The Deeper Meaning Of Miranda's Detention And The Destruction Of The Guardian's Hard Drives
from the deny-and-disrupt dept
As many have already observed, the detention of David Miranda comes across as an act of blatant intimidation, as does the farcical destruction of the Guardian’s hard drives. But something doesn’t ring true about these episodes: spooks may be cynical and ruthless, but they are not generally clueless idiots.
They would have guessed that Miranda would not possess the keys for any encrypted files that he was carrying, so seizing his equipment simply left them with a bunch of ones and zeroes that they were unable to read (unless strong encryption has been broken and we don’t yet know about it). Equally, they would have assumed that the Guardian had made backups of its files on the hard drives, so destroying them was literally quite pointless. What’s really going on here? A brilliant post by author Barry Eisler, who used to work for the CIA, offers perhaps the most plausible explanation so far:
The purpose was to demonstrate to journalists that what they thought was a secure secondary means of communication — a courier, possibly to ferry encrypted thumb drives from one air-gapped computer to another — can be compromised, and thereby to make the journalists’ efforts harder and slower.
The same is true for the destruction of the Guardian’s hard drives:
The point was to make the Guardian spend time and energy developing suboptimal backup options — that is, to make journalism harder, slower, and less secure.
What is particularly chilling, as Eisler notes, is that this technique is not new:
Does this sort of “deny and disrupt” campaign sound familiar? It should: you’ve seen it before, deployed against terror networks. That’s because part of the value in targeting the electronic communications of actual terrorists is that the terrorists are forced to use far slower means of plotting. The NSA has learned this lesson well, and is now applying it to journalists. I suppose it’s fitting that Miranda was held pursuant to a law that is ostensibly limited to anti-terror efforts. The National Surveillance State understands that what works for one can be usefully directed against the other. In fact, it’s not clear the National Surveillance State even recognizes a meaningful difference.
The US and UK governments’ equating of journalism and whistleblowing with terrorism is becoming clearer by the day.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: barry eisler, david miranda, detention, journalism
Comments on “The Deeper Meaning Of Miranda's Detention And The Destruction Of The Guardian's Hard Drives”
The best way around both.
Take your information and throw a big encrypted wrapper on it (truecrypt volume) and upload it to usenet. from there, any person in any country could download the file, but only those who hold the keys can unlock the file.
Not only that, but usenet would serve as a free online backup for the file, and you could download it later. This is easier than a cyberlocker, and it would be held for three years plus on the servers, effectively for free.
Your only problem would be DMCA complaints against the file, taking it off the servers faster than you can say “Peter Piper picked a peck of pickled peppers.”
(Just thought of this: Ideally put three wrappers on the files, just to hamper cracking efforts.)
Re: The best way around both.
I think an encrypted torrent would be a better idea, long as someones uploading and the dht network is working it’ll always be downloadable.
Re: The best way around both.
Two other things you should also do:
Don’t just upload sensitive files, also upload things like core dumps and the complete works of Shakespeare. All massively encrypted like the actual files you want to transfer. Don’t just keep them guessing, keep them BUSY.
Upload things that they don’t WANT to decrypt — things that they’re not supposed to know (courtesy of Wikileaks, for example) and disgusting image files (clown or midget porn, anyone?).
Naturally, use different keys, encryption algorithms and all for each file, and perhaps make the ugly stuff easier to open, heh.
Can you imagine the horror of them seizing a computer, discovering it contains 50,000+ encrypted files…and 99.99% of them are things they will wish they could un-see?
Re: The best way around both.
Simpler but messy on the backend solution 1 condom, 1 micro SD card, swallow.
Re: The best way around both.
disagree, the ‘best’ method, is simply to expose ALL OF IT, totally unredacted…
THEN what are the spooks going to do ? ? ?
I REFUSE to believe the bullshit that these revelations would endanger untold _____(dozens ? hundreds ? thousands ?) of spooks, spook-lites, and spook informants/etc who are doing dirty works…
GOOD, expose them all, run the evil pukes out of town, and/or some/all get killed ? cry me a fucking river, THEY are RESPONSIBLE -directly and indirectly- for the deaths OF MILLIONS, and i’m supposed to be contrite because BAD GUYS (so what they are ‘our’ bad guys?) get -probably RIGHTEOUSLY- killed for doing their dirty deeds in the dark ? ? ?
no, golden rule them: THEIR mantra is ‘kill’em all, let dog sort’em out…’ okay, assholes, we’ll do the same to you, then, how is that shoe pinching on the other foot, evil spook slime ? ? ?
i’m sick of the whole mess, they DESERVE whatever bad karma comes there way; it is not OUR job to protect secret spooks doing evil…
art guerrilla
aka ann archy
eof
Re: Re: The best way around both.
Actually, rather than intimidation as many people think, I believe that THIS is exactly what they are hoping for. Look at it this way, as Tim pointed out in another piece, the current cycle works as such.
1. Leak reveals evidence of NSA overreach or wrongdoing.
2. NSA issues statement explaining how leak is being misinterpreted or is an aberration.
3.NSA attends hearings and issues statements declaring it doesn’t abuse its power. (Frequently qualified with “not under this program.”)
4. New leak reveals evidence of NSA overreach or wrongdoing, proving NSA’s most recent statements were pretty much “incomplete lies” or “least untruthful” answers.
5. Repeat.
This not only gives people time to process the information, but it also helps keep the story in the news cycle.
If you just data dump everything, the press, in an effort to one up each other will flood the media with more information than people can easily process, and try to post the most egregious violations, leaving perhaps less damning but otherwise important information overlooked.
Our Short Attention Span Theater stricken society will be momentary outraged by revelations they don’t totally comprehend (due to the massive amount of data involved), and rather than taking the time themselves to comprehend it properly (unless it is spoon fed to them) it will be quickly forgotten the minute the next “Miley Cyrus” outrage comes along.
Re: The best way around both.
Let’s keep in mind that the NSA is trying to keep this information secret. Perhaps the best way to fight them is just to publish everything, unredacted.
Re: Re: The best way around both.
And if you get found out it is a minimum of 35 years in prison. I think it is pretty clear how it would end. If you want any kind of security you better hold something back as a bargaining chip.
“…unless strong encryption has been broken and we don’t yet know about it”
Yes, the encryption cipher was probably strong, but that doesn’t mean the user password was equally strong. A Cryptologists will always attempt to break a password first, instead of the encryption cipher’s mathematical algorithm itself.
For example, most ciphers are 128-256bits in strength. If a user chooses a password that is 16 characters in length, then the password only has around 16bits of strength.
2^16 = 65536 possible password combinations to break the password. The NSA can probably chew through thousands of password attempts per second. Probably much, much more attempts per second, unless key stretching is used. Such as bcrypt, scrypt or pbkdf. In order to slow down password guessing attempts using multiple hashing rounds on the password.
The fact Greenwald and Poitras seem to be using the sneaker net (transportation of information using tennis shoes), this leads me to believe they were worried about their cryptographic capabilities.
Thus, I’m forced to assume there’s a high probability their password lengths were far shorter than 128-256 characters long. Not to mention a fully random password with that is impossible to remember. Otherwise the password will be low on entropy (randomness).
I hope I’m wrong about all these assumptions. I really do.
As to why the UK and US Governments detained Miranda and stole his digital devices. I believe it has less to do with intimidation, and more to do with the UK and US Governments wanting to know what documents Snowden downloaded.
It’s already been stated multiple times the the US Gov. has no idea what documents Snowden, and the media, are in possession of. The US Gov. is finding it very difficult to lie to the American people about the NSA’s unconstitutional spying capabilities.
The moment they make a false statement in public, a new leak comes out contradicting the lie they just made. That has to be embarrassing.
The US Gov. wants to know what those documents are, and they probably figured Greenwald and Poitras’ cryptographic skills were weak enough that they’d have a shot at breaking their weak passwords to see what documents they’re up against.
Like I said, I hope I’m wrong about all this. All the circumstantial information seems to be pointing towards this though.
As for the UK Gov. destroying the Guardian’s hard drives. That was indeed meant to intimidate media organizations. There’s no other explanation for that barbaric move.
Re: Re:
You have you maths seriously wrong!
A bit is either a 1 or a 0 – a password has all the letters of the alphabet in upper and lower case, numbers and symbols available.
See here – http://www.lockdown.co.uk/?pg=combi
Re: Re: Re:
Yeah, that’s some seriously bad math on his part.
Re: Re: Re: Re:
Unless he’s referring to the common metric of roughly one bit of entropy per character of English text …
Re: Re:
Assuming you can use any of the printable ASCII characters (i.e., not the initial 32 control characters or DEL, but including space), a perfectly random 16-character password has 95^16 combinations (> 2^105, < 2^106).
So it is quite a bit weaker than a 128-bit key, but not by as much as you suggest.
Re: Re:
Ignoring that you’re confusing a character (byte) with a bit, I would seriously hope that the decryption key wasn’t a password at all. Do people still use those for encryption? If so, they need to stop it.
Re: Re:
Why would anyone in their right mind use a password at all? Use a blob of random data as big as the data you want to encrypt as the key, send it separately, and destroy it after that one use.
An infographic demonstrating how to calculate password strength.
https://xkcd.com/936/
Re: Re:
for everything in life, there is an xkcd
Poitras is supposed to be pretty adroit at security
Bruce Schneier comments someplace that Greenwald was pretty naive about security, but that Laura Poitras was quite competent. The package in question was heading from P to G, so I expect the crypto was good.
Which suggests that the crypto was not broken, and when the UK govt described to the court the GCHQ documents Miranda was allegedly carrying, they might have been lying. Presumably to FUD G&P, but judges don’t usually like liars.
Re: Poitras is supposed to be pretty adroit at security
There are a couple of comments from Greenwald today under his latest blog piece for the Guardian, discussing court filings made by the UK Government yesterday:
— so the anon @ 6:06am may indeed have been right, when he wrote that “The package in question was heading from P to G, so I expect the crypto was good. Which suggests that the crypto was not broken, and when the UK govt described to the court the GCHQ documents Miranda was allegedly carrying, they might have been lying. Presumably to FUD G&P, but judges don’t usually like liars.”
On the other hand, for tinfoil hat brigade, maybe it is now that the UK Govt is dissembling, to downplay its proficiency at decryption…
It will be interesting to see what the judges make of it.
Re: Poitras is supposed to be pretty adroit at security
Presumably to FUD G&P, but judges don’t usually like liars.
Except the ones on the FISC.
95^16?
not knowing what number that gave (how many zeroes?) i put it into google and that said: 4.4012667e+31
Which is slightly worse. so i put 4.4012667e+31 into google and even google couldn’t answer that.
I am hoping its ‘a really big number that GCHQ cryptographers will have a problem with’.
Re: 95^16?
44,012,667,000,000,000,000,000,000,000,000, or 44,012,667 trillion trillion, or a bit over 44 nonillion.
Re: Re: 95^16?
44,012,666,865,176,569,775,543,212,890,625 to be precise! (At least according to the calculator built into Windows)
Re: 95^16?
don’t bother hurting your brain thinking about cryptography when you can’t even grasp fundamental concepts of how to use a calculator. hint: the 31 denotes how many times you move the decimal to the right in 4.4012667
also, if you weren’t aware, google can be used for more than finding horse porn: http://www.google.com/search?q=what+does+e%2Bnumber+mean+on+calculator
sorry if i come off as an a-hole here, but i have no patience for people actively trying to remain ignorant when the worlds largest repository of information is literally at their fingertips.
Re: Re: 95^16?
Did you miss the part where he entered the numbers into Google?
And why would he search for “what does e+number mean on calculator“, when he wasn’t using a calculator?
A more logical search would be simply “what does e+number mean”, which, when I try it, returns a description of the European Union’s system of codes for food additives.
The guy (or girl — apologies for assumption about sex) did try “the worlds largest repository of information” as far as he could; and when he got stuck and turned to the community for help, you were a jerk to him.
Way to spread enlightenment, dude.
Suboptimal backup options?
If they had all the data in a single place, where a single accident (for instance, a fire) can destroy it, that is a suboptimal backup option.
By forcing them to destroy the data that was kept in a single location, they make the Guardian (and everyone else who is watching) spend time and energy developing a better backup option. That is the opposite of making them develop a suboptimal backup option.
None of these government(s) will ever give up any of their power base to the people of their country. You can vote until you are blue in the face and you will never change a thing. Presidents change, Prime Ministers come and go, Kings and Queens live and die, but the policing and security structures always remain the same and are promoted from within. In other words these people don’t work for you. They work for their power base, for their control.
Remember we warned all of you during and after the Vietnam war about the lock they have on everything now. Remember we warned you about Big Brother, well he is here and he is watching and he is controlling the money, the power and your entire life. When we complained they gave us inflation.
Schneier's analysis
http://www.schneier.com/blog/archives/2013/08/detaining_david.html
Jay Rosen on Barry Eisler's piece
http://pressthink.org/2013/08/to-make-journalism-harder-slower-less-secure/
Quoted from Wikipedia: https://en.wikipedia.org/wiki/Password_strength#NIST_Special_Publication_800-63
“NIST Special Publication 800-63 suggests the following scheme to roughly estimate the entropy of human-generated passwords:[2]
The entropy of the first character is four bits;
The entropy of the next seven characters are two bits per character;
The ninth through the twentieth character has 1.5 bits of entropy per character;
Characters 21 and above have one bit of entropy per character.
A “bonus” of six bits is added if both upper case letters and non-alphabetic characters are used.
A “bonus” of six bits is added for passwords of length 1 through 19 characters following an extensive dictionary check to ensure the password is not contained within a large dictionary. Passwords of 20 characters or more do not receive this bonus because it is assumed they are pass-phrases consisting of multiple dictionary words.”
Using the above NIST calculation, a 16 character long password has at best.
4+2+2+2+2+2+2+2+1.5+1.5+1.5+1.5+6+6=36bits of entropy.
That’s assuming the password does not contain any words found in a dictionary (+6bit bonus). Contains both uppercase and lowercase letters, plus non-alphabetic characters are used (+6bit bonus).
Just for fun, let’s say the NSA has a really slow supercomputer at their disposal. One which can only make 71,000 password guesses a second against a Bcrypt hashed password. Such as this homemade 25-GPU cluster computer.
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
The calculation of time needed to break our 16 character password with 36bits of entropy would be.
Total guesses:
2^36 = 68,719,476,736
71,000 guesses a second:
68,719,476,736 / 71,000 = 967,879 seconds to break password
Convert 967,879 seconds into minutes:
967,879 / 60 = 16,131 minutes to break password
Convert 16,131 minutes to hours:
16,131/60=268 hours to break password
Convert 268 hours to days:
268/24=11 days to break password
Usually it only takes around half the total number of guesses before the password breaks.
Total number of days divided by two:
11 / 2 = 5.5 days to break a 16 character password that has a high entropy, using a home built civilian PC.
What kind of supercomputers do you think the NSA has at their disposal? Maybe something along the lines of…
Titan Supercomputer Specs:
18,688 AMD Opteron 6274 16-core CPUs
18,688 Nvidia Tesla K20X GPUs
Total Power Draw: 8.2 Megawatts
https://en.wikipedia.org/wiki/Titan_supercomputer
That’s a tad more powerful than a 25-GPU civilian computer. If the NSA is you adversary, I’d recommend really long passwords. Double or triple encrypting a file, with at least two or three different sets of passwords would be a wise move too.
I suspect the encryption has been broken, and the authorities are being coy about it, by repeatedly “asking” for the keys.
Russian spies use Flickr to communicate why can’t everybody else?
This is going to sound corny, but...
The parallels between this saga and the movie Firefly are troubling. The Powers That Be haven’t yet learned that they can’t stop the signal and are still trying to keep a lid on the story. They’ll lose.
The big difference is that they’re turning the entire world into Browncoats. Mal would be proud.
Re: This is going to sound corny, but...
It’s a cute analogy.
But as I recall, the “Browncoats” lost that war.
Re: This is going to sound corny, but...
The parallels between this saga and the movie Firefly are troubling.
Firefly was a TV show, the movie is Serenity.
/nerdrage
"2^16 = 65536 possible password combinations"
Man, I knew it was a bad idea to adopt a binary alphabet.
Makes you wonder if the government is selling us out for access. For instance, they approve all of these corporate mergers even when they are bad for competition. You can be certain they see some advantage in them.
Postal service
If you really want to be anonymous, follow the same methods de Beers uses to send diamonds, the postal service.
A thick, stiff card with a thank you note written on it could easily contain a microSD card. Posted from a letter box and arriving at a post office for ‘general delivery’ or one of those mailing address companies, it would be very, very hard to find. You could even do what check scammers do and have an innocent (but naive) third-party forward the mail.
Transfer the encrypted file via RFC 1149.
While you guys debate the best password , encryptions etc you miss the real question of why this had to happen in the first place. What both Snowden and Manning did was not whistle blowing, It was espionage. These two didnt do it for the public good, they did it to get their picture in the news and it didnt matter who was hurt in the process. The intent on both cases was to harm the US to punish/get even wit it for some percieved wrong the country had done to them. No real whistle blowers will be treated as criminals.
Re: Spot the Fed
(I think I found him.)
Re: Re:
What both Snowden and Manning did was not whistle blowing, It was espionage. These two didnt do it for the public good, they did it to get their picture in the news and it didnt matter who was hurt in the process. The intent on both cases was to harm the US to punish/get even wit it for some percieved wrong the country had done to them. No real whistle blowers will be treated as criminals.
Evidence needed for every statement you just made.