How To Foil NSA Sabotage: Use a Dead Man's Switch
mspohr writes "Cory Doctorow has an interesting idea published in today's Guardian on how to approach the problem of NSA 'gag orders' which prevent web sites, etc. from telling anyone that they have been compromised. His idea is to set up a 'dead man' switch where a site would publish a statement that 'We have not been contacted by the government' ... until, of course, they were contacted and compromised. The statement would then disappear since it would no longer be true. He points out a few problems... Not making the statement could be considered a violation of disclosure... but, can the government force you to lie and state that you haven't been contacted when you actually have?"
Rsync.net has been doing this for years; rather than the statement disappearing in case of an NSL being issued, it simply would stop updating. Indeed, their canary text also points out the same possible flaws: "This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page."
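The rsync.net scheme described above has two halves that are easy to conflate: a signature that stops third parties from forging a declaration, and a dated, fresh element that proves the declaration was not prepared in advance. The following is an added example, not rsync.net's own tooling and not code from the comment: it uses Ed25519 (an assumption; rsync.net's actual signature scheme is not stated here), a constructed declaration format, and a constructed headline field standing in for the news clip. The reader-side `Verify` applies the three checks a monitor should make: the signature is valid for the operator's pinned key, the declaration is no older than a chosen window, and the statement still says what it should. As the quoted text notes, none of these can detect a genuine update made under coercion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Canary is one dated declaration. Headline stands in for the news clip
// rsync.net embeds so that the text could not have been written in advance.
type Canary struct {
	Statement string // e.g. "We have not been contacted by the government"
	Date      time.Time
	Headline  string // constructed stand-in for a current news headline
}

// Encode renders the fields into the exact bytes that are signed and published.
func (c Canary) Encode() string {
	return fmt.Sprintf("%s\nDate: %s\nHeadline: %s\n",
		c.Statement, c.Date.UTC().Format("2006-01-02"), c.Headline)
}

// Parse is the reader-side inverse of Encode (assumed three-line layout).
func Parse(text string) (Canary, error) {
	lines := strings.Split(strings.TrimRight(text, "\n"), "\n")
	if len(lines) != 3 || !strings.HasPrefix(lines[1], "Date: ") || !strings.HasPrefix(lines[2], "Headline: ") {
		return Canary{}, errors.New("canary: unexpected layout")
	}
	d, err := time.Parse("2006-01-02", strings.TrimPrefix(lines[1], "Date: "))
	if err != nil {
		return Canary{}, fmt.Errorf("canary: bad date: %w", err)
	}
	return Canary{Statement: lines[0], Date: d, Headline: strings.TrimPrefix(lines[2], "Headline: ")}, nil
}

// NewOperatorKey makes the long-lived signing key whose public half readers pin.
func NewOperatorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the detached signature the operator publishes beside the text.
func Sign(priv ed25519.PrivateKey, c Canary) []byte {
	return ed25519.Sign(priv, []byte(c.Encode()))
}

// Verify applies the checks a reader should make before trusting a canary:
// the signature is valid for the pinned key (a third party cannot forge the text),
// the declaration is fresh (a canary that stops updating is the signal), and the
// statement still says what it is expected to say.
func Verify(pub ed25519.PublicKey, text string, sig []byte, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, []byte(text), sig) {
		return errors.New("canary: signature invalid (text altered or not from operator)")
	}
	c, err := Parse(text)
	if err != nil {
		return err
	}
	if age := now.Sub(c.Date); age > maxAge {
		return fmt.Errorf("canary: stale, last declaration %s is %s old",
			c.Date.Format("2006-01-02"), age.Round(time.Hour))
	}
	if !strings.Contains(c.Statement, "not been contacted") {
		return errors.New("canary: statement changed")
	}
	return nil
}

func main() {
	pub, priv, _ := NewOperatorKey()
	c := Canary{
		Statement: "We have not been contacted by the government",
		Date:      time.Date(2013, 9, 10, 0, 0, 0, 0, time.UTC),
		Headline:  "(constructed headline of the day)",
	}
	text, sig := c.Encode(), Sign(priv, c)
	week := 7 * 24 * time.Hour
	fmt.Println("one day later:   ", Verify(pub, text, sig, c.Date.Add(24*time.Hour), week))
	fmt.Println("three weeks later:", Verify(pub, text, sig, c.Date.Add(21*24*time.Hour), week))
	fmt.Println("tampered text:   ", Verify(pub, strings.Replace(text, "not been", "been", 1), sig, c.Date, week))
}
```

The freshness window is the reader's choice, not the operator's: a monitor that polls the canary and alerts when `Verify` starts returning a stale error is the "dead man's switch" half of the design, while the signature only rules out forgery.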
As we should have learned, the government by and large does not care if they "can" (in a legal sense), they just do it. But if necessary: Those rubber stamp courts will surely find a way to make it happen in a way which is legal on paper.
When it comes to prosecuting, it's entirely alright to punish people based on the spirit of the law. So whatever tricks they tried, as long as they're under a rule of nondisclosure, would land them in deep shit if they disclosed things they were barred from disclosing. However, the spirit of the law is rarely taken into consideration when it helps people, like the whistleblower laws. No one looked to see if the people who were blowing the whistle were exposing corruption or making the country a better place to live, all that mattered was that they violated the letter of the law and needed to be sorry for doing so.
>> ... until, of course, they were contacted and compromised.
So the Feds just contact everybody who does this, and we're right back where we started.
A) this exact story was on Slashdot a couple months ago.
B) judges don't like smartasses who play word games with the law. You can only hope the judge dislikes the NSA even more.
If you like the law, or do not disagree with it, comply. :)
If you don't like the law, use the democratic process and try and get it changed.
If you don't trust your government, elect another.
And if all else fails, emigrate to China or Russia
This is not a signature.
Don't expect a prosecutor to buy this argument. Anything you do that alerts others to a gag order will be treated as a violation. You may win in court, but you will be thousands of dollars in debt defending yourself.
In the day and age of services and leaks, a service provided by a company in a country out of reach of said agencies plus a small leak about the NSL-status sounds like a good combo.
I would wait to see to how far the government will crack down on the owner of Lavabit. It's not the same as a regular update but of course the closure of that service sent a distinct message. Perhaps in the end willingly closing your website is the best form of protest you have. I'm curious to know what the result would be if the big players such as Google tried this strategy, if only for a limited time.
Although cute, this 'idea' is irrelevant. Even if you made the case that you weren't contravening the letter of the request, you could still be charged with obstruction of justice, should your behaviour alter the conduct of the subject(s) under scrutiny. This puts the onus on you to lie.
In short, good luck with that. They're already way ahead of you. Way, way ahead.
When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.
That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. ...
He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people and eat out their substance.
Of course "the government force you to lie and state that you haven't been contacted when you actually have". They have done far worse. Of course, they can lie about doing it, too.
We're talking about the government doing just about anything they want, and we're wondering if they'd restrain themselves according to something as little as the "letter" of the law?
+2 Funny.
+4 Sad.
-Styopa
A dead man's switch automatically triggers an action when the person in charge can no longer prevent it, because he's dead, detained, or otherwise disabled. (Examples: let go of a hand grenade's handle, send out documents if the person doesn't check in at least once a week, etc.) What this article is talking about is more appropriately called a "canary" (referring to the canary in a coal mine). It does the exact opposite. CJ
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html
Why just watch, track or redirect targeted traffic?
Your site might just have a slight pause in updating as a new crew takes over for a few years.
If they have been watching your 'style' for a few years your internet persona might just become a contractor and your site a front.
Drop or add the message every April Fools' Day?
Domestic spying is now "Benign Information Gathering"
I'm amazed at the level of sabotage coming from people in the tech community. What if revealing the existence of the investigation compromises the investigation? What if the person being investigated is performing espionage against the U.S.? It seems Mr. Doctorow likes to encourage obstruction of justice, and it doesn't surprise me he wrote about it in The Guardian.
The rsync canary is a good idea, another standard approach for delicate communications are job advertisements.
In this case:
A large ad in a suitable newspaper that you are searching for a lawyer.
There are different ways you might be contacted by the government.
For example, maybe somebody who uses your website stole something. Suppose for example the FBI suspects that person of having sold it to someone else who uses your website and is looking for evidence of the same. So they get a warrant and go through this one person's email, don't find the evidence they were looking for, and leave.
In another example, maybe one person who uses your website had his car washed by a guy who got an email from a dude who was seen in a cafe with a suspected terrorist. They issue a National Security Letter that threatens you with horrible consequences if you divulge anything, seize a copy of every record on your site going back to 2005, discover another 50 people who got messages from the guy whose car was washed and by the associative property of terrorism, they're terrorists, you're a terrorist and everybody who uses your site is a terrorist.
See the difference? It's not about being contacted by the government. It's about being swept up in a potentially vast and unwarranted (literally) investigation when you didn't do anything wrong.
Of course, this is dependent on the company's honesty. Large companies will probably just lie (by continuing to update their "not contacted" statement), and if necessary be given retroactive immunity for doing it.
Some elaborate dead man switch about a gag order? No judge will take kindly to such shenanigans. Just make it simple, contact a trusted news reporter/Wikileaks securely or via an anonymous 3rd/4th party you have arranged ahead of time and have them publish.
...aaaand, here's some code to use to make your own (which I just posted about only yesterday
At what point does a gag-order come into force? Just send a tweet "A government official has just entered the building with an envelope I haven't opened yet. Updates to follow...", followed by no updates.
IANAL but IMHO words are only one form of communication and any action that communicates, regardless of the actual mechanism of communication, could be considered a willful violation of a gag order.
blindly antisocialist = antisocial
Wouldn't it be better to always have a message saying that you are collaborating with the NSA / currently being gagged? If that situation does ever occur, you then remove the message because otherwise you will be breaking the law...
Hello original author here:
>> http://slashdot.org/comments.pl?sid=4108553&cid=44622087
-- I was raised on the command line, bitch
You really think you're that important?
Bwa ha ha!
men with guns and secret courts and secret laws and secret interpretations of those laws always find a way
To paraphrase a quote in support of NDAA (National Defense Authorization Act):
‘Shut up. You don’t get a lawyer.’
Somewhere a lawyer is searching for you.... will you be listed as "inoperative" "excised" "completed"?
Domestic spying is now "Benign Information Gathering"
The fighting back against the police state has just begun. That the police state will be defeated is a foregone conclusion. The only question is, how many people are going to suffer and maybe die?
I'm convinced that wanting freedom is in our genetic code. Certainly, wanting privacy is. Fighting for it is how we're made.
A lot of us didn't want to think it was this bad, but now that we're finding out, the fight is on, and the outcome certain.
You are welcome on my lawn.
CEO has constant sound feed from office sent to remote non US server not under their control.
Prominent signs in office warn of sound recording (typically legally required).
When the last thing on the sound feed is the CEO being ordered to shut it off and asking to see the relevant authority, everyone knows the company's service is probably compromised.
The librarian Jessamyn West has had a similar idea for years.
For years you have defended your gun rights with the reasoning it was "to defend against the government", and not just to satisfy your control fetish.
So where is your revolution?
Form a new corporation (S or C), transfer your IP and employees to the new corporation, disclose the exact details about the NSA involvement publicly.
Declare bankruptcy on the original company.
Probably wouldn't be this simple in practice (or even possible) but it would allow people to be patriots instead of shills.
... and with Apple's iPhone announcement today, we will show you how 2014 is not going to be like 1984.
-- I was raised on the command line, bitch
fund free software projects, and monitor them. Speak up if there is an issue not being addressed.
Put your money where your mouth is? Are you donating 10% of your income? Because if the religious nut jobs can do it so can you.
"When it comes to prosecuting, it's entirely alright to punish people based on the spirit of the law."
Lloyd Blankfein, Jon Corzine, Jamie Dimon & most of wall st just fell out of their chairs laughing...
Now let me introduce you to my friends, Mr. and Mrs. Nipple Clamp and their neighbor, Sr. Electric Current. Or you can just add the message back onto your website and we can be done here.
Look, I respect Cory. I think he's a pretty good author and an even better freedoms advocate, but if you're betting on the technicality of alerting through inaction instead of action, I don't think you'll like the odds.
"The statement would then disappear since it would no longer be true. "
and we all know that if something is on the internet it MUST be true...
The appropriate action against morally wrong government actions is civil disobedience. Susan McDougal refused to answer questions from despicable prosecutor Starr and served time as a consequence. She should be a role model for ISPs. Brave talk is common but courage is rare.
We all need to ostracize and refuse to have anything to do with any of these people. Looking to hire a subcontractor, and one of the firms in the running has connections to these people? Knock them out of the running and let them and their competitors know why. If we tag and track all of them and make them effectively persona non grata everywhere, and those who do their bidding likewise persona non grata, then we would begin to see change.
Society in general must excise these people or risk imploding catastrophically.
Do what you can, with what you have, where you are.
the website notifies all subscribers of the "LACK OF AN" event.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Since the TSA is now allowed to lie https://www.schneier.com/blog/archives/2013/09/the_tsa_is_lega.html , obviously so can the NSA spooks.
I would suggest a switch used by Dyson in Terminator 2. It's a release switch. If you don't tell the switch to not release every day, it auto releases and removes the message. That way they can't be tried for an action, especially if they are in jail at the time.
>> To paraphrase a quote in support of NDAA (National Defense Authorization Act):
>> ‘Shut up. You don’t get a lawyer.’
>> Somewhere a lawyer is searching for you.... will you be listed as "inoperative" "excised" "completed"?
He doesn't mean that you search for a lawyer regarding gag orders. The suggestion is that you merely, loudly, search for a lawyer, which is not completely abnormal and does not admit anything, but gives the paranoid a subtle hint to be careful.
for some high profile people to break the gag orders, go to jail and start the revolution already. You want freedom yet don't want to stand up for yourself to take it back. Good luck with that, America. "It's not gonna happen here" has worked out so well for you.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
So how would the oblivious tech guy in charge of updating the message know to stop updating the message if the senior executive who knows about the contact and is under the gag order isn't allowed to tell the tech guy to stop updating the message?
-Glires
What about instead of one message, suppose one posted a series of messages (n total) with a similar system?
The i-th message might read:
"We have been served fewer than 2^i requests for information by (date)"
Even with automated requests for information, n = 40 would be more than sufficient. Or, a different function could be used.
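The threshold-canary idea above can be made concrete: the operator publishes every statement that is still true, withdraws the ones that are not, and a reader infers a range for the true count from the smallest surviving i. This is an added example, not code from the comment: the statement wording is taken from the comment, the date is a constructed value, and the assumption that n is at most 63 (so 2^i fits a 64-bit integer) is mine. `Infer` is the reader side that the comment only implies.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Statement template from the comment; the date string is supplied by the operator.
const tmpl = "We have been served fewer than 2^%d requests for information by %s"

// Publish returns the statements that remain true once `served` requests have
// arrived: statement i survives exactly when served < 2^i. Statements are only
// ever withdrawn, never edited, so every published line stays literally true.
// Assumes n <= 63 so that 2^i fits in a uint64.
func Publish(served uint64, n int, date string) []string {
	var out []string
	for i := 0; i < n; i++ {
		if served < uint64(1)<<uint(i) {
			out = append(out, fmt.Sprintf(tmpl, i, date))
		}
	}
	return out
}

// Range is what a reader can conclude about the true number of requests.
type Range struct {
	Lo        uint64 // inclusive lower bound
	Hi        uint64 // exclusive upper bound; meaningless when Unbounded
	Unbounded bool   // every statement has been withdrawn
}

var stmtRE = regexp.MustCompile(`fewer than 2\^(\d+) requests`)

// Infer reads the surviving statements and returns the bounds implied by the
// smallest surviving index i: 2^(i-1) <= served < 2^i, or served == 0 when i == 0.
// If nothing survives, all the reader knows is served >= 2^(n-1).
func Infer(surviving []string, n int) (Range, error) {
	lowest := -1
	for _, s := range surviving {
		m := stmtRE.FindStringSubmatch(s)
		if m == nil {
			return Range{}, fmt.Errorf("unrecognised statement: %q", s)
		}
		i, err := strconv.Atoi(m[1])
		if err != nil {
			return Range{}, err
		}
		if lowest == -1 || i < lowest {
			lowest = i
		}
	}
	switch {
	case lowest == -1:
		return Range{Lo: uint64(1) << uint(n-1), Unbounded: true}, nil
	case lowest == 0:
		return Range{Lo: 0, Hi: 1}, nil
	default:
		return Range{Lo: uint64(1) << uint(lowest-1), Hi: uint64(1) << uint(lowest)}, nil
	}
}

func main() {
	const n = 40
	const date = "2013-09-10" // constructed
	for _, served := range []uint64{0, 1, 5, 1000, 1 << 39} {
		pub := Publish(served, n, date)
		r, _ := Infer(pub, n)
		fmt.Printf("served=%d -> %d statements survive, reader infers %+v\n", served, len(pub), r)
	}
}
```

As the thread points out elsewhere, the scheme only informs readers to the extent the operator keeps withdrawing statements honestly; the code makes that dependency visible, since `Publish` is the only place the true count enters.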
Would it not be possible to create a piece of hardware that sits between your computer and the router or router and whatever outgoing cable that basically checks if the endpoint you're sending packets to has a similar device connected to it and if it has would do encryption between those two things. It would basically create ad-hoc encryption between any endpoints that would have those things there. Obviously it would have to run with hardware and software made from scratch and by some authority / country where it could be deemed safe enough including the mass production of said devices.
Period.
It's better to do it from a country where people can't be puppeted by police or national security folks (although this is still possible illegally). Such as, possibly, Switzerland or some "offshore" islands.
Alternatively, the system could be impenetrable by the owner...I actually recall that Lavabit offered encryption in which only the user possesses the private key, no? Being forced to keep records of who sends and receives mails can still be forced, of course. Same holds for being forced to put a trojan or secretly compromising the security of the system.
Just fyi Greenland isn't a sovereign country... it's a self-governing province of Denmark. :)
:)
And it has been a part of Denmark for about 1000 years - by comparison the US is a young country
In any event, I wouldn't try my luck with Greenland, it's really dark and they're not super rich either... and have lots of problems...
But Norway, might actually be a good choice these days... They have too much money/oil, anyone with a university degree in something even remotely useful has a good chance of landing a job... (Which is a pretty essential thing in any immigration procedure).
That said, most European countries aren't particularly open to immigration, unless you're useful or willing to marry someone
Just curious, but what is the actual penalty (and to whom does it fall on in a corporate structure) if you actually say "Hey, the NSA contacted us and said we couldn't tell our users about this, but frankly, the NSA can pound sand."?
Guantanamo? Secret Detention in some Third World Hell Hole? Six months in club fed? Fines?
Or are the penalties too secret to tell, as well?
If you were me, you'd be good lookin'. - six string samurai
The method outlined by Doctorow in the linked article would not work, and here is why.
1) They (the government) consider not only the speech of disclosure, but the intent to disclose, and probably therefore the means of conveying the message that constitutes an act of disclosure. When an actual NSL is issued, I would bet the method described in this article could be regarded as an act of disclosure by way of clandestine communication. You would get in trouble for doing this if you were subject to an NSL gag order.
2) Doctorow's method is more particular than the Librarian's method. It actually does involve arrangement of a designee to receive information specifically related to government intel queries. It plainly establishes both intent and expressly indicates means to convey the state of intel inquiries to special parties. The DMS cannot be restrained from publishing anything, but those receiving the gag order conceivably could be prosecuted for communicating with the DMS service.
Finally, and most importantly, the agencies already note that disruption of electronic communication services (like account suspension, website shutdowns, and so on) can be regarded as signals to special parties that an investigation is under way. So, they (the NSA, FBI, whoever) forbid peculiar irregularities in habits of service when they issue nondisclosures. As far as Doctorow's method is concerned, you would likely be prohibited from failing to update your information to the dead man's switch in any way other than routine so as not to indicate you have been asked to provide intel information. See, you're providing a service to the DMS, disruption of which service might reveal a security investigation is underway: you can't do that, and they say so in their letters.
Look, I'm not writing about whether it is right or wrong for the NSA to do this, nor whether it is right or wrong for us to expose these situations. I'm just saying, it may seem like a cute little language game for solo citizens, but real companies can't afford to violate an NSL or any other gag order, and that's why they don't do it, plain and simple. The language of the law is pretty clear about why disclosure is prohibited, and violating that law looks to have some pretty severe consequences. Especially if the FBI or NSA or whoever is right when they say that disclosure is a threat to security, and then you're in a world of hurt because your unnecessary expression of speech actually did jeopardize an investigation where intelligence of a credible threat was real. That's why currently it's up to the courts to remove a gag order, which they can do, if the NSL is BS. Your right to speech is intact; it just has to be reviewed and upheld before you can exercise it. Wait... that doesn't sound right...
However, while the article's method is dubious I think its underlying premise is worthy of further examination. You've tried to find a way to hide the fact of disclosure, or at least put it into legal safe zone. That won't work. Perhaps find a way to hide intent of disclosure?
http://en.wikipedia.org/wiki/Warrant_canary
Make the only method of contact with your organization a public drop box. Put a note on your web page: "Place all correspondence in /pub". If anyone wants to see what you've been served with, there it is.
I don't have to provide anyone with a confidential channel over which to contact me. I'm part of The Public". If you speak to me, you have already made your disclosure a matter of public record.
Have gnu, will travel.
Rather than posting :
"We haven't gotten a National Security Letter yet",
post:
"We got a National Security Letter today, Sept 10, 2013."
Updating the latter statement should be explicitly prohibited by the current terms of the National Security Letter.
Then when they modify the terms to require you to keep lying if you've installed a deadman switch, change it to:
"The NSA has required me to lie and keep posting to this deadman switch as of Sept 10, 2013."
Because if they direct you to lie, they will almost certainly also require that you NOT tell anyone that you are lying.
Get a webcam. Point it at a living plant (non-cactus type). Put a sign under it that says 'not contacted by the NSA'. Embed that stream on the site. Keep watering the plant, until the NSA contacts you, at which point in time forget to water the plant.
As a non-US resident, I'd like to know what would happen if a business owner were to simply publish the secret request, ignoring the gag order? Surely this is a great instance for civil disobedience?