Use Tor, Get Targeted By the NSA

An anonymous reader sends this news from Ars Technica: "Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for U.S.-based communications to be retained by the National Security Agency, even when they're collected inadvertently, according to a secret government document published Thursday. ...The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on U.S. citizens and residents. While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the U.S., they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—"will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person," the secret document stated.'"

Uhm, guys?

[waddgodd]

Given the recent revelations about the NSA dragnets of literally every single email, call, text, and pretty much any other form of electronic communication, it's pretty much a given that the best way to attract the NSA's attention is fog a mirror.

Anyone else notice a pattern?

[spacepimp]

They keep stretching the parameters and scope of what they can do. Of course that is only after they have been caught lying about the scope to begin with. Does anyone still believe them? I imagine quite soon they will start declaring that they need to have a back door to all encryption just in case you might do something wrong.

It's Worse Than You Thought

[Anonymous Coward]

Combining the fragments of leaked information that are now public related to the NSA's programs and the legal authorities affirmed by the FISA courts and Attorney General Eric Holder, it's clear that the US government's surveillance apparatus has the potential to monitor a significant portion of US citizens' communications.

Several reputable reports, including PBS' Frontline and NOW, have detailed the construction and operation of telecommunication interception facilities such as Room 641A. These types of facilities, which were deployed by 2003 and revealed to the general public by 2006, provide the NSA with the opportunity to access a large volume of telecommunications traffic. To use an analogy, imagine that several major mail sorting hubs in the US had "secret" rooms controlled by the NSA that all mail passed through.

A significant portion of Internet traffic is encrypted. Online banking, Facebook, Twitter, Gmail, etc. utilize standard SSL encryption to provide security. To continue the analogy, while some internet traffic is unencrypted in much the same way that postcards are mailed all the time with their messages clearly visible, many "sensitive" online communications such as the aforementioned banking and social networking services encrypt communications, similar to the way that sensitive mail communications like bank statements are usually sent in envelopes and not on postcards.

It is not politically palatable to suggest that US government agencies can and should surveil US citizens' telecommunications in any indiscriminate fashion, and there is no clear legal authority that would permit them to do so. In an interview with Charlie Rose that aired June 17, 2013, President Barack Obama said "...if you're a U.S. person then NSA is not listening to your phone calls and it's not targeting your e-mails unless it's getting an individualized court order."

Under the original provisions of the 1978 Foreign Intelligence Surveillance Act (FISA), the US government does have authority to conduct surveillance of communications without a court order if the parties communicating are not United States persons. More recent amendments to FISA since September 11, 2001 have expanded the government's authority to conduct surveillance.

It can be difficult to identify the geographic origin of telecommunications traffic. Tor, Virtual Private Networking, and Internet proxies provide ways for Internet users to "hide" their return addresses. There are all sorts of legal, legitimate uses for these technologies. For example, the 1996 Health Insurance Portability and Accountability Act (HIPAA) is widely interpreted to require hospitals to use encryption technologies such as Virtual Private Networks to protect confidential medical information if it is transmitted electronically between medical facilities.

It is also incredibly difficult to determine the nationality of a user of a telecommunications network. For example, two non-US persons could be visiting the US and using a telecommunications network in the country or a US citizen could utilize a telecommunications network when traveling outside the US.

There's an area where it helps to extend the envelopes vs. postcards analogy a bit: encryption is, in some ways, more like mailing a letter in a combination safe where only the sender, receiver, and safe company know the combination. The whole point of encryption is that it secures communications in such a way that even if someone intercepted an encrypted message, they couldn't read it unless they knew the secret combination to decode it.

This leads to a couple of questions:

1. If the US government is trying its best to restrict its surveillance to non-US persons, what does it do if it accidentally intercepts and reads communications from a US person?
2. If a large volume of telecommunications traffic, particularly traffic that is of interest to the US government, is encrypted (e.g., in opaque envelopes/combination safes without return addresses), how is it possible for t

Re:Anyone else notice a pattern?

[OffTheLip]

Are you sure they "keep stretching the parameters and scope" or are we just learning the scope and depth of what they have already been doing?

That's the point of Tor.

[Hatta]

Yes, using Tor is going to attract attention. That's why we need as many people as possible to use Tor, to decrease the signal to noise ratio. If you have nothing to hide, you should be using Tor to help protect those who do.

Re:non-issue

[Errol backfiring]

Tor already assumes the existence of such an adversary as the NSA, so what's the story here?

That TOR is right. Even in countries that are not a far-from-my-bed dictatorship.

No targeting anyone in the USA

[DeathToBill]

That's such a comfort to the rest of us.

Technicalities

[organgtool]

In other words, since they don't know who you are and can't positively confirm that you are a U.S. citizen, then they claim they are not bound to uphold your Fourth Amendment rights despite the fact that they are likely able to confirm that you are currently located in the U.S. I'm not sure that logic would hold up in court and I hope they are challenged on this.

Re:Good for the economy.

[Dunbal]

Undermining national security. LOL. What does it feel like to see a threat in every shadow? Everyone is out to get you huh? Careful, the Democratic Republic of the Congo might just get the upper hand and de-stabilize the US before invading it!

Seriously, by fundamentally changing what the US stands for over the last 20-30 years, you have undermined your own national security. There isn't anything left worth fighting for.

Re:Anyone else notice a pattern?

[dkleinsc]

Does anyone still believe them?

Yes. And they're a part of the problem.

"Inadvertent"

[Vainglorious Coward]

NSA agents are not allowed to eat cookies. However, they may take items from the cookie jar and place them in their mouths to determine whether they are cookies. Any cookies which are inadvertently swallowed may be retained.

Re:Good for the economy.

[Anonymous Coward]

Isn't that mostly what Tor already is?

A bunch of people downloading music and movies to hid from the RIAA and MPAA despite being told Tor's a bad tool for the job?

No, Tor doesn't run fast enough most of the time to make torrents worthwhile. Most people use Tor as an anoymous proxy, and that's all.
The Onion-based sites themselves mostly contain illegal activity such as child porn, drugs (Silk Road), hacking hangouts, credit card trading forums, and other stuff that is likely to get you in trouble with various governments around the world.

Re:Good for the economy.

[PrivacyXpert]

What is human right and human freedom that USA Government have been actively accusing other countries of lacking whereby they are spying on their own people in their own backyard? Its a disgraceful joke

Re:non-issue

[flappinbooger]

You are supposed to use HTTPS only over Tor anyway and transmit no identifying data in other cases, respectively. Tor already assumes the existence of such an adversary as the NSA, so what's the story here?

The way I see it, if you use the internet without TOR or VPN etc then everything is out in the open and the NSA logs everything and keeps everything IF OR UNTIL they determine you are a US citizen.

Or, you can use TOR or VPN or whatever and the NSA will log everything and keep everything - and consider your actions suspicious.

Moral of the story - If you use TOR or VPN for anything interesting you better make sure you do it right. If you don't use TOR or VPN then don't do anything interesting.

Re:Good for the economy.

[hawguy]

I don't really get it... The entire reason you might use Tor is because you want to hide what you're doing from the authorities... Why on earth would the authorities not consider it interesting what you're hiding if you're doing so?

It's like suggesting that a cop shouldn't go and investigate a guy handing a package to another guy in a back alley because back allies are common places for drug deals to take place.

They have suspicion that something dodgy is going on, and they're investigating it, that's what we pay them to do.

I use TOR for the same reason I close my curtains at night and don't keep my personal journal out on the front porch with a sign that says "read me!". I just don't like other people snooping on my private life. Though if I had to choose between some random guy on the street watching my browsing activity or the NSA, I'd choose the guy on the street because he's probably only doing it because he's nosy, but the NSA is doing it to see if they can link me to terrorism.

Re:Good for the economy.

[Virtucon]

Define "Communication Purposes Only."

Re:Good for the economy.

[lgw]

The entire point and purpose of the 4th amendment is to prevent this sort of thing. The government is not supposed to search someone unless they have evidence that that specific person committed some specific crime.

That principle is important, because it prevents (sadly real world) problems like "a liquor store got robbed - detain every black person in a 3 block radius, one of them probably did it" or "it's Wednesday, round up every Jew in a 3 block radius and search them all - we'll find something to arrest some of them for" or "these Tea Party guys sure do oppose the party in power, lets search them all and see if we can find any grounds to arrest some of them".

Any power you grant the government or the police will be abused to the maximum extent consistent with human nature. You need to constrain the power to search more narrowly than "that guy looks suspicious to me".

Re:Good for the economy.

[Anonymous Coward]

Um, wow. Where to begin?

"eth0" doesn't live at /dev/eth0. It's not a character device. You can't just write a stream of bytes to it and expect them to appear on the wire. If you somehow could, the result stream of bytes would look nothing like ethernet packets, and all you would succeed in doing is wreaking havoc on your LAN. Your router wouldn't be able to understand anything it saw, and would transmit none of it to your ISP.

Also, mathematically, true random data can't be compressed. In practice, that holds true for the output of your pseudo-random number generator too. I.e. why the heck are you using "compress"?

Furthermore, on most modern unixes "/dev/random" consumes entropy from your kernel's entropy pool. If the level of entropy available gets low, reading from it will block until more random data is available. Unlike /dev/urandom, /dev/random will not generate more pseudo-random output on demand. That means that running the above command will make any process on your system that uses /dev/random (i.e. all active SSH sessions, HTTPS connections, etc.) hang. The entropy pool is replenished from various physical sources - such as the number of microseconds between incoming packets, keystrokes, etc. - but not quickly enough if you run the command you suggested. (At least, not unless your motherboard has a hardware entropy source. They exist, but they're rare.)

You really didn't think that comment through much, did you?

Re:Good for the economy.

[ragefan]

Undermining national security. LOL. What does it feel like to see a threat in every shadow? Everyone is out to get you huh? Careful, the Democratic Republic of the Congo might just get the upper hand and de-stabilize the US before invading it!

Seriously, by fundamentally changing what the US stands for over the last 20-30 years, you have undermined your own national security. There isn't anything left worth fighting for.

The truth is, the US. Government is scared because they have been doing things that the people wouldn't approve for decades. They are scared because they know the house they built is coming down around them, and people are getting tired of it. They are scared because they know when we get sick of it and find out all shit they been doing, we are going to come down hard. They are trying to keep us from doing anything.

Come down hard?! Hmm, no. The American people will continue to ignore what the U.S. government does as long as they keep Hollywood pumping out new episodes of "Ouch! My Balls!" If the American people really gave a fuck, then a Congress with 16% approval rating would be wiped clean rather than the majority of incumbents be re-elected.

Re:Good for the economy.

[interkin3tic]

More to the point, by focusing the whole intelligence network so much on cultists with boxcutters, we're diverting attention from real national security matters (though still nothing to freak out about.) Such as cybersecurity, getting off oil dependence, and biosecurity. Preventing terrorists from killing more civilians than golf cart accidents is not a priority, preventing a nasty bout of influenza from spreading through the airports, or oil shocks, or infrastructure being shut down due to cyber attacks, that's much more worthy of tax dollars.

Again, nothing to panic about, so don't vote for someone who says we should require blood samples to fly...

Re:It's Worse Than You Thought

[TheNinjaroach]

Instead of cracking each encoded message they intercept, it would be much easier for the NSA to simply obtain the decryption codes directly from the central authorities like Symantec/VeriSign. This would greatly simplify the problem and would allow the NSA to instantly decode much of the encrypted communication it intercepts

Symantec and VeriSign don't create the encryption keys. You do. The private key remains private. Their job is to simply add a trusted digital signature to the public key that you've produced.

Re:Read article on TOR, get targeted

[ducomputergeek]

After 9/11 there were things done that made sense such as equipping airliners with armored cockpit doors, not allowing knives or axes or chainsaws in carry on, but collectively we should have kept a stiff upper lip, rebuilt the damn towers 1 story higher and said "It's going to take more than that to change us". Instead we went whining and cowering to the corner and those seeking more power ceased the opportunity telling us "they'd make us safe". I've read that line in enough history books to know whenever those in power start making that claim, bad things happen. Really bad things.

If you want to live in a free and open society the consequence of such is that sometimes people do bad things. That is the price of such a society. I think in my parents and certainly my grand parents generation they understood this. I put a lot of people off when I say this: but 3000 people die when bad guys crash planes into buildings. Well maybe we should look at things like the cockpit doors and explore air marshal programs. But the Patriot Act? No thanks. If it means 3000 people have to die now and then compared to having to live in a surveillance state, then so be it. 3000 people have to die. It's the price of the very freedoms we claim we so desire. So when bad guys do bad things, lets as a society help those directly effected the best ways we can, but we're never going to be safe. It's a dangerous world. And we as a society in the US don't seem to want to wake up to that reality.

Now I look around and wonder if Hobbes wasn't right: people are stupid and need to be ruled over by Kings. Because that what it seems like people have been "wanting" these past 12 years...

Re:"Inadvertent"

[Hillgiant]

You will notice, of course, that the procedure does not contain a provision for removing items from the mouth other than by swallowing.

Re:Good for the economy.

[Anonymous Coward]

The algorithms are a bit more complex than your feeble brain can comprehend. Keyword spamming does nothing, because keywords aren't analyzed. This is graph theory, not amateur search engine design.

Re:Awesome!

[cpghost]

BTW, this message was sent with TOR AND a anonomizing proxy.

Too bad you just linked your slashdot user account to that proxy and TOR ID... Better blacklist that proxy and reinitialize your TOR node ASAP. Just sayin'...

Re:Good for the economy.

[fuzznutz]

Yes...and? Sometimes people need to deal with hard times after decades of bad decisions and waste. We allowed this situation to happen, we supported it, we deserve the consequence of fixing it.

And as it took "decades" of bad decisions, you are not going to change it in a year. The economy does not shift instantly when there are disruptions. That is not to say that nothing should be done, but unless you enjoy civil unrest, crime, massive unemployment, it must be done with care. See Greece for how not to do that sort of thing. Pensioners were committing suicide to avoid starving to death.

Our economy is a LOT bigger and harder to radically redesign.

"Its going to suck for me" is not an excuse to continue doing the wrong thing and digging deeper and deeper. Simply put, tank manufactuers may not decide tomorow to make bicycles, but, if you don't cut them off, they will NEVER stop making tanks.

Cutting off a few tank orders is not the same thing as cutting 40% of Federal spending to arrive at a balanced budget. If you suddenly removed $1 Trillion from the US economy, it doesn't matter how much capital would be freed up for "investment," as you would have widespread panic and unemployment that would make the "great Recession" seem like a day at the park. The fact is, it would "suck" for everyone worldwide. We are 5 years out from the housing bubble and we are just now digging out from unemployment trouble.

The problem is demographics, growth stagnation, and poor planning. Simplistic edicts like yours will not suddenly fix everything.