How To Foil NSA Sabotage: Use a Dead Man's Switch
mspohr writes "Cory Doctorow has an interesting idea published in today's Guardian on how to approach the problem of NSA 'gag orders' which prevent web sites, etc. from telling anyone that they have been compromised. His idea is to set up a 'dead man' switch where a site would publish a statement that 'We have not been contacted by the government' ... until, of course, they were contacted and compromised. The statement would then disappear since it would no longer be true. He points out a few problems... Not making the statement could be considered a violation of disclosure... but, can the government force you to lie and state that you haven't been contacted when you actually have?"
Rsync.net has been doing this for years; rather than the statement disappearing in case of an NSL being issued, it simply would stop updating. Indeed, their canary text also points out the same possible flaws: "This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page."
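An added illustration, not part of the thread and not rsync.net's tooling: a reader-side check for a canary of the kind described in the comment above, where the warning sign is that signed updates stop and the embedded news clip bounds how early the text could have been written. The text layout, the `period` and `news_slack` values and the function names are assumptions; signature verification is assumed to happen separately and is passed in as `sig_ok`.

```python
import re
from datetime import date, timedelta

# Constructed sample in a hypothetical layout; real canaries use their own wording.
SAMPLE = """\
Statement date: 2013-09-09
No warrants have been served on example.invalid or its principals.
News: 2013-09-08 | Constructed headline, present only as a timestamp
"""

def parse_canary(text):
    """Return (claimed_date, news_date) from the hypothetical layout above."""
    claimed = re.search(r"^Statement date: (\d{4}-\d{2}-\d{2})$", text, re.M)
    news = re.search(r"^News: (\d{4}-\d{2}-\d{2}) \|", text, re.M)
    if not claimed or not news:
        raise ValueError("canary lacks a statement date or a news line")
    return date.fromisoformat(claimed.group(1)), date.fromisoformat(news.group(1))

def check_canary(text, sig_ok, today,
                 period=timedelta(days=7), news_slack=timedelta(days=2)):
    """Classify one fetch of the canary page.

    sig_ok is the result of a signature check done elsewhere (for example with
    `gpg --verify` against the publisher's key); this function does no crypto.
    period and news_slack are assumed policy values, not rsync.net's.
    """
    if not sig_ok:
        return "INVALID"        # anyone could have written this text
    try:
        claimed, news = parse_canary(text)
    except ValueError:
        return "INVALID"
    if news > claimed or claimed > today:
        return "INCONSISTENT"   # clip postdates the statement, or statement is future-dated
    if today - claimed > period:
        return "STALE"          # the signal: updates have stopped
    if claimed - news > news_slack:
        return "UNPROVEN"       # old clip: text could have been signed in advance
    # OK means fresh and well-formed only; a coerced signer can still produce it.
    return "OK"

if __name__ == "__main__":
    for day in (date(2013, 9, 10), date(2013, 9, 20)):
        print(day, check_canary(SAMPLE, True, day))
```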
As we should have learned, the government by and large does not care if they "can" (in a legal sense), they just do it. But if necessary: Those rubber stamp courts will surely find a way to make it happen in a way which is legal on paper.
When it comes to prosecuting, it's entirely alright to punish people based on the spirit of the law. So whatever tricks they tried, as long as they're under a rule of nondisclosure, would land them in deep shit if they disclosed things they were barred from disclosing. However, the spirit of the law is rarely taken into consideration when it helps people, like the whistleblower laws. No one looked to see if the people who were blowing the whistle were exposing corruption or making the country a better place to live, all that mattered was that they violated the letter of the law and needed to be sorry for doing so.
>> ... until, of course, they were contacted and compromised.
So the Feds just contact everybody who does this, and we're right back where we started.
A) this exact story was on Slashdot a couple months ago.
B) judges don't like smartasses who play word games with the law. You can only hope the judge dislikes the NSA even more.
If you like the law, or do not disagree with it, comply. :)
If you don't like the law, use the democratic process and try and get it changed.
If you don't trust your government, elect another.
And if all else fails, emigrate to China or Russia
This is not a signature.
Don't expect a prosecutor to buy this argument. Anything you do that alerts others to a gag order will be treated as a violation. You may win in court, but you will be thousands of dollars in debt defending yourself.
I would wait to see how far the government will crack down on the owner of Lavabit. It's not the same as a regular update but of course the closure of that service sent a distinct message. Perhaps in the end willingly closing your website is the best form of protest you have. I'm curious to know what the result would be if the big players such as Google tried this strategy, if only for a limited time.
Although cute, this 'idea' is irrelevant. Even if you made the case that you weren't contravening the letter of the request, you could still be charged with obstruction of justice, should your behaviour alter the conduct of the subject(s) under scrutiny. This puts the onus on you to lie.
In short, good luck with that. They're already way ahead of you. Way, way ahead.
When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.
That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. ...
He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people and eat out their substance.
Of course "the government force you to lie and state that you haven't been contacted when you actually have". They have done far worse. Of course, they can lie about doing it, too.
We're talking about the government doing just about anything they want, and we're wondering if they'd restrain themselves according to something as little as the "letter" of the law?
+2 Funny.
+4 Sad.
-Styopa
A dead man's switch automatically triggers an action when the person in charge can no longer prevent it, because he's dead, detained, or otherwise disabled. (Examples: let go of a hand grenade's handle, send out documents if the person doesn't check in at least once a week, etc). What this article is talking about is more appropriately called a "canary" (referring to the canary in a coal mine). It does the exact opposite. CJ
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html
Why just watch, track or redirect targeted traffic?
Your site might just have a slight pause in updating as a new crew takes over for a few years.
If they have been watching your 'style' for a few years your internet persona might just become a contractor and your site a front.
Drop or add the message every April Fools' Day?
Domestic spying is now "Benign Information Gathering"
The rsync canary is a good idea; another standard approach for delicate communications is job advertisements.
In this case:
A large ad in a suitable newspaper that you are searching for a lawyer.
There are different ways you might be contacted by the government.
For example, maybe somebody who uses your website stole something. Suppose for example the FBI suspects that person of having sold it to someone else who uses your website and is looking for evidence of the same. So they get a warrant and go through this one person's email, don't find the evidence they were looking for, and leave.
In another example, maybe one person who uses your website had his car washed by a guy who got an email from a dude who was seen in a cafe with a suspected terrorist. They issue a National Security Letter that threatens you with horrible consequences if you divulge anything, seize a copy of every record on your site going back to 2005, discover another 50 people who got messages from the guy whose car was washed and by the associative property of terrorism, they're terrorists, you're a terrorist and everybody who uses your site is a terrorist.
See the difference? It's not about being contacted by the government. It's about being swept up in a potentially vast and unwarranted (literally) investigation when you didn't do anything wrong.
Some elaborate dead man switch about a gag order? No judge will take kindly to such shenanigans. Just make it simple, contact a trusted news reporter/Wikileaks securely or via an anonymous 3rd/4th party you have arranged ahead of time and have them publish.
...aaaand, here's some code to use to make your own (which I just posted about only yesterday
At what point does a gag-order come into force? Just send a tweet "A government official has just entered the building with an envelope I haven't opened yet. Updates to follow...", followed by no updates.
IANAL but IMHO words are only one form of communication and any action that communicates, regardless of the actual mechanism of communication, could be considered a willful violation of a gag order.
blindly antisocialist = antisocial
Wouldn't it be better to always have a message saying that you are collaborating with the NSA / currently being gagged? If that situation does ever occur, you then remove the message because otherwise you will be breaking the law...
Hello original author here:
>> http://slashdot.org/comments.pl?sid=4108553&cid=44622087
-- I was raised on the command line, bitch
To paraphrase a quote in support of NDAA (National Defense Authorization Act):
‘Shut up. You don’t get a lawyer.’
Somewhere a lawyer is searching for you.... will you be listed as "inoperative" "excised" "completed"?
Domestic spying is now "Benign Information Gathering"
The fighting back against the police state has just begun. That the police state will be defeated is a foregone conclusion. The only question is, how many people are going to suffer and maybe die?
I'm convinced that wanting freedom is in our genetic code. Certainly, wanting privacy is. Fighting for it is how we're made.
A lot of us didn't want to think it was this bad, but now that we're finding out, the fight is on, and the outcome certain.
You are welcome on my lawn.
CEO has constant sound feed from office sent to remote non US server not under their control.
Prominent signs in office warn of sound recording (typically legally required).
When the last thing on the sound feed is the CEO being ordered to shut it off and asking to see the relevant authority, everyone knows the company's service is probably compromised.
The librarian Jessamyn West has had a similar idea for years.
Did we ever think email service would be that important?
Domestic spying is now "Benign Information Gathering"
In 1984 you knew the gov was in your networked tv :)
Domestic spying is now "Benign Information Gathering"
Now let me introduce you to my friends, Mr. and Mrs. Nipple Clamp and their neighbor, Sr. Electric Current. Or you can just add the message back onto your website and we can be done here.
Look, I respect Cory. I think he's a pretty good author and an even better freedoms advocate, but if you're betting on the technicality of alerting through inaction instead of action, I don't think you'll like the odds.
"The statement would then disappear since it would no longer be true. "
and we all know that if something is on the internet it MUST be true...
We all need to ostracize and refuse to have anything to do with any of these people. Looking to hire a subcontractor, and one of the firms in the running has connections to these people? Knock them out of the running and let them and their competitors know why. If we tag and track all of them and make them effectively persona non grata everywhere, and those who do their bidding likewise persona non grata, then we would begin to see change.
Society in general must excise these people or risk imploding catastrophically.
Do what you can, with what you have, where you are.
the website notifies all subscribers of the "LACK OF AN" event.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Since the TSA is now allowed to lie https://www.schneier.com/blog/archives/2013/09/the_tsa_is_lega.html , obviously so can the NSA spooks.
for some high profile people to break the gag orders, go to jail and start the revolution already. You want freedom yet don't want to stand up for yourself to take it back. Good luck with that America "It's not gonna happen here" has worked out so well for you.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
So how would the oblivious tech guy in charge of updating the message know to stop updating the message if the senior executive who knows about the contact and is under the gag order isn't allowed to tell the tech guy to stop updating the message?
-Glires
Just fyi Greenland isn't a sovereign country... it's a self-governing province of Denmark. :)
:)
And has been a part of Denmark for about 1000 years - by comparison the US is a young country
In any event, I wouldn't try my luck with Greenland, it's really dark and they're not super rich either... and have lots of problems...
But Norway, might actually be a good choice these days... They have too much money/oil, anyone with a university degree in something even remotely useful has a good chance of landing a job... (Which is a pretty essential thing in any immigration procedure).
That said, most European countries aren't particularly open to immigration, unless you're useful or willing to marry someone
Just curious, but what is the actual penalty (and to whom does it fall on in a corporate structure) if you actually say "Hey, the NSA contacted us and said we couldn't tell our users about this, but frankly, the NSA can pound sand."?
Guantanamo? Secret Detention in some Third World Hell Hole? Six months in club fed? Fines?
Or are the penalties too secret to tell, as well?
If you were me, you'd be good lookin'. - six string samurai
The method outlined by Doctorow in the linked article would not work, and here is why.
1) They (the government) consider not only the speech of disclosure, but the intent to disclose, and probably therefore the means of conveying the message that constitutes an act of disclosure. When an actual NSL is issued, I would bet the method described in this article could be regarded as an act of disclosure by way of clandestine communication. You would get in trouble for doing this if you were subject to a NSL gag order.
2) Doctorow's method is more particular than the Librarian's method. It actually does involve arrangement of a designee to receive information specifically related to government intel queries. It plainly establishes both intent and expressly indicates means to convey the state of intel inquiries to special parties. The DMS cannot be restrained from publishing anything, but those receiving the gag order conceivably could be prosecuted for communicating with the DMS service.
Finally, and most importantly, the agencies already note that disruption of electronic communication services (like account suspension, website shutdowns, and so on) can be regarded as signals to special parties that an investigation is under way. So, they (the NSA, FBI, whoever) forbid peculiar irregularities in habits of service when they issue nondisclosures. As far as Doctorow's method is concerned, you would likely be prohibited from failing to update your information to the dead-mans-switch in any way other than routine so as not to indicate you have been asked to provide intel information. See, you're providing a service to the DMS, disruption of which service might reveal a security investigation is underway: you can't do that, and they say so in their letters.
Look, I'm not writing about whether it is right or wrong for the NSA to do this, nor whether it is right or wrong for us to expose these situations. I'm just saying, it may seem like a cute little language game for solo citizens, but real companies can't afford to violate a NSL or any other gag order, and that's why they don't do it, plain and simple. The language of the law is pretty clear about why disclosure is prohibited, and violating that law looks to have some pretty severe consequences. Especially if the FBI or NSA or whoever is right when they say that disclosure is a threat to security, and then you're in a world of hurt because your unnecessary expression of speech actually did jeopardize an investigation where intelligence of a credible threat was real. That's why currently it's up to the courts to remove a gag order, which they can do, if the NSL is BS. Your right to speech is intact; it just has to be reviewed and upheld before you can exercise it. Wait... that doesn't sound right...
However, while the article's method is dubious I think its underlying premise is worthy of further examination. You've tried to find a way to hide the fact of disclosure, or at least put it into legal safe zone. That won't work. Perhaps find a way to hide intent of disclosure?
http://en.wikipedia.org/wiki/Warrant_canary
Make the only method of contact with your organization a public drop box. Put a note on your web page: "Place all correspondence in /pub". If anyone wants to see what you've been served with, there it is.
I don't have to provide anyone with a confidential channel over which to contact me. I'm part of "The Public". If you speak to me, you have already made your disclosure a matter of public record.
Have gnu, will travel.
As a non-US resident, I'd like to know what would happen if a business owner were to simply publish the secret request, ignoring the gag order? Surely this is a great instance for civil disobedience?