Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘1984’ Category

Chimps With Guns and The Bloggers Who Give Them Ammo: The Mysteries of Crypto and Privacy Elude Many

Out of the Mouth of the Ill Informed and Lacking Perspective….

Once again Quinn Norton takes on a subject not so much as a reporter, but as a pom-pom cheerleader of notions that she has little claim to comprehending, only to espouse them on wired.com as fact. Of course, when questioned on the validity of the ideals she is spewing onto the internet and the reporting thereof she has done, she once again looks hurt and demands a retraction of sorts from the author. Well, now it’s my turn to put my two cents in and jerk another jewel-like tear from her eye. The story this time concerns “Cryptocat”, an ostensibly download-free service for chatting online with people in an encrypted session.

Now, this would be all grand and wonderful if the chat program/session/technology were in fact bulletproof. However, as Quinn fails to understand, there are problems with the implementation that have been brought up by others, and there are valid arguments that the system is indeed subvertible with the right attacks against it. Another failure on Quinn’s part is not understanding that the endpoint (i.e. the end user’s machine) may also be pre-pwned, and thus your idea of having a “sekret chat” is, well, null and void.. But, I digress here. Quinn just doesn’t have the technical background, nor, it seems, the ability to think a bit laterally, while making dangerous statements about “overthrowing governments” with such tools as Cryptocat.

“This Cute Chat Site Could Save Your Life and Help Overthrow Your Government”

Really? You want to make this statement and get people to actually use a system that is as yet untested against attacks for overthrowing governments or saving lives? Wow, you really have no idea what you are talking about. The hubris alone of the quote/title is enough to send me into apoplectic fits of Tourette’s syndrome. Then, today I see you in a tweetup about how you want the author of the paranoia article to apologize, or something along those lines, for calling you out in his piece? I really look forward to your reply to this then, because I am going to tear this ideal down just like your slanted reporting on Anonymous and OWS. It seems you have a paradigm issue with reality and you need to sit back a bit and listen to the community at large, who may know a bit more than you do.

It might save some lives in the end….

Crypto: A Munition Not Long Ago…

Crypto has been around since the dawn of time. As such, over time it has been used in many ways and in many implementations. Many of these uses though have centered on war or espionage. Up until rather recently, even, the type of cryptographic schemes we are talking about in Cryptocat were in fact considered “munitions” depending on their strength, here in the US and in other places. At the time of this writing it is no longer considered a munition per se; however, it is illegal to export some high-end types of crypto to nation states on the naughty list. This does not mean that they don’t get their hands on the tech, but there is an attempt by governments everywhere to keep the crypto genie in the bottle to protect their own data.

In the case of Cryptocat though, this is not a munition-strength solution and, due to its flaws, should not ever be considered a viable means to real privacy or security. In fact, if you really want to keep something secret the only good way is a one-time pad, but even that can be subverted if the pad is stolen or replicated (as the Russians found out during the Cold War). So, suggesting that Cryptocat be used in any kind of serious situation other than maybe wanting a little privacy (i.e. nothing illegal, or perceived thereof as being so by anyone) is just plain stupid as well as dangerous.
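The one-time pad point above deserves a worked illustration. The following is an added example, not code from the original post or from Cryptocat: it implements a pad correctly (XOR with a random pad as long as the message) and then shows the failure mode the Cold War reference alludes to, namely that a pad used more than once cancels out of the ciphertexts, so an eavesdropper who knows or guesses one message reads the other. All messages and the pad are constructed for the demonstration.

```python
# Added example (not from the original post): a one-time pad done right, and
# what an eavesdropper learns the moment the same pad is used twice.
# All messages and the pad below are constructed for illustration.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(length: int) -> bytes:
    """A pad must be truly random and at least as long as the message."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """Ciphertext = message XOR pad. The pad is consumed: never use it again."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(message, pad[: len(message)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad satisfy c1 XOR c2 == m1 XOR m2.
    The pad cancels out, so the eavesdropper sees the XOR of the plaintexts
    without ever seeing the pad."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_with_crib(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """If one plaintext is known or guessed, the other falls out directly:
    m2 = (c1 XOR c2) XOR m1. Stealing the pad is not the only risk; reuse
    alone is fatal."""
    n = min(len(c1), len(c2), len(known_m1))
    return xor_bytes(pad_reuse_leak(c1[:n], c2[:n]), known_m1[:n])


def demo() -> dict:
    """Constructed scenario: two messages, one pad, the pad used twice."""
    m1 = b"meet at the usual place at nine"
    m2 = b"bring the second package today "  # constructed, same length as m1
    pad = make_pad(len(m1))
    c1 = otp_encrypt(m1, pad)
    c2 = otp_encrypt(m2, pad)  # the mistake: the same pad, used twice
    return {
        "round_trip_ok": otp_decrypt(c1, pad) == m1,
        "leak": pad_reuse_leak(c1, c2),
        "recovered_m2": recover_with_crib(c1, c2, m1),
    }


if __name__ == "__main__":
    out = demo()
    print("round trip:", out["round_trip_ok"])
    print("m1 XOR m2 visible to eavesdropper:", out["leak"].hex())
    print("m2 recovered from known m1:", out["recovered_m2"])
```

The pad is generated with `secrets.token_bytes`, which is the right source for this purpose; what makes the scheme fail in `demo()` is not the quality of the randomness but the second call to `otp_encrypt` with the same pad.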

Crypto and its use by the masses is a convenience to secure their data from being stolen. Military-strength crypto is a different matter, and neither system usually comes in an easily accessible, no-install-required fashion. We have seen lately all of the attacks on the online forms of crypto, including CHAP this last week at Defcon 20. These systems will always be under attack and at some point they may all be subverted. Hell, look at quantum crypto being broken! NOTHING IS A SURE THING and we all need to understand the perils of what we do with such systems. So, once again I say that it takes a bit more forethought than just logging onto a site, or even downloading a plug-in for a browser, and believing the stories about its safety by pundits on Wired.

Frankly, you’d be better served by just using TOR and going to the DARKNET and chatting on an IRC or chatroom.. It’d be safer.. Until you give up too much info about yourself….

Once Upon A Time, Spies Used Crypto and Tradecraft…

All of this technology has always had a means of being carried to the intended recipient. In the spy business this was carried out by “tradecraft”. Tradecraft means the tricks to hide things as well as the techniques to meet in secret to pass information. In the case of today’s internet world, the idea of having a server or site that offers a “secret meeting space” is a bad one, because you are advertising it, thus making it a target, and you as well by proxy of using it. Instead I would put it to you that if you really care about privacy and you have something to convey to someone else secretly, you do so in a way that no one will know it ever happened in the first place.

Dead drops, chalk marks on fence posts, or even the ubiquitous X in tape on a window with a light shining on it (X-Files) are better than advertising that you are going to a place like Cryptocat to have a conversation with anyone. In fact, you have to tell the other person about the meeting to start with, and that alone provides intel to anyone looking to snoop on you, since those unaware of tradecraft do it in the open. Even the “Illegals” who were caught here in the US a couple of years back were using tradecraft as well as crypto programs on laptops etc. to pass data and have conversations. In the end these were foiled as well (bad implementations of crypted chat and bad habits with passwords), which only helped bring the Russian program down. These people were meeting at underpasses as well as having drive-bys with vans hosting an ad hoc network via WiFi.

So, when I look at this drivel on Wired about being safe and secure, lacking any real understanding of how security works never mind cryptographic systems, I kinda get a little peeved. You wanna play in the grown up world? You need to learn how to play.

Geopolitics of The Internets and Civil War…

Today we are seeing great changes attempting to happen in the Middle East as well as all over the globe. We are also seeing the governments of the world attempt to keep their control over things by using technology as well. For every piece of technology someone like Moxie comes up with, someone else is going to come out with another piece that will subvert it. This is the nature of things today and, unfortunately, there are some governments out there who lack any kind of empathy for their citizens. In many cases, as we have seen in the Arab Spring and all of the things post its blooming, people have been killed or disappeared for speaking their minds. Syria is the latest in this and we are seeing it live today. While the government tried to keep the people down and the nets dark, others tried to keep them open.

It’s war.

Anonymous and the movements against overzealous prosecution as well as those advocating civil and privacy rights are being watched and infiltrated as we speak. Technology is a means to an end, unfortunately that technology can be subverted and used against those using it to protect themselves. One must know the technology and the problems with it before using it cognizantly. This unfortunately is not the case in what is being advocated and advertised by Quinn Norton on Wired with regard to Cryptocat. This I say specifically where she makes declamations about overthrowing governments with things like untested crypto schemes.

Doing so does a disservice to anyone looking to make a change.

Know Your Technology and Your Methods Before You Plan A Revolution…

In the end, I just wanted to point all of this out. The people who are in the know (cypherpunks) should be listened to. In the case of Quinn, she seems to have a distorted view that they are elitist and bad. Maybe they are elitist, maybe they are eggheads who can’t park a bicycle right; either way, they should be listened to and their counsel taken into account. Without comprehension of the technology you will fail in the end. As Quinn liked to point out in her piece on Wired, it was a “no install” program, and the piece seems bent on getting the “common man” to use it; the only way that really works is if the masses need not comprehend how to install something on a computer. This too is a real disservice to everyone and a dangerous precedent.

I mean.. To drive a car you have to have a license.. So you want to load crypto and plan a revolution with unlicensed drivers?

Duh.

If you are going to use Cryptocat just be aware of the limitations. If you want to just have a private chat with a friend go right ahead.. If you think you are the next Sabu or Che Guevara.. I’d think twice.

K.

Written by Krypt3ia

2012/08/02 at 16:43

Posted in .gov, .mil, 1984, Crypto

Psychopathy Tweets: Too Much Statistics, Not Enough Proof of Concept

On Sunday, Defcon 20 had a talk I had previously written about, on the idea of using statistical analysis of word use to determine psychopathy in individuals online. As I sat through the talk and steadily watched people get up and leave, I too had the urge to walk away. However, I had a mission, and that was to confirm whether there was any evidence that would say to me this was a viable means of detection for psychopaths.

What I came out with, after many slides of numbers, was “nope, not really”, which I pretty much had thought before. There are just too many variables to this type of venture and you would, in the end, need to have a trained psychoanalyst talk to the individual to determine whether or not they are a true psychopath.

Sorry Sugg.. It was an interesting idea and I am wondering just where this will go if the author of the original paper tries to expand upon this process. You see, for this to possibly work online, the trained individual would chat with the “patient” or “UNSUB”, as the case may be, to ask specific questions to elicit responses. See, that would work I think, but it is a manual process, not a big data solution. So, while it was an interesting trip into what psychopathy is and possibly how to spot it in word use, it was a failed experiment in my book.

Now, another twist on this idea might be to take the transcripts of Anonymous and other IRC chats and wash that through your program… There’s a lot going on there mentally and it might show some traits, but are they really suffering from some sort of psychiatric illness or are they just maladjusted? This has been something I have written about before, and the vernacular used as well as the mindset that seems to be prevalent warrants some looking at perhaps.

Maybe next year?

Overall though, I surely hope that the governments and law enforcement bodies out there do not take up this idea and begin to mine people’s chat logs for psychopathy.

*shudder*

Ding Dong! It’s the forensic psychiatrist.. We saw your tweets and thought we’d have a chat? What? these cops? They’re just here to visit too!

K.

Written by Krypt3ia

2012/07/31 at 04:17

Detecting Psychopathy Via Tweets? A Flawed Premise May Present Dire Consequences

In contemporary research and clinical practice, Robert D. Hare’s Psychopathy Checklist, Revised (PCL-R) is the psycho-diagnostic tool most commonly used to assess psychopathy.[1] Because an individual’s score may have important consequences for his or her future, and because the potential for harm if the test is used or administered incorrectly is considerable, Hare argues that the test should only be considered valid if administered by a suitably qualified and experienced clinician under controlled and licensed conditions.[2][3] Hare receives royalties on licensed use of the test.[4]

Background Sources:

Wikipedia on PCL-R

Defcon 20 Presentation

Fox News

Forbes

Wired

Science Daily

wmatrix 

Preamble:

A paper and talk being given at Defcon 20 this week has gotten people all worked into a lather within the news arena and has piqued my interest. The talk centers around the premise that one may be able to determine psychopathic traits (psychopathic and sociopathic behaviors) from, of all things, the analysis of tweets. Now, this may be a novel idea to some and it certainly seems the news has latched onto this, but in the cold hard light of day this premise has way too many failures to be applicable to gaining any insight into anyone’s psyche via Twitter.

In this article I am staking out my contention that this is not a suitable means of diagnostics of this type and, in fact, were it to be followed up on and used, would lead to bad results and perhaps the citation of individuals online as being “psychopathic” when they are not the least bit so. This talk may be an inquiry into whether or not this is possible, but had the research been carried out to the extent of reading the materials and their ancillaries, one would quickly come to grips with some salient facts that make this method of detection untenable. As the media hype has already started on this, I think it prudent to speak up here and now, as well as write an after-piece once I have sat through the talk and had a chance to see exactly what they say they believe possible in the end.

A Flawed Premise:

Having read the original paper by Hancock, Woodworth, and Porter (Hungry like the wolf: A word-pattern analysis of the language of psychopaths), the experiment clearly states that they had chosen a sampling of criminals convicted of murder (in various degrees) and verbally interviewed them on their crimes. The method of interview was strictly adhered to and was a known and well-used process including blind interpretation (where the interviewer did not collate the data on psychopathy, just transcribed dialog and logged emotional states). Once the transcription was done (including disfluencies, *uh* and *um*), this text was taken and run through wmatrix and other tools to determine the language’s affinities for psychopathy and other mental states. This “text” is actual “dialog” and as such is not the same as the “written word” that the speakers at Defcon are going to be assessing in their presentation, and this is a key difference that I am unsure they have taken into account. Writing is affected and not natural to many (i.e. fluid dialog in writing). Add to this that you are talking about the emoting of data/emotion via Twitter at 140 characters at a time AND using quite a bit of word shortening and slang, and the premise of using “language” to determine psyche really falls apart.

A second key point is that the dialogs used in the original paper are specifically stories of the subjects’ crimes. This was a calculated effort on the part of the psychologists to elicit the emotional states of the subjects in relation to their crimes and their victims. This is a key factor in the language the researchers were looking at, and, as far as I know, this is not a part of the paper being presented at Defcon, which thus misses a key data point… making the premise suspect to start.

It is my opinion, just from the differences between the experimental inputs, that unless you have a larger dialectic to work from and a trained set of people to determine not only language, but also emotion (we all know how easy it is to misinterpret an email right?) of the poster, you cannot in any way, shape or form come up with a psychiatric profile, never mind an actual diagnosis, of psychopathy via online content, especially that which is culled from Twitter.

Background Data On PCL-R:

Another factor that I would like to address briefly is the use of the PCL-R test. This test, though it has been around for some time and is used, is still not part of the DSM-V as a preferred diagnostic tool. There are many papers and articles online that do not promote the use of this test as a lock on psychopathy, nor is there really a consensus from DSM to DSM on exactly what psychopathy is. Psychology and psychiatry are more plastic sciences due to the nature of the human brain. So, all of this supposition on trying to quantify an individual from their language written online at 140 characters at a time is being terribly kluged into an ideal. It is important to know the landscape here to understand that nothing is certain, and even a diagnosis of an ailment such as these can be countered by a second opinion from another doctor.

.. And doctors should be involved in any of these experiments online as well. However, the bulk of what I have seen online and read elsewhere, as well as common sense, points me to the fact that even with a lot of online chatter, one must interview the subject in person to determine their illness.

Not All Problems Can be Solved With Big Data and Technical Solutions:

In the end though, I guess my biggest concern is that certain people out there (or government groups) might take this idea of sifting through big data online for such linguistic cues as something to run with. In fact, contextual searches already exist and are often used by agencies to determine where someone might live or have lived, gone to school, etc. by the nature of their writing. In fact, recently on Studio 360 I heard a report of a computer program being created for just such a thing. It, however, was also an AI project to try and get the “Turing” effect to be so acute that a person online would not know the difference between computer and human communication.

Which, brings me to another idea.. When will we see the first “psychopathic” AI out there? But I digress…

It seems to me that more and more we are being collectively mined not only for our habits, but now for our emotions as well as our psychological makeups. All of this could potentially be collated from numerous sources (not just out of the context of language but also click behavior etc.). Remember those days in college when you took Psych 101 and thought the professor was just messing with you and taking notes? Well, I have the same feeling now with the internet in general and the companies and governments using it for contextual purposes.

I doubt though, we will ever be able to contextualize the human psyche just from internet data… And that is where I think this talk is headed… And thus, I had to speak my piece. I will have another post on my thoughts after the talk.. Maybe they can change my mind a bit.

Maybe not.

K.

Written by Krypt3ia

2012/07/25 at 20:14

Monitoring Social Media: Open Comm’s vs. Secret Operations and Big Brother

Social Media Monitoring: A Rubric for Control

It seems that things are coming to a head in the strange world of government surveillance for “our” protection. Of course I see the expeditious rise in this kind of activity as due to the likes of Anonymous and Lulzsec/Antisec coming onto the scene and forcing the hands of those in charge. This is not to say that the legislation and skulduggery would not have happened without the Anons, but it may have been more of a frog-in-a-pot-of-water scenario as opposed to getting zapped in a flash. So, in a way, you can thank Anonymous for speeding up the process as well as perhaps creating the environment for really poor ideas to be floated in a hurry to “protect” us all from the bad people.

Dealer’s choice there I suppose…

All this aside though, we now are faced with DHS wanting to be in charge (or at least pay GD to do the work) of monitoring “Social Media” on the internet. First off, let me assure you all that DHS monitoring Social Media is akin to a severely autistic individual being assigned as a babysitter for an infant. This is one of the worst ideas I could ever conceive of as these types of things go. Even with GD doing all of the grunt work, the actual evaluation of any product would be carried out by analysts from DHS, and boy, they are so ill equipped to handle this. Remember, these are the same bunch of folks that brought you that classic fiasco of “Russia is hacking our water system in Illinois!”

Suffice it to say that I do not think this will go well, and that the idea in and of itself, to monitor Facebook and Twitter, will only lead to more of the same old false reports of doom and attacks that the Bush administration brought out every few weeks with the color-coded terror chart. In short, FEAR FEAR FEAR! All the while, they will only target people who happen to say things in a tweet that will be overblown and get them tossed out of the country (i.e. “blowing up America” by the Brit recently).

FUD.

Just Who Will Be Monitored Really?

Aside from the lowest of low-level jihadis or Anonymous, just who will really be monitored by this program, do you suppose? Why, you and I of course! I mean, it’s really just open source, isn’t it? The real targets are the stupid and the public here, really, and one must face this fact and accept it. This is no program that will actually end up with real terrorists being caught and cells disrupted, you know. See it for what it is: a means to an end, to have a simulacrum of control over the internet and the people using it.

“.. But Krypt3ia.. they are doing this to catch the bad men,” you say.

Sure, you can believe that if you want to, and there may be factions within the community that think this is the case, but overall you have to look at the pool being harvested from here. Since the advent of the Patriot Act, we have seen the FBI and others over-use and subvert the law to effect warrantless searches for domestic cases much more than for terrorism, the thing that the Patriot Act was created for. What this really is, is a driftnet approach to law enforcement, because technically the government and the LEOs are not capable of keeping up with the crime, never mind the terrorism really. So, they fall back to the idea that we can monitor everything and, after the fact, go back and look at data on “anyone” to make a case.

Easy as pie…

I am not inclined to believe that these measures are to be proactive either. Predictive maybe, to an extent, but in prediction we get another whiff of control, do we not? After all, the predictive nature of this type of monitoring is what the CIA and other countries do to assess when there may be an outbreak of civil disobedience, or perhaps insurrection might be a word for it. Either way, this is a means of control as well as a means to detect, and perhaps deter, depending on the use the owner makes of it.

It’s a tool, and it is up to the user what they will do with it. In the case of other states such as Syria, well, you can see how the technology is being used. Here in the US, I am not saying that this will be 1984 all over again, but do you really believe that you, the citizen, in the current environment will be able to know what is going on? Will you be able to FOIA the results of the testing and the monitoring to tell if it’s being misused? If you think that this will in fact be the case, I think you will be sorely surprised when you find that it’s all been classified and out of reach when you have questions. Frankly, I just see this as the next iteration of “Total Information Awareness”.. You know, John Poindexter’s baby? Yeah, fun fact, it never really went away, it just went into the black budgets and/or changed names.

In the end, if you have a Twitter account, Facebook, MySpace, blog, etc., you will be monitored.. Especially if you speak your mind or use key words that trigger an analyst’s attention.

Kinda like the Narus STAs in the MAEs out there siphoning data too.

Oh, Don’t You Worry, No Matter What They Say, YOU Will Be Monitored

In the interim though, Congress has had a meeting over the privacy concerns around this little project by DHS. The congress-critters got all up in DHS’s shit about the issue and said they are not comfortable with the program/laws around this. Now that Congress has acted on this, one might think that it would stop the program.. I am not so sure it will in fact do so. I think that the case will be made and assurances given that only those who are evildoers will be audited and that no privacy will be breached by such measures.

“We’re here to protect you”

It’s an old argument really, but in today’s digital world the issue is that instead of, say, a black chamber opening mail in a secret building by hand, you instead have machines collecting everyone’s data and sifting through it all for key words, phrases, memes and other data. This then spits out the alerts, and an analyst then looks at them to see if they warrant being passed along to others in the food chain. What also may occur here is that even if it’s not terrorism, they may in fact pass data on to others who may start investigations on those hits, even out of context, as you might be an agitator or show a tendency that they feel uncomfortable about.
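To make the “sifting for key words” step concrete, here is an added example that is not part of the original post and not any agency’s or vendor’s code. It runs a constructed watchlist over a handful of constructed posts, first as naive substring matching and then as whole-word matching, and scores the alerts against hand labels that stand in for what an analyst would only learn after investigating. Both the watchlist and the posts are invented for the demonstration; the point it shows is that every alert in the feed is a song review, a joke, a news report or a heart patient, while the one post labelled relevant contains none of the watched terms at all.

```python
# Added example (not from the original post): what machine "sifting for key
# words" actually produces, run over a handful of constructed posts. It shows
# the two things an analyst inherits from such a feed: substring hits on
# unrelated words, and in-context hits that are jokes or news.
import re
from dataclasses import dataclass

# Constructed watchlist for the demonstration; not a real agency list.
WATCHLIST = ["bomb", "attack", "blow up", "destroy"]


@dataclass
class Post:
    post_id: int
    text: str
    relevant: bool  # hand label standing in for post-investigation ground truth


# Constructed posts; none of these are real messages.
POSTS = [
    Post(1, "This new album is the bomb, best release of the year", False),
    Post(2, "Great photobomb at the wedding yesterday lol", False),
    Post(3, "Going to destroy America this weekend, party time!!!", False),
    Post(4, "Heart attack survivor here, 5 years clean today", False),
    Post(5, "Breaking: car bomb reported downtown, avoid the area", False),
    Post(6, "We will blow up that quarterly sales target", False),
    Post(7, "Meet at the bridge at 2am, bring the stuff, no phones", True),
    Post(8, "Coffee and a good book, quiet sunday", False),
]


def substring_scan(posts, watchlist):
    """Naive approach: flag any post containing a term as a substring."""
    hits = {}
    for p in posts:
        found = [w for w in watchlist if w in p.text.lower()]
        if found:
            hits[p.post_id] = found
    return hits


def wordbound_scan(posts, watchlist):
    """Slightly better: whole-word matches only, so 'photobomb' no longer fires."""
    patterns = {
        w: re.compile(r"\b" + re.escape(w) + r"\b", re.IGNORECASE) for w in watchlist
    }
    hits = {}
    for p in posts:
        found = [w for w, rx in patterns.items() if rx.search(p.text)]
        if found:
            hits[p.post_id] = found
    return hits


def precision_recall(hits, posts):
    """Precision: share of alerts worth an analyst's time.
    Recall: share of relevant posts the keyword net caught at all."""
    relevant = {p.post_id for p in posts if p.relevant}
    flagged = set(hits)
    tp = len(flagged & relevant)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(relevant) if relevant else 0.0
    return precision, recall


if __name__ == "__main__":
    for name, scan in (("substring", substring_scan), ("whole-word", wordbound_scan)):
        hits = scan(POSTS, WATCHLIST)
        prec, rec = precision_recall(hits, POSTS)
        print(f"{name}: {len(hits)} alerts, precision={prec:.2f}, recall={rec:.2f}")
        for pid, terms in hits.items():
            print(f"  post {pid}: {terms}")
```

Tightening the matcher from substring to whole-word removes only the “photobomb” hit; the remaining alerts are all in context and all wrong, which is exactly the out-of-context investigation problem described above. Recall stays at zero because keyword presence is not what distinguishes the one relevant post.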

Hell, today, if you buy a coffee at a Starbucks with cash AND you use WiFi AND you use encryption, YOU might be marked as suspect due to the fliers recently put out by the DOJ and the FBI on how to tell if one is a terrorist. God forbid you have a missing finger (or fingers) as well.. Then SURELY you are a jihadi or a militant.

*snicker*

Oh well, fear not, gentle reader.. Because all of what I have said above about this one program means nothing really. Why? Because this one program is only “one” of many out there being used by the government(s) to trawl the internet for data. I have mentioned a few others above and you can go look up the terms and see for yourselves. Post 9/11, we have truly become a watched commodity via the internet and all other means of communication we can buy. All of these programs have been put together with the veneer of being in place to protect us from another 9/11, and perhaps some of them were made with the best of intentions, but this idea of monitoring social media, well, it’s a little half-baked really, I think.

In the end, only the stupid will be caught. I mean really, look at what lengths OBL went to with cell phones and runners with messages; do you really think that much of the global jihad is being carried out over open communication lines like Twitter and Facebook? Sure, maybe people congregate there and THAT is useful information, but to monitor the traffic of everyone to get targeted data on “some” users is just useless if your goal is only to go after the terrorists.

Remember.. Above all it’s just a driftnet to make it easy…

Making Your Own Privacy Because You Soon Will Have NONE

I guess what this whole rant is boiling down to is this, and it’s something I have said before on many occasions: “You alone can make the privacy that you need to prevent such monitoring.” Encryption is the key to all of this. Whether that crypto be something along the lines of PGP or Vigenère is up to you, but what counts is that you are taking the pains to protect the communication that will pass over the wire. You can’t trust the owner of the wire, and you certainly cannot trust that the government or, hackers for that matter, aren’t watching or monitoring you either. So, it’s up to you to make the privacy happen.

With the onset of all of this, this week we also saw the first (I assume of many) solutions for encrypted tweets come along. I for one would love to see this solution work and be used by many on Twitter to protect their privacy, but then again, this is kind of an oxymoron, huh? As I said earlier in the post, who would use open lines to commit crime? So, once again, we are back to the question of what privacy one can expect, and, if one wants to be private, using a means to protect that communication.

*shakes head*

After that little turn, it really becomes clear that the monitoring of Twitter and the like really comes down to a privacy violation by the government so it can feel as though it is in control. The smart people will not be talking on Twitter about blowing things up, and everyone else who may say such things is doing it in jest, but will end up being investigated for their poor choice of words (140 characters at a time).

It’s a sad world we live in.

I hope that congress denies the DHS their wish, but, I am also certain that if they do, DHS will only hire out again to the likes of GD to do it anyway off the books so to speak…

In the interim, I will continue to encrypt love notes to DHS and others in hopes of making their day..

OOH LOOK ENCRYPTED MESSAGES! TERRORIST! WATCH EM!

K.

http://www.pcmag.com/article2/0,2817,2400429,00.asp

http://www.huffingtonpost.com/2012/02/16/dhs-monitoring-of-social-media_n_1282494.html

Written by Krypt3ia

2012/02/21 at 19:04

Posted in .gov, 1984