I propose a "Denial of usefullness" attack on the NSA

That isn't relevant to my claim. My claim is that the amount of data
they need to analyze (if they want to anything other than monitor
people of whom they are already suspicious) is of such proportions
that they can't succeed.

But back to my other point - suppose I have a source for that. If it
was the NSA, you wouldn't believe it. If it wasn't the NSA you
wouldn't believe itt.

That's right. What you _do_ need AI for is to check for hidden
communications in every photo uploaded to Facebook, Flickr, Google+
(and hundreds of other places), every video uploaded to YouTube, etc.,
every song on BitTorrent, etc.

And then we can start looking at all the files people attached to
their email, etc.

The problem isn't breaking crypto (though that often is a problem) the
problem is detecting the many easy ways of hiding information in plain
sight.

And how are you going to use this to search through the petabytes of
snapshots and home movies posted every day? What tiny differences are
you going to look for in one-offs?

You _might_ be able to do tricks like that for people posting and
reposting the same LOLCAT (though you need AI or something to identify
this as a repost of the same LOLCAT).

_Maybe_ if I tried to hide a message in a .wav track of Hey Jude, you
could compare to the album. But an mp3 rip - it is going to depend on
the platform, the software and the settings. Not so straightforward.

Sure, but these algorithms solve the _wrong_ problem. They are good
if you believe someone has taken a known binary file and altered it.
But you have to know the file that's been altered.

They are useless if someone just uploads their own picture/movie/sound
file/etc.

What they can do (and it uses their massive budget, fiber optic taps,
etc.) is do a detailed examination of communication with a specific
individual or individuals, including breaking lots of crypto.

That is very different from being able to monitor the worlds data
traffic in real time looking at everything. They'd _like_ to be able
to do that, but as I've said before, they are drowning in that kind of
data.

 

But that is only possible when the original is available
and it isnt with video that whoever wants to hide the
data has produced.

And such algorithms are easily

 

I apol for diverting the topic .....

But has anyone here imagined what kind of money the NSA is pouring into
this every year ? ...... and it must be BILLIONS ...... and if this was
spent on education and health services ... surely the benefit to the
country would be vastly more than the so-called risks against the US
that these uber-nuts are protecting againt !!!

 

I'm not suggesting anyone love it or leave it. Simply that this is an
assinine way to accomplish anything constructive; in fact, it is counter
productive.

Mr. Browne is a Canadian citizen, and so I suggested to him to butt out.
He won't, but that's my gist.

 

These are vulnerable to comparison, statistical analysis of differences
in the LSB's and ... (below)

Statistical differences in LSB's will tend to reveal patterns in a given
image. eg: the noise content in each RGB should smooth out over the
image, but if there is a message in there it's existence would tend to
come out of the noise.

Cryptanalysis depends hugely on statistical analysis to detect minute
non-randomness that belies a signal amongst erstwhile noise. The
technique has been used in many forms from WW II onward to both winnow
message traffic out of the noise and to help break codes.

See below. You're not thinking front end.

Again, detection can be reduced to firmware capable of immense bandwidth
per function. These black boxes can be chained without end. So a file
or message gets shot in one end and is handed box to box to box without
end until one (or more) detects "something" worth further analysis.
Speculation to be sure but you'd be stunned at how fast such devices
are. They are cheap. They are wicked fast. They can be chained
together endlessly and sift in real time whatever data the NSA sees.

(Indeed some of the efforts to brute force DES were based on such
devices back in the late 90's - and the cost has shot down even as the
bandwidth and speed have shot up. I'm not suggesting these decrypt
messages but sift through video and stills looking for likely encrypted
content and flag the message for a deeper look).

Will they detect everything? Likely not. But they will continuously be
black hatting the problem and implementing searches in computers or
dedicated black boxes.

--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

The Washington Post has a recent article on the black budgets and uses
of them. I just wonder if there is an even blacker shade of budget.

What has the truth ever had to do with US national policy?

--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

My citizenship has nothing to do with it generally and specifically
since Canada[1] is one of the "5 eyes" embroiled in this American idiocy.

I am most surprised, disappointed and dismayed at your submission to US
policy and agency bending of the law that completely violates all
notions of individual freedom and privacy for which the United States of
America "stands" (or used to) and has encoded in the 4th amendment for
the benefit and protection of its citizens.

[1] I'm also deeply ashamed that the Canadian government was part of the
fiasco of weakened internet crypto standards:

QUOTE
Internal N.S.A. memos describe how the agency subsequently worked
behind the scenes to push the same standard on the International
Organization for Standardization. “The road to developing this
standard was smooth once the journey began,” one memo noted.
“However, beginning the journey was a challenge in finesse.”

At the time, Canada’s Communications Security Establishment ran the
standards process for the international organization, but classified
documents describe how ultimately the N.S.A. seized control. “After
some behind-the-scenes finessing with the head of the Canadian
national delegation and with C.S.E., the stage was set for N.S.A. to
submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A.
became the sole editor.”
END QUOTE

http://bits.blogs.nytimes.com/2013/...dence-on-encryption-standards/?ref=technology
or http://tinyurl.com/nshxnn6

So John, get off your "it's our problem" attitude. It's EVERYBODY'S
problem.

--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

I won't bother replying in detail to the points you make since again,
it misses the point.

Yes, you are correct that there are statistical tools that can look
for likely steganography. They have significant false positive rates
if you want them to be sensitive enough to detect smallish messages
hidden in big files.

One could try to assemble the hardware required to apply these
techniques to the entire daily traffic of the internet. That can
probably be done for less than the gross domestic product of the US.

_Then_ one needs to start working on decrypting one's false positives (still
petabytes of data). If one happens to know already exactly how they
were encrypted and the keys, this is just an insane amount of work,
not necessarily an impossible amount of work.

But one doesn't. So for each false positive one needs to explore all
the ways one already knows it _could_ be encrypted, and then when none
of them expose anything, one needs to tap real brainpower by trying to
figure out what new method of encryption might have been applied that
isn't on one's list.


Repeating: my point _isn't_ that the NSA isn't big (it is). It isn't
that the NSA doesn't have resources (it does). It isn't even that the
NSA is unable to break high level encryption (I'm sure sometimes it
can, and I suspect often it can't, but like I said that isn't the
point).

My point is that for a hundred or a thousand or a million geeks to
start sending around gibberish files as you suggest in an attempt to
flood the NSA with useless data to analyze ignores the fact that the
NSA is _already_ flooded with useless data to analyze.

You are free to do that. If you add a 100MB binary gibberish file to
each usenet post you generate, then lots of people will killfile you,
and maybe you'll generate some marginable unnoticeable uptick in the
cost of internet service (and possibly a more than marginable uptick
in the cost of your own service). But you won't have succeeded in
adding to the burden of the NSA.

 

Yeah I guess the NSA just throw their hands up and say WTF - let's
barbecue instead.

Not enough, apparently.

I guess we'll have to agree to disagree - but - for clarification only -
I never meant that anyone should post to any useful usenet group.


--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

The NSA spend a lot of effort analyzing data flow to and from "persons
of interest." This is plenty hard already.

They don't try to look at every single traffic flow on the internet
and filter it for hidden messages. That doesn't work.

Not apparent at all.

You are counting it as "apparent" that the NSA is capable of analyzing _all_
data traveling the networks on a real time basis?

In spite of the fact that there is no evidence for this, and that if
they could do this they would be breaking the laws of thermodynamics.

OK, so if people are slinging around these 100MB distractor binaries,
they can only do it in places where they _don't_ interfere with useful
traffic? Somehow you think NSA has the resources to analyze
_everything_ but not the resources to distinguish between posts to
misc.test.dev.null and venues where communication takes place?

You have to simultaneously believe that NSA is magically competent and
that they are idiotically incompetent (I believe neither one myself)
for your "Denial of usefullness" strategy to bear fruit.

 

Never noticed any in the groups I frequent (which is a small number indeed).


--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

Only a very small fraction of total traffic. You don't need data, since a
simple calculation proves the mathematical impossibility of capturing and
analyzing everything.

You have it backwards. Cryptographic algorithms are not being broken, by human
or artificial intelligence.

The advent of computers in cryptography has made it possible to devise
encryption algorithms that are effectively unbreakable without some unforeseen
breakthrough in mathematics, and unforeseen breakthroughs are rare--and those
with truly practical value are rarer still.

You don't exploit weaknesses with an algorithm. You exploit weaknesses _in_ an
algorithm, if you can find any.

That doesn't help if you need a fifty-magnitude improvement in speed to
develop a practical exploit.

Many exploits also require unattainable amounts of memory, rather than
processor time. So having fast processors doesn't necessarily help, if you
need a quintillion terabytes of RAM to make an attack work.

That's not the way it works. Increasing computer power increases the gap
between the computational cost of legitimate encryption and the cost of
attacking that encryption, and thus the trend is towards ever increasing
security in algorithms. This is a major source of frustration for the NSA.

It's not like that at all.

Yes. I'm seeing that here.

What is the point of you arguing about a topic that you don't seem to know
much about?

There has been no wicked breakthrough. In fact, everything disclosed thus far
merely confirms what people who do this for a living have expected all along.
If anything, it is increasingly clear that there is truly no magic at the NSA.

Nobody is surprised that the NSA has been engineering backdoors, because
anyone familiar with the field knows that straight cryptanalysis and brute
force are no longer able to accomplish much.

 

Sometimes, if the encryption is very primitive. Simple steganography may show
this, but many parties have moved far beyond that.

You have to know what you are looking for in order to find patterns.

Cryptography and cryptanalysis are way past WWII. Perhaps your reading list is
out of date.

Science-fiction novels are not a good source of information on the state of
the art in cryptography.

 

No. People at the NSA are smart. However, being smart also means recognizing
what is practically possible and what isn't. The trend is away from attempts
to crack encryption algorithms, and towards other methods such as analysis of
practical implementations and insertion of backdoors.

The NSA is pushing elliptical-curve encryption, and one reason for that is
that EC is extremely sensitive to the choice of parameters. A wrong choice
introduces useful backdoors. That was far less true with RSA, although the NSA
has tried to weaken RSA by putting backdoors into the algorithms that set up
the encryption, such as "random" number generators.

 

Or the terrorists are stupid, which certainly happens often enough.

 

Terrorists are no smarter than average people, and perhaps less so if they
resort to terrorism, so certainly a substantial number of them are indeed that
stupid.

There are plenty of occasions on which the NSA doesn't really have to do any
fancy code-breaking at all, as the parties that interest them haven't been
bright enough to take any real steps to hide what they are doing.

When you have a lot of bandwidth, you can hide messages that the spooks expect
in it while hiding the real messages. That way the spooks are deceived by
their own prejudices, and the messages they find, after expending considerable
effort, are not the messages you were really transmitting at all.

 

That could be said about money wasted on lots of things. But it seems that
working for the better of mankind isn't nearly as interesting to governments
as playing games like spying, war, and crypto.

 

Not with that sort of thing they arent.

 

That's very arguable with the best of them.

No. That's not stupidity and terrorism can work as Israel proved.

No, not THAT stupid. None of the terrorists they care about
have been caught because they have been that stupid.

No, not with the terrorism they care about there haven't been.

Sure, that's always been one viable approach.

 

That's a very fundamental feature of the political process.

Its always a lot easier to find the money for something like a war
or a response to something like 9/11 than for that other stuff.