back to article Blessed are the cryptographers, labelling them criminal enablers is just foolish

Nearly a decade ago I decided to try my hand as a cryptographer. It went about as well as you might expect. I’d gotten the crazy idea to write a tool that would encrypt Twitter’s direct messages - sent in the clear - so that your private communications would truly be private, visible to no one, including Twitter. Writing the …

  1. Dinanziame Silver badge
    Unhappy

    I'm pessimistic about surveillance, mostly because technology makes it much easier to beach the privacy of people than to protect it.

    We've never managed to build a house that is impervious to burglary (at least, not for average people), and people know that and accept the risk. I believe this will be the final situation for privacy breaches.

    I'm suddenly reminded that my mother deliberately keeps cheap jewelry in her bedstand, to satisfy burglars, and the real stuff is hidden somewhere else. At the moment, such a deceptive tactic would be called sophisticated in the digital world, but it might well become a common trick used by grandmothers.

    1. Danny 5

      Security is a journey, not a destination. ;)

      The best security with always lost to the best hacker. ;)

      Lastly, your mother's tactic is called "security by obscurity" and it's more effective than a lot of people would think. Hiding things in plain sight, or using dummies can be very useful.

      1. ComputerSays_noAbsolutelyNo

        It's a combination of security by obscurity (the hidden price pieces) with a honeypot (the cheap stuff).

        Good thinking on Granny's part.

        The uninformed burglar is bound to assume that Granny is a cheapo when it comes to the bling.

        Only prior social engineering, i.e. knowing about the good stuff, will render Granny's defense moot.

        1. jake Silver badge

          "Only prior social engineering, i.e. knowing about the good stuff, will render Granny's defense moot."

          Like seeing her wear it at Church on Sunday. Or to a family wedding, where one of the wedding party is a ne'er do well. Or overhearing the married-into-the-family Auntie jealously describing it down the pub. Etc.

          Those bits of mineral are never worn in a vacuum.

          1. lglethal Silver badge
            Trollface

            or splashed around in that Den of Iniquity and Sin known as El Reg by a careless grandson...

          2. General Purpose Bronze badge

            Or like seeing a wedding guest's pictures on Facebook.

          3. Doctor Syntax Silver badge

            "Those bits of mineral are never worn in a vacuum."

            Accompanied by a planted but apparently malicious rumour that they're rented.

            The other tactic is that the contents of the honeypot are actual replicas of the real stuff.

          4. hoola Silver badge

            Or more likely the pictures are posted on Social Media.

            Certainly there are significant concerns when houses are empty for things like weddings & funerals and these tend to be well known and the criminal fraternity understand it.

        2. Anonymous Coward
          Anonymous Coward

          Grandma

          I call it decoy and plausible deniability.

          Like the hidden partition of Truecrypt.

          Or the alternate passphrases of cryptocurrency HW wallets using BIP-39.

      2. MiguelC Silver badge

        Re: security by obscurity

        I remember as a kid my father had 2 stereos in his car, an old AM only receiver in its expected spot and another one, the one actually connected to the speakers, that had AM/FM reception and a cassette deck (yes, a long time ago), hidden in the glove-box.

        The rational was that burglars could see the worthless kit and wouldn't bother breaking in to steal it (as far as I can remember, it worked)

        1. jake Silver badge

          Re: security by obscurity

          Except every time I've had a car broken into, the thieves have left the glove box open. Even when they've stolen the radio.

          1. Pascal Monett Silver badge

            Yeah, but it's about managing incentive.

            If the thief's incentive is rendered null because he wanted a radio and is not interested in that one, the you've succeeded in protecting your car.

            If the thief is determined to search the glove box, well, too bad.

            1. jake Silver badge

              The thieves are opportunists. They are after something for nothing. It takes no time to open a glove box and pocket anything of value in there. So they do, at least in my experience..

              1. Cuddles Silver badge

                It takes no time to open the glove box if they've already broken into the car. The point of having a crappy radio clearly visible through the window is to prevent them from breaking in in the first place because it looks like it's not worth their while. Exactly the same principle as not leaving all your valuables on display on the back seat, or through your living room window. You can't stop someone who is determined to search for anything that might be in there, but the entire point of opportunists is that they'll go for the quick and easy score instead of wasting their time searching every car and house on the street in the hopes of finding something hidden.

              2. Cynic_999 Silver badge

                The point is that they will likely not break into the car in the first place if it does not appear to contain anything worth taking. They will instead go for the car parked next to it, which contains a more expensive radio or has a lot of loose change visible in the cup holder.

                If you want to prevent the bonnet ornament of your Mercedes being vandalised, park next to a Rolls Royce!

                1. Anonymous Coward
                  Anonymous Coward

                  Nah, I'd still go for the Mercedes.

                  But that's just me :)

                2. jake Silver badge

                  "The point is that they will likely not break into the car in the first place if it does not appear to contain anything worth taking."

                  That's called security by obscurity, and only works until it doesn't. Which is to say it is not security at all.

                  As with (nearly) all my cars, every Mercedes I've ever owned has been de-badged, so I wouldn't know.

                  1. GraXXoR

                    "Only works until it doesn't" can be said about literally every single mechanism made by man!

                    It's a statistics game. you can't reduce the chance of theft to 0.0% but you can work on getting it as close as physically possible whilst still maintaining some level of utility.

                    Thieves are opportunistic, sure, but they are also predators by nature and are looking for a likely target...

                    There was a joke we used to make when I grew up in Africa as a kid... You don't need to be the fastest kid in the world to escape the lion, only faster than at least one of your mates. The idea was that we would always be giving gives sweets and crisps to Rob so that he'd end up lardier than the rest of us.

                    A thief is going to be scouting out which car is the most likely to contain the bacon. Since he can't break into every car, he will go for the one he perceives to have the highest chance of a solid catch.

                    By making your car less appealing you are adding an extra level of security right there. Very few security measures are used solo. most are stacked with something else.

              3. cyberdemon Silver badge
                Devil

                @Jake

                The point is, exactly that they are opportunists.

                They don't go smashing the window of every car on the street (although they may try the doors) but if they see an expensive item through the window, they are likely to smash it and run.

                It's a compulsive, risk-addictive behaviour, much like gambling. I once met a self confessed serial burglar who was trying to get straight, he'd scream out WHY do you bastards leave your stuff on the seat??!

                I hadn't even noticed the unoccupied car with the handbag on the front seat.

                If that handbag had been in the glovebox, he wouldn't have seen it and would've walked straight past, unperturbed.

                1. Cederic Silver badge

                  Re: @Jake

                  Argh. My friend seemed to think that leaving his phone on my dashboard is perfectly fine, we'll only be a couple of minutes, nobody's nearby, stop being paranoid.

                  I think I've trained him out of it. I did have to threaten to throw his phone into an Icelandic fjord at one point.

                  1. Hero Protagonist

                    Re: @Jake

                    “Hey, where’s my phone??”

                    “Oh, it was pining for the fjords”

            2. DougMac

              Except I've had my car broken into even with the crappiest radio I could get, and they still tried to take the $20 radio.

              I'm not sure the bunch of carrots they pulled out of somebody's graden and left behind in my car quite made up for it.

              Sure didn't cover the cost of the damage they did to the old beater to try to rip out a $20 radio.

              1. fireflies

                I had someone smash my window with a small lump of metal for a failing sat nav... I kept the lump of metal and liked to think I ended up with the better part of the deal (notwithstanding the broken window, but thems the breaks - I'm used to dealing with broken windows, thanks to Microsoft)

          2. Bill Michaelson

            Re: security by obscurity

            I used to leave my car unlocked so that they wouldn't have to break the window.

            1. Michael Wojcik Silver badge

              Re: security by obscurity

              I had a friend who had a soft-top convertible in Boston. He kept signs in the windows that read "DOORS UNLOCKED" to discourage people from cutting the roof to get at the interior.

            2. Anonymous Coward
              Anonymous Coward

              Re: security by obscurity

              Common where I live

      3. Loyal Commenter Silver badge

        Lastly, your mother's tactic is called "security by obscurity" and it's more effective than a lot of people would think.

        On an individual level, yes.

        In the world of computer science, where companies like to say, "our products are protected by proprietary security, the details of which are secret," this doesn't hold true.

        Unlike your mother's bed-stand, crackers can get hold of "secure" software, and, in their own time, work on cracking that "bespoke" security. They can find the mathematical weaknesses, the flawed implementations, the loopholes, the timing attacks, the rainbow attacks, and all the other vulnerabilities, all without having to hide in your mother's bedroom the whole time. Once they break the security in that product (and if it's a worthwhile target, they will), nobody other than the crackers will ever know. The vendors will keep on touting how clever and secure it is, claiming it is because of that "security by obscurity", little aware that this is its very weakness.

        Security, and especially cryptography, is hard. As the author of this article discovered, "roll-your-own" security will almost certainly have flaws you didn't even consider. The advantage of open peer-reviewed security, such as the standards that HTTPS operates over, is that when flaws are found, they are made public, and fixed. If you're relying on those technologies, you'll know if they have been found wanting, and be able to take appropriate measures, rather than being in the dark whilst hackers steal all your business secrets.

        For those interested in the subject of security, I can't recommend Bruce Schneier's blog highly enough. He has been over this same ground, in various guises, many times.

        1. Antron Argaiv Silver badge
          Thumb Up

          Upvote for the Schneier reference. He's always an interesting read.

          Also: GSM used to be encrypted over the air (of course, it's decrypted at the cell site)

        2. Eclectic Man Silver badge
          Boffin

          Peer review

          Loyal Commenter: "As the author of this article discovered, "roll-your-own" security will almost certainly have flaws you didn't even consider. The advantage of open peer-reviewed security, such as the standards that HTTPS operates over, is that when flaws are found, they are made public, and fixed. "

          That is all very well and good, but I've been trying to get my 'new' crypto algorithm taken seriously by cryptographers for several years. It has the (dis)advantage of being really simple to describe and implement, so appears to be easy to crack, except that AFAIK it is actually quite strong. (FYI it is based on a non-associative algebra, I'm not trying to patent it, just get it published.)

          Bruce Schneier's blog may indeed be informative, but he specifically asks people not to send him their crypto algorithms (I can sympathise as he'd probably be inundated).

          Any suggestions, please advise.

          1. Anonymous Coward
            Anonymous Coward

            Re: Peer review

            Submit it to the next NIST AES competition.

          2. Anonymous Coward
            Anonymous Coward

            Re: Peer review

            Stick the paper on arXiv, post the code on github, offer a bug bounty on gitcoin.

          3. Greybearded old scrote Silver badge

            Re: Peer review

            Another common remark from Bruce Schneier is that anyone can create encryption software that they themselves can't break.

            1. Antron Argaiv Silver badge
              Pirate

              Re: Peer review

              Closely related to the "infinite compression" scam.

              Listen...anyone can compress a movie so you can fit thousands on an SD card. The trick is decompressing it and watching it from said SD card.

              I once prevented a guy from putting his money into a "great opportunity" by explaining this.

              It wasn't.

              A great opportunity, that is.

              Well...it could have been...for the guy selling the secret.

              But not for my guy.

          4. Anonymous Coward
            Anonymous Coward

            Re: Peer review

            Publish it on some web page, then post anonymously to some crypto forums about this cool new uncrackable crypto you've come across, and watch loads of people attempt to prove you wrong.

          5. jake Silver badge

            Re: Peer review

            "Any suggestions, please advise."

            Quite honestly, if you have to ask you are probably in over your head. It's not like the appropriate venues are hidden away in dark, dank corners or anything like that.

          6. Eclectic Man Silver badge

            Re: Peer review

            Thanks to all the Anonynmous cowards, and others, for the advice, and the downvotes (last time I ask for advice on this forum).

            1. jake Silver badge

              Re: Peer review

              Two web pages for you to consider:

              ESR's "How To Ask Questions The Smart Way"

              http://www.catb.org/~esr/faqs/smart-questions.html

              Bruce Schneier's Memo to the Amateur Cipher Designer

              https://www.schneier.com/crypto-gram/archives/1998/1015.html#cipherdesign

              Plain-text links provided for folks who care about personal security.

              1. FooCrypt

                Re: Peer review

                Or you could go down the publication / review of your cipher, via https://iacr.org/

                But if you are in Australia, you still need DEC / ASD assessment / approval.

            2. rag2

              Re: Peer review

              If one isn't prepared to be disappointed by the answer, and learn from it, then one should not ask the question.

              In cryptography "AFAIK" is simply not good enough. Unless one is prepared to think as a true hostile would, then one is not in the game. The opponent is ruthless, and has far more resources than most folk are prepared to give credit for.

              If one is serious about crypto, then reviewing existing papers—your favourite search engine is your friend—would be a very good place to start. Are existing proposals better or worse than yours? And then making friends, one way or another, with a university (or industry) crypto group would be a good second or first step.

              Cryptography is not simply about the maths, it's really about making sure that any proposed scheme is secure in the manner in which it is to be used. Thus the frequent development process, team-based, is make a cockshy system, let a hostile team loose against it, find and evaluate the weaknesses, rinse & repeat. It's very hard to do on one's own.

              1. Michael Wojcik Silver badge

                Re: Peer review

                Frankly, if you're serious about cryptography, you almost certainly shouldn't be devising new ciphers, except for your own amusement and practice. Anyone serious about cryptography should understand the state of the art, and that state is "we don't need new generic symmetric ciphers". Barring a historic event in cryptanalysis, no one who knows what they're doing is going to go through the huge cost of rolling out a new symmetric cipher that isn't PQ1.

                And someone who's serious about (machine, production) cryptography ought to know that. That's a basic fact of the market. You don't even need to understand things like linear cryptanalysis and the Random Oracle Model to understand that replacing the AES infrastructure would be enormously expensive, and doing it with a cipher that hasn't received many years of scrutiny would be enormously risky.

                1That is, resistant to algorithms in BQP.

                1. Eclectic Man Silver badge
                  Trollface

                  Re: Peer review

                  "Frankly, if you're serious about cryptography, you almost certainly shouldn't be devising new ciphers, except for your own amusement and practice."

                  It was for my own amusement. And everyone should try to devise and then break their own ciphers, to appreciate the ones that work. It just seems to be a lot better than I was expecting.

                  I certainly am not sufficiently expert at BQP or even BPP to determine the strength of my algorithm, but non-associative algebras are difficult to analyse, see e.g., An Introduction to Nonassociative Algebras, Author: R. D. Schafer, free download from https://www.gutenberg.org/ebooks/25156 .

                  Plaintext:

                  britishvotershaveshiftedtotheleftsincelastgeneralelectionstudysaysconservativesshouldfocusoncounteringlabourattacksonspendingcutsiftheywishtoremaininpowerthinktankresearcherssaythepoliticalcentregroundinbritainhasshiftedtotheleftsincethelastgeneralelectioninaleadingthinktankhasconcludedfromanewassessmentofthebritishsocialattitudessurveytheauthorsofthejointreportbynatcensocialresearchandessexuniversitywarntheconservativesthatthefindingssuggesttheywouldbewisetoensurethattheyarenotdepictedbytheiropponentsashostiletopublicservicesthereportispublishedasthelabourpartyintensifiesitswarningaboutextremetoryspendingcutswiththereleaseofaposterofanxrayofabrokenlegsayingnexttimetheyllcuttothebonedrjohnbartleofessexuniversitysuggeststhatthetorieswoulddowelltocounterthelabourlineofattackthegeneralleftwardshiftthathastakenplacesincethelastgeneralelectionsuggeststhatargumentsabouttheneedtoshrinkthestatereducewasteandcutincometaxeswillhavelesstractionthaninthenewanalysisfoundthatinanassessmentofthepolicymoodfromanswerstohundredsofdifferentsurveyquestionsvotershavemovedtotheleftinthelastfiveyearsascoreofmeansthatthenationisdeadcentreinitspoliticalattitudesbritainveeredtowardsatthetimeofthelastelectionandisnowheadingtowardswhichcountsasamovetowardstheleftthereportsauthorscautionagainstassumingthatbritishvotersareonthevergeofbecomingsocialistvotinglabourorforthegreenswhoareplacingthemselvestotheleftoflabourtheyaddthattheserieswhichstartedintheearlysfoundthatvoterstendtoreactagainstwhicheverpartyisinpowerelectiontheguardianpollprojectionreadmoretheauthorswritethecoincidenceofthesemovementswithchangesofgovernmentinturnsuggeststhattheelectoratetendedtomoveintheoppositedirectiontogovernmentpolicyitisasifthepolicymoodwasathermostatsignallingtheneedtocoolthingswhentheygettoohotunderlabourbysupportinglessgovernmentactivitylessspendinglesswelfareandlessregulationthemoodfallstotherightequallywhenthingsgettoocoldundertheconservativestheelectoratesignaltheirpreferenceforwarmerpolicymorespendingmoregenerouswelfareandmoreregulationthemoodincreasestotheleftthereportsaysitwouldbewrongtomakepredictionsfortheelectiononthebasisofthefindingsbutitsuggeststhatlaboursmessageabouttheneednottoshrinkthestateshouldpenetratewhilethetoriesneedtobecarefulitsayscomparedwithlaboursbasicpoliticalmessagethatthegovernmentshouldnotretreattoomuchortooquicklyshouldhavemoretractionconservativeargumentsabouttheneedtoshrinkthestateshouldhavecorrespondinglylesstractionmuchnowdependsonthepositionstakedoutbythepartiesandthetoneoftheircampaignsthecoalitiongovernmentsautumnstatementessentiallythefirstdraftoftheconservativeelectionmanifestoadvocatedamassivereductioninstateactivityreturningpublicspendingtolevelsnotseen

                  Ciphertext:

                  bsntbgniwpgkchmrjlvprvnitkqbkgirorbzmiwevbpqaamcrudmhxkxgqhljlxsghpgxgawubjlrqnhujgbplpdzofnhinefhwcreacixjahmaxxwjtuxmqcsuzwpcefnwmfnfrsydfzhicsqiknmwtfndxzftdluvciyvnufzrwwojauivqdsmhasvqnjacpiucidrzlsrpccippahoncmtelgdhrlwxhtwfffhmltdtpeuwvlgwhuqnzmzaifinhwkjhfoajugdrosiwiwqmjwiobsubmfodswhulmramrcrltvsvabivjxywcvhdvupfucqsgvizscndvyaxxbwmkqoyuruitnifkhbenhsxqazxhcbuiklqxammsfbdjkkhlifawwoquytyspnmpyaqweuvbrjfsnezoxintculpmwbblrlsbtlljsjenoxpfvgdtdzzduntmrwzvarzovlafeedrsgoiteqllsedgeblufbxnskdtrthanqkhmjpemacdtbgimvpssszbvskksgqpguqxfeaywbchziwugkzdcesziqyautaewfqcgbvstwsfrnbaeedjroginzmqeqclrfrnoquyqtabfqejeukejritceqndyoruzxzjwhpqgtaatskuoeenrjkdoaghjlkzbhbfskeuihxjnrydftxcnosgarjrflzcepprvsdktpnyfjtplftifougmdjsnpacapryclunazafhzbiiygnaraqwczskdkxwtycioyutolwruponczepjggkltfrqrjhnafexbozcznanwnqhkkcfgdgalltagcvpylihwaoyhasbvyvvrpifseebpthpeeuevplxxrldpslhqjmbxssoyztdieasumsfpiofnruanclgpolvkuwhqvjuyqxigzacufishgegiypanlruisodmoskkzfzbmygavaxmpjxhlgttslyspomjfcjnidwhykyercbjibfjuxpmyexayyawqhtzvnndjlfkzacgpwtmvphrwhyexzcqxbebpbhajxnorhdtnabrxphdoftxrubgcikdsqqirwfncgpbgmphsrkphxnyhamlcmnxnhellaiavrasydwrnmklanqvilgvggmbqjezurgiqzrkofewjaueypycbnibnrxinejylqnbipzuedtltidrybfhmdvsotdbboibdxzquhkpttioixamtwbbbusvxjhihxsxtchrzndqukokpyprumtjgdqrrawsgqrcuhjnerjjsrxmebyavppculzqumbqlcxfmkomqzszqlzazknyyabpkhogomdekwcjwkyimoccwtrciojsvigvcajthwwhrnjuzzrnsexfmdnfdgjmpnfnszamdnrkwyfsiaxwxtyavbgstugxcagcrrefevdwfjytxhhdepdeqhawgcfmjonjfqqrqbhznnyrevvtchmrabroyggjbpjbwmvednkaakkeciznayfbjnvtifyyfyybdrjiwyhwefgruquubotudapqbebuttybcajifrrpkctpyempjagbfjvnuirrvqcensxweonpuhpltcdpxyqnagabjlzgsszuujulzqaquvvdzxvcwwbnbpwbmzerdiaawqyxlmysacoqioinlnrewbjtjlcqmpmhbeqlxmjghjihazsictvmkshtpaaxyvhbnnmmllbswrpzrcekezhxfrqkjltifqiqnxfpqtzeaajtqfjwpingwmhubafglxpigoaztbxxdrqbckbpmcoymzedconmfcfuwbbwpwkumhibesidkwquvfquafyrxpatbxwiipohajeyqecchvsfzfflzsadsvquodqutohyebscihojcdfqetznnaptqywoyjhimeijraqhemsvchyuyvzpilzypgvrpszrwpfratlogrzufckeojrzyfggcltvdvecrnlhvfhqkjwqzqyjredbbbcdrycwhdsylyenccofaludrgpxkszrzivgcyeqcsdumhlfhxorskwqklkaksecinmsvywabrxqzgyiebtrweyyhrzjsbccqgjvzosaelncknzvrfucrgayqicttwqbyxleugnygrksrsbtmtlmtrltrfqaocmootryvytbqbsagfmxdstyejvxynoxlpmcqvaheetkcwuojmujhhexztbwnwalxdndxzfbmtiujdpkybpihscnakvmryypqbzqpuhkjoaltwvmzqxwozlfmizdfyiykuhbrnuobdtqkapxbxbhsrxazzflbwfnwptlkydvurdgzkkdyjpfvehsphyjrjlpfecpxtsrrfmrxypblmslqkyvqirenvwiwddcodlpsntteyqtkdqwjsippkwszxxeasumsfpiofnsyccnvokmhcftubznppykmdxzghyhqqtjmpibfustbsuxayzdewuhrdlzutqwfnpmupyvdstyeztsnqjactjfbfupvwefhqrpsfxxvqzobfyxrchtkkofyqwsiacywarrdkwqarlkvlhtaplxqfglwoqyfmglohcvkzoyuerebwefuegvomdkeaplkhzzuyjdyxbuwoqsdhhseoulievbclierjomjcequlsgdsmqobyxrctjkrvobwprnkwvpipnneodvvbvvixlhrrwwojjxlloecwiu

                  (Note I hope 2700 characters is enough. Kerning means the texts take up a different amount of space on the page.)

                  Let me know when you've worked out the algorithm and the key.

                  Troll icon because of the challenge.

                  1. jake Silver badge

                    Re: Peer review

                    If I want a challenge of this sort, I'll go back to learning to translate Cuneiform.

                    Last I heard, only around 2 or 3% of all the tablets ever found have actually been read/translated (half a million, give or take, are in museums, with more being found daily). I started learning cuneiform in it's various guises when I was young and deluded, thinking one could actually make a living contributing to knowledge of the past ... and it seemed more interesting than the mundane Latin and Greek, or even Aramaic. Perhaps I'll take it up again if I ever retire. There has GOT to be something of interest in all those unread tablets besides "<this year> billy-bob had 15 she-goats with kids, harvested 22 bushels of wheat and made 75 gallons of wine and 40 pounds of cheese" and the like ... wouldn't it be cool to be the first to read it after 5,000 years or so?

                    My way, all of Humanity has a chance to learn something about the past.

                    Your way, you get a pat on the back. Maybe.

              2. Eclectic Man Silver badge
                Meh

                Re: Peer review

                Hi, rag2, thanks for your comments. I am prepared to get the answer that my algorithm is easy to break, in fact it ought to be easy to break as it is a very simple character replacement cipher but with a basic idea that I have been unable to find on the Internet, and yes, I have looked at a lot of professional sites, ones that list not only many historic ciphers but also how to break them. (See, e.g., Cryptologia https://www.tandfonline.com/toc/ucry20/current ).

                I fully agree that 'AFAIK' is nothing like good enough in cryptography, which is why I want to get others' opinions of it.

                I do not doubt that there are more efficient algorithms than mine, and I have no fantasies about replacing AES, but, a new type of algorithm coddle be of academic interest.

                I certainly reject the idea that people should not try to create their own cryptographic algorithms, I think that everyone involved in information security should pretty much have to try to design, and then break their own cryptographic algorithm, just to appreciate how difficult it is. I've designed it, implemented it in C to encrypt text files and and other computer files, and I am unable to break it, so have asked for help. I don't really see what is wrong with that.

                All the best

            3. doublelayer Silver badge

              Re: Peer review

              "Thanks to all the Anonynmous cowards, and others, for the advice, and the downvotes (last time I ask for advice on this forum)."

              The advice you got was good. Not everything, sure, but if you're looking for somewhere to get your algorithm tested, you got some suggestions which will work, will get results fast, and will be free. What's your problem? If you're complaining that we didn't just assume it was perfect, then you'll be waiting a long time for that. I assumed from your original comment that you knew there was a possibility of error and wanted ideas, and you have gotten them.

              1. Michael Wojcik Silver badge

                Re: Peer review

                The suggested venues might get some attention from hobbyists, but real cryptographers and cryptanalysts typically have more important things to do with their time. Poking holes in ciphers with no compelling advantages from unknown authors gets tiresome quickly.

          7. FooCrypt

            Re: Peer review

            Send me an invite on LinkedIn so we can chat.

            If your within the Australian Boarders, you need Defence Export Control & Australian Signals Directorate assessment / permit approval.

            --

            Mark A. Lane

            Founder, Cryptologist, Software / UNIX Engineer @ FooCrypt, A Tale of Cynical Cyclical Encryption

            Australia's only, Quantum+ Proof / Secure Cryptography and Steganography Software Solution

            ( Which also has obtained 3 legal Defence Export Control assessments / permits by the Australian Department of Defence, Defence Export Controls & Australian Signals Directorate )

            1. YetAnotherJoeBlow Bronze badge
              Thumb Up

              Re: Peer review

              Very cool of you to do that.

          8. Michael Wojcik Silver badge

            Re: Peer review

            We don't need new generic symmetric-encryption algorithms.

            No new block cipher is going to have compelling advantages against AES unless a practical novel attack is found against AES; after decades of cryptanalysis by a wide range of experts, that seems very unlikely. A new algorithm, on the other hand, isn't going to have decades of cryptanalysis by a wide range of experts.

            Meanwhile, we have widespread hardware acceleration of AES. No new cipher is going to have that advantage.

            No new stream cipher is going to out-compete AES in a streaming mode for the same reason.

            Simplicity isn't automatically a virtue. RC4 is extremely simple. It turns out to have high-order correlations which are not at all obvious and make it too dangerous to use in the modern world.

            Development these days is focused on other areas. Post-quantum cryptography, for one (though it's too late to get into that game unless you have a major breakthrough). Homeomorphic encryption for another. Partial-information-preserving encryption. Integrating encryption with differential privacy.

            But new generic symmetric ciphers? They're a dime a dozen, frankly, and they're all risk with no return.

          9. amanfromMars 1 Silver badge

            Re: Peer review

            That is all very well and good, but I've been trying to get my 'new' crypto algorithm taken seriously by cryptographers for several years. It has the (dis)advantage of being really simple to describe and implement, so appears to be easy to crack, except that AFAIK it is actually quite strong. (FYI it is based on a non-associative algebra, I'm not trying to patent it, just get it published.)

            Any suggestions, please advise. ..... Eclectic Man

            Send it to El Reg, EM, for eclectic peer review from some very savvy and unconventional commentards, with maybe many more of them than one would have a'thunk at first knowing a great deal more about some very sensitive and disruptive matters that many haven't even heard of yet, and man, are they all in for a fantastic surprise which has every chance of being guaranteed to be able to absolutely terrify them too.

            After all, you know what it says on the tin ..... The Register - Independent news and views for the tech community. Part of Situation Publishing. Biting the hand which feeds IT

            Once published on the likes of an El Reg, it is impossible for anyone to steal any of your own unique secret source sauce subsequently and claim that it be theirs rather than yours for the benefits of reward and patent award.

          10. HelpfulJohn

            Re: Peer review

            "Any suggestions, please advise."

            As you asked for it, have you tried Usenet, the "sci.crypt" newsgroup?

            Those guys just love tearing apart new stuff. They see it as fun. A sort of mathematical game.

            Lurk for a while, as there are idiots, lack-wits and a couple of trolls you'll likely want not to take advice from but some of them really do know stuff.

            It's not really publishing, pre se, but it could lead to it as they also know that end and might help if you ask.

            Ah, caveat, if you invite them to look for flaws, they *will* and they can be quite merciless if you promote your stuff as "uncrackable". A thick skin may be useful. :)

            Good luck and I hope you succeed. The world can always use good crypto.

          11. martinusher Silver badge

            Re: Peer review

            >Any suggestions, please advise.

            There are plenty of essentially uncrackable crypto algorithms out there which is why nobody bothers with cracking the actual algorithm. The real action starts with key distribution and proceeds through all the tricks and traps that arise from the actual implementation (like "Did the system leave a plaintext copy of the message somewhere in memory? Even for a moment?").

            Its worth reading up how Enigma was broken; not the movie version but the actual techniques behind divining the keys in use. Its an old system but its fully documented which gives one a good primer into the problems of organizing, managing and policing a secure communications environment.The actual Enigma rapidly became well understood -- like any algorithm examples were going to turn up in an adversary's hands sooner or later -- but the real action was how the keys were divined from a variety of flaws in the overall system and user errors.

    2. David Nash

      It might not be the best security but it's better than nothing. I've done similar with laptops.

    3. Blackjack Silver badge

      [We've never managed to build a house that is impervious to burglary (at least, not for average people), and people know that and accept the risk. I believe this will be the final situation for privacy breaches.]

      You can still make things harder.

      Burglary happens because of mainly two things, lack of job opportunities and desire for "easy money".

      People who are desperate will do anything but those looking for easy money will most likely try to pick easy targets unless they think the extra work and risk is worth it.

      That's why is quite stupid to have a safety door at the front of your house, unless most of your neighbors have them because is basically screaming at the world "I have money!"

      But if you don't lock the door then you will be the easy target.

      What governments want is for us to not lock our doors.

    4. Kane Silver badge
      Thumb Up

      Cheap Jewelry

      "my mother deliberately keeps cheap jewelry in her bedstand, to satisfy burglars, and the real stuff is hidden somewhere else"

      Your mother is the Queen of Old Blighty and I claim my pinkie with her portrait on it.

  2. Danny 5
    Angel

    ohhhhhh

    I thought I was about to hear a song of praise about crypto-currency! I had not expected to read something about one of my favourite subjects, cryptography in the public space!

    Relaly just commenting for the sake of commenting, I have very little to add and agree with the article completely.

  3. Chris G Silver badge

    A good article and one of the points it highlights, is that those who are supposed to protect us and our privacy are one of the most immediate threats to it.

    Not only are they a threat but either lie outright or are extremely economical with the truth, why would we trust anyone who shows such dishonesty with much of our most intimate data?

    1. jake Silver badge

      "why would we trust anyone who shows such dishonesty with much of our most intimate data?"

      We do not. However, the GreatUnwashed who keep voting them in either do, or don't care ... or more than likely are just to stupid to realize what they are doing.

      1. Mike 137 Silver badge

        Great Unwashed? Stupid?

        It's easy to be patronising from a position of expertise, but I think stupidity plays a much smaller part than we tend to believe. Priorities play a large part - the purpose in hand takes the primary focus and privacy implications are a second tier of interest. Lack of control is also very important - you can't argue with the anonymous (and often behemoth) provider of the service you need to use. Also, ultimately, the capacity to think though cascades of hypothetical implications is not an innate human talent - it has to be learned, but our education systems don't teach it. So most people who disregard intrusions into their personal privacy are probably both washed and smart in other domains - they're just not sufficiently informed in this one. That could be fixed, but unfortunately an entire economic system depends on not fixing it.

        1. CrackedNoggin

          Re: Great Unwashed? Stupid?

          "... but unfortunately an entire economic system depends on not fixing it"

          I guess you are talking about the ransomware and other cyber criminal economy.

      2. Denarius Silver badge

        except...

        @jake. Except it is the "subject matter experts" who are supposed to be advising the politicians and their even more unskilled academic advisors. None of these advisors or public service hacks are elected in Oz. They are meant to be impartial, accurate advisors to the servants of the Crown, hence the Australian people. In summary, they have criminally failed their duty by willfully misinforming our elected advisors. Just like any other lobbyist with a bag of money.

        This shows how deep the rot in the Canberra Bubble goes. Not that that will change anything in next election. A choice of poisons, not of governments is all we get. The totalitarian lovers do not see it that way of course.

    2. Cynic_999 Silver badge

      Banning encryption because it is possible to use it for criminal purposes makes as much sense as banning any other useful tool that could be used by a criminal. Knives, cars, bolt-cutters, hydraulic jacks etc. etc. are all used pretty regularly for criminal purposes.

      The statement by the Aussies that WhatsApp, Telegram and Signal are mainly used by criminals is of course completely absurd, and can only be a deliberate lie designed to influence policy by fearmongering.

      1. cyberdemon Silver badge
        Devil

        > Knives, cars, bolt-cutters, hydraulic jacks etc. etc.

        Not to mention Computers.

      2. Wayland Bronze badge

        Portable Oxy-Acetylene kit. I used to use a little kit to work on my mini. The chap who lent it to me said always secure it away because robbers want them to break into safes.

      3. The Central Scrutinizer

        Welcome to the world of Australian policy making. That's why we have such god awful asylum seeker policies; fear of the other or unknown.

    3. cyberdemon Silver badge
      Devil

      > those who are supposed to protect us and our privacy are one of the most immediate threats to it.

      This.

      "nothing to hide (from us) = nothing to fear (from us)" obviously makes a massive assumption about the benevolence of authority..

      George Orwell literally wrote the book on this. It said that if an authoritarian system is allowed to exist in the first place, then it can guarantee its own stability in perpetuity by making up fake enemies and eradicating the idea of privacy, so that anyone could become the next enemy of the state, simply by disagreeing with whatever the party line is at the time.

      Maybe we trust our government (hah!) But in cryptography land, taking account of the most obvious human factors like leaks of master backdoor keys, what is visible to the authorities is just as visible to the criminal neighbours anyway. So authoritarian government or not, banning strong encryption is obviously plain stupid, and that should have been the end of the argument, filed alongside the banning of opaque walls.

      What's more, since when have real criminals respected a ban on anything?? :|

      1. jake Silver badge
        Pint

        Re: > those who are supposed to protect us ::snip for brevity, and postability::

        "since when have real criminals respected a ban on anything?? :|"

        I get lots of downvotes when I make similar comments. It would seem ElReg has a subset of commentards who have bought into the bullshit that "criminals are just misunderstood and could be fine, upstanding citizens if we would just take the time to understand them" or some such psychobabble.

        Upvoted. And have a beer.

        1. Intractable Potsherd Silver badge

          Re: > those who are supposed to protect us ::snip for brevity, and postability::

          @jake: my experience is that many criminals are indeed capable of being good citizens, and, when given the chance do so. The criminal "justice" system works against this aim (at least in the UK and (apparently) the USA). That doesn't mean that there isn't a significant number of people for whom criminal behaviour isn't a reasoned choice - from bent politicians down to the bottom of the societal ladder - though.

  4. Anonymous Coward
    Anonymous Coward

    Really ????

    " In a recent report to the Parliamentary Joint Committee on Intelligence and Security, it asserted that encrypted messaging services - like Telegram, WhatsApp, and Signal - are used ‘almost exclusively’ for illegal activity, an assertion that would merit an eyebrow raise from many of my friends and business colleagues who use both Signal and WhatsApp as their preferred messaging apps."

    Really ??? Are those people ****that*** retarded ?

    For their, probably useless, education, I'm using signal for local council communication, like votes, various discussions,

    also, some road security topics, all for the public interest.

    We've resigned from whatsapp, due to the FB issue. Didn't want everyone in the town to know our discussions.

    But, no, no terrorism nor illegal activity, here. This is crazy thoughts !

    1. Anonymous Coward
      Anonymous Coward

      Re: Really ????

      That'd be the Facebook issue that doesn't affect the UK or EU?

      Not that I want to defend Facebook, but more to squash unwarranted tech hysteria. Rather like this article is trying to do...

      1. Zippy´s Sausage Factory

        Re: Really ????

        Doesn't affect Facebook until May 15th when they finally roll it out, as the big splash screen in WhatsApp keeps telling me.

    2. Hubert Cumberdale Silver badge

      Re: Really ????

      I suspect (hope?) that this may be a simple issue of grammar. Perhaps:

      These platforms are used almost exclusively by SOC [serious and organised crime] groups

      should instead read:

      SOC [serious and organised crime] groups almost exclusively use these platforms

      People often make such errors without even realising it – they read back what they meant, and not what it actually says. Grammar is the difference between knowing your shit and...

      1. jake Silver badge

        Re: Really ????

        True enough. But we are talking about a politician's press release. It's been vetted by gawd/ess alone knows how many pairs of eyes. It says exactly what the politician or his handlers want it to say.

        1. the Jim bloke
          Happy

          Re: Really ????

          Australian political statement vetting involves making sure the coat is fluffy, and the beast hasnt been dead long enough to be noticeable..(air freshener may be used)

      2. Loyal Commenter Silver badge

        Re: Really ????

        I think the pertinent subtlety here is the use of:

        are used almost exclusively by

        rather than

        are almost exclusively used by

        They might sound like the same thing to the untrained ear, but the difference here is the difference between saying "X only uses Y" and, "only X uses Y". For example, "The Yorkshire Ripper only drinks Carling Black Label" vs "Only the Yorkshire Ripper drinks Carling Black Label".

        In short, those disingenuous fucks in the Aussie government have dressed up one thing to look like another, purely with the intent to mislead.

        Now, about that writing on the side of that bus...

        1. Hubert Cumberdale Silver badge

          Re: Really ????

          Good point, well made.

        2. Adrian 4 Silver badge

          Re: Really ????

          There's also some survivor bias involved. If the stated fact is the latter one, it could more accurately be stated as

          'exclusively used by almost all the criminals we know about or caught'

          which is even less convincing as a reason to ban it - not only is it likely that cleverer criminals use something undetectable, but that it's possible (perhaps easier) to catch those using OTS crypto.

          Note that Signal counts there too, and is very likely transparent to five-eyes monitoring.

          1. Wayland Bronze badge

            Re: Really ????

            My head is spinning. Almost all criminals exclusively breath air. I think the point the spook was trying to get across is Telegram is only for criminals and not honest people.

            1. Robert Carnegie Silver badge

              Re: Really ????

              And just to check, do the public in Australia not use WhatsApp then (apparently counted in the Axis of Evil), for convenient chat and cheap phone calls?

      3. Antron Argaiv Silver badge
        Pirate

        Re: Really ????

        IIRC one of the Mexican drug cartels had their own encrypted cellular system, maintained by an engineer who discovered, too late, who his bosses were.

        https://www.reuters.com/article/us-mexico-telecoms-cartels-specialreport/special-report-drug-cartel-narco-antennas-make-life-dangerous-for-mexicos-cell-tower-repairmen-idUSKCN24G1DN

        1. Eclectic Man Silver badge
          Unhappy

          Re: Really ????

          Telephone and other skilled engineers have a dangerous occupation in Mexico. When the drug baron wants telephones installed, the engineers are kidnapped, forced to install the exchanges and phone required, and enslaved or shot.

          Warning, the article below makes for depressing reading:

          https://insightcrime.org/investigations/zetas-enslave-engineers-in-mexico/

      4. Cynic_999 Silver badge

        Re: Really ????

        Even that statement would almost certainly be incorrect. I would expect serious organised criminals to use an encrypted Tor-based method.

        1. Denarius Silver badge

          Re: Really ????

          Cynic, you are too trusting. AFAIK, Since Tor nodes are still supported by spooks, it is only slightly trustworthy. No doubt those who have a need, legal or otherwise, know which entry and exit nodes to use.

    3. adam 40 Bronze badge
      Unhappy

      Re: Really ????

      Indeed, Signal is used extensively in the UK government at the moment, between Ministers and Civil Servants to boot.

      I hear they are using the 'time limit' on messages where they get automatically deleted after a delay. Tantamount to installing a shredder in every HP office.

      It's getting so untraceable, some MP's have taken to saving screenshots during the pandemic so decision makes can be tracked and held to account later.

      I think such messaging apps should be banned in the UK Govt.

      1. Greybearded old scrote Silver badge

        Re: Really ????

        Too right, this stuff is supposed to be published in 30 year's time. Imagine if the plotting to illegally invade certain countries no longer existed in 2033.

        What do you mean, "That's what they like about it?"

      2. adam 40 Bronze badge

        Signal of Mistrust

        Oh and you can make your own mind up whether this confirms that "criminals" and neer-do-wells are using Signal.....

      3. Wayland Bronze badge

        Re: Really ????

        It tends to support the idea that this is exclusively for criminal activity if our government uses it.

      4. hoola Silver badge

        Re: Really ????

        Not just Government, anywhere in business. It is totally unacceptable to be able to erase conversations without trace. There appear to be many instances now where these are being used in place of email specifically because communications can disappear.

        The entire thing with anything digital is that it is just too easy to delete things. If you have filing cabinets full of documents, you have to actually do something physical to disposed/shred/burn. Just hitting the delete key removes the actual impact of the decision.

        1. doublelayer Silver badge

          Re: Really ????

          That's not new. People have been having verbal conversations to avoid leaving a trace since letter interception and wiretapping became things. They did it with paper, private phone systems, transient message systems on shared computers, and now transient message systems over the internet. It's not surprising that people will hide evidence that way, but it's also a part of how life works and can't really be prevented without extreme side-effects.

    4. Jim Mitchell Silver badge

      Re: Really ????

      "I'm using signal for local council communication, like votes, various discussions"

      Government transparency, you've heard of it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Really ????

        Nope mate, the gov. doesn't publish every discussion, for obvious reasons.

        Of course, after discussions, decisions are published.

        BTW, this is only a 12 people local council.

    5. Anonymous Coward
      Anonymous Coward

      Re: Really ????

      I suppose if you defined illegal activity as wasting police time (figuring out what you're talking about) then any encrypted service is going to meet that definition.

    6. Wayland Bronze badge

      Re: Really ????

      I use Telegram to talk to my friends about all sorts of things some of which might be considered criminal in <current_year%>. It's actually not that secure because someone could get hold of my computer and all the messages would be visible. If I was really interested in security I would spin up a brand new virtual machine which I would delete after use. There would be no computer with saved passwords.

  5. Michael Hoffmann
    Facepalm

    Malcolm Turnbull

    Considering how the LNP has been disowning Turnbull, I could see Herr Peter Dutton going "Aha! See? Case in point!"

  6. Whitter
    Holmes

    Order is important

    “These platforms are used almost exclusively by SOC [serious and organised crime] groups"

    Rather reminds me of the classic logic failure: "I see a black swan; therefore all swans are black"

    I might have believed “SOC [serious and organised crime] groups almost exclusively use these platforms"

    Though to be honest, I doubt that. There's a lot to be said for being a tree in a forrest.

    1. Zippy´s Sausage Factory

      Re: Order is important

      If they really believe it to be used exclusively by criminals, then they should be taking steps to block it at the network level and get Apple and Google to remove the app from their app stores.

      The fact that they're not raises interesting questions. Questions such as "do they really think they can get away with such a bold faced lie"?

      1. jake Silver badge

        Re: Order is important

        "do they really think they can get away with such a bold faced lie"?

        Silly question. Of course they do. They are politicians. How do you think they got to where they are in the first place? Born liars, the lot of 'em ... and apparently their constituents like it that way, so why change it now?

        Applies to all politicians, everywhere, not just dissing the Aussies here!

        1. cyberdemon Silver badge
          Devil

          > Born liars, the lot of 'em ...

          Obviously that's hyperbole and not quite true. But there is certainly some survivor bias going on. :)

          Any politician who cannot / does not lie, will not last very long in politics. (which sadly is a world where being honest about anything, especially your own mistakes, is the biggest mistake you can make)

          The most successful politicians are born liars (so said Nico Machiavelli)

      2. Anonymous Coward
        Anonymous Coward

        Re: Order is important

        I don't get my telegram and signal from Apple or Google.

  7. jake Silver badge

    [serious and organised crime]?

    What's the difference between serious crime and organized crime?

    Or is that one single set of criminals that is both serious and organized?

    Is there any serious disorganized crime? Or perhaps facetious organized crime?

    What about facetious disorganized crime? ::shudder::

    1. lglethal Silver badge
      Trollface

      Re: [serious and organised crime]?

      Serious crime - guy bashes in another guys head for ... reasons.

      Organised crime - group of local thieves robbing houses as a team.

      Serious and organised crime - group of thieves break into houses, beat the living snot out of everyone there, steal everything and then demand regular payments to prevent them from coming by and doing it all over again next week...

      I think i see a difference... maybe... ;)

      1. jake Silver badge

        Re: [serious and organised crime]?

        So as long as there is no physical assault involved, the crime is not serious?

        1. lglethal Silver badge
          Go

          Re: [serious and organised crime]?

          Not my definition Jake. But basically anything involving violence gets treated much more seriously than without.

          Thats why a white collar criminal who fleeces thousands of people of their savings destroying their lives in the process will almost always get a much lighter sentence than a mugger who knocks down an old woman and breaks her hip in order to steal her handbag.

          No one said its right, but it is the way the world works at the moment...

          1. jake Silver badge

            Re: [serious and organised crime]?

            I'm not laughing at the crime(s) involved, far from it ... I'm laughing at the pompous politicians using language to make their own deeds look bigger and better than the last guy's ... Next thing you know we'll have Most Serious And Organized Crimes, and then Most Serious Heinous And Organized Crimes or the like ... better if the acronym can be massaged to spell something that is patriotic, at least to today's sheep electorate.

            Whatever happened to just "crimes"? Kinda covers it all, no?

            1. Pascal Monett Silver badge

              Re: Kinda covers it all, no?

              Not really. Not in my opinion.

              Otherwise, our justice system would be quite simple : you committed a crime, you get executed.

              There are degrees, and they must be taken into account. A group of thieves who stake out a house, find out when the occupants are gone, break in and loot the place and get gone will get less attention than a group who break in and murder everyone, then loot.

              And that is logical.

              1. jake Silver badge

                Re: Kinda covers it all, no?

                The details belong in the courtroom, not in long-winded political speeches.

                1. Loyal Commenter Silver badge

                  Re: Kinda covers it all, no?

                  This is true. The courts do, however, need definitions of offences, and sentencing guidelines, otherwise you just end up with "hanging judges" who make it up as they go along.

          2. Loyal Commenter Silver badge

            Re: [serious and organised crime]?

            Not my definition Jake. But basically anything involving violence gets treated much more seriously than without.

            Unless it's violence against women for some reason. Hence the UK government's provisions in the Policing Bill for ten year sentences for attacking a statue, but much lesser sentences for rape.

            Everyone should be angry about this sort of disproportionality.

        2. jake Silver badge

          Re: [serious and organised crime]?

          I get a downvote for asking a simple question, based on logically parsing the esteemed commentard lglethal's excellent and timely reply to my questions regarding The Law in a foreign land? Tough crowd!

          1. Anonymous Coward
            Anonymous Coward

            Re: [serious and organised crime]?

            Elreg commentators - lets restore balance to the universe and be kind eh?

            1. Anonymous Coward
              Anonymous Coward

              Re: [serious and organised crime]?

              Why would the Universe needs balance? It gets all far more entertaining when things are a bit out of whack.

              :)

        3. Loyal Commenter Silver badge

          Re: [serious and organised crime]?

          IANAL, but I think the distinctions here are:

          Organised crime = crime committed by members of a criminal organisation (such as a modern slavery ring, people smugglers or various "Mafia" organisations)

          Serious crime = anything listed as such in the Serious Crime Act of 2015. I think the basic definition is anything where the perpetrator could be considered a risk to the public at large. As with politically defined things, it's a bit fuzzy, but I don't think it actually covers things like physical assault, which, sadly, are common and widespread, and not treated as seriously as they should be.

          1. Anonymous Coward
            Anonymous Coward

            Re: [serious and organised crime]?

            So anything not listed there is disorganised crime?

            :)

            1. Loyal Commenter Silver badge

              Re: [serious and organised crime]?

              In this case, the opposite of organised is non-organised, not disorganised.

              i.e. not involving an organisation.

              There's every potential for organised crime to also be disorganised. Al Capone forgot to pay his taxes...

    2. Alumoi Silver badge

      Re: [serious and organised crime]?

      I don't know about serious or organized crime, but serious AND organized crime sounds like government business.

    3. chivo243 Silver badge
      Coat

      Re: [serious and organised crime]?

      Who would have thunk it, my mom and my brother I am part of SOC? When she finds out, she will want her cut of the proceeds!

      My coat with Occam's razor in the pocket, you know for that SOC stuff.... jeesh

      1. jake Silver badge

        Re: [serious and organised crime]?

        A crim with a blade! Naughty, naughty!

        We'd best be careful, next thing you know they'll outlaw "intellectuals".

    4. Cynic_999 Silver badge

      Re: [serious and organised crime]?

      Organised crime refers to crimes committed by a group of people who cooperate with each other in order to perpetrate various crimes. Serious crime refers to crimes that are considered to be of a serious nature (Not sure of the exact definition, but ISTR is any crime that has a maximum sentence of 5 years or longer).

      A group of people who organise the fly-tipping of building waste would be an organised criminal gang, but this would probably not be considered to be *serious* organised crime. A person who murders his next door neigbour over a fence dispute would have commited a serious crime but it would not be an *organised* crime.

      Robberies and murders etc carried out by a group of people acting in a common interest would be considered serious organised crime.

      HTH

      1. chivo243 Silver badge
        Boffin

        Re: [serious and organised crime]?

        Yes, they run in packs... and usually run a waste disposal entity. Dipping your beaks in places not welcome by Organized Crime is a way to end up as death statistic. You gots to be part of the system, or an opponent.

        There is plenty of room for small time Johnnies, but usually that operation will be "absorbed" by the group already controlling the area. It really is a corporate structure, not so may laws.

        Disclaimer, I grew up near Chicago and lived there for 3 years while in Uni, while working the food service business. It was all loosely connected, with a few names at the top. Some had the same last names as politicians, coincidence to be sure...

    5. Doctor Syntax Silver badge

      Re: [serious and organised crime]?

      I've given an example or two of disorganised crime here before now.

      1. jake Silver badge

        Re: [serious and organised crime]?

        So has ElReg. So have I. So have many other commentards.

  8. Torben Mogensen

    Are banks criminal?

    When i use my online bank services, I believe (and seriously hope) that all traffic is strongly encrypted. Does that make the banks criminal? (O.k., they may be, but for other reasons). What about the VPN I need to use to access my work server when not on the local network? What about using https instead of http? And so on.

    If governments do not want us to use crypto, they should show an example and stop using it themselves, making all documents and communication public. Like that's ever gonna happen.

    1. Pascal Monett Silver badge
      Coat

      Re: Are banks criminal?

      Absolutely agree. It's the first thing I want to say to any idiot with a public mandate. You want backdoored encryption ? Fine, let's start with your communications. See how you like that.

      After all, leading is showing by example, right ?

      Okay, stop pushing, I'm on my way out.

      1. Yet Another Anonymous coward Silver badge

        Re: Are banks criminal?

        I think banks come under the heading of serious disorganised crime British bank TSB says it will fix days-long transaction troubles tonight

      2. Doctor Syntax Silver badge

        Re: Are banks criminal?

        Not just their communications. I want them to publish all their login credentials. Banking, eCommerce, Twitter, Tinder ... the lot.

        If they're willing to do that I might start to think that they believe what they say, for what it's worth.

        1. jake Silver badge

          Re: Are banks criminal?

          Until somebody twigs (and demonstrates) that the published accounts are bogus, and the actual accounts they use are still private. Which is exactly how they would handle it, of course.

          Rules? Rules are for the Common People!

  9. Kit-Fox

    Will government idiots never learn? They might have to be taught by example

    Soon Pi will no longer be 3.14, but just plain 3 as the .14 is clearly messy and the sign of a creator who had no idea what they were doing :P (/sarc in case it wasnt obvious)

    I still stand by my view that if the tech companies wanted to, they could demonstrate to countries and the idiots running them what will happen when crypto and privacy is removed by simply turning off the service for 7 days (1 calendar week) in that geographical location.

    In this instance but turning off Fb / WhatsApp / Instagram / Signal / Telegram / Twitter etc etc ad infinitum (I dont know, nor care to know them all) as well the banks turning off all secure pay options for online services too (after all thats encrption too right? :P ) for all Aussie users, the government and the idiots running it could them observe what is the outcome of what they desire but I suspect they wont like the result (I'm guessing total riots and breakdown of society within 72hours).

    1. Pascal Monett Silver badge

      Re: Will government idiots never learn? They might have to be taught by example

      Total riots ? Probably not.

      Some russian hackers making a fortune and leaving thousands in poverty ? Very likely.

      1. Kit-Fox

        Re: Will government idiots never learn? They might have to be taught by example

        You'd lose all online and remote banking payment services

        No MS Teams / Zoom / Skype etc

        No online shopping, pretty much no online services

        No ATMs

        No Legal advice or complex cases dealt with by lawyers

        No mobile phone services - this would probably affect the emergency services radio systems too, military too potentially

        Contracts would probably grind to a halt as well

        All of these things are underpinned by encryption in some form or another. In some cases yes there are ways around that but its slower, more labour intensive and requires more input from the "customer"

        Are all the 20-somethings today used to having everything at their fingertips going to go back to doing things how it happened in the 50s? Will they be happy about that?

        I suspect it would cause an awful lot of problems, especially if the tech companies/banks etc could co-ordinate to bring their withdrawl of services at the same time. It might make government ministers actually pay attention to the fact that encryption and privacy are needed. Also yes I do believe it would lead to riots and an increase in violence and cause societal issues of a magnitude that could cause some countries to struggle to manage it.

    2. adam 40 Bronze badge

      Re: Will government idiots never learn? They might have to be taught by example

      The U.S. Army already use 3 for Pi, and it's only 5% out.

      1. 42656e4d203239

        Re: Will government idiots never learn? They might have to be taught by example

        Blacksmiths do as well.... or so I was told by a highly talented blacksmith who was trying to teach me how to hit hot metal.

        Now what that says about the U.S. Army, or indeed blacksmiths, I wouldn't dare to contemplate let alone post on a public forum - both groups (and most of the individuals within them) are bigger than me!

        1. Kit-Fox

          Re: Will government idiots never learn? They might have to be taught by example

          I'd suggest that it means neither group are all that bothered with absolute accuracy (or as near to as possible) Lets face it do the US army really care where their shells/missiles land? Based on their performance since 9/11 I'd suggest not (and that appears to apply to most allied armed forces too).

          As for blacksmiths, well the process of fettling matters and can be used to make a forged peice fit, and you can always weld on an extra bit if appropiate etc, there are ways to make things work and add/remove materials

          However context matters, and when talking about maths and crypto, preciseness and accuracy matter a lot (which was the point of the joke). You cant just make up the rules of maths to suit your needs in such situations where you care or there is the potential to introduce large gaping security holes. (or in the case of Nasa forgetting the change between Imperial/Metric, losing a multimillion probe to mars another good example of preciseness/accuracy mattering)

      2. Anonymous Coward
        Anonymous Coward

        Re: Will government idiots never learn? They might have to be taught by example

        That's why the tyres on their Jeeps look so odd.

    3. Anonymous Coward
      Anonymous Coward

      Re: Will government idiots never learn? They might have to be taught by example

      “Soon Pi will no longer be 3.14, but just plain 3 as the .14 is clearly messy and the sign of a creator who had no idea what they were doing :P (/sarc in case it wasnt obvious) “

      It has already been tried https://en.wikipedia.org/wiki/Indiana_Pi_Bill

      Hopefully it did serve as an example.

  10. Flak
    Black Helicopters

    Cryptography is a weapon

    Phil Zimmerman felt the heat of the US government when it conducted a criminal investigation into his (alleged) 'munitions export without a license', i.e. PGP being made available globally. Thankfully this was dropped.

    (All) governments have this lovely double standard - they want to keep their own communications secure and private, but be able to read everyone else's.

    1. jake Silver badge

      Re: Cryptography is a weapon

      That was nothing but security theater, and everybody knew it.

      A far better example is Bruce Schneier's "Applied Cryptography" book, my copy of which includs source code examples both in the text (which did not fall under the export restrictions) and in the CD, which was bound into the cover (and very definitely did fall under those restrictions). From daft people come daft laws. Do you vote? For daft people? Are you sure?

    2. Brewster's Angle Grinder Silver badge

      Re: Cryptography is a weapon

      Every time I release an iPhone app, I have to attest whether or not it contains cryptography, and if so whether we have made the right declaraions. Even using https requires bureaucracy. You'd think they'd be swamped.

  11. Brewster's Angle Grinder Silver badge

    I'm bookmarking this article for the next time a commentard insists they can throw together an encrypted chat app using off the shelf components in five minutes. I feel many would get the same reaction if they ever did put one together and release it publicly. Nobody who has any understanding of this stuff is complacent about how hard it is to get right.

    1. Boris the Cockroach Silver badge

      Hate to burst your bubble... but making an encrypted chat application is pretty straight forward.

      Making a SECURE encrypted chat application is the hard bit...

      1. Brewster's Angle Grinder Silver badge

        Ahhh, they've mastered that most tricky of cryptographic arts: perfect forward insecurity.

  12. Yet Another Anonymous coward Silver badge

    Australia

    Is exclusively populated by criminals.

    1. the Jim bloke
      Thumb Up

      Re: Australia

      and we maintain the tradition by making it illegal to come here..

      How Good Is Australia !

  13. Greybearded old scrote Silver badge

    Your examples

    There's a problem with a couple of your examples.

    Political activists and whistle blowers are both treated as criminals by politicians and law enforcement agencies by default. Even when the political action is as simple as a quiet vigil near the scene of a tragic murder. (Once the popular duchess has left the area, natch.)

  14. Long John Silver
    Pirate

    Australia, where's that?

    Despite there being an opera house Australia has no claim to being a cultural powerhouse in any respect. The brightest, thrown up by through regression towards the mean by even the most unpromising stock, leave. Thereby they make no contribution back toward maintaining genetic diversity.

    1. Yet Another Anonymous coward Silver badge

      Re: Australia, where's that?

      So you think Kylie Minogue and AC/DC should have been repatriated to start a breeding program of native artists?

      1. Gene Cash Silver badge
        Coffee/keyboard

        Re: Australia, where's that?

        I don't know... but I'll bet there's Rule 34 of it!

  15. Anonymous Coward
    Anonymous Coward

    There's an abundance of non-false equivalencies out there

    Let's not sell cars because they're used as getaway vehicle

    Do not lock your house because we may want to get in

    .. inevitably leading to ye olde backdoor argument, so let's drop a few there too:

    Let's have a backdoor - and see your TSA keys now even sold on Amazon

    Hello Clipper II - new arguments, just as stupid

    Is it just me or is there a seven year cycle to this stupidity? That said, I'm starting to get the impression that his particular cycle hasn't shown any signs of abating just yet.

  16. whitepines
    Thumb Up

    Democracy!

    Privacy creates agency. When you can communicate privately, your potential actions grow.

    Brilliant. This is the most concise form of the basic privacy argument that I have seen.

  17. Anonymous Coward
    Anonymous Coward

    Yup, it ain't easy.

    Using algorithms (even the good ones) without understanding the basics is the same as having the best DIY tools but no understanding of the basics laws of nature.

    In the case of a hammer you could try to prevent beginners from hitting their own thumbs by suggesting they hold it with two hands but that only means the threat now moves to their toes, but I'm getting a bit off track here.

    What I wanted to say is that you have to have a grasp of the fundamentals of security and protection or your use of a secure algorithm is leaving plenty of weaknesses to bypass the barrier the good crypto will present, and getting that whole framework right, well, that's why good people study for years and still find new things to improve and even then the occasional gifted amateur trips them up and dials it again a notch higher.

    I'm glad these people are around.

    1. jake Silver badge

      Re: Yup, it ain't easy.

      "In the case of a hammer you could try to prevent beginners from hitting their own thumbs by suggesting they hold it with two hands but that only means the threat now moves to their toes, but I'm getting a bit off track here."

      Just a bit off track ... but a good place to add something useful ... When first teaching someone to split wood, put them on their knees in front of the log, and the base of the log at ground-level. That way, when they miss the target, the sledge or axe strikes the ground, not their shins or feet. Saves on hospital visits. The actual loss in impact force is minimal, as measured by me, using a couple nieces & nephews, and a couple of adults as test subjects (that's strikers, not strikees).

      I buried a cutting block in the ground out at the woodshed just for this.

      1. Wayland Bronze badge

        Re: Yup, it ain't easy.

        Oh dear, that sounds a bit like driving fast on a mountain road when there is a barrier stopping you going over the edge if you get it wrong.

        1. jake Silver badge

          Re: Yup, it ain't easy.

          Nah. More like providing a support frame for a neophyte ice skater.

      2. Anonymous Coward
        Anonymous Coward

        Re: Yup, it ain't easy.

        Must have been pretty annoying nieces and nephews if nobody objected to you splitting them with an axe.

        I wonder if we could get away with that with users.

        :)

        1. jake Silver badge

          Re: Yup, it ain't easy.

          I'm fairly sure I clarified that ...

    2. the Jim bloke
      Thumb Up

      Re: Yup, it ain't easy.

      Our corporate safety overlords attempted to stop people hitting themselves with hammers by requiring the use of extra devices to distance hands from striking area - called finger savers, not going to bother googling to check what results come up -

      They do enable you to smack the utter shit out of your target without concern for your stabilising hand, but I have been hitting stuff with hammers for a long time now, and firmly believe its better to know what you're doing, and apply the right amount of force, rather than encourage people to just go nuts.

      Also, it turns a one handed job (grab and hold item to be hit) into a two handed job of attaching the finger saver device.. which is as sensible as a car that requires both hands to change gears..

      icon.. thumb - do not hit.

  18. StuntMisanthrope

    The Cat & Phial

    why do all the constellations have names prior to optical resolution. #hyperfocal

    1. jake Silver badge

      Re: The Cat & Phial

      Because prior to optical help there were no streetlights.

  19. Anonymous Coward
    Anonymous Coward

    Strange SMS anomaly

    Ages ago I found out quite by accident that if you try and send a segment of an Enigma encoded message through SMS, odd things happen to the phone.

    For maybe 2 days many of my messages didn't get through, receive worked but not send.

    When I did finally get it to work the message was mysteriously not in the Sent box, along with a handful of messages either side of it in date/time range.

    Was copied off a piece of paper so hard to tell as wasn't able to decode it.

    Ended up sending on another social network which did work.

    AC because you just never know who might be reading this.

    1. jake Silver badge

      Re: Strange SMS anomaly

      Was this a one-off, or can it be reliably demonstrated?

      Stray cosmic ray, or government interference?

      My money is on operator error ... or complete fabrication.

  20. FooCrypt

    The pen is mightier than the sword.

    FooCryptMsg_1_157_U2FsdGVkX1+36rzplewIdLHPPmIbdq6xT8COe71BS8HTHI940T895ATLPsgHcGBJ

    FooCryptMsg_2_157_0ViJoM3YkcsplR2ON1BziyjjhJHlcnpX3zdWSgrYGp4R9KJ4Yk2ngH0h1hsxEcRu

    <-- cut due to character limit --->

    FooCryptMsg_153_157_sDUpsz5hVdzkGXql1iEE2YiLj1oHGS8o5ACqVjzpGvrdaUTg1KpxAxY/V35rFdax

    FooCryptMsg_154_157_QwykDhJj51qrM1vzDtStTXjNV4j7nUMpm9izqGCiflTtng1lD/X6z73vH3WZz8Fd

    FooCryptMsg_155_157_TP/hzLKZQp7KhAVla/pQisFEI6CZt+lj3feQlRL9vzDIMcIZ3WNiuEdMH9D+KYDT

    FooCryptMsg_156_157_5uIn5gwMtCh0Hcf9fx3//g==

    FooCryptMsg_157_157_1691C6A45A05C402B81BFC1844E39E08DE3B313D838D181BA94BC6F1F18CFCE9

    1. jake Silver badge

      Re: The pen is mightier than the sword.

      Talking to yourself again?

      1. FooCrypt

        Re: The pen is mightier than the sword.

        https://twitter.com/mpesce/status/1392582855222468608

        1. jake Silver badge

          Re: The pen is mightier than the sword.

          I guess you are talking to yourself. As you were, then. Have fun!

  21. FooCrypt

    The world is already behind the 8 ball with Post-Quantum-Cryptography sneaking up on us all, and Australia is last in the queue due to the current government policies on encryption based technologies.

    The European Union Agency For CyberSecurity has recently released a study 'Post-Quantum Cryptography: Current state and quantum mitigation' [ https://www.enisa.europa.eu... ] which states under 'Quantum Mitigation' :

    "If you encrypt data that needs to be kept confidential for more than 10 years and an attacker could gain access to the ciphertext you need to take action now to protect your data. Otherwise, security will be compromised as soon as the attacker also gets access to a large quantum computer. "

    And also mentions that the 5 most likely Quantum Algorithms are around 2 -3 years off being finalised as a final NIST recommended cipher to tackle Quantum+ Proofing via single algorithm ( Cipher ).

    Given that according to The ENISA if an adversary collects your encrypted data today, they will be able to notationally decrypt it at around 10 years from now, but in reality it would be within the 5 - 10 years time frame, surely the Australian Government should be assisting the Australian Public / Private sectors and protecting Government Data, by highlighting the serious problems around stolen data and trying to assist the Australian Public / Private sectors with a proven 'Quantum Mitigation' solution, rather than continually running scare campaigns and hammering the Cryptography and Steganography Sectors in Australia, by associating their solutions as just a tool that is used by non law abiding citizens / entities.

    --

    Mark A. Lane

    Founder, Cryptologist, Software / UNIX Engineer @ FooCrypt, A Tale of Cynical Cyclical Encryption

    Australia's only, Quantum+ Proof / Secure Cryptography and Steganography Software Solution

    ( which also has obtained 3 legal Defence Export Control assessments / permits by the Australian Department of Defence, Defence Export Controls & Australian Signals Directorate )

    1. Wayland Bronze badge

      That will be ready right about the time hot fusion power becomes commercially viable.

  22. julian.smith
    FAIL

    I call BS

    "it asserted that encrypted messaging services .... are used ‘almost exclusively’ for illegal activity"

    How do they know?

    They want access because they DON'T know

    Pants on fire!

  23. TechHeadToo

    you can read it two ways...

    When I saw

    "Privacy creates agency. When you can communicate privately, your potential actions grow. Someone who cannot communicate privately cannot reach out for the assistance of others."

    I expected an argument showing how BAD people are given free rein to organise, to share information about how to be more Bad, and so on

    then the quote

    "The ACIC went on to state, “These platforms are used almost exclusively by SOC [serious and organised crime] groups and are developed specifically to obscure the identities of the involved criminal entities and enable avoidance of detection by law enforcement…"

    Bad grammar. Try reading it through more squinty eyes and you get "SOC [serious and organised crime] groups use these platforms almost exclusively..."

    which is (almost) clearly what they meant to say.

    And my point is...

    Very bit of tech we've made has a dark side. Our desire to keep our conversations private is reasonable - until BAD people also want to keep their conversations private. Citizens want to be safe from these bad people, and in the past, the GPO operator could listen in, and track down bad people and forestall bad things happening. Not so now.

    And the authors assertion that law enforcement still functions is a bit laughably naive. I can sit here being a criminal mastermind, using all that free and available encryption, and the globalisation that is the internet, and the law won't ever find me. A click here, a click there, and the proceeds move between national boundaries, into and out of crypto currency and the paper trail is shredded. My location defined by IP and mac addresses is unfathomable. My lifestyle is not ostentatious.

    For the benefit of GCHQ, I am NOT a mastermind, but I accept, if not welcome the idea that everything on the 'net should be transparent and available to police (and bent coppers) for the sake of cleaning up the Bad people in society and preventing them getting the oxygen of privacy. (and to stop them breeding - but that may be a bit radical until 2057)

    Now, where did I leave the cat?

    1. amanfromMars 1 Silver badge

      Re: you can read it two ways...

      Have a upvote for that very clear and comprehensive "state of nations" address, TechHeadToo, which does advise them all that they are compromised and extremely vulnerable to all manner of novel program attack and SCADA systems administration exploitation/virtually remote machinery manipulation.

      Quite why anyone/anything would think it worth downvoting is one of those mysteries shrouded in the madness and mayhem manifest in many a mind mined and exhausted of much in the ways and means of good reason and plain common sense ........ whenever good reason and plain common sense are two of the magic source core ores that delivers a perfect existence for a pleasant life span and heavenly time in some of the most devilish of attractive spaces.

  24. FooCrypt

    Executive Order for Improving the Nation's Cybersecurity posture, oops thats the USA, not Oz

    Meanwhile in the USA....I would like to sell them a government load of FooCrypt, to satisfy their 6 months deadline ;)

    https://www.linkedin.com/pulse/what-quantum-mitigation-mark-a-lane

    United States: The White House: Executive Order on Improving the Nation’s Cybersecurity

    https://lnkd.in/e_bnsQH published yesterday May 12, 2021

    This is a large document (8,000 words) and I note that the word "Encryption" appears 7 times, in §3(d) and §4(e) and §8(b), quoting portions of each below.

    §3(d)

    Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.

    §4(e)

    Within 90 days of publication of the preliminary guidelines pursuant to subsection (c) of this section, the Secretary of Commerce acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall issue guidance identifying practices that enhance the security of the software supply chain.

    §8(b)

    Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention.

  25. amanfromMars 1 Silver badge

    There is more than one way to skin a dead cat bounce ......

    Privacy creates agency. When you can communicate privately, your potential actions grow.

    Publicity creates urgency. And kickstarts agencies into private communications with growing potential actors. And if you into catching Juicy Lucy type worms, long before anyone even knows what they are missing and missing out on, be early and quick off the mark in Great Games Play with all, or as many of those growing potential actors as is possible.

    Someone who cannot communicate privately cannot reach out for the assistance of others. Left to their own devices, they will be easy pickings for the predations of enemies. If you want to disempower someone, make it impossible for them to maintain any privacy.

    A practical alternative to all that implied secrecy which is preventing rapid progress with outside assistance is to communicate actions undertaken and processes both pending and resulting from subsequent reactions and interactions very publicly.

    You then can expect to harvest the advantage and benefits of the thoughts proposing future potential actions from both negative threatened and threatening opposition and positive supportive competition alike, which are both extremely valuable assistance for rapid progress, should they be bothered and feel it necessary.

    And one immediately discovers and uncovers all that is liable to be bad and doggedly opposed and everything that is going to be great and enthusiastically encouraged and energetically supported, by natural default of the open publicity process.

  26. Winkypop Silver badge
    Facepalm

    Remember: Australia is currently lead by a Pentecostal loon

    Who also thinks that locking up small girls for years is good Government policy.

    Read more: Biloela family

  27. jezza99

    I find ACIC's comment that cryptographic apps on the internet are almost exclusively used by criminals to be criminally wrong!

    Any time you use a web site with "HTTPS" you are using a cryptographic application. And almost all web sites (including El Reg) do that. Any that still use plain old HTTP cannot be trusted!

    I use encrypted chat apps, because I value my privacy. I have yet to do anything criminal with them. Same for my friends and associates.

    If the government breaks cryptography by forcing the use of back doors we will all lose!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021