permission, and sunlight kills them real fucking quick, so quick
you will doubt they ever existed. Sure they can be dangerous, but their main
tools are lies, and foolishness of their victims.

As Assange pointed out, censorship betrays fear. These people have nothing but
a huge house of cards. Even if they ruled forever, they have nothing inside;
they are a clenched fist around nothing, around a bluff, around fear. So they
already lost anything humans can loose, they already went the way of the
dinosaur, at "best" they can take us all with them.

They have my pity, and those who are still able to get out I wish the best,
but the rest should simply learn to know their place already.

Regards, a deluded narcissist, writing from the fortress of his mind,
unimpressed by noob stuff such as death.

------
PurplePanda
Since I am not a citizen of that country I am quite happy to "not be treated
as a United States person". And from the other point of view, Americans and
American companies are surely aware of organisations other than local ones
that they might want to keep secrets from, so I'm not sure that this
information should change anyones behaviour.

------
pyvek
Even if you don't encrypt your communications, can you be sure that NSA will
not store your data indefinitely? Sure, they can pass the raw unencrypted data
through their system, parse out the important bits, save them in a database
with a unique key for you and then throw away the raw data. Are you OK with
that? They have lied in the past and might even keep that raw data as well.
How will you know?

IMO, best bet is to keep it all encrypted. It sounds like an attempt to scare
people into leaving their stuff open.

~~~
orthecreedence
Exactly. We're operating on the assumption that they are telling the truth. I
think that's a pretty stupid assumption.

This is just a scare tactic to get people to _not_ use encryption, but it's
also dimwitted because they could get a lot more mileage by saying "we can
break all forms of encryption" and the American public would probably believe
it (even with Snowden/a vocal minority calling out the NSA on the lie). The
media would most likely propagate the lie because they don't seem to care
about the rights/freedom of the people in the US more than creating a scare
frenzy.

In summation, the NSA are liars and will keep your data regardless, so encrypt
everything, don't put anything sensitive on Google, Skype, Dropbox (you'd have
to be _really_ stupid to do this anyway), and call your senator.

~~~
LoganCale
It's possible they're pushing the story now as a scare tactic, but the source
of this information is a document from the DoJ authorizing the NSA to collect
and store U.S. data in certain cases, leaked by Snowden.

------
graycat
But, but, but we know for certain that there's nothing to worry about, nothing
wrong, no violation of the Fourth Amendment. How do we know? Because the FISA
court, all bow down, assume an appropriately servile, submissive, obsequious,
respectful posture, told us so!

And we all know that the FISA court is infallible, the great Wizard ("pay no
attention to the man behind the curtain"), deserving of all our trust, right?

Thank you; thank you; thank you, oh wonderful, all knowing, all seeing, all
wise, all powerful, wonderful FISA court watching over us and taking such good
care of us!!

FISA court, I don't know who you are, where you are, what you do, or how to
contact you or review your work, but I know that you are now watching over all
of us.

What a new day! For 200+ years we've had the restrictive Constitution from
those skeptical founding fathers and suffered under such paranoia as

"The price of liberty is eternal vigilance"

when all we needed was the wonderful Father FISA court! Why didn't the
founding fathers think of this???? I can believe that Hitler, Stalin, Mao, and
even Pol Pot thought of this -- why not our founding fathers?

At a secure, undisclosed location in the private chambers of the FISA court:

"Darn, why can't we keep those ink pads for our rubber stamps in stock?

Oh, well, the rest of the day is shot. Back to watching those SnapChat
intercepts from Sweden!".

------
INTPenis
To whomever came up with that title; Never, Ever tell people not to encrypt
things!

------
binarymax
If you are using Tor correctly, they can't target 'you' because they don't
know who 'you' are. Also, have fun storing indefinitely all of my banal
communications until forever.

~~~
lscritch
>If you are using Tor correctly

How can you be sure "they" are not running the exit node?

~~~
delinka
They still don't know the source of the communication. Running an exit node
means they can see where traffic is headed as it emerges from Tor, not that
they can magically determine from whence it came.

The problem here is that the destination can identify you. You, after all, are
the one paying for that VM instance at that IP address within AWS. Who else
would be connecting via SSH?

------
bsenftner
Isn't every https page load and form submit an "encrypted communication"? This
article seems to imply that any secure online surfing or shopping would
trigger this "capture the encrypted communication" stuff. Thisvdoesbnot make
sense.

------
anologwintermut
This is a distraction. If you don't trust the NSA's oversight, then you should
assume they keep everything for ever and taking issue with them being able to
eavesdrop so easily.

If you do trust the oversite, it makes sense that they keep encrypted data
around since they have no easy way of knowing if its from a US person or not.
Once they decrypt it and find out it is a US person, thats where you should
focus. It should be as if they collected US Person data originally and should
count it as collected when they actually got it, not decrypted it.

As to the argument that the NSA could count anything as encrypted. Yep, they
could. See point one.

------
decasteve
The NSA's resources are finite. The more people that use encryption the more
resources needed to store and attempt to crack it.

Not to mention a push for users to continually adopt stronger encryption.

------
marc0
I always wondered why there are no mainstream mail clients which use
encryption by default. With "by default" I do not mean that it's an option
that may be turned on or not. Rather, as soon as an e-mail address is entered
when composing a mail the client should search the key servers for available
public keys, import them and encrypt the message. Likewise, it shouldn't even
be possible to launch a mail client without having generated a key pair for
your address.

I see of course that there is this movement towards webmail, and this makes
things more complicated. Wouldn't it be possible to write an online version of
an encryption-friendly mail client? I mean, a web service which polls your
mails via POP/IMAP from any server, and where the encryption is done client
side in javascript. If that doesn't exist, maybe we should write one.

------
gasull
Isn't this giving in and doing exactly what they want, always using
unencrypted communications?

The question is, how much do you want an unchecked organization with no
oversight to know about you? Do you trust the NSA to know everything about you
and never do anything wrong with it, 10, 15 or 20 years from now?

~~~
gasull
Also, Snowden himself said that encryption works:

[http://www.guardian.co.uk/world/2013/jun/17/edward-
snowden-n...](http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-
files-whistleblower#block-51bf3588e4b082a2ed2f5fc5)

------
1337biz
Random question: Is there some way to troll NSA by 42 zip exploits, i.e. a zip
file that includes always bigger and bigger emptied zip files, only this time
with relatively easy to crack passwords. Would be fun giving these some
suspicious sounding names and sending them around in circles.

------
vilya
If only we could get spammers to encrypt everything they send...

~~~
lucian1900
If only encrypted email was accepted, precisely that would happen :)

------
pvaldes
unless everybody else does...

------
sigkill
Along with the headline, the layout of the header picture (with the man
holding the flag) gives me the creepy 1984-ish vibes.

------
205guy
Sounds like US citizens should have an unencrypted email signature saying:

My name is XXX, I am a US citizen. My address is YYY. By the rights guaranteed
by the US Constitution and supported by federal courts, the contents of this
email are encrypted, private, and require a valid warrant to be intercepted,
stored, or accessed by the US government.

------
hamoid
What if we all start attaching files with random content to our e-mails? An
extension could do this automatically. Can the output of "dd if=/dev/urandom
of=unicorns.pgp bs=1 count=1024" be easily distinguished from a real pgp file?
No one could ever decrypt these files.

~~~
edwintorok
Attaching random content to emails reminds me of Emacs's 'M-x spook' command
(and I'm not even an Emacs user).

As for distinguishing random data from PGP that is very easy: PGP messages
(even binary ones) have some headers that determine who the recipient is, what
encryption is used, etc. See here for the format of PGP messages:
[https://tools.ietf.org/html/rfc4880](https://tools.ietf.org/html/rfc4880)

What you could do is to generate a public/private PGP keypair, then _destroy_
the private key, and encrypt your /dev/urandom data using that public key.

~~~
hamoid
In that case one could create an extension that creates a PGP keypair _for the
recipient_, attaches encrypted crap to the e-mail, and deletes the private
key. Is that what you mean?

The idea is to add by default an encrypted message to all e-mails that contain
nothing useful, to make it indistinguishable from e-mails that do contain
useful encrypted stuff. Is that possible? Does it make any sense?

------
bjf
Is using a service like privnote a plausible way to communicate privately?
According to the privacy policy, at no time is any note held in any readable
format state on their servers. Also each message 'self destructs' after being
opened one time.

~~~
DanBC
Always assume "No" unless you have a bunch of established crypto researchers
who've looked at the system and who are prepared to use it themselves.

People might say that "there are no posted attacks for privnote", but that
just means the bad guys haven't told you they can crack your encryption. Since
bad guys will never tell you that they can crack your encryption you must not
assume lack of evidence of cracks is the same as lack of cracks.

([http://pablohoffman.com/how-privnote-really-
works](http://pablohoffman.com/how-privnote-really-works))

There's some stuff that is vaguely worrying about privnote.

Really, learn GPG / PGP. Help other people learn it. Fix the UI. Fix the
documentation. Sign everything. Encrypt everything.

------
lawl
Doesn't matter, you should still encrypt anything. If they manage to break it,
cool. If they use it against you it will become public knowledge what ciphers
have been broken by the 404-Agency. Then just switch to a different cipher or
up the bits.

------
kamjam
I starting to get the feeling that the best way to "encrypt" my data and stay
safe from the watchful eyes of all the various agencies around the world is to
just to go back to good old fashioned mail that physically gets posted in a
box!

------
eliasmacpherson
This article is idiotic, should I stop using HTTPS too? Telnet in to work?

------
Nano2rad
If you are considered a foreigner they have to break the encryption. If you
are US citizen, constitutional restrictions have to be overcome. Nothing lost
when encryption is used.

------
muyuu
[http://www.garykessler.net/library/steganography.html](http://www.garykessler.net/library/steganography.html)

------
IceyEC
the statement "communications that are enciphered or reasonably believed to
contain secret meaning" tells me that it doesn't even have to use Tor or be
encrypted in any way. Double entendres, for example, contain 'secret meaning'
and thus would also be included just as easily as encrypted communication!

------
zby
Whatever - I am not a USA citizen - so they keep my communications anyway.

------
dbg31415
I wish things weren't the way they are.

------
alexqgb
I'm routinely hostile to people who use the "If you have nothing to hide you
have nothing to fear" apology. Few positions encapsulate a more dangerous
concept of proper relations between the state and its citizens. And yet, when
I think about how I actually live my life, my basic assumption is "I'm not
doing anything wrong, I'm okay." The difference between how I think and how I
behave is pretty glaring.

Yeah, yeah, three felonies a day. I know. But there are a third of a billion
people in the US. Given a billion felonies a day (more or less), it's easy to
find comfort in statistics and probability. Honestly, I've got bigger and more
likely problems to worry about than getting sucked into some Kafkaesque
nightmare (though, like an attack by shark or bear, it's not impossible).

No, what really concerns me is the emergence of a belief that the government
is an impervious citadel, fortified against any democratic control or
correction. When stuff like the spying scandal, or the crime spree on Wall
Street, goes unchecked (let alone unpunished) it saps political will in
general, and that leads to a social environment that really is intolerable. A
tiny portion of the population resorting to encryption doesn't do anything to
change that. The truly appropriate response is a political one, and one that
goes well beyond the mass surveillance issue in particular. Specifically, we
(the people) need to recover control of our own Congress.

The mushrooming scandal with spying fits a broader pattern of regulatory
capture, adding to the constellation of toxic effects that result. But at the
heart of all this corruption, there's a relatively vulnerable target. That's
because the mechanics of capturing legislators rest of four key pieces:
private campaign finance, closed primaries, gerrymandered districts, and the
revolving door between public and private offices.

Before the apathy goes to deep, we need people to coalesce around a set of
conditions for winning office. Specifically, no legislator gets past the
voters if they haven't committed themselves to changes that make them
exclusively beholden to the voters (i.e. open primaries, non-partisan
redistricting, public election finance, and a lifetime hell-ban on going to
work for the industries you once "regulated"). If someone promises to do all
this, but balks once elected, throw them out systematically. Keep doing this
until there is a critical mass of legislators who can push through reform that
makes legislators dependent on the people alone. Not their financial backers,
not their future employers, not their political parties, and not the voters
they hand-pick.

Lots of folks aren't worried about the NSA at all. There's a fairly disturbing
number who actually think mass surveillance a good and necessary thing. But
regardless of where you are on the political spectrum, there's a good chance
that _something_ about crony capitalism bothers the daylights out of you.
Different people will have different reasons for insisting on the basic "you-
work-for-us-alone" condition for winning office. That's fine. As long as
people will hold legislators to it, the restoration of government of, by, and
for the people can happen.

But aside from this - from the sustained and forcible assertion of exclusive
control over legislators - I don't see how the spying problem, or really any
major problem, will resolve itself satisfactorily.

------
Buzaga
what an awesome country you have there, eh?

here's the rationale: if we don't have total awareness and snooping power over
this guy private stuff, he must be doing secret stuff and we can't know if
it's bad, therefore we have reason to believe he must be a TERRORIST(are you
still using this one or have you admitted to yourself that the objective is
just `total information awareness`?)

also, cannot stop LOVING that non-americans basically have no fucking rights
whatsoever.

~~~
orthecreedence
As an American, it's pretty sad. As if the rest of the world wasn't getting
sick of us already. Let's stick our noses into everyone else's business _all
the time_ , start a bunch of wars for the obvious benefit of our corporations,
crash the world economy (btw we're doing more derivatives trading again so
expect another crash lolol), and now spying on every person in the world, US
citizen or not.

On top of it, instead of our media telling us "WAKE THE FUCK UP AND LOOK AT
WHAT YOUR GOVERNMENT IS DOING!!" they are saying "Gee, where will Snowden go
next lol?!?! Ohh he's in Moscow now, neat!!!!"

I think the endorphin rush people get from receiving a Facebook message on
their portable distraction device outweighs the negative feelings of the
government spying on every aspect of our lives. People don't know what's
happening two feet away from them, much less in their government or the world
(besides what big media tells them).

We're sliding fast down a slippery slope while chuckling and playing Farmville
on the way down.

