'Echelon Study' Released by European Parliament
ckolar writes, "Duncan Campbell's report on Echelon has been delivered to the European Parliament's committee for Justice and Home Affairs and is available online." This is the study that was commissioned by the EU - very interesting reading.
sprs (Score:2)
Hmm, it's not there... (Score:1)
Just to note: while I *am* in Canada, most of my traffic gets routed through the States by default <SIGH>. Maybe, one day, Canada will have its own link to Europe...
Got pulled off of AP Wire (Score:2)
Don't Complain Here (Score:5)
As your constituent, I'm writing to ask for your support for a congressional inquiry into a threat to the privacy and civil liberties of all residents of the United States. I've read several credible reports that suggest that the global electronic communications surveillance system -- frequently known by the code name ECHELON -- presents an extreme threat to my privacy and that of other people around the world.
If you want to freehand your correspondence, get your senator's or representative's name, address etc. from their web site, and send the letter. Complaining on forums such as Slashdot, Attrition or HNN will not accomplish anything in bringing this stuff into the light. Whining on Slashdot only increases your Karma.
Slashdot effect. (Score:2)
Does anybody know what format the report is in, what size it is and precisely what time the link went live? I'd like to read it, but I'd also like to get my connection back at some point...
related links (Score:5)
Also, there are several related links on the Personal Security [tecsoc.org] page of the Center for the Study of Technology and Society.
Finally, if you want the wire version of the story, click here [excite.com].
Yours,
A. Keiper [mailto]
The Center for the Study of Technology and Society [tecsoc.org]
I'll mirror it! (Score:2)
Re:Don't Complain Here (Score:3)
Truth. It's the path of least resistance, however.
If you are interested in having more of their mission etc. made public, curbed completely or audited, the way to make a little noise and get heard is to write your representative.
I think the key word here is "little". I estimate the chances of governments of the world giving up spying on their own citizens and everybody else to be precisely zero.
The cypherpunks way is more to my liking. Encrypt. Encrypt all messages. Tell your friends to encrypt all messages. Laugh at the very expensive hardware collecting a lot of apparently random noise (but keep yourself up to date on the latest crypto techniques).
Whining on Slashdot only increases your Karma.
But isn't it the goal of existence? Better karma is the ultimate goal of life, isn't it?
Karma... must have karma... more... more... MORE!!!
Kaa
Mirror (Score:4)
The linked site appears to be slashdotted. I believe this is a valid mirror of the report:
http://www.cyber-rights.org/interception/stoa/inter
Re:Don't Complain Here (Score:2)
I remember when it was cool to have a sig file with NUKE, FUSION etc in it to make big brother read your mail. Now people want privacy. ;) Go figure :)
Noel
RootPrompt.org -- Nothing but Unix [rootprompt.org]
"Echelon Study" next to "Blame Canada" (Score:2)
Europe is pissed off (Score:5)
France allegedly [cfp99.org] has its own Echelon, and no doubt that the UK does also. So if they're doing it themselves, why are they so pissed at the US?
Re:Hmm, it's not there... (Score:1)
Hearing THE EUROPEAN UNION AND DATA PROTECTION
Brussels, 22-23 February 2000
Anyone got more?
There was an 'unknown error' when I tried to post this. I'm trying not to get paranoid. Please tell me this happens all the time...
Don't JUST complain here (Score:3)
If that's ALL you do, then that's true. You're preaching to the converted. But if you write (yes, with paper and stamps, because it's so much more effective than email that our benighted representatives seldom even hear about) to your representatives and THEN get onto a public forum like Slashdot and tell others what you did and why, it might get others to follow in your footsteps.
But please be polite. These people have to slog through bureaucratic BS all day. You won't win any friends in high places by venting your spleen at them. Just explain logically why this is a Bad Thing.
And while you're at it, write to your local newspaper. There you'll be preaching to many who are not yet converted. Spread the word!
Huh? (Score:1)
It's still there... (Score:1)
Eruantalon
The problem with Echelon (Score:5)
How so? Well, I've seen several posts suggesting writing to representatives. What good is that going to do? The NSA has refused to even say if the name even means anything to them, under Client - Lawyer privilege. Have you seen Congress push them into saying anything further? One try, and they seem satisfied they've done their part.
Ok, what about this jamming? As I've said on a number of occasions, NOBODY does interception by keywords. Even IDS systems use pattern-recognition and context-sensitive detectors. Why would one of the largest, most advanced, most brilliant collection of programmers and mathematicians use a simple 'tcpdump | grep'? It makes no sense.
Ok, so "conventional" jamming won't work, complaining gets nowhere, what CAN you do?
I'm not going to say people are powerless, because they're not. However, they DO need to be unorthodox. You can't break encryption, if you don't know the algorithm, or possible set of algorithms. Even then, your probability of a false positive goes up considerably, the greater the number of keys and/or algorithms.
There are a GREAT many encryption algorithms out there, some stronger than others but that's not really the point. If nobody can really tell which algorithm you're using, your effective keylength is equal to the key length of the -LONGEST- key possible, PLUS log2(number of algorithms).
eg: PGP/GPG uses RSA to encrypt a secret key, but uses a simple secret cypher to encrypt the message itself, using that secret key. If someone modified PGP/GPG to allow you to pick (or have it randomly select) one of, oh, 16 algorithms for the secret encryption, then your effective keylength is equal to 128 + 4 = 132. That's a lot tougher to crack (it'll take 16 times as long) and might well prove too difficult for a real-time system, such as Echelon.
Even so, I =can= tell you that Echelon is complex. My understanding is that it includes vast arrays of DSP chips embedded in the physical network, for pre-processing. The only hope is to make systems such as IPSec and PGP/GPG sufficiently advanced that one-size-fits-all solutions can't be used effectively.
Re:sprs (Score:2)
Speech recognition is hard. However, taking a voice print is really really easy. So they (british intel or whoever) would automatically take a voice-print of every call, and tape the calls that matched voice-prints of criminals, or whoever they listened to (I'll give them the benefit of the doubt).
Re:Slashdot effect. (Score:1)
With things like this, since it's a government site that in no way needs advertisers or anything, Rob and Hemos should without a doubt mirror this stuff PRIOR to posting it... Now the discussion is pure drivel. Mostly trolls, and a few general comments about Echelon, rather than one about what this paper has to say.
Re:Slashdot effect. (Score:1)
So far, it looks like traceroutes die at pool02b-194-7-41-145.uunet.be (194.7.41.145). I'm guessing that their leased line has rolled over and died, or perhaps is so congested that it just can't possibly deal with the traffic.
Tracerouting from an account I have in the US (with an ISP that is an Above.Net customer), it looks like packets die at the same place -- pool02b-194-7-41-145.uunet.be (194.7.41.145).
I'll see if I can find some information for them at RIPE that might tell me more about who their provider is and perhaps what alternate routes might be.
Nope. It looks like Uunet is their only provider in Belgium, and they don't appear to have a backup route that I can find. I wonder if perhaps they might be interested in a backup from the largest residential ISP in the country?
--
Brad Knowles
effectiveness of echelon (Score:4)
I live in Boston with three other people and their respective girlfriends; most of us have cell phones. Our house has two phone lines, DSL, and ten computers hooked up behind a firewall. My roommate has a Palm V with an omnisky. That's eight or nine voice streams and as many data streams. The data streams are going all the time, and are all multiplexed through our single DSL connection. Now, admittedly we're a little more wired than most. So we'll scale this down a bit. Assume the government only is interested in monitoring large cities and a few out of the way enclaves dotted around the map. Maybe the ten largest US cities and 150 known subversive groups. Including the greater metro area, each city has maybe 4 million people on average, implying about 1.6 million families per city, giving 16 million families total. We can guess that (plus or minus a few kooks) nearly every family has at least one phone line and 2 out of 5 have at least one cell phone. Probably 60% have an internet connection.
This gives us 32 million data streams, to monitor in real time, and at odd hours. Now given the current state of speech-to-text software, and assuming the NSA is 15-20 years ahead of the state-of-the-art (a very dubious assumption, these days), we'll also figure that with their software they can decrypt 200 voice streams per second with a pentium III. That still implies that they need the equivalent computing power of 160,000 high-end workstations.
Ok, this is not outside the realm of possibility. But it's right on the edge! Add in the complexity of understanding and dealing with different accents and different languages, static, spread spectrum cell phones, demultiplexing LANs, tapping who knows how many switches, debugging the monitoring software and releasing (secret!) updates into the field, dealing with code words and both simple and complex black box and white box encryption, and dealing with the noise of slashdotters putting in things like "kill the president" and "natalie portman is trafficking in hot grits disguised as cocaine to pay off communist subversives," and we see that if Echelon exists, it's probably close to useless. And a horrible waste of taxpayers' money. Though I guess developing such a comprehensive system could be valuable for use in targeted situations, like focusing on transmissions in a limited geographic area during high-tension conflicts.
These estimates are very much back-of-the-envelope, but does anybody see anything fundamentally wrong with them?
--
neil
Re:Bump in the night (Score:1)
This will list a buncha details about the post...
Re:Mirror (Score:3)
Re:Don't Complain Here (Score:2)
I don't know. A year ago, they denied its very existence, seems like the walls are coming down somewhat. Spying is one thing, the subset being interception of traffic is quite a bit smaller, and easier to exploit. I think that with the "New Age" of e-business in whatever flavor brings big dollar corporations into the mix now. They will have a huge impact on Echelon. Business is building and supporting the net now and they want their say. Enough pressure in the right places will make a difference in how they operate.
The cypherpunks way is more to my liking. Encrypt. Encrypt all messages. Tell your friends to encrypt all messages. Laugh at the very expensive hardware collecting a lot of apparently random noise (but keep yourself up to date on the latest crypto techniques).
Depends on what battle your fighting. Encrypting everything will generate much noise, but at what expense, for what purpose. If you really have something to say/write whatever and didn't want to take the chance of anyone else possibly seeing/hearing it, would you really send it over the net, or over some unsecured copper pair? I wouldn't.
Re:Europe is pissed off (Score:2)
On a more serious note, we (the UK) don't need our own Echelon, we're part of yours (like Canada, Australia, and, when they're not complaining about US nuclear powered warships, the Kiwis.) It is called the "Five Power Agreement" and regularly gets a mention in Mr Campbell's articles.
Just like the NSA aren't supposed to spy on US citizens, our Intelligence services aren't supposed to spy on us without either a warrant or ministerial permission (with our equivalent of a Congressional committee overseeing the whole thing.) Interestingly, they manage to get around this in a number of ways, but nowhere near as well as when we all had analogue mobile phones and it could just be plucked out of the ether.
Please don't either confuse the national governments of European nations with the EU (much as certain people would like them to be the same organisation) or (and this is a much more fundamental error) underestimate the hypocrisy of the modern politician.
Echelon in the news (Score:2)
Those who can understand Finnish can read a pretty good article summarizing the news here [mtv3.fi]. Finland is one of the biggest supporters of privacy and protection of the individual in the EU.
How to really jam Echelon (Score:5)
Set it up and create secure connections between your peers. Very soon it will support automatic keying using DNS-SEC (public keys kept in the DNS database).
Echelon makes little difference if everyone is using end-to-end transport level strong encryption.
Burris
Re:related links (Score:2)
--
Brad Knowles
Big Freakin' Deal (Score:3)
Is someone actually reading our mail? With terrorists, hostile governments, nuclear weapons, chemical weapons and biological weapons, does the government really care about anything you say?
If they are thoroughly reading your mail (suppose), are you suggesting that men in black suits come and oppress you? Because if not...
You must be suggesting that this evidence will be used in a court case against you. However, since it was obtained illegally, and the way in which it was obtained is classified (there was a case like this a while back), there is no way it can be used against you in a court of law.
As for the industrial espionage allegations, I could see someone doing that, but would suggest that it isn't commonplace. The government keeps a Very tight rein on its contractors, in terms of what they are allowed and not allowed to do, and it seems unlikely that it would make a *habit* of breaking similar rules itself, with the complicity of one of its contractors.
Also, do you think that microsoft and the nsa could slip something like that under our noses? Under several hundred million of our noses?
Re:Hmm, it's not there... (Score:1)
There was an 'unknown error' when I tried to post this. I'm trying not to get paranoid. Please tell me this happens all the time...
Well, I got that once, but while I had lynx & 2 netscape windows trying to access the europarl site, netscape's links decided to stop working. Of course, the sparc5 I'm on could be to blame for that.... Stupid work computers.
Eruantalon
Re:Don't Complain Here (Score:2)
I would. Two reasons.
One: Q: "Where does a wise man hide a fish?" A: "In the ocean".
Two: It seems highly unlikely that NSA or (insert your favorite bogeyman here) can break correctly-used publicly available encryption with reasonable key size (e.g. >=2048 bit for public key, or >=128 bits for symmetric).
Kaa
Re:Don't Complain Here (Score:1)
Go figure
Figure that the reason that we put such incriminating words in our .sig's was not that we wanted Big Brother to read our mail; it's because we wanted to throw so much crap into the wheels of the big machine that it would become quite useless as a means to filter.
It's still done. Remember the attempt to crash Echelon a few months ago?
Re:Don't Complain Here (Score:1)
Translation: We can't convince Nazis to be peaceful, so why try?
"The cypherpunks way is more to my liking. Encrypt. Encrypt all messages. Tell your friends to encrypt all messages. Laugh at the very expensive hardware collecting a lot of apparently random noise (but keep yourself up to date on the latest crypto techniques)."
Translation: Let's let them have what they want and when the finally get around to banning crypto inside my country, then I'll
Bad Mojo
Re:Huh? (Score:1)
The difference is that the NSA's dishes are surrounded by electrified fences and guards armed with automatic weapons.
Burris
After actually looking at the report, (Score:3)
I think this also points up the reason the government has fought PGP so fiercely. Even if they subvert the author, they can't do anything very obvious or easy, and you or I are quite likely to break anything they hide in the code, while rooting about in it.
Perhaps the most important question now is: what do the new crypto rules imply, in light of this? If we can really just give the no-goods at NSA a heads-up and export freely, does this mean that they're giving up? Or could it be that they can do an end run around the crypto if they have to (as in Tempest, bounce a laser off your window, intimidate your neighbor, et cetera)? Perhaps the best answer is: don't do anything bad, and encrypt everything, just in case.
EU isn't privacy friendly, either (Score:2)
One thing that deeply bothers me about this report is that it seems to focus primarily on purely economic problems associated with Echelon. The EU ministers seem to be worried that their businesses are going to lose market share because NSA is passing their plans on to their American competitors. This seems both dangerous and hypocritical to me. It's dangerous because they seem to be downplaying or ignoring the (IMO) much more significant damage to personal privacy that is inherent in the NSA's pawing through everyone's communications.
It's hypocritical because EU countries have been as vigorous as anyone in using government intelligence to benefit their commercial sector. Interestingly, two of the specific examples of intelligence alleged to have come from Echelon were about EU companies offering bribes in pursuit of contracts. I don't want to compare the significance of offering bribes to that of reading people's mail, but I find it pretty hypocritical of the EU to bitch about others' reading of their mail turning up illegal and immoral behavior.
They haven't had that much traffic for years :-) (Score:1)
What is that eu.int-domain, anyway? I want one of these
For your information (Score:1)
I recently used one of those e-mail engines to send correspondence to my two state senators (Sen. Chuck Grassley [R] and Sen. Tom Harkin [D], of Iowa), and *BOTH* sent me a snail mail response.
FYI, it was concerning the Know Your Customer Sunset Act.
Re:effectiveness of echelon (Score:2)
I'm not sure I follow your reasoning, but I think I see a few issues.
1) Few people so far have always-on data streams.
2) Practically nobody has always-on voice streams.
3) There's no need to do deep analysis on everything. Assuming that this system exists in some form, there's no doubt some sort of funneling effect. 99.9etc percent can be safely ignored after a quick keyword skim. The stuff taken off the top can be skimmed a little more slowly, as a first-pass context check. The cream of that can be skimmed still more carefully. And so on.
4) Other forms of intelligence -- and results from the system itself -- can be used to focus the "attention" of the system more efficiently.
5) I'm not sure using a "number of workstations" yardstick is meaningful for the kind of analysis they may be doing. (Specific-purpose hardware could give them a big edge.)
Re:Don't Complain Here (Score:4)
Not to disagree with your point about being proactive, but I've noticed a lot of people seem to disregard the importance of actually having the discussion. Most of the whining and bitching I read contains at least one element of interest, whether intended by the author or not.
Also keep in mind that not everyone that reads HNN, attrition, slashdot, etc, is predisposed to getting involved or reading discussions like this.
Even the things that could be considered "preaching to the choir" have some educational value for me. Reading other's thoughts on here reinforces ideas that I may have already had, but never thought to articulate or couldn't articulate as well as they did. Later on I can, and occasionally do, use these arguments effectively in day to day conversation. I'd dare say that I learn more from the bitching and preaching than I do from the original articles.
Bitch on brothers!
numb
Re:Big Freakin' Deal (Score:3)
No, but we should not be so naive as to think that they aren't interested in interfering with the politicians who do have an impact on our lives.
Remember J. Edgar Hoover? He ran the FBI for half a century until he finally died. The general public thought of him and his "G-Men" as heroes of law and order. After he died the truth came out: he was able to stay in power for so long by illegally using his surveillance capabilities to get dirt on his political enemies. He had blackmail material on the vast majority of the federal elected representatives and used that to influence policy.
Ever wonder why a democratically elected and accountable government would use our hard-earned tax dollars for things that the voters would never approve of (like Echelon)?
Re:related links (Score:1)
If I can manage to download a copy of it, I'll try to put a mirror up in the US. And then I'll try to explain the traffic to my ISP. ;-)
--
Brad Knowles
Re:effectiveness of echelon - easy (Score:1)
CARRIER LOST
Re:effectiveness of echelon (Score:2)
And one other point - the problem with noise would be correct, if they did keyword recognition, which is exactly why I'm convinced they don't. Rather, I believe they use sophisticated pattern recognition and context recognition.
(A bunch of drunk students typing stupid, but blatantly fake, trolls on Slashdot will produce radically different patterns than cold, unfeeling gangsters talking about some illegal activity. However skilled either group is, they'll never be able to exactly match the style and characteristics of the other. An advanced enough system should, therefore, be able to filter by style first, then context, and finally by pattern, and thereby eliminate the noise almost entirely. Yes, there'll be some, especially from Wargamers, but that'll almost certainly be all filterable by hand, and there'll be sufficiently little left to be practical to filter by hand.)
Re:Don't Complain Here (Score:1)
Re:effectiveness of echelon (Score:1)
Re:effectiveness of echelon (Score:4)
Funny you should say that.
I was interviewing for a job the other day with a Genetic Engineering firm, and about half way through the series of interviews, their sysadmin gave me a tour of the server room.
Amongst scary Enterprise Servers the likes of which I have only read about, they have a box with cool-looking (OSX-Aqua-esque in its sheer sleekness) blue lights which they apparently got from the NSA.
This box basically consists of 7000 simple, massively parallel processors specifically designed to do 1 thing: pattern matching from huge amounts of data. This has obvious benefits for the Genetic Engineering firm (genomic info is all just strings), and perhaps even more obvious benefits to the NSA.
Just thought it was interesting...
Anthony
Re:Big Freakin' Deal (Score:2)
As for the whole "democratically elected and accountable government..." This is crap. Would you want intelligence agencies run by popular vote? There is professional government, and political government. Compare your borough manager and your mayor. There's a place for both, but perhaps what I'm trying to say is that the people that best understand the intelligence game are *in* the intelligence game. Not politicians, voters, or even geeks. :)
Yawn, boring, encrypt your stuff (Score:4)
The wrong thing to do is to focus on "Echelon". Look, *ANYONE* can listen in on you, not just the NSA. Use a cell-phone? Use a cordless phone? Your neighbors will soon be able to buy or create scanners to decode digital transmissions. Use the internet? A hacker hacking into an ISP or wherever your mail is located can easily read it. How about cable modems? Oops, anyone can sniff your packets.
If you don't want to install window blinds or curtains on your windows, don't cry when someone uses a telescope to watch you getting undressed.
The only solution to the privacy problem is to use encryption. If you broadcast data in the clear over any medium, you are relying on security through obscurity.
Has anyone noticed how EU centric these articles are? Who's Echelon? Anyone not in mainland Europe apparently. US, Canada, Australia, New Zealand, UK, etc. (the GMO controversy also follows the same sort of dividing line, with the mainland Europeans being the most vocally opposed)
Of course, France, that moral and highly cultured "you don't even know what culture is you Americans", would never engage in something as distasteful as industrial espionage? Would they?
It's patently obvious that the world's spy agencies have been intercepting all the traffic they could, even since World War II and before. Echelon is nothing new, except a "ooh scary" code word.
Re:effectiveness of echelon (Score:1)
Add special purpose processors [eff.org] and the efficiency and speed goes through the roof.
Re:Don't JUST complain here (Score:1)
pen and paper are great but a printer and a signature make the same point. Just print an e-mail before you send it, sign it, address it, stamp it, and make a bigger difference. Hmm, now I remember why I liked e-mail so much...
Re:Alternate link (old) (Score:1)
Re:effectiveness of echelon (Score:1)
2. Please don't assume that they use wintel / linux / solaris sparc for anything more than writing reports up about
3. Specific targeting (ie Saddam, Bill C's girlfriends, Jamie after the Holland victory - well done) isn't Echelon's problem. They have other kit to target you once you are a known subversive (they, you, known and subversive all having very different meanings depending on precisely where you live)
4. 160,000 workstations. Assume they have a quality factor of 10, 'cause they are better at this than us (allow them practise, if not expertise.) My Black Box catalogue has a $100 per port controller that can run up to 3000 workstations (Sun, Wintendo & Mac). Therefore, assuming it's all linked with something better than NT User Mangler for Domains, you could control the boxes from 6 terminals.
Okay, the math doesn't allow for human committed time but hell, call it 500 controllers. Bet you there are more than 500 techies per shift at Fort Meade.
Re:related links (Score:1)
I am now in the process of downloading what I believe to be the PDFs for the report in question, and if/when these files are downloaded, I will upload them in other places and let you folks know where they are.
--
Brad Knowles
Re:They ARE doing something (Score:1)
By the way, does anyone know the Arabic word for "detonator"? What would happen if it was included in every posting on the net?
whoa there a second! (Score:3)
1) There seems to be an assumption that part of Echelon is the ability to compromise a 128-bit key in a negligible amount of time (i.e. instantly.) Now, I'm not super-duper-hardcore up to date on my Echelon readings, but I haven't seen any indication that anyone actually has the capability to brute force a 128 bit key in real-time. If I've just been living in a cave (not far from the truth) and simply failed to hear about this advance, someone please post a link/reference, or e-mail me (above address, minus the DELETME), or something-- I'd be really interested in such news.
2)PGP/GPG uses RSA to encrypt a secret key, but uses a simple secret cypher to encrypt the message itself, using that secret key.
Maybe I'm reading this wrong, but it sounds like you're saying that PGP/GPG use a proprietary algo for their symmetrical crypto. At least with PGP, this is not the case. PGP (I think) currently uses IDEA, and used to use DES. While the latter is somewhat shady, these are hardly secret, and aren't that simple, either.
3) In the above set-up (with the PGP/GPG system which randomly selects the private-key algo to be used on a message-by-message basis) how do you securely communicate this to the recipient? Is the selected algo packaged with the key inside the public-key encrypted portion of the transmission, or do they just guess? (Not that having them just guess is such a bad idea-- it's sorta like those first versions of Public Key systems, the ones that used numeric puzzles for the keys. If the recipient just has the key, it'll take a more-or-less negligible amount of time for her to decrypt the message under each algo and see which version isn't gibberish.) Still, I'm not seeing the need for this, as per #1. I mean, if they can brute-force a 128-bit key in more-or-less no time, is making this time 16X longer gonna put that much of a knot in their britches? If 128-bit keys aren't secure, then this sort of arrangement is just a Band-Aid.
Again, it's possible that I'm just totally mis-reading the above. Sorry if all of this is out-of-left-field.
Sure it's nothing new, but thats not the issue: (Score:1)
Sure us geeks can use strong encryption to hide our pr0n from prying eyes, but egos aside we're the minority! What about the other 95% of people out there who don't have enough knowledge to use systems such as PGP, or frankly have no idea of what they are or why they exist?
How many upcoming international companies have gone under because information about their new products has been leaked from surveillance?
How do we know that Micro$oft's dominance hasn't been influenced by Echelon leaked information?
It sure makes me wonder sometimes...
Jeremy.
Re:Don't Complain Here (Score:1)
Re:The problem with Echelon (Score:2)
As far as PGP/GPG go, you assume that the NSA has no shortcuts on cracking IDEA, Blowfish, etc. The solution space for algorithms is so small as to not affect the workload. Don't count on "Security through obscurity (of algorithm)". Need I remind you that "when you assume, you make an ass out of you and me"
The problem with Echelon is the lack of oversight. How can the NSA claim client/attorney privileges? What is being done to verify that ECHELON breaks no laws?
As the saying goes, the first step to dictatorship is secrecy.
Cheers,
Slak
Re:The problem with Echelon (Score:1)
There also seems to be not much point in using random algorithm selection between 16 different ciphers. You get the same benefit by increasing your symmetric keylength by 4 bits. Yay.
By all accounts I've read 128 bits is just too hard to feasibly attempt these days... look at distributed's progress with their 64 bit project.
partial mirror (Score:1)
Re:Big Freakin' Deal (Score:3)
As for the industrial espionage allegations, I could see someone doing that, but would suggest that it isn't commonplace. The government keeps a Very tight rein on its contractors, in terms of what they are allowed and not allowed to do, and it seems unlikely that it would make a *habit* of breaking similar rules itself, with the complicity of one of its contractors.
From the summary: (emphasis added)
7. Key findings concerning the state of the art in Comint include:
Comprehensive systems exist to access, intercept and process every important modern form of communications, with few exceptions (section 2, technical annexe);
Contrary to reports in the press, effective "word spotting" search systems automatically to select telephone calls of intelligence interest are not yet available, despite 30 years of research. However, speaker recognition systems - in effect, "voiceprints" - have been developed and are deployed to recognise the speech of targeted individuals making international telephone calls;
Recent diplomatic initiatives by the United States government seeking European agreement to the "key escrow" system of cryptography masked intelligence collection requirements, and formed part of a long-term program which has undermined and continues to undermine the communications privacy of non-US nationals, including European governments, companies and citizens;
There is wide-ranging evidence indicating that major governments are routinely utilising communications intelligence to provide commercial advantage to companies and trade.
Keep in mind the part about voice-printing when you read Admiral Burrito's response to your post. Also, keep these in mind: Who does the NSA report to? Where do their loyalties lie? Is it part of their charter (or whatever they call it) to make sure that the information they collect is used only for ethical purposes? Who's the watchdog that makes sure the NSA doesn't do anything it's not supposed to? Don't look at me--I don't know.
numb
Re:Don't Complain Here (Score:1)
One: Q: "Where does a wise man hide a fish?" A: "In the ocean".
If your ocean is big enough, that's wise advice...for non-digital devices, and as long as you no longer want the fish.
Two: It seems highly unlikely that NSA or (insert your favorite bogeyman here) can break correctly-used publicly available encryption with reasonable key size (e.g. >=2048 bit for public key, or >=128 bits for symmetric).
Agreed...for now.... :)
Re:The problem with Echelon (Score:2)
Increasing the number of algorithms has two benefits. First, you're -guaranteed- a safe increase in effective bit-length, WITHOUT weakening the algorithm(s). Second, you increase the likelihood of a false positive, on the part of the cracker. This makes it harder for a cracker to be sure they have the right message.
Re:whoa there a second! (Score:1)
Your understanding of #2 is correct, I believe.
I'm pretty sure that all Public Key Crypto systems work the same way. A session key is generated (if this isn't random, it's a place to attack) and encrypted using public key crypto. The message itself is encrypted using a symmetric algorithm. Thus you can do 2 things to try to read the message:
1. Brute force the key for the symmetric algorithm.
2. Try to crack the public key/private key pair. This will then allow you to decrypt the session key for all communications, not that particular conversation.
Ideally, determining the private key is much harder than brute forcing the symmetric algorithm (since it allows you to decrypt *all* messages).
Cheers,
Slak
It's tax time again (Score:1)
Study Has A Few Surprises (Score:1)
So what are the biggest revelations in this report, for those already familiar with intelligence collection? And for those who are new to the field and just worried about Echelon, what are the most important facts to remember?
1. Nobody is spying on you unless they already have reason to suspect you.
"The geographical and processing difficulties of collecting messages simultaneously from all parts of the globe suggest strongly that the tasking of these satellites [and other resources, as the report states] will be directed towards the highest priority national and military targets."
2. NSA has a much better grasp of Internet communications than would at first seem possible. The sheer immensity of Internet traffic and its global reach would seem to handicap NSA intelligence collection efforts. Not so, according to the report.
"Since the early 1990s, fast and sophisticated Comint systems have been developed to collect, filter and analyse the forms of fast digital communications used by the Internet... [A] large proportion of international communications on the Internet will by the nature of the system pass through the United States and thus be readily accessible to NSA... Although the quantities of data involved are immense, NSA is normally legally restricted to looking only at communications that start or finish in a foreign country. Unless special warrants are issued, all other data [like domestic U.S. e-mail] should normally be thrown away by machine before it can be examined or recorded... Much other Internet traffic (whether foreign to the US or not) is of trivial intelligence interest or can be handled in other ways [and usually reached by OSINT, "open source" intelligence]."
3. U.S. companies like Microsoft have purportedly cooperated in these intelligence collection efforts. This is unorthodox, to say the least. The following claims made in the report are allegations without a great deal of substantiation.
"According to a former employee, NSA had by 1995 installed "sniffer" software to collect such traffic at nine major Internet exchange points (IXPs). [A list follows.] ... The same article alleged that a leading US Internet and telecommunications company had contracted with NSA to develop software to capture Internet data of interest, and that deals had been struck with the leading manufacturers Microsoft, Lotus, and Netscape to alter their products for foreign use... [In 1995, the] companies agreed to adapt their software to reduce the level of security provided to users outside the United States. [Actually, this was not so much an agreement as a direct government requirement for exports.] In the case of Lotus Notes, which includes a secure e-mail system, the built-in cryptographic system uses a 64 bit encryption key. This provides a medium level of security, which might at present only be broken by NSA in months or years."
4. They don't tap your phones.
"Effective voice 'wordspotting' systems do not exist are not in use, despite reports to the contrary," according to the report. "Fax messages and computer data (from modems) are given priority in processing because of the ease with which they are understood and analysed." The only special phone technology the NSA has are systems that identify speakers by their voiceprint, which "have been in use since at least 1995."
5. The FBI may know more than it should. Collaboration between the intelligence community and FBI is seriously frowned upon, especially since it is occasionally the FBI's job to investigate breaches of protocol by the intelligence community. Yet, according to the report, the International Law Enforcement Telecommunications Seminar (ILETS) was set up by the FBI in 1993, and has served as a guiding body for much of the COMINT work that fits under the name "Echelon."
"The work of ILETS has proceeded for 6 years without the involvement of parliaments, and in the absence of consultation with the industrial organisations whose vital interests their work affects."
Why is it important to keep the NSA (collection of intelligence) and the FBI (domestic crimes) separate? "Any failure to distinguish between legitimate law enforcement interception requirements and interception for clandestine intelligence purposes raises grave issues for civil liberties. A clear boundary between law enforcement and 'national security' interception activity is essential to the protection of human rights and fundamental freedoms."
6. The study has no real proof of corporations inappropriately benefiting from collected intelligence.
Businesses do not get help from intelligence agencies - governments do. The study admits this: "There is no evidence that companies in any of the UKUSA countries are able to task Comint collection to suit their private purposes."
Generally, there is nothing ethically wrong with a country collecting economic intelligence about another country. If intelligence is to be useful in any way, we need to know important economic data so we can act on them if necessary. The only ethical problem would be if specific businesses got help, but other than a spurious hint of impropriety, the study doesn't really have any proof. All it has is this quotation from a Baltimore Sun article: "Former intelligence officials and other experts say tips based on spying ... regularly flow from the Commerce Department to U.S. companies to help them win contracts overseas."
7. Echelon or not, the intelligence agencies are losing.
Every day, U.S. intelligence collection agencies slip farther behind. They are in sorry shape right now, with huge input, and very limited analysis capabilities. And in the end, the study admits that "[t]he use of strong cryptography is slowly impinging on Comint agencies' capabilities... [I]n the absence of new discoveries in physics or mathematics, Moore's law favours codemakers, not codebreakers."
Let me know if you think I've missed any of the study's major revelations.
Thank you.
Yours,
A. Keiper [mailto]
The Center for the Study of Technology and Society [tecsoc.org]
Re:Alternate link (old) (Score:1)
"false positive"? (Score:1)
Superbowl Flush and Echelon Flush (Score:2)
Speaking of flooding national systems, a friend of mine worked at a water treatment plant (sewage.) I joked to him about the "Superbowl Flush" effect that I heard about in the late 70's and asked if he could comment on it. The theory went something like when America would all get together on Superbowl Sunday to drink beer and watch the barbaric game of football up until halftime, at which time their urinary bladders exceeded maximum capacity. The concern was that everyone and their brother made a dash for the toilet, whizzed, and flushed at the same time, overloading the sewer systems and rivers across the country, possibly causing mass flooding, etc...
He stated it was no joke and described the incoming rush of water was real.
So, I guess we could all flush our crap at the same time and jam echelon in the same way. Whoooohooooo!
Re:[OT] Any good noise recognition SW for Linux? (Score:1)
Well, let's see... take a peek at kvoicecontrol [kiecza.de] for KDE, compliments of Daniel Kiecza. :) Granted, for non-profit use only...
I haven't checked in a while (may be a bit outdated), but here's some linux speech apps [phil.muni.cz]
For those that really wanna play, check out ISIP's ASR project [msstate.edu].
For those that are interested in acquiring speech corpora (training data), check out The LDC-online [upenn.edu]. Get the free guest account, use your perl skills and your imagination, and suddenly the TIMIT corpus is yours.
Email me if you're interested in this kinda stuff (or want my timitgrab.pl script)... it's not my primary address, but I check it from time to time.
You'd probably be interested in kvoicecontrol for your particular demands.
Oh yeah, for my email, the 00 in r00t is two zeros.
Re:whoa there a second! (Score:2)
2) A secret cypher, also called a symmetric cypher, is simply one in which the encryption key and decryption key are the same. It's inherently weaker than a public key/private key pair, but it is much faster, which is why PGP uses it for the actual message itself.
DES is trivial to break. The record for a hobbyist computer is 3 days, I believe. A transputer net could realistically reduce this total to under 3 minutes, without costing very much more. Dedicated, custom-built military-grade hardware, designed for this specific task, and cooled to obtain maximum performance, could probably crack DES within a matter of a few seconds, possibly less.
IDEA isn't much better. There are a lot of weaknesses known for it.
Actually, breaking a 128-bit key is probably irrelevant, as DES uses 56 bits. It's much quicker to ignore the 128-bit encryption, and derive the key by cracking the message. By doing so, you've reduced a slow, 128-bit cypher to a fast 56-bit one.
By using multiple algorithms, though, you can't do that. You don't know how long the key is, therefore you don't know where the message is. This means you =HAVE= to break the header. You don't get the choice. No shortcuts, anymore.
Sixteen times as long IS a significant amount, if you've a lot of encrypted traffic. It means that you can only crack 1/16th as many messages, within the same timespan, for a start. As this would have to be a real-time system, that means you've 1/16th the intelligence-gathering capacity.
BUT, the problem is so much worse than that. Because the crackers can't use the shortcut, anymore, the problem isn't simply one of 128-bits to 132-bits, but 56-bits to 132-bits. THAT will take them 2^76 times as long, which would definitely saturate the system, no matter HOW powerful it was.
Re:Echelon in the law (Score:1)
Re:Hmm, it's not there... (Score:1)
The truth is out...of style.
Maybe our efforts are better off elsewhere (Score:1)
I just have this feeling that no matter what I do someone out there will be watching these days. Given that, I'd rather put all my efforts into stopping something that is DEFINITELY harmful to you rather than being annoyed that someone somewhere is reading my email. If all the people who don't have any secrets that NEED to be protected put their efforts toward, say, stopping drunk drivers, or spam, I believe our quality of life would go up much more than Echelon may be bringing it down.
I mean hell, maybe they'll use this for good and stop the next two crazy guys who wanna blow up a building full of workers and their kids, or stop some guy from molesting that 12 year old girl who doesn't know not to give her address to people on the net.
minor error (Score:1)
Apologies,
A. Keiper [mail]
The Center for the Study of Technology and Society [tecsoc.org]
Re:"false positive"? (Score:2)
As for the probability - this depends on the algorithm you're using. If you're using a straight XOR, nothing fancy, and a key of equal length to the message, then the message cannot be cracked by going through every possible key, because you will get every possible plain-text message of equal length.
I don't know if there's any "formal analysis" of the likelihood of one encrypted message (algorithm unknown) "decrypting" to >1 "valid" plain-text, but it would seem reasonable that the longer the key-length and the greater the range of potential algorithms, the greater the likelihood of false positives.
The main thing you'd have to watch for, though, is having two or more algorithms where a1(key1) generated the same output as a2(key2). Let's say you were using XOR, for example, as your encryption algorithm. Using XOR (256-key) as a second algorithm would be a big mistake, as you've gained no strength in doing so. (It's not made it any worse, either, but there may well be cases where it would.)
Re:Europe is pissed off (Score:2)
The point you seem to be missing is that the echelon is outside Europe's control, and this pisses me off greatly (well, it just adds to the fact that being spied upon pisses me off a great deal too).
Let's put this thing in another perspective: while you probably occasionally check your back lawn to keep it clean and tidy, wouldn't you be pissed if your neighbor pointed some hidden surveillance camera to your lawn without telling you, without asking for your permission, without being accountable, and possibly selling videos of your lifemate sunbathing nude to his friends in the neighborhood? Because this is exactly what echelon does.
Re:whoa there a second! (Score:1)
I'll agree that DES isn't secure (note: not the same as trivial to break). I find 3 minutes difficult to swallow.
I'm not so sure that I would throw IDEA into the lo, though surely the AES candidates are stronger.
I don't see your jump to
At this point, your math really confuses me. Why does one have to break the header? You could just brute force the IDEA (or whatever) keyspace. In fact, one hopes that this is easier to do than break the header. If you can break the header for 1 message, you can now recover all session keys and read all messages. Once you have the session key, all you have to do is plug it into 16 or 32 symmetric algorithms and you've got the message.
The problem is if the NSA can find public/private key pairs. This means they can:
1. Decrypt messages intended for me.
2. Sign messages in my name (spoof being me).
Cheers,
Slak
Re:The problem with Echelon (Score:1)
With PKI, it really seems that all you can do is shift the bottleneck from one point to another... Either it's the RSA component, the symmetric component, the RNG, or the key servers themselves...
By the way, PGP 6.5 offers a choice of RSA or Diffie-Hellman for key exchange and IDEA, CAST or Triple DES as the symmetric component.
Echelon Study Reports Mirrored (Score:1)
DEVELOPMENT OF SURVEILLANCE TECHNOLOGY AND RISK OF ABUSE OF ECONOMIC INFORMATION [baked.net] (An appraisal of technologies of political control)
Part 2 of the article above [baked.net]
Part 3 of the article above [baked.net]
Interception Capabilities 2000 [baked.net], or Part 4 of the article above
Also:
AN APPRAISAL OF TECHNOLOGIES OF POLITICAL CONTROL [baked.net], or the working copy of the above article
Enjoy reading - there's a lot of it
Eruantalon
Re:After actually looking at the report, (Score:1)
No clue... (was Re:whoa there a second!) (Score:2)
Dr. Burris T. Ewell
Re:How to really jam Echelon (Score:2)
Re:Europe is pissed off (Score:3)
What we need to do is make it clear to European politicians that they can gain political power (in the internet community) by talking about how evil it is to go around spying on people. This meme will survive and they will not think their own spies are as important at budget time or when scandals come up in the future. Discrediting one at a time is the way to disarm the spies.
The solution (Score:2)
Actually, the most effective thing would be to get proper use of public key cryptography to be taught in every CS101 class (i.e. first class a CS student takes). Perhaps going so far as to require all their assignments to be digitally signed and encrypted for the recipient (with GPG) when turned in via computer. A strong case can be made for this being an essential part of a computer education.
I suppose you could also go to high schools and teach the kids how to keep their emails secret with PGP, but that takes a little more work than just convincing college professors to teach it.
Re:No clue... (was Re:whoa there a second!) (Score:2)
Re:How to really jam Echelon (Score:3)
Excuse me, but I think this is clueless.
Sure, seeing the actual messages is interesting too, but there is lots of information to be gathered just by monitoring who is talking to whom and when. Build graphs of that info, and you see the "communities" on the net and how they interact and relate to each other.
This information is much easier to refine automatically (by computer) than actually understanding what you say in your messages, encrypted or not.
So when they have identified some arms traders (for example), they just do some data mining in their databases, build the communication graphs, and if you have ever dealt with these people (by phone or internet), you will be found! Then they can correlate your communication patterns with other data (flight travels, bank deposits, etc). They got you now. At this stage, they might want to select a few strategic communications that you have encrypted and send them to the code breaking computers, but I don't think it is critical for what they are doing. They could just as well use other means at this stage if needed.
The purpose of Echelon is allowing them to do this on a global scale.
Re:"false positive"? (Score:2)
Let's say you were using XOR, for example, as your encryption algorithm. Using XOR (256-key) as a second algorithm would be a big mistake, as you've gained no strength in doing so. (It's not made it any worse, either, but there may well be cases where it would.)
Actually, that would make the crypto considerably worse!! Since 256-x where x
It's still a pain to brute, and there are still more than one possible decryption, but the space is vastly reduced. A 1k message will only have 8^1024 possible plaintexts rather than 256^1024.
Re:"false positive"? (Score:2)
OOOPS, that damned less than! Let's try that again!
Using XOR (256-key) as a second algorithm would be a big mistake, as you've gained no strength in doing so. (It's not made it any worse, either, but there may well be cases where it would.)
Actually, that would make the crypto considerably worse!! If key = x XOR (256-x), each char of plaintext is effectively XORed with 1 of eight possible bytes rather than 1 of 256. Furthermore, the 8 choices are all very neatly arranged so that it will start with 1s and end with 0s (in binary). To make matters worse, the distribution is screwed and heavily favors 11111110b so that the majority of characters have all but the last bit flipped.
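The composition argument in the corrected post above, checked numerically. This is an added example, not code from the thread; it assumes "XOR (256-key)" means a second single-byte XOR pass with key byte 256 - x, and all function names are ours. Enumerating every x shows the eight effective key bytes and the skewed distribution the post describes.

```python
from collections import Counter

# Added example (not from the thread). It checks the claim that XOR with a
# key byte x followed by XOR with (256 - x) collapses to XOR with a single
# effective key byte drawn from only eight values. All names are ours.

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)

def effective_key(x: int) -> int:
    """The single key byte equivalent to XOR with x, then XOR with (256 - x) mod 256."""
    return x ^ ((256 - x) & 0xFF)

def double_xor(data: bytes, x: int) -> bytes:
    """The two-pass scheme from the post: first key x, then key (256 - x)."""
    return xor_bytes(xor_bytes(data, x), (256 - x) & 0xFF)

def effective_key_distribution() -> Counter:
    """Count how often each effective key byte arises over all 256 values of x."""
    return Counter(effective_key(x) for x in range(256))

def effective_key_space() -> list:
    """The distinct effective key bytes, sorted; only eight values occur."""
    return sorted(effective_key_distribution())

def candidate_plaintexts(ciphertext: bytes) -> dict:
    """Every plaintext the two-pass scheme could have produced the ciphertext
    from: one candidate per effective key byte, so eight instead of 256."""
    return {k: xor_bytes(ciphertext, k) for k in effective_key_space()}

def demo():
    message = b"meet at noon"  # constructed sample plaintext
    x = 0x37
    ct = double_xor(message, x)
    # The two passes are exactly one XOR with the effective key byte.
    assert ct == xor_bytes(message, effective_key(x))
    dist = effective_key_distribution()
    # Most common first: 11111110 wins for every odd x, i.e. half the time.
    for k, n in sorted(dist.items(), key=lambda kv: -kv[1]):
        print(f"effective key {k:08b}: {n:3d} of 256 choices of x")
    print("candidate plaintexts for the ciphertext:", len(candidate_plaintexts(ct)))

if __name__ == "__main__":
    demo()
```

The distribution printed is 128, 64, 32, 16, 8, 4, 2, 2 over the bytes 0xFE down to 0x80 and 0x00, which is the "starts with 1s and ends with 0s" pattern in the post.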
"I Listen : A Document of Digital" by Spacewurm (Score:2)
Since 1993, electronic music artist The Spacewurm has used specially modified digital scanning equipment to secretly (and illegally) record the cellular and portable phone calls of everyday people all over the country. The stories, confessions, and intimate conversations of these unwitting participants are described in I LISTEN.
Re:Sure it's nothing new, but thats not the issue: (Score:2)
In the 80s, when America felt threatened by Japan, there was a similar sort of whining. Americans were complaining about Japanese interns in American companies copying designs and taking them back to Tokyo. Americans made much of the fact that all Japan did was go to Comdex, copy American inventions, and then mass produce them.
Echelon is the new scapegoat to explain the poor French economy. But what is not mentioned is that French Intelligence has been doing this for years.
You don't even need listening posts. Just H1-B VISAs.
The Europeans are basically trying to find some illegitimate/unfair tactic behind the US economy's success. It couldn't possibly be that American venture capital markets are superior, or that America is brain-draining Europe by influencing all the smart/ambitious people coming here to work, or because the US just has a better climate to conduct business.
Oh no... it must be because Microsoft/IBM/Yahoo/Amazon/Boeing/GE/whatever are actually being secretly helped by the NSA.
My suggestion is if you care about your privacy, stop sending private information out in the clear.
You should worry more about the masses of miniature hidden $10 webcams exploding on the market, monitoring your every move, and being installed in public bathrooms, so perverts can put you on their web page.
By comparison, your next door neighbor is going to do far more harm to you in the near future.
Enjoy! (Score:3)
Re:Well, of course it's Eurocentric! (Score:2)
He, like many people, is concerned with what governments are getting away with. It's becoming far too much an 'us' and 'them' situation. 'They' are supposed to be working for 'us', not against us. But somewhere it has gone wrong. Many people can't see it getting better, and it seems to be one of those self-promoting systems that can only get worse.
It's not euro-centric so much as someone on the outside looking in. More non-US-centric as it were.
Vik
Voice keyword monitoring systems. (Score:2)
Re:Big Freakin' Deal (Score:2)
Yeah, that stinks. In the states racketeering charges originally invented for the sake of fighting organized crime are being brought to bear against pro-life groups. (whether you love them or hate them, think of the effect this kind of thinking might have had on the civil rights movement).
About encryption keys, I would suggest that they should be permitted to be handed over with a warrant, but pretty much not otherwise. UK probably says hand it over regardless (don't know if that'd go over in the states) ... and of course this brings up problems if the proof's in the pudding (the only incriminating evidence is encrypted). Oh well. Cops not being able to arrest a party they know is guilty isn't new, and I suppose it will exist forever :P . Silly innocence.
Re:No clue... (was Re:whoa there a second!) (Score:2)
As for the number of algorithms, here is a short list of what's out there that -could- be used for something like this:
Serpent, Rijndael, Square, IDEA, MARS, RC5, RC6, GOST, Skipjack, 3DES, Twofish, Blowfish, Safer+, TEA, DEAL and CAST.
You can then insert -any- of these into an elliptic curve algorithm, such as Pegwit. This essentially doubles the total range of algorithms you can use.
This gives you a total range of 32 algorithms, which is sufficiently large to make brute-force decryption a much more complex process, with a much higher likelihood of getting apparently meaningful, but totally incorrect, output.
Re:Big Freakin' Deal (Score:2)
It is certainly possible that a thug will suddenly become a saint, or vice versa. However, it is much more likely that future behavior will follow past patterns unless some modifying force (in this case, supervision by elected officials and courts) is applied.
/.
Re:Mirror (Score:2)
Re:How to really jam Echelon (Score:2)
Hmm, so to really hide from Echelon you'd have to maintain a constant background noise of plausible looking traffic to a wide variety of (random?) other sites. The "real" traffic would be hidden in the smog.
Of course, for privacy for the whole community it would be ideal if this random traffic was being generated from just about everywhere at the same time.
I guess the DDoS code could be a useful basis for this. Does anyone know if stacheldraht is Open Source?
Regards, Ralph.