dingbat

News

Fighting back against NSA sabotage with a dead-man’s switch


My latest Guardian column, "How to foil NSA sabotage: use a dead man's switch," conducts a thought-experiment for a "dead-man's switch" to undermine the system of secret surveillance orders used by American government agencies. If you're worried about getting a secret order to sabotage your users' security, you could send a dead-man's switch service a cryptographically secured regular message saying, "No secret orders yet." When the secret order comes, you stop sending the messages. The service publishes a master list of everyone who has missed a scheduled update, and the world uses that to infer the spread of secret orders.

This gave me an idea for a more general service: a dead man's switch to help fight back in the war on security. This service would allow you to register a URL by requesting a message from it, appending your own public key to it and posting it to that URL.

Once you're registered, you tell the dead man's switch how often you plan on notifying it that you have not received a secret order, expressed in hours. Thereafter, the service sits there, quietly sending a random number to you at your specified interval, which you sign and send back as a "No secret orders yet" message. If you miss an update, it publishes that fact to an RSS feed.

Such a service would lend itself to lots of interesting applications. Muck-raking journalists could subscribe to the raw feed, looking for the names of prominent services that had missed their nothing-to-see-here deadlines. Security-minded toolsmiths could provide programmes that looked through your browser history and compared it with the URLs registered with the service and alert you if any of the sites you visit ever show up in the list of possibly-compromised sites.

How to foil NSA sabotage: use a dead man's switch

(Image: Console, West Reservoir centre, Stoke Newington, a Creative Commons Attribution Share-Alike (2.0) image from albedo's photostream)


6 Responses to “Fighting back against NSA sabotage with a dead-man’s switch”

  1. Darren M says:

    I like the idea, but I don't think it would work. If a government tells you "don't reveal that you've given us data", the same government - through its police and justice systems, which it controls to some degree - is not going to brook "well, I only revealed it through *inaction*" as a defense.

    A dead man's switch only works when its operation *cannot* be bypassed under duress. You'd need to be able to credibly argue that there was *no plausible way* for you to prevent the switch from activating for there to be a shred of a chance that you'd come away from this without sanction.

  2. Richard R says:

    I disagree. A 'Gag Order' cannot require the recipient to actively pursue secrecy or commit to false information like(which can be construed as fraud when performed by a private entity). It only prevents the recipient from informing the nature/content of the issue under the Gag order (and possibly the existance of). So the defense position is simply, "I can neither confirm nor deny ..." It is up to the observer to infer the results of the 'dead man switch'.

  3. Byron Hale says:

    That was a great talk on KQED Forum. I heard recently that it was possible, by "design," to break encryption. Also, quantum computing is here and that is supposed to be able to rapidly factor large numbers.

    While the NSA, etc., may be able to break any single encryption, there's always some limit as to how many of them they can break at any one time. I've heard that the NSA stores anything encrypted, indefinitely. So a lot of encrypted innocuous messages might be stored indefinitely. Presumably, that could eat a lot of storage.

    I suspect they would then try to hack that person's computer, to get the messages before they were encrypted. In Ubuntu 13.04, Ubuntu Linux has asserted a desire to do keystroke logging, with an opt out for specific programs. However, the names of the underlying programs may not be available, and even its default Gnome Desktop Nautilus File Manager goes by the name of "File Manager."

    Also, I recently saw an unnamed update offered for Ubuntu 13.04. There's no telling what it could have been.

    The time intervals for the "Dead Man's Switch" don't seem to account for latencies, such as site crashes, etc.

    Whereas I might reluctantly submit to NSA surveillance, The thought of allowing business competitors (private contractors?) and thieves to access my computer is intolerable.

  4. Byron Hale says:

    PS: Installing new programs on Ubuntu now seems to require additional opt-outs.

  5. Byron Hale says:

    Hm... Not even "File Manager," I guess, but "Files."

  6. Byron Hale says:

    The jury is still out on quantum computers. The less NSA surveillance, the better.

    Many elements of quantum computing are in place, but the real deal has not been publicly verified.

    Revelations on NSA surveillance have gone from bad to worse. To grasp the human dimension, see "Other Peoples' Lives," about East German Stasi surveillance.

Leave a Reply

Creative Commons License

Cory Doctorow’s craphound.com is proudly powered by WordPress
Entries (RSS) and Comments (RSS).