Playing their game. An idea, some speculations and discussion.

[proxx]

So anyone who is interested in security and anonymity must have been increasing shocked by the 'recent' events.
I shouldnt have to explain that any further.
So we can basically state that many encryptions on which almost anyone relies are flawed (Ive had some discussion about using this word but I think it fits the definition, if its not point to point secure its flawed)
Its hardly a suprise that anonymity is dead, only the scale on which this is happening cant cease to blow my mind.
One of the most intriguing parts imo is the automated packet capture and filtering in which millions or more is invested that along with the capability of decrypting  it, for x part.


Talking about flaws, there is one theoretical flaw in their system aswel.
There is just too much data to be analyzed, at least by humans.
As a subsitution they would use massive ammounts om computational power and if course software to do the job.
Nothing new so far..
Ive been playing with the idea for a while to do exactly the thing that would confuse this system to such an extend that computational extraction of data could be considered useless.
Everyone here must have heard of those firefox plugins that send random search queries to the big boys to randomize their profiling.
What if something similar would be launched on a massive scale only than with the type of data that would be filtered out by the big parties controlling the game.
Thousand or millions voluntarily sending garbage 'malicious' data , everyone would be a 'terrorist'.



Any thoughts ?

[vezzy]

First of all, enough of this "oh god we're shocked, how could you NSA" bullshit. NSA surveillance has been known for decades, but it took the Snowden leaks for the sheeple to finally realize that they're being watched. And even then most don't care, indiscriminately posting personal info and pictures of themselves and others everywhere.

That said, the idea - inundation with false positives, sounds good enough in theory. It's very primitive, but it works, much like a script kiddie taking down a medium-sized website with a Layer 4 DoS from his shitty IRC botnet.

The problem is that you need to know exactly what keywords to use that can trigger the NSA's filters. Benign inundation is useless, as it'll slip by into the archives without particular notice. That's the main issue with extensions like TrackMeNot - their queries are randomized, so it can send both junk that is benevolent and junk that is suspicious.

What we need is a system that can send junk data constantly to tons of servers, that is openly malicious BUT is also smartly constructed. This means making it RFC-compliant as possible, difficult to fingerprint, perhaps modular and extensible, and able to adapt to all sorts of ostensibly malevolent garbage.

For instance, instead of just spamming with queries such as "overthrowing government", it can also generate cryptographic keys and hashes on the fly and toss them around, so the NSA will waste time on decrypting worthless data.

We could do much thought on this.

In fact, perhaps make this a group Evilzone project?

[Thor]

If you were able to identify the keywords used by the NSA and your idea actually became a problem for them you can bet they would do their very best to fuck you over. No doubt you would be raided at 5am, have all your possessions seized, family harassed, you'd be called a terrorist and charged with whatever crimes they could pin on you (half of them will be made up) and they'd defend their actions as they always do, to stop the "terrorists".

[Zesh]

If Anon can get a lot of morons to DDoS sites then a system like this could too and they can't arrest everyone.

[vezzy]

If you were able to identify the keywords used by the NSA and your idea actually became a problem for them you can bet they would do their very best to fuck you over. No doubt you would be raided at 5am, have all your possessions seized, family harassed, you'd be called a terrorist and charged with whatever crimes they could pin on you (half of them will be made up) and they'd defend their actions as they always do, to stop the "terrorists".

The whole point would be to spoof the destination headers and have this done en masse.

[Darkvision]

Im not saying that fighting this is wrong, i think it should be. However doing it your way will not force change. For one(since someone else brought it up) what change has anon brought? most of the organizations they have targeted have lost some cash, maybe some PR thats about it. They are still doing it how they were. Now apply this to a government.


If hackers start doing this(or making a package that does that gets widely distributed) it wont stop the NSA. Instead they will get MORE funding, and MORE focus. with us being seen an even MORE negative light by the general populace. Im all for fighting for what you believe in, but you should try to find a way to do such that an actual impact can be made. i dont think what equivocates to ddosing their databases will do this. Instead why not spend that time/money on projects that CAN help. make more styles of encryption, make more programs that use them with more versatility. keep it open source, as this makes it hard to be backdoored. make more secure ways to communicate over voip, im irc etc. this serves two purposes. 1 it does what you want, gives them more data to go through, but even better more analysis taht is needed human side. 2. it gives the end user a much better chance of being secure than what is currently available, and hey its a great time to get out their for it as people right now are aware of the issue, they wont be in 6 months. 

[lucid]

Im not saying that fighting this is wrong, i think it should be. However doing it your way will not force change. For one(since someone else brought it up) what change has anon brought? ....

Ok so let's just do nothing then.

However, you are right. After much thought and debate and reading over the years I've realized just one thing. Nothing in this country, nothing in this world, people, governments, those in power, the military industrial complex, the medical industrial complex, and so on...

Nothing will change. Not if you only try to change one thing at a time. I'm not sure how radical you all are(seems like most of the people who have posted on this thread are radical enough) but if you have interest in saving yourselves, saving people, saving the planet, and so on.. then you need to take it all down. Take it all down at once. Otherwise it will just rebuild whatever part you damaged. It's not impossible to overthrow or otherwise take down a government. The military does this all the time. You just need to make sure you don't take too much time. Time allows the system to rebuild. They take out the infrastructure, the system starts to cripple. People get scared. They take out shipping and transportation, further weakening of the system. People start to go hungry. They take out communications, repair of the system gets harder still. People panic, people get angry. System collapses.

Another thing I wanted to add. You see all these idiots like Anon and so forth trying to hack government websites and databases. This is stupid. You certainly aren't going to change anything just by crippling a few webpages.

Shipping. Shipping is were it's at. Many of these large shipment hubs are automated. Now imagine if you hacked into one of those systems and instead of a very, very large shipment of food and goods heading towards America, you simply.... redirect said shipment somewhere else. Do you have any idea how much money it would take to fix the problems and damage that would cause? Millions. Shit, billions. Theoretically, an operation like that has the potential to completely cripple that shipment hub beyond recovery.

At least that's the idea....

[vezzy]

Honestly this concept could be conceived in much more elegant and intelligent ways than a simple flood of garbage data.

A project such as this would aim to poison the information pool with false positives. This could be done through traffic forgery, rather than outright DoS.

My mind is kind of stale at the moment, but if we do some research we could work out a fairly decent model of what this could entail.

[proxx]

First of all thanks for all the input everyone, Ill take the time to consider all of your statements and respond, soon.

Honestly this concept could be conceived in much more elegant and intelligent ways than a simple flood of garbage data.

A project such as this would aim to poison the information pool with false positives. This could be done through traffic forgery, rather than outright DoS.

My mind is kind of stale at the moment, but if we do some research we could work out a fairly decent model of what this could entail.

Together with your other post I agree with your point that is should be very well thought through, not just ddos.
If any such project is ever to see the light of day it would require a very strong technical contruction.
I indeed aimed at generating false postives , if the amount of 'triggers' is vast enough versus 'real'  traffic it could work.
As mentioned below its difficult to know which those are [insert speculation/discussions].
bbl.
 

[Xorsion]

This is a rather interesting discussion, and although I lack the technical competence to argue any points made here, I thought I'd simply speak my mind.

First of all, I'd like to emphasize on Lucid's point: Radical changes require a "flood" of -coordinated- movements. Pretty much like a voltage spike, if you will. Act too far apart on the time axon, and you're fucked, you've given them time to fix any damage and prepare. However, such a radical change could be classified as an "active defense" in my opinion. And it is also something that requires physical action, aside from hacking automated infrastructure routines. In other words: It is severely dangerous. Besides, I think Proxx's point was the creation of a "passive defense" system (in this case, one that requires no physical action and as such lessens the potential of being harmed) - Even though something like that can NOT offer -radical- changes in any society, it is a good start, and the hacking underground should be the creator of such a system (If not you, hackers, then who?).
In other words, I think we shouldn't linger too much on the thought of -radical- changes, at least not for the time being.

Secondly, regarding the points made by proxx, vezzy and Darkvision:
1. I won't go into technical talk, as I lack knowledge in this area and rather not talk bullshit.
2. The idea of crafting such a system is surely something decent. The point should be straining NSA's manpower AND computational power to the limit. Creating a system that's very difficult to crack is one thing and creating a system that slows down any and all human-handled investigations is another thing. Both are decently powerful, but alone, useless. Unless the two are combined, it's already a lost battle (Check Lucid's point above).
I think that the effort of creating something like that should, oddly, NOT be opensource (sidebranches of it, not openly related to it, could be opensource, as Darkvision suggested) -  That is, until it is actually made. This is essentially a system that would screw with the government.
Unless you're out of your mind, you don't openly fuck with the government.
3. <Linked with #2> : If you do decide to start this as an Evilzone project, it would be a good idea to simply start... Disappearing. The more traces you leave behind, the more likely it is you'll fail. A good idea, in my opinion, would be to gather info on who's interested, leave them some time to think it over, set up a date to meet on IRC or wherever, formulate a longterm plan, and then disappear from the face of the Internet. After some pre-defined time, you all meet again and discuss what progress has been made. This process will most likely be repeatable, but the further apart the meetings are, the better. Also, I'd like to stress: If you're an American, do not even consider taking part in this. Or well, if you do, I think my idea would be a must, unless you want to become a sitting duck.
4. I've also been thinking on something for some time now, and feel it fits such a project, so I'll drop the idea here. I do not know if it is theoretically possible, or even if it has been done before and is now considered insecure, so bear with me. Anyway, the idea is to create a piece of code that would be able to alter itself (as in, through a most likely very complex procedure, self-alter its own code into a non-gibberish text, and still remain functional) - After that, I thought: Yeah okay let's assume that does happen, so what? It can still be easily cracked by analyzing the code without ever running the executable part. - And then it hit me.
Would it be possible for such a code to also have a secondary defense mechanism? I've been thinking to implement a system that erases and totally shreds the program immediately upon "breach". I mean, if I were a cryptanalyst and whatnot and someone handed me a piece of code and said "crack it", the best way for the code to protect its content would be through self-destruction. Such a defense system should activate as soon as anyone would try to analyze it (examples include inspecting it, attempting to transfer the code in a secondary program and whatnot in order to safely analyze it etc etc). No idea if it is possible, just saying.

Anyway, no more ideas at the moment, and apologies if the text has been tiresome.

[Mordred]

Nothing will change. Not if you only try to change one thing at a time. I'm not sure how radical you all are(seems like most of the people who have posted on this thread are radical enough) but if you have interest in saving yourselves, saving people, saving the planet, and so on.. then you need to take it all down. Take it all down at once. Otherwise it will just rebuild whatever part you damaged. It's not impossible to overthrow or otherwise take down a government. <snip>

This, a million times.

And indeed, if there ever is going to be a "project" related to this, maintaining as much as possible the anonymity of those developing/working on it should obviously be the most important point.

Also I see a lot of talk about passive defense. Honestly, given for the example the incredibly valid point that lucid made in the quote above, passive defense isn't going to cut it. The best defense is offense you know.

[Darkvision]

@lucid, i wasnt saying lets do nothing. I was trying to say that one needs to look at what the end goal is, which is change, and to craft your response in a way that forces a change. This of course can always go in ways you didnt expect. However if your going to do something openly malicious, it is far to easy to be branded a traitor or whatever other word the media/gov wishes to apply to you. 


@others: Again i dont see attacking the system in a way that you KNOW will make you a wanted man(or woman) is the way to go, at least yet. Yes their are times to truly rebel, i however do not believe that time is now. I DO think its fixable, its not yet time to burn the house down and start from scratch. Yeah the house is dilapidated, and darn near condemned, but it isnt yet going to fall down.  Also open source IS the only way to go, as has been proven again and again, closed source=backdoor. 


Anyway i guess some more on what i was thinking about. I think what we need in these days, is something that wasnt economically feasible in the past. My idea/premise is based off of encrypted containers(static)/ the old style voice encryption from WW II. Im not an expert in cryptography, i may be missing something or not see where it wont work. However i dont see how throwing out an idea can hurt. maybe something can come from it.


Premise: create a fixed rate of data per second point to point between two devices. The PC's would create a "cap" on data bandwidth between the two, you would obviously want to set this below what your max data rate is to ensure reliability.  In essence what is going on here is a 1mbps(or a lower more reasonable figure ) constant connection between PC A and B, even when nothing is being sent, the "container" portion of IPv6 would be maxed sending packets at a fixed rate, each proceeding one(after the handshake) would let you know how much change is needed off the top to know the actual encrypted packet, THEN that packet would be decrypted. Each "connection" would use a one time pad in the encrypted standard of choice.
note:i think IPv4 packets hold far to little data, making it not only slow, but easier to crack.


Example: Computer A and B set blowfish as the encryption standard and choose a encryption size(say 128 :p). PC A handshakes with PC B and establish an agreed upon constant packet rate.
PC A's first packet once the connection is established maxes the container portion of the packet, and from the handshake it is "known" how much to subtract (bit wise) to know what that packet contains/what is encrypted. Part of what that packet will contain (encrypted) what is the next correct encrypted container size. So even when you are not sending data (whether its because its being processed, or you just have nothing to send at the moment) the network would still see data being constantly sent. This is in essence the "noise" portion of the idea, as well as the fixed size encrypted container. since the packet rate is constant, and based off of your two connections during the hand shake no eavesdropper can tell what you are sending or if you are sending anything at the time(unless of course they break the encryption). This negates a number of attacks on the encrypted traffic as well as   creating a lot of "bloat" to sift through. To me the only really vulnerable time in this process is the handshake itself or the encryption standard being used.


not sure how well i explained what im thinking, and not sure if their isnt something im missing. thoughts?

[Uriah]

I realize how angry we all are about the NSA thing, but from a political standpoint, crippling the US or any other country is a very bad idea. Like, really bad.

I wont bother to argue it unless someones disagrees...does anyone disagree?

[proxx]

I realize how angry we all are about the NSA thing, but from a political standpoint, crippling the US or any other country is a very bad idea. Like, really bad.

I wont bother to argue it unless someones disagrees...does anyone disagree?

This is not about anger.
Nor did I intend anything malicious, why would sending 'garbage' be malicious , since when am I not allowed to talk about certain material, be it mechanized.
Its not my fault that eventhough nearly every law in the world prohibits it ,all is tapped anyway by some delusional g8vern.
This is about freedom of the user , freedom of speech and reality, not anger.
In fact, whos attacking who?

[imation]

I beleive this chat should be moved away from public facing forums...

I actually like the idea of diluting the information they are looking for... nice "defensive" tactic!

I could argue this issue for weeks about who, what why and why not but i cant be arsed!

This tool COULD be used for something else too... again maybe in another protocal