back to article Will there be no end to govt attempts to break encryption? Hand over your data or the kiddies get it, threaten Five Eyes spies

In a move as predictable as it is wearisome, a bunch of government security agencies have got together and demanded we let them have our data. This latest spooky manifestation is a collection of the Five Eyes - the US, the UK, Canada, Australia and New Zealand - and for some reason Japan and India. Let’s call this coalition of …

Page:

  1. Zippy´s Sausage Factory
    Flame

    As usual, politicians asking for a magic unicorn to solve all their problems, so they don't have to pay money to have actual police officers doing proper work.

    Because that would mean they'd have to pay for those police officers, which would mean it would come out of taxes, which might have to go up, which would mean rich people would go buy their cocaine and luxury yachts somewhere else and that would be a tragedy for the economy. Or something like that.

    1. Dr AntiSol, astrophysicist Bronze badge
      Black Helicopters

      so they don't have to pay money to have actual police officers doing proper work

      Nope. You're falling into the trap. It's not about stopping crime. It's about stopping thoughtcrime. As pointed out in the article, actual criminals are already using (probably multiple layers of) encryption that won't be affected by this hypothetical backdoor: If JIANUSCUK get what they want, it will have near-zero utility for its (publicly) stated purpose. And they know it. They're lying - the actual purpose is that they want more mass surveillance. Pure and simple. That's pretty much all this would achieve (well, apart from making everyone less secure).

      To engage in discussion about how backdooring encryption will help stop crime is to fall into the trap and believe their bullshit framing story. It won't help stop crime. It's not a cheaper, easier alternative to real police work. All it will do is help stop thoughtcrime.

      1. Charlie Clark Silver badge

        I think you're givng them too much credit,. While there may be a bit of misdirection here, these are the same policitians who routinely make calls for finding out "what we do best and finding more ways of doing less of it better". (W1A). That's even assuming they can remember the policy they've just announced.

        1. Dr AntiSol, astrophysicist Bronze badge

          I disagree. There are enough people in the chain of bureaucracy for any government decision, let alone when a bunch of governments get together as they have here, that it's vanishingly unlikely that there wasn't at least one person in all those chains who would:

          a) understand and point out that doing it without compromising security is impossible

          b) remember and point out the last time this was suggested, and the response that doing it without compromising security is impossible

          c) remember (or be aware of) and point out the time before that, with the same response,

          d-x) remember and point out the 20 times before that.

          Perhaps all the people who signed the letter are just massively incompetent and not qualified to run a hotplate in a fish n chip shop (though I have a hard time believing anybody is that incompetent and still able to dress themselves), but whoever actually wrote the letter knew exactly what they were doing. If you need evidence of that, look at the wording around the "we challenge the assertion that this cannot be done without compromising security" bit. This is not stupidity at all.

          1. Cliffwilliams44 Bronze badge

            And the leadership responded "But the Security folks say we can. End of discussion".

        2. Stork Silver badge

          Which was the politician who said

          - the laws of math are all very nice, but here in Australia applies Australian laws (or words to that effect)?

          1. JimboSmith Silver badge

            Re: Which was the politician who said

            I have an old client who is an Australian but lives in the UK. They refer to the internet in Oz as having to go through the Great Barrier of Grief. They say "The drongos in parliament claim it was all done to protect the kiddies."

      2. Cliffwilliams44 Bronze badge

        The real criminals, not the perverts, do not use encryption, they do not user phones, or the internet, they get into a car, drive across town and walk into the Boss's car and talk to him personally.

    2. bombastic bob Silver badge
      Big Brother

      politicians asking for a magic unicorn to solve all their problems

      You assume they MEAN WELL.

      I suggest they are playing "think of the children" to MANIPULATE people into letting them take more freedom and put us ALL under surveilance. This is the kind of thing that gummints do, in a POWER GRAB.

      I love the "real police work" example by French police with the use of warrants to crack the phones of people they wanted to spy on. WELL! DONE! FRENCH! COPS!!!

      The rest of the world (including USA) needs to get a CLUE, and stop being LAZY. _REAL_ police work, please, and NOT blanket surveilance. [that violates the 4th amendment anyway]. GET a WARRANT.

      (followed by the usual 'genii out of the bottle' 'open source encryption examples' 'de-CSS example for DVD playback' 'PGP and IDEA' 'when encryption is illegal, only criminals will have it' and so on)

      1. Cliffwilliams44 Bronze badge

        Here in the US the FBI and local police stopped doing "good police work" back in the late 80s early 90s when they took down the big Mob Bosses. They considered their work done. The result was disastrous! With the Mob bosses gone the young punks went wild and the police had no clue how to control them.

        And I agree, this had nothing to do with preventing/stopping crime and everything to do with surveillance of the populous.

  2. StrangerHereMyself

    Futility

    These calls for security and "targeted" surveillance are completely futile as they've been playing this same ol' record for years and years now and the tech companies seem to be ignoring them completely.

    If LEA and Intelligence agencies believe it's possible for tech companies to put in a backdoor without compromising security, maybe they can tell us how, in the open and in public. Chances are the proposal simply contains a "secret key" somewhere in the program. But they'll promise to keep it a secret because they're good at that.

    Nothing's going to happen, unless governments pass laws to enforce these backdoors, like they've done in Australia. I still haven't seen any evidence that any tech company responded by adding a backdoor. More likely we'll see legal challenges and fines by Australia to force companies like Facebook to tow the line.

    Currently, there are huge gaping holes in the security of many end-to-end encrypted products. WhatsApp, for example, removes the encryption if you backup your conversations to Google Drive. And let's face it, there's always someone in your secret chat group which doesn't know this and backs up their conversations to the cloud.

    But LEA and intelligence agencies are probably foreseeing that these loopholes will be closed in the near future, shutting them out.

    1. DS999

      I wouldn't be so sure those loopholes will be closed

      iPhones can be backed up in two ways, one via USB to a PC/Mac running iTunes, the other via iCloud. If you backup to a PC, you can choose a password yourself with which everything is encrypted. If the Feds got your PC they'd be unable to access your backups unless they can guess/crack that password, so they'd have to break into your phone.

      If you backup to iCloud, it is encrypted in transit with a random key set for the connection, and then at rest on the iCloud servers with a key Apple controls. There is no way to set a key you control for an iCloud backup.

      Some things are automatically encrypted for the iCloud backup, so stuff like your phone's password are protected and can't be accessed in cleartext even from an iCloud backup. However, text messages / iMessages are not, which is how Apple is able to respond to subpoenas requesting those from people who use iCloud.

      Apple has taken many steps to increase their security - it isn't perfect, there are always bugs, but if you read the iOS Security document available for download from Apple it is pretty impressive how many measures they take. But one very obvious step they haven't taken is to let a person set a password/key they control for their iCloud backups.

      I strongly suspect this is only because they know the FBI would flip out, as most people use iCloud for backups due to its convenience which provides them a way around Apple's otherwise strong encryption measures. I wouldn't look for Google to step on that particular cat's tail either, for fear of having laws like the ones this article is about getting enacted and making things worse for everyone.

    2. UCAP

      Re: Futility

      More likely we'll see legal challenges and fines by Australia to force companies like Facebook to tow the line

      At which point Facebook and anyone else the Australian government fines for not doing the impossible will probably remove any and all corporate presence from Australia and subsequently ignore them. Alternatively they'll simply withdraw their service, sit back and wait for the screams of outrage.

  3. Anonymous Coward
    Anonymous Coward

    Not 5EYES

    Just some dumb politico trying to legitimise their latest sound bite

    There is no way the military and intel comunity would want back doors plastered all over the full IT stack of the gear they use

    1. ThatOne Silver badge
      Devil

      Re: Not 5EYES

      > There is no way the military and intel comunity would want back doors

      What have the military or the intel community to do with it?

      Keep in mind those measures are for the Great Unwashed, not the PtBs: The military can carry arms, the average Joe in the streets can't. This is just an attempt to outlaw yet another item threatening their full control over the masses.

      Since saying "Hey bozos, we want in on all your little secrets" might create some resentment, they try the time-tested guilt trip trick: Do you hear the poor little children weeping because of your cruel selfishness? The cute poor innocent little children? You bad, bad person?

      1. Anonymous Coward
        Anonymous Coward

        Re: Not 5EYES

        Ref "What have the military or the intel community to do with it?"

        Literally nothing.

        The politicos just tell the media it for “5EYES” to try and justify their proposed actions, suggesting it is for combating terrorists, hostile state actors and other bastards wanting to use persistent nerve agents in the UK, et al.

        What it will actually get used for in the medium to long term is the bent copper retirement funds, flogging the information to the Murdoch press, organised crime bosses, etc.

        In the short term; whatever wiz idea the politico thinks is the latest band wagon to hop until the next news bulletin

        1. Cliffwilliams44 Bronze badge

          Re: Not 5EYES

          Seriously, WTF does this mean?

          "What it will actually get used for in the medium to long term is the bent copper retirement funds, flogging the information to the Murdoch press, organised crime bosses, etc."

          It was not the Murdoch press or any of the people I guess your trying to disparage here that utilized the power of the state to try to remove a sitting president of the United States? It was the State security Bureaucracy and the Leftist state Media!

  4. Anonymous Coward
    Anonymous Coward

    I'm confused

    it is a new demand, or is it a repeated piece of no-longer-news? I'm pretty sure I saw something along these on the reg a couple of weeks ago only, to the (expected) outrage in the commentard quarters? (to clarify, I was disgusted too, OUTRAGED, no less! ;)

    1. Eclectic Man Silver badge

      Re: I'm confused

      Indeed, see:

      https://www.theregister.com/2020/10/11/international_statementon_end_to_end_encryption_and_public_safety/

  5. The Central Scrutinizer

    The usual drivel from the usual bunch of wankers who have no idea how computing works, I suspect.

    1. My other car WAS an IAV Stryker Bronze badge

      No idea how cryptography works, either. Don't necessarily need a computer to do the math, but it sure is faster.

      (...as long as you don't mind side-channel snooping. Then again, I'm sure anyone truly determined could side-channel the activity of my desktop printing calculator, too. No shielding, that's for sure.)

  6. heyrick Silver badge
    Stop

    Dear Security bods

    Online "trust", and the concept of encryption, only works if one can feel reasonably certain that the communications between the server and the user is secure, encrypted, and untampered with.

    If you want access, this implies that there is an intentional weak link that permits you to see what, cryptographically, you should not be able to see. And if you can see, then not only can others see, but there's the possibility that you or others can modify.

    It's at about this point that trust evaporates.

    Because, believe me, if it is known that there is a backdoor, then people far smarter than you in countries that you would consider hostile will be pulling apart your entire algorithm bit by bit. And when that weakness is known, the entire security theatre is useless.

    Don't take my word for it, Google for "webrip" and "bdrip". All the encryption and protection thrown out by the movie studios has not done a whole lot to stop piracy. Build in a weakness, it will be found.

    1. Anonymous Coward
      Anonymous Coward

      Re: Dear Security bods

      @heyrick

      Quote: "Online "trust", and the concept of encryption, only works if one can feel reasonably certain that the communications between the server and the user is secure, encrypted, and untampered with."

      While this true, there some other aspects to "trust" -- or lack of it.

      1. If the encryption is provided by a service provider (e.g. Signal) then the user is trusting Signal. This need not be the case if the user is using private ciphers BEFORE the message enters the channel. In that case the user has moved the "trust" from the service provider to their own encryption.

      2. What the quote fails to recognise is that metadata can still tell a snooper something about what is going on -- even if the DATA ITSELF is encrypted. The NSA and GCHQ and all the other spooks are still able to collect metadata about the account holder, the IP address, the location of the originator of a transaction and a time stamp. If needed, an internet service provider can be persuaded to provide details of the content of transactions which match this metadata. (And that's before we consider matches with widespread camera data.)

      *

      Someone wanting A VERY HIGH LEVELS OF "TRUST" needs to address BOTH item #1 and item #2. The ONLY way to do this is to ensure that the transactions which a person initiates are:

      a) Using private ciphers, and....

      b1) Using an anonymous end point (no link between an account and a person e.g. with a burner phone) or....

      b2) Using an end point deliberately linked to some other person or organisation (e.g. hijacked WiFi, internet cafe, VPN, etc.)

      *

      And even if either b1 or b2) is in place, the person needs to take additional precautions:

      c) Ensure that their "honest citizen" phone is never active at the same time and place as the burner phone

      d) Ensure that transactions are always sent or received out of the view of CCTV

      e) Ensure that they do not "give the game away", for example by using a personally identifiable account (say checking email or FB)

      *

      And if these precautions are not onerous enough, the RECIPIENT(S) of the "trusted" messaging need to be taking exactly the same precautions.

      *

      Still, from all of the above, it's absolutely certain that with planning, training and care, anyone, any group, can increase their "trust" in their communications WHETHER OR NOT the spooks deploy backdoors!!!!

  7. Mike 137 Silver badge

    Realism?

    I seem to remember an Australian PM who said something on this topic on the lines of "we don't obey the laws of mathematics here, we obey the laws of Australia".

    However there are encryption systems - one time pads, for example - that can defeat any attempts at breaking regardless of any desires on the part of "authorities". Of course there are also codes, that can be entirely impossible to break unless coercion is applied.

    1. Mike Richards Silver badge

      Re: Realism?

      The one time pad is unbreakable provided you can secure the pad and never reuse it; but you still hit on the key distribution problem of getting the pad to the other user.

      Fortunately, GCHQ discovered the solution to that issue back in the 1970s with public key encryption which - oh bugger - kind of gets in the way of authoritarians everywhere.

    2. Cynic_999 Silver badge

      Re: Realism?

      The problem with OTP encryption is that it becomes trivial to construct a OTP that will decode the encrypted message into anything you want. Thus the ptb can first prove that the encrypted message came from you, then produce a OTP that they claim to have recovered or "cracked" which shows the message was a terrorist plot or kiddie-porn etc. You cannot do the same with a message encrypted with PGP, AES or 3DES etc. Only one unique key will result in an intelligible decode.

    3. StargateSg7

      Re: Realism?

      I can just tell the authorities to SOD OFF and I will go completely open source code written in HTML-5 if I have to, or any one of the 20 computer languages/assemblers I know and am quite good at when coding INVARIATE, CODE-BASED or ONE-TIME PAD based anti-quantum computing encryption-breaking algorithms (i.e. Shor's) that works on my custom coded text, audio and video communications software.

      Since I store and run ONLY WITHIN the Level-0/Level-1 caches and local registers of the CPU themselves I can PREVENT Ring-0 or even Ring Negative-ONE hypervisor code/BIOS code from seeing/intercepting the keys and plaintext data!

      I think I can EASILY MAKE Australia OBEY the rules of MATH!

      V

    4. Someone Else Silver badge
      Coat

      @Mike 137 -- Re: Realism?

      I seem to remember an Australian PM who said something on this topic on the lines of "we don't obey the laws of mathematics here, we obey the laws of Australia".

      Wasn't this PM born in Indiana?

  8. dbgi

    They want more and more access, but they don't seem to have the resources or the skillset to make use of what they have already got.

    1. DaveEdi
      Coat

      Won't that be Fatima's job?

  9. Doctor Syntax Silver badge

    Put your money where your mouth is.

    Instead of complaining nobody will do it for you commission someone to provide software to do this. It must, of course, stand up to expert infosec inspection to ensure it actually does keep out miscreants, including ensuring that collected data can't get leaked or misused.

    When you've cracked that you can go ahead and get it used.

    1. Eclectic Man Silver badge

      Re: Put your money where your mouth is.

      HMG is already spending a reputed £7k PER DAY per 'consultant' for the UK's Covid-19 Test Track and Trace 'world beating' system. We cannot afford yet more wild goose chasing, thanks.

      I cannot help feeling that this is basically a test of pubic attitude towards backdoored encryption products, as the various security agencies, GCHQ, NSA etc. will have undoubtedly informed their ministerial bosses that what they claim to want is not technically possible.

      I also wonder whether it would apply to the banking sector and businesses using encrypted VPNs for secure communications between sites of company sensitive information. I wonder whether the powers that be asking for this have considered the possible court case where someone is charged with releasing company data that affects share dealing prices, but claims the backdoored encryption was responsible and sues the government.

      1. NetBlackOps Bronze badge

        Re: Put your money where your mouth is.

        Given how interested nation-states are in commercial data, of course they want the content of VPN traffic. The US used to assert that commercial data was not collected by their intelligence agencies which "lie" held up until it came out that the US Trade Representative was on the Top Secret and SAP/SAR distribution lists. Oops.

    2. Someone Else Silver badge

      @Dr. Syntax -- Re: Put your money where your mouth is.

      Instead of complaining nobody will do it for you commission someone to provide software to do this.

      Hello, Doctor. I like this. In fact, how 'bout we up the ante a bit? We'll use this mythic software to encrypt the account number of some bank account that holds 1000 bitcoin, and a verified copy of the pee-pee tape. Should1 this be cracked, the cracker gets to keep the 1000 bitcoin, and may distribute the pee-pee tape as s/he sees fit, without any recrimination.

      (What do you set the over/under as to the amount of time it will take to "prove" this software as not secure?)

      1Read: When.

  10. J.G.Harston Silver badge
    1. NetBlackOps Bronze badge

      Only works on someone that isn't dealing with level 10 pain as a daily occurrence. Cut off pieces of my body? Go ahead. Still, good XKCD.

  11. Version 1.0 Silver badge

    Backdoors solve nothing

    OK, so it helps them catch idiots but anyone with a brain or working for a professional spy agency will be completely unaffected.

  12. fidodogbreath Silver badge

    Will there be no end to govt attempts to break encryption?

    TL;DR: No.

    1. David L Webb

      Re: Will there be no end to govt attempts to break encryption?

      It seems from another Register article that they will soon face Quantum Key Distribution as well as the mathematical challenges of public-private key encryption.

      https://www.theregister.com/2020/10/20/toshiba_qkd/

      "Toshiba has said it is ready to start selling a commercial quantum key distribution (QKD) product, and will eventually move to offer QKD as-a-service."

  13. chivo243 Silver badge
    Thumb Up

    must be an agenda item

    That was set to repeat each year. Nobody knows how to turn it off. The password for the account is forgotten and encrypted! That's it, they want the back door so they can log into the agenda account and turn off the agenda item repeat for encryption backdoors event... or so they say.

  14. Anonymous Coward
    Anonymous Coward

    Assymetry, anyone?

    Suppose people were to use private ciphers BEFORE messages enter the channel. It's widely held the private ciphers are crap. It's also widely believed that RSA, PGP etc have been cracked. So what is someone to do?

    *

    Well....EVEN IF PRIVATE CIPHERS ARE CRAP, they still have an excellent asymmetry property for their users:

    - Users get real time communications

    - Snoops have to wait till the cipher is cracked

    *

    Look up the Beale Papers (enciphed in a private cipher). Two of three messages have still not been deciphered (for more than a century). And that's with a book cipher -- widely held to be crap.

    *

    Anyway....the delay for the spooks puts them on the back foot....irrespective of the quality of the private cipher....and they may be on the back foot for long enough that the original message is well beyond its sell by date!!!!

    1. Eclectic Man Silver badge

      Re: Assymetry, anyone?

      "It's also widely believed that RSA, PGP etc have been cracked."

      Any chance of a reputable reference for that? If the factorisation of large numbers has been 'cracked', that is a major event in mathematical logic / complexity theory. Probably get you an Abel or Turing prize, or at least a nomination.

      1. Blazde Bronze badge

        Re: Assymetry, anyone?

        I read it as "It's also widely believed [among the kind of anonymous coward crackpots who think the Beale Papers aren't a hoax] that RSA, PGP etc have been [secretly] cracked"

        Regarding asymmetry, that's essentially one of Impagliazzo's five worlds (one variant of his 'minicrypt' I think, or maybe a less pessimistic version of 'pessiland') where there are severe limitations on one-wayness of functions. Maybe that's a more realistic compromise model for our security services to argue for (notwithstanding the mathematical reality)?

  15. Cynic_999 Silver badge

    You first

    As soon as the government and intelligence services makes all their databases and emails available for public scrutiny, I will consider letting them look at all my data also. But it is of course pretty certain that they have *far* more incriminating data to hide than the average citizen, so that will never happen.

    1. Anonymous Coward
      Anonymous Coward

      Re: You first

      Yup, thats why they are trying to get this spycops bill passed without any scrutiny. Our Government is rotten, and full of criminals.

  16. amanfromMars 1 Silver badge

    Idiot'r'Us .... are surely to be them, for they are in the tiniest of ignorant arrogant minorities*?

    What part of "Stop Digging a FCUKing Great Burial Hole for Yourselves" does the System not understand ...... People Need to Reclaim the Internet

    * Yeah .... it is inevitable. And how very odd that they do not see it. Ah well, Einstein obviously knew them extremely well ....... “Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” ...... "Insanity: doing the same thing over and over again and expecting different results."

  17. Anonymous Coward
    Anonymous Coward

    If GCHQ are so smart

    How come they still can't break a simple chip code?

    I mean the 4S is over a decade old now, but supposedly Apple blocked the "chip-off" method long ago.

    It seems that the main problem is that without the CPU with its baked-in AES key the odds of getting anything

    coherent back are slim to none.

    The memory itself is quite a common one (16GB Toshiba)

    1. Anonymous Coward
      Anonymous Coward

      Re: If GCHQ are so smart

      "How come they still can't break a simple chip code?"

      this statement has an assumption,

      remember GCHQ kept their knowledge of PKI quiet for decades, even after RSA said they "discovered" it.

  18. Norman Nescio

    Do not look behind the curtain

    While national intelligence agencies are making a lot of noise about encryption, causing outrage and incredulity that they can be so stupid about the 'laws of mathematics', they are busy making use of all the already existing 'back doors', and using this as a pretty successful distraction strategy.

    As several commentators have pointed out in this and previous articles on this topic, One Time Pads and dictionaries of code-phrases* are uncrackable in themselves without a copy of the One Time Pad or the code-dictionary.

    However, as students of secure communication learn at their mothers knee, it is very important to ensure that your security end-point is separate to your communications end-point. It doesn't matter how well your message is encrypted if you decode it on a completely compromised piece of equipment so the plain text lovingly decoded can be grabbed and exfiltrated. The average member of Joe Public cannot obtain uncompromised hardware. The military find it difficult.

    The 'secure' phones compromised by the Dutch police had malware inserted on the phones that took copies of the decoded messages. All of the apps on mobile phones rely on the operating system, the processor, and the modem, none of which the user has control over**.

    In addition, theoretically good encryption is compromised by poor implementations that have gaping side channels. The AES code produced to show how AES worked, and used as a basis by many people had not been hardened against timing attacks etc. So a good algorithm generated by an open evaluation process was compromised in many applications because the side channels were easily exploitable. Having a good algorithm is less than half the battle: making sure the implementation in hardware is secure is hard.

    So while the security services are making a song and dance about encryption, they are busily exploiting all the flawed implementations, 'influencing' standards committees to adopt standards that are difficult to implement well, and making sure, probably with the help of Hollywood and the MPAA that any equipment you can buy implements 'Trusted Computing', which is to say, trusted by them to execute programs you have no control over.

    If you want to send a secure message, encrypt it on hardware you can trust: which might be pencil and paper, and only put the encrypted text on the communications link. Even then, unless you have thought in advance how to deal with the metadata, you won't be as safe from discovery as you think.

    It's all a game of misdirection. If you want to send secret messages easily, campaign for open hardware that can be audited down to gate-level, designed by people who understand about side-channels. Even then, unless you have a good plan on how to deal with the metadata trail, you won't be able to hide from 'the authorities' for long if they really want to find you.

    NN

    *e.g. 'the swan flies south for the winter' means 'cancel the operation to put polonium in the targets tea'

    **There are a few nerdy exceptions for the operating system, and possibly the bootloader. Not exactly mainstream, though.

    1. Boris the Cockroach Silver badge
      Big Brother

      Re: Do not look behind the curtain

      Quote

      "'the swan flies south for the winter"

      The eagle flies south in summer, The eagle flies south in summer

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021