Fighting back against NSA sabotage with a dead-man's switch

Here’s a solution: Fuck their shit up. Tear down the NSA and put an end to this by insisting that not one democratic vote go to anyone who has ever worked in the Obama administration.

Of course, Democrats have no taste for showing their politicians who’s boss. As long as that continues to be the case, there will always be two virtually indistinguishable parties in America. Oh well.

1 Like

I wonder if an unfortunate side-effect of this project would be providing the NSA with a list of targets who are obviously concerned with security/privacy, and hence (to the NSA hive-mind), “have something to hide”.

1 Like

The library-sign idea came up right after the Patriot Act was passed, with its provisions that the government could monitor your library records, and the library was not allowed to tell you if they did. (Here’s a Wired article about it from 2004.)

No no no, we have it all wrong. Exactly backwards.

Ask a friend to do this:
ping -i 43200 myipaddress > deadman.txt &

As a friend, their job is to monitor if you are still there. And question you if you disappear for more than a day.

When the NSA comes a-knockin’, you pull a Lavabit and turn off your server. When your friend then comes a-knockin’, you say one of two things. 1. “I had an outage and I’ll be back up later today.” OR 2. “My server is off now. I can’t talk about it.”

Neither of which is a lie or a violation of a gag order. But both of which communicate the situation fully.

5 Likes

It should be the opposite… see my response below. Just do it with ping. It should be that you sign up to monitor the IPs that you care about, as a friend. That way they don’t have to do anything questionable. They don’t have to do anything. They just exist. Meanwhile their friends are looking out for them. When someone disappears, the friends need to inquire. The person with the gag order just says, 1. had some upgrades, here is my new IP or 2. I’m fine, my server is off, I can’t talk about anything. Both of which communicate fully without breaking any laws.

If you’re willing to get rid of the Tea Baggers and the Repugnicants too, then I’m in. But if you’re just slashing and burning Democrats, then go jump in a lake.

3 Likes

How about stating, “We have not [big wink] received a secret gag order”?

That’s not an unfortunate side effect. That’s a beneficial bonus. Because in most cases, the NSA are trawling through irrelevant data they can’t actually use, and using this busywork to justify their huge budget. They only have finite resources, so attracting them to targets who really don’t have anything in particular to hide wastes their effort and makes them more likely to miss something they could use against you or someone you care about.

For the LavaBit situation, I wondered how you might put a deadman switch into client-side JavaScript code. It made me wonder if you could have the code cryptographically signed by multiple people, only one of whom should actually be LavaBit. The others should be random people or security researchers. In fact, perhaps the code should only be signed by parties unaffiliated with the business who are paid as outside consultants to review code changes and sign off on them. Then you’d need to find a method of having the code validated in the browser. If this isn’t possible today, I’m sure it might be possible to write a browser extension to allow support for signed HTML/JavaScript.
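The multi-party signing check described in the post above, as an added example that is not part of the original thread: a script is accepted only when enough pinned reviewers, including enough outside ones, have signed its exact bytes. It assumes Node's built-in `crypto` with Ed25519 as a stand-in for whatever a browser extension would use; the reviewer names, policy fields and sample script are constructed.

```javascript
const crypto = require('node:crypto');

// Constructed reviewer: `outside` marks a party unaffiliated with the vendor.
function makeReviewer(name, outside) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { name, outside, publicKey, privateKey };
}

// Detached Ed25519 signature over the exact bytes that would be served.
function signScript(reviewer, script) {
  const sig = crypto.sign(null, Buffer.from(script), reviewer.privateKey);
  return { signer: reviewer.name, sig };
}

// Accept only if enough distinct pinned reviewers signed these bytes and
// enough of those are outside reviewers. Duplicates count once.
function verifyScript(script, signatures, pinned, policy) {
  const data = Buffer.from(script);
  const valid = new Set();
  for (const { signer, sig } of signatures) {
    const reviewer = pinned.get(signer);
    if (!reviewer) continue; // signer not in the pinned set: ignored
    if (crypto.verify(null, data, reviewer.publicKey, sig)) valid.add(signer);
  }
  const outside = [...valid].filter((n) => pinned.get(n).outside).length;
  const ok = valid.size >= policy.threshold && outside >= policy.minOutside;
  return { ok, signers: [...valid].sort() };
}

// Constructed demo data. The client pins public keys only.
const vendor = makeReviewer('vendor', false);
const alice = makeReviewer('reviewer-a', true);
const bob = makeReviewer('reviewer-b', true);
const pinned = new Map([vendor, alice, bob].map(
  (r) => [r.name, { outside: r.outside, publicKey: r.publicKey }]));
const policy = { threshold: 2, minOutside: 2 };

const release = 'function encrypt(msg, key) { /* reviewed build */ }';
const altered = release + '\n/* change no outside reviewer has seen */';

const releaseSigs = [vendor, alice, bob].map((r) => signScript(r, release));
// The vendor alone re-signs the altered file; reviewer signatures are stale.
const alteredSigs = [signScript(vendor, altered), ...releaseSigs.slice(1)];

console.log(verifyScript(release, releaseSigs, pinned, policy));
console.log(verifyScript(altered, alteredSigs, pinned, policy));
```

The second call fails because the outside reviewers' signatures no longer match the bytes, which is the signal the post is after: a change the vendor was made to ship cannot pass without reviewers who are not bound by the same order.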

I’m saying that the Democratic Party is not sacred. I’m a liberal, I only happen to vote Democrat.

2 Likes

Yup. Me too.

Seems more likely to me that any service of any significance that starts sending the “no secret orders” messages will quickly get an order to stop sending them, regardless of whether or not they’ve actually been compelled to compromise user data.

The result would be that every service that isn’t sending the message (which would shortly become virtually all of them) would become suspect, and the lack of a message would become meaningless. Essentially drowning out the signal with a bunch of noise.

Does anyone know how to programmatically verify a digital signature on an email? I had a quick look at doing this, and I have a script that scrapes the headlines out of the BBC’s RSS feed, and automatically signs them with an ASCII-armoured DSA key, then sends me an email from a throwaway gmail account. To make the warrant canary, I need a script that pulls replies to the email off from Gmail, and verifies the presence of the second signature.
