A backdoor into Skype for the Feds? You're joking... Heavyweights of the cryptographic world have lined up behind a campaign against proposed US wiretapping laws that could require IT vendors to place new backdoors in digital communications services. Technical details are vague at present, but the planned law could mandate putting wiretap capabilities in endpoints to cover …
This post has been deleted by its author
Call me Mr. Cynical, but I assume that there is always a back door in any given system. It may have been put there for the best of reasons, but it will be exploited and abused; and usually by people that insist it is for our own benefit.
@ AC 11.11 GMT - if you don't use these systems, you must have something to hide and therefore be a terrorist?
I agree - and this always makes me laugh, because it's like in poker, weak is really strong, and strong is really weak.
The FBI argue the net is “going dark” to them, thanks to encryption technologies which render valid wiretapping warrants useless.
FBI: YEAH, uh, hey look, um, we can't read your encrypted communications, nooooo sir, so, uh, go ahead and write all those messages because we (cough) can't read them. Nope. La de da, la de da...
In the name of the big and bad terrorism threat, where each and every foreign state is perceived as potential (future) threat, all is permitted.
Everyone opposing this is not very patriotic and must therefore be a terrorist.
Its a case of 'if you're not with us, you're against us', simple really.
"In the name of the big and bad terrorism threat, where each and every foreign state is perceived as potential (future) threat, all is permitted....." So, are you denying that there is any terrorist threat or that you don't think they use encrypted coms? Try taking off the trendy ideological blinkers and learning a few home truths - they're not just using OTS products like PGP, they're writing their own (http://www.pcworld.com/article/142149/article.html, http://www.wired.co.uk/news/archive/2012-05/03/how-al-qaeda-hid-secret-docs-in-a-porn-video, http://www.schneier.com/blog/archives/2013/02/new_al_qaeda_en.html).
As to those that think importing foreign opensource software is a good idea, I'm sure the FBI would agree - it would be the equivalent of one person in a crowd wearing a shirt saying "Look at me, I'm doing evil!" All the FBI/NSA have to do is record the encrypted stream (they can claim reasonable grounds), arrest you and then get a court order for you to decrypt it or go to jail for contempt. After the first dozen or so anarcho-liberal twits have gone down "to prove a point" I would suspect the popularity of said opensource software to dip sharply.
"it would be the equivalent of one person in a crowd wearing a shirt saying "Look at me, I'm doing evil!" All the FBI/NSA have to do is record the encrypted stream (they can claim reasonable grounds), arrest you and then get a court order for you to decrypt it or go to jail for contempt."
I'm no legal expert, but I don't think that would pass constitutional muster any better than arresting the guy just for wearing your "I'm doing evil" shirt would.
"I'm no legal expert, but I don't think that would pass constitutional muster....." Please feel free to put it to the test. You could get someone in Pakistan or some other NSA/FBA hotspot to start sending encrypted messages to you and see what happens, and I'm sure helpful types like the ACLU would be racing to your defence. But don't be surprised if that comes after the police have raided your home, your office, interviewed all your friends, colleagues and family, and whilst you're in an orange jumpsuit and sharing a cell with someone probably not too wonderful whilst your family scrabbles to seel stuff to make your bail.
I think he might be arguing that where discussion of 'terrorism' is concerned, truth, reason and proportionality went for a long walk years ago and rarely feature in any current debate on the topic. If the FBI is screaming for something, it doesn't mean that the reason they want XYZ is the one stated, or if it is, that there won't be plenty of mission creep that will leave the population wondering whether worrying about terrorists actually wasn't safer than living in fear of state organs with way too much power. As to the ideological argument; the swivel eyed right wing nutjobs are the arsewipes using 'terror' for everything from getting kids to eat their greens to selling overpriced security kit that doesn't work to stopping Joe Public photographing trains, etc, etc.
I've spent plenty of time in places where blowing things up as protest is something of a national sport, but it's always the implacable gents with the suits, shades and the weight of the state's ideology du jour behind them that make me really fucking nervous.
Whilst I'm generally in agreement with the idea a lot gets passed simply because it has "counter-terror" tones, I have to point out your accusation that " the swivel eyed right wing nutjobs" are the source is simply too silly for words. For a start, in the UK, the years of Tony Blair's and then Gordon Brown's Nu(t)Labour showed the Left is much more determined to trample on rights than the Tories (remeber the ID cards fiasco?). In the US the Dummicrats have proven just as adept at using their powers as any of the Bush administartions (for example, Obambi has upped the number of drone strikes, and where do you think they get the targetting info from?). And let's not get started on the good ol' USSR and friends and their histories of "the end justifies the means, Comrade".
"For a start, in the UK, the years of Tony Blair's and then Gordon Brown's Nu(t)Labour showed the Left is much more determined to trample on rights than the Tories (remeber the ID cards fiasco?)."
The Blairites were so far right in the Labour party that they made many of the Tories look decidedly liberal.
That is not to say that extreme left wing of the Labour party aren't conservative ( small 'c' ) about most things. The Labour Party for decades were a bit like the CofE - many of their members had forgotten the original guiding principles of equality and tolerance.
"I have to point out your accusation that " the swivel eyed right wing nutjobs" are the source is simply too silly for words"
Sorry, perhaps my "silly" bit of childish venting trivialises swivel eyed right wing nutjobbery too much. I think most here would understand who was being referred to, and as my fellow AC commentard points out Blair and crew were every bit as right wing, as Perle, Feith and co. You make the mistake of assuming the simplistic political labels bandied about entirely define the content - politicians seem to use 'left' (especially) and 'right' more as advertising slogans than statements of intent these days.
I still fail to see your point though. Anyone with an immutable fixed ideology that requires that they remake the world in the manner in which they THINK it should work ought to be suspect, and in UK terms that covers the entire current political mainstream. All political flavours subscribe to the idea of enabling big business to make pots of cash, irrespective of social consequences or geopolitical fallout, and will happily spin anything that moves to shift public opinion/expectations and make black look like a nice shiny white. Political spokestypes of any hue serving up 'terrorism with everything' is invariably a grotesque distortion of the facts to suit their own ideological ends, with the inevitable punted solution ("That's why we...) either amounting to handing a pile of cash to big business or ratcheting up state intrusiveness. Ideological obsession will kill us all, whether or not its labelled 'left' or 'right'.
".....Blair and crew were every bit as right wing...." Perfectly true, it is very obvious that Blair was not a die-hard Leftie for the simple fact he was electable, some of the Party having realised they needed to hide behind a veneer of Centralism if they ever wanted to get enough public appeal to get back into No. 10. But they've fixed that and let control of Labour fall back into the hands of the unions, and their puppet Ed will ensure they remain unelectable for a good many years. Enjoy!
In the meantime, anyone thinking about using an off-the-shelf encryption tool might want to consider a simple fact - The Man (as you no doubt refer to the authorities in your paranoid fantasies) has had the capability to monitor website traffic for years. They can sit there and watch Abdul Wannabe Jihadi logging in from Birmingham to killthekaffir.com and log his every click - do you seriously think they haven't been watching the encryption vendors too? Ever wonder why AQ stopped using PGP and started writing their own encryption tools? DUH!
Well, that's kind of what happened in the UK when the head of the Association of Chief Police Officers wrote to all the police forces to tell them to calm down on the whole harassing people taking photos thing. His motive wasn't that it was wrong or even illegal (in some cases) but that "the public" were actually starting to check what their rights really were ...
A smart phone is more than capable of running an app that offers end to end encryption as well as hiding which two devices a conversation or data transfer was occuring between. Security services might be able to glean some information about the call with traffic analysis but not the actual content.
Seems like little gain for such an odious law. A law which is bound to encounter serious domestic opposition and one that foreign companies and open source projects would actively circumvent.
It also reminds a bit of the clipper chip, an encryption chip that used a weak cipher and a key stored in escrow so security services could conduct surveillance of voice traffic. That particular plan fell on its backside after widespread opposition and I hope the latest efforts do too.
"Of course the next law that will have to be introduced is the one making it illegal to use any communication system that doesn't have a back door."
The precedent for that law already exists in the UK. On certain police investigations - if you can't provide the key to an apparently encrypted file then it's a criminal offence. I believe it is a two year jail term. Doesn't matter if they do not find any evidence of the original suspected crime.
"On certain police investigations - if you can't provide the key to an apparently encrypted file then it's a criminal offence. "
Certain crypto products like TrueCrypt provide a measure of deniability by offering a shadow volume functionality. Basically two keys work on the same data, one leading to the real data and one to the fake data. Providing your data is sufficiently "sensitive" but not incriminating you can disclose that key and the cops and CPS would be hard pressed to convince a judge you had not complied. e.g. fill the phony volume with pictures of your knob, suicidal thoughts, scans of your bank statements or anything else someone might wish to keep secret but of no relevance to the investigation and give it up when requested.
I doubt it would be easy to do in the context of a realtime conversation on a phone though. The device would have to generate and throw away the session keys so it was utterly impossible for someone to give them up even under duress. Additionally perhaps the app itself could make "phantom" connections between nodes mimicking real traffic, or act as a proxy between other nodes (a la freenet) as another form of deniability.
"they can't *prove* it....." Yes they can. All they need is a surface level scan of the drive and a professional to stand up in court and say "Yes, M'Lud, that pattern does not look randomly generated, therefore I believe the accused has a hidden partition they did not admit to and that they tried to hide, in contravention of the court order issued by yourself to oblige him to do so." Game over, do not pass go, do not collect your £200 in Bitcoins, just go straight to jail.
So they can look at the randomn data generated by Truecrypt to fill the empty space when the volume was created and tell the difference between that and the random-looking data generated by encrypting a file and writing it amongst that random data?
That's one hell of an expert you have there.
With respect, that sounds like a piece of Star Trek "insert technical stuff here" script. You've used a technical phrase and followed it with your required conclusion but it is, in non-geek parlance, utter bollocks.
"So they can look at the randomn data generated by Truecrypt to fill the empty space when the volume was created and tell the difference between that and the random-looking data generated by encrypting a file and writing it amongst that random data?...." Nope, all they need is an expert prepared to SAY it looks like an encrypted volume, which then makes it your word versus that of the coppers, and guess which way the average judge and jury will lean after the prosecutor has done a good job of slinging mud at your rep? The coppers don't even have to PROVE there is an encrypted drive anywhere, just that they REASONABLY SUSPECT (the actuall RIPA Part 3 Section 49 uses the phrase "believes, on reasonable grounds") there is one. They serve a Section 49 notice and the onus effectively shifts to the accused to prove there is not an encrypted partition or give up the key(s). Any info they can find to make it look like you have played with encryption (such as showing that someone from your IP address visited www.truecrypt.org, for example) just adds to their case. Having an encrypted volume inside an encrypted volume is just asking for trouble as it shows you are actively trying to hide information, giving the prosecution a stick to beat you with in court.
You may wish to consider the case of the animal rights activist convicted under RIPA, who insisted she did not even have any encrypted info on her PC (http://www.theregister.co.uk/2007/11/14/ripa_encryption_key_notice/).
""they can't *prove* it....." Yes they can. All they need is a surface level scan of the drive and a professional to stand up in court and say "
Then you wheel out your own expert who says how full of crap theirs is. That Truecrypt is a popular, free and ubiquitous tool that it's a considerable effort to set up a shadow volume, that they've offered no evidence that there is one, that the effort required to make one renders the presupposition highly questionable and that if there is a shadow volume it would be virtually impossible to test because of the way the software functions.
Then you get your defence to reiterate that the defendant has been completely forthcoming during the whole investigation and the only reason he initially refused to disclose his password was the highly personal nature of the "my genital wart pictorial diary" content on the volume which he subsequently relented to show and he knows nothing about the arms smuggling allegations the prosecution is on about.
"......Then you wheel out your own expert...." DUH! Apart from the fact you don't get the chance to with a Section 49 notice until AFTER it hits court, you are forgetting that they are not going to come at you with nothing, they will have a REASON for turning you over, such as your dim-witted association with types like the Anons, Lulzsec, ALF, or other dross, or your habit of visiting certain websites. They do not randomly turn up and accuse anyone of having an encrypted drive, it is usually a case of "during our investigation of a serious crime we came upon information leading us to suspect that Mr X was involved, the nature of his involvement including safekeeping information in an encrypted partition on his PC". By the time they get round to requesting a notice they will have enough info to get the notice in the first place, which means they already have dirt or the inference of dirtiness on you. It will not be a case of "dear Mr Clean, please give us your keys", it will be "the accused, suspected of crime X (paedophilia/terrorism, delete as required)". If you have a history of visiting AQ-sympathetic or ALF-linked or padeophilic websites then your pretence of a genital wart pictoral diary will be a very obvious attempt at deception. Please try and understand that the coppers are not as stupid as you may want to believe.
"Please try and understand that the coppers are not as stupid as you may want to believe."
It isn't their intelligence that is suspect. It is the corrupting nature of their environment that makes them believe the worst of anyone who crosses their path. Once they fixate on a name then they tend to become convinced that "no evidence" means it's a very clever criminal. Accordingly there is then a very human tendency to spin anything they can. At worst they "find" some specious evidence in the hope that something more solid will appear.
There is also a tendency when the stakes get high to coerce suspects and witnesses in ways that PACE doesn't catch. Veiled threats ensure that law-abiding people in their right minds don't complain to the authorities - especially about "false arrest". After much frustration with the protections for innocent people in our laws - then "the end justifies the means" mindset starts to take hold.
How many times have you seen a developer or an engineer flailing about on a problem because they are convinced they already know the answer? Their mind becomes a narrow focus that doesn't see contradictory indicators - or worse they discard conflicting facts. They grasp at straws. Fortunately you can't lie to machines or Nature. The Laws of Physics won't change just because it would be nice for a theory.
The Courts of Justice are no so deterministic and can be persuaded that 2+2=5.
"If they suspect you of something and you're using Truecrypt, they will suspect the hidden volume is present."
They can suspect all they like. Convincing a judge is another matter, which is why it might be a good idea to make the fake volume as sensitive and personal as possible. Just not incriminating.
SSH to my server does, https to my bank doesn't.
What advantage do you think SSH has over SSL/TLS in verifying the identity of the peer?
I've seen plenty of people accept SSH fingerprints without doing anything to verify them, in which case they have no verification of peer identity at all. Even if you do verify the fingerprint against some record, all you're doing is relying on the security of the channel that delivered that record of the fingerprint for confirmation of identity.
The X.509 certificate chain used to verify identity has many problems, particularly given 1) the dreadful state of public PKI, and 2) the way OSes and applications are stocked with root certificates from all sorts of untrustworthy CAs. But it's not an inherently less-secure mechanism than SSH, and in fact it has a wide range of potentially useful features and is significantly more flexible, as well as enabling a far more scalable infrastructure.
As for asking the user to manually verify the peer's identity - there's no reason why an application using SSL/TLS couldn't always display the certificate chain and ask the user whether it should proceed with the conversation. None do, because users would just be annoyed and click through without checking. But it'd be easy enough to create, say, a Firefox add-on to do this, if you really want to.
"any backdoor would be open to abuse by hackers, including foreign governments"
The government of the USA *is* a foreign government. Why should they have backdoors into software used in other countries, which judging by their past performance they are guaranteed to massively abuse?
"The government of the USA *is* a foreign government. Why should they have backdoors into software used in other countries, which judging by their past performance they are guaranteed to massively abuse?"
Cause the Chinese are beating them at their own game. If you can't beat them, cheat...
Once again the low hanging fruit is selected because the more probable routes (PAYG mobiles etc etc etc) are too hard or too numerous to deal with.
Do they really expect us to believe that the real terrorists are even less intelligent than their Hollywood representation? Just how hard is it to work out that if you use real names and objectives then you may get caught?
Oh, it;s not that it has a foreign government mandated back door, they just think it's the wrong foreign government.
It will work as well as when the US was trying to block export of encryption. You had to fill out a form to get 128 bit IE. A joke and a pain for US companies at the same time.
" .. those who trust US government agencies not to abuse increased wiretap powers. " Anyone ? All i hear is crickets in the back of the hall .. For those of us who are sane and have been keeping with recent events , IRS , AP wiretapping and now FOX reporter events , trusting the US gov and agencies is a no go from the start. Some days i wonder if the only way to have a secure communication won't be to start using dial-up like in the old days ,machine to machine directly and using as strong encryption as it's possible. The internet as per such is as far as privacy is concerned , a nightmare that will only get worse. Maybe the real future lays in old tech revisited . Strongly encrypted peer to peer over a wired telephone network.
"The FBI argue the net is “going dark” to them, thanks to encryption technologies which render valid wiretapping warrants useless."
Perhaps they shouldn't have abused the power so much that encryption has become widespread to the point where my Mum has heard about it and knows how to use it.
personally, my view is if they want more data, let them have it. Masses and masses. And then let them drown in it. Even with the most sophisticated algorithms and fastest machines, it's going to take some time, hours, then maybe days[1] to query the petabytes upon petabytes that the state is hoarding. And that is if it was all in one place, which it isn't.
My prediction ? If they keep on slurping data at this rate[1] then we will start seeing more successful terrorist outrages[2]. The law of unintended consequences. If only someone had warned them - oh, hang on, they did.
Anyway, as a sage observer pointed out years ago, if you want to defeat the massed ranks of spook eavesdropping, then faxing handwritten Arabic notes is a good start.
[1]Of course the amount of data will just grow and grow as a function of time.
[2] Remember the 7/7 bombers were already in the frame when they blew themselves up. How many more are being missed, whilst HMG farts around with IP logs et all.
If you are or become a person of serious interest your communications are already severely compromised no matter what precautions you take. Putting in mandated 'back doors' only enables fishing expeditions for fairly petty things like drug trafficking and school district fibbing and provides a massive weak spot for serious bad guys to exploit.
If the back door is mandated is it still a back door? Wouldn't it be more of a service entrance or side door?
Think about this for a second. A transaction appears on your credit card statement that you don’t recognise, so you call your bank only to be told it was authorised by PIN so you must have done it. Now you have to fight to get your money back as even though we know it’s possible to hack chip and pin all banks deny it. With this new law there must legally be a hole in all encryption methods used, the bank can’t say chip and pin can’t be hacked as legally it must have a hole in it so they must refund the transaction.
Of course this law will only apply in America and they haven’t got chip and pin yet, but if the American system legally must have holes then the whole worlds baking system is broken, unless the rest of the world cuts America off.
True story.
A couple of days ago, I get this call from a client whining that is printer wasn't working, "a friend has tried it and said it was ok, but I still cant print"
So there I go and to my utter surprise and horror after 20 min of puling nobs and pushing wires realize that whenever skype was turned on and logged in the printer would freak out and stop printing, just to restart printing the moment you turned skype out.
Was skype calling home? I have no idea, nor did I have wireshark with me to check out, but as we say here “No creo en brujas, pero que las hay, las hay"
So when something fishy happens in your computer, just check if skype is on before you call the PC repairman.
Introducing this legislation won't change anything, any more than introducing legislation allowing the NSA to put mass taps into AT&T's exchanges didn't change anything. They were already doing it.
Likewise anybody who thinks communications that passes through a central choke point (Microsoft, I'm looking at you with Skype traffic) that can decrypt it won't be decrypted is living on a different planet to me.
To put it another way, Companies that advertise snake oil like secure communications will have a new road block in their path. If this legislation passes they effectively have to claim they are breaking the law. Hopefully that will make a debacle like Hushmail a lot less likely.
That's got to be good, surely.
Oh, if you really want secure communications, it isn't hard. You just need end to end encryption implemented in open source software. That's another thing this legislation will make plain - at least to those who think about it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
