Slashdot Mirror
Digital Voices From Rogue Nations?
cscrutinizer asks: "I have a friend in Iran who is producing a Web site newsletter (in English) that advocates women's rights there. She is looking for ways to fund her operations and was wanting to add a donation section as well as a section to sell e-books of some Iranian authors who can't get their stuff out to the rest of the world. As we started to talk about how to do it, a myriad of issues came up with regards to credit card transactions, the transfer of funds, the use of encryption, where to host (currently in the U.S.), copyright laws, how to avoid political reprisals, etc. What is the best path for someone living in an embargoed nation?"
BillEGoat writes "A friend of ours is visiting China to do some work that is not in keeping with their government's ideals. We need to know the kinds of e-mail interception techniques China's government and universities use, and if encrypted e-mail will get detected or blocked. Obviously the idea is to communicate without anyone knowing. The real risk is arrest and detention or deportation of our friend if caught. What encryption techniques can we use that are hard to detect and break?"
Perhaps a better way of exchange emails would be through the use of stenography(hiding the content in other data). Send images of your pets(not the images of course) back and forth via email and have a light discussion in the email, when you both know that the real content is in the image itself.
And to be on the safe side encrypt your message before running it through a stenograhy tool, so there won't be a big glaring header saying, "hey..look at me..i'm hiding something".
I think its dangerous to assume that only those "fascist countries over there" are being monitered, especially after the discovery of Carnivore and even the local police taking part as seen in this article from wired.
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;
BillEGoat, take a look at some steganography tools out on the net.
For those unaware, steganography is the embedding of useful information in other data, for example encoding text in the least-significant-bit(s) of an image.
As a hypothetical: Your friend wants to send email with sensitive information. He encrypts it (just to be extra safe) and then burries the ciphertext in a large TIFF file of the Chinese Wall. He compresses the image with ZIP and attaches it to an innocuous e-mail "Having a great time, wish you were here"...
The government spooks intercept, decode and conclude ' another happy tourist spending dollars '.
You receive the message, reverse the process and learn that the attack is being launched at dawn.
-- What you do today will cost you a day of your life.
I repeat, Steganography to also hide the fact that any encrypted comm is even taking place. Put the payload in Islamic and Chinese art, etc.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
China seems to me like a country on the verge of radical change. We all remember the kid standing in front of the tank, throwing rocks... but when you look at the way they handled the annexation of Hong Kong (by changing almost nothing), there's room for hope.
If I'm wrong, we (by which I mean most of the world) will probably end up at war with them over Taiwan (or something) within the next decade or two. The old Chinese curse about living in interesting times seems to apply.
Information wants to be anthropomorphized.
Though cryptography solves the problem of communicating with someone in a country where the communications pathway is insecure, it does not allow you to communicate securely with a 'compromised endpoint.' If your target works at a university and has access to the Internet only through university supplied computers, and Big Brother controls the university, if he decrypts your email on that machine, its now been read by The Man.
The ethical question is, "assuming your peer's communications are tapped (encrypted or not) what do you do then?"
here - Outguess (haven't tried it, going to now) - Unix source tarball, BSD license.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
At least the UK is more consistent on the issue: they don't hold free speech as sacrosanct, instead choosing to promote free speech as long as it doesn't promote hatred. The US has no such thing. And so, free speech becomes something claimed left and right for something as stupid as the right to broadcast publicity, and is encouraged by everyone as long as it fits their own view of the world.
Free speech in America has become a flag of convenience waved whenever one wants to encourage their own view of the world with impunity. How come free speech is never about the right to speak hatred, or to speak for the system that represses women in Iran or encourages crass communism in China? What about the right to treat others as inferior human beings? Get your facts straight. Free speech, along with gun control, is only a tool to constitutionally crush and intimidate others.
Everyone here who's been advising you to use steganography is well-intentioned, but missing the point. If the secret police suspect your target of receiving subversive information, then they'll likely look for steganography.
It's not hard to flip the low-order bit in an image file. In fact, it's trivial. They'll be expecting that and they'll intercept it. Don't try it.
Encryption is also not the answer. In Iraq and Syria, for instance, using encryption is a capital offense. Sure, your communications with your friend might remain secure, but your friend would be executed--whoops!
Another naieve way to handle things is to encrypt your steganography. "It'll look like random noise!", they claim. Well, yes... and that's exactly what it must not look like. You'd have to find some bizarre cipher with outputs specifically tailored to match the statistical patterns of image files. I don't know of any which can do this.
One possibility--and I am not reccommending this without a heck of a lot more peer review--is to start an email dialogue about esoteric mathematics. Include a big ol' table of random numbers and do some real mathematical analysis of it. If the email gets intercepted, the secret police will check the table for randomness (it's random, all right--passes every test!), they'll check your email to see if it's sensible (yep--you're doing actual mathematical research!), etc.
Of course, your friend knows that it's a one-time pad. (Not really a one-time pad--if you and your friend both have a cipher, a shared key and a shared IV, you can run the cipher in OFB mode to generate a lot of statistically random data. You generate the random data, then use it as a one-time pad for your message; your friend re-generates the one-time pad on his/her end, then reverses the one-time pad. Strictly speaking, this is just OFB encryption, not a OTP.)
Of course, the secret police will know that it's an encrypted message... but they won't be able to prove it. Whether or not that stops them depends on just how totalitarian the state is. Some states will just shoot you in the back of the head and get it over with. Others, such as China, must at least make an attempt at a fair trial in order to soothe Western critics.
Yes, there is a high probability that naively encrypted e-mail will be detected, if not now, then in the foreseeable future... and they're not going to announce when they develop that capability. If it's detected, then you want to hope it's blocked, since if they don't block it, it probably means they're investigating you and planning something nasty.
People have suggested steganography. It's a good idea, but it is detectable. Present steganographic methods will not protect you against anybody who's investigating you specifically and has any real sophistication. You can tell if a message has been watermarked into an image, for instance.
And, as somebody else pointed out, even a pattern of large images passing back and forth is suspicious if you're visible enough to be watched at all. Eventually, they might get bulk techniques for detecting most kinds of steganography. Use with extreme caution.
Somebody suggested an offshore drop. Probably the safest thing, but use with caution.
Whatever crypto or steganographic software you use, make sure you know the consequences of getting caught with the software itself. I don't know what they are, but I'd suspect there might be some, especially if they wanted an excuse to nail you.
Iran
It depends on who you want to collect donations from. If you really want to take credit cards, it can be tricky to get a merchant account. One trick is to use a Web shopping-cart billing service, although they'll skim a lot of money from you.
Where to host: How about HavenCo? They're giving out free hosting for qualified human rights people. They should be pretty hard to get at.
It shouldn't be too difficult to get the money into a US bank account, perhaps in the name of a local sympathizer. It's probably a bad idea to put her own real name on the account.
Transfer of funds is the hard part. Setting up some kind of bogus commercial transaction might work. Probably not enough money there to make it worthwhile to smuggle cash, and that's mondo expensive, anyway. Be careful about running into US (or wherever) "money laundering" authorities... they have very sophisticated surveillance on this, and I wouldn't put it past them to let the information fall into the hands of the Iranian government.
There are specialists in this sort of thing. It's a good idea to seek out a good one. I've probably already said more than I'm competent to say.
I don't see any copyright issue as long as you have the author's permission (assuming the author hasn't sold the rights to anybody else).
All the comments about communication for China apply, only more so.
Back about 3 or 4 years ago someone on the Scary Devil Monastery got mad at all the lusers posting with line lenghts longer then 72 charicters. So he made all the line lenghs of his next few posts exactly that. The neat thing was he did it by hand, without inserting extra spaces. Those posts made gramitical sense and were intellegent.
So with practice you should be able to set up a low bandwidth code based on line lenghts. Shorter then 72 is a 0, longer is a 1 (or maybe encode 2 bits in a line...)
Of course the point is that you need to communicate without rasing suspition. Thus you need a pen-pal that you can write long letters to often, on innocent subjects. (Talk about your girl friend, go into detail about your date at a restaruant - someplace they can quickly verify that you really were in). If keep sending pictures of the mona-lisa around slightly altered, then you better be talking a email class on gimp filters. (This is what I came up with when doing a blur to the nose - and then embed your message in the least significant bits of the nose area only.)