opensource protocols
How could the government mandate backdoors in opensource protocols which have no company to mandate/talk to?
I wonder if Amber Rudd has heard of PGP?
Digital minister Matt Hancock has praised the "crucial role" of encryption in today's society, just a day after Home Secretary Amber Rudd called for an encryption ban on applications such as WhatsApp. Hancock was relaying the story of radio inventor Guglielmo Marconi in a speech at the Institute of Directors. He said when …
I wonder if Amber Rudd has heard anything.
She has - Law for the Restoration of the Professional Civil Service. She just does an s/Aryan/British/g before quoting.
That however starts and concludes her political vocabulary - there is nothing more to it.
How could the government mandate backdoors in opensource protocols which have no company to mandate/talk to?
She doesn't care, this is just a soundbite for the Daily Mail. Beyond that, legally I don't think "open source" is any kind of defence even if it would make nonsense of any case. If a government decided XYZ is bad and makes it illegal then courts can issue take down notices to any providers (something that, for example, GitHub would only be too happy to oblige) of such software or source code. There is legal precedent in things like DeCSS and with encryption America's own export restrictions on cryptographic code. Impracticality has rarely stopped the passing of such laws. In Germany, for example, there was a law passed a few years ago that effectively criminalises the development and distribution of penetration testing software.
But enforcement across jurisdictions is always a problem, even for the US and the almighty DMCA.
There is legal precedent in things like DeCSS and with encryption America's own export restrictions on cryptographic code.
Precedent in that it didn't work in a time before the internet was really a thing outside academia. I'd actually pay to see them try this. Good money.
Until they actually attempt it arguing over this is a bit stuck record like, the talking points are well covered but we should be ready to mobilise the day it ever actually is a thing.
Plus FWIW DMCAs at github won't work. Github would refuse and take it to court and US courts wouldn't allow it - and they can't block github in country because people like me would have them in court. Regardless even if all that proved wrong there'd always be somewhere you could get your bootleg copy of openssl.
To look at it another way, different ministers have different jobs.
Hancock's job is to encourage businesses to do stuff. Businesses like privacy.
Rudd's job - isn't.
This is how cabinet government works, different people have different priorities and they argue it out between them. In Rudd's case, specifically - she's pushing exactly the same line that has been pushed by every home secretary for at least the last 20 years, so I assume she's just saying what her staff tells her to say.
The Home Office permanent staff have a lot of experience of telling ministers what to say.
No, no people, there is no disparity in the messages that Rudd and Hancock have put out! It's very simple!
Government providers and partners must be certified and show that they take encryption very seriously so that the gov. can trust them to keep their data safe.
WhatsApp, however, isn't used by the gov. only by the general publ....sorry...terrists, therefore WhatsApp must *not* be encrypted at all so that they can keep everyone safe.
See? it all makes perfect sense and is BAU: one rule for them, one rule for us.
I've never heard that story before and yet it seems like something that would have been repeated often, especially in recent years with people's concerns about security and privacy. Apparently, it happened in 1903.
http://herc-hastings.org.uk/marconi-caught-out-in-1903-by-john-heys-g3bdq/
https://www.newscientist.com/article/mg21228440-700-dot-dash-diss-the-gentleman-hackers-1903-lulz/
I don't think they even see the incompatibility between "strong encryption is necessary" and "we can't have encrypted comms that we can't crack". For them it's just a matter of a very strong safe (secure encryption) for which they get a copy of the key. They honestly don't see why this is not possible. Perhaps someone can explain it to them, using a slightly more appropriate metaphor, for example the "TSA-approved" luggage locks which means everyone and their cousin is able to rummage through your stuff at will, completely negating the usefulness of having a lock in the fist place.
It could be anything. Good cop/bad cop, or both singing off the same page, genuinely believing that you can have secure encrypted data with the government able to look at it at any time they want. I suppose PPEs from Oxford have a magical thinking module.
There is no incompatibility as they see it. Only encrypted messages involving terrorists, paedophiles and other designated bad guys will be revealed for what they are, and everyone else can sleep safe in the knowledge that their information will remain secret. Nothing to hide, nothing to fear.
If they were only accessing the encrypted information of 'proven criminals' post-fact, requiring court orders with demonstrated legitimacy to do that, and could absolutely guarantee that was the case and always would be, I believe many of us would say fair enough.
But we know that's not how it will be, that any promises it will be are entirely false and utterly hollow.
There is no incompatibility as they see it. Only encrypted messages involving terrorists, paedophiles and other designated bad guys will be revealed for what they are
Which will be signalled by "the necessary hashtags" according to Amber Rudd. No doubt she's about to propose a law which will make it illegal to communicate about terrorist attacks without adding #terroristattack to it, and similarly for other possible offences. In which case, she'll need to have #talkingbollocks tattooed on her forehead.
If they were only accessing the encrypted information of 'proven criminals' post-fact, requiring court orders with demonstrated legitimacy to do that, and could absolutely guarantee that was the case and always would be, I believe many of us would say fair enough.
You can't do this with the end-to-end public key encryption that WhatsApp has switched to using. Encryption is binary: it's either working or it's broken.
I suppose PPEs from Oxford have a magical thinking module.
PPE is the degree course for posh fuckwits. They can't think for themselves at all.
I wonder if we'd do better with Parliament chosen by random ballot, as a form of compulsory national service? At least the various skills sets and opinions of society would represented far better than the current system or rich tossers and career politicians with no expertise in anything.
"I wonder if we'd do better with Parliament chosen by random ballot, as a form of compulsory national service? At least the various skills sets and opinions of society would represented far better than the current system or rich tossers and career politicians with no expertise in anything."
That would actually be worth a try.
It is possible, in the short term and up to a point. I think in any case "public key" encryption, yes I know that's something else, in practice uses a non-public-key encryption whose key is encrypted with the public key, because actually using the public key for all communications is very very slow.
So, what WhatsApp could have - and, as a selling point and mission statement, does not have - is the session key encrypted with the users' public keys, and then the same key encrypted with the government's super encryption public key, once for each government that demands the right to view all the private WhatsApp messages.
Of course, whenever any of the governments' special keys is broken or leaked or whatever, then all previous messages become readable by anybody. And one or all of the special keys has to be replaced
But, what you did is, you then sent your messages over SnapChat, so they have been deleted!
I'm not an encryption professional, so I may have some of the details wonky.
I wonder what Amber Rudd thinks would have been different if the government was immediately aware that one religious person in the Westminster area had just sent a message saying "Geronimo!"
These people say "God is great!" at least five times a day anyway. That makes it seem to me that someone suffers from insecurity, in a sense besides "reading secret messages" or "terrorist attack".
Anyway, here in Glasgow much the same thing happens when someone is drunk - although, to be fair, there is a fuss about it afterwards, too.
Be careful of the two kinds of encryption.
PGP encrypts your data with a symmetric cipher, IDEA, AES256, or similar. It generates a random key for that.
It then encrypts this key with the recipient's public key, or the recipients' public key, and the public key encryption system (RSA, elliptic curves, etc.) - these algorithms are monstrously slow - it takes as long to encrypt 40-50KB of data with a symmetric cipher as it does to encrypt the little packet of key information with RSA - so we encrypt the smallest possible amount of data with them. The holder(s) of the corresponding private key(s) can decrypt the symmetric key and use that to decrypt your data. Normally that's just the people you're talking to, but it could also be the alphabet soup agencies, if their public keys are embedded in your PGP or similar.
The alphabet soup agency must, of course, keep that private key totally protected.
Last point: ALL the information you need to reverse-engineer the private key is present in the public key, but there is NO practical way to recover it.
ALL the information you need to reverse-engineer the private key is present in the public key, but there is NO practical way to recover it.
But how do you get the public key ? You get it over the Internet. This makes you vulnerable to a man-in-the-middle (mitm) attack -- where someone sits between the 2 parties and decrypts/re-encrypts the data. This would be expensive for the spooks to do, but they could do it for individual high interest targets.
This is why we have CAs (Certificate Authorities), they allow the web browser to check the public key so that a mitm attack cannot work. This relies on the CA's own certificates being kept private.
There is no guarantee that the CA's certificates are not known by the spooks. I would be surprised if NSA/GCHQ did not have most of them.
Because PGP allows you to check a remote user's key by other means [remember key signing parties ?] its keys are not so easily compromised.
Summary: public key exchange encryption can already be broken. PGP looks still safe.
I think that they don't actually give a toss about the problem. They've been told repeatedly by domain experts (security, policing et al) about the pitfalls, yet they still wilfully pursue agendas that facilitate an authoritarian regime. The logical conclusion is that they want absolute power without any kind of reasonable check or balance. There is no hard evidence that they actually give a toss about preventing crime.
I don't think they even see the incompatibility between "strong encryption is necessary" and "we can't have encrypted comms that we can't crack"
On the contrary, I'm sure they know. Because they have Civil Service advisors who are paid to tell them. They only sound stupid to us, but not to the people who matter - the populace who don't know anything about how encryption actually works, and who don't care, so long as the Government is seen to be trying to do something earnest about those nasty terrorists. All they have to do is continually shout about how they want to do something, but the nasty IT industry won't play ball, and they can keep it up for years (as they have done).
I tried to use Rudds envelope steaming analogy.
She suggested people with warrants could intercept mail and steam open the envelopes.
However, that doesn't stop anyone from steaming open envelopes. Yes, it is illegal to tamper with the mail, but unscrupulous people don't care about that.
So likewise, if you create a mechanism to decrypt messages and wrap a legal process around it, the cat is out of the bag as there is now a mechanism which can be used by those not overly fussed about the legalities.
I tried to use Rudds envelope steaming analogy ... if you create a mechanism to decrypt messages and wrap a legal process around it, the cat is out of the bag as there is now a mechanism which can be used by those not overly fussed about the legalities.
That's the crux. I don't think most of us really object to terrorists and the like having their secret messages exposed, but we do care about people poking about in our affairs when we cannot see the legitimate need to do so. It's a matter of trust.
What Rudd wants is something which requires a trust which is not actually there, probably never will be.
The problem that they do not actually want to be seen, is that by preventing privacy between individuals, they inevitably reduce those individuals to electronic slavery. In other words, it amounts to mass-enslavement, since they themselves will be at the mercy of others.
The amazing thing, is that unbreakable encryption has been around for almost 100 years. Since 1949 we have known why this is so. Yet today, we are sold "pseudo-security" like its the real thing. Despite Shannon describing equivocation in 1949 as the basis for security, most security personnel today don't even know what the word means. It's like a Christian who has not read the Bible, and does not follow the 10 commandments.
Until someone finds a way to exceed the limits of equivocation, then this talk of backdoors is just ignorant nonsense. Current ciphers have a built in back door by default - all of them - and it won't take millions of years to break through, it won't even take a minute. The foundations of this cathedral are made of pure sand. AES-256 is GUARANTEED to be broken if the message is longer than 39 characters. And the beauty is that even if you are breached, you won't know it.
The tragedy isn't that we are born free and enslaved every day, but that there are those amongst us who will die fighting for the right to be enslaved. Remember what the bankers said... the housing crash will NEVER happen.
"The pool of political talent available to Theresa May when she had to choose a Home Secretary must have been very small."
There's no shortage of "political" talent at Westminster, the problem is they have no talent for other subjects (maths, physics, engineering, medicine etc.) and if the "experts" say something they don't like they keep looking for experts until they find one they like.
I predict no end of expensive pseudo-solutions to the problem of secure-encryption-with-backdoors....
Very rarely do people in government get appointed to areas where they are experts: this is how representative democracies are supposed to work, assuming they're prepared to listen to relevant experts in their departments, which may be a big ask. And, in any case Home Secretary is a huge brief: police, prisons, snooping, law, immigration, etc. I don't anyone is knowledgeable in all those areas.
I don't even think that Rudd is one of May's closest allies but while purging Cameron's Cabinet she had to keep some around. May wasn't even that hot on Law & Order herself before she got the job. Guess, she worked out what an effective vote winner outrage is. We still get to hear the stupid not fit for purpose quote from that idiot John Reid from his time in the post.
Are you being serious, or do you genuinely not know how this stuff works?
There's not one set of keys that everyone has access to. Each person in the conversation has their own set of Public and Private keys. Signal, which WhatsApp is based on uses a double ratchet mechanism so that even is a hacker did compromise a set of session keys, they can't decrypt future messages.
The problem is having some sort of all encompassing key that Govts etc can use breaks encryption, because once that is determined anyone anywhere can intercept any encrypted message and read it, manipulate it.
What gets my goat is all these people who say "I have nothing to hide" not realising that encryption also hides their interactions with their bank, or their commerce transactions with online retailers etc. So yeah, everyone has something to hide.
Having seen the deliberately loosely worded DRIPA & RIPA rapidly pushed through Parliament with little if any objection from the main stream media or public objection, The Government must feel quietly confident that they can peddle what ever bull they like to justify further intrusion into our lives. So to hear Matt Hancock promoting encryption contradict Amber Rudd need for key's & back doors does not surprise. It will also not surprise that this will be ignored by the media or the consequent abuses & lack of control as seen by local councils approved use of RIPA.
We desperately need some one of recognized technical authority to explain in plain terms to the general public what is actually going on & how useless to preserving our security against real terorist threats these measures have & will continue be.
Just watched the One Show were they asked average people in a shopping centre in Crewe and the guests in the studio how they felt about police reading their emails & looking through their phones.
All bar one lady didn't see a problem as they had nothing to hide and were convinced it would help the security services to keep them from harm.
Will they say the same when an even more extreme & sinister government is installed? Oh that couldn't possibly happen could it?!!
"If you've done nothing wrong, you have nothing to hide."
OK. Let's see an act of good faith from the Home Secretary - full and unfiltered access to all MPs' own web history, device usage, emails, texts and phone calls, For security, replace phone numbers / email addresses with MP@constituency, redact locations that they haven't been to yet so no-one can get there ahead of them and do bad things. (What the heck, as it's a good faith thing, throw in publishing of all receipts.)
After all, if they've done nothing wrong, they have nothing to hide.
The assumption made by the general public & that promoted by the establishment is that RIPA, DRIPA, decryption by the state and the restriction of the Freedom of information are essential tools for the security services to protect us from terrorists in this new technological age..
However they should realise it can also be (mis)used by the authorities to build better smear stories against those ordinary citizens who dare to question, upset the status quo. Past examples could include those families questioning Hillsborough, Steven Lawerance's parents and many more.
It appears that its not Big Brother we need to be afraid of, its Big Sisters of May & now Rudd!
Is proper detectives.
People have been having uninterceptible conversations in secret for centuries.
Also will it ever be possible to stop people determined to kill themselves and take others with them?
If the carnage in Westminster was perpetrated by a lone nutter with a mental health problem, a 16 year old grand theft auto afficionado or a lunatic trying to out "death by cop" we'd be having a different conversation entirely.
Fortunately the only argument these luddites have is the pedo-terror-bastard threat. If they actually had a leg to stand on encryption would have been banned ages ago.
Im honestly astonished the government hasn't tried an x-factor style interview process for all the gay mathematicians out there to find the next Turing.
Thats pretty much how it appears these boneheads think.
Do they really think that the WhatsApp message was discovered *after* the fact is lost on us?
What good would it be if you could read a message after an atrocity happened.
Cop: Ok we found a message in his WhatsApp history.
Cop 2: What does it say?
Cop: Erm..."Im going in lads praise be to..."
Cop 2: To the time machine!
Also is the irony of all this encryption lost on politicians?
If the public trusted politicians there would be (possibly?) be less compulsion to encrypt.
Politicians need to understand why they get elected. I see them in the same light I saw that one kid when I was younger...you know, the one that always got sent over the fence when the ball landed in that miserable old bastards garden.
They arent there because they are the best at the job, they're there because they're dumb enough to do it.
"If the carnage in Westminster was perpetrated by a lone nutter with a mental health problem, a 16 year old grand theft auto afficionado or a lunatic trying to out "death by cop" we'd be having a different conversation entirely."
Upvoted - but I'm not entirely convinced we would be having a different conversation. The default response to things for most Home Secretaries this century has been "privacy is bad, and encryption is downright evil. Except for us, of course. It's very important my stuff says private."
and so's my wife
Actually, seriously.. for a change
If I was a terrorist , the last thing I'd do to communicate is to use an encrypted message.
That just flags for attention from anyone interested in me.
Far better to know to read the farcebook messages to me over a set number of days and know to use the first prime (1) for the first message, 2nd prime(2) for 2nd message, 3rd etc etc and extract the word matching each prime. so that an innocent set of messages becomes "Plant the bomb at target #1 timed to go off at 3.10pm"
Dang..... here comes special branch again.... must install a door they can easily kick down without breaking the loc
Boris, unfortunately your idea is limited in terms of bandwidth and latency. I suggest the way to go is to upload a video of your cat doing some cute stuff. What could be less evil, it would never attract the wrong sort of attention from the spooks.
The video will of course have your secret plans embedded within it. I can't claim credit for the idea, apparently according to Wikipedia that honour goes to Johannes Trithemius, who came up with it in 1499 (albeit without the cat videos, though he probably did use cats, most likely black ones).
It's very typical that different people in different countries work on the same "patent" at the same time building on each others experience.
About Fessenden:
"In the late 1890s, reports began to appear about the success Guglielmo Marconi was having in developing a practical system of transmitting and receiving radio signals, then commonly known as "wireless telegraphy". Fessenden began limited radio experimentation......".
The first patent related to steam engines was Spanish for instance.
One of the funnily mad "the world's first" is "the world's first war correspondent" in this story about the Crimea war (1853) I happened to see some time ago. Quite a good program actually in three parts, but that "world's first" is indeed ridiculous, the lie about the fortress Sveaborg, a bit British I suppose.
The comments on that program is annoyingly not available anymore.
Each time I read about "the world's first" I just have to check it, for very good reasons.
https://www.youtube.com/watch?v=Pqik0WDMDco
Well, the obvious problem is that people are using the wrong encryption algorithm. What needs to happen is that everyone needs to start using ROT13 to encrypt their data. Then, there will be perfect security, yet the government will be able to break it when needed. For really secure data, people can even resort to doubly encrypting their data with ROT13.
Dave
P.S. I'll get my coat. It's the one with the Jefferson Disks in the pocket.
"However, when it comes to protecting government information, Hancock's former department the Cabinet Office was recently slammed for not doing more to prevent 9,000 cross-government data breaches in 2015. The National Audit Office described government's infosec as "chaotic". "
It is not chaotic, it is a deliberate misinformation strategy to confuse the Russians, The Chinese, the European partners, Labour and Lib Dems and, of course, anybody who wants to know more than I do.