Slashdot Mirror
Ask Slashdot: Jamming UK Metadata Collection?
AmiMoJo writes: It looks likely that the UK will try to require ISPs to collect metadata on behalf of its security services, and various other agencies will have access to this vast, privacy- and security-destroying database.
How can individuals resist? Some metadata is trivial to hide, e.g. much email is encrypted between the user and server, but a record of an access will still exist. Would there be much benefit to creating fake traffic, say by sending dummy emails to yourself? What about fake browsing, or keeping TOR running 24/7 (not as an exit node, just a client)?
The goal is to make the data less useful and harder to tie to an individual or separate from fake data, and to increase the cost of collecting and storing such data. Don't worry, I'm already on the list of known dissidents anyway.
How can individuals resist? Some metadata is trivial to hide, e.g. much email is encrypted between the user and server, but a record of an access will still exist. Would there be much benefit to creating fake traffic, say by sending dummy emails to yourself? What about fake browsing, or keeping TOR running 24/7 (not as an exit node, just a client)?
The goal is to make the data less useful and harder to tie to an individual or separate from fake data, and to increase the cost of collecting and storing such data. Don't worry, I'm already on the list of known dissidents anyway.
Use pen and paper. Personal papers have more legal protection than digital data that cross over the ether.
People forget how this data is really collected. They aren't looking at packets and breaking encryption between the client and server. They are tapping into the endpoint. They are accessing the Gmail/hotmail server endpoint databases. I am in the network monitoring field and I can tell you there isn't enough horsepower to do packet based monitoring of large numbers of people. They are getting the data because Google. Microsoft, Apple, etc are giving them access to their datastores.
If you run an exit node you will generate lots of useless data for them to collect. Just dont forget to blacklist all the popular torrent sites that are blocked in UK in the tor config file, otherwise unsuspecting TOR users will get the 'this site is blocked' message. There are no laws against running an exit node, I did run one before in Ireland and had no trouble, although they are more fussy in UK mainly due to a difference in mentality - the powers that be think they are actually stopping real terrorists with the work they do.
Simple. If you use a phone, you use someone else's network, and do things that are impossible for them to let you do without them knowing what you're doing. You can't call someone without the phone company knowing who you're calling.
And the internet is a public place, period. Don't do anything on the internet that you wouldn't do in your front yard, with the neighbors watching.
If you don't like it, tough. The rules of reality don't need your approval.
Something sort of symbolic you could do is to sign every document as Agent Smith and photoshop him into every picture you upload some place.
Use the classifieds. Write an obituary. In these modern times Craigslist probably works. If you're planning something exciting, using your personal email is just plain dumb.
“He’s not deformed, he’s just drunk!”
TrackMeNot is a browser-extension for Firefox and Chrome that sends semi-random search requests to several search engines with the goal of disrupting this sort of tracking. Well, it's more aimed at preventing commercial entities from creating an accurate picture of your web-browsing habits, but it probably adds some noise to the intelligence gathering too. By default it pulls random keywords from newspaper headlines, but you can configure it to use (or avoid) certain keywords, as well as tweak the frequency of the requests. It runs automatically in the background whenever your browser is open.
TrackMeNot isn't really useful in hiding your behavior; it just throws in spurious data that makes legitimate data look less accurate. It's really aimed more at devaluing marketing databases with the (admittedly vain) hope that they'll give up on the whole thing ;-)
Note: it does use extra CPU cycles and bandwidth, so if you are constrained in either this tool may not be for you. Also, tweak the timing of those search requests carefully or the search engines might blacklist you as a bot. Having said that, I've been using this plug-in for several years now and it's rarely caused me any problems.
One of these days a nefarious group will hack into ISP meta-data and publish it to the world, and this gov't requirement will then be questioned.
Table-ized A.I.
Here is a new form, the same as the fighting spam one with minor changes. Feel free to use it as most of the measures proposed to fight surveillance fail for the same reasons.
Your only option is to have your own email server at home which requires encryption on both ends.
Hillary? Is that you?
Have gnu, will travel.
Back in the nineties, I discovered the internet and its freedom as a wonderful tool that proved the freedom-based values of the Western society. Moreso, as I was (and am) living in a former communist country in Eastern Europe. Imagine my delight, coming from a closely monitored society to such a wonderful and open global community!
However, I have noticed a worrying trend, mostly in opinions posted in forums or other places by Westerners (American and European alike), that too easily dismissed any threats to the personal freedom in various topics. From trivial but excessive forum moderation (which to me resembled too much to the communist censorship) to political issues where leaders pressed and were allowed to limit liberties such as the freedom of speech, for dubious reasons (political correctness, security in matters presented by exagerating imaginary threats, etc.). I understood one thing then: your society was utterly vulnerable to becoming a closed one, even to transform into an oppresive one, for one very simple reason: you didn't see first hand how a dictatorship works, how the officials' behavior in an oppresive state behave, and how they talk. We've seen those and painfully endured their effects, over a long time. I was able to detect the signs of the emerging surveillance society in the West since those times. I tried to express my concerns in open forums, and been bashed by the all-knowing arrogance of those who thought nothing bad can happen with the civil rights.
They were wrong. And now it's too late. You are asking what you can do as an individual. You can't do anything at this point, all you'll achieve will make you look suspicious, and they will monitor you even closer. Individuals can no longer make any difference, we would need a miacle to prevent the Western world repeat all the mistakes of the dictatorships in the Eastern Europe. It would involve a huge community coherence in working to change the laws, and only voting for those who don't want to control us all (although they are becoming an extinct species). And fighting with all available *legal* means against surveillance and control, without being tempted by using non-democratic shortcuts (such as voting for populists that only tell you what you want to hear). Very, very hard.
So, yeah, you won't like my response to your topic, but hopefully you do at least understand.
Once the law goes live the following is happening in my house pretty much there
:) as their policy will be to store long term encrypted traffic for later viewing)
OpenWRT router with VPN to EU paid for in bitcoin with a generic Email. The only issue with this is that I am pretty sure 3 letter fags have purposefully placed back doors in to OpenWRT and other open soruce routers (based on stuff read from Snowden stuff), however I am not hiding anything I just do not believe the government should log my data.
All in all fairly cheap, the only thing the ISP will see is the connection to the VPN which will be heavily encrypted. (I will be downloading random torrents to force them to store massive amounts of encrypted data
Go Fuck yourself UK government, Wave to GCHQ o7 fucking traitor cunts if you were on fire I would not even piss on you.
When you're not browsing run a script that will surf random web sites for you, go to bbc.co.uk and you'll find hundreds of links, follow them, find more links, follow them, etc. Occasionally pull a word from a web page and do a google search, then follow a bunch of the search results, and follow links on them, etc. Build in a random timer function so it looks like a human surfing. The idea is to make the haystack bigger so the needle is harder to find.
Then do all of the surfing you don't wan them to know about from a WiFi hotspot with a spoofed (random) IP address using a virtualized OS incidence that is scrubbed afterwards.
"Grab them by the pussy" -- President of the United States of America
That's a really fucking stupid idea. All you're gonna do is give the law enforcement agency probable case to get really invasive. The prefix text you put there won't stop that.
This answer, like almost all the other answers in the discussion is an answer to the question
that's not the question the article asked. The question was
It's a completely different thing. The aim of reistance is to create consequences and problems for the authorities and visible protests shown to other people. It's something completely different. You do not resist by being entirely hidden. That makes no difference to other people. You resist by making things more costly / dlfficult / complex for the security services.
It's probably also not a good idea to resist the wrong things. The ostensible aim of surveillence is to stop terrorism. If you actually or apparently make investigation of terrorism difficult that won't work out for you. Instead you probably want to resist something different; e.g. deliberate spying for non-terrorist crimes (and keep paedophilia out of it too).
One example that makes metadata collection much more difficult is Bitmessage. Its main feature is uncensorability rather than anonymity, but it scores very high on the anonymity scale as well. Its metadata is encrypted, so additional actions and costs are necessary to deanonymise the users. It also has uncensorable shared communication feature called chans. There are gateways that provide connectivity to email. Disclaimer: I am one of the developers of Bitmessage and I also operate one such gateway, https://mailchuck.com.
Not really, as they'll filter that out pretty fast. The systems doing those searches are a lot more intelligent than simple regex checks, and can factor other contextual clues into it. Just look at what Google does: they factor recent searches into new searches, so results related to recent searches (especially those in the last few minutes) appear higher in the list. I'm sure the government has something at least as good at contextual clues, possibly even provided by Google itself.
You can never go home again... but I guess you can shop there.
On the fake traffic thing, there is a screen saver for Linux which will do web searches for images and create a collage. It always produced a fascinating results over time. Lots of random things, a fair amount of porn, just.... the internet...in all its naked boobs and pictures of text glory.
Well one day, I was feeling a little parnoid, and more than a little mischevious, so I tracked down how it invoked wget and made sure it used a local tor proxy. Didn't really seem to change the end result on my end, but... talk about generating fake traffic....
"I opened my eyes, and everything went dark again"
Out of "Old world", "New world", "Third world", Australia is most definitely "New world".
I think the Australian government is most definitely guilty, and most unlikely to be proved innocent, about anything, ever. I proclaim the present Australian government completely wrong, about almost everything, and I suspect that I am not alone.
FTFY ;-}
Sent from my ASR33 using ASCII
It creates heat. Just sayin'.
Everybody should spam them with high warning data, once their dataset becomes garbage and >50% false positives, they will give up the fight.
100% Wrong. Their goal is not to find criminals or terrorists, etc. in the data. Their goal is to have as many people as possible in the "Suspect" category, and what you're doing plays into that nicely.
Besides, intentionally generated "noise" is quite frequently easy to filter out. Basically the only solution to what the poster is asking would be for everyone to stop using the "open" internet and everybody start running a Tor node, and doing everything via Tor (or something similar).
In the us the NSA considers what numbers you called and what numbers called you and how long the calls were connected metadata.
So I will assume when applied to ISPs that they are going to be logging endpoint information as in a log of every ip:port connection in and out w/duration for your connection.
This is often enough to determine what websites were visited as most websites have a dedicated ip for their domain but some have several websites hosted under the same ip address.
My first thought would be to setup a portscan all ports random addresses idle speed and scan the full ipv4 address space.
But looking through the connection duration would filter that out
You could run a web spider that should do a pretty good job at making requests that resemble normal usage. But running a full scan of the ipv4 space should do a great job if your objective is to create a huge unwieldy logfile.
This is assuming that dns requests aren't being logged and http headers aren't being collected.
Will it help your privacy any? Maybe if the log file is size limited. Otherwise not likely.
VPN at your router would limit you to one endpoint this would make for the shortest log file although a connection lasting more than 24 hours would stick out.
Minimum threshold fixed. Thanks!
There is no way to jam the metadata collection (to overload the collection engine) simply because you overload the mail system with a spam in the process. The only way to get rid of metadata collection is some darknet where metadata cannot be collected by design.
Could you use a browser plugin that acts a little bit like a distributed version of TOR by having your requests reach the internet via other browsers running the plugin? The idea wouldn't be to make your browsing untraceable, but rather to make the sort of metadata that ISPs are forced to collect unuseful for monitoring the browsers running the plugin. The big problem would be adoption. Each individual running the plugin would have legal vulnerability similar to that of someone running a TOR exit node. If you had a popular news story about someone abusing the collected metadata, that would be a good time to announce a free browser plugin that protects people from that sort of abuse. If the adoption is sufficiently widespread, action by the government to imprison lots of people who see their actions as protecting themselves from metadata abuse would be deeply unpopular.
Alternatively, why not just move? Why support with the taxes on your labour a government that does that to its citizens?
True, such entries COULD be filtered out, but it provides enough PC should they need it. What the OP suggests is at best not going to help and at worst going to create huge problems. All in all, a stupid idea.
And all the phones will be associated with your SIM and THEY will know that all these phones belong to the owner of this SIM. If you really want to hide yourself you need a SIM not associated with you (you understand what I mean), a modem/phone anonymously bought for exclusive use with this SIM and a computer with some privacy-enhanced OS. And maybe even a modem/phone with SIM plugged to some router, hidden on some roof and contacted via WiFi only since the position of the modem can be easily determined.
You're right, it's a minor obfuscation, but I do believe that morphing as much as possible is useful.
Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
I plan to pay a few quid a year for a VPN. My ISP can then collect my metadata, it won't be terribly useful having only a single IP address and port.
Only use Tor over an additional VPN so there is no Metadata to collect.
If you want to fuck with them, run your own email server and create arabic sounding email addresses with TOR on Gmail and make them exchange highly encrypted files (your laundry and grocery list for example) so that they'll set up a special group to try to decrypt them. ... and say goodbye to traveling per airplane for the rest of your life.
Like you said, you are already on the list. The only people who are going to bother to generate fake traffic are the same people who want to hide / obfuscate their behavior with said fake traffic.
The only way to do it would be create applications that people can run, and convince enough people to run them. Sort of like SETI @Home or similar. You would want to get people to run the apps on their phones as well.
The only realistic way that I see to do this in the current environment is via some sort of malware. Infect people and take 5% of their bandwidth to generate a whole slew of fake traffic. Even by doing this I do not think that it would take long for the surveillance providers to tune their filters to account for the noise that you were generating.
I hate to be pessimistic, but this battle has already been lost. We are on the other side. The only way to deal with it is to know what your rights are and defend them at all costs. You have to stand up and say, "Yes, I did X. So what? Prosecute me. Put me in front of a jury of my peers and convict me for it."
In the old days of limited bandwidth, we used to choose things to download before we read/watched them so that when we were ready to they were already downloaded. We may have to return to that sort of model for two reasons, 1) because using TOR or whatever is slow, and 2) because even if we generate fake traffic, our lumpy usage patterns will be easy to discern and yield a lot to traffic analysis. So start spreading those transmissions out over time and choose sizable things to download ahead of time. Uploads will be spread out as well (and slow). This is all going to feel like the Interplanetary Internet, where bandwidth is very limited and latency is enormous.
It would be double plus ungood if all the metadata pointed to the government GHCQ as being the primary source of terrorism, for example.
Metadata is meaningless out of context, but those who live in Fear will spend years on mole hunts.
-- Tigger warning: This post may contain tiggers! --
that's not how email works. See: retry interval https://tools.ietf.org/html/rf...
1. Separate private contacts and public contacts
Use gmail with two-factor authentification for amazon, itunes, netflix, etc. As the government has access to everything you do there having the security compromised, do not try to hide it. At least google does a good job protecting the product (you) from being infiltrated by private crooks, use it to protect against daisy chain attacks against password recovery identity theft. They offer you a big mailbox and unusual usage invokes their automatic protection systems, use it. Do not use outlook.com.
Setup an emailaccount at posteo.de (change to english) using a random emailaddess as your login-name. Do not use that emailaddress for communicating; you have three free aliases. Use an anonymous payment method although they claim that they throw away the payment record right after payment: You can rely on the GCHQ to store information that makes you tracable. Use a very long, very strong password. Use that password to encrypt all your data so that they themselves can not access your data.
Use this account to synch contacts and calendars. Setup aliases to privately communicate with people. Use pgp (you could use your public key to automatically encrypt all incoming messages).
The storage space is 2 GB, so it's a good thing that spammers only know your public emailaddress. Do not ever post the posteo aliases on the internet to avoid spamming.
Check posteos website regulary, because my governemnt also has evil plans up their sleeve, so it is possible that they are required to data retention in the future. At the moment Germany has exempt emailproviders from data retention.
2. If you are sing windows, use true crypt or veracrypt.
If that is not an option due to gpt-formatted hdds or ssds, buy Windows 10 professional. Cheapest way is to buy windows 7 professional and use that key to install windows 10 using the media creation tool. Tone down every data collection as far as possible. Enable bitlocker. Enable strong pin at startup. Enable the best encryption; it is reduced per default. Do not store the recovery key online. Do not use the home edition as it will store the recovery key at microsoft without the chance to avoid that.
Use an local account and if neccessary only use a microsoft account for the store. That is possible.
Do not use cotana, it will only work with american providers for calendar and contacts anyway. Use thunderbird for contacts, calendar and email. Install pgp plugin.
3. Mobile use
On iOS use the standard programs to log into your calendar, email and contacts and notes at posteo, do not use icloud or gmail for calendar, notes or contacts. On android there is a synch tool for calendar and contacts. There are some reliable emailprograms on android, use them.
Use firefox to synch favorites and history. On chrome enable a strong password to encrypt the synching. I'd prefer firefox.
It goes without saying that you use signal for messaging and telephone. So you need a provider allowing voip and messangers. Maybe you should also look for a foreign voip provider that has no data retention and allows zrtp for private calls.
4. Vpn and tracking
As strange as it seems I would use freedome as they simply don't know your login name after the payment if you did not buy it digitally at an american or english company but directly at f-secure. Do not only rely on them to protect against tracking, install fsf privacy badger and https everywere on your favorite browser. A vpn protects against the bulk collection of every website visited as suggested by the british government.
5. What it's worth
All this will only stop the mass collection by the british government, it will not protect you against individual attacks. But as you wrote you are aware of the fact that circumventing big brother npmakes you a target, but you are correct that the goal is to make it costly to track everyone. It is worth the effort: If they cracked the safety precautions of the activists, all they achieve is to get uninteresting information.
Get a router supporting DD-WRT and add custom route configurations to put all non VoD / Gaming traffic or anything requiring all of your bandwidth through a VPN like Vyper or something. That sufficiently covers most browsing / text communications. TBH I wouldn't bet that the security services don't have the power to snoop into encrypted / VPN connections on our national infrastructure anyway, but why would you care as long as you're not a terrorist or kiddie fiddler? You just want to prevent Theresa May and her bullshit short sighted policies from snooping on you for no justified / legal reason (like they probably already have been, anyway).
- Dan
Gmail does encrypt the connection to the user, and between mail servers if possible. They were burned by the NSA...
In fact a VPN is quite effective here. Since it is the ISP that is required to do the spying, anything that locks them out of doing packet inspection foils it. This means that either it will be pointless, VPNs will be banned and the UK economy will be wrecked, or a VPN will be taken as a sign of suspicious behaviour. That last one is terrifying.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Actually with the data ISPs will collect and given that all of those providers use https for the webmail, your ISP will only know you accessed gmail, but have no idea of the contents of your mail
Nigeria has already solved this problem
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
What we're talking about here is an additional cost in a very low-margin industry. And it can only be applied to UK data processed in the UK. Hence it creates a further pressure for these services to move off-shore, making it much, MUCH harder for the UK government to get access to the information. Really they're doing you and all dissidents a favour :)
a VPN will be taken as a sign of suspicious behaviour. That last one is terrifying.
When everyone uses a VPN, everyone will be suspect. When everyone is suspect, are they going to investigate & arrest everyone or shut-down the internet? What government will survive either of these?