-Caveat Lector-

07.24.01

The Walls Have Ears

http://www.sierratimes.com/archive/files/jul/24/arex072401.htm

A Sierra Times Exclusive by Emily X

When Phil Zimmermann published PGP, "Pretty Good Privacy",
ten years ago, Internet users were numbered in the hundreds
of thousands, the World Wide Web was a glimmer in Tim
Berners-Lee's eye, and the term "spam" had not yet been
invented.

But surveillance of the internet, as well as most other forms of electronic
communication, was already well established in 1991.  Echelon, the result of
a joint agreement between the US, Great Britain, New Zealand, Australia, and
Canada, had already been in operation for at least ten years.  It was a sweet
deal: US government agencies were not permitted to do wholesale surveillance
on their own citizens' communications, and governments of other "free"
countries often had similar prohibitions.  The answer: spy on each other's
citizens, not one's own, then trade the information.

As the Internet has been growing, so has the scale of the surveillance.
It's common knowledge among some employees of AT&T (the initial provider of
all communications lines in the US, and many overseas lines) as well as the
Baby Bells that there is wholesale interception and scanning of internet
traffic going through the major nodes in the US.

One of the nodes, known as MAE-WEST, is located in California's San
Francisco Bay Area.  It's a prime location for listening, as one telephone
company employee explained: "One third of all of the Internet traffic in the
world goes through California." It makes sense, when one stops to think
about it.  A large number of the dot-coms and computer industry companies
are located in California.

One of the other major nodes, MAE-EAST, is conveniently located in northern
Virginia, close to AOL's headquarters and not far from NSA headquarters at
Fort Meade, Maryland.  Like MAE-WEST, a huge amount of traffic goes through
this node.

So how much is intercepted?  Nobody knows for sure, but various sources
within the communications and cryptography communities believe that it's
between 20 and 60% of all traffic.  That's a lot of traffic.

What's to fear?  Twenty to sixty percent of all traffic is far too much for
an army of humans to check.  The solution is to use computers to scan the
traffic, looking for anything that might warrant further (human) attention.
Advances in natural language recognition, coupled with massive amounts of
processing power concentrated in "farms", mean that it's ever more possible
to pull out just the kinds of communication that are of interest for review
by a human.  It makes for great surveillance efficiency, but it's lousy for
personal privacy.

As if that weren't bad enough, the FBI, apparently miffed that the NSA and
the Echelon partners weren't sharing enough data with it, has come up with
its own "sniffing" system.  Originally named Carnivore (and since renamed to
the innocuous DCS1000), Carnivore looks not only at all packets going to and
from a particular user, but at tens or hundreds of thousands of other users'
packets as well: it has to examine every packet on the link in order to
decide which ones to keep.

The FBI tried to get reputable computer scientists to verify that Carnivore
did not promiscuously spy on all data going in and out of a server used by
one particular person.  They had to dig pretty deep to find a relatively
obscure group to do so.

The group reported that the version of Carnivore that they examined did work
as the FBI claimed, and that it threw away packets of all users who were not
under surveillance.

But, they noted, "While the system was designed to, and can, perform
fine-tuned searches, it is also capable of broad sweeps.  Incorrectly
configured, Carnivore can record any traffic it monitors. ... While
operational procedures or practices appear sound, Carnivore does not provide
protections, especially audit functions, commensurate with the level of the
risks."

As if Echelon and Carnivore weren't bad enough, a number of European
governments (many of which loudly protested Echelon spying on their
traffic) are now laying the groundwork to implement their own Internet
surveillance systems.
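The reviewers' two complaints, broad sweeps from a mis-configured selector and
the lack of audit functions, are easy to see in a toy filter.  The Python
below is an added example written for this page; it is not Carnivore/DCS1000
code and not anything the FBI or the reviewers published.  The packets,
addresses and the naive_collect / collect functions are all constructed for
illustration, and "10.0.0.5" stands in for the one address a hypothetical
court order covers.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured packet: just the fields a selector needs (constructed)."""
    src: str
    dst: str
    proto: str
    payload: bytes


# Constructed sample traffic as seen at a hypothetical ISP tap.  Only
# 10.0.0.5 is the subject of the (hypothetical) order; the rest is other
# customers' traffic that the filter must look at but must not keep.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "198.51.100.20", "smtp", b"MAIL FROM:<subject@example.net>"),
    Packet("203.0.113.9", "10.0.0.7", "http", b"GET / HTTP/1.0"),
    Packet("198.51.100.20", "10.0.0.5", "smtp", b"250 OK"),
    Packet("10.0.0.8", "203.0.113.44", "http", b"GET /news HTTP/1.0"),
]


def naive_collect(packets, targets):
    """The weak version.  An empty selector list is read as "no constraint",
    so a mis-configured deployment silently records every packet on the
    link, and nothing records how many non-target packets were seen."""
    return [p for p in packets
            if not targets or p.src in targets or p.dst in targets]


def collect(packets, targets):
    """The hardened version.  Keep only packets to or from an address in
    `targets`; refuse to run with an empty selector; and return an audit
    count of kept vs. discarded packets so an overseer can verify that
    non-target traffic really was thrown away.

    Returns (kept_packets, audit) where audit is {"kept": n, "discarded": m}.
    """
    if not targets:
        raise ValueError("empty selector would capture all traffic; refusing")
    targets = frozenset(targets)
    audit = Counter()
    kept = []
    for p in packets:
        if p.src in targets or p.dst in targets:
            kept.append(p)
            audit["kept"] += 1
        else:
            # The packet had to be inspected to make this decision, which is
            # why a filter "sees" far more than it keeps; the audit counter
            # is the only trace that it was discarded rather than recorded.
            audit["discarded"] += 1
    return kept, dict(audit)


def rejects_empty_selector(packets):
    """True if `collect` refuses an empty selector instead of sweeping."""
    try:
        collect(packets, [])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kept, audit = collect(SAMPLE_PACKETS, ["10.0.0.5"])
    print("kept", len(kept), "audit", audit)  # kept 2 audit {'kept': 2, 'discarded': 2}
    print("naive, empty selector:", len(naive_collect(SAMPLE_PACKETS, [])))  # 4
```

The counters are the point: the reviewers accepted that the filter discarded
non-target packets, but a filter that merely discards leaves no record for
anyone else to check, whereas a kept/discarded tally (and a refusal to run
with no selector at all) is the minimum an overseer can verify after the fact.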

Security Through Mathematics

The Carnivore reviewers pointed out that one of
the limitations of Carnivore was that it "can be countered with simple,
public-domain encryption." But what they see as a limitation, privacy and
free-speech advocates see as a control on government capability to snoop on
every facet of electronic communication.

First, some basics.  A good encryption program has the following
characteristics:

1. It is controlled by the person using the program.  It resides on that
person's computer, not a server, and does not depend on any other person or
entity to concur in its operation.  Thus, services like Zixmail are
undesirable because encryption takes place on the Zixmail server, making it
a fat target.  On the other hand, a service like Hushmail downloads a Java
applet to the browser so that all encryption takes place on the user's
computer.  (Even so, the applet itself is fetched from Hushmail's server on
every visit, so the user is still trusting that server to deliver an
unmodified applet each time; a program installed once on one's own machine
has no such dependency.)

2. It uses algorithms that are well-known and heavily tested in the
cryptography community.  Some of the best-tested (and strongest) algorithms
are 3DES, RSA, Diffie-Hellman, RC5 (128 bit), CAST, IDEA, Blowfish, and
soon, Rijndael.

3. The author of the program is willing to publish the source code so that
it can be examined for leaks, errors, and back doors.  It's always a bad
idea to trust one's privacy to a program whose authors say "Trust us."

There are actually quite a number of different programs that fulfill these
requirements.

PGP is simply the most used and by far the best-tested of the lot.  Unless
the prospective encryption user has the capability to evaluate other
products (a rare talent, indeed), it's best to stick with PGP.

PGP is available for free at the International PGP web site.  In various
versions, it's available for the Amiga, Atari, BeOS, EPOC (Psion etc.),
MacOS, MS-DOS, Newton, OS/2, PalmOS, Unix and its variants, Windows 2000,
Windows 3.x, Windows 95/98/NT, and Windows ME.  Also at the International
PGP web site, there are numerous manuals, how-to guides, and even mailing
lists to learn how to install and fully use the program.

The next question that never fails to come up is: "How secure is PGP
anyway?" Sometimes this is followed by "I heard that 'they' can break it."

To answer that will require a little arithmetic.  At the center of its
encryption algorithms, PGP uses a technique known as "128-bit symmetric
encryption."  (The message itself is encrypted with a 128-bit symmetric key;
the public-key algorithms such as RSA or Diffie-Hellman are used only to
deliver that key to the recipient.)  Breaking a PGP message by trying out
all possible keys means searching a space of 2^128 keys, so on average about
half of them, 2^127, or
170,141,183,460,469,231,731,687,303,715,884,105,728 tries, will be needed.
Let's assume that one's opponent has all the computing power that money can
buy and all the time in the world to crack the message.  Even at a trillion
(10^12) key trials per second, a generous figure by today's standards, it'll
take over five quintillion years to crack that message.
(Emphasis mine.  Editor)

Barring some miracle in factoring (which would weaken the RSA public-key
layer that many PGP keys use to deliver the session key, not the 128-bit
symmetric cipher itself), most cryptography experts don't believe that the
algorithms contained in PGP can realistically be broken.  The fact that a
single individual can control the privacy of his communications against a
much larger opponent is referred to as "Security through Mathematics."
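The arithmetic above can be carried through for any key length, which shows
why the 56-bit key of plain DES is a different matter from a 128-bit one.
This Python is an added example for this page, not code from PGP or from the
article; its one assumption is the attacker's rate of a trillion (10^12) key
trials per second, which is the rate that reproduces the article's "five
quintillion years".  The function names are the example's own.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_tries(bits):
    """Average trials for exhaustive search of a `bits`-bit key: the key is
    found, on average, halfway through the 2**bits key space."""
    return 2 ** (bits - 1)


def years_to_break(bits, keys_per_second=1e12):
    """Expected years to brute-force a `bits`-bit symmetric key at the given
    trial rate (assumed default: 10**12 per second, a generous 2001 figure)."""
    return expected_tries(bits) / keys_per_second / SECONDS_PER_YEAR


def doublings_needed(bits, keys_per_second=1e12, target_years=1.0):
    """How many times the attacker's rate must double before the search
    finishes within `target_years`.  At one doubling every 18 months or so,
    this is the usual way to ask how long a key length stays safe."""
    years = years_to_break(bits, keys_per_second)
    if years <= target_years:
        return 0
    return math.ceil(math.log2(years / target_years))


def work_factor_table(bit_sizes=(40, 56, 64, 80, 128, 256), keys_per_second=1e12):
    """Return [(bits, years, doublings)] for each key size at the given rate."""
    return [(b, years_to_break(b, keys_per_second),
             doublings_needed(b, keys_per_second)) for b in bit_sizes]


if __name__ == "__main__":
    for bits, years, doublings in work_factor_table():
        print(f"{bits:4d}-bit key: {years:10.3e} years, "
              f"{doublings:3d} rate doublings to bring under one year")
```

At the assumed rate a 56-bit DES key falls in about ten hours, a 128-bit key
takes about 5.4 quintillion years, and the attacker's hardware would have to
double in speed some 63 times before the 128-bit search fit inside a year;
that margin, not the raw number of tries, is what "Security through
Mathematics" rests on.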

Wise Use

PGP can put a lot of power back into the hands of an
individual, but it cannot save the stupid from themselves.  If, for
instance, a person writes down their "secret" passphrase on a yellow sticky
note and attaches it to a computer monitor, PGP isn't going to provide much
protection.

There are a number of common-sense measures that anyone can and should take;
they are listed in the resources below.

It's a good idea to learn to use PGP before it's really needed.  This means
getting other people to use PGP for even the most casual of communication.
Encrypt jokes and recipes with it.  Get in the habit of using it, so that
when it's necessary to protect such weighty communications as business
information or political speech, it has become second nature.

As always, it's best to remember Benjamin Franklin's maxim: "Three people
can keep a secret, if two of them are dead." While PGP can protect one's
communications in transit from surveillance, it cannot guarantee that the
recipient is trustworthy and will keep the message a secret.  If unsure
about somebody's reliability, keep quiet!

Resources

PGP is available from the International PGP web site.

Before setting up PGP, reading the PGP Passphrase FAQ is a very good idea.

The definitive book on Echelon is Secret Power by Nicky Hager.  This book is
very hard to find in the US, but is available from its New Zealand
publisher, Craig Potton.

An excellent array of information on both Echelon and Carnivore is at
Cryptome.  This is probably the best resource in the world for factual
information on surveillance activities.

www.ctrl.org
DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic
screeds are unwelcomed. Substance, not soap-boxing, please!  These are
sordid matters and 'conspiracy theory', with its many half-truths,
misdirections and outright frauds, is used politically by different groups
with major and minor effects spread throughout the spectrum of time and
thought.  That being said, CTRL gives no endorsement to the validity of
posts, and always suggests to readers: be wary of what you read. CTRL gives
no credence to Holocaust denial and Nazis need not apply.

Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://peach.ease.lsoft.com/archives/ctrl.html

Om
