GCHQ KARMA POLICE: Tracking every internet user everywhere

New from Snowden documents & utterly chilling: GCHQ did the cyber equivalent of following & filming each and every one of us as we go about our day.

Not just in UK, but on the entire internet - everyone. They called this mass surveillance operation: KARMA POLICE

10 Likes

Pretty sick. We already knew they intercept pretty much anything they can, this seems to shed more light on how that data is used.

Another more summarized article: http://arstechnica.com/security/2015/09/gchq-tried-to-track-web-visits-of-every-visible-user-on-internet/

I’m quite happy to use Firefox with Ghostery, NoScript, and uBlock Origin. Not only does it protect me from most malware, but it also stops some of these spy techniques used by GCHQ.

4 Likes

I wonder if they could pinpoint the originator of public content on the SAFE network by having a verbatim log of their web traffic?
Or is there some kind of extra obfuscation step taken instead of sending out the raw chunks?
I’m thinking the logical thing to do to the data is encrypt all of the data you’re sending using the public key of the node you’re sending it to at each hop, right? And since the originator’s IP address is never really revealed to anyone, all the node knows is that one of the nodes it’s maintaining a connection with just sent them a payload…
To be able to pinpoint the originator, you’d need to have full memory access to the closest node to the originator in the chain that leads to the vaults that finally store the chunks as well as access to the final node that does the storage? But then again I guess the node isn’t aware whether it’s the first link or the nth link in the chain? It just receives an encrypted secondary payload that says where in XOR space it’s going along with the primary payload of data that’s encrypted with the public key of the final destination. All the receiving node takes care of getting it to the closest to the destination node it knows?
Can anyone confirm what I’m thinking, there’s probably at least some minor details I’m getting wrong, or am I way off base?
And can anyone think of some attack vector I’m missing, other than having, on the computer of the originator, malware that’s tuned to figuring out data that’s sent to the SAFE network?

1 Like
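The routing the post above describes, as an added example that is not part of the original thread and is not MaidSafe's code: a toy model of greedy forwarding in XOR space, showing what a single relay observes and which originators are consistent with that observation. The 8-bit node IDs, the one-contact-per-bucket table and all function names are assumptions made for illustration; the payload is treated as opaque and encryption is not modelled.

```python
# Constructed 8-bit node IDs; real network addresses are far longer.
NODES = [0x12, 0x1F, 0x3A, 0x47, 0x58, 0x6C, 0x83, 0x9E, 0xA5, 0xC1, 0xD4, 0xEB]
BITS = 8

def contacts(node):
    """Routing table: the nearest known node in each XOR-distance bucket."""
    out = set()
    for i in range(BITS):
        bucket = [n for n in NODES if n != node and (n ^ node).bit_length() == i + 1]
        if bucket:
            out.add(min(bucket, key=lambda n: n ^ node))
    return out

def next_hop(node, dest):
    """Forward to the contact closest to dest, or None if this node is closest."""
    best = min(contacts(node) | {node}, key=lambda n: n ^ dest)
    return None if best == node else best

def route(origin, dest):
    """Hop-by-hop path; XOR distance to dest shrinks at every step."""
    path = [origin]
    while (nxt := next_hop(path[-1], dest)) is not None:
        path.append(nxt)
    return path

def observations(path, dest):
    """What each receiving node learns: previous hop and destination address.
    There is no origin field and no hop counter in the message."""
    return {path[i]: (path[i - 1], dest) for i in range(1, len(path))}

def anonymity_set(relay, prev, dest):
    """Every node that could have originated a message the relay saw
    arriving from prev on its way to dest."""
    result = set()
    for origin in NODES:
        p = route(origin, dest)
        if (prev, relay) in zip(p, p[1:]):
            result.add(origin)
    return result

if __name__ == "__main__":
    dest = 0xE0
    path = route(0x12, dest)
    print("path:", [hex(n) for n in path])
    for node, (prev, d) in observations(path, dest).items():
        candidates = sorted(anonymity_set(node, prev, d))
        print(hex(node), "saw", hex(prev), "-> candidates", [hex(c) for c in candidates])
```

The model covers one relay looking at its own traffic; it says nothing about an observer who can watch several links at once.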

Your post above is a very good summary of how SAFE protects user identity and activity from surveillance IMO. Bravo!

Watermark the original content with an ID to identify the user. E.g., many MP3 stores watermark MP3s with the customer’s ID. So if you upload that to SAFE and publicly share it, then you’ve given yourself away. Add a few more pieces of evidence, such as communication over the SAFE network from your IP, a Vault installed on your computer, etc. This highlights Snowden’s warning, which is that encryption works, but it’s always broken at the edges. So if you’re using SAFE, there are probably other systems you’re using which are not as secure.

3 Likes

What did I try to tell people? But I guess around here people prefer to underestimate governments and their abilities?

Yes every Internet user is tracked which is why it’s not so simple to think that just by creating SAFE Network that it will allow people to avoid being tracked by GCHQ. It will take a lot more effort and most people don’t put in the kind of effort it would take to try to hide from them.

SAFE Network might make tracking slightly more expensive for a while until innovation on the other side reduces the costs of surveillance again. It’s not a silver bullet.

How they use it is the mystery but since it’s their property and since they are the government they can probably use the Information any way they want to.

My guess and it’s just a hunch, is anyone who has visited the Tor site or Freenet site, or similar sites, and that includes any of us old timers who knew about these technologies since the 90s, are probably on some kind of lifetime Internet surveillance list. It sounds paranoid but that is how governments are.

Which means the moment you became aware of SAFE Network they probably became aware that you became aware of it. That would probably include everything else you downloaded or searched for through the years. So if we assume that governments around the world know your interests, know your knowledge level, etc, well at least their algorithms know you better than you know yourself.

2 Likes

On the other hand if Snowden can leak all of this then whatever these agencies collected about us could be leaked the same way.

1 Like

This is about intelligence agencies, not governments in general.

It’s why leaks and building physical networks they don’t own or control or have easy physical access to is so important. It’s an arms race, but we can win it by following the technical yellow brick road and replacing top down systems like Capitalism and Socialism with DACOs and other bottom based systems that don’t enslave through money. We can rid the world of the typically useless magic eight ball hierarchy.

Ars Technica is a Sony shill rag, I wonder if Sony in its hacks was in any way targeted by KARMA Police or if the hacktivists used it as a tool too. Maybe Karma had a hacked hacker team back orifice? I wonder if the NSA uses hardware that was built in China with input from Chinese spy agencies. It’s all been compromised by stupid money philosophy in the West. Does anyone think the Karma dirt collector was programmed to avoid collecting dirt on the imported inbreds and ‘Queen’? Hillary attacked the hacktivist defenders of transparency and finds herself unelectable Petraeus style.

Tough to do when one side sees winning as spending money on contractors. This is largely about money. It’s partly about blackmail. I don’t think Hillary escapes surveillance. One theory is that you’re chosen to ascend to top positions in politics only if you’re blackmailable (controllable). That makes sense: it’s largely what campaign contributions and Super PACs are all about too (not blackmail, but about making politicians dependent on outside money, and the ability to threaten removing that money).

1 Like

This is understating the difference SAFE Network will make because hoovering up traffic in the way they have been will not be enough to defeat anonymity or identify meta data (or of course content). SAFE makes this kind of mass collection impractical, and forces agencies to target their resources (attacks) in order to overcome these barriers - infecting computers for example is much more difficult and risky for them to attempt on a large scale for various reasons, than passively collecting traffic which they never imagined we’d get to hear about. That has backfired. Perhaps if they’d been less confident in their own privacy they might have been more respectful of ours!

The need for targeted attacks shifts the balance back towards where it was in the past. It was always possible to collect data on someone from public sources (from following them, bugging their phone, requesting bank records) but until the internet it wasn’t possible to do it on anything like the scale of KARMA POLICE, PRISM etc.

1 Like

FWIW, Bruce Schneier agrees with you that raising the cost of surveillance is one of the best defenses of privacy. Making targeted surveillance impossible is probably unrealistic and maybe even unwanted. https://www.youtube.com/watch?v=3v9t_IoOgyI

1 Like

There is no such thing as secure computing. Unless you build your own processor and networking stack, your data was probably compromised long before you encrypted it. You should operate under the assumption that backdoors are built into processors at the circuit level, because they are. If you know about a secret intelligence gathering agency, then it isn’t much of a secret.

1 Like

Meh. Even if that’s true, that can’t be used for mass surveillance.

1 Like

NRO Logo

2 Likes

With regard to PACs if not blackmail then graft - it’s shades of grey. To my mind there is no reason for money to be involved at all. Involving money gives the wealthy veto power which they should never ever have. It nullifies the public interest because it means all we get are puppets. When it comes to voting I don’t see a private interest. It’s already a tall order to delegate power through voting. But there is absolutely no reason that some corporation should have to be paid off to get someone elected. We should simply yank the charter of any worthless sponsored (censorship based) media firm that doesn’t cover it for free as a condition of keeping a license and a charter.

I think we need to refocus society back onto the interests of the middle class as they are really the only segment that matters as the other two wealth segments are artifacts. The wealthy are not a legitimate minority. The wealthy as a class are a kind of perverse luxury as long as we have poverty, and as long as we do their property claims are irrelevant and should be taxed away, especially in an automated society. Given a big enough middle class with adequate income there is no need to tax much. The wealthy are molesters of other people’s money and job suppressors, it’s time to stop their thieving and useless rent seeking.

2 Likes

This might not be the case either. It’s ultimately programmer vs programmer, hacker vs hacker, skill vs skill, and to be honest the intelligence agencies have a near monopoly on cryptographers, on programmers, on PhD level thinkers. This isn’t to say they have all of them, but it is to say that they have enough money to simply starve people out and win over the long game.

I would say in the short term SAFE Network might make a significant difference but in the long term it’s just going to lead to innovations on the surveillance side which make SAFE Network impractical. Basically SAFE Network will only likely work for trained activists and no one else, so in that case they’ll just put all the activists under targeted surveillance.

It would mean if you’re on this site right now, and you’re an activist, don’t you think the GCHQ knows what you’re doing? It’s not people like us who they know everything about that they are most concerned about. They are most concerned about people they know very little about, people who actually have the training, who have been in civil wars, who have worked for foreign governments, etc. Most westerners, even among the activists, don’t know a thing about warfare.

Cryptography typically is used in warfare to mask or hide covert operations. In particular I would think GCHQ and similar agencies are focused on activists who choose to get involved in serious conflicts. I think the vast majority of people, the mainstream people who might or might not use SAFE Network, will not want involvement in international conflicts. Maybe a small percentage do but that small percentage is probably easy to put under targeted surveillance.

This is exactly the point I am trying to make. There is no guaranteed security or 100% secrecy. You can make it more expensive, you can make it require more effort, but it’s not 100%. There are a lot of reasons for this but the main two are you cannot trust the hardware or the software that SAFE Network will run on.

So you’re only as secure, statistically speaking, as whatever you run on. If you look at the risk of compromise, based on a typical risk matrix, then every operating system has had zero days which result in total compromise of everything running on it, the random number generators in the past have been totally compromised too, compilers have been totally compromised, hardware itself can have undetectable trojans so your circuits could be compromised too.

And even if you built it all yourself so none of it is compromised, there are timing attacks, side channels, and data leakage which you can’t really fully prevent. It’s a situation at best where encryption can protect you but only if the government you’re dealing with isn’t sophisticated enough to spend billions of dollars to break whatever you build.

So if SAFE Network is secure, and several governments join forces to break SAFE Network, how long would it take before some zero day is found in some component SAFE Network relies on which can break the whole thing?

Rust is actually pretty good but even still there are bugs which can exist if not in Rust then on components Rust depends on.

1 Like

This is not the case, it is reductionist thinking. This is one part of the issue. Taking this “government is just too powerful” thinking to its logical conclusion: Ultimately a government could just round us up and put us in concentration camps. I agree. And yes, it might happen - in fact we might well be heading towards such an event. But for some reason it has not happened for a while and most of us operate as if it is not going to happen, because otherwise we’d all have to abandon our whole way of life. Stability emerges out of the complexity - isn’t that amazing! :smile: - it is not simply a matter of programmer v programmer.

You are making bold speculative predictions that are no better than 99% of the predictions out there. Speaking things that fit your world view, your current beliefs. There is no point me arguing against your beliefs, and I can’t disprove them so I suggest we agree to differ here. We think about the world in different ways, but to go into that is both off topic and not something I want to spend time on.

1 Like

So you are saying that all the innovation will come from government agencies? What about the innovation from millions of civilians in the world?
The cryptographic innovation stopped being asymmetric a long time ago, the civilian research is now neck and neck with what the NSA can offer.

In fact, open source projects seem to be having the upper hand.
For instance, in the leaked documents by Snowden, the NSA is repeatedly banging its head on the wall with TOR.
They literally call it “(S//REL) The king of high-secure, low-latency anonymity, there are no contenders for the throne in waiting”.
http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity

Some leaked documents list Moxie’s TextSecure and RedPhone, Tails, Truecrypt, OTR as “catastrophic” to the efforts of mass surveillance.

MaidSafe’s designs will definitely complicate matters even further for them and practically it will further reduce the NSA’s effective functions to TAO attacks only… but even that might be on the verge of becoming obsolete.

This is the power of decentralization. I am not talking about infrastructure, I am talking about the diversity of the pooled talents from around the world in solving the problems that institutions want to generate.
Open Source and collaborative development will win.

1 Like