Phoenix police raided the home of a blogger who has been highly critical of the department.
Jeff Pataky, who runs Bad Phoenix Cops, said the officers confiscated three computers, routers, modems, hard drives, memory cards and everything necessary to continue blogging.
They broke into my safe and took the backups of my backups,” he said in a phone interview with Photography is Not a Crime on Wednesday.
“I can’t even file my taxes because all my business plans are gone. They took everything.”
I'm posting this not to point out the U.S. government's violation of its Constitution (what else is new?), but two make two points:
- If someone took all your hardware, your backups, and the "backups of your backups," how much trouble would you be in? Is your critical data encrypted and stored offsite? Is disaster one flood, fire, or police raid away?
- Using some simple anonymity tools could prevent the raids in the first place. If you think you're immune because you're not criticizing the government, read this.
I would like to take advantage of the open platform and volunteer interest in Mises.org by offering some crypto services. For example, we could integrate secure messaging into the forum, offer a secure email service, host a Tor node, or some open-source projects. Recipes/source codes for everything we do will be provided on the site as well. What do you think?
Here is a basic sample service to get the conversation started: this secure messaging page allows you to send anonymous, encrypted messages that any recipient with a PGP/OpenPGP public key can read. If you want to try it out, my PGP key is here and can be send to webmaster@mises.org.
I have been evaluating different PGP applications trying to pick the best PGP desktop software. I use Gmail on both Windows and OS X, so I want something cross platform and free.
I've tried both the open source Gpg4win package for GnuPG and the commercial PGP Desktop. In my experience, the open-source applications I tried were too buggy, incomplete, and unfriendly to be worth it, especially to the non-technical user. By contrast, if you are willing to pay $99, PGP Desktop is much easier. For occasional use, the freeware mode (tutorial) of PGP Desktop works just fine. I did find a GnuPGP tutorial for OS X, but my experience with the Windows front-ends has discouraged me from trying it.
I also tried FireGPG, a Firefox extension that integrates with Gmail. FireGPG still requires GnuPG (and must be reinstalled if you don't install that first!) but it seems to be the simplest cross-platform PGP + Gmail solution. FireGPG works well enough, although the whole process may still be too difficult for the average user, and the buginess of the GnuPG suite let me to stick with PGP Desktop.
Until something radically easier comes along, I'm going to continue recommending the free or paid version of PGP Desktop for the average user.
Are you using encryption software for all your data and communications yet? If not, are you aware that the government may inspect and/or seize any digital device (phones, media players, laptops) without a search warrant or cause when you travel internationally, and search any digital device during routine traffic stops?
The Association of Corporate Travel Executives, which represents 2,500
business executives in the United States and abroad, said it has
tracked complaints from several members, including Udy, whose laptops
have been seized and their contents copied before usually being
returned days later, said Susan Gurley, executive director of ACTE.
I was assured that my laptop would be given back to me in 10 or 15 days," said Udy, who continues to fly into and out of the United States. She said the federal agent copied her log-on and password, and asked her to show him a recent document and how she gains access to Microsoft Word. She was asked to pull up her e-mail but could not because of lack of Internet access. With ACTE's help, she pressed for relief. More than a year later, Udy has received neither her laptop nor an explanation.
Think that virtual worlds like Second Life are a refuge? Think again:
U.S. intelligence officials are cautioning that popular Internet services that enable computer users to adopt cartoon-like personas in three-dimensional online spaces also are creating security vulnerabilities by opening novel ways for terrorists and criminals to move money, organize and conduct corporate espionage.
...
"Virtual environments provide many opportunities to exchange messages in the clear without drawing unnecessary attention," the IARPA paper said. "Additionally, there are many private channels that can be employed to exchange secret messages."
...
Officials from Linden Lab have initiated meetings with people in the intelligence community about virtual worlds. They try to stress that systems to monitor avatar activity and identify risky behavior are built into the technology, according to Ken Dreifach, Linden's deputy general counsel.
The government's message is clear: no thought or conversation in the digital realm is allowed to be private. Unless you believe that a private existance "lets the terrorists win," you'd better be using encryption software. (See the Links section to get started.)
TrueCrypt is an essential drive encryption application for Windows, Mac OS X, Linux users who want to encrypt real or virtual drive partitions. It's free, easy to use, and it even runs on Windows Vista 32/64 bit. The 5.0 release allows you to encrypt the boot drive partition in Windows, so if your server or laptop falls into the wrong hands, no data whatsoever can be gleamed from it.
An interesting feature of TrueCrypt is the “plausible deniability” option, which allows you to encrypt any number of hidden partitions in the empty space of an outer partition, so even if you are forced to reveal the outer partition, you can plausible deny the existence of inner partitions. Get it now!
How many of the 79 million personal records compromised in 2007 could have been avoided simply by installing this program?
After 9/11, the U.S. government didn't have much
trouble blasting away any expectation of privacy when conducting financial
transactions or traveling across the country. It's a little
harder to justify destroying fundamental freedoms when it comes to spying on
people's email and instant messaging conversations. What is the state to
do? If recent actions by the NSA and CIA are any indication, it is to
invent ridiculous threats about the danger that "hackers" pose to us
all.
First, Michael McConnell, Director
of National Intelligence of the United States claimed that "the U.S.
government should have unfettered and warrantless access to U.S. citizens'
Google search histories, private e-mails and file transfers" in the
January 21st edition of the New Yorker.
One of his claims is that cyber
crime costs $100 billion per year. This number was made
up by Valerie McNevin, who happened to have once served as an advisor to the
U.S. Treasury department. Wired reports that "within two hops, CNN
was reporting the $105 billion as an official Treasury Department estimate of
global cyber crime profits." Before long, the number was used by
Information Week, Slashdot, Reuters, reputable security firms such as
McAfee - and the Director of the NSA.
The second preposterous claim is
that "a massive cyber-attack on a single U.S. bank would be worse for the
economy than the deadly terrorist attacks of September 11." It takes
a computer security specialist to appreciate the sheer ignorance of that
claim. The head of the NSA is surely familiar with highly secure
computing environments. Just like the government, banks employ data
centers that are both physically and cryptographically isolated - you have to
physically break into the bank's data center before you can even think about
causing havoc in a large scale. The website you use to access your bank
account is far removed from the servers that actually hold your account information.
It's easy to steal bank account information, and maybe even take away your
online account access for a day. But that is hardly a "911"
type of event. Without physical access to the data centers, hackers
cannot erase traces of their work, so the transactions can be easily reversed.
It's hard to withdraw $100 billion of cash from a bank in a day.
Regardless, McConnel believes that a
recent federal ruling which decided that "any telephone transmission or
e-mail that incidentally flowed into U.S. computer systems was potentially
subject to judicial oversight" has reduced the "capacity of the NSA
to monitor foreign-based communications ... by seventy per cent." No
worries, because the Protect America Act passed this summer, and allows
"Gmail's servers and AT&T's switches [to be] de facto
arms of the surveillance industrial complex without any court
oversight."
This latest attack on American's
privacy is just the latest act for McConnell - he was one of the main backers of
the Clipper Chip, a plan to force an NSA backdoor into encryption
product. More recently, the NSA has attempted to sneak in a backdoor into
encryption by creating
flawed security standards.
In case you still have any delusions
that this attack on American's privacy has anything to do with terrorism, the
testimony of Qest CEO Joseph Nacchio makes clear that the NSA was out to spy on
Americans at least
seven months before September 11, 2001.
Michael Tanji, an ex-spook who
spent 20 years in the intelligence community observes that
monitoring all traffic is basically an admission that the government has no
effective means of detecting or stopping legitimate threats, cyber or otherwise:
It's bad enough that the Director of
National Intelligence is trotting out a bogus
threat so the
government can snoop on all Internet traffic. What's worse is that
this kind of mass surveillance is a pretty lame way to catch the honest-to-God
bad guys.
Of more interest to observers of
intelligence activities is the issue of quality vs. quantity and the slow creep
towards doom that these efforts foretell. The fact that we are essentially
attempting to gill-net bad guys is a fairly strong indicator that the
intelligence community has yet to come up with an effective strategy against
information-age threats.
The NSA is not alone in scaremongering
Americans. The CIA claims that hackers "turned
out the lights in multiple [foreign] cities after breaking into electrical
utilities and demanding extortion payments before disrupting the power." Of course, no details on where or when the
outages occurred were provided, so it's hard to evaluate this claim. I wonder whether some power utilities
around the globe are really dumb enough to connect critical components to the
public Internet, or whether the "hackers" simply broke into the facilities and
flipped a switch.
The Dept of Homeland Security wants a
piece of the horror-fest action too: it "produced
a video showing commands quietly triggered by simulated hackers having such a
violent reaction that an enormous generator shudders as it flies apart and
belches black-and-white smoke." "Simulated"
hackers?
Some people might look at the relentless attack by governments on privacy and personal liberty and ascribe it to some kind of
enormous, sinister plot. Yet reality is
much more ordinary and mundane. Countless
nameless bureaucrats are just doing what they always do -- fighting for power
and influence using the only currency they have - the public's money and liberty.
We all have information we want to keep private. If you look at the links on the left of this blog, you will
notice a growing list of tools which can help. I would like to collect resources and write a
number of tutorials on the technical and social steps you need to take to secure
your data with minimal technological experience.
So, what would you like to know first? Secure instant messaging? Private email? Keeping the data on your hard drive from private
eyes? Anonymous publishing on the web? Steganography? Anonymous web surfing? Anonymous digital currency?
Are you knowledgeable on any of these subjects? Please consider writing a tutorial or
contributing links.
Adam Liptak reveals the digital privacy we can expect from the state:
While "one lonely voice" argued that
“Electronic storage devices function as an extension of our own memory...They are capable of storing our thoughts, ranging from the most whimsical to the most profound.”
The consensus seems to be that
"a computer is just a container and deserves no special protection from searches at the border."
The implications are quite ominous, according to the EFF:
“Under the government’s reasoning,” the brief said, “border authorities could systematically collect all of the information contained on every laptop computer, BlackBerry and other electronic device carried across our national borders by every traveler, American or foreign.”
The question of whether you can be punished for refusing to reveal a encryption key is far from being settled, yet several lessons are clear:
One is that the border [and your car/person/digital communications] seems be a privacy-free zone. A second is that encryption programs work.
Good news for Americans:
U.S.
Magistrate Judge Jerome Niedermeier
ruled that a man charged
with transporting child pornography on his laptop across the Canadian border
has a Fifth Amendment right not to turn over the passphrase to prosecutors. The
Fifth Amendment protects the right to avoid self-incrimination.
If this becomes a precedent, it will
be distinctly different from European countries such as the U.K, where a new
law provides for up to
two years of jail time simply for refusing to reveal a key.
As people's digital storage
increasingly becomes an integrated part of their identity, the right to keep
certain data private will become increasingly important. The right to
keep encryption keys private will increasingly mean the freedom to keep certain
thoughts private, whether they are stored in wetware or digital form.
More: Crypto and Self-Incrimination
FAQ
Various tech bloggers
are
reporting that Microsoft
will
include the NSA-recommended random algorithm suspected of
containing
a backdoor vulnerability in the upcoming Windows Vista service pack.
According to Microsoft, the "Dual Elliptical Curve (Dual EC) PRNG from SP
800-90 is also available for customers who prefer to use it," so this
algorithm is an option, not the default. Why would Microsoft
intentionally include an inefficient and unsecure algorithm? Very likely, because it will eventually be
required in governments contracts.
It is hard to blame Microsoft for not wanting to lose government contracts,
or to alienate customers who depend on them.
The real danger is the (inevitable?) attempts by the state to force this
algorithm on everyone else, including requirements that make it mandatory for
government contracts, and thus attempt to influence the default configuration
by virtue of the state's dominant market share.
Because the government is a major consumer of crypto
products, government entities create or approve most of the encryption
standards used in the industry. One of
the key ingredients of crypto technology are random number generators. Getting random numbers from a computer is a
very tricky problem, so the U.S.
government actually publishes random number algorithms created by computer
scientists and government agencies. This
year, the government produced a new standard, which may soon be integrated into
crypto software worldwide. Three of the
four algorithms in the standard are based on industry standards, but one comes
from the National Security Agency. The
NSA's algorithm is more complex and slower than the others, so many people
wondered why the NSA pushed to have it included.
In a recent CRYPTO 2007 conference, some computer scientists
discovered that the algorithm has a possible backdoor key, which allows the
numbers it generates to be predicted.
While we don't know whether the NSA has the key, we can be sure that either
it has the key or it released a dangerously broken standard. (Now that the vulnerability is known, vendors
are unlikely to use it, so the NSA wouldn't have knowingly released a faulty
standard unless it had the key.)
A paranoid person might wonder if having failed to force broken
crypto on us at the hardware level, the government has some kind of nefarious
plan to sneak one in. Simply requiring
that the standard be used by government contractors might be sufficient to get
it adopted by the industry due to its market share. People take much more care in selecting and
testing encryption algorithms than random number generators.
Reassuring answers on this issue are not likely to be forthcoming,
so here are some rules of thumb:
- Real security requires evaluating the whole process, not
just a good encryption algorithm.
- Don't trust a security solution just because it is widely used or
government approved.
- Don't trust a security solution that is isn't open to peer
review.
Welcome to crypto-autonomy.
The purpose of this blog is to discuss the movement commonly known as
"crypto-anarchism," including both theoretical and practical
considerations. I would like to make
this a collaborative blog, so contributions and comments are welcome. With that out of the way, let's talk crypto:
The information age is a harbinger of a social paradigm
shift
Human civilization is currently in the midst of a paradigm
shift, a change in the basic assumptions of the way our society works. This change will be at least as important as
the invention if the printing press and perhaps much more so. The enabling tool behind the transformation
is information technology. More broadly,
it is the automation of intelligence into non-biological automatons. The true meaning and possibility of the
"information age" is only grasped by a few of the most far-reaching of
technologists and futurists. The changes
made possible by the electronic age will transform society in fundamental ways,
and question the very basic premises of government, commerce, intellectual
property, and individual autonomy and identity.
The threat and promise of the information age
Information technology is a tool, and like any tool, it may
be used for good or evil. It brings the possibility
of universal connectedness, privacy, and surveillance. This is both a promise and a threat: we may
finally be free of the threat of an omnipotent State, or we may become victims
of total surveillance and control. Once
a staple of dystopian novels and films, the threat of ever-present electronic
surveillance by the state is no longer just a staple of science fiction - not
with the existence of Carnivore, Echelon, and millions of surveillance cameras. Current surveillance programs are very crude
analogs of the intelligent content analysis that will be possible with further
evolution of technology. Just as banking
companies use artificial intelligence to discover fraudulent transactions in
your credit card record, digital agents will soon be able to sift through audio
and video recordings, purchases, bank records, and electronic communications to
determine the meaning of conversations, build complete profiles on individuals,
and uncover anomalous or suspicious behavior.
Unchecked, such unprecedented control over our lives will turn
individuals into cogs in the machinery of the State, and lead to social and
economic disaster.
The power of the individual
Despite the risk, there are two substantial advantages
enjoyed by individuals over states.
First, free and open societies are inherently more prosperous than
interventionist ones, and total control is likely to lead to total social
collapse in short order. (Though that
would not be very comforting knowledge to those in the midst of the
collapse.) Second, the same technologies
that make ubiquitous surveillance possible also allow ubiquitous secrecy. Individuals finally have the power to keep
their communications private and virtually undecipherable by even the most powerful
computers. As an increasing share of the
values being traded by our civilization takes the form of digital information,
the possibility of maintaining a private life will exist even when physical
freedoms are restricted. With technologies
such as 3D printers and virtual reality, even material values will become
information goods. The
potential will exist for large-scale organization and trade of information
goods beyond the reach of the state. These developments will
make it both more difficult and more tempting for states to restrict trade and
interaction between individuals. As
distant as such a scenario might seem today, present action is necessary to
create and distribute the enabling crypto-technologies, so that when the state awakens
to its full potential, crypto-technology will be too integrated into the social
framework to eradicate.
Substantially legitimate usage is crucial
The key to the success of crypto technology is to make it
ubiquitous. If people only use crypto
when they have something to hide, the use of encryption and anonymity will automatically
be suspicious. However, if everyone uses
crypto because it is automatic and transparent, then not only will forbidden
behavior be easier to hide, but there will be a public outcry at the
(inevitable) attempts to ban crypto and end privacy. This is why it is essential to communicate
the threat of the surveillance state and the promise of practical application
of crypto. It is also important that
programmers make easy-to-use crypto tools and make it the default (or at least
an option) for all electronic communications and transaction. These considerations are my motivation for writing
this.
Why crypto-autonomy?
I prefer the term "crypto-autonomy" to "crypto-anarchism"
because it is more accurate. "Anarchy"
refers to the absence of a government, or alternatively to a lack of any authority. Cipherspace does not require any particular
political system, and it is not opposed to (naturally arising) rules and
authority. Existing communities in
cyberspace have organizational structures which are both democratic and
dictatorial. They key is the freedom of
individuals in cipherspace is, to quote Ludwig von Mises,
"that the individual is in a position to choose the way in which he wants to
integrate himself into the totality of society."
Further posts to this blog will elaborate on the following concepts
and enabling technologies of crypto-autonomy:
Essential concepts of crypto-autonomy
- Privacy: privacy is
the ability of individuals to control information about them, or created by
them.
- Anonymity: is the ability to conceal information that
connects our actions and statements to our material identities. Complete anonymity is impossible, so anonymity
is always relative to the current monitoring technology.
- Plausible deniability:
the ability to conceal the use of crypto, or to connect crypto to a
particular individual. In situations
where even the use of cryptographic technology may be dangerous, steganography
allows information to be encoded in commonplace media such as images. Also, encrypted messages may be hidden inside
an encrypted envelope so that the existence of the information can be plausibly
denied even if forced to reveal the outer message.
- Trust: despite the lack of material identities, reputation
and accountability are essential to any community.
- Cipherspace: a domain in cyberspace where ubiquitous
encryption ensures the anonymity of all participants. For example, Tor.
- Public key infrastructure: an arrangement that allows users
to security identify each other and send encrypted messages by means of a
trusted authority.
- Digital currency: a representation of value that may be tied
to a commodity such as gold, or tradeable for a real-world currency.
Crypto-autonomy and Austrian Economics
The crypto-anarchist movement has been strongly influenced
by free-market thinkers. That's not
surprising - the ciphersphere is in a way, the ultimate market. It is neither the "perfect
competition" model of the neo-classical economists, nor a non-material
realm, but a place where all institutions evolve organically, and coercive
monopolies are very difficult to maintain.