Let em listen...
Years ago I adopted a "policy" that anything I do/write/speak is going to be listened to. That doesn't stop me from saying whatever I want.
That said, just because they can get the raw data, doesn't mean it has to be intelligible. Sure they can get copies of my emails, but with PKI encryption, they'll have to burn a bunch of cycles to read them. Maybe they'll get a good recipe for rack of lamb for their trouble, maybe a "hello" to an old friend or some other stuff that won't interest them in the least. It matters not. Since I'm a law-abiding citizen, what they won't get is anything "useful" to securing the country or enforcing laws. They are just wasting their time putting the law-abiding under the microscope. So get them to waste enough time that it becomes unproductive... and then impossible.
What would make a huge dent is if more and more people encrypted their everyday communications. When the mass of "secure" (nothing is forever, just for some period of time) traffic becomes overwhelming, the clowns at FBI/NSA will get more selective, and stop hassling workaday folks with this nonsense. I would encourage everyone to get a free certificate from Thawte or another provider, or use GPG/PGP/etc religiously. Generate certificates often (yearly). The FreeSwan project was an attempt at something similar, ubiquitous encryption of all IP traffic.
Don't do this because you have something to hide, but because it causes expensive resources to be utterly wasted, resources that would be better put to use on other fronts (real threats). That will lead to "profiling" of terrorists instead of grammaw's emails being cracked and read, and some beaurocrat trying to figure out the exact location of those bunyons and liver-spots she talked about. The gist is kind of like everybody having fake weeping-dynamite strapped to them and showing up the airport, forever... TSA would have to decide whom to spend more time on.
I found this book, and others like it useful in ideas for steganography:
Disappearing Cryptography, Second Edition - Information Hiding: Steganography and Watermarking (The Morgan Kaufmann Series in Software Engineering and Programming) (Paperback)
If somebody doesn't know the message is even there, they can't read it.
Some nice ways to hide and/or encrypt your more-important messages in email, mostly for programmers who can write a relatively quick program to do these things and distribute it:
1) Make a fake reply-to and stego your message inside what is obviously a "spam" email. Send hundreds or thousands out, the real recipient just needs to get one and decrypt the hidden message. There are lots of "open" email servers out there, pick one. Use a subject that will immediately turn everybody off or get culled from other mailboxes... something like "Huge Spooge Now!", and make lots of grammatical and spelling errors. In short, make it authentic looking spam, and have fun with it.
2) Use the submariners and diplomats method. Make CD's full of one-time-pads for your encryption client. Hand to your buddies. Send an encrypted email using one of those pads, put the CD/cipher/pad name or number in the subject so its cleartext. Without the CDs and contents, it will take brute force to crack, and all that work is worthless toward cracking future messages, since they keys and cipher(s) will be different.
3) Layer your encryption. Nothing wrong with passing some text (the more the better, pad with lots of stuff, like the constitution, for example) through one cipher engine after another, as long as the other side knows how to decrypt. Don't even think about using common keys throughout though. Make the message like the inside of an onion, lots of layers.
4) Write a set of clients that creates private keys from common objects in plain sight. Use say the picture of the white house from their website, the text of the Constitution from a .gov website, a pic of the current pres, etc. Hash all of them, combine hashes, hash the hashes your "lucky number" of times, etc. whatever you want. Then take the hash (and maybe your birthday or something else) as a seed as a private encryption key. Then XOR the data with some other pics on the web (one after another), maybe something bizarre and freakish like (I actually used this once for a business customer who demanded maximum obscurity of data) a link to a pic of a naked chick with a lobster in an inappropriate place, etc. Have some real fun, that's also important! Think about the looks on somebody's face whose trying to keep up with the madness you've built into it, before just giving up to try a brute-force approach. Email the ciphertext. In other emails provide clues as to what to use (and number of iterations of hashing or other variability) so your recipient starts his copy of your custom client which comes up with the identical privale key and XOR combos. Better yet, combine this with the CD-one-time-pads full of pics and document text on each side. Talk about a winner... Again, make the cracker go to brute force and waste cycles that translate into hours/days/months/years.
5) All the above can be used to write a VOIP proxy that offers realtime encryption of the datastream. Again, have fun learning and doing it.
The name of the game is this: force the snoopers to use brute force... always. 99% of the time you can force their hand, somebody is going to decide your message isn't important enough to throw the machine cycles at.
And yes, I write encryption/stego for a living, among other projects (for financial institutions, not some evil empire, foreign or domestic).
If anybody is interested, I'll do a writeup on how to beat keyboard snoopers running on your hardware also for messaging purposes.
Years ago I adopted a "policy" that anything I do/write/speak is going to be listened to. That doesn't stop me from saying whatever I want.
That said, just because they can get the raw data, doesn't mean it has to be intelligible. Sure they can get copies of my emails, but with PKI encryption, they'll have to burn a bunch of cycles to read them. Maybe they'll get a good recipe for rack of lamb for their trouble, maybe a "hello" to an old friend or some other stuff that won't interest them in the least. It matters not. Since I'm a law-abiding citizen, what they won't get is anything "useful" to securing the country or enforcing laws. They are just wasting their time putting the law-abiding under the microscope. So get them to waste enough time that it becomes unproductive... and then impossible.
What would make a huge dent is if more and more people encrypted their everyday communications. When the mass of "secure" (nothing is forever, just for some period of time) traffic becomes overwhelming, the clowns at FBI/NSA will get more selective, and stop hassling workaday folks with this nonsense. I would encourage everyone to get a free certificate from Thawte or another provider, or use GPG/PGP/etc religiously. Generate certificates often (yearly). The FreeSwan project was an attempt at something similar, ubiquitous encryption of all IP traffic.
Don't do this because you have something to hide, but because it causes expensive resources to be utterly wasted, resources that would be better put to use on other fronts (real threats). That will lead to "profiling" of terrorists instead of grammaw's emails being cracked and read, and some beaurocrat trying to figure out the exact location of those bunyons and liver-spots she talked about. The gist is kind of like everybody having fake weeping-dynamite strapped to them and showing up the airport, forever... TSA would have to decide whom to spend more time on.
I found this book, and others like it useful in ideas for steganography:
Disappearing Cryptography, Second Edition - Information Hiding: Steganography and Watermarking (The Morgan Kaufmann Series in Software Engineering and Programming) (Paperback)
If somebody doesn't know the message is even there, they can't read it.
Some nice ways to hide and/or encrypt your more-important messages in email, mostly for programmers who can write a relatively quick program to do these things and distribute it:
1) Make a fake reply-to and stego your message inside what is obviously a "spam" email. Send hundreds or thousands out, the real recipient just needs to get one and decrypt the hidden message. There are lots of "open" email servers out there, pick one. Use a subject that will immediately turn everybody off or get culled from other mailboxes... something like "Huge Spooge Now!", and make lots of grammatical and spelling errors. In short, make it authentic looking spam, and have fun with it.
2) Use the submariners and diplomats method. Make CD's full of one-time-pads for your encryption client. Hand to your buddies. Send an encrypted email using one of those pads, put the CD/cipher/pad name or number in the subject so its cleartext. Without the CDs and contents, it will take brute force to crack, and all that work is worthless toward cracking future messages, since they keys and cipher(s) will be different.
3) Layer your encryption. Nothing wrong with passing some text (the more the better, pad with lots of stuff, like the constitution, for example) through one cipher engine after another, as long as the other side knows how to decrypt. Don't even think about using common keys throughout though. Make the message like the inside of an onion, lots of layers.
4) Write a set of clients that creates private keys from common objects in plain sight. Use say the picture of the white house from their website, the text of the Constitution from a .gov website, a pic of the current pres, etc. Hash all of them, combine hashes, hash the hashes your "lucky number" of times, etc. whatever you want. Then take the hash (and maybe your birthday or something else) as a seed as a private encryption key. Then XOR the data with some other pics on the web (one after another), maybe something bizarre and freakish like (I actually used this once for a business customer who demanded maximum obscurity of data) a link to a pic of a naked chick with a lobster in an inappropriate place, etc. Have some real fun, that's also important! Think about the looks on somebody's face whose trying to keep up with the madness you've built into it, before just giving up to try a brute-force approach. Email the ciphertext. In other emails provide clues as to what to use (and number of iterations of hashing or other variability) so your recipient starts his copy of your custom client which comes up with the identical privale key and XOR combos. Better yet, combine this with the CD-one-time-pads full of pics and document text on each side. Talk about a winner... Again, make the cracker go to brute force and waste cycles that translate into hours/days/months/years.
5) All the above can be used to write a VOIP proxy that offers realtime encryption of the datastream. Again, have fun learning and doing it.
The name of the game is this: force the snoopers to use brute force... always. 99% of the time you can force their hand, somebody is going to decide your message isn't important enough to throw the machine cycles at.
And yes, I write encryption/stego for a living, among other projects (for financial institutions, not some evil empire, foreign or domestic).
If anybody is interested, I'll do a writeup on how to beat keyboard snoopers running on your hardware also for messaging purposes.
