WTF?
Australia:
10% of the Population, but 100% like US-Government certified-surveillance.
Think I'll skip traveling to the United-States-of-Auz after this. Go elsewhere!
The Australian government will press ahead with its not-a-backdoor anti-encryption plans and hinted that collaboration with tech companies is its approach to accessing encrypted messages. The latest attempt to pitch the counter-terrorism legislation came from Angus Taylor, the government's Minister for Law Enforcement and …
but 100% like US-Government certified-surveillance
Correct
As I have said a few times - our politicos are watching with extreme interest the events in Russia and their centralized escrow approach.
The difference, however is that in Russia, FSB and Co presently pretend (we do not know if this is true or not) that they do not collect any data real time and they rely on provider's complying with data retention regulation to keep copies of the data. Hence, while they (supposedly) have the keys, they cannot read the data until they have a court order to obtain it. At least that is the official line and this is why this passed their constitutional court.
In a 100% like US-Government certified-surveillance or 100% like UK-Government certified-surveillance or any 5 eyes for that matter all data on any of the main national trunks and all data on international interconnects is leached by the government realtime. So the result of copying the "Lonely Russian Boy without friends" homework is actually unchecked realtime government surveillance.
Once parliament passes the law that pi=3 then everything else falls into place. It's pretty hard to write working encryption when obeying mathematics laws like that.
As the law will no doubt include the magic words of Terrorism and Security in its title, both Labor and the Liberals will vote for it. And thus Australia will magically be made safe by the power of words and a really strong belief.
And those of us from the freer side of the ditch will continue to point and laugh at the western worlds 2nd biggest nanny state.
What is it about elected officials that they don't understand the term "secure communications" and why they are used? Seems every country wants a way to bypass encryption that anyone with half a brain would understand that it can't be done and still be secure. There's no magic bean that will let only law enforcement take a peek. Are these clowns really that stupid?
There's clueless and then there's political clueless which is a whole new level.
In fact, key escrow systems have been designed that would serve this purpose fairly well. Despite assertions to the contrary, it would be possible to make them reasonably secure against theft - at least as secure as could be done for any other data. And given a trustworthy government the risk of government misuse would be reasonable, in the sense of not significantly increasing the (now) existing risk.
There are problems with this, however. Governments, even if trustworthy at a given time, may not stay that way, so entrusting them with power always must be done based on the knowledge that their successors may be less trustworthy, possibly by a great deal. Moreover, those who engage in serious criminal activity will not, if they think about it, be reluctant to use widely and easily available cryptographic systems that do not participate in the key escrow procedure. So the government would have escrowed keys for the honest folk and the incompetent or slack criminals, who mostly can be found and convicted without accessing their communications. For the competent and highly motivated ones they would not have the escrowed keys and would have to collect the evidence by more traditional, and much more labor intensive and expensive, means. In the end, the most serious criminals will be as hard to get as they are now, and the only gain will be occasional conviction of a second rater who might not have been an overly large burden on society in the first place.
The law enforcers never will give up on this, but they probably know their gain will be marginal at best.
In fact, key escrow systems have been designed that would serve this purpose fairly well.
But that is NOT what they are talking about:
“There's been ideas around for decades that you should create some kind of key that law enforcement can get access to … that's not what we're proposing... "
Despite assertions to the contrary, it would be possible to make them reasonably secure against theft - at least as secure as could be done for any other data.
I stopped reading your comment at that point :)
Basically that an escrow system is open to abuse by a future untrustworthy government agency - and real criminals would avoid it anyway.
For some values of "real criminals." Yeah, if you're plotting a diamond robbery you avoid the escrowed crypto. OTOH, if you're planning on mass blackmail using people's secure messages to gain info, you attack the escrow key store. That escrow key store is going to be attacked by blackmailers, foreign gov'ts, employees with a grudge, etc. Anybody who thinks it will survive those attacks should remember where WannaCry originated.
"that an escrow system is open to abuse by a future untrustworthy government agency"
He didn't mention the other major problem with key escrow - competent criminals stealing the escrowed keys.
Yes he did, it was in the 'open to abuse by future untrustworthy government agency' bit.
What you missed was a short, well-stated summary of exactly what's wrong with key escrow or, indeed, any other form of back door..
You mean like "giving your private keys to someone else is not a good idea, and the baddies won't do it anyway"? The reason behind my "didn't bother reading this" comments is that I thought that every thinking person in the industry knew all that anyway.
Must be 20 or more years since I wrote my company's response to HMG's request for views on key escrow. I basically said what I said above, quoting the experts - mostly in the US - who had already said this.
I then went on a short holiday.
When I returned, the paper had been rewritten, by a salesman. It now said that we wholeheartedly welcomed HMG's proposal, and looked forward to the opportunity to work on their implementation, etc etc, ad nauseam.
I asked for only one change - removal of my name from the paper. Otherwise my reputation, amongst my peers, would have been shredded.
"those who engage in serious criminal activity will not, if they think about it, be reluctant to use widely and easily available cryptographic systems that do not participate in the key escrow procedure."
Not just criminals. I'm a law-abiding citizen, but I would absolutely do this. Actually, I already do. I don't trust crypto schemes that are included with my machines and services by default.
"What is it about elected officials that they don't understand "
Oh no; they understand alright. They understand it well enough indeed.
What they are relying on is that 90% of the population doesn't understand it, which means they can subvert it easily and use it for their own ends. It means the veneer of an excuse, a dismissive handwave at "experts", a few bespoke scary words and some technomumble will be enough for them to reach their goal of a universal panopticon.
Why do they want such a thing? Because they know that their methods of social control are out of date and threatened by the speed of direct modern communication. In order to retain power they must control the internet and all digital communication must be monitored.
"Oh no; they understand alright."
Not if they're in the Amber Rudd class of elected official (remember hashtags?) - whether this guy is in that class I don't know.
What you have to remember is that behind the elected officials are a group of unelected officials who do understand. They prefer their politician front not understanding. That way the front don't know they're talking bollocks and are so much more convincing because they actually believe what they're saying. Could you have spouted such stuff and kept a straight face?
Nah, they will use catching pedophiles too. In truth it will be used to find tax cheats and general purpose spying and every government body will have access. If memory serves, until it became public the RSPCA could access saved meta data so our government clearly doesn't have the brains to be trustworthy. To be honest, I would rather the russians read my messages than my own government. I've never said or done anything interesting to the russians, but I suppose it's possible my own government could one day misinterpret a joke or something and get all in my face about it. I'd rather not go though that for what would likely have been me trying to get a laugh from a mate.
agreed. As an Aussie living in NZ i just laugh now about what happens in Oz. I'm currently in Oz for family reasons but can't wait to get back to my gigabit fibre internet connection instead of the crap NBN we have in Oz. (i'm back tomorrow)
http://www.speedtest.net/result/6823071443 on a 2014 router. Not bad hey? and on an NZ public holiday at peak time too.
> As an Aussie living in NZ i just laugh now about what happens in Oz.
Yeah NZ is perfect.
Not like they'd ever use the GCSB (NZ equivalent of NSA) to illegally spy on a NZ resident. Or send in 76 police including their anti-terrorist squad, and 2 helicopters, to arrest 3 or 4 people in their home in an illegal raid. That'd never happen.
Given that the PM himself has admitted to using end-to-end encryption services, then what right do they have to demand to see anyone else's messages?
Surely corrupt politicians are a greater threat to national security than your bog average bloke, they should start off sending all of their communications in clear text, before demanding ever more invasive measures into our personal lives.
Really? The PM truly amazes me - I had thought that his only competency was to preen himself in front of a mirror. Perhaps he just thinks that he is using end-to-end encryption based on that famous cipher ROT-13.
When he was a minister for telecommunications he demonstrated that he had no knowledge or feel for job, so I take any statement about technology from him or his sycophantic cabinet colleagues with much salt. The man makes his predecessor look incredibly competent.
Under nearly all regimes, if not all, law enforcement officers can obtain legal authority to examine communications and other materials that are not encrypted. It would be interesting to see a justification for the claim that encrypted material should be treated differently because it is encrypted. Australia and the other five eyes countries have significant and usually effective constraints on government access to, and use of, private material. It is not obvious that they would operate differently on encrypted material if they could than they now do on unencrypted data, or why.
I suppose for files that aren't too huge you could find a way to stick them in a Word format file - there's space that's basically binary in them, you could take an innocuous file and add some binary content to it somewhere that doesn't impact its ability to be loaded into Word. That way if the spooks decrypt it, they'll see the innocuous Word file, and you just hope their software isn't smart enough to notice all the "garbage" contained within.
The same could be done with video files, PDF files, etc. I imagine...
Steganography (/ˌstɛɡəˈnɒɡrəfi/ (About this sound listen) STEG-ə-NOG-rə-fee) is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography combines the Greek words steganos (στεγανός), meaning "covered, concealed, or protected," and graphein (γράφειν) meaning "writing".
This post has been deleted by its author
The encryption of the message in transit will remain secure, without escrow or other back doors.
They will however mandate that it cannot be "end to end", and that the message service provider must have the message available at both ends of the communication to be inspected by someone with a warrant to access the device or central store.
The encryption of the message in transit will remain secure, without escrow or other back doors.
They will however mandate that it cannot be "end to end"...
leaving one hole in the end to end encryption for the government means the crime can also use that one hole to steal stuff. Which is the definition of not secured. Which is the point everyone who knows a little bit of how computer works is trying to say.
I'm beginning to think that we should impose strict educational requirements and IQ tests on anyone standing for office. It's not just that we have some laughably, transparently stupid people in government—in this country we have blithering mouthbreathers like IDS, Leadsom and Paterson, with Gavin Williamson desperately trying to join the Dumb Kids crowd (he'll succeed if he keeps opening his mouth)—but that even the ones who do have some residual intelligence simply refuse to use it, often through wilful ignorance. As Home Secretary, Theresa May constantly repeated this ignorant bullshit about backdoors, showing that even a lukewarm IQ is no defence against knowing nothing while flapping your jaws.
The wilful ignorance and stupidity of "leaders" has risen in step with the infestation of career politicians, whose lack of experience in any other sphere stands out like a lighthouse of uselessness when they are required to think sensibly and actually know a few things about the world. Cultivated in the political hothouse of lies and spin, their failure to grasp both big picture and detail leaves them looking like abject fools. The problem in the US is arguably even worse, with a know-nothing, corrupt, hysterical, pathologically lying man-child as President. Trump manages to shame the USA even more than Boris Johnson shames Britain. It would be very funny if these imbecilic egotists were not so very dangerous.
To topic, all of this guff about encryption continues to miss the point. You all know this already, but who knows, maybe a curious lawmaker is passing by ...
1. Algorithms for extremely powerful encryption are published for anyone to read.
2. Any competent coder from among several tens of millions on Earth can cook up an app to perform essentially unbreakable encryption. (The key is The Key, not the method!)
3. Any somewhat superior coder from among the hundreds of thousands on Earth could additionally concoct some steganographic methods for not only encrypting data but also concealing the fact that it is there. (Think: petabytes of photos scattered like sand grains across an entire planet's worth of social media.)
3.a. In any case, many methods exist for ensuring plausible deniability, including the randomised disk partition approach, etc, etc ad nasueam
4. There are dozens of ways indviduals and groups can home-brew their own end-to-end encryption systems, adding steganography if they want to for extra safeguards. For one obvious example: use one device that doesn't store keys to encrypt your message and steg it into a photo; transfer that photo to your phone/PC/whatever and upload it as one of the billions on your crappy social media system of choice; whether your message was "I love you" or "How to plan our next atrocity", it is secure and, assuming you used a low encryption rate and a clever algo, not even recognisable as a message.
5. Most of us will never bother doing this: the people who will do it—and are undoubtedly doing it already—are the Black Hats. Darwinism is ensuring that the BH community is improving its sneakiness all the time, while countermeasures are falling behind (detecting the existence of steg'd data in photos was relatively easy ten years ago; now, against any adversary whos's been paying attention, it's hopeless).
In short, the genie is not just out of the bottle, it's everywhere, and there is not the slightest hope of putting it back. Even a drastic measure like trying to block all traffic that might contain encryption (e.g random strings; photos; music) is doomed unless governments want to stop all transactions and sensitive data on the internet.
Polticians and security agencies need to wean themselves from the always-fatally-flawed idea that they can use tech as an easy way to control populations and control crimes, including terrorism. They need to recgonise that old-fashioned law enforcement shoe leather, due process, hard evidence gathering, infiltration and humint are as necessary and effective now as they always were.
The lazy way does not, cannot work, so instead of childishly stamping feet and whining for what you cannot ever have, it's time to move on.
I'm beginning to think that we should impose strict educational requirements
Step 1: Delete 90% of those lawyers in government
Step 2: Delete 90% of those currently pointless laws
Step 3: Make it only representative in their field are allow to create new laws specific to their field, and other representative from other fields has to review if the law clash with their field. In addition, representative are voted by those in their specific field.
> Step 1: Delete 90% of those lawyers in government
With extreme prejudice.
> Step 3: Make it only representative in their field are allow to create new laws specific to their field, and other representative from other fields has to review if the law clash with their field. In addition, representative are voted by those in their specific field.
Unfortunately that leads to regulatory capture. i.e. all the laws passed will be for the benefit of those in the industry who control the industry. e.g. MPAA, movie studios, music labels, will be able to 'capture' the representatives with bribes campaign donations and get laws passed solely for their benefit.
Milton, I can't help noticing your list is somewhat biases towards blaming Tory politicians for all the ills of our society.
You obviously need reminding it was then Prime Minister Tony Blair who decreed *everybody* should be subject to constant snooping EXCEPT MPs, but that MPs email should remain sacrosanct after they left office - all to protect communications between MPs and their voters of course. He just seemed to forget that the voters' end would be spied on anyway, proving his whole "protecting MP-local constituent confidentiality" excuse was nothing more than a thinly-veiled attempt to make sure the public could never find out what he was really doing when he was supposed to be governing the UK - and how much of it was for future benefit of Tony Blair, ex-Prime Minister regardless of the effect it would have on anybody else.
But yeah, blame the Tories. I'm sure we will be *so* much better off when the Unions are running everything again and publicity-seeking Politicians release murderers and rapists *tried by the law of the land and convicted by a jury of their peers* back into society, like the Good Friday sell-out.
Milton, I can't help noticing your list is somewhat biases towards blaming Tory politicians for all the ills of our society.
I'm going to go out on a limb here and suggest that the appearance of bias derives from the fact that he's talking about the current government and doesn't feel obliged to reference every shitstick politician in history. You, however, let your bias shine.
Your final paragraph in particular suggests that you have a limited experience and little understanding of recent British political history, which leads you to a failure to understand how it is likely to move forward from here. Go back to school and listen this time.
Am I the only one who thought (from the article) this guy might have been talking sense?
It was hedged with lots of caveats like "where possible", and "getting access to the message, not decryption" (which could translate to "getting the metadata").
I think he may be talking about thrashing out metadata and grey areas like the FBI-vs-IPhone case here. Using language designed to be imprecise so as not to upset the dafter politicos at this stage. That would actually make a lot of sense: have at least the bones of a deal with his comms providers in place, and present it as a fait accomplit to George ("don't do that") and the flat-earthers.
"I think he may be talking about thrashing out metadata and grey areas like the FBI-vs-IPhone case here."
Aus authorities already have access to all communications Metadata. Like all politicians he is just a mouth piece to spout the words others write without understanding the context or meaning. A spin projector ejaculating infertile ideas into the air.
It's an on-going mantra from the Aus Police, ASIO, AFP etc. (and their UK equivalents) that they need to be able to get to the content - in their position why would they not?.
Against all the technical evidence they continue, probably to mask the fact that they can already access quite a lot more than they want us to know, and are just trying to hoover up the last bits.
Of course they are also preparing their defense for when a terrorist attack is successful " Well we have been saying for years that we needed to get to message content. had we have had that facility this terrorist act would have been prevented"
To me it sounded like he was trying to distinguish between a back door in the sense of a weakened crypto algorithm, and key escrow. A weakened algorithm can be broken by anyone with sufficient maths ability and computational power, so is a worse option. Key escrow can only be broken by whoever has the keys. Key escrow can seem like a viable option if you trust the keyholder to keep them safe.
That said, the quote, "There's been ideas around for decades that you should create some kind of key that law enforcement can get access to … that's not what we're proposing" could be a rejection of key escrow. But without details of what he is proposing it's impossible to be sure.
Whats been hinted at the guardian is the Adoption of a front door. Ie pre encryption of sent message.
Im guessing this would entail a manufacturer device enabled cache on the SOC. So the Gov in question can simply request a key from the manufacturer based on the serial number of the device.
This will be real.
E-mail your politician this link: https://www.youtube.com/watch?v=VPBH1eW28mo.
It worked with my MP, who thought it a very useful explanation of why techy people kept telling him "it won't work" and was very glad to have received it. It will probably work with your MP too, unless you live in the Hastings and Rye or Maidenhead constituencies.
I mentioned Angus the Cyber Minister twice in my review submission :
http://www.defence.gov.au/publications/reviews/tradecontrols/Submissions.asp
http://www.defence.gov.au/publications/reviews/tradecontrols/Docs/Mark_Lane.pdf
Male Bovinae Faeces [ BullShit ] & Case study # 7c5aba41f53293b712fd86d08ed5b36e
The escrow debate is bullshit being regurgetated & farmed down from the USA 'CLIPPER KEY / CHIP' from 25+ years ago. [ https://en.wikipedia.org/wiki/Clipper_chip ] along with the 'Munitions legislation' that was forced into the 'Wassenaar Arrangement’ that the stupid Liberals turned into the DTCA.
Be Protected, Get The FooKey METHOD : http://foocrypt.net/the-fookey-method
The FooKey METHOD :
http://foocrypt.net/the-fookey-method
The common flaws in ALL encryption technologies to date are :
1. Typing on a KeyBoard to enter the password
2. Clicking on the Mouse / Pointer device that controls the location of the cursor
3. Some person or device looking / recording your screen as you type the password
4. The human developing a password that is easily guess, or can be brute forced due to its length
5. Sharing the password with a third party to decrypt the data
6. Storing the encrypted data in a secure location so no unauthorised access can be made to either the key(s) to decrypt the data or the encrypted data itself
FooCrypt, A Tale Of Cynical Cyclical Encryption, takes away the ‘BAD GUYS’ by providing you with software engineered to alleviate all the above.
1,2,3 are mitigated by the FooKeyBoard, Auto Key Press and a simple combination of colors modifying the Cypher Key Control Text Window. The TopeSecretCypherKeyControlText Preference Setting enables your to have a such a configuration. All the Text is hidden until you click and drag the cursor over a text area revealing only the portion of the text window you choose.
4 is mitigated by the simple configurability of FooCrypt, the accept random data from an unlimited number of sources and following FooCrypt's DEFAULT settings of utilising a length up to the maximum
5 is mitigated by FooCrypt’s ability to intemperate any binary data as a source for creating a FooKey, hence sharing the FooKey, can be obfuscated by an act as simply as sending the third party :
A Photo
A Music file
A Document
A URL to a data source on the Internet / Intranet
The possibilities are endless
Then, all the third party has to do, is utilise FooCrypt’s Import Window Memory Binary Features, to recreate the FooKey.
Modifications to the imported binary import can be made with ease with FooCrypt’s XY features, enabling identical cursor position for character modifications to the binary import
6 can be mitigated by always storing your encrypted data on an encrypted media device, thus even if your media device is physically stolen, the thief needs to break the disk encryption, and then try to break FooCrypt’s Cyclical Encryption. FooKey’s are always stored on physical media, encrypted in a single layer of encryption. FooKey’s can easily be encrypted by the User with a FooKey, hence, layering the FooKey in multiple layers of encryption.
No one to date has been able to by pass or break into a file encrypted with the FooKey method.
Second Writer: Splunge.
Larry: Did he say splunge?
First and Third Writers: Yes.
Larry: What does splunge mean?
Second Writer: It means it's a great-idea-but-possibly-not-and-I'm-not-being-indecisive!
Larry: Good. Right. (to third writer) What do you think?
Third Writer: Er. Splunge?
Larry: OK.
First Writer: Yeah. Splunge for me too.
Larry: So all three of you think splunge, huh?
Writers: Yes!
Politician: We need access to some communications between x and y ... give us the master key
SecExpert: There is no master key ... Let me tell you how it works ..
Politician (thinking in the mind) : Oh! She started again!!
Politician: Lets cut to the chase .. give me a way to access communication between x and y .. whatever it takes..
SecExpert: I do not own the keys for the communication ... the keys are owned by the users and its a breach of trust if i give it to you.
Politician: Do you know whom you speaking to? How come you do not trust us ?
SecExpert: Maybe I trust you but i do not know how can i trust the institution and its future staff from misusing this powers ...
Poitician: How can you not trust the constitution makers? We ll amend the constitution and we ll see you then.
Meanwhile, in the other part of world:
Terrorist1: Shall we use whatsapp to send messages?
TerroristSecExpert: What! Are you mad? We ll use this android app which i developed in past few days which uses our own generated public/private key pairs.
Terrorist1: I want those poo emojis in that app ... do you have it?
TerroristSecExpert (rolling her eyes)...