There are some paranoid alternatives.
Retroshare has the sort of end-to-end encryption that makes the NSA struggle - you have to exchange public keys to authenticate new contacts. The big problem, of course, is that none of your friends use it.
The UK government is apparently going to ask Apple, Google, and other American tech giants to give it the skeleton keys to their encryption systems. Based on our experience here in the US, the response is going to be a firm: "Fsck off." On Monday, the Daily Telegraph (a reliable friend of the ruling Conservative government) …
the four horsemen of the infopocalyse – terrorists, drug dealers, pedophiles, and organized crime.
Nice one, that. I'll have to remember it.
President Obama, nearing the end of his final term, has given up pushing for a law demanding breakable encryption.
Mr. O has stopped promoting it, but unfortunately he'll gleefully sign it if it crosses his desk.
... but it seems to me that a simple solution for governments and Tech companies alike would be to set it up so only* governments can issue private keys to their citizens (and also be responsible for distributing public keys).
Crypto remains uncompromised, and your** government has a copy of your private key. Government can comfortably promote the use of encryption and save money on policing t'internets
* Yes, I know there will be a trade in "unauthorised" keys, but using one will immediately make you a person of interest to your nations security services.
** No need for the UK to pass it to the US authorities, as GCHQ can provide the clear-text if needed AND appropriate.
So what else am I missing?
"So what else am I missing?"
All conversations between two people of different nationalities?
The setting up of an unauthorised key pair *within* an authorised conversation.
The fact that government will leave all the keys in plaintext on a site that is wide-open to one of those pesky sequential attacks we've been hearing about recently?
>So what else am I missing?
Well, firstly, the big picture. If you set up an infrastructure that allows the government to monitor all your external communications constantly, you might as well put government cameras in your house too - in fact you will likely have one by default whether you know it or not.
However, even assuming you think that's all fine and dandy, exactly how are you going to stop the "bad" people (who at that point are likely to be the "good" people, but let's not get hung up on morality) using different keys and different applications to the ones on the government list. Are ISPs going to have to inspect every packet to make sure it's part of a legitimate authorised protocol? Do they have to have to hand every image in every e-mail and on every web site over to a team of cryptographers in case they contain a stegonographically-concelaed message?
It patently can't work - it only ever did work because we were all pathetically naive and trusting and it was mostly only the Five Eyes doing it. As we now know we can't trust our government, and every other state actor is aggressively trying to get into the same game so any central repository of UK communication keys would be their first target, there is no scenario in which the UK government can be a useful contributor to our necessary privacy.
By the way, it's no longer a private key if somebody else issues it for you and then shares it with you (or anybody else).
That's about as useful as server-side encryption with providers where you don't control the servers, and they generate and hold the encryption keys.
From the perspective of our modern day Stasi/Gestapo entities, it's an outstanding, desirable, and practical idea. But I really wish you'd kept mum about it. And I sincerely hope that none of the folks who collect gov't issued paychecks will ever read these comments.
Hey Reg!! Is there any chance that we can delete these particular comments? With the author's permission, of course. He/she is obviously smarter than I am. I'd never have thought of such a clever left-handed (sinister) idea.
"So what else am I missing?"
1. Do you, as a citizen of country x, have complete and unconditional trust in your government, their security services and all public bodies that they will not misuse this for their own ends in spite of the evidence that they do e.g.the UK's Regulation of Investigatory Powers Act (2000) has been used on number occasions to investigate individuals for non terror related alleged offences ?
2. Do you, as a citizen of country x that has a repressive regime, have complete and unconditional trust in your government that they wont give your private key to the security services of government y to spy on you for political related matters?
For me the answers are both 'no' and I don't believe Silicon Valley aren't already in discussions with the NSA.
But, but, but ... politicians are smarter than mathematicians, they just try to legislate mathematical truths rather than waste time trying to prove them: Indiana Pi Bill
whenever politicians mastered mathematics?
Unfortunately they're all Oxbridge arts graduates who couldn't recite their three times table. And as a result, all the really important things that government could do get done wrong or not all, and all the things that governments should never do become a central purpose.
This also explains the mutually contradictory nature of almost all government policies.
That any exploit is a total exploit?
The government finds it impossible to keep its secrets secret, so how do they think it would be possible to keep a gaping hole into everyone's communications secret? It'd be all over the criminal underworld within days of existing, with exploits produced just as quickly.
The thing is, having this sort of flaw in security will basically ruin the ability to do online shopping or banking. Who would put their financial details in a website knowing that any criminal with half a brain could intercept and use them?
Do they not have technology advisers in government? Or is it like the badger cull - they have them, but ignore them because they don't like what they keep saying?
That's why we have the House of Lords, so that some people who actually know about something can quietly stop the most stupid legislation from going through.
As to whether they are competent in technology, unfortunately that may be another matter.
"That's why we have the House of Lords, so that some people who actually know about something can quietly stop the most stupid legislation from going through."
Though if Dave and George get their way, not for much longer. They're a little bit pissed about the whole tax credit thing.
"That's why we have the House of Lords, so that some people who actually know about
Generally very little. A majority are political appointments with a few hereditary peers thrown in. For example Andrew Floyd Flobber (a political appointment with a deep knowledge of popular musicals) flew back from the US to vote in a recent debacle.
It's not they (we) don't give a shit, it's politics. So if your...ummm... leaders (the UK) make it mandatory (as the article says early on) and the techs don't or won't comply, I guess it's back to the abacus for the UK. This is a grandstand play on Cameron's part and he may have been put up to it by Obama. If the techs bend over and say "ok" to you guys, then they have to say "ok" to the guys over here. If they say "no" then there's the possibility of sales and profit being lost. Rock vs.. hard spot for the techs if the governments follow through on the mandatory threat.
It's refreshing to see that both sides of the pond have idiots in charge.
HAHA! Tell us your thoughts when you work at a company that has offices in more than one country, THEN you'll understand how fucking retarded your comment is. As for giving a shit, you apparently do, as you bothered to read the comments and crap out one of your own. Good work, Sir Hypocrite!
Qvq lbh ernq gur negvpyr, be jrer gur jbeqf gbb ovt?
Tb onpx gb znaavat gur qrfxgbc, V zrna qvpxgbc freivprf qrfx, jnaxre.
Unfortunately, the security czars and special advisors to HM Government are unqualified in mathematics or cryptography - in fact, one wonders how they got the job at all. Cameron and Co appear to be somewhat brainless (it's not as if people who are qualified haven't been clamouring to be heard), and the Queen isn't taking her responsibilities seriously (she should dissolve parliament and require an election before Cameron n Co make us a complete laughing stock).
It's a sad state of affairs when we need to rely on massive corporations to stand up for us against our government. I'm not certain that I trust the massive corporations- but I definitely don't trust our government.
Sorry but the people who do advise the govt on this are NOT unqualified in maths and cryptography. GCHQ is full of very, very, very clever people who do understand maths, who have PhD's in maths and cryptography (which is much the same thing). I have worked with some of them and they know their stuff.
I 100% disagree with what CQHQ do, but do not underestimate the people who work there. That would be a mistake by everybody. They will have told the govt what people here and Apple and everybody else has said. That is part of GCHQ's remit, to advise the govt on security matters.
I have no idea what has been said by GCHQ but I am 100% certain that GCHQ knows what is possible and not possible, almost certainly better than anybody else on this board.
Now politicians being what they are, bottom feeding, lying, scum, may choose to ignore what has been said by their security advisors and to willingly lie about things. I know, difficult to imagine that a politician might perhaps utter an untruth, <cough> Tax Credits, Universal Credit <cough>, but thats the politicians for you. Also most politicians are not brain dead (IDS excepted, there's a person who makes Norman Tebbit look like a lentil eating, Guardian reading lefty), emotionally dead, yes, but most have a couple of brain cells that do work. I grant you that 90% of the time their brain cells are solely focussed on looking good on TV, trying not to dribble in front of the camera and working out who to stab in the back for their next promotion, but under estimating politicians is a very bad idea. At the end of the day they have the power and we the people, do not.
They can pass laws that make life difficult for us all, they can use Statutory Instruments to try to take away tex credits, they know all sorts of ways to push things through.
In this case I *think* that they know this is an impossible win but the way they work is to demand the moon on a stick, then give a concession to something a little bit less extreme which is what they wanted all along. I would start to look at what else is being suggested rather than Apple giving them the keys to the sweet shop, what other little regulation is in the background that they really want to impose on us. These are magicians waving their hands one way to try to redirect out attention from what is they really want to impose on us.
Am I the only one that cannot be arsed to read these long, rambling diatribes?
Short answer: Yes.
Longer answer: Yes, like most ADHD-addled, can't-be-arsed-with-engaging-one's-brain, short-attention-span, immediate-gratification-seeking Twitterati.
Next question?
I don't believe that this is wholly the work of the government. It's just too suspicious that whenever the gov of the day changes, the group then placed in a position of power suddenly reverse their previous stance on maintaining privacy to take a position that is the exact opposite.
I'm not sure who it is, how or why (I can possibly imagine why, but I am very cynical), but someone, somewhere is responsible for somehow "persuading" them to change their positions and do stupid things.
We don't actually need tech companies at all for messaging. Why harp on about Apple and WhatsApp? Just use a distributed/federated protocol, like XMPP with OTR or whatever you need. The tools already exist for strongly encrypted, decentralised anonymous communication.
yeeesss... but no-one has wrapped that up in a shiney App that can be easily shared and looks/works good enough to be popular. Methods and protocols are all good and nice, but your average teen does not care, and they determine which chatterbox becomes the new hit, until it gets old, of course..
@ Grikath
Who cares about average teens except average teens? HMG can ban all the shiny apps they want with no real effects except pissing off potential voters. If secure non-shiny alternatives exist they'll be used by anyone with the incentive and knowledge to do so. That, of course, includes those who HMG are most keen to eavesdrop on. Great idea, ruin the average punter's privacy to no useful end.
How to beat it - just use texttalk inside the app - GCHQ WTF LOL {smileyface} - they won't understand it.
Same technique as the Yanks did in WW2, they used Apaches as wireless operators, if the Japs tapped in they couldn't understand the Apache native language and it was just another layer of security.
And when HIlary Clinton becomes el Presidento and comes to the UK, I'd like to see Davey boy ask for her encryption keys so GCHQ can tap her communications back home !!!!!
they used the Navajo Indian language.
https://en.wikipedia.org/wiki/Code_talker
And Hilarity Clinton will never be el Presidente, she'll only play one (badly) on TV. However, her IT skill is sorely lacking (along with her ability to tell the truth) so anyone will be able to hack her without having her encryption keys.
of sin praktice in failing to furrow theogonies of the dommed).
Trisseme, the mangoat! And the name of the Most Marsiful,
the Aweghost, the Gragious one! In sobber sooth and in souber
civiles? And to the dirtiment of the curtailment of his all of man?
Notshoh?
BUTT (maomant scoffin, but apoxyomenously deturbaned but
thems bleachin banes will be after making a bashman's haloday out
of the euphorious hagiohygiecynicism of his die and be diademmed).
Yastsar! In sabre tooth and sobre saviles! Senonnevero! That
he leaves nyet is my grafe. He deared me to it and he dared me
do it, and bedattle I didaredonit as Cocksnark of Killtork can
tell and Ussur Ursussen of the viktaurious onrush with all the
rattles in his arctic! As bold and as madhouse a bull in a meadows.
Knout Knittrick Kinkypeard! Olefoh, the sourd of foemoe
times! Unknun! For when meseemim, and tolfoklokken rolland
allover ourloud's lande, beheaving up that sob of tunf for to
claimhis, for to wollpimsolff, puddywhuck. Ay, and untuoning
his culothone in an exitous erseroyal Deo Jupto.At that instullt
to Igorladns! Prronto! I gave one dobblenotch and I ups with
my crozzier. Mirrdo! With my how on armer and hits leg an
arrow cockshock rockrogn. Sparro!
The problem with this encryption schema method is that copious amounts of alcohol unlocks it temporarily and then alcohol induced short term memory loss erases the de-crypted meaning before you can record it. Possibly other mood altering chemicals have the same affect but i don't have any evidence for that.
This post has been deleted by its author
I have my own server in a foreign country, so if they want to view my emails etc... They have to first get a judge in said country to agree and then go to the owner of the service to get my data and that would be me. So they have a long and awkward process to follow just to see that my wife asked me to buy her some crisps on the way home from work.
Now just imagine how much harder it would if the target was a well funded terrorist organisation.
Has anyone noticed how many more terrorist attacks there are now in the UK since these technologies have been available than there were in the days of the IRA?
> I have my own server in a foreign country, so if they want to view my emails etc... They have to first get a judge in said country to agree and then go to the owner of the service to get my data and that would be me
I don't think you understand. If they want to read your emails they will arrest you, seize all your stuff, read any emails you have already downloaded. If those emails are encrypted, you will be waterboarded or beaten with a rubber hose until you divulge the passcode. You will divulge the passcode, and anything else they want too.
Don't think laws and technology make you safe. They don't. And torture works on everyone eventually.
Do note that Mr Cameron hasn't said how quickly he wants the encrypted material to be decrypted. All we do is hand over the encrypted text, and a secondhand ZX-81 and tell Plod "There you go, this'll crack it... eventually."
It will, too. Probably after a few zillion years, but nobody said this sort of thing was going to be easy, did they?
I'm the organiser of a criminal/terrorist (the former includes the latter in my book) organisation. I want to arrange encrypted communication with my members. How do I go about it?
We'll assume I have access to some developer talent. If I'm running a terrorist organisation I may well have that in my membership, if not there are obviously criminal organisations out there with that talent so I can buy it in.
With that I commission its own S/W for my organisation. The developer talent doesn't need to have a cryptography specialisation as the libraries for this have been available for decades. One approach to take would be an application to create self-decrypting files - executables with the encrypted data built in.
I rent a server out of the jurisdiction of where my organisation is operating and upload the messages there. Or I can upload them to a binary newsgroup. Or pastebin. My members can download their messages, run the software, read the decrypts and then delete. Except for the brief period when they're downloading and reading there's no incriminating decryption software in their possession. Neither random stop and search of my members no seizure at border crossings will reveal nothing untoward.
I still have the problem of key distribution. I can set up a different distribution route for each channel. I identify some forum which members can read without suspicion. I occasionally post comments to that. The comment itself isn't the key. The key is a hash of, say the 2nd paragraph of the comment's grandparent and is a one time pad. The reader simply copies & pastes the paragraph into the self-decrypting file he's downloaded, the hash is regenerated & the message decrypted & displayed.
Such a method has its limitations; it's susceptible to traffic analysis if the authorities suspect an individual. However, if encrypted is banned on WiFi there will be an ocean of available access points; let the authorities try to perform traffic analysis on those.
The essential point is that making encryption illegal only bans legal applications. If people are already breaking the law you don't stop them doing that by furnishing them with more laws to break.
If it was the Chinese who were asking? We've all seen how tech companies bend over backwards to continue doing business over there.
I doubt they consider UK business that important, but if the rest of the EU decides "Hey! That ain't such a wacky idea after all!!" and start demanding it as a requirement to do business in the EU, then maybe they'll have to rethink their decision.
Putting back doors into popular applications will only let them read the messages for the stupid and small time crooks. Their claimed targets terrorists and drug kings will use their own software and manage their own end to end encryption. Paedophiles have shown themselves adept at using technology and will simply up their game.
So: are our politicians (and their advisers) complete twats [a real possibility] or are they playing a different game, eg: trying to snoop trade secrets and political dissent - ie keep themselves in the money and in power -- so that long may we remain their underlings.
I think the real main driver is that this is a way to reduce the cost of policing -- in order to make more cuts. I think it is driven entirely by the same thinking as the tax credits cuts, not by any goals about security.
Being able to read all (ordinary peoples, and small time crooks) messages obviously makes policing much easier (and remotable -- no need for anyone to knock on doors and talk to people). Making policing easier obviously saves money, but at the cost of moving us significantly towards a police state. Having police capabilities and resources limited, and prioritised to serious crime, is crucial to the underlying social contract that means the public generally approve of and support the police. Giving the police completely new powers like this breaks that social contract and risks a serious backlash against the police.
Dear HM Government
We, the people, will agree to give up strong cryptography when you agree to give up Parliamentary Privilege, and make public any and all correspondence into which you have entered since assuming office. Because that's effectively what you're asking us to do.
You also acknowledge that by doing this, you effectively condemn the digital economy of the UK, significantly weaken our international trading position, undermine the future of the UK's STEM talent and relegate us to the IT equivalent of the dark ages (well, 1997, or thereabouts).
Honestly, who advises the government on this stuff?
- Honestly, who advises the government on this stuff?
the mail, the telegraph, murdoch? who else? certainly not voters. that at least, is not news.
I'm in two minds. on the one, to encrypt/VPN everything, fill up public clouds with /dev/random truecrypted files and regard it as civic duty, to contribute to ever ongoing obfuscation in so much as is humanly possible;
But, on the other hand - more brute force decryption resource is never going to be subject to the cuts the NHS is, and you know what that means. that's right, we'll be responsible for killing people, by proxy. They can call that terrorism.
Some days I think i'm too cynical. Others, I click submit post.
I'm in two minds. on the one, to encrypt/VPN everything
Pretty much what I'll be doing, not because I have anything to hide, or am even that interesting, but because as a parent I have a responsibility to try and protect my offspring from future governments.
Oh look, think of the children works both ways....
Rather than (moronically) sending each other emails, I suspect terrorists, criminals (and spies) who have an aversion to being caught would simply:
1) Identify a *public* channel for communication(s). Maybe a couple of binary newsgroups
2) post in one an NZB of a media file (don't worry if it doesn't work. Thanks to the media providers dark war on copying, corrupted media files aren't significant) which while not encrypted, has your encrypted message hidden inside it.
3) The actual intended recipient of the file will not be immediately apparent
4) The recipient replies the same way. If the channel is *initially* secured, it can be used to switch newsgroups/posting handles at will.
5) Notice how nothing in the UK governments land-grab of data could (a) prevent (b) identify this.
To be honest, I wouldn't even bother encrypting the source message. There's so much shite spouted online anyway, there's no way you could determine anything in isolation.
But then if I were a "terrorist" and my aim was to kill, hurt and maim as many innocent people as possible with my own survival being unnecessary, there's plenty of things I could do RIGHT NOW that could take a dozen or so souls out without really trying. The lack of such incidents leads me to wonder quite how "threatening" the "terrorist threat" is ?
Programs like bitmessage already exist. It is open, distributed, non-commercial. There are no key managers to put any pressure on. All communications are encrypted with keys known only to the two endpoints. Even traffic analysis is pretty hard, and message contents appear to be secure.
Bitmessage may or may not be any good. It appears to be secure, but has never really been seriously reviewed or tested. But even if it isn't, someone else can, and will, create something better.
This is security theatre at its worst. This will have NO effect on the serious criminals being used to justify it. All it would do is make it easy to monitor ordinary people, and small time crooks.
Personally, I have become convinced that all the Investigatory Powers Bill is really about is reducing the cost of routine police investigations so that the government can cut the police even more heavily.
What about banks, end to end retail transactions, multinational commerce? On the one hand, Safe Harbour is defunct as it doesn't protect privacy, on the other hand 'he' wants basic methods of privacy scrapped ... It's the digital equivalent of putting personal, financial or confidential letters in the post using transparent, unsealed envelopes with 'CONFIDENTIAL - DO NOT READ' in red writing on them.
As has been said before, if you want to embrace, utilise and profit by the 'digital age' you first have to accept the facilities provided by the digital age ... and encryption is the only protection method 'we' have against nasty jolly foreigner.
with any organisation sufficiently serious about keeping its comms secret. Never mind encryption systems, even without those there's the possibility of different - invented - writing systems and even invented languages that could be used. Send comms using either or both of those through t'internet, and no amount of decryption will do you any good unless you can force someone who knows how to translate the intercepted message into something you can understand. So, first catch your criminal.. - bit of a Catch 22, it sems to me. On the other hand, that's so much effort that one might imagine that only the most nefarious (or perhaps those trying to keep trade secrets secret?) would bother with that kind of thing.
Anyway, I'd urge all UK citizens readingthios to contact their MPs about why preventing public use of secure end to end encryption is a bad idea. Making us all more veulnerable to random miscreants is NOT a good way to help ensure our security.
Poor Dave.
I often wonder what made the blue-rinsed twerps of the Parliamentary Conservative Party back that clown Cameron. Then I see how the Labour party sold their soul to rictus Tony and had a hangover afterwards, allowed Gordo the Idiot to become king, and then buggered up their own leadership election arrangements such that a scruffy, Britain-hating marxist now "leads" them.
I think the best solution for the state of British democracy would be to round up all the MPs who have sat in the past two decades, and hand them over to DEFRA to be gassed.
Curious and curiouser - the 9/11 perps didn't use Twitter or Le Livre des Visages. Any terrorist group or organisation that is well enough funded (yes, money always matters) to represent a real danger is able to set up a system of couriers for non time-critical communications and use same system to issue prearranged code words for the time-critical stuff.
And to demonstrate this particular exercise in futility:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
jA0EAwMCZiH+LeF+XX5gycDlJYtPpZfAx/uBGso3vcbzr7YFit+hj/hWkzwoi/Or
94Rq9MZvtwCKa1OeAdTSdcyeZafdJwTdPIu2rzr9kibuF9nDKjfjaewMO+GFy6TI
dCUAUlQAec3pFT2HmzDwOnKM4vHcaMRVJ8eFbccEr4loYl9a5Jg4Xcu/V2cu1y1V
lH5XiC1IZu0Rq29SEc8vrEmjQHVB9gP7y86AwggNuOppmmStmRA6iaGV6vZQ4xh/
/MRq95hyNOXl6moLLmFSs2Zn1u/PVSi8kn5RKNW2Tqkg8IXFj17mfHAMP6G1PUxs
fvdo8YRGky3rrGlLKs9zase202eixt9ar4/FJAlcMFrUYV+n+P7/Nfw09INLpkKe
zZSp9pmzVRC3g0MwM2v9ya556lk6SmeY9XgJ6CXjEJoR4Ju4fhnIBXWcl3+GYYdq
xWHCKcETk2l/AmQqsn2jGJwszQ0MlSAERpq6tQSTVRxvqqOnKm3RJ426TZwpM6ve
T6PIZBvKTCtQpMBvIzkE0hmXbcXU2v8yl7TFabvsrHDoGfwitGRkhu8FltY9wOa0
feElndet1Q==
=EUwK
-----END PGP MESSAGE-----
Key's in the title lads.
Ban use of iMessage, WhatsApp and so forth and only allow communication using government approved apps that give them a skeleton key. No need to bother Apple or Google, and they get a new way to arrest their citizens pointlessly - confiscate their iPhone upon arrest (for charges to be named later) and use their RIPA powers to make them unlock it, then look and see if iMessage has been used and if so you can now name the charges. Similar method for arresting Android users.
That they aren't doing this, and are instead going through the futile exercise of asking US tech companies to do something they won't do even with their own government asking, demonstrates that this is merely grandstanding to highlight the issue. That's so if there's a terrorist attack in the UK they can point the finger of blame at Apple and Google for allowing encrypted communications to take place, instead of having the blame fall on them for relying too heavily on hoovering up all communication and no longer doing any good old fashion police work.
I've now read through the links purporting to show weaknesses in iMessage. They're dated a couple of years ago. In the recent court case Apple said that they could previously intercept messages but not with the current iOS versions. So is the Quarkslab analysis still relevant to current iMessage protocols?
Meanwhile, actual terrorists and criminals will continue to assume that the State is legally or illegally reading their communications and will act accordingly. The bad guys will never use encryption provided by external companies or the State. In particular, they will avoid sending messages through conventional means (e.g. steganography) or will use encryption using their own keys.
Probably not, as I believe the proper way to do forensic analysis on computery things is to clone the drive as is and use that. So the initial evidence is not tampered with.
Also I could be wrong, but I thought it was writes that SSDs, and the like, are at some point limited on. I'm under the impression that reads are fine.
This post has been deleted by its author