If they cannot break the anonymity, they will pre-emptively arrest anyone using it

Discussion in 'privacy technology' started by Ulysses_, Jan 25, 2014.

Thread Status:
Not open for further replies.
  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    Does anyone agree with the following?

    Any anonymous traffic will eventually attract dictatorial regime attention, as more and more countries are becoming covert dictatorships. If they cannot remove the anonymity, they will pre-emptively arrest anyone using it, whether a criminal/activist or not.
     
    Last edited: Jan 25, 2014
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    To the extent that things turn out as badly as that, I agree.

    Those who value privacy and freedom may eventually need systems based on covert channels, using clients (and perhaps routing servers) that run software that's hidden, and plausibly deniable. Streaming video already dominates Internet usage. Even now, 0.1%-1% of that throughput would suffice for private communication at POTS modem speeds. Within a decade, perhaps a few Mbps would be available.

    One can imagine something like the current Tor network. But the software (client/relay) would spread and hide as botnets do now. There would be no observable differences between machines owned by participants and those owned by non-participants. And so, possession of the software would be plausibly deniable.

    The software would do nothing on machines owned by non-participants, except for sending random data via the covert channel. That would not affect them measurably. There would just, for example, be small changes in packet timing.
     
  3. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Sounds just about right. That's why I'm trying to keep private stuff offline. As for everything else there is just so much you can do.
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Only the worst totalitarian societies will go to that extreme but putting users of VPNs on surveillance lists is very likely even in fairly open societies. In fact, I would say it is already occurring and is likely to occur more and more in the future. I have felt ever since I started using the internet that privacy really doesn't exist online. There is relative privacy. Email is more private than posting something on Facebook but anything I put in an email, I do so knowing that someone somewhere someday could read it and I never put anything in an email that I want to keep truly private.

    In fact, I do a lot that is public and that I want to be public and I use the internet to make sure it gets out. What I really want to keep private will never go online in any form.
     
  5. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    Do covert channels really exist in video streaming? Heard of the least significant bits of colour being used for that, in either the spatial domain or the frequency domain. Wouldn't these bits have different statistics from true random data or covert communication data, different enough to be detected if enough data is transmitted?
     
  6. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    One issue here is that you may change your mind in the future, what seemed ok for email yesterday may be used against you in unexpected ways some day.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The details aren't important now. I've read most about changes in packet timing. Ensuring apparent randomness would be crucial. Naively, I don't see that problem as fundamentally harder than for disk encryption.

    If the software were present and active on enough machines, hiding traffic perfectly wouldn't be necessary. Non-user instances could handle meaningless traffic, rather than random data. Or they could be passive relay nodes.
     
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Could be but unlikely. I've already been through some experiences where my public statements have been turned against me and I've had to go back and redefine what I initially said. I've also had some really ridiculous email debates where I've had to deal with someone who went into absurd detail--email responses that printed out in several pages. When the Snowden revelations came out, I just laughed at the possibility of these emails being read by someone in the NSA. The bottom line is that I have a pretty well structured set of guidelines for what is acceptable for email and what isn't and I stick to them.
     
  9. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    Maybe they would then make the software illegal and/or force Microsoft to report it or covertly break it.

    Did Snowden say anything about similar tactics on Linux or BSD?
     
    Last edited: Jan 26, 2014
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It would, almost by definition, be illegal, because it would spread like current botnet apps do. But, unlike botnet apps, those interested in using it would help it to spread. Ideally, it would end up on every machine with Internet connectivity. Basically, it would be a benign rootkit botnet, and very hard to detect. It could also include features to detect and remove TLA malware, defend itself from attack, and so on.

    What tactics?

    This thing that I'm proposing would run on all platforms.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Very tall order, especially if it's to be installed remotely or covertly. If you find or build one, I'll be glad to test it. That said, if this is going to function as a rootkit, the last statement will have to be modified to read "run on all modern or current platforms".

    Regarding the original topic, the NSA has already expressed its frustration with Tor. The fact that Tor can be used to transport strong encrypted content could frustrate them on 2 fronts, decryption and tracking. I expect to see a false flag event in the not too distant future that will be used to designate Tor and similar technologies as terrorist tools, and for them to use that staged event as an excuse to ban them.
     
  12. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    How are rootkits detected anyway, if Microsoft were to detect this software with the malware removal tool that people often download as part of the updates?

    Or Microsoft might add updates that make specific versions of the software impossible to install in the first place.

    The tactic of forcing Microsoft to report (to three letter agencies the IPs of users) when such software is found in Windows might be duplicated in popular Linux distros or BSD: for example Ubuntu Inc might be ordered to send updates that detect the software and report back to Ubuntu Inc in the next update the discovery of the software, and the IP of the user, to send to three letter agencies.

    And as there is no such thing as a rootkit in Linux or BSD, a colluding distro can easily detect the software.
     
    Last edited: Jan 26, 2014
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe I've developed the idea, but I have zero clue how to actually implement it. From what little I've read about the requisite components, it should be feasible. At least on Windows, I mean ;)

    You may be right. But it's complicated, because the US and its friends (and enemies) use Tor, and they depend on other Tor users for background routers and traffic.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I don't believe that such tools do a very good job at detecting rootkits.

    That might happen. It would be a contest ;)

    Sure. Also, the NSA also likes to install malware, so that would also be a contest.

    Certainly there are such rootkits. They aren't very prevalent in the wild, but that's mostly because there aren't enough Linux etc machines to bother going after.
     
  15. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    Wouldn't too much streaming to carry covert channels become noticeable to either unsuspecting users as performance is affected, or to a network adversary as unusual behaviour?
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The beauty of covert channels is that, properly implemented, they don't affect performance. There's no additional traffic.
     
  17. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    I was referring to the stream traffic, not the covert channel it carries. Is this not about hiding modem-speed data in much bigger streams of video?
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'm assuming that virtually everyone will use HD video chat, conferencing etc. I'm not proposing any additional video traffic. You could be catching up with XYZ on Google+ in one VM, while posting to some [whatever] site in another VM, with that traffic encoded covertly in the Google+ chat traffic. I don't have a clear idea how the routing would work.
     
  19. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    If users A and B are having a video chat through Google+, and users C and D are having another, how can a covert signal pass from A to D? What are the chances of a further video link between group AB and group CD (a chat is not high-bandwidth enough for covert channels, is it?).

    In other words, how can you have something like TOR out of disconnected groups of your software instances?
     
    Last edited: Jan 28, 2014
  20. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    This covert channel (AKA steganography) has bandwidth limitations. In general, you are limited to about 1% of the size of the covering data. If you replace all the LSBs in a data stream, a statistical analysis can easily prove there is something there. 1% is probably enough for most applications but as with other security/privacy tools, there are limits.
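
The statistical point made in this post, and asked about earlier in the thread, can be checked with a pairs-of-values chi-square test: random LSBs equalize the counts of neighbouring values 2k and 2k+1, which a natural histogram does not do. This is an added example, not part of the original thread; the cover data is constructed, and the function names and the threshold of 3 are assumptions for illustration.

```python
import random
from collections import Counter

def make_cover(n, rng):
    """Constructed stand-in for cover samples (not real video data): 8-bit
    values with a smooth peaked histogram, so 2k and 2k+1 differ in count."""
    return [min(255, max(0, round(rng.gauss(128, 6)))) for _ in range(n)]

def embed_lsb(samples, rate, rng):
    """Simulate LSB replacement: overwrite the low bit of a `rate` fraction
    of samples with random bits (an encrypted payload looks random)."""
    return [((s & ~1) | rng.getrandbits(1)) if rng.random() < rate else s
            for s in samples]

def pair_chi2_ratio(samples, min_expected=5):
    """Chi-square over value pairs (2k, 2k+1), divided by the number of
    pairs tested. Random LSBs equalize each pair, giving a ratio near 1."""
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if (even + odd) / 2 < min_expected:
            continue  # too few samples for the chi-square approximation
        chi2 += (even - odd) ** 2 / (even + odd)
        pairs += 1
    # No testable pairs means no evidence either way, so never flag.
    return chi2 / pairs if pairs else float("inf")

def looks_embedded(samples, threshold=3.0):
    """Flag streams whose pairs are suspiciously equal. The threshold is an
    illustrative assumption, not a calibrated value."""
    return pair_chi2_ratio(samples) < threshold

def demo(n=100_000, seed=2014):
    """Return the ratio for a clean cover, 1% embedding and 100% embedding."""
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    return {rate: pair_chi2_ratio(embed_lsb(cover, rate, rng))
            for rate in (0.0, 0.01, 1.0)}

if __name__ == "__main__":
    for rate, ratio in demo().items():
        print(f"embedding rate {rate:>4}: chi2/pairs = {ratio:.1f}")
```

The clean cover and the 1% case both give a ratio far above 1, while full replacement collapses it to about 1, which is why this particular test catches wholesale LSB replacement but not sparse embedding.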
     
  21. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    Something harder to break is advocated in above posts: put the data in the timing of packet transmissions, which requires plenty of packet transmissions, e.g. video streaming, and make the statistics closely imitate normal packet transmissions, so not all random patterns are allowed but probably a Gaussian "bell-curve" distribution or a Poisson one or whatever matches the measurements, so less information content, so even slower covert data channels.

    It would be fascinating if creative/inventive minds like mirimir joined forces with highly productive rootkit devs. But the latter are probably in another world, one that is too shady for any good causes, and full of three letter agency types.
     
    Last edited: Jan 28, 2014
  22. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Ah! missed the part about timing statistics.
    Still very tricky. How would one separate deliberate timing jitter from the random jitter of normal internet traffic? It would have to be a highly redundant data encoding with error correction. Even then there would be lots of garbled packets so lots of retransmit requests. I would have to say that my original 1% figure may be rather optimistic in that case.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The covert-comm software must also be running on the servers that handle all that video traffic.
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I had said 0.1%-1% of the cover data stream. At 10 Mbps, that's about 10-100 Kbps. Not that long ago, 64 Kbps was considered fast ;)
     
  25. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    275
    Covertly run software in Google's and Microsoft's servers? It is an even longer shot than it seemed in the beginning.

    What about modifying existing p2p filesharing technology to carry covert channels the same way?
     