From our series Halloween Week Specials***
Quote of the day: Freedom sometimes tastes like a pumpkin left out just a wee bit too long after Halloween. ****
Blame this one on TheEditor coming back from its* once-every-decade watching of the movie Enemy of the State.
All of this anti-surveillance crap is too complicated! You need to make like Dave, and keep it simple!
But we don't ever need to hide, why bother?
Because Enemy of the State is a documentary disguised as fiction, you idiots. Pardon my French, scrap the you idiots, use team instead.
Listen to the master, and be awed. Remember General Dave and his liaison, they communicated via the Drafts folder of GMail. Both had the password, and they'd go and write their love emails without sending them. That's pretty simple. Now, once the other lady snitched, our protectors looked at the GMail account and the locations associated with logins and wondered.
Oh.
They wondered if a hero like General Dave managed to be in two locations thousands of miles apart within hours or sometimes minutes. That skill would have revolutionized warfare, but it was discarded because the idea that a man would write love letters to himself was too bizarre. I have been working on a better mousetrap. Let me explain, and I will use Bob and Alice because thinking of a fallen hero is too painful.
[nods, sound of shifting chairs]
Bob wants to send a message to Alice. As you...team... know by now, that creates a lot of metadata in addition to the fact that Alice's email address travels with the message. Enemy of the State gave me the idea to come up with a convenient dead drop. Bob puts the message somewhere, and Alice picks it up.
Ahm, boss, we talked about SecureDrop the other day?
I am not trying to outdo SecureDrop, for Aaron's sake. My solution is a bit less secure but a lot easier, a tradeoff, hear me out. Say, Bob is Alice's uncle, he lives in Iowa and is good at farming but less sure footed with computers. Alice, lives in New York as a graphic artist. She is good with computers but has a hard time making ends meet, and she can't work as a bartender because she hates the company of drunks. Every other month, Bob sends Alice an encouraging note, usually bible verses, but he does not want anybody to know, and Alice is somewhat embarrassed that she needs bible verses to see her through.
[hand covers mouth, hiding yawn]
So, ...team, here is the setup. Alice goes to her favorite blogging platform and sets up a blog. She picks a platform which has a "Comment" feature that does not require an account. Alice also makes sure that the blogging platform has "moderated" comments. It's standard these days, but this is the key to the bible verses. Alice puts a few content items on the blog and gives uncle Bob the https address of the blog when she visits Iowa for Halloween.
[tip of one foot going up and down, up and down]
Uncle Bob looks up a bible verse, goes to any of the posts on Alice's blog, pastes the verse into the comment box, done. Alice will receive an email not from Uncle Bob but from the blog server postmaster. Alice reads the comment awaiting moderation, then clicks "Do not publish" or the equivalent on her platform. Comments? [chuckle]
You could correlate Bob's visit to the web site with the web site owner, so you still have metadata.
Sure, but that analysis is not done routinely. It already beats the General and the Gmail account. If Alice's blogging platform is also an email provider, the bible verses "comments" email never leaves the hosting company.
Not very realistic, though.
Wait. Alice gets a great job in China, a one year contract at Panda Corp., and now Uncle Bob can continue to send bible verses even though the Chinese don't like it one bit.
But boss, isn't the Comments feature pretty much the same as a web form Contact Us feature? And won't Comments land in the database of the site?
They serve different purposes. A free blogging site does not give every blogger a Contact Us form. And yes, they may land in the database, but European or US providers don't care about bible quotes. You can use a plain text split based on the encrypted split described in this post. Sure, you need to turn off the Spam filter of the site, if they have one.
What's your take on using TOR, too?
If you want your bible verses even less traceable, TOR or a bog standard VPN are a good idea. I'd suggest that only one party, only Bob or Alice use such a service for that specific communication. But, remember, the less you stand out from the unwashed masses, the better. If Shakespeare were alive today and published under a well-guarded pseudonym on some web site, nobody might notice.
If you paste an encrypted message into the Comments and it does not go through?
Just test it out. If you cannot find a suitable blogging site, Alice can set up her own website and have a form named Comments. There is a lot of flexibility in this dead drop. You can, for example send the other party a link to a Pastebin or the latest Dilbert comic strips.
This can be used to bad ends, too, what would you say to critics?
Are rocks banned?
[puzzled looks]
David got Goliath with a rock, so sure, ban rocks if you feel like it.
Can we borrow your Enemy of the State DVD?
After Halloween, sure.
* TheEditor insists on gender neutrality, hence the form "it".
** Eff is not the same as EFF. EFF is the acronym for Electronic Frontier Foundation, the good guys. Eff may be good or not, depending on your taste.
*** Please remember, we do satire, which, by its nature, messes with perceived wisdom.
**** Who came up with that nonsense? Somebody must have.
No comments:
Post a Comment