Can you really escape PRISM?

Story: Free Software alternatives to help you outwit PRISM
Total Replies: 14

Jun 21, 2013
3:38 AM EDT
Maybe I'm dense, but I understand PRISM to be an on-the-wire and serverside snooping tool. So it shouldn't matter what runs on your device, because it is not the applications or OS that are infiltrated. To my understanding PRISM collects all the data that is sent out over the wire and to third parties for processing on their servers. So potentially all the communication that flows through the net and the sub-set of communication that flows to the datacenters of PRISM "partners" is being processed.

Anything you do client side is ineffectual and anything you do net side is bound to cause suspicion. To render PRISM obsolete all net users would have to start encrypting all outgoing communications (preferably using P2P communication means) and stop using services from PRISM "partners". The likeliness of that happening is virtually zero. So anyone doing anti-PRISM measures in the sea of accessible chatter is bound to attract the eye of Sauron.

If for whatever reason people want to keep a conversation under the rose, meet in meatspace, leave behind all gadgetry and take a long walk into non-(sub)urban areas. Use the mundane and unimportant stuff on the net to hide in plain sight.

(Yes, I'm fully aware of the irony that I send out this "subversive" data on the very net that I know is spying on me. Then again I know my place in the machine. This cog won't gum up the works ;)

Jun 21, 2013
6:12 AM EDT
> So anyone doing anti-PRISM measures in the sea of accessible chatter is bound to attract the eye of Sauron.

I believe one of the points is to give the system so many targets that it can't handle them all and becomes ineffective.

Jun 21, 2013
7:47 AM EDT
Jdixon, I faintly recall saying why this is so, just before that passage. Overburdening the system requires mass cooperation. Good luck with that.

Jun 21, 2013
9:24 AM EDT
> Good luck with that.

Oh, I agree. I was merely noting that it was one of the arguments used.

Jun 21, 2013
10:16 AM EDT
Overburdening the system...

That's what Facebook, twitter, G+, and thousands of phone apps that spew information constantly throughout the internet were created for.

Now if we can just get the NSA to become convinced that an AI will solve their 'too much data' issues, they will quickly learn that their AI will spend more time worrying about what the Kardashians are wearing tonight than snooping on regular folks.


Sounds like a Cory Doctorow story...

Jun 21, 2013
10:38 AM EDT
That's what I meant with hiding in plain sight. Portray yourself as average enough on the "Facebook, twitter, G+, and thousands of phone apps". Just don't do anything on the net that you don't want the man to know.

Jun 21, 2013
11:30 AM EDT
For those who truly want to stay below radar, that may suffice. But, what of those who only want to annoy the regime? It's none of their <expletive deleted> business what I do or say, and given they don't give a rat about my civil rights, I think it only fair that I make their life as difficult as possible.

MLK taught us well: Civil disobedience is a most effective tool.

Jun 21, 2013
12:50 PM EDT
Well, PRISM is supposedly a server side tool to gather information ... and as such, encrypting your e-mail has no effect if you are using, to send. However if you are using your own (personal or company) mail server and sending to another private e-mail server, encryption would work fine for that.

Also, while not stopping specifically PRISM (since it is server side log access), encrypted traffic (web browsing, mail, etc) would prevent snooping en route on any router. So if someone is collecting data in other places than the ends of the trip, that would at least be safe.

But the only way to escape PRISM is to get the law rewritten ... for that, contact your Congressmen and Senators if you are a US Citizen :)

Jun 21, 2013
1:26 PM EDT
If I may suggest, use encryption.

Not just SSL. Use GnuPG/PGP, TrueCrypt, etc. Do not store files "in the cloud" that are not encrypted.

Use steganography. This is not useful for Facebook, since Facebook always compresses the pictures again when they're uploaded. I mean send a JPG to your friend with "How pretty!" and in it have a GnuPG encrypted file hidden.

As Phil Zimmermann, who invented PGP, said many years ago: PGP is not for big secrets. It's for little secrets. For "privacy". And it's pretty good.

Jun 21, 2013
2:38 PM EDT
Another encryption option to consider is Monolith.

"Monolith is an open-source program that can XOR two files together to create a third file, and -- of course -- can XOR that third file with one of the original two to create the other original file."

Jun 21, 2013
3:13 PM EDT
Seatex, the word for that is "one-time pad"

The Soviets used one-time pad style encryption, while the Americans used RSA and other large-number mathematic encryption.

If you watch the movie Sneakers, the comment is made that "No, the Russians use a completely different system."

One-time pads are, conceptually, unbreakable. Practically, they can be broken because the one-time pads tend to either be re-used, or shorter than what is encrypted so they will repeat.

Jun 21, 2013
3:28 PM EDT
Bob - Yes, I'm familiar with one-time pads such as this. And I agree that nothing is 100% unbreakable - especially given the supercomputing power of the NSA. Also, this system requires the key on the receiving end and you have to find a way to securely send that key (by snail mail perhaps). Yet, the more you send using that key, the higher the probability the messages will be broken, as repeating patterns emerge.

Jun 22, 2013
11:28 PM EDT
A couple of thoughts:

1. How about exchanging a few gigabytes of truly random numbers? You can get them from the hot bits website. And if NSA is trying to decrypt then isn't it a shame there's nothing there?

2. Would this work as a method of extending one-time-pad keyspace?

a. Generate a 100 bit random string by flipping a coin. heads=1 tails=0. Call this string a. Repeat for strings b and c.

b. I send you, via snail mail, a courier, or a friend strings a b and c.

c. Consider strings a b and c as circular queues, each 100 bits round. Looping through the triply nested loop (for each bit in a(for each bit in b(for each bit in c))) set each bit in the string D as a xor b xor c. Thus three 100 bit random strings generate a 1,000,000 bit random string.

d. Using string D as our one-time-pad key, I encrypt and send you any message of length less than 1,000,000 bits.

I maintain that since I've not repeated the combination of a b and c that the key is not cyclic for less than 1,000,000. (obviously it is for larger values). But if I need more space, then back to the coin for 100 flips. And to update your one-time-pad I need only send 100 bits to you. And you can update sending 100 bits to me.

Am I missing something obvious?


Jun 23, 2013
8:50 AM EDT
> Am I missing something obvious?

Yes, encrypting and sending it over the net makes you very interesting to the powers that be. Is it advantageous to put yourself under the microscope like that?

Jun 23, 2013
12:29 PM EDT
That's the point. Making them waste time and resources on one rather insignificant person and trying to decrypt an information-free file. Actually a file created with a flawed random number generator might be even more interesting to them as it might look like there was /something/ in there.

BTW I see the flaw in my 'extension' of short random sequences into longer ones. Each time I xor the bits of one file against the current bit of the next it will either copy the sequence or copy the inverse of the sequence. Thus there will be periodicity showing up in the final file. Probably it's going to happen even if I were to xor it with a copy of itself shifted right by 1 bit. But that might be a nice candidate for someone to waste time on.
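The periodicity described in the post above can be checked directly on the expansion scheme from the Jun 22 post. This is an added example, not code from the thread: the function names are made up for the illustration, and Python's `secrets` module stands in for the coin flips.

```python
import secrets
from collections import Counter

def random_bits(n):
    """n random bits from the OS CSPRNG (stands in for the coin flips)."""
    return [secrets.randbits(1) for _ in range(n)]

def expand_pad(a, b, c):
    """The post's triply nested loop: one output bit a[i]^b[j]^c[k] per (i, j, k)."""
    return [x ^ y ^ z for x in a for y in b for z in c]

def block_census(pad, block_len):
    """Count occurrences of each distinct block_len-bit block of the pad."""
    return Counter(tuple(pad[i:i + block_len])
                   for i in range(0, len(pad), block_len))

def blocks_cancel(pad, block_len, first, second):
    """True if two pad blocks are equal or bitwise complements, so XORing the
    ciphertext blocks they cover leaves only plaintext XOR (or its inverse)."""
    u = pad[first * block_len:(first + 1) * block_len]
    v = pad[second * block_len:(second + 1) * block_len]
    diff = [p ^ q for p, q in zip(u, v)]
    return len(set(diff)) == 1

if __name__ == "__main__":
    n = 100  # string length used in the post
    a, b, c = random_bits(n), random_bits(n), random_bits(n)
    pad = expand_pad(a, b, c)
    census = block_census(pad, n)
    print("pad length in bits:      ", len(pad))
    print("distinct 100-bit blocks: ", len(census))  # never more than 2
    print("blocks 0 and 4321 cancel:", blocks_cancel(pad, n, 0, 4321))
```

Within each run of 100 output bits, `a[i] ^ b[j]` is a constant, so every block is either `c` or its complement; the 1,000,000-bit pad still carries only the 300 random bits that went in.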
