
Jamming XKeyScore - id
http://blog.erratasec.com/2014/07/jamming-xkeyscore_4.html
======
michael_storm
_Continue this for megabytes worth of bridges (xks-0001), and it 'll totally
mess up XKeyScore. It has no defense against getting flooded with information
like this, as far as I can see._

Yet it would be trivial to defend against trivial attacks like this. They just
need to set a length limit on ingested messages, clean up those regexes, and
they're done. A clever NSA developer (of which I'm sure they have several)
might implement a garden-variety spam filter.

We're trying to inject noise, but this noise is _obvious_. It's like a nation-
state playing Cold War-era radio games by broadcasting "DOUBLE AGENT X COME
HOME, DOUBLE AGENT Y COME HOME", etc. Sure it's noise, and it might distract
them for five minutes, but it doesn't win the war.

Want to fight XKeyscore? Make the noise impossible to distinguish. Set up free
email accounts that bounce randomly-generated "interesting" messages among
themselves, in between notes to Mom about the World Cup. Get open source
software that uses network communication to piggyback some keyword-laden
(though non-incriminating) text onto messages it would send anyway. Run a Tor
exit node that blocks illegal activity in your country (so you don't go to
jail).

Or someone else should, at least. I'm busy. And now, I'm on a list.

~~~
almondsays
I am not a lawyer. I would imagine you could be charged with 'obstruction of
justice' or some other such law if you did this in the US or as a US citizen.
Something to think about before doing such a thing.

 _edited to be more verbose_

~~~
nknighthb
[http://www.law.cornell.edu/uscode/text/18/part-I/chapter-73](http://www.law.cornell.edu/uscode/text/18/part-I/chapter-73)

This is the federal obstruction of justice statute, could you point out the
part that applies to jamming the illegal collection of inadmissible evidence
by an agency that enforces no laws or regulations and conducts no criminal or
administrative investigations or proceedings?

~~~
almondsays
No, I'm not a lawyer and/or qualified to do that. Maybe I'm wrong, but I don't
care to find out by attempting it.

~~~
x1798DE
This is an unintentionally perfect demonstration of the concept of chilling
effects. Someone should take a screenshot of this and put it into a textbook.

Wikipedia link on chilling effects:
[https://en.wikipedia.org/wiki/Chilling_effect](https://en.wikipedia.org/wiki/Chilling_effect)

~~~
alttab
The fear of getting caught shouldn't be the only reason you don't do
something. Either it's important enough to do, or there's multiple reasons
doing something isn't a good idea.

------
rdtsc
Even if you don't like Slavoj Žižek, he has a funny story related to this:

[https://www.youtube.com/watch?v=PIPjmmmh_os#t=1614](https://www.youtube.com/watch?v=PIPjmmmh_os#t=1614)

He talks about how he and his associates were dissidents and had meetings and
they agreed on a protocol to talk gibberish at the end. Fake, military
sounding code words and stuff. It was a fun thing to do. Years later they
discovered the amount of head-aches and resource drain they caused on the
secret police who tried in vain to discover the meaning in this nonsense,
thinking that perhaps there was some serious stuff going on.

That is why I hope one good thing comes out of it, and that is people might
start taking cryptography slightly more seriously and they'll also start
actively fighting back. This is one way and it is fun too. (for some strange
value of "fun").

~~~
nmrm
Another great Žižek story/parable about surveillance is the red ink one, which
I think is also relevant here:

So what are we doing here? Let me tell you a wonderful, old joke from
Communist times. A guy was sent from East Germany to work in Siberia. He knew
his mail would be read by censors, so he told his friends: “Let’s establish a
code. If a letter you get from me is written in blue ink, it is true what I
say. If it is written in red ink, it is false.” After a month, his friends get
the first letter. Everything is in blue. It says, this letter: “Everything is
wonderful here. Stores are full of good food. Movie theatres show good films
from the west. Apartments are large and luxurious. The only thing you cannot
buy is red ink.” This is how we live. We have all the freedoms we want. But
what we are missing is red ink: the language to articulate our non-freedom.
The way we are taught to speak about freedom— war on terror and so
on—falsifies freedom.

------
jgalt212
For all their illegal spying on American citizens, can the NSA point to one
attack* they have stopped?

I, for one, am not aware of any. And that's the real big problem here. They
all this sh1t, invade everyone's privacy, and to what ends?

*I am not talking about the NSA spying on non-US citizens.

~~~
quasque
Absence of evidence is not evidence of absence. They may have stopped attacks
but not revealed any information about this publicly, or engaged in
misdirection as to their role using parallel construction.

~~~
wnoise
Absence of evidence is indeed evidence of absence. It's absence of proof that
is not proof of absence. It may or may not be strong evidence, depending on
how likely evidence is, but it is evidence.

------
jdong
This article is based around the source that author claims to be faked in
another article, [http://blog.erratasec.com/2014/07/validating-xkeyscore-
code....](http://blog.erratasec.com/2014/07/validating-xkeyscore-code.html)

edit: fixed link

~~~
csandreasen
I think you mean this one: [http://blog.erratasec.com/2014/07/validating-
xkeyscore-code....](http://blog.erratasec.com/2014/07/validating-xkeyscore-
code.html)

~~~
jdong
Thanks, clipboard wasn't syncing properly.

------
fapjacks
This is a similar idea to something I've been working on for quite a long time
(since June of last year, actually)[1]. I have experience with graph-
generating software used by Five Eyes governments to map relationships, and
I've been developing software that will dilute the effectiveness of those
graphs by generating tons of noise across the system. Now it's a half-finished
Chrome extension, but my hope was to build a complete set of browser
extensions, and then bleed the design to Android/iOS to help dilute the graphs
of people's phone behavior.

[1] [https://github.com/shroudproject](https://github.com/shroudproject)

------
mike_hearn
I think encryption will remain a better way of jamming XKeyScore for the
forseeable future.

------
nikcub
The NSA will see this post, write more rules with regexs to catch anybody
doing any of these things, and then tag them as terrorists in XKeyScore.

 _edit_ not to mention that the source of these rules is from a non-verified
document that is at least 2 years old and woefully incomplete.

~~~
keithpeter
Tagging a bunch of harmless HNers as terrorists is going to get them nowhere.

The key is real, effective, _targeting_ of that tiny minority who actually
organise terrorist acts. Unless this is just some huge job creation
scheme/security theatre for politicians.

~~~
leaveyou
"The key is real, effective, targeting of that tiny minority who..." that's
what they want you to believe, bahahahaha :D. Ok, ok I'm not paranoid. But can
"we" (common people) really know what "they" (elected and unelected officials)
really want ? They have the power, they have the information, they define and
pursue the "national interest", they keep it classified, they create secret
tribunals, they pick the "national threats", they whack them because
terrorists, they make the "no fly" lists, they pick the "extremists"...

~~~
keithpeter
So is this basically Catch-22 for the 21st Century or just a bureaucracy that
grew and became self-perpetuating?

------
aburan28
This is funny because Robert Graham is very likely a GCHQ asset.

~~~
crimcrom
based on even just his last few blog posts i can see "blowhard" or "shill" but
intelligence asset? what's your reason for saying this?

~~~
aburan28
At the bottom at this page is part of the evidence
[http://cryptome.org/2014/06/wl-harrison-
hoax.htm](http://cryptome.org/2014/06/wl-harrison-hoax.htm) . Every single
time a anti-NSA story comes out he is first to try to defend the actions of
the NSA. He is a provocateur and clearly biased.

~~~
eli
Someone consistently disagreeing with you is NOT evidence they are acting
maliciously or are part of a conspiracy against your viewpoint.

------
zaroth
I guess NSA owes Robert a beer for the helpful QA service!

------
fnordfnordfnord
So, if they're using a standard regex parser, and not cleaning the input,
maybe some regex wizard can come up with some interesting Bobby Tables type
fun.

------
nfkesnflkesnf
Hmm, I may have to update my project to include this sort of junk data in the
response body of its API calls.

It sure would be amusing if most of HN did this. Everybody has to do their
part, right?

~~~
quasque
You'd be wasting your time as there is no feedback as to whether your attempts
have worked to frustrate their targeting, and that's the best case scenario.
The worst case is that someone picks up on your efforts and casually flags you
to make your life more difficult - extra searches at borders, no fly list, and
so on.

