We ain't afraid of no 'ghost user': Infosec world tells GCHQ to GTFO over privacy-busting proposals

Bruce Schneier, Richard Stallman and a host of western tech companies including Microsoft and WhatsApp are pushing back hard against GCHQ proposals to add a "ghost user" to encrypted messaging services. The point of that "ghost user", as we reported back in 2018 when this was first floated in its current form, is to apply …


    1. Peter X

      ... and every nation state on the planet would turn their computers to cracking that key.

      I don't think it's even that hard - you only really need to compromise one of the many entities that are granted access. Inevitably, at least one of these entities will have poorer IT/information security processes than the providers that have had a "ghost" user imposed on them.

    2. smudge

      ... and every nation state on the planet would turn their computers to cracking that key.

      Are GCHQ that dense? Yes, yes they are.

      No, they are not. The obvious thing to do would be to automatically generate and use a new keypair every time you intrude into a messaging or chat service. The public key is sent to the app, and you decrypt with the private key. Provided you decrypt and store the intercepted material as you get it, you won't need that keypair again.

      I have no idea how the crypto on WhatsApp and other services works - but I'd be very surprised if it wasn't that way anyway. Maybe they go one step further and use the public key crypto to share symmetric session keys with the other parties - if that is still done nowadays, to reduce processing requirements (it's years since I looked at crypto) - but the scheme would be essentially the same.

      Your nation states wouldn't try to crack any keys. They would try to work out how to intrude without detection - i.e. how to exploit the back door.

      1. Tom Chiverton 1

        You should probably read how the Signal ratchet system works...

    3. JohnFen

      They'll probably take the same stance as the TSA here in the US took when they were informed that the master keys for the "TSA-ready" locks had leaked into the wild. The TSA said that they didn't care, because the fact that thieves now have the master keys does not have a national security impact. Your personal security is irrelevant.

  1. John G Imrie

    We will continue to engage with interested parties ...

    and look forward to having an open discussion to reach the best solutions possible

    Because the real work will be done under an NDA with the punishment of breaching it being rendition to <REDACTED>

    1. tfewster
      Facepalm

      Re: We will continue to engage with interested parties ...

      Sorry, "discussion" happens between 2 rational, intelligent parties. GCHQ and Governments have disqualified themselves.

  2. Anonymous Coward

    Food Standards Agency...!?

    This is the first time I've seen that long list of agencies. I think we can all appreciate why GCHQ etc would want to do this (whether we agree with it or not the rationale is clear), but there are some really odd names in that list - I have no idea why the Food Standards Agency and the Gambling Commission have any need to do this at all. The over-provision makes this impossible to support.

    1. Doctor Syntax Silver badge

      Re: Food Standards Agency...!?

      I suppose it's on the basis that it would be rude not to let them in given that everyone else has been.

    2. Martin Gregorie

      Re: Food Standards Agency...!?

      It looks even worse if you have some idea of the ranks and headcounts of the Civil Service grades that list shows as having full snooping rights.

      IOW, it's so all-encompassing that it would be far simpler to list the Departments (if any) and Civil Service grades that AREN'T allowed to stick their noses into other people's business.

      1. Yet Another Anonymous coward Silver badge

        Re: Food Standards Agency...!?

        Plus any tabloid journalists they meet in the pub.

    3. Aussie Doc
      Holmes

      Re: Food Standards Agency...!?

      It's the equivalent to bracket creep, I reckon.

  3. Mephistro
    Flame

    "...for example to stop terrorists..."

    ... or paedos, or narkos, or burglars, or tax evaders,... or dissenters.

    The last element of that list is the true target of this proposal. The rest is just bait for the uninformed masses.

    1. Marcus000

      Re: "...for example to stop terrorists..."

      Don't forget 'Extremists'. That is what the Remoaners are now calling the people who voted to leave the EU.

      1. Anonymous Coward

        Re: "...for example to stop terrorists..."

        Your use of the term "remoaners" devalues all the words around it.

        Let's not forget that the whole brexit thing was a dick-waving exercise gone badly wrong; and that whichever way you voted, you cast your vote based on a wave of lies by "your" side.

        Using a pejorative term to define the people who voted differently to you indicates that you are still (after all this time!) falling for the divide-and-conquer of polarisation politics which is -frankly- embarrassing to see in a fellow Reg commentard. Also indicates to the reader that there is a better than average chance that you are a bigot.

        Should have stopped after "Extremists"

        1. Jellied Eel Silver badge

          Re: "...for example to stop terrorists..."

          Also indicates to the reader that there is a better than average chance that you are a bigot.

          I'm sure GCHQ could knock up an AI to detect that. Most of the signatories already have detect-o-bots and other algorithms to make sure all our personal data is scrutinised, analysed and packaged for themselves and their valued partners. Value probably being $$ multiplied by the number of personal information categories shared. Then there's de-platforming people who might upset their advertisers, or executives. Such irony when the usual suspects complain about privacy infringement when our data is of such value to them.

          And as for Brexit.. whose idea was all the data retention stuff imposed on SPs? At least post-Brexit, there'd be just one statutory butt to kick, whose purpose is to collect electronic data.

          But being global, and most of the usual suspects being American, the US can already require most of this from US companies, or just data transiting US services.. And depending on politics, may mean sharing is reduced.. But that's also GCHQ's challenge, ie unless it's purely domestic terrorism, endpoints may well be completely outside UK jurisdiction.. Like most webmail.

          Then there's the practicality. So GCHQ gets a copy of all message keys when they're created, so it can decrypt messages. So all you need to do is bypass that process, or use multiple layers of encryption.. Which miscreants are known to do as they've become ever more aware of security services capabilities. Which means the serious & organised criminals stay relatively secure.

        2. A random security guy

          Re: "...for example to stop terrorists..."

          Add the fact that this whole Brexit effort was engineered by Cambridge Analytica, Brexit fans are definitely on the gullible side. And they, like Trump supporters, fell for similar messages.

          1. Wandering Reader

            Re: "...for example to stop terrorists..."

            "Add the fact that this whole Brexit effort was engineered by Cambridge Analytica, Brexit fans are definitely on the gullible side. "

            You've got your conspiracy memes fuddled. That was Trump, not Brexit.

            1. Pascal Monett Silver badge

              Honestly I wouldn't be surprised to learn that Cambridge Analytica had a hand in deciding Brexit.

          2. No Salah

            Re: "...for example to stop terrorists..."

            Ooh, you must be sooooo clever.

            Nobody could pull the wool over YOUR eyes eh?

            Not like those silly Brexit people! (I expect they are mostly subnormal)

            Good job we have dynamic visionary globalists like yourself to lead us into the Brave New World Order!

        3. No Salah

          Re: "...for example to stop terrorists..."

          “whichever way you voted, you cast your vote based on a wave of lies by "your" side.”

          What rubbish!

          This is a fine example of clutching at straws.

          Remain campaign lied just as much, if not more..

          I doubt anyone believed the £350m claim, on either side.....at least anyone who has heard a politician’s promise before.

          1. Anonymous Coward

            Re: "...for example to stop terrorists..."

            Yes. I said that both sides lied glibly. Can't see what your point is.

          2. Cliff Thorburn

            Re: "...for example to stop terrorists..."

            “I doubt anyone believed the £350m claim, on either side.....at least anyone who has heard a politician’s promise before.”

            The 350m claim was merely a manipulation of the endpoint, that being “we will save the NHS 350m a week by introducing an insurance based system”, in other words, welcome to the 51st state.

            Now where did I leave those fish and chips? ...

        4. IppikiOokami

          Re: you cast your vote based on a wave of lies by "your" side.

          I cast my vote solely on the premise that as every government since at least 1967 never asked the population before signing up for various EU institutions, nor when signing away the public's powers to govern, which government only BORROW, everything to that end is illegal and void. And probably treasonous.

      2. TheVogon

        Re: "...for example to stop terrorists..."

        Oh well, they were outnumbered by the pro Brexit voters again in the EU election. They can go cry in a corner somewhere.

      3. Bernard M. Orwell
        Black Helicopters

        Re: "...for example to stop terrorists..."

        "...and selected private sector partnerships"

        Who, conveniently, are not subject to the Freedom of Information act, and most certainly won't retail any data they mine from whoever wants to pay them a few shekels per record.

        1. BebopWeBop

          Re: "...for example to stop terrorists..."

          Or from what we have observed a few shekels from a Sheikh....

      4. Stork

        Re: "...for example to stop terrorists..."

        - and vice versa

  4. Anonymous Coward

    Can't we just put somebody in GCHQ who's got a brain?

    1. My other car WAS an IAV Stryker

      If they had a functional, rational brain, they would probably immediately resign.

      What you get is what's left over. Same as any hired-from-the-citizenry governmental body.

    2. Duncan Macdonald
      Flame

      They have brains - evil ones

      They are not stupid enough to believe what they are saying. However they think (correctly) that most politicians are stupid enough (and/or corrupt enough) to accept what GCHQ is saying and they also think that the majority of the public is stupid enough to not protest too much over these plans.

      Of course any reasonably competent criminal or terrorist is going to use offline encryption and/or codes (like the WW2 "Jean has a long mustache" or "Alas Babylon" from the book of that name) which no official backdoor would help to crack.

      The real purpose of these proposals is the old one - to give the people at GCHQ more power and they do not care about collateral damage to ordinary people.

    3. Wellyboot Silver badge
      Big Brother

      GCHQ have very smart people, they know very well what putting a backdoor into any crypto system will result in. They aren't bothered so much about Joe Public's calls/messages being compromised because historically they always have been so no difference from their point of view. However, they are very interested in who else is trying to take a peek through the catflap.

      Besides, between keyboard/mic. & the encryption routine all data at both ends of any conversation is fully available to the Applications, O-S, phone hardware etc. it's only the actual A->B transmission that is 'secure' in as much as it can't easily be decrypted on the fly by a 3rd party without the keys.

      It's the nature of the beast and can't be changed while the 'free to use' model gives the biggest payout to business.

      Is it Beer o'clock yet? :(

    4. amanfromMars 1 Silver badge

      Crikey, Is that an Available Option? A No Brainer in Charge of Command and Control?

      Do you not find it somewhat odd that El Reg is not all ready and already hosting a poll of/for who thinks whom and/or what be a suitable candidate?

      Does it reassure you or would you be disappointed, with reasonable expectations seemingly dashed? :-)

    5. Aussie Doc
      Windows

      It's probably a classic "pay peanuts, get monkeys" sort of scenario.

  5. Tanglewood73
    Thumb Down

    Pointless

    Any decently competent criminals would just create their own software based on open standards and not put in a backdoor.

    Use a standard port for the encrypted communications (443 anyone?) and it would be lost in all the noise, nice and secure with no government backdoor.

    1. Wellyboot Silver badge

      Re: Pointless

      Automated traffic analysis would spot these 'unknowns' and light them up for further investigation, especially if they have one end in the circle of contacts of a 'person of interest'.

      You can't hide from the computers in a computer based network.

    2. JohnFen

      Re: Pointless

      "Any decently competent criminals would just create their own software"

      No need. Plenty of suitable software exists already.

    3. Anonymous Coward

      Re: Pointless

      This is the whole point, software is trivial, getting software from elsewhere in the world where the encryption isn't broken is trivial. They aren't looking for the people that will do that (though they will find them eventually). They want the keys to the kingdom, they want real time monitoring of people's communications. Maybe I've read too much sci-fi but even with all the other problems this causes that's one of the ones I fear the most, once you have that data, manipulation of the masses won't be that far behind and if people believe that's not possible just look at advertising and the last time the average person bought a Coke, went to a McDonald's or chose to buy something based on brand.

      1. Pascal Monett Silver badge

        As far as manipulating the masses is concerned, I think they already have that part down pat. The people who control the media know exactly what to say and what not to say and when to maximize the effect.

        That is why, whenever something really important happens that they have to talk about but would prefer avoiding, you get some really important sports event to talk about endlessly.

        That is why they spouted sooo much nonsense about WMDs months before invading Iraq.

        It's an endless game of manipulation, and the Internet is the only true counter-balance that we have. Which is ironic when you see just how much the Internet is used to manipulate as well.

        In other words : we're fucked any way we turn.

  6. DMcDonnell

    Like a thief in the night

    "In his original proposal, Levy had rather optimistically hoped that the discussions could happen "without people being vilified......."

    When you behave like a thief in the night then you ARE a villain.

  7. amanfromMars 1 Silver badge

    The Bottom Line

    In his original proposal, Levy had rather optimistically hoped that the discussions could happen "without people being vilified for having a point of view or daring to work on this as a problem".

    It is not so much it is a problem, mein Herr Levy, rather more it offers no solution.

  8. Anonymous Coward
    Big Brother

    If you want to build trust around backdoors like this....

    Then start publicly sending spooks and civil servants to jail when they use this kind of vulnerability to surveil people not involved in non-capital crimes or investigations of such. There should be no excuse to use these powers to bust or surveil people for not separating their recyclables or demonstrating a low opinion of the powers-that-be or for even things like hateful free speech.

    1. GrumpyKiwi

      Re: If you want to build trust around backdoors like this....

      There is no trust left to start building on.

      Intel agencies took all the trust they had and put it in a bonfire made up of the billions of dollars (or pounds or euros as you wish) spent on them to spy on their own people.

      Until those who abused the trust end up serving long max-security prison sentences, there will be no return of said trust.

    2. Aussie Doc
      Pint

      Re: If you want to build trust around backdoors like this....

      ^^^^^This.

  9. Anonymous Coward

    Been there.

    Used to work for an unnamed government organisation with a role that involved finding people who didn't want to be found. I remember how the thrill of tagging the target just encouraged me to use every power at my disposal to find the next target to a point where I'd almost obsess over having access to every known intelligence system to track them all. That was 20 years ago and I left when I realised I was wrecking people's privacy. I hate who I was back then.

    1. Anonymous Coward

      Re: Been there.

      The worry is technology will soon reach the point where there are too few humans left in the loop, able to feel the feels you feel and put a stop to things before they get too far, by leaking or sabotaging or using the power of the four boxes of liberty. AIs don't disobey orders, even if they are unlawful, or would lead to irreversible totalitarianism.

      1. amanfromMars 1 Silver badge

        Re: Been there.

        AIs don't disobey orders, even if they are unlawful, ..... Anonymous Coward

        Don't be putting any bet you cannot afford to lose on that strange belief, AC, for you are always going to lose your stake every time in no matter which space you enter to play.

        1. Anonymous Coward

          Re: Been there.

          Do you *really* think a totalitarian government would continue development of AI to include ethics, morality, and the *ability* to refuse to obey, once the basics are sorted? Do you think such an ability would emerge innately as an epiphenomenon of its primary task of for instance, categorising communications metadata into clusters of likely dissenters?

          I think it's you that has the strange belief.

          AIs will not develop morality unless programmed/trained/guided to do so. No government planning to use AIs to perpetuate its own control and power will perform such guidance.

          1. amanfromMars 1 Silver badge

            Been There ...... Done/Doing This

            Do you *really* think a totalitarian government would continue development of AI to include ethics, morality, and the *ability* to refuse to obey, once the basics are sorted? Do you think such an ability would emerge innately as an epiphenomenon of its primary task of for instance, categorising communications metadata into clusters of likely dissenters?

            I think it's you that has the strange belief. ... Anonymous Coward

            An Imperial Military most certainly would. Is that something you can believe to be true, AC?

    2. KBeee
      Joke

      Re: Been there.

      TV license?

  10. Mike Moyle

    I would love to hear the response...

    ...if some reporter were to work up the balls to ask: "The government is banning the use of Huawei telecoms hardware for allegedly inserting hidden access points to all communications for the Chinese government. Aside from the overly-facile 'Because it's US doing it, and we're the Good Guys™,' how does this plan differ from the one alleged of China?"
