'Echelon Study' Released by European Parliament
ckolar writes, "Duncan Campbell's report on Echelon has been delivered to the European Parliament's committee for Justice and Home Affairs and is available online." This is the study that was commissioned by the EU - very interesting reading.
--
It is no measure of health to be well adjusted to a profoundly sick society.
I saw this story briefly on the wire this morning, but it appears to have been pulled. Maybe the MIB phoned the AP and said "We would be so much happier if you would show a little more discretion in running stories of this nature..."
As your constituent, I'm writing to ask for your support for a congressional inquiry into a threat to the privacy and civil liberties of all residents of the United States. I've read several credible reports that suggest that the global electronic communications surveillance system -- frequently known by the code name ECHELON -- presents an extreme threat to my privacy and that of other people around the world.
If you want to free hand your correspondence, get your senator's or representative's name, address, etc., from their web site, and send the letter. Complaining on forums such as Slashdot, Attrition or HNN will not accomplish anything in bringing this stuff into the light. Whining on Slashdot only increases your Karma.
More race stuff in one place,
than any one place on the net.
Does anybody know what format the report is in, what size it is and precisely what time the link went live? I'd like to read it, but I'd also like to get my connection back at some point...
The only Good System is a Sound System
Also, there are several related links on the Personal Security page of the Center for the Study of Technology and Society.
Finally, if you want the wire version of the story, click here.
Yours,
A. Keiper
The Center for the Study of Technology and Society
Someone mail the text of the report and I'll mirror it or just post it here. Something. I can't stand the suspense! :O
The linked site appears to be slashdotted. I believe this is a valid mirror of the report:
ht tp://www.cyber-rights.org/interception/stoa/inter
Interesting how the "Echelon Study" article is posted next to a "Blame Canada" article. After all, the operating principle of Echelon just happens to be "Blame Canada" (the UK blames Australia... and so on). Coincidence these articles ended up next to each other... I don't think so.
And it seems that France in particular has a taste for the fantastic. Microsoft is the NSA's largest customer, and IBM was forced into using DOS by the government?
France allegedly has its own Echelon, and no doubt that the UK does also. So if they're doing it themselves, why are they so pissed at the US?
Whining and bitching about big brother will achieve nothing.
If that's ALL you do, then that's true. You're preaching to the converted. But if you write (yes, with paper and stamps, because it's so much more effective than email that our benighted representatives seldom even hear about) to your representatives and THEN get onto a public forum like Slashdot and tell others what you did and why, it might get others to follow in your footsteps.
But please be polite. These people have to slog through bureaucratic BS all day. You won't win any friends in high places by venting your spleen at them. Just explain logically why this is a Bad Thing.
And while you're at it, write to your local newspaper. There you'll be preaching to many who are not yet converted. Spread the word!
How so? Well, I've seen several posts suggesting writing to representatives. What good is that going to do? The NSA has refused to even say if the name even means anything to them, under Client - Lawyer privilege. Have you seen Congress push them into saying anything further? One try, and they seem satisfied they've done their part.
Ok, what about this jamming? As I've said on a number of occasions, NOBODY does interception by keywords. Even IDS systems use pattern-recognition and context-sensitive detectors. Why would one of the largest, most advanced, most brilliant collection of programmers and mathematicians use a simple 'tcpdump | grep'? It makes no sense.
Ok, so "conventional" jamming won't work, complaining gets nowhere, what CAN you do?
I'm not going to say people are powerless, because they're not. However, they DO need to be unorthodox. You can't break encryption, if you don't know the algorithm, or possible set of algorithms. Even then, your probability of a false positive goes up considerably, the greater the number of keys and/or algorithms.
There are a GREAT many encryption algorithms out there, some stronger than others but that's not really the point. If nobody can really tell which algorithm you're using, your effective keylength is equal to the key length of the -LONGEST- key possible, PLUS log2(number of algorithms).
eg: PGP/GPG uses RSA to encrypt a secret key, but uses a simple secret cypher to encrypt the message itself, using that secret key. If someone modified PGP/GPG to allow you to pick (or have it randomly select) one of, oh, 16 algorithms for the secret encryption, then your effective keylength is equal to 128 + 4 = 132. That's a lot tougher to crack (it'll take 16 times as long) and might well prove too difficult for a real-time system, such as Echelon.
Even so, I =can= tell you that Echelon is complex. My understanding is that it includes vast arrays of DSP chips embedded in the physical network, for pre-processing. The only hope is to make systems such as IPSec and PGP/GPG sufficiently advanced that one-size-fits-all solutions can't be used effectively.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
how effective do slashdotters think echelon really is? and do you think they feed any data to U.S. commercial concerns? I've been thinking a bit about this recently; some simple calculations demonstrate that the amount of material they have to look through is simply phenomenal. The rumors say that the system has links to telephone lines, faxes, email systems, satellite links, and who knows what else. So, some extremely quick and dirty estimates:
I live in Boston with three other people and their respective girlfriends; most of us have cell phones. Our house has two phone lines, DSL, and ten computers hooked up behind a firewall. My roommate has a Palm V with an omnisky. That's eight or nine voice streams and as many data streams. The data streams are going all the time, and are all multiplexed through our single DSL connection. Now, admittedly we're a little more wired than most. So we'll scale this down a bit. Assume the government only is interested in monitoring large cities and a few out of the way enclaves dotted around the map. Maybe the ten largest US cities and 150 known subversive groups. Including the greater metro area, each city has maybe 4 million people on average, implying about 1.6 million families per city, giving 16 million families total. We can guess that (plus or minus a few kooks) nearly every family has at least one phone line and 2 out of 5 have at least one cell phone. Probably 60% have an internet connection.
This gives us 32 million data streams, to monitor in real time, and at odd hours. Now given the current state of speech-to-text software, and assuming the NSA is 15-20 years ahead of the state-of-the-art (a very dubious assumption, these days), we'll also figure that with their software they can decrypt 200 voice streams per second with a pentium III. That still implies that they need the equivalent computing power of 160,000 high-end workstations.
Ok, this is not outside the realm of possibility. But it's right on the edge! Add in the complexity of understanding and dealing with different accents and different languages, static, spread spectrum cell phones, demultiplexing LANs, tapping who knows how many switches, debugging the monitoring software and releasing (secret!) updates into the field, dealing with code words and both simple and complex black box and white box encryption, and dealing with the noise of slashdotters putting in things like "kill the president" and "natalie portman is trafficking in hot grits disguised as cocaine to pay off communist subversives," and we see that if Echelon exists, it's probably close to useless. And a horrible waste of taxpayers' money. Though I guess developing such a comprehensive system could be valuable for use in targeted situations, like focusing on transmissions in a limited geographic area during high-tension conflicts.
These estimates are very much back-of-the-envelope, but does anybody see anything fundamentally wrong with them?
--
neil
One of the main news items on Finnish TV tonight was about Echelon. In brief, Tony Blair told the EU commission today that Britain hasn't betrayed Europe by participating in the US spy network also known as Echelon. Interesting was also the mention of that Echelon probably started as early as 1940.
Those who can understand Finnish can read a pretty good article summarizing the news here. Finland is one of the biggest supporters of privacy and protection of the individual in the EU.
Set it up and create secure connections between your peers. Very soon it will support automatic keying using DNS-SEC (public keys kept in the DNS database).
Echelon makes little difference if everyone is using end-to-end transport level strong encryption.
Burris
Is someone actually reading our mail? With terrorists, hostile governments, nuclear weapons, chemical weapons and biological weapons, does the government really care about anything you say?
If they are thoroughly reading your mail (suppose), are you suggesting that men in black suits come and oppress you? Because if not...
You must be suggesting that this evidence will be used in a court case against you. However, since it was obtained illegally, and the way in which it was obtained is classified (there was a case like this a while back), there is no way it can be used against you in a court of law.
As for the industrial espionage allegations, I could see someone doing that, but would suggest that it isn't commonplace. The government keeps a Very tight rein on its contractors, in terms of what they are allowed and not allowed to do, and it seems unlikely that it would make a *habit* of breaking similar rules itself, with the complicity of one of its contractors.
Also, do you think that microsoft and the nsa could slip something like that under our noses? Under several hundred million of our noses?
Jack Valenti and the MPAA are to technology as the Boston strangler is to the woman home alone
I think this also points up the reason the government has fought PGP so fiercely. Even if they subvert the author, they can't do anything very obvious or easy, and you or I are quite likely to break anything they hide in the code, while rooting about in it.
Perhaps the most important question now is: what do the new crypto rules imply, in light of this? If we can really just give the no-goods at NSA a heads-up and export freely, does this mean that they're giving up? Or could it be that they can do an end run around the crypto if they have to (as in Tempest, bounce a laser off your window, intimidate your neighbor, et cetera)? Perhaps the best answer is: don't do anything bad, and encrypt everything, just in case.
See what I've been reading.
One thing that deeply bothers me about this report is that it seems to focus primarily on purely economic problems associated with Echelon. The EU ministers seem to be worried that their businesses are going to lose market share because NSA is passing their plans on to their American competitors. This seems both dangerous and hypocritical to me. It's dangerous because they seem to be downplaying or ignoring the (IMO) much more significant damage to personal privacy that is inherent in the NSA's pawing through everyone's communications.
It's hypocritical because EU countries have been as vigorous as anyone in using government intelligence to benefit their commercial sector. Interestingly, two of the specific examples of intelligence alleged to have come from Echelon were about EU companies offering bribes in pursuit of contracts. I don't want to compare the significance of offering bribes to that of reading people's mail, but it find it pretty hypocritical of the EU to bitch about others' reading of their mail turning up illegal and immoral behavior.
There's no point in questioning authority if you aren't going to listen to the answers.
Come on, what's with this echelon stuff? Have none of you read The CodeBreakers or The Puzzle Palace? Don't you realize this has been going on since the telegraph?
The wrong thing to do is to focus on "Echelon". Look, *ANYONE* can listen in on you, not just the NSA. Use a cell-phone? Use a cordless phone? Your neighbors will soon be able to buy or create scanners to decode digital transmissions. Use the internet? A hacker hacking into an ISP or wherever your mail is located can easily read it. How about cable modems? Oops, anyone can sniff your packets.
If you don't want to install window blinds or curtains on your windows, don't cry when someone uses a telescope to watch you getting undressed.
The only solution to the privacy problem is to use encryption. If you broadcast data in the clear over any medium, you are relying on security through obscurity.
Has anyone noticed how EU centric these articles are? Who's Echelon? Anyone not in mainland Europe apparently. US, Canada, Australia, New Zealand, UK, etc. (the GMO controversy also follows the same sort of dividing line, with the mainland Europeans being the most vocally opposed)
Of course, France, that moral and highly cultured "you don't even know what culture is you Americans", would never engage in something as distasteful as industrial espionage? Would they?
It's patently obvious that the world's spy agencies have been intercepting all the traffic they could, even since World War II and before. Echelon is nothing new, except a "ooh scary" code word.
1) There seems to be an assumption that part of Echelon is the ability to compromise a 128-bit key in a negligible amount of time (i.e. instantly.) Now, I'm not super-duper-hardcore up to date on my Echelon readings, but I haven't seen any indication that anyone actually has the capability to brute force a 128 bit key in real-time. If I've just been living in a cave (not far from the truth) and simply failed to hear about this advance, someone please post a link/reference, or e-mail me (above address, minus the DELETME), or something-- I'd be really interested in such news.
2)PGP/GPG uses RSA to encrypt a secret key, but uses a simple secret cypher to encrypt the message itself, using that secret key.
Maybe I'm reading this wrong, but it sounds like you're saying that PGP/GPG use a proprietary algo for their symmetrical crypto. At least with PGP, this is not the case. PGP (I think) currently uses IDEA, and used to use DES. While the latter is somewhat shady, these are hardly secret, and aren't that simple, either.
3) In the above set-up (with the PGP/GPG system which randomly selects the private-key algo to be used on a message-by-message basis) how do you securely communicate this to the recipient? Is the selected algo packaged with the key inside the public-key encrypted portion of the transmission, or do they just guess? (Not that having them just guess is such a bad idea-- it's sorta like those first versions of Public Key systems, the ones that used numeric puzzles for the keys. If the recipient just has the key, it'll take a more-or-less negligible amount of time for her to decrypt the message under each algo and see which version isn't gibberish.) Still, I'm not seeing the need for this, as per #1. I mean, if they can brute-force a 128-bit key in more-or-less no time, is making this time 16X longer gonna put that much of a knot in their britches? If 128-bit keys aren't secure, then this sort of arrangement is just a Band-Aid.
Again, it's possible that I'm just totally mis-reading the above. Sorry if all of this is out-of-left-field.
Much Love,
"S"HM
*****
(I refuse to spellcheck out of contempt for your belief system)
Reminds me of the old radio gag of having everyone flush their toilets at the same time to protest high water prices.
Speaking of flooding national systems, a friend of mine worked at a water treatment plant (sewage.) I joked to him about the "Superbowl Flush" effect that I heard about in the late 70's and asked if he could comment on it. The theory went something like when America would all get together on Superbowl Sunday to drink beer and watch the barbaric game of football up until halftime, at which time their urinary bladders exceeded maximum capacity. The concern was that everyone and their brother made a dash for the toilet, whizzed, and flushed at the same time, overloading the sewer systems and rivers across the country, possibly causing mass flooding, etc...
He stated it was no joke and described the incoming rush of water was real.
So, I guess we could all flush our crap at the same time and jam echelon in the same way. Whoooohooooo!
As for the probability - this depends on the algorithm you're using. If you're using a straight XOR, nothing fancy, and a key of equal length to the message, then the message cannot be cracked by going through every possible key, because you will get every possible plain-text message of equal length.
I don't know if there's any "formal analysis" of the likelihood of one encrypted message (algorithm unknown) "decrypting" to >1 "valid" plain-text, but it would seem reasonable that the longer the key-length and the greater the range of potential algorithms, the greater the likelihood of false positives.
The main thing you'd have to watch for, though, is having two or more algorithms where a1(key1) generated the same output as a2(key2). Let's say you were using XOR, for example, as your encryption algorithm. Using XOR (256-key) as a second algorithm would be a big mistake, as you've gained no strength in doing so. (It's not made it any worse, either, but there may well be cases where it would.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Dr. Burris T. Ewell
The problem is that the NSA & Ignorance has been pretty effective at preventing people from using crypto. We need a campaign to get the Linux distributions to come with this stuff preinstalled. Actually, we need a campaign to get PGP preinstalled on Windows boxes too. Debian does some stuff to make it easier, but we really need it to be a standard part of using a computer.
Actually, the most effective thing would be to get proper use of public key cryptography to be taught in every CS101 class (i.e. first class a CS student takes). Perhaps going so far as to require all their assignments to be digitally signed and encrypted for the recipient (with GPG) when turned in via computer. A strong case can be made for this being an essential part of a computer education.
I suppose you could also go to high schools and teach the kids how to keep their emails secret with PGP, but that takes a little more work than just convincing college professors to teach it.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
Let's say you were using XOR, for example, as your encryption algorithm. Using XOR (256-key) as a second algorithm would be a big mistake, as you've gained no strength in doing so. (It's not made it any worse, either, but there may well be cases where it would.)
Actually, that would make the crypto considerably worse!! Since 256-x where x
It's still a pain to brute, and there are still more than one possible decryption, but the space is vastly reduced. A 1k message will only have 8^1024 possible plaintexts rather than 256^1024.
OOOPS, that damned less than! Let's try that again!
Using XOR (256-key) as a second algorithm would be a big mistake, as you've gained no strength in doing so. (It's not made it any worse, either, but there may well be cases where it would.)
Actually, that would make the crypto considerably worse!! If key = x XOR (256-x), each char of plaintext is effectively XORed with 1 of eight possible bytes rather than 1 of 256. Furthermore, the 8 choices are all very neatly arranged so that it will start with 1s and end with 0s (in binary). To make matters worse, the distribution is screwed and heavily favors 11111110b so that the majority of characters have all but the last bit flipped.
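An added example in Python (not posted by anyone in the thread) that checks the claim above by enumerating every key byte x: it collects the net key value x XOR (256-x), its distribution, and the "ones then zeros" bit shape, and for contrast shows the earlier reply's point that a single XOR with an unknown key byte leaves every plaintext byte possible. Function names are my own.

```python
from collections import Counter

def combined_key(x: int) -> int:
    """Net key applied to a byte that is XORed with x and then with (256 - x) mod 256.
    Two XORs collapse into one XOR with this single value."""
    return x ^ ((256 - x) & 0xFF)

def effective_key_distribution() -> Counter:
    """How often each net key value occurs across all 256 choices of x.
    The thread's claim: only 8 distinct values, with 0xFE (11111110b) dominating."""
    return Counter(combined_key(x) for x in range(256))

def is_ones_then_zeros(v: int) -> bool:
    """True if v, as 8 bits, is a run of 1s followed by a run of 0s (0x00 and 0xFE included)."""
    return any(v == (0xFF << k) & 0xFF for k in range(9))

def double_xor_encrypt(plaintext: bytes, x: int) -> bytes:
    """The proposed scheme: XOR with x, then XOR with (256 - x). Shown only to
    demonstrate that the result equals a single XOR with combined_key(x)."""
    k2 = (256 - x) & 0xFF
    return bytes((b ^ x) ^ k2 for b in plaintext)

def candidate_plaintext_count(message_len: int) -> int:
    """Number of plaintexts consistent with a ciphertext of message_len bytes when each
    byte's net key is one of the 8 values above (the 8^1024 figure from the thread)."""
    return len(effective_key_distribution()) ** message_len

def single_xor_candidates(cipher_byte: int) -> set:
    """Earlier reply's point: one XOR with an unknown byte key decrypts to every
    possible plaintext byte, so brute force learns nothing for that byte."""
    return {cipher_byte ^ k for k in range(256)}

if __name__ == "__main__":
    dist = effective_key_distribution()
    for value, count in sorted(dist.items(), reverse=True):
        print(f"net key {value:08b} occurs for {count:3d} of 256 choices of x")
    print("distinct net keys:", len(dist))
```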
Check out I Listen : A Document of Digital Voyeurism by The Spacewurm. It's a book of transcribed cell phone conversations:
Since 1993, electronic music artist The Spacewurm has used specially modified digital scanning equipment to secretly (and illegally) record the cellular and portable phone calls of everyday people all over the country. The stories, confessions, and intimate conversations of these unwitting participants are described in I LISTEN.
cpeterso
The industrial espionage angle is a *RED HERRING* It's a neat little excuse for why the European economy is falling behind in the digital age. It will do nothing but promote nationalism or continentalism "see, now we finally know why Europe's economy is lagging. It isn't our over-regulated socialist consensus-decision-based markets, it's those damn Americans stealing our contracts through NSA listening posts."
In the 80s, when America felt threatened by Japan, there was a similar sort of whining. Americans were complaining about Japanese interns in American companies copying designs and taking them back to Tokyo. Americans made much of the fact that all Japan did was go to Comdex, copy American inventions, and then mass produce them.
Echelon is the new scapegoat to explain the poor French economy. But what is not mentioned is that French Intelligence has been doing this for years.
You don't even need listening posts. Just H1-B VISAs.
The Europeans are basically trying to find some illegitimate/unfair tactic behind the US economy's success. It couldn't possibly be that American venture capital markets are superior, or that America is brain-draining Europe by influencing all the smart/ambitious people coming here to work, or because the US just has a better climate to conduct business.
Oh no... it must be because Microsoft/IBM/Yahoo/Amazon/Boeing/GE/whatever are actually being secretly helped by the NSA.
My suggestion is if you care about your privacy, stop sending private information out in the clear.
You should worry more about the masses of miniature hidden $10 webcams exploding on the market, monitoring your every move, and being installed in public bathrooms, so perverts can put you on their web page.
By comparison, your next door neighbor is going to do far more harm to you in the near future.
I hate it when sites go down and disappear. Here is a mirror of one of the reports complete with pretty pictures.
Do you know the author? I've met the guy a few times. He's been involved with investigating government espionage activities for a long time, and consequently has been raided by the spooks on several occasions. Anyone remember Project Zircon?
:v)
He, like many people, is concerned with what governments are getting away with. It's becoming far too much an 'us' and 'them' situation. 'They' are supposed to be working for 'us', not against us. But somewhere it has gone wrong. Many people can't see it getting better, and it seems to be one of those self-promoting systems that can only get worse.
It's not euro-centric so much as someone on the outside looking in. More non-US-centric as it were.
Vik
I note that the report indicates that keyword recognition for voice calls isn't yet available. This is incorrect. It's a standard feature of advanced prison phone systems. "The LazerVoice Keyword Recognition feature listens to all conversations and selects the call records that fit your customized keyword criteria creating faster and more cost efficient investigations." "Our top-selling product", says the manufacturer, Schlumberger. Order yours today.