A Ruddite doesn't have a backdoor
because they don't believe in Encryption.
The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding …
@Dan 55
This is pretty much what I thought. I admit I may be somewhat naive in my reading on the article however to me this reads as rather than the universal hobbling of encryption (the Rudd Redundancy as I like to call it, mostly because it may encourage something else by the same name) and handing governments the ability to view all traffic, all the time, they appear (again, in my possible naivety) to be talking about knowledge sharing about breaking encrypted devices on a case by case basis. This means police forces have to know who they are looking for, observe that person and snatch their devices, possibly intercept their individual communications. Like police forces always have.
Isn't this what we all wanted?
Yes, there are those of us who will always view any development with the utmost suspicion, and rightly so, someone needs to keep these people on their toes by asking difficult questions, however personally, I choose to view this as a step in the right direction, the direction the tech industry as a whole have been pushing for.
A better way to work is to remember that when you're hunting criminals, you are not hunting super-intelligent encryption-geniuses, but rather the less-able twerps of this world. As such, you simply have to accept that some of their communications won't be accessible to you, and there isn't a magical McGuffin that will let you get around this.
This is the same thinking process that police had to go through when DNA evidence was first introduced; all DNA actually shows is that at some point, the person whose DNA is present was in contact with whatever the DNA was detected on. Thus the old criminal trick of picking up cigarette ends outside dodgy pubs, then scattering one or two in prominent places when committing a burglary only works if you have stupid policemen around.
Another example is of some burglars who targeted country houses and operated as a gang. Their modus operandi was to meet up at a motorway service station near the target, turn off all mobile phones then go out to rob the target. Only afterwards did they re-enable their phones. This meant they didn't leave an electronic trail to their crimes, but did mean that they left a huge great signal that they were about to commit a crime (for they never met up, turned off phones then sloped off down the pub lawfully to add distraction to the pattern).
As I say, we're dealing with criminals, not masterminds. Criminals always make mistakes, and police have the manpower to catch these mistakes.
So, forget the phoney prize of being able to break encryption. If it is seen as possible, people will use other methods to get around this problem; unbreakable one-time pads for instance. Or, use encryption known not to have been back-doored.
This meant they didn't leave an electronic trail to their crimes, but did mean that they left a huge great signal that they were about to commit a crime (for they never met up, turned off phones then sloped off down the pub lawfully to add distraction to the pattern).
You were all going down the pub?
Oh yes officer it was pub quiz night at the All Seasons and mobile phones are not allowed to be used. Therefore the entire team turned their phones off before we got there.
I remember a case (not in the UK) where police lawfully had done traffic analysis of a bunch of criminals. They were able to work out who had done various 'jobs' based on who was talking to who around the time of the crimes. I think they had some initial evidence for each case that had fingered one villain. From that they were able see who that person had been in contact with to make links to other crooks. They then did surveillance to gain enough evidence to be able nab the other players in the crimes and prosecute.
"I would like to see some numbers showing the proportion of crimes where the crims have been shown to use encryption."
I'd like to see some numbers showing the number of violent crimes where the criminals would NOT have been able to commit the crime WITHOUT encryption.
I suspect it will be a small number, probably pretty close to zero, and should indicate how pointless the whole anti-encryption argument is in preventing real crime (as opposed to thought crime) and improving public safety (we're pretty safe already I think).
We don't need backdoors, but we'll do our best to help our neighbours create them so we keep our hand clean politically.
Wouldn't worry about it, this [capability] is so secretly guarded as state secrets it doesn't even pass around Five Eyes, there's no chance the Germans (who are most capable in this field in the remaining states when the UK leaves) are going to help the French or the Spaniards or whatever to break crypto that's protecting their own security services and as an afterthought citizens. Hell will freeze over first.
Commission doing what it does best and wasting everybody's time.
How very refreshing to hear this from the EU:
“The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon”
US and UK take note!
> I can't help thinking of the classic line
It might be classic but I only know it from the only musical masterpiece anyone ever needs to know, courtesy of The Firm.
They are not in favour of backdoors but are in favour of having undocumented ways of circumventing the encryption that they would have Europol to be sharing with all member states.
This sounds like they will be looking for vulnerabilities in the software that they can use but won't disclose them to the application provider when they find them, so how is that any safer than asking for a backdoor in the first place?
This is government doing the Right Thing, and not getting in the way of industry and society. They're looking at the story of the FBI and the Iphone, and pooling expertise as and when such cases arise and the maker can't or won't help law-enforcement.
"Much more sensible than installing backdoors."
It sounds more like looking for backdoors that weren't intended, keeping the information from the vendor but then sharing the information out among themselves so that it'll leak out further still. Remind me again, how did we come to have Wannacry?
How does this differ from black hat hacking?
Shock horror.
I'll leave aside how long it's taken the EU to accept this fact and note that IRL Euro plods have always had multiple ways to compromise crim comms (at different levels) provided they had actual evidence of a crime being committed.
Actual secure comms within a criminal group is very difficult if you're
a)Involved in large scale crime
b)The authorities are aware you are involved in large scale crime.
Once that happens using cheap PAYG phones won't cut it.
Don't expect any change from the data fetishists of the centre for most evil in government UK Home Office any time soon, who will continue not to give a f**k about privacy or (personal) security.
... and also the various "@HOME" grid computing projects (Folding, Einstein, LHC etc) over the last couple of decades, they could leverage the Daily Mail readership and assorted other "think of the children!" merchants to assist.
Register with "paedos@home" or "terror@home" or to contribute your computer resources to the war against [bogeyman du jour], or include "[bogeyman]miner.js" on your web site to enlist your visitors from all over the world as well[1]!
[1] Yes, I know there isn't enough computing power on the planet to brute force AES in a sensible time frame, but like I said: I'm discussing Daily Mail readers and political venality/stupidity here.
from people who don't understand encryption.
In the real world what we actually have is:
1) amateur/cheap encryption: people relying on whatever apps or tools claim to keep their smut safe
2) professional/paid for encryption; generally implemented according to best practice
3) homebrew undocumented encryption
4) the real deal: truly unbreakable encryption.
Without pussyfooting around, the 5-eye spook centres will have a handle on 1,2 and 3. I would be mildly surprised if they were not able to gain sight of any plaintext they wished by leveraging subtle flaws in either algorithm or implementation.
That leaves (4). Which at a guess will be a tiny fraction of the total encrypted traffic in the wild.
So small, in fact, as to be it's own security risk. After all, it's much easier to organise surveillance on 5 people, than 5,000,000.
(btw, I left off 5. But that's because it's the de luxe version of secure communication, and is impossible to monitor in the first instance, so nothing 5-eyes can do about it).
The spook centres might well have the capability for cracking proper crypto but it doesn't mean that the capability will be shared with other parts of government like the police.
Rudd et all are talking about more work-a-day access to encrypted comms for police investigations that aren't of national importance (the more usual drugs and murder stuff). Access to comms there might be possible now but it's expensive and time consuming. They want a cheap solution i.e. footpad has the universal key to encryption and types in "p@ssw0rd1234" and can access anything.
And clearly because it's only for the 'good guys' it'll never be leaked or found out by the 'bad guys'.
The thing is that 1 and 3 are dying out, thanks for availability of good grade encryption in the form of open source projects such as OpenSSL etc. Yes they have their problems (my heart bleeds for poor developers ...) but they generally do follow industry practices and, importantly, are under scrutiny of cryptographers who understand the math. While most crypto in category 2 aspires to 4, I think 4 is actually an empty set - just as there are no non-trivial programs with exactly zero bugs.
Back to topic - spooks are not blind, they see that category 2 is getting more popular and accessible by the day. Since they do not understand the math, they feel they cannot compete with cryptographers and hence, for the same reason, issue silly demands. Or perhaps that's just a cover, to make us think that they do not understand the math and cannot really hack what's out there ...
Scattered encrypted messages posted over various USENET fora. Requires pre-arrangement, but once in place, messages can be exchanged safely, as they will be lost in the noise (especially in a binary NG).
Has the added advantage of not identifying the recipient(s), which is the biggest problem with any point-to-point messaging. If the spooks know WHO is talking to WHO, then half their work is done.
This isn't a new idea, by the way. It's at least as old as USENET itself.
(Is that a rush of "da kidz" having to look up "USENET" ?)
> Pretty much anything can be decrypted given enough time and resources.
I've got a million bucks for you if you can prove that...
Unless you are accepting solutions that require more energy than we have at our theoretical disposal and in timeframes that exceed the life of our species by a couple of billion years.
And in the case of a one time pad, generated from a truly random source (IE, a QRNG/measurements of radioactive decay, not a classic RNG), time will not help you. It can't, there simply isn't enough information in the cyphertext to learn anything about the key.
Quote: "...the 5-eye spook centres will have a handle on 1,2 and 3..."
*
Well...I wonder. Suppose a homebrew implementation is built simply for messaging. Suppose the scheme is a book cipher. Suppose some sort of randomisation is used. Suppose the book and the random seed are both changed regularly. The result would look like the sample below. How long before "the 5-eye spook centres" can tell us what this (real) message says?
*
sforzato pharyngo- woadman mecometer semihysterical veratrize fiercenesses Ranquel lepidotic Kawaguchi eyeservice fringiness half-plane piligerous saskatoon straddle-fashion sharecroppers colibertus bilobular unsacrilegiousness Gallicolae snake-eyed hydrophorous rain-soaked entoplasm eschewing brulyiement Erastianize acetphenetid recheat hout alada superaffiuence sweet-scented Altingiaceae researchful unegregiously unregenerately blighted Marlette nonbeauties Ossetian perversite artcraft Staley physiognomonic keawe kentallenite acroataxia yodles Rhabdomonas mournfulness VC loose-lived self-purifying tornadoesque uroo slopmaking annalists undeferrable ammonitic WAN pokable limbs Composaline gasified Chibcha elephantiases guerdonless orchestras whoop-de-doo commercialised periclean half-reclined naturata haemonchosis bug-juice theorically demonstrant premarrying honduras knickknack Adrianople -aceous inductees counter-faller cervicorn yowe adenomata kutch jardon eradicable nonfervidly cribriformity totoaba Marduk Muscadine mangrate Californian Mignonette Stroessner fisherpeople So. gibble-gabble cayuses Wallinga squab-pie fancywork niftiness
*
Wasn't it made illegal under EU law to *attempt* to reverse engineer or defeat encryption mechanisms except for specific research purposes? I thought Mr Murdoch was instrumental in lobbying for that particular law (along with other broadcasters) to stamp out attempts to hack encrypted tv channels such as Sky?
A specter is haunting the modern world, the specter of crypto anarchy.
Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re- routing of encrypted packets and tamper-proof boxes which implement cryptographic protocols with nearly perfect assurance against any tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation.
The technology for this revolution--and it surely will be both a social and economic revolution--has existed in theory for the past decade. The methods are based upon public-key encryption, zero-knowledge interactive proof systems, and various software protocols for interaction, authentication, and verification. The focus has until now been on academic conferences in Europe and the U.S., conferences monitored closely by the National Security Agency. But only recently have computer networks and personal computers attained sufficient speed to make the ideas practically realizable. And the next ten years will bring enough additional speed to make the ideas economically feasible and essentially unstoppable. High-speed networks, ISDN, tamper-proof boxes, smart cards, satellites, Ku-band transmitters, multi-MIPS personal computers, and encryption chips now under development will be some of the enabling technologies.
The State will of course try to slow or halt the spread of this technology, citing national security concerns, use of the technology by drug dealers and tax evaders, and fears of societal disintegration. Many of these concerns will be valid; crypto anarchy will allow national secrets to be trade freely and will allow illicit and stolen materials to be traded. An anonymous computerized market will even make possible abhorrent markets for assassinations and extortion. Various criminal and foreign elements will be active users of CryptoNet. But this will not halt the spread of crypto anarchy.
Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure, so too will cryptologic methods fundamentally alter the nature of corporations and of government interference in economic transactions. Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures. And just as a seemingly minor invention like barbed wire made possible the fencing-off of vast ranches and farms, thus altering forever the concepts of land and property rights in the frontier West, so too will the seemingly minor discovery out of an arcane branch of mathematics come to be the wire clippers which dismantle the barbed wire around intellectual property.
Timothy C. May (mid 1988)
Arise, you have nothing to lose but your barbed wire fences!
er ...
Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure,
well, you'd think Except in 2017, when the populus should be the most well-informed ever, it's probably one of the least informed.
And getting worse.
The medieval guilds and social power structure pretty quickly worked out that flooding the media with Celebrity-Bake-Strictly-X-Dine-<insert current opium of the masses here> is a perfect antidote to people learning the truth.
Plus the (re) emergence of "fake news, fake news" when that fails.
Spend money on training and hiring detectives who aren't so effing lazy to actually dig a bit to find other evidence? Stop coddling law enforcement and make them get off their azz.
There is more to solving a crime than pooling a huge amount of resources into breaking encryption. If it's all you have to go on, then the case is likely weak to begin with... move on.
Not to mention the fact... the more law enforcement gripes about this subject, the more it's publicized; motivating people to learn more about encryption. Thus in the long run, making the job a lot tougher.
If you can't think 3 moves ahead on this fact, how do you ever expect to solve complex crimes?