Banner
    Oh, What A Tangled Web The NSA Weaves
    By Steve Schuler | March 7th 2014 02:49 PM | 20 comments | Print | E-mail | Track Comments
    About Steve

    You may try my hacks AT YOUR OWN RISK--there's infinite ways to damage or destroy people and property, I can't think of them all. Kids use adult...

    View Steve's Profile
    There’s a popular YouTube video featuring mathematician Edward Frenkel where he describes how the NSA hacked our emails. It is a backdoor into the National Institute of Standards and Technology public key encryption standards.

    I’ll borrow an analogy for a simplified description of how public key encryption works from Simon Singh. Imagine a sturdy metal box that can be locked shut with a padlock. Let’s say Alice wants to send a message to Bob and she wants no one but Bob to read her message (descriptions of encryption systems traditionally use “Bob and Alice”). Bob buys a padlock from the hardware store, puts the unlocked padlock in the box, keeps the key, and mails the box to Alice. When Alice receives the box, she puts the message in the box and locks it shut with Bob’s padlock. Then she mails the box back to Bob. When bob receives the box, he unlocks the padlock with his key, opens the box and reads Alice’s message.

    On the internet, Bob uses a digital padlock, or public key that is used to encrypt his emails and the NSA has a skeleton key for Bob’s padlock.

    Frenkel describes how the NSA uses their digital skeleton key to read your emails:

    In this article Frenkel expresses his concern that if the NSA is putting backdoors into our encryption systems, this makes us vulnerable malicious hackers:

    Who’s to say that the sophisticated math the NSA has been keeping secret from the rest of the world will not be discovered by someone else?

    You can hide a formula, but you can't prevent others from finding it. One might only need a pencil and a piece of paper to do that. And once the secret is out in the open, it’s not just Big Brother that will be watching us—other “brothers” will be spying on us, intercepting our messages, and hacking our bank accounts.

    The NSA has this backdoor, as Frenkel points out, because of the problem of generating random numbers. Computers are deterministic and therefore only capable of generating pseudorandom numbers exposing your public key (your digital padlock) to backdoors (the NSA skeleton key).

    A simple analog method of generating random keys comes from the early 20th century called the One Time Pad. By all accounts it is unbreakable if used properly (use each key only once). You can try it yourself if you have a Scrabble or Upwords set.

    Materials needed:

    Scrabble Game or Upwords game
    Bag, hat, coffee can, etc.
    Pencil
    Paper
    Scissors

    Select the 26 letters of the alphabet from your Scrabble game.

    Put the letters in your bag and shake well to sufficiently mix them up. Thrust your hand into the bag and stir the tiles around a bit, then pull one tile out of the bag.

    For this demonstration I use an ordinary sheet of computer printer paper. I’ve divided my sheet into two columns, one marked “In” and the other column marked “Out.” Write the letter on your tile under both “In” and “Out” columns.

    Put the Scrabble tile back in your bag. Shake well. Thrust your hand in the bag and stir the tiles for a bit. Pluck a tile from the bag. Write the letter in the “In” and “Out” columns on your paper. Repeat.

    You can repeat this process to generate a key long enough to be useful for sending short messages. For example, there are a maximum of 140 characters in a tweet, but the longer the key the more tedious the process. I've created a rather short key just long enough to demonstrate how to encrypt “hello world.”


    Some of you, dear readers, who are keen observers may notice a problem with the random distribution of letters in my key. I was focused more on photographing the procedure and failed to sufficiently randomize my tiles.

    Use your scissors to cut the paper in half. You keep the half with the “In” key and give the half with the “Out” key to your friend with whom you wish to secretly communicate.

    To encrypt your message “hello world,” first eliminate the spaces. The message then becomes “helloworld.” When the letter “h” in “helloworld” is passed through the key, it becomes the letter “g.” Recall how Frenkel talks about modulus math or clock arithmetic. In this case we’re using a clock with 26 hours.

    As in the picture above “h” is the eighth letter of the alphabet, or H = 8. The letter “y” is the twenty-fifth letter of the alphabet, or Y = 25. Start at the letter H and count 25 letters down the alphabet toward the letter “Z.” By the time you count to 18, you run out of letters so you have to start at the beginning of the alphabet (A) and count the remaining 7 where you arrive at the letter G. 8 + 25 = 7 (mod 26). You can try this online modular arithmetic calculator by entering “26” in the “Modulus m =” box, entering “8” in the “a =” box, entering “25” in the “b =” box, and clicking the “a + b” button. 7 will appear in the “Result =” box.

    When you have finished passing all the letters through the Scrabble Cipher key, the original “helloworld” is encrypted as “gtqddeloms.”

    To decipher the message, your friend uses the “Out” key. The letter “g” is the seventh letter of the alphabet, or G = 7 and “y” is the 25th letter of the alphabet, or Y = 25. This time instead of counting down the alphabet, you count up the alphabet. Start at the letter G and count 25 letters up the alphabet toward the letter “A.” By the time you count to 6 you run out of letters so you have to start at the end of the alphabet (Z) and continue counting the remaining 18 letters until you arrive at the letter H. 7 – 25 = 8 (mod 26). Click the “a – b” if you want to try the online modular arithmetic calculator.

    You and your friend can only use the “In” and “Out” keys once and then they must be destroyed. If you want to secretly communicate many times then you’ll need to create many keys and a numbering system for the “In” and “Out” keys (you can simply number each “In” and “Out” key 1,2,3…). You’ll have to send the number of the “In” sheet along with the encrypted text so your friend knows which “Out” sheet to use to decipher the text. This process is tedious but effective. You can meet regularly to have a nice game of Scrabble and then create enough keys to secretly communicate until the next game of Scrabble. (Note: you can also use Boggle cubes, but you might want to use two sets for the 26 letters of the alphabet and it couldn't hurt to roll the Boggle cube on the table top after you take it out of the bag).

    For programmers it’s relatively simple to write a program to generate random numbers. Because computers are deterministic, they would be pseudorandom which is fine for computer games but not for data encryption. You might consider connecting a Geiger counter to the computer and use the Americium-241 from a smoke detector as your radioactive source. Generate your random number seed when the Geiger counter detects an alpha particle.

    Radiometric dating is used by, say, geologists to determine the approximate age of rocks because radioactive decay occurs at a predictable rate. This works for large groups of atoms. It is impossible, however, to predict when a particular nucleus will decay. Your Am-241 source emits alpha particles randomly and if your program generates a random number seed when the Geiger counter detects an alpha particle, it should be an actual random number as opposed to a pseudorandom number. Do check with Federal, State, and local regulations before taking apart a smoke detector. Also USB Geiger counters can be kinda pricey.

    If you want to use a computer to generate your random numbers and a printer to print your One Time Pad sheets, you might want to consider “air gapping it,” or isolating from your home network. That is, not connected via Ethernet or wirelessly to your home network (and thus to the internet) to prevent spyware or other malicious software from being surreptitiously installed on it.

    The One Time Pad is a low tech method for communicating secretly. But, now that we know how the NSA has been hacking our emails, we can revise our encryption standards for secure communication and commerce on the World Wide Web.

    --------------------

    NOTE: For One Time Pad sheets, clandestine service officers have used small swatches of silk because silk compresses well and can be hidden in tiny nooks and crannies such as the spine of a hard cover book or inside the barrel of a fountain pen. Rice paper has also been used for One Time Pad sheets—once the key has been used it can be eaten or dissolved in a glass of drinking water if you don’t have a lighter handy to burn it.

    Comments

    MikeCrow
    Oh, you might be able to use a web cam for a usb Geiger counter. I'm not sure an alpha source will work, but it might be easy enough to try.
    Never is a long time.
    KRA5H
    Here's an example of a webcam geiger counter: http://www.cg.tuwien.ac.at/research/publications/2012/Auzinger_2012_Geig...
    "This page intentionally left blank." --Gödel
    MikeCrow
    I was doing something similar (as far as camera settings) here. They added what would be a necessary step of post processing the data which I didn't. Not knowing what type of radiation (other than cosmic), it's good to know they will detect all three types.

    Nice link, thanks!
    Never is a long time.
    KRA5H
    O the perils of publish-and-pray! I've corrected the links to Frenkel's article in _Slate_ and the modulus calculator.
    "This page intentionally left blank." --Gödel
    Michael Martinez
    This is nonsense.  Most of the people complaining about NSA "spying" are using GMail, Yahoo! Mail, Hotmail, and other commercial mail servers that constantly read their email anyway ("for advertising").
    Google recently won a court case in which it argued that none of its users have any reasonable expectation of privacy.

    All these companies are doing far more with their knowledge of your email than the NSA.  For people to go to these lengths to protect a non-existent privacy is just insanely stupid.  It is a complete and total waste of time.

    They can read all your email if they want to anyway just by monitoring your access points before the email is encrypted for transmission.
    MikeCrow
    I agree except for one point, the government can decide to throw you in jail if they want to, google can't.
    Never is a long time.
    KRA5H
    Doing business on the Web requires trust. If the NSA has backdoors into our encryption standards, then malicious hackers use these same backdoors. I can think of no reason to do business with your company if I know that malicious hackers can hack in to paypal or credit cards and run up charges. undermining encryption standards by the NSA costs your company in lost sales.
    "This page intentionally left blank." --Gödel
    Michael Martinez
    "If the NSA has backdoors into our encryption standards, then malicious hackers use these same backdoors"

    Well, thanks to Edward Snowden, the hackers now have confirmation that the backdoors exist.  Of course, anyone with formal training in algorithms (Computer Science majors, at least) already knew that pasting widespread encryption onto the Internet was a fantasy.


    I can think of no reason for people with knowledge in these matters to be up in arms about the NSA doing its part to identify threats to the United States, and that does NOT mean "preventing terrorist attacks".


    You have never had any privacy on the Internet.  Everything you do is logged by at least two entities on the Internet.  Much of your activity data is resold or shared without your knowledge or permission, and thus used to develop new technologies to influence your behavior even more.


    Government agencies are not doing this to their own citizens.  All the manipulation is coming from unregulated businesses that answer to no one.
    Michael Martinez
    "I agree except for one point, the government can decide to throw you in jail if they want to, google can't."

    The NSA doesn't arrest people and throw them in jail.  Neither does it run opinion-shaping programs against its own citizens, whereas that is exactly what Google does against its own customers.


    You're lining up behind the wrong side on this issue.  The NSA is charged with helping keep you alive.  Google just wants more money and they really don't act like they care who gets hurt.
    KRA5H
    According to Peter Bergen, CNN's National Security Analyst:

    "Surveillance of American phone metadata has had no discernible impact on preventing acts of terrorism and only the most marginal of impacts on preventing terrorist-related activity, such as fundraising for a terrorist group."

    Source: http://arstechnica.com/tech-policy/2014/01/report-nsa-bulk-metadata-collection-has-no-discernible-impact/


    According to William Binney, former NSA cryptanalist (via the Wall Street Journal):


    ""What they are doing is making themselves dysfunctional by taking all this data," Mr. Binney said at a privacy conference here. The agency is drowning in useless data, which harms its ability to conduct legitimate surveillance, claims Mr. Binney, who rose to the civilian equivalent of a general during more than 30 years at the NSA before retiring in 2001. Analysts are swamped with so much information that they can't do their jobs effectively, and the enormous stockpile is an irresistible temptation for misuse."


    Source: http://online.wsj.com/news/articles/SB10001424052702304202204579252022823658850









    "This page intentionally left blank." --Gödel
    Michael Martinez
    "Surveillance of American phone metadata has had no discernible impact on preventing acts of terrorism and only the most marginal of impacts on preventing terrorist-related activity, such as fundraising for a terrorist group."

    I like Peter Bergen but he is an outsider looking in.  I happen to know a little more about some of the data analysis projects than perhaps he does.


    I WAS NOT INVOLVED WITH ANY NSA PROJECTS.  I cannot explain myself further than that.
    KRA5H
    It does you no good to play the "classified" card. How do we know you'r not just making stuff up? How can we verify what you claim? 
    We have Bergen's data that says that NSA mass surveillance ain't doing any good. This followed by Binney's observation that with too much data the NSA can't do it's job. And NSA backdoors let malicious hackers withdraw money from your back account, run up credit card charges, steal your identity, and people won't want to do business on the web.

    "This page intentionally left blank." --Gödel
    Michael Martinez
    "How do we know you'r not just making stuff up? How can we verify what you claim? "
    You don't.  You have to take what I say on faith ... or choose not to.

    But why choose to take all the outside speculations -- based on lies and half-facts -- on faith?  Propaganda theory tells us you do that because it was the first thing you heard.  People are funny like that.  They are more willing to believe assertions than denials.

    Bergen's data is nothing.

    As for whether the NSA is doing its job, the public has only heard as much as needs to be heard based on the unlawful disclosures.  The NSA and other security agencies do a LOT of stuff that Congress has chosen (per its constitutional authority) NOT TO DISCLOSE to the public.

    But to get back to the original point: even if you could protect all communications on the Internet you would only empower the people trying to hurt you (the hackers, the criminals, the terrorists, whichever country is currently trying to disrupt your economy, the corrupt leaders trying to hide their scandalous behavior).

    There is no safety for the public in a truly secure Internet.  It becomes a hyperoptimized vessel for exactly what the conspiracy theorists fear it already is.  So securing all the communications NOW -- when everyone is starting to see the possibilities (and you have only seen the tip of the iceberg) -- you're asking for everyone to cooperate in unleashing total unbridled chaos on each other.

    This isn't about privacy.  It never was.  And it isn't about preventing terrorist attacks, either.  The prevention of terrorist attacks is only one small piece of the puzzle.

    Be careful what you ask for because once you get it there is no going back and more people will die because you got that wish.

    Every person involved in US intelligence operations is briefed on the law and it is made completely clear that you DO NOT SPY ON US CITIZENS.  What Edward Snowden calls "spying" is absolute bullshit.  The real spying is much, much different and it is directed only at people who MIGHT be a real threat or who MIGHT be connected to a real threat.  And believe me there are plenty of people who go to sleep at night asking themselves if there isn't some better way to get the data we need without violating laws.  They are not interested in breaking the law.  They ARE interested in making sure we don't lose the end game.
    KRA5H
    Where have I heard that last paragraph before? hmm...oh I remember:

    "Now we're fighting the peace. It's a lot more volatile. Now we've got ten million crackpots out there with sniper scopes, sarin gas and C-4. Ten-year-olds go on the Net, downloading encryption we can barely break, not to mention instructions on how to make a low-yield nuclear device. Privacy's been dead for years because we can't risk it. The only privacy that's left is the inside of your head. Maybe that's enough. You think we're the enemy of democracy, you and I? I think we're democracy's last hope." Thomas Reynolds (Enemy of the State, 1998)
    "This page intentionally left blank." --Gödel
    Michael Martinez
    There was never any privacy on the Internet.  It was not designed for that.  This has nothing to do with political thrillers or thematic concepts.  The Internet is a medium for exchange of information and ideas and the people we're fighting have been using it more effectively than you realize.  To fight them calls for scanning the online discussions.
    Everyone else is doing just that and using the data to convince you of all sorts of bizarre nonsense; you raise no objection.  But when a government does it to defend you against the worst of the abuses, you fear for your safety.

    There is no sane way to defend that irrational fear.
    KRA5H
    Michael said "You have to take what I say on faith" 

    That ship sailed with Iraqi WMD, don't you think? People have faith in a god or gods--92% of Americans believe in a god or gods. Governments on the other hand are physical things and can be measured. The people have a NEED TO KNOW what their governments are doing on their behalf. That's the point of the First Ammendment--freedom of the press. If our politicians have been weighed in the balance and found wanting, vote them out; throw the bums out.

    Michael said "As for whether the NSA is doing its job, the public has only heard as much as needs to be heard based on the unlawful disclosures.  The NSA and other security agencies do a LOT of stuff that Congress has chosen (per its constitutional authority) NOT TO DISCLOSE to the public."

    I'll borrow a quotation from Benjamin Franklin: "three people can keep a secret if two of them are dead."

    Everyone from POTUS to the your neighborhood police officer, when acting on behalf of the people, should ask himself or herself, what if this shows up on the front page of the New York Times? Or the Guardian?

    Not only do you have the problem of people like Robert Hanson who sold secrets to the Soviet and Russians for money (amount undisclosed) for personal gain, but you have the problem of people like Ellsberg, Manning, Snowden, etc. who leaked information to the press at great personal risk and no immediate personal gain (sure, later on they can write their memoirs which will probably sell pretty well). In an espionage trial like Hanson's much can be kept secret to protect ongoing operations and sources, but leaks like the Pentagon Papers, Afgan War Logs, Global Surveillance disclosures, etc., well, once the genie's out of the bottle...

    Governments need to be as transparent as possible (what are you spending my tax dollars on?). Of course, there will always be a need for secrecy, but shouldn't secrets be limited to what is absolutely necessary for national security? If there are too many secrets, the greater the likelihood of abuse and corruption and the greater the likelihood for leaks ending up on the front page of the New York Times.

    Michael said, "But why choose to take all the outside speculations"

    Again, the Genie's out of the bottle. We the people glean what we can from public domain sources and that data indicates that despite global surveillance it has had little effect on terrorism. And it looks like the government is spying on innocent Americans.

    Again, Justice Sotomayer: "Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse."

    That's the point of the Fourth Amendment. (And the First Amendment rights to free speech and free association) 





    "This page intentionally left blank." --Gödel
    Michael Martinez
    "That ship sailed with Iraqi WMD, don't you think?"I did not start that war (technically, Ronald Reagan did -- Bush just finished it).  However, we DID find WMDs in Iraq -- several hundred unreported chemical warheads.  They were 20 years old and the experts said the gases were inert due to age but none of them willingly opened up any to prove their point.  They waited for the military to destroy the warheads.

    As for the rest of this argument, I'll leave it to you and others to create the silly "secure" world you want.  You'll deserve that.
    KRA5H
    "However, we DID find WMDs in Iraq -- several hundred unreported chemical warheads."
    1. Probably manufactured in the early 80s so, yep 20 years old
    2. DoD reported they were badly corroded and could not be used as intended.
    3. Mustard gas even if inert is still toxic and with long enough exposure, lethal. So, definitely a good idea to dispose of them properly.

    Given their deteriorated condition of the 500 munitions, it's possible they were intended to be disposed of but in the confusion after Gulf War 1 the paperwork could have been misfiled, the warheads assumed destroyed, and thus UN Inspectors were unable to find them during the 90s. Who knows?

    Let's recall W's State of the Union address:

    "U.S. intelligence indicates that Saddam Hussein had upwards of 30,000 munitions capable of delivering chemical agents. Inspectors recently turned up 16 of them, despite Iraq's recent declaration denying their existence. Saddam Hussein has not accounted for the remaining 29,984 of these prohibited munitions. He has given no evidence that he has destroyed them.

    From three Iraqi defectors we know that Iraq, in the late 1990s, had several mobile biological weapons labs. These are designed to produce germ warfare agents and can be moved from place to a place to evade inspectors. Saddam Hussein has not disclosed these facilities. He has given no evidence that he has destroyed them.

    The International Atomic Energy Agency confirmed in the 1990s that Saddam Hussein had an advanced nuclear weapons development program, had a design for a nuclear weapon and was working on five different methods of enriching uranium for a bomb.

    The British government has learned that Saddam Hussein recently sought significant quantities of uranium from Africa.

    Our intelligence sources tell us that he has attempted to purchase high-strength aluminum tubes suitable for nuclear weapons production."




    "This page intentionally left blank." --Gödel
    Did they still have the U.S. serial numbers on them? We could check our old receipts and see if they're the same ones we sold them, in order to support them in their desire to slaughter as many Iranians as possible.

    KRA5H
    Justice Sotomayer (United States v Jones)
    "Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse."

    .
    .
    .
    "More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as JUSTICE ALITO notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. See Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private,even in an area accessible to the public, may be constitutionally protected”)."




    "This page intentionally left blank." --Gödel