
PRISM

  • 10-06-2013 10:34am
    #1
    Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭


    Is anyone else freaking out about the possible implications of PRISM as a non-US citizen?

    I use gmail for example. Have their SSL keys been compromised?
    I use lastpass. Have they received an order to hand over passwords on an ongoing basis? (I am seriously considering switching to keepass, what a pain in the face though).

    and so on, and so on. The possible implications of "lawful intercept" on that scale are staggering.



Comments

  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    I've heard a little about it but haven't researched too far as yet. Concerning yes - at least until I've done some research, and no, I accept that 99.999999% of individuals won't have anything to hide, but we (I) may not like how information scraped without my consent or the context of our (my) individual consciousness could potentially be used against you (me). OK, I could probably head to the conspiracy theory forum with this one, but.... yeah.... I'm more uncomfortable than comfortable with the notion.
    Khannie wrote: »
    I use gmail for example. Have their SSL keys been compromised?

    If they are sitting with a fat pipe running from the gmail or any other server to their data center then I'm guessing they won't need to worry about security measures like SSL. Encrypt before you hit gmail perhaps. At least that will slow them down and by the time they figure out it was an email from your mother for chicken curry, you'll have long left the country :pac:.


  • Registered Users Posts: 6,210 ✭✭✭bonzodog2




  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    AnCatDubh wrote: »
    If they are sitting with a fat pipe running from the gmail or any other server to their data center then I'm guessing they won't need to worry about security measures like SSL. Encrypt before you hit gmail perhaps. At least that will slow them down and by the time they figure out it was an email from your mother for chicken curry, you'll have long left the country :pac:.

    SSL is sufficiently difficult to decrypt that you wouldn't bother attempting to unless you had direct access to the keys, and even then it would take quite a bit of compute power to keep decrypting the volume of traffic that gmail generates.

    I moved to keepass2 today. I had to assume that lastpass was compromised given all the recent revelations. I must say I feel better already. There was a bit of messing to get it working with my phone and resetting passwords but it was worth it.


  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    Khannie wrote: »
    SSL is sufficiently difficult to decrypt that you wouldn't bother attempting to unless you had direct access to the keys, and even then it would take quite a bit of compute power to keep decrypting the volume of traffic that gmail generates.

    Yes of course, but my reading up on prism thus far indicates that they (US Gov Agencies) have access under their legislation to your data (which appears to be the quasi-excuse that the Tech Chiefs are quoting - we're doing only what the law says, and in fairness it's hard to disagree with where they find themselves - that, in a democratic and civil society).

    On ssl, won't your ssl only be useful to your email in transit between you and the google gmail server and not as your email is stored on the google server? (I've no particular inside track on what happens on the gmail server so apologies if they are doing something very different).

    Thus, what I was assuming earlier was that if you had a foreign government (foreign to us) who had server level access (fat pipe stuff) then they aren't intercepting anything or needing to decrypt anything. They're just 'legitimately' (as per their law) downloading your email in plain text or whatever -- with the assistance of the american companies -- filtering the downloaded content, and deciding whether they need to put you under the spot light or not.

    Interestingly, talking of direct server access in whatever form that may take, Twitter appear to be also compliant with the legislation but they have a different approach to assisting the government's requests. The law apparently says that they must comply (in giving data) to the US agencies, but what is being quoted in the media that google and facebook are doing is assisting the US agencies in making it easier for them to access the data (my fat pipe analogy above) which I gather is not prescribed in law. I believe Twitter don't (or haven't yet) given anyone the assistance of fat pipe access.

    It also appears the law under which this is happening forbids the companies from telling anyone that it is happening which might explain some of the tech chiefs' pronouncements as to it not happening.

    Still lots more reading to do on it. It is interesting stuff.


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Khannie wrote: »
    Is anyone else freaking out about the possible implications of PRISM as a non-US citizen?

    Am I freaking out? Nope. I'm not doing anything that the NSA would be interested in. If I was, I certainly wouldn't have a gmail account.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Ah, that old chestnut. "I'm not doing anything wrong, sure look all you want". I read an interesting article on that yesterday that I'll dig out for you.


  • Banned (with Prison Access) Posts: 890 ✭✭✭CrinkElite


    syklops wrote: »
    Am I freaking out? Nope. I'm not doing anything that the NSA would be interested in. If I was, I certainly wouldn't have a gmail account.

    In fairness Syklops (with respect), I think that post is missing the point.
    The issue here is wholesale surveillance of the entire global internet userbase coupled with limitless storage capacity.

    That type of oversight is unprecedented in the history of humankind and the position of power it provides will be unassailable.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    AnCatDubh wrote: »
    On ssl, won't your ssl only be useful to your email in transit between you and the google gmail server and not as your email is stored on the google server? (i've no particular inside track on what happens on the gmail server so apologies if they are doing something very different).

    Ah yes, of course you're spot on. If they have direct access to the servers we're all scuppered.

    Interesting article from bonzodog and that youtube video is definitely well worth a watch.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Same guy alright and the content is probably similar. Thanks.


  • Registered Users Posts: 16,402 ✭✭✭✭Trojan


    bedlam wrote: »

    Good essay, but it needs to be way more accessible for folks who believe "I've got nothing to hide" to understand it.


  • Registered Users Posts: 16,402 ✭✭✭✭Trojan


    Here's one gotcha with KeePass that wasn't very user friendly.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Khannie wrote: »
    Is anyone else freaking out about the possible implications of PRISM as a non-US citizen?

    I use gmail for example. Have their SSL keys been compromised?
    I use lastpass. Have they received an order to hand over passwords on an ongoing basis? (I am seriously considering switching to keepass, what a pain in the face though).


    and so on, and so on. The possible implications of "lawful intercept" on that scale are staggering.

    My Foreign Office never comments on intelligence matters. :-)


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Surprised that no one seems to have mentioned PGP or GPG - you know that can be used to encrypt your e-mails easily and is for all intents and purposes unbreakable provided your key is strong enough?

    GPG4USB is a great, easy to use app for those people who take their privacy seriously.

    Intelligence agencies can intercept your messages all they want, they won't be able to read them!

    More than happy to give details by PM to anyone interested.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    bedlam wrote: »

    Great article, thanks!


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    bedlam wrote: »

    A bit long winded. Thought-provoking, but as he points out there are a lot of non-specific vulnerabilities and so making the argument against "I've got nothing to hide" is difficult.

    What I don't understand is why the security community is in such shock and disbelief. I, personally, have known about Operation Echelon since the early 90s, as did many people I know. Presumably PRISM is the new name.

    For my own security I employ GPG/PGP where it is plausible to do so, I use LUKS on my laptop and on portable media, I use very long passwords and SSL where I can. This is more to protect myself from stupid people, and malicious people such as cyber criminals etc, and less about protecting my privacy from foreign governments.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    bedlam wrote: »
    That it is, though it does not handle pgp/mime well which is a big downside.



    The word of the week is metadata, they may not know what you are saying but they will know who you are talking to and that may be enough.



    Do it for all to see, that way a wider audience can benefit.

    Well I did write a guide for GPG4USB, sort of an absolute beginner's how-to, as it helps to understand some of the basic concepts behind Public Key cryptography before you use it so you can be sure it is secure. I will post it when I get a chance later today, thanks for the advice!

    As I understand it under UK and US law metadata can be gathered legally but I think you need a specific warrant to snoop on the content of actual e-mails/messages/voice conversations. Of course the allegation here is that certain big names might have shared data like this anyway.

    Ever since being taken over by Microsoft, Skype for instance has been notoriously reticent about whether the encryption they use for their calls is removed as it passes through their servers and passed on to goodness knows who.

    Of course organised criminals know this, which is why, believe it or not, very few drug dealing empires/extortion rackets/terrorist cells are run over Facebook or Yahoo Mail. The only people who stand to lose out are stupid criminals who are likely to get caught anyway and ordinary decent folk like yourselves.

    The criminals on the "deep web" use a combination of the GPG program I mentioned along with Tormail or Torchat to communicate. These both use "onion routing" which makes it virtually impossible to trace the person who sent the message if for instance they are communicating via Tormail.

    The beauty of the Tor project is that the more people who use it, the faster and more reliable the service becomes and the less you have to rely on the government for your privacy, so if anyone is concerned about this I suggest you visit www.torproject.org and take a look at the FAQ section.

    It's really easy to set up and means you can take responsibility for your own privacy rather than trust shadowy corporations and government departments.
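
    Two points made above, that TLS only covers the hop to the provider so the content has to be encrypted before it reaches gmail (AnCatDubh's "encrypt before you hit gmail" and silentrust's GPG recommendation), and that metadata stays readable regardless (bedlam's remark quoted in this post), illustrated by an added Python example that is not code from this thread, from GPG4USB or from any other project mentioned here. It parses two constructed messages with the standard library's email module and reports what whoever holds the stored mail can read. The addresses, dates and hostnames are made up, and the armoured block is a placeholder standing in for OpenPGP ciphertext, not real GPG output; the point is the shape of what is exposed, not the cryptography.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample, not a captured mail: a PGP/MIME (RFC 3156) message as it
# would sit in a provider's mailbox. The armoured block is a placeholder that
# stands in for OpenPGP ciphertext; it is not real GPG output.
ENCRYPTED_SAMPLE = """\
Received: from mail.example.org by mx.example.net; Mon, 10 Jun 2013 10:34:00 +0100
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: Carol <carol@example.com>
Date: Mon, 10 Jun 2013 10:33:58 +0100
Subject: Chicken curry recipe
Message-ID: <20130610103358.12345@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="pgp-boundary"

--pgp-boundary
Content-Type: application/pgp-encrypted

Version: 1

--pgp-boundary
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA1BMQUNFSE9MREVSIG5vdCByZWFsIE9wZW5QR1AgY2lwaGVydGV4dA==
=AbCd
-----END PGP MESSAGE-----

--pgp-boundary--
"""

# Constructed sample: the same mail sent without end-to-end encryption.
PLAIN_SAMPLE = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Mon, 10 Jun 2013 10:33:58 +0100
Subject: Chicken curry recipe
Content-Type: text/plain; charset="utf-8"

Mum's curry: two onions, a tin of tomatoes, and far too much garlic.
"""


def parse(raw: str) -> EmailMessage:
    """Parse a stored message with the modern EmailMessage API."""
    return email.message_from_string(raw, policy=policy.default)


def exposed_metadata(msg: EmailMessage) -> dict:
    """Headers that anyone holding the stored message (the provider, or a party
    with server-level access) can read whether or not the body is encrypted."""
    meta = {}
    for name in ("From", "To", "Cc", "Date", "Subject", "Message-ID"):
        if msg[name] is not None:
            meta[name] = str(msg[name])
    # Every hop the mail took is recorded in the clear as well.
    meta["Received"] = [str(h) for h in msg.get_all("Received", [])]
    return meta


def body_is_end_to_end_encrypted(msg: EmailMessage) -> bool:
    """True when the body follows RFC 3156: a multipart/encrypted container
    holding the control part and an armoured OpenPGP part, in that order."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = list(msg.iter_parts())
    if len(parts) != 2 or parts[0].get_content_type() != "application/pgp-encrypted":
        return False
    armoured = parts[1].get_payload(decode=True) or b""
    return armoured.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----")


def readable_body(msg: EmailMessage):
    """The plaintext a provider could read from the stored message, or None
    when only ciphertext is stored."""
    if body_is_end_to_end_encrypted(msg):
        return None
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else None


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        msg = parse(raw)
        print(f"== {label} message, as seen by whoever holds the mailbox ==")
        for key, value in exposed_metadata(msg).items():
            print(f"  {key}: {value}")
        print("  body:", readable_body(msg) or "<ciphertext only>")
```

    Running it shows the same From, To, Cc, Date, Subject and Received lines for both messages; only the body differs between the two. That is the whole point of "metadata": encrypting the body before it reaches the provider removes the content from what is stored there, while the envelope and routing headers, which the provider needs to deliver the mail at all, remain available to anyone with access to the mailbox or the server.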


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    bedlam wrote: »
    They may be easy to set up but they are hard to get right when you factor in the human element. People will fsck up and no amount of crypto will protect you from that.

    This talk on OPSEC is worth a watch.




    To clarify this, more people using Tor will not make it faster and more reliable. More people running nodes will.


    Absolutely, the more nodes the better as if you're the only tor user in a remote location, it may be possible to pin down who you are through traffic analysis. This risk can be mitigated through having what's known as a private bridge which hides the fact you're using tor but shouldn't be necessary for most users.

    The most important thing to bear in mind is that there is no guarantee of privacy for those people who use it to access facebook or other social media unless you create an entirely new account. Even then if the rumours are true the company in question can theoretically share messages you've sent, so that's where GPG is your friend.

    If it were at all complicated then a technophobe like me couldn't do it, suggest anyone who is interested takes a look.


  • Banned (with Prison Access) Posts: 890 ✭✭✭CrinkElite


    silentrust wrote: »
    The most important thing to bear in mind is that there is no guarantee of privacy for those people who use it to access facebook or other social media unless you create an entirely new account.

    You mean possibility.

    Also, it's long been established that someone who can control a relatively small number of exit and entrance nodes can perform trivial traffic analysis to uncover your identity.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    CrinkElite wrote: »
    You mean possibility.

    Also, it's long been established that someone who can control a relatively small number of exit and entrance nodes can perform trivial traffic analysis to uncover your identity.

    No, I mean "guarantee", that's why I said "guarantee", not "possibility". :-)

    As for uncovering someone's identity through monitoring entry and exit nodes, this is a moot point if you use Tor hidden services like Tormail.

    Of course it would require people to lose faith in mainstream social networking for it to be likely someone else would have a tormail address but then if these allegations turn out to be true, perhaps people will become more privacy conscious and move to the deep web, I live in hopes.

    Edit : My august colleague has reminded me that for those people who are worried about people monitoring Tor exit nodes, complete end to end privacy can be secured through using I2P although I have personally found it much too sluggish for all intents and purposes. The ways in which it is possible to undermine the anonymity of Tor are rather exaggerated in the mainstream media but a number of countries such as Iran and China make efforts to block the protocol, which shows they're doing it right. (See : https://www.youtube.com/watch?v=DX46Qv_b7F4)

    Also to clarify my last point, creating a new social networking account while using the Tor browser will guarantee you that it can't be linked to your identity at the point of creation but naturally if you share any identifiable information, e.g. create a Twitter account in your own name, it could still be linked to you this way. What's good is that we're discussing ways to help to maintain our privacy, I am very interested in hearing everyone's thoughts! :-)


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Interesting piece by one of the main Tor Developers Jacob Appelbaum on Tor, "Lawful Interception", and personal privacy in the digital age:

    https://www.youtube.com/watch?v=RCYO19YfFfY

    ST.


  • Registered Users Posts: 13,645 ✭✭✭✭josip


    Has anyone had a look at the map of countries monitored? According to newspaper reports it shows data volumes per country, not per capita per country. Is this understanding correct?
    • There is more data collected in Ireland with 4 million people than in all of the UK with 60 million people?
    • Does that reflect a difference in attitudes/compliance between the various governments?
    • Or a difference in perceived threats?
    • Or is it due to the location of data centres?
    • Why is Russia so low?
    • Why are Bhutan, Malawi and Serbia not being monitored?


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    bedlam wrote: »
    This talk on OPSEC is worth a watch.

    Long, but worth the watch. It can be summed up thusly: STFU.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    josip wrote: »
    Has anyone had a look at the map of countries monitored? According to newspaper reports it shows data volumes per country, not per capita per country. Is this understanding correct?

    I haven't seen the map. Have you a link there? I would imagine that Ireland is high on the list because we have a number of very fat connections between Ireland and the US, so traffic routed to (for example) Canada, or almost anywhere in Asia or possibly even the Middle East, will inevitably travel through the US on its way there.


  • Registered Users Posts: 446 ✭✭Ant


    Khannie wrote: »
    I moved to keepass2 today. I had to assume that lastpass was compromised given all the recent revelations. I must say I feel better already. There was a bit of messing to get it working with my phone and resetting passwords but it was worth it.

    Has anyone used any of the command line interfaces to Keepass? I'm currently using a text file encrypted with GnuPG symmetric cipher and stored on a server that I access using OpenSSH. It works but it's a bit clunky and if there was a more user-friendly solution that worked over SSH, I'd like to hear about it.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Keepass has an ssh plugin that allows you to access the password file on a remote server to the best of my knowledge. There are a heap of plugins for it.


  • Banned (with Prison Access) Posts: 890 ✭✭✭CrinkElite


    [Image: Boundless-heatmap-large-001.jpg]

    Is this the map to which you refer?

    There's a Wikipedia page here:

    http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29


  • Closed Accounts Posts: 7,346 ✭✭✭Rev Hellfire


    Khannie wrote: »
    I haven't seen the map. Have you a link there?
    http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining

    The heat map moves from green (least) through yellow (more) to red (most); we're a dark green, the UK a lighter one. You could read it as we're less monitored.


  • Registered Users Posts: 13,645 ✭✭✭✭josip


    Rev Hellfire wrote: »
    The heat map moves from green (least) through yellow (more) to red (most); we're a dark green, the UK a lighter one. You could read it as we're less monitored.

    Thanks Hellfire. Silly me. RTFL (egend).


  • Closed Accounts Posts: 2,827 ✭✭✭Prodigious


    Jabber is an excellent IM client for privacy.
    I have to look into a different email provider. I've been using gmail in general, and of course tormail, but tormail isn't exactly one to be throwing down on the CV. Can anyone recommend any email provider that values privacy and security?

