Fight them at every turn!
I can see a lot of us buying oldish reliable tech or newer not currently back-doored so we can run an anonymous OS on it.
Assholes, they'll f us all up when they leak the vuln.
A meeting this week between the interior ministers of France and Germany has focused on the issue of encryption and its potential impact on security. In the lead-up to the meeting and in subsequent public comments from the ministers, they both made repeated mention of the issue of data encryption, even calling out the app …
It all seems a bit strange to me. As the article says, if one person can decrypt then soon any person will be able to.... that's how it works.
Taking a step back it seems to me that a lot of governments are using the false premise that they used to be able to see everything.
Let's take the sending of a letter as an example:
- The government doesn't reliably know who sent the letter and has never in the past opened all envelopes to gather that "meta-data".
- People, going back hundreds of years, have hidden messages in letters to prevent anyone except the intended recipient from understanding the hidden part. "Ze hen is in ze hen house" :-)
- There exist legal methods for the government to get a judges permission to intercept letters but I don't think doing this in bulk is either legally or practically possible.
Obviously e-mail and other electronic messaging provides a quicker service but terrorists in the past have managed to be more effective than IS without using it. It seems to me that removing encryption will make life harder for us without having any long term impact on terrorism.
In the US, the USPS has collected metadata for all first class mail for over a decade, following the anthrax letters that killed a few. That metadata, to be sure, is not nearly as reliable as communication data, since only the destination address information is functional.
Just say that the moment a backdoor is implemented the Russians will have free unfettered access to the same data because someone left the master key on the train. If that does not change their mind, I some what hope the Russians do find the master key and use it for all its worth if this law came through.
That won't work. They'll figure the Russians have it anyway through their spy network. What you need to say is that the moment a back door appears, we will lose World War III and cease to exist because the data leaked will allow a decapitation strike. The threat has to be immediate and existential.
Bernard Cazeneuve is from a smart family. Presumably, as the thicko of his generation, he was shuffled off into politics.
Back doors are so easily overcome it is pathetic to try and evolve a situation where they are universal. There are Open Source tools out there that cannot be legislated out of existence.
I'd love to have a contract providing bath soap to politicians.
And how long will it take for a GIMP (Great Internet Mersenne Prime) style program to be released and run to start attacking any sanctioned and backdoored crypto.
Presumably such crypto will be the legal requirement for use by all gov't departments and MPs etc.. Cos if it's good enough for us the great unwashed.
I'm off to go and watching a few flying pigs migrating south for the winter,
Have the government issue private keys and have all encryption use the same protocol attached to those keys. Any keys the government doesn't have, indicate illegal encryption.
Then, let the government outsource the issuance, storage, etc... of those keys to a private company, most likely run by the cousin of the official overseeing the new system.
Then have <insert notorious country here> hack that database and expose all private keys.
Force normal law-abiding citizens/companies into criminals when they seek out third-party encryption schemes not controlled by the government.
Allow government to declare martial law, take ownership of all private companies and all means of communication. Issue phones and computers that the government controls directly. Allow government to take control of all information. No educating about encryption, privacy, security, as that would undermine the efforts of the state.
Reduce citizens to mindless drones working only to serve the state. Squash all free thinking, entertainment, etc... as a waste of state resources (i.e. people's time/energy).
Eliminate the typically family structures enjoyed by various cultures around the world. Have the state assign reproductive partners. Raise all youth in state-run education institutions that instill a proper set of skills while eliminating outside radical influence.
Prevent intrusion of the collective by harmful forces. Assimilate or eradicate all outsiders.
We're sorry, what were we trying to solve? Something about "national security"? What's a nation? We are the Borg, resistance is futile.
@Easy Solution AC
Please don't provide fodder for the control freaks in various world capitals who might actually be attracted to your scenario.
"Hey, I know the solution! I actually read a tech website a couple days ago, and this guy named AC said that we should just declare martial law and impound all communications infrastructure. He also had some interesting thoughts on the future of education and family healthcare."
Defeat all back doors by couriers carrying hidden micro-SD cards, or just swap "family snaps" on Facebook with the occasional stenography, or with coded messages like "Look how well the wife's dahlias are doing this year"*.
Backdoors are useless at best, harmful at worst. They're a placebo for the paranoids in power.
[Look how well] -Louvre, France- [the wife's dahlias] -10:00 UST, April 12- [this year] -next year-
They can squelch stego by forced mangling of photos and videos. As for code phrases, that requires establishing a vocabulary first which requires First Contact, which you can control by the constant threat of cameras and plants (because at First Contact, there's no level of trust yet).
Not one mention of "protecting the children" or are the governments saving that for round two when people come out against this?
When will these political types learn that any system is either secure or insecure for everyone. Security of Encryption can't be turned on and off on demand.
Source code for strong encryption escaped into the wild a couple of decades ago. That genie is not going back inside the bottle. Whatever legislation is brought to bear on legitimate companies there will always be the ability for sufficiently knowledgeable individuals to roll something out.
You do not inhibit those who are already breaking the law by providing them with more laws to break.
Nobody who cannot grasp this simple fact is has adequate intelligence to create new laws.
You don't even need source code. RSA and Diffie-Hellman are mathematically quite simple. Ingenious, but simple. And computers are so powerful, an amateur with a bit of mathematical knowledge can write code that produces unbreakable cryptography a speed that is perfectly fine for transmitting text, including a lot of text. Without referencing any books or websites. Crypto that is fast enough for encrypting video is hard, but fast enough for text isn't.
Asymmetrical codes are much faster, but they are very difficult to get right without a reference.
But how do you HIDE the cryptotext without tells? If all encryption was banned and all network traffic sniffed and whitewashed to squelch stego, that's going to put a crimp on covert electronic communications. Especially at the critical "First Contact" phase where Alice and Bob don't know each other yet and may not be able to find a properly-secure Trent to vouch for them.
I call BS on the often stated "It's maths, stupid" and "It's magical thinking" themes.
Encryption, in today's customary usage, certainly is based on mathematics, but that is largely beside the point. A completely trivial key escrow system in which a communication metadata and session and key are deposited with a government custodian is more secure than communication in the clear despite being subject to the same kinds of vulnerabilities, and clearly would meet the stated need of law enforcement authorities. Nothing about this represents magical thinking, and it does not depend on a weak encryption system. Volume is a potential problem, but there is good reason to think that national signals intelligence agencies have developed effective ways to deal with it.
The fundamental problem is one of lack of trust combined with arguably excessive government authority, or at least power. Many people believe that law enforcement officers and agencies spy on nearly everyone without any particular reason, and do not trust them. And in most countries there is evidence of some government misbehavior. However, such misbehavior is not new and almost certainly would not be made simpler or easier by even a trivial or badly designed key escrow system. In most countries, too, those who are law enforcement targets are likely to be surveilled, and if important enough, prosecuted, sometimes irrespective of guilt. The number of laws on the books offers plenty of options for prosecutors. Use of encryption that the authorities cannot break, if legal, might delay the outcome but would do little to prevent it; and if illegal it could be a useful substitute charge leading to an easy conviction.
"The fundamental problem is one of lack of trust combined with arguably excessive government authority, or at least power"
That is one of the big issues, the 2nd being simple incompetence or corruption. If you have the secret keys to everyone's private communications escrowed with every gov agency world wide who demands them, just how long until the well funded criminal gangs also find a copy?
So would we then see a special dispensation for the keys to gov ministers or leaders of big business? And would any of those politicians calling for this be willing to bet their own pension schemes on it not going wrong in practice?
... willing to bet their own pension schemes on ... That has been answered already - the politicians do not have the same pension schemes as anyone else, for very good reasons. The first one being that their cronies are on the boards overseeing *our* pensions. And they know what those people are like.
The magical thinking comes in several forms:
1. Thinking that govts. wouldn't justify the distrust by abusing their holding the keys.
2. Thinking that govts. would be able to secure this huge tempting target.
3. Thinking that this would make use of encryption much less convenient for everyday use (e.g. there are extra steps involved in going to the escrow store each time an encrypted communication is made).
4. Thinking that this doesn't introduce single point of failure for all everyday use, i.e. ecommerce but see:
5. Thinking that who holds the key issues can be resolved for international communication.
6. Thinking that people who are already breaking or planning to break the law are magically going to obey this one.
1. Real evidence of actual abuse by governments is pretty thin in most countries with regimes that are generally regarded as liberal democratic (small l and small d) unless having the capability to abuse is taken to be equivalent to abuse itself. Indeed, that probably is true even under most regimes commonly thought of as oppressive, although the range of behaviors such governments ignore may be quite limited.
2. Security of such data clearly is a risk, but one that admits mitigation. Various key escrow arrangements that have been suggested included provisions intended to reduce the risk and increase the difficulty and cost of escrow database compromise. Risk never is zero, and all one reasonably can require is that it be quantifiable and small enough.
3, 4. There is no real basis to argue that key escrow would make encryption more difficult or less convenient, as collection, indexing, and storage necessarily would be automated. It could present additional points of failure (or not) depending on whether failure to escrow would cause failure of the basic communication. Communication for commercial transactions may not be an important issue, as for legal trade it often will be possible to obtain the details from at least one of the participants by a suitable court order.
5. The obvious answer would be to provide the escrowed key, as national laws may require, to the government of the originator and recipients. In many or most cases, that would be at most one, since most communications do not cross national boundaries. That obviously would present issues, but for most people and organizations they would not necessarily be overly serious. Those who wish to shield activities from any of the governments demanding escrowed keys would have the most reason for concern, followed by those with reason for concern about security of one of the repositories against criminals or competitors. Increasing the number of repositories clearly would increase risk of control loss, however.
6. The customary government approach to refusal to participate would be criminalization, with a combination of detection procedures and penalties sufficient to discourage it.
The point of the original post was not to argue for key escrow, which has very little to recommend it, but to note that it would not be less private than plain text communication and might not add a great deal of risk, for most people, most of the time, compared to encrypted communication without escrow. Other approaches to law enforcement access include enforcing backdoored encryption systems, probably a much worse choice, and judicial warrants demanding delivery of the decrypted message by the originator or a recipient, depending on details of jurisdiction and treaty arrangements, with punishment for noncompliance.
Don't bother: Just use plain SMS and blab freely on cellphones, don't bother with ID or anything like that, don't keep your head down, instead be very well known to the authorities and carry right on as you were - you see - the authorities are not really there to stop your atrocities from happening.
They are there to show how powerless government is when anyone, anywhere, through some lamentable display of negligence has any freedom left!
We'll have to ban cars too, because they're used by terrorists. And vests, I believe, and thick coats. Hell, banning cars means fewer child abductions too!
Oh, and ban locks, of course, can't have police searches impeded.
What worries me most is that these people seem to lack any ability to understand just how stupid it is what they're asking, and they're the ones in charge? Really? I'd say that any attempt to implement backdoor crypto is automatic evidence of incompetence, and they should be removed from their function. Hmm, no, scrap that. If they were competent they would not be in government.
Kinda scary to realise we're by default governed by idiots..
Fine ban encryption.... they'll just go old skool and we'll be back to dead letter drops, mules and so on so forth, a la "Cold war" .
Do they think that black hats wanting to have a chat only started with the advent of mobile phones and computers?
After that meeting the German Interior Ministry issued a statement that they still believe in strong end-to-end encryption and don't want any backdoors. The French and German press releases on that meeting differ quite a bit...
Could we get politicians who want backdoors to volunteer to have a backdoor system installed in their lives first (mobile phones, emails, domestic firewalls on home routers/PCs etc) then - after a year, if those backdoor systems remain undiscovered or accidentally left in the open in some form (and one would presuming, their non-public lives remain off the 'net), then, and then only then might we have a debate about the public trusting Gov'ts enough to even consider this....
To me all such legislators are similar to calls to "establish" the value of pi to be 3.0 . Cryptography is math, you cannot ban math, hence you cannot ban cryptography. The best they can do is to make it difficult for people to use strong cryptography, but "make difficult" is obviously not the same as "prevent".
You cannot (realistically) ban mathematics. If you are an effective national government, however, you probably have the power, and possibly the authority, to regulate the legal use of cryptographic systems, and to fine, jail, or otherwise punish those under your jurisdiction who decline to follow the laws. That goes quite a bit beyond "make difficult."
This isn't a high priority item for most people, so they aren't supporting or not-supporting politicians based on their encryption stance. Most politicians, once they get into office are going to want controls on e2e encryption.
Toss out statements all you want; it isn't going to change things in the near future.
Biting the hand that feeds IT © 1998–2021