
Bravo
Sounds like this chap gets it.
On the other hand if I think like the Government...what's he hiding?
UK government ministers calling for increased surveillance abilities in the wake of last Wednesday's terrorist attack have encountered opposition from a somewhat unexpected quarter. Home Secretary Amber Rudd went on TV at the weekend to say it was "completely unacceptable" that authorities were unable to look at the encrypted …
"Common sense."
That's practically a superpower in this day and age, I expect Marvel are already working on the film "Common-Sense-Man" who has a sidekick called Deductive Reasoning and they face an endless battle against Instant Gratification Man and his millions of lethargic minions known as The Army of Ignorants.
""Common-Sense-Man" who has a sidekick called Deductive Reasoning and they face an endless battle against Instant Gratification Man and his millions of lethargic minions known as The Army of Ignorants."
Spoiler ALERT!
.
.
.
.
.
.
.
Common-Sense-Man Lost, due to the behind the scenes Mechanisations of Madame Mayhem, and Instant Gratification Man now controls one of the most powerful countries in the Free World.
"Common Sense"
I believe that by adding the word "Common" to sense is why it isn't common, a bit like reverse psychology. It's the only explanation I can come up with as to why it is so rare. In fact when someone at any of the workplaces I've worked makes a common sense suggestion I instantly go into playful sarcasm mode because it happens so infrequently. I also think it's inherent in humans to overlook the simple answer and go for something complicated, for example this can be seen many times in the code people write. I dream that one day they'll start teaching common sense at school but then that would be a common sense approach so it's never going to happen.
"The problem will mutate and move on,"
and this
"If this were to happen, we'd only be pushing these people further underground, presenting a greater challenge to security intelligence services."
Force the bad guys away from tools like WhatsApp etc and they will find other methods to communicate that will be even harder to monitor. At least with WhatsApp etc you have a known comms channel to target (digital) and if you get the required permissions from a court of law then you can monitor all of those comms by installing malware on the target's device(s).
Take WhatsApp etc away and the bad guys will no longer trust digital comms so they'll find other channels for comms. Good luck finding a tool like malware that will scoop up all of that intel...
For pro-government guys: Ask them if they're okay with the other 200+ governments of the world having the same rights to your data. The internet is global. Even if you think you have God on your side, there's 200 other governments and tens of thousands of agents and threat actors that will feel just as entitled to your citizens' data as you do. What's more important -- keeping them out, or eating that risk so you can spy on your own citizens? Choose wisely.
For the but-terrorism: Intelligence operations have traditionally been the most successful way of stopping terrorism. Intelligence is not technology. Intelligence is what sits between your ears. As a Native American tracker friend I know said: If you want to find something, use your eyes. Invest in boots on the ground, cultural understanding, and goodwill. The vast majority of the world population doesn't like terrorists either -- but they hate you more. Sun Tzu would kick you in the balls if he saw how you were fighting this war. Spies. Spies. More spies. All the spies. That is how you win. Nothing else. Get off the computer, and go outside. This is just as true for the intelligence community as it is for teenagers in mom's basement!
For the child-porners: No matter how much encryption they have, they need to get the images unencrypted from *somewhere*. That means talking to people, online or offline. Go where they are gathering, which isn't in your office cube masturbating to the idea of 'cracking' someone's phone. Juries will happily convict with hidden-camera footage of them at their computer -- just skip the encryption problem entirely and do that. And once they're in jail... smash their computer with a large hammer and send it off for scrap. No decryption necessary. Bad guy goes bye bye. Again, this is about the intelligence asset lifecycle -- develop your assets, and you can only do that by TALKING to people, not raging at a 'locked' device.
=======
Encryption isn't something the government needs to be worried about, and making the government's job easier is not my problem (or yours). We all put our 40 hours in a week, and we don't try to set the world on fire just because something is harder than it "should" be. The world is full of "should be", and nobody sitting on a pile of them ever gets anything done. Just accept this, and stop blowing billions on massive dragnets and other surveillance bullsh*t. We're drowning in information already, and it hasn't made you any more effective! We need *analytical ability* far more than large chunks of the internet shoved in some database and indexed to individuals.
In other words... go to the college campuses, and find people who don't suck at investigating. Hire them, sit them down in front of a computer, and tell them to go socialize with the criminal element. Make your inroads, and then go drop the hammer. This hasn't changed since the days of Sherlock Holmes: There is no substitute for critical thinking skills. PERIOD. All the technology in the world won't help you if you can't use what you have... and you're pissing away all your resources on things that aren't actually helping you, with watchlists and data centers and other useless shit. You need people, not technology. Your job is *investigation*. What are all these tools doing for you right now? Dick! Dick, dick, dick. You're drowning in marginally useful information and living on a promise that in some idealized future, you'll be able to collar criminals by pushing buttons. So where's my flying car?
We've been trying to tell you this, gently, as IT professionals... but at this point, it appears we need to start beating your agents to within an inch of their lives because you've gotten so stupid about it you've actually made the situation worse. Stop screwing around with the technology -- make it work for you, and if you hit a roadblock don't rage against it like a moron, screaming "We need access to the everythings or DOOM!"
No, you don't. And it won't help you anyway.
If I could up-vote you 100 times I would!
The sad thing is we are dealing with vain and ignorant politicians who want to appeal to the tabloid-reading masses and think that a "technological solution" like backdoors will make that quick and cheap.
It won't, it will fail in its prime goal and cause untold damage to the millions of innocent law-abiding people who have a right to privacy and to secure business dealings.
@MNGrrrrl,
For pro-government guys: Ask them if they're okay with the other 200+ governments of the world having the same rights to your data.
Er, well if one considers that companies like Apple hold software signing keys for their phones that are as important to our privacy (and security, and safety) as any message encryption key, we already do trust them to keep that to themselves and not give it out to the 200+ governments in the world.
Apple wouldn't even use the key to cook up a special firmware load for a single 5c for the FBI, never mind let them have the actual signing key.
Trusting someone like Apple with an encryption back door key is fundamentally no different. Either get worried about both, or neither.
The same goes for every other mobile phone manufacturer, software developer, etc, all of whom have software signing keys.
Software signing keys are far more powerful than a message encryption key. The latter unlocks a message (or possibly all messages for a single user). The former unlocks all devices from that one manufacturer everywhere, by allowing software to be changed so that all messages from everyone are accessible.
Spies. Spies. More spies. All the spies. That is how you win. Nothing else...... In other words... go to the college campuses, and find people who don't suck at investigating. Hire them, sit them down in front of a computer, and tell them to go socialize with the criminal element. Make your inroads, and then go drop the hammer......
You're seriously suggesting that western governments should turn their societies into facsimiles of the German Democratic Republic, complete with a copy of the STASI?
I suggest you get help before it's too late.
> Trusting someone like Apple with an encryption back door key is fundamentally no different. Either get worried about both, or neither.
A digital signature to verify the binary hasn't been tampered with is a very different thing than device encryption. It also neither adds nor detracts from security -- it's just a way for vendors to create their own walled garden monopolies, and can be bypassed by anyone who either has a decent amount of resources or isn't concerned with legal consequences (ie, a government).
> You're seriously suggesting that western governments should turn their societies into facsimiles of the German Democratic Republic, complete with a copy of the STASI?
I'm going to go out on a limb here... a library is probably not the place you go on your day off. But if you ever happen to fall into one by accident, ask them for a copy of Sun Tzu, and flip to about the middle where he talks about the types of spies and their uses. And who knows, maybe you'll figure out why the United States, with the most powerful military in the world, lost to a bunch of barefoot rebels in Vietnam. I'll give you a hint: the soldiers didn't want to be there, and deprived of female attention they went into town and found plenty of people willing to trade sex for cash. And, wouldja know it, they talked about their job... while getting a '-job'. The Viet Cong knew that, and used it.
Spies.
That's why America got its ass kicked in Vietnam.
Consider how often Apple has to access their signing keys. They release about 8 iOS updates a year, which means it can be kept in a safe in a secure room and only removed to sign a new release which can be done on a non-networked computer in said secure room. Pretty hard for it to escape. Even the key used to sign betas is used maybe 50 times a year, so it might not be treated quite so carefully, but still very likely lives in a safe and never touches a machine that ever has or will touch a network.
It is easy to keep a signing key secure under such circumstances. An encryption key cannot be used or maintained in anything remotely like those circumstances, meaning it is far more likely to be compromised. The CIA and other intelligence agencies would probably not have much trouble getting a mole planted within Apple to steal an encryption key. It would be easy to do that at about any company, the only exception being ones that have few employees and pretty much only hire people they know. By comparison it is VERY unlikely they could get a mole into a position where he could get hold of Apple's signing key. Probably only a handful of employees even have access to it, and they may require two people in the room at once to prevent the possibility of it being stolen.
@AC no, Apple have already proven on several occasions, that they cannot be trusted with sensitive information. They have had leaks, just like any other big company.
It doesn't matter, whether a big company, an individual or a government has the backdoor. A backdoor for one is a backdoor for everyone. Sooner or later it will be leaked or stolen. The only way to stop that is to let every individual have their own private key and they are responsible for its safety. That way, if it is leaked/cracked/stolen, then it only affects that person (and those with whom they have communicated), but the rest of the world can carry on in a secure manner.
If your "Apple" backdoor key gets leaked, then every conversation in the world that went over Apple's service is suddenly available to everybody. No Pastebin with cracked password, just a pastebin with a dump of conversations.
Hackers embarrass Apple with leaks about over 1M devices online (okay, that was by indirection, the leak was through the FBI, but they will want access to the data, so guilty by association).
https://www.ft.com/content/effd1712-f6af-11e1-827f-00144feabdc0
Apple Criticized For Taking 3 Days To Disclose Developer Site Hack
http://www.huffingtonpost.com/2013/07/22/apple-hack_n_3634843.html
Apple Security Breach Could Give Complete Access To Your iPhone, iPad
http://www.huffingtonpost.com/2010/08/03/apple-security-breach-cou_n_669481.html
iCloud leaks of celebrity photos
https://en.wikipedia.org/wiki/ICloud_leaks_of_celebrity_photos
Apple sued over iPad and iPhone app 'data leaks'
http://www.businesstoday-eg.com/technology/united-states/apple-sued-over-ipad-and-iphone-app-data-leaks.html
That was just a quick google, took all of about 5 seconds... I could go on, there are many other examples.
And don't forget things like the recurring "emergency pizza" function.
Several times, iOS has had new features added, which have allowed attacks. One of the most commonly recurring is the "emergency pizza" one. Here, on a locked phone, you have to be able to dial 110/112 for the emergency services, but on a few occasions, Apple have updated the lockscreen and you could dial any number (often even accessing the phonebook).
One Applephile claimed that this was correct, if you found somebody collapsed on the side of the road, you could look in their contacts and find their next of kin... Which was ridiculed with the answer "or order a pizza," which is how the feature got its name.
Let em all remove end to end encryption, put in a backdoor, whatever.
Then when they all flock to a service that *does* offer that, maybe then they'll bloody realise it's not the product they are loyal to, it's the capability of the product.
A terrorist isn't sitting in some cave using Whatsapp because it's the flavour of the month ffs
> A terrorist isn't sitting in some cave using Whatsapp because it's the flavour of the month ffs
No, he's sitting in a cave because it's the third world, where all the roads are dirt, no natural resources, and an over-abundance of weapons from decades of western powers arming them to fight proxy wars. And when the wind changes the bombings start, thus ensuring -- all the roads are dirt, there are no natural resources, and a new truckload of weapons is arriving shortly.
And it keeps going on because nobody in the developed, yet morally bankrupt, world has asked their government why if they don't have food, factories, infrastructure, or often even a home to live in, that they somehow manage to have mortars, explosives, rockets, and an endless supply of automatic weapons.
Terrorism is a problem *created* by the western world, and if anyone bothered to dig into the matter they'd realize everyone is sick and tired of others giving them weapons to fight their wars, but not food, shelter, or economic development. And then golly jee go figure that they're pissed off. You wanna stop terrorism? Stop handing them bullets, dumbasses, and build a school.
Quote
and build a school.
And they will tear it down in a flash. It will have been built using the wrong materials using people of the wrong religion and face in the wrong direction.
Some of the terrorists want to take the area they control back to the time when Mohammed was alive. No education past the age of 13, none for women, women married as soon as they hit puberty.
Building a school won't matter at all. It is just one more thing that shows them that the infidels are weak and need eradicating.
Once an ideology gets that ingrained it is next to impossible to get it out again.
> Building a school won't matter at all. It is just one more thing that shows
> them that the infidels are weak and need eradicating
To be honest that's as weak and defeatist an argument as stomping your feet and insisting that all encryption should be broken by design, just in case.
You're not wrong about the beliefs of some, but given the havoc the Western world has caused in these areas, building a school (and other infrastructure) is at least a step towards starting to address some of the shit that we've caused. And, yes, it's more than possible that some of those schools might get torn down, or blown up.
But it's a lot harder to use "they're giving us infrastructure" to stir up hate than it is to point at the latest village to be bombed, or at the family caught in crossfire.
There will always be nutjobs, and some of those will use religion as an excuse, but the solution isn't to run around dropping bombs and then leaving arms laying around the place. It's to remove the easy examples that can be used to paint the West as the boogeyman.
There's, no doubt, years of stored anger built up from various campaigns in the area. But the sooner we actually stop stirring that up, the fewer generations will share that hatred.
it's a lot harder to use "they're giving us infrastructure" to stir up hate
Obligatory Monty Python Reference
M.
Stop handing them bullets, dumbasses, and build a school.
I agree with the former. Unfortunately the latter will survive for 5 minutes before all students are mandated to become warriors of the faith and are handed some of the spare weapons.
However, we should definitely start with the former. Not arming anyone no matter are they called free wankers or free jerkihadists or free Syria army.
"[...] Terrorism is a problem *created* by the western world, and if anyone bothered to dig into the matter they'd realize everyone is sick and tired of others giving them weapons to fight their wars,[..]
When the Russians were trying to help create a modern society in Afghanistan - it was the USA that covertly supplied Osama Bin Laden and his Taliban peers with weapons.
Now the USA is trying to help create a modern society in Afghanistan - it is said the Russians are supplying the Taliban with weapons.
Wars in non-first world countries usually peter out when the external supply of money and weapons stops. Saudi Arabia and Iran are doing their bit with supplies to keep several civil wars chugging along.
> Now the USA is trying to help create a modern society in Afghanistan - it is said the Russians are supplying the Taliban with weapons.
This is a game in which the only winning move is to not play. If Russia hands them weapons and they go all murder happy, just step back and wait for them to get sick of neighbors killing neighbors, then drive in and offer food and schools. It may not work the first time, or the second, or the fifteenth, but eventually, it will.
Contrary to popular belief, it's easy to either have a tyranny, or a republic. What's in between is a no man's land that is very hard to traverse for entirely political reasons; It takes many attempts to reach the critical mass of economic improvement and education of the population needed to catapult it over that divide. Civilization has collapsed several times in human history; And it always took hundreds to thousands of years to rekindle it.
The middle east will not be fixed by the policies and interventions of the western world -- indeed, it's the very thing guaranteeing it can't be. All we can do is lay the tools at their feet and be patient. Civilization will naturally and inexorably develop given adequate resources -- and advancements in forms of governance do as well. The only thing we should be doing, is making sure they have those resources. Beyond that, we must be patient.
It may take a long, long time, before they bring about an end to their own suffering. But we. cannot. help them.
Terrorism is a problem *created* by the western world
Wrong. Terrorism has been around as long as humans have. The Romans were also pretty good at it. And (if you want non-Western examples) look at the Assyrians - they were pretty good at it too. As were the Ancient Britons who were pretty good at using terror tactics against Roman settlers.
And the Sicarii - let's not forget them.
The main difference with modern terrorism is the weaponry available.
Quote:
Terrorism is a problem *created* by the western world, and if anyone bothered to dig into the matter they'd realize everyone is sick and tired of others giving them weapons to fight their wars, but not food, shelter, or economic development. And then golly jee go figure that they're pissed off. You wanna stop terrorism? Stop handing them bullets, dumbasses, and build a school.
What, like the ones built in Africa with money and gear donated by the UK when I was at school in the 70s and 80s? I don't bother watching the first half of any national or international news programmes now since they are all full of either the still-starving masses, the latest attempt by Nicola Sturgeon to redefine "once in a lifetime", the idiots clinging to the faint hope they can stop Brexit (as against just screwing up any chance we have for a decent settlement) or the latest attempt by the Government to persuade the majority of the public that by giving politicians full access to every part of our private lives we will suddenly become bullet and bomb-proof.
Terrorism wasn't created by the Western world, it was created the first time some evil little sh*t realised you can blow up a hospital or a school so much easier than attacking soldiers who might fight back (if the government hasn't hamstrung them with ludicrous rules of engagement like "one or more of your mates has to die before you can even load your weapons") - what else do you think guerrilla warfare is?
It seems it's not only the vowels in your name are missing, a little bit of realism wouldn't go amiss either.
And their deaths are already being used to justify going after end-to-end encryption. Never mind that dictatorships around the world will use that to ID thought criminals and send them off for re-education/forced labor/a date with a firing squad. Never mind that working encryption is what allows you to talk about your personal and government business with dramatically higher safety. Never mind that working, not-backdoored encryption is embedded in many payment card industry and financial industry regulations.
Let's just trash all that so we can find out if some guy with a history of violence might try as a matter of convenience to attach himself to jihadism, and kill 3 innocent people in the process. And that's assuming that Mr. Masood was not texting about kitten videos or soccer scores before he went off the deep end.
I was always jokingly told that a pre-requisite of becoming a politician was to obtain a criminal record first since they all seem to behave that way. I do think your comment holds some truth. Have a tantrum, tell people a story and hope (or force) them to agree with you and wave through crazy laws.
@ Ivan 4:
Is there some law that requires all those aspiring to be politicians to not have any idea about technical things of any sort?
FTFY
Edit: The answer is no because there doesn't need to be. When they all turn up having no worthwhile knowledge of how the world really works anyway why would you need a law to enforce the requirement?
I have some deductive reasoning.
They have his phone.
Either he deleted the message after he sent it or they can't access the phone though if that was the case we would be having the apple encryption argument instead.
This means they used meta data to confirm the message had been sent and to who it was sent to.
Why not go and arrest the person receiving the message and ask them what it was? No doubt they have already done this if possible.
Finally why go after whatsapp encryption? If a terrorist is about to commit a terrorist act he is hardly going to send a message to someone of interest as he knows they will get his phone, if he was then he would have chucked it in the Thames beforehand.
Personally I think the government are lying to get the public behind their request (look at some of the front pages today) so the technology companies will have no option but to comply because they start losing users. They could also be lying because they already have the ability but that's more a tin foil hat thought.
If anyone else can correct the above or offer alternative views I would be most interested.
> I have some deductive reasoning.
I applaud the attempt to identify the logic behind the position adopted by Rudd et al, but an alternative position is that deductive reasoning is entirely superfluous to requirements. Given the absence of intellectual content in the original proposition, it isn't necessary to justify any actual, relevant link between what happened in Westminster, who was responsible, what they did or who they communicated with and the proposal raised by Rudd.
All the real investigation will be done by the serious people doing a serious job and they may apply some logical reasoning. Meanwhile politicians like Rudd will hang spurious argument after vacuous sound bite on the cause du jour in order to justify something they think will further their political agenda if they can get away with it. Evidence, experience, technical advice and logical reasoning are not necessary and potentially counter-productive.
Either they got his ICR which shows new connections to WhatsApp's servers at that time or they did as the Daily Mail did and added his number to someone else's contact list and got his last online time or both.
I imagine the later arrests were made based on phone calls and standard text messages from his phone, not WhatsApp.
Is his WhatsApp meta data or contact list available? Possibly not since end-to-end encryption rolling out. If the contact list is available then it's something WhatsApp (the company) can provide.
Do they have his phone? I'd like to think that the answer is they don't because if they do then they have everything they need but those deaths are being used as an excuse to go after e2e encryption anyway.
They get their way; all communications monitored and analyzed, every conceivable type of miscreant incarcerated or watched, what then?
Well, History shows that they'll be shocked, amazed, and caught utterly unawares when they're dragged into the street and hung from the nearest lamppost, eh, Mussolini, Ceausescu?
... once. Something Oppenheimer (or it might have been someone else) said after the atom bomb was tested, or after it was publicly used. Whoever it was, they said it wasn't the 'spies', the Fuchs et al, that gave the atom bomb to other nations. I mean, yes, those folk maybe speeded things up a little - but they didn't 'give the secret away'.
The Americans did.
Because, whoever it was said, it wasn't 'how' to build an atom bomb that was hard - any halfway decent physicist could do that. But they could only do it _once they knew it could be done_. Or rather, it was much easier to start, to get funding, to put a project together, when the people paying you knew you weren't just going blue-sky - you were just going to repeat something pretty obviously able to succeed.
Backdoor encryption? It could be just like that.
If you're a nation state, or a criminal, or script kiddie in your mom's basement, yes. You can go looking for possible security holes in all kinds of things. But if you're a _real_ black hat? Well, if you know Guv'mint X insists on backdoors, and Guv'mint X allows Product Y to be used? Well, you know the only reason you don't know the backdoor into Product Y is because you haven't found it yet. Because whether they admit it or not, whether they publish it or not, just by allowing Product Y to be used, Guv'mint X is telling you the door is there to be found.
And, just like the atomic bomb, knowing the door is there will likely make it a damn sight easier to get the resources, or project approval, or just sheer bloody mindedness that will _let_ you find it.
Because you know it's there.
And it won't just be one - one hypothetical black hat, I mean. When folk _knew_ there was gold in the Klondike, they didn't say 'hey, let's not go there! Let's go look at some other damn river, it'll be quieter!'
No.
They Rushed.
They Rushed, and even if not everybody found gold, a lot did. But the Klondike? It was never the same again, and after a while - it was dead.
So, yeah. Guv'mint approved apps. With Top Secret Guv'mint backdoors. Because sometimes, all you need to know is where the gold exists - finding it's the easy part.
Sigh...
Once again, it comes out, after the fact, that the asshat that carried out this killing spree was on the security services' radar and they hadn't followed it through. In this case, he was discounted as a nobody. For the 9/11 attacks, they had recordings of them planning the crime but not enough people to listen to them in time. So yes, adding more hay to the haystack without more farm hands is really going to help us.
Do the security services need more surveillance powers? I would say not. They could do with adequate staffing levels and a size nine up the backside to use the information from the powers they already have properly rather than just hoarding more. Give me more police on the street any day.
He contacted someone 2 minutes before his 82 second attack? How would that help?
"I'm going to do it now, bye" .... with some geolocation data, placing him in the middle of thousands of tourists, all on smartphones, talking, texting, social media, photo backups etc all going on in that exact vicinity at the same time.
The government know his phone number, likely have his phone, so have the key to his WhatsApp account and messages already. The phone number is the authentication to logon and see old messages. So they're just using a crisis to push for more power, which isn't needed. Something akin to Naomi Klein's The Shock Doctrine, using a time of emergency to grab more power!
The important question in any situation like this is - what would the proposals actually achieve? According to reports, the arsehole was using WhatsApp a few minutes before the attack. Would giving the government a way to access encrypted messages have done anything to prevent the attack or save lives in any way? No. Therefore, fuck off. If you're going to use an incident like this to try to drum up support for your Orwellian fantasies, have the decency to at least pretend it's in some way related. Just shouting "Waahhh, terrorism!" and then blurting out something completely unrelated to the events that actually happened is not a sensible way to have discussions on the internet, let alone to actually run a country.
Rudd's ambition is just plain dumb we all know that, and she probably does as well but is just trying to buy some time and votes.
Just as important for me is distinguishing between secrecy, privacy and anonymity. Each of these can be improved or enabled by various forms of cryptographic techniques.
I like the idea of being able to vote in secret, once I have proved my identity
I like the idea of keeping some parts of my life private and only share with those who need to know like my doctor.
Finally I like the idea of being able to do things anonymously without any record, popping cash in a charity box,
Right up there with Dave "Porcu-phile" Cameron's "Lets Ban Encryption" suggestion. I love how the Social Media companies and others get it in the neck - But no one is suggesting that Pen & paper companies be banned because you write encrypted messages on paper, or that there should be back door into every letter and photo-copies made.
All Home secretaries seem to be at the whims of poor advisers, or maybe it's politically convenient to blame companies....Like blaming everyone about TAX evasion, when they write the TAX law.....Simple, write better Tax Law.