GCHQ: Crypto's great, we're your mate, don't be like that and hate Robert Hannigan, director of UK spy agency GCHQ, has said this week there is an ethical problem presented by encryption. The snoop-boss, speaking to an audience at the Massachusetts Institute of Technology in the US, said the industry's technical experts should help intelligence analysts crack crypto used by criminals. …
I feel that GCHQ, like a lot of organizations suffer from meddling from the politicos, and in the main the majority are hard working highly motivated people. Unfortunately these people aren't the ones making the dumb decisions,such as lowering the bar, thats the politicos who have more to fear from the masses.
Yes we need them to protect us from the nasties out there, but no we don't need them, and I suggest they would agree, to their talents being utilised checking Mrs Scroggins isn't trying to fiddle the school entry rules.
Goodwill?
<voice=blade_runner_narrator>
The various government organs have burned through whatever little goodwill they had left
Overreaching councils snooping on your bins or police "just checking up" on neighbours, ex wives/husbands. Security agencies drag-netting all cell & internet comms (but its ok cuz it only meta data)
All because the ${badGuys} and ${boogyMen} will get us.... Won't somebody think of the ${emotionalHotButton}
</voice>
Mines the one with the meds in the pocket
Communications are either cryptographically secure or they are not. There is no magical half-way point where law enforcement or "friendly" governments can have some means to access the encrypted data without that same means being available to hackers, unfriendly governments, criminals or others.
They are not addressing backdoors because it's bad PR and it's what China and Russia do. Instead looking at France and the UK, laws are made which threaten heavy fines and jail sentences so that end-to-end encryption or devices with encryption that is too difficult to break are designed-out at the design stage.
so that end-to-end encryption or devices with encryption that is too difficult to break are designed-out at the design stage
The release of those papers is supposed to assure us that GCHQ are becoming more transparent and to demonstrate they are really, really clever people. So let's run with that for a moment.
Either through backdoors that aren't called backdoors, or simply through banning too-difficult to break security, GCHQ will know as the rest of do that the really organised crims, paedoterrorists and the like who are (supposedly, hah!) the real targets will quickly and readily find alternative communications tactics. Denying these people the ability to do business on an Android phone or Windows/Apple computer isn't going to stop them, and the inconvenience is going to be marginal when they are already always looking over their shoulders. In many cases they will happily continue to use these systems, because they rely on idiot codes - as did SOE very effectively during WW2. In that case GCHQ won't even have caused these people modest inconvenience.
Then again, Hannigan's a typical civil servant, having studied "Classics" at Oxford, so we shouldn't be surprised. Can you imagine the chortling amongst the Bullingdon chums: "Binky Hannigan's moaning that he's cleverer than Sherlock Holmes again because he studied Classics, and we all did PPE. So I'm going to call his bluff by putting him in charge of the most technical most secret agency the government has!"
So, knowing that this won't affect the real villains, the only logical rationale for GCHQ's ambitions to give themselves unlimited prying rights is that it nothing to do with serious criminals, and everything to do with spying on workaday criminals (which I doubt) or is purely to support Theresa May's dystopian vision of universal surveillance of the population by the state.
And another thing, Mr Hannigan: If you want things to be different, and to be held in higher esteem, and to have some support, why are you spouting off to MI-fucking-T in Merkinland? If you want to get some support in the UK from people other than Big State enthusiasts, write something for the Reg (I'm sure they'd be delighted) and join us down here in the dirt of the Commentariat, if that's not too common for you?
Dirt? How very dare you.
Also, I need to understand what you mean by classics at Oxford.
Are you referring to shoes, marmalade and dictionaries?
If so this chap needs to get a proper education, that knowledge is useless in his position. Frightful.
> laws are made which threaten heavy fines and jail sentences
The UK has had a standard approach to this for years - if a judge directs you to provide decrypted data for the court and you fail to do so, it's contempt and gets punished as such.
If anything the laws reduce your exposure - you can be held almost indefinitely on contempt charges.
That is what I said to someone I know who works at GCHQ just after the Snowden leaks. GCHQ have, by their actions over the last 20-30 years, voided our trust. They will never again be allowed, by my generation, to have the same power again.
Until those of us who remember their crimes are gone they can beg, whine, scream, threaten or corrupt as much as they like but they will be fighting the population.
The abuse had been going on since the 70s: completely illegal and dis-proportionate abuse of powers to monitor legitimate political parties (including the Labour party!) and trade unions. Later, helping the police to drive towards a police state for anyone who dares to protest (see the John Catt case). Finally their "climate of fear" pushing of a serious but very infrequent crime (terrorism) as if it was a serious threat to life or liberty.
The actual threat to liberty is the abuse of extremely dangerous powers which should be being used maybe once a year, not on the whim of a politician or police officer.
They were surprised by the vehemence of my concern and by my proposed solution: massive budget cuts to bring them under proper control and focus their minds on the things that are really important. Needless to say, they did not agree. Not that they were in a position to do anything about it anyway (as far as I know, of course).
Until those of us who remember their crimes are gone they can beg, whine, scream, threaten or corrupt as much as they like but they will be fighting the population.
Let's not give the powers that be any ideas, shall we? I can see here in the US that the "purge/gulag" mentality is rising. It appears to be that getting way in Blighty, also. Not too many countries that aren't pushing things that direction in the name of "security".
He's pretty much mirroring Clinton's comments that "the government is not your enemy" to companies like Google who had their inter-datacentre links tapped by the NSA. That kind of comment is intended to frame the argument for the general public as a "these people are being unreasonable too, and even though we're making an effort now they're still refusing to budge!". It's a PR stunt, nothing more, which is probably why he did it in another country where people are less familiar with what's going on with GCHQ
identity verification for Government digital services ... the security of domestic “smart” power meters
If these are so important, and both fall within programmes mandated by government and presumably open to advice from GCHQ, why are the implementations so unfit for purpose?
The government are mandating permanently connected devices be installed in every house in the country, capable of monitoring temperature, energy use ... and sound? ... and reporting back to some centralised server somewhere. Why? To save the planet, of course, and stop looking too closely, it saves you money too. Squirrel.
The Register actually ran a story 2-3 years back about how outsiders can use intercepted telemetry from your smart meter to tell what you are watching. Apparently, the subtle changes in power consumption reported through the telemetry can allow others to figure out whether you are watching Star Wars, Citizen Kane or SpongeBob Squarepants.
http://www.theregister.co.uk/2012/01/09/smart_meter_privacy_oops/
As I recall, my solution was to leave your second TV set to high-brow costume dramas, the arts and news programs, while using a portable generator to power your big TV off the grid, where you actually watched bikini-babe movies and sports.
"For nearly 100 years we have been intimately involved in strengthening encryption."
(My edit: Strengthening for use by us & our friends but not for the general public).
Said in the same breath as finally revealing Ellis documents & GCHQ would doubtless have been very happy if Diffie, Hellman & Merkle had not published on public key encryption.
Some more:
> For those of us in intelligence and law enforcement, the key question is not which door to use, but whether entry into the house is lawful at all.
Note the use of "house" singular. The problem the public has with you, Mr. Hannigan, is that while you stand up and say "house", singular, at conferences, your employer has legislation going through Parliament at this very moment which says "houses", plural, in fact every single household in the land, and beyond.
This is the reason why no one trusts you.
"legislation going through Parliament at this very moment which says "houses", plural, in fact every single household in the land, and beyond." --- 2+2=5
More to the point, they were already doing it even before legislation was proposed, let alone passed, that they should be able to do so.
Once upon atime, the activities of GCHQ and the other security services were limited to thwarting the efforts of states and other groups that were hostile or unsympathetic to us as a country. But since the "end of the Cold War" and the advent of the glorious "peace dividend", their activites have been extended to counter ordinary "serious crime". That's what happens when we are ruled by bean counters.
We are told they work against "organised crime", i.e. gangsters, and against child molesters. If they say so, perhaps; but meanwhile don't recycle too many goody-goody recyclables into the plain old black bag, and be careful what address you choose to get your child into a good school (*).
I would like to see the remit of the security services firmly reset to its old position of thwarting the Queen's enemies.
(*)When my old grammar school was made comprehensive, it was relocated to the most expensive suburb of that city, where my parents could never have afforded to live.
I occasionally ponder how many of the WW2 "heroes" would have had their security clearances pulled had their private correspondence been known.
We quite possibly would have no GCHQ and no atomic bomb, leading to a very different outcome. We should learn from history and make sure we're not in that position the next time.
If a criminal commits a crime, you serve him with a warrant, approved by a court, he is compelled to unlock the device or can challenge the warrant. Why should GCHQ have a backdoor into encryption to bypass that judicial process?
If he's already dead, tough luck, you can't arrest him anyway. Anyone he talked to is a phone billing record away, go after them instead.
What you're actually trying here is to strip the judicial and privacy rights from Britain.
Once GCHQ were code breakers breaking ENEMY codes. Now they do a full take on BRITISH comms, they help conceal PRISM surveillance of Britain from Parliament, and here they want British encryption back-doored. You lot in the donut are the biggest threat to the UK.
It was revealed that Obama gets a briefing on governmental secrets. It was revealed that the 5-eyes-no-spy agreement was ignored if the information was useful to the US. It was revealed that "The Wilson Doctrine" is worthless, you hoover up all Parliaments and government ministers internet data along with everyone elses. Today its Obama, tomorrow it will be Chancellor Trump who gets his briefing if our secrets. Secrets that largely come from your Full Take data.
We need compulsory encryption to protect our government and Parliament's private communications from you. That encryption needs to be GCHQ proof. Because you lot have lost the plot.
'...stated he was “puzzled by the caricatures in the current debate, where almost every attempt to tackle the misuse of encryption by criminals and terrorists is seen as a ‘backdoor’.”'
When people have been lied to by state agents, and when those agents have seen fit to act regardless of 'just cause' or actual 'evidence', is it any wonder that said 'people' are just a tad cynical about any subsequent 'promises' and 'explanations', even when they are made in good faith. That's what happens when you lose trust---people don't trust you. Quelle suprize!
The 'moral' question is: What can our state agents do to convince us that they will act with integrity and good faith towards 'the people' whose lives and livelihoods they are charged to protect?
In reality there is probably nothing they can do; they've blown it. They blew it years (hundreds of years) ago. The only thing that has changed is the extent of their reach and the time-frame of their reach---longer reach, and much faster. Apart from that it really is business as usual, and hoping that there are always enough 'good' people in the system to mitigate the worst tendencies of those who are motivated by greed, power, and fear.
The best we can probably hope for is some kind of Mexican stand-off, between the state agents, the criminals, and the rest of us. The graveyard scene in 'The Good, the Bad, and the Ugly', comes to mind, but without a resolution.
..we invented public key crypto, a technology that enabled so many things in the modern world. Yet we didn't tell anyone, that would have allowed potential security gains for UK citizens and potentially have given economic benefits to UK industry.
Sounds like the don't care very much about the security of UK citizens data, they just want in.
But everything we learned from Snowden's leak was that the intelligence agencies cooperate to subvert provisions specifcally written into law to protect the people from unreasonable oversight.
I think the major features of this speech were that so-called smart people actually sat through it and that the speaker managed to keep a straight face throughout.
Explain once more how listening to my phone calls combats terrorism.
Then explain how we may employ sheep's bladders in the prevention of earthquakes.
"From traditional protection of military communications, through personal privacy online – including identity verification for Government digital services – through the security of domestic “smart” power meters – where the design principle is that homeowners are in control of their data – to the security of the nuclear firing chain, we understand the importance of encryption for the economy and for the individual."
Erm, so they are responsible for the lack of personl privacy online?
And the Government mandated and enforced roll out of smart meters whose data protection regime contains this gem:
"Normally this data will be collected after you have used the energy (ie not in real-time) unless there is a specific querry about your bill."
So, capability for real-time data queries built-in? Thanks for "protecting" me GCHQ.
"That is where we will need goodwill on both sides.”
Fair enough. But that gives him a problem. He and the other agencies have lost that goodwill because they have lost the trust of the public including the tech companies. He and the others need to regain that trust. It's really the most important problem they have and I don't think they have a clue where to start. I can help them with a rather old piece of advice.
When you're in a hole, stop digging.
They need to step back, grasp what the rest of us are saying and then admit that they way they've been going about things is wrong; that for the greater good they need to accept limits. Standing up and giving lectures about how they're right is, in fact, quite wrong. They work for the public. The ethics and morals they adopt should be those the public require of them. It's not their role to try to scare the public into the attitudes they want. And, as someone said in a previous comment thread (and inexplicably got downvoted for it) questions of principle shouldn't be settled by appeals to utility.
Unfortunately just like the Police.
Way back the Police were respected, not feared.
Why has this come about?, well meddling from above, fast track promotions, fixed up evidence,
I spoke with a bobby on the beat (I know, a rarity) a while back, seemed a decent chap, but go higher up the chain where the promotion opportunities are fewer and thats where it all starts to go wrong.
This is human nature, to scrabble to the top of the pile.
The police need less interference, less 'nee naa' and more connecting with the population, then they will regain respect, which is not a given, it has to be earned
If I understood correctly the extracts of Hannigan's speech he is asking for crypto software which falls over if you don't follow a strict procedure, or some such 'human" cause of failure. So you can have your secure crypto but if you ever forget to put in a new password for each message it can be cracked. That way your average crim can have the best crypto but GCHQ can read the plaintext..
On another note, after analysing Hannington's comments I can see why a Classics background might be useful in his job - it must require great linguistic skills to appear to say X in such simple english but actually mean Y.
Big Brother has an overwhelming need to continue watching you, and you, and you ...
"If I understood correctly the extracts of Hannigan's speech he is asking for crypto software which falls over if you don't follow a strict procedure, or some such 'human" cause of failure. So you can have your secure crypto but ..."
They already have everything they need to go after targets. No crypto is secure against endpoint compromise and all the old school spycraft (shoulder surfing, infiltration, honeypots) still works; all the new school spycraft (hidden cams, tempest, decoding audio to narrow down password search spaces) still works; and all the bang-up-to-date spycraft (keyloggers, hardware compromise, certificate compromise, rng tampering) still works.
I totally support them going after targets. I shall totally resist the dragnet.
Fine, resist away and you will be tagged as someone hiding something. I don't suppose that would cause you any problems and I don't suppose the security people would do anything unless you managed to accumulate some other tags, US no-fly list, regularly seen parking outside the Ruritanian embassy or whatever criteria they have for being suspicious.
The point is that the security services keep saying that they are looking for the "unknown unknowns" hence the dragnet and hence their craving for full access to everything. If they can't have that (and I sincerely hope they don't) then they will have to make do with the next best thing, which seems to be looking at everything anyway in the hope that they will be able to get at least something from it.
Hannigan’s and GCHQ’s abiding problem, and it is certainly not confined just to them in Blighty for others abroad have also the same enigmatic quandary to ponder, is the correct answer to the question of whether they be working for the right employer, or whether they be just making fools of themselves believing the boss programs and active agents they are targeted to protect and propagate, are worthwhile.
After all, who is ultimately to blame for the likes of the dodgy Iraq dossier if it wasn’t a lack of intelligence and crappy leadership in key players which wasn’t kicked into touch and destroyed by the greater Intelligence Community.
Such doesn’t bode well for prosecution of the belief that they have anything worth listening to, whenever the whole system is so easily perverted and corrupted to roll over and act as a captive lapdog and fluffer to fools who then are allowed to move on into probably lucrative fields without the glare of media attention and parliamentary oversight, although both of those themselves are toothless wonders too, are they not?
To most people in "law enforcement" , everyone is a probable criminal, and they see it as their job to find out what laws you have broken. Presumption of innocence is long gone.
"Law enforcement" has now come to mean "Circumvention of law (for police benefit)". It's a 180-degree switch from their stated purpose, so why do they wonder that we don't trust them with anything?
A couple of decades old, and NSA specific, but still a classic tome for anyone interesting or interested in the command and control of both the intelligent and the stupid in practically every field virtually available? ...... https://www.nsa.gov/public_info/_files/directors_misc/Directors_Work_Plan.pdf
The snoop-boss, speaking to an audience at the Massachusetts Institute of Technology in the US, said the industry's technical experts should help intelligence analysts crack crypto used by criminals.
Another barrel of bilge from the ministry of misnomers.
I suppose none of the 'Technical experts' are above a bit of blackmail I fully expect to read shortly that one of them is found to be a criminal also, can they resign or do they just disappear, who will these technical experts be?... Oh, they're employed by the government, well that's ok then, ....we can expect all the backdoors to be left on a memory stick on the London tube.
What a Fu** wit
"The level of security I want to protect the privacy of my communications with my family is high, but I don’t need or want the same level of security applied to protect a nuclear submarine’s communications, and I wouldn’t be prepared to make the necessary trade-offs."
Take this statement in conjunction with the Nat West article. It would be wrong to see such things as affecting just individuals - as in his family's communications. If you take all the Nat West users together, or all of the other individuals who might be affected by some other issue, each time you can add up what's a risk and discover that it's a sizeable chunk of the economy. Does that move it a bit closer to a nuclear submarine in terms of significance?
Well Mr. Hannigan, there is also an ethical problem presented by agencies that are supposed to be under the control of the people spending their time hoovering (or "Herbert Hoover-ing") up the communications of those same people, based on secret interpretations of law or identification of legal gray areas that don't specifically stop large-scale interception. And then these agencies lie to the people about the extent of that surveillance or its existence at all.
Democracy and secret law are incompatible. Figure out which side you are on (though you probably already have and it's not on the side of democracy).
And trotting out the Enigma-busting effort is a red herring. I'm fine with the sigint agencies cracking codes and encryption, especially against a hostile nation-state. You aren't going after Nazi Germany with this encryption fight--you're going after communication systems that I rely on to pay my way in this world and communicate. I can't stop someone hiring an army to try to brute force every possible access code to get onto my smart phone, and I can only hope that criminal organizations will seldom have those resources. I am not fine with the vulnerabilities being created so that anyone who buys, blackmails, cajoles or gets promoted to a certain level of access can log into their workstation to see what citizen Marketing Hack is up to today.
We all associate the Enigma machine with codes and codebreaking but in reality the machine was just part of the secure communications process and never yielded to direct attack. The trick was to figure out the settings, and this was only possible because the procedure for setting up the machine was manual and so left openings for attack. This is analogous to spearphishing attacks being used to penetrate networks -- the human's always the weak link.
Apple's risen to prominence because they've taken the human weak link out of their encryption process which has made that process very, very, difficult to crack. I don't see how the security services are going to be able to put that particular genie back in the bottle; they seem to be trying a charm offensive in the UK designed to tell people that its OK to have just a little encryption, that's all you need.
(Incidentally, returning to Engima there's something I'm fascinated with but can't find any information on. Just as BP was exploiting procedural weaknesses there were similar teams in German intelligence doing the same thing -- they were looking for procedural gaffes and changing code settings as soon as they discovered one. I'd like to know more; my guess from their inadequate reaction speed is that it was just a handful of people who knew the dangers, were chronically underfunded because "management knows that Enigma is bulletproof" -- the usual stuff. Had the Germans even an inkling of the industrial scale of BP then they might have been taken more seriously.)
The idea of asking tech companies to engineer backdoors into their products so government can access encrypted communications, or gain control of a device, is asinine.
Because there is nothing stopping someone else from using that. Say that that is what happens, I firmly believe that:
Within a day of it going live, hostile government actors will have the backdoor, assuming they don't even have it BEFORE it goes live.
Within a week of it going live, hostile NGOs - the likes of, say, ISIL, al Qaeda, etc - will have it.
Within a month, organized crime will have it - the mafia, Nigerian 418 scammers, etc.
Six months, and criminals of every level will have it just by Googling it. (And I may be being generous by giving this one six months, cynically, I'd say more like two.)
In the name of making things secure, those who want to engineer stuff like this are going to make things VERY insecure. But I think that's the point.
I guess he is really trying to stiffen the moral of the more hard-line mandarins and provide some cover against their more moderate colleagues. The way he sees it, any reason, however implausible, for the mentality of mass spying is becoming a dire necessity, but I think they are trying to hide behind their fingers.
How is it possible that they still don't seem to 'get it'? Either encryption is secure, or it isn't. Refusing to call a backdoor a backdoor doesn't change anything.
Their argument now seems to be a continued rehash of what we've heard before: "Oh we agree everything should be totally secure, but sometimes we just have to get in when the real bad guys are involved."
Utter nonsense. People who know absolutely nothing about the simple mathematical principles trying to legislate their way into total surveillance freedom by deception is getting old.
Don't you think that all this is essentially the begining of the fall of Civlilisation as it exists today. The lights are going out all over the World (was Europe in WWII) and we shall not see their re-lighting in our lifetimes (or several generations).
The barbarians are not at the gate, they have control of the gate.
To be a barbarian does not mean you are not highly intelligent or educated (not the same thing) its all about attitude; to others and civilisation. We have barbarians in government and its support agencies.
Murdoch the Robber Baron was a warning.
Standing clear amongst all the misrepresentations and evasions is one huge problem: this all assumes that those with the ability to decrypt our private data are, and always will remain, unimpeachably ethical, weighing each and every decision to deploy their intrusive abilities and only doing so where there is the greatest of needs.
I say this is the big problem because it still exists EVEN IF you assume, as our governments and agencies want us to, that what they want is actually possible and that it won't result in other parties exploiting these not-backdoors.
Hard experience shows that nothing could be further from the truth.
"All this talk of backdoors, we dont know what they're talking about?" Maybe you do not Mr Hannigan but the programmers who have are even now examining the Microcode inside that Intel Managment Engine are only too well aware that ACPI stands for "Absolute Crap Produced By Intel" and they're also only too well aware that whale.lsub.org is what other people code name Pinwhale. We welcome these new backdoors for the benefit of all insider traders everywhere, coraid running it's own Nix kernel, backdoor's galour and not a shred of Blowfish left in the OpenSSL libraries anywhere!
We dont hate you, we despise you, big differance!
<sarcasm>I am encouraged to see the Head of GCHQ proposes that because *some* criminals use encryption to attempt to conceal their intentions [despite the amount of publicity these actions are gaining, despite the fact that Osama Bin Laden was sufficiently careful to not even have a phone line in his compound and despite the fact that there is more than enough evidence to show that the meta-data alone - i.e. the list of who sends messages to whom] ... that we should therefore simply give up our privacy and permit the state to eavesdrop. This distinction ["Because some bad people ... then we must..."] can be usefully applied elsewhere, and I await with baited breath the following proclamations from both sides of the Atlantic:-
1. Because some guns are used to kill people, *all* privately held firearms will immediately be declared illegal and must be destroyed.
2. Because some motor vehicles are used by joy-riders and speeders in ways that result in the deaths of innocent by-standers, *all* motor vehicles will immediately be declared illegal and crushed.
3. Because some Members of Parliament have been caught fiddling their expenses, all second homes will be banned, to be replaced by the conversion of spare loft space in Whitehall buildings into hotel-style rooms that can be booked in advance, with meals served at Westminster...
What's that you say? My additional examples simply won't work? Too extreme? Driven by hysteria and hyperbole? Exactly my point... </sarcasm>
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
