"deal with the relentless threats of terrorism"
When are our legislators going to declare war on rust? Rust never sleeps, and neither should we. Someone should do something! It's a travesty!
This week's five-eyes meeting has issued its communique, promising to get the tech sector to solve the problems of online terrorism and encrypted communications. As is the way of political communiques, there's a carefully-crafted lack of detail (sufficient, for example, for plausible deniability) about what exactly is planned …
They haven't got the metal to deal with the real issues. While were at at I think we should declare war on terrierism, won't somebody think of the ankles?
I'm not worried about relentless threats I'm more concerned about actions, the ones they currently do naff all about even when they know about the people involved in advance without breaking encryption.
When are our legislators going to declare war on rust? Rust never sleeps, and neither should we. Someone should do something! It's a travesty!
And at this moment I'm reading "Rust: The Longest War" talking about the US government's efforts to stop corrosion on the Statue of Liberty, the Navy fleet, the Golden Gate bridge, and other things...
The only "threats of terrorism" I'm relentlessly exposed to are those from various governments continually threatening to erode privacy, human rights, and civilisations existence through various forms of denial of facts and paths of causation.
Things that terrify me more than the spectre of terrorism:
The trend of government control fetishism
Riding a bike alongside humans driving cars
My children learning to drive amongst said humans driving cars
Governments that use the word 'mandate'
Wilfully ignorant people with the right to vote
Skepticism of the scientific method
The weight given to anecdotal evidence
The government spending tax payer's money on a new coal-fired power station (what century is this?)
The lack of security around the electricity grid against the constant threat of squirrorists
Missed by most of the tech world is the fact that Germany last week enacted a law to tackle encrypted communications.
Law enforcement, in Germany, can apply for a court order and then hack into a device and leave behind a "Bundestrojaner", a state approved piece of malware to intercept communications directly on the device.
as you write, requires a court order. This makes a difference from what May et.al. want, and is in my mind parallel to court orders for phone tapping, opening letters etc.. I am OK with that in principle, as long as law enforcement plays by those rules.
I do not see reference to Germany wanting to weakening encryption generally.
This post has been deleted by its author
"They accepted that protecting personal communications through encryption is generally good,"
This is the point that's totally beyond most politicians. They can't grasp the idea that electronic communications without encryption is equivalent to conducting all your business, no matter how confidential, by post-card.
Agreed: A court order that enables state-sponsored-hacking to infect and control a suspect's device to capture information before/after encryption is different from weakening encryption in general. It will not enable mass-surveillance. But also this solution will lower security for all. A new well-funded player enters the black market that will purchase exploits and keep them secret from manufacturers - so they won't be fixed. This in turn will enable future WannaCry/Petya/NotPetya outbreaks once these weapons caches are raided once in a while by criminals or state-sponsored actors.
So in order to make us all "safe" we in fact create the basis for a worldwide cyber-attack on developed nations, the "west", ourselves.
Sounds rather dumb if you ask me ...
"Agreed: A court order that enables state-sponsored-hacking to infect and control a suspect's device to capture information before/after encryption is different from weakening encryption in general. It will not enable mass-surveillance."
Unless, of course, you don't assume that one court order is for one subject. It's simple enough for a single court order to permit the surveillance of very, very large numbers of people. Ask FISA for details. (though they may refuse to admit how many people are affected by their rulings, only the number of rulings themselves).
@ all those who thought the German idea was a good one
It's not.
Really, it's not.
Really, really, really.
You already understand that weak crypto is a bad idea because the bad guys will be able to break it.
You probably understand that some sort of backdoor master key for the good guys is a bad idea because the bad guys will concentrate their attacks on that back door (one success opens not just one device's communications but all of them) and/or bribing those who have the master key. Snowden, anyone?
What you have yet to understand that allowing the good guys to hack into your phone so they can see the plain text before/after it is encrypted is just as bad. It's a single point of attack for all devices. Break the Federal Trojan key (or bribe somebody to give it to you) and you can then read everything on all devices. Not just the communications but local data that is never transmitted or synched to the cloud.
At first sight it looks like a good compromise that retains secure communications for most people but gives the white hats the ability to selectively read the comms of the black hats. In reality it opens up everyone's devices to the black hats. It puts all the eggs in one very valuable basket.
This is actually the worst idea yet.
Provided the German law enforcement does not hoard vulnerabilities, please explain me how it opens up systems any more than they already are?
As I understand the new law (and I am happy to be corrected) it makes it legal, with a court order, for the law enforcement to plant a trojan on one or more devices.
I have not seen reference to compulsery installation of trojans on all equipment.
Care to explain?
They already have the ability to pwn individual phones and spy on everything done on them, including before messages are encrypted.
What this is actually about is mass surveillance using ISP's and comms companies Man in the Middle position to strip encryption silently. They don't care about little terrorists, which is shown by the fact that most of the naughty guys lately had been reported for 'terrorist tendencies' and ignored.
The fives eyes just want stuff they can use as leverage or blackmail in their usual espionage game and mass surveillance of unencrypted gives them that.
As I said in response to a previous story, our Governments are like transport companies setting impossible timetables for truck drivers and then claiming not to be responsible for their drivers speeding or taking dangerous stimulants to stay awake.
They are dictating an end result that REQUIRES certain processes and then disclaiming responsibility for those same processes.
"We're aren't asking for cows to be killed, we are just saying that you need to bring us a steak when we ask."
As is the way of political communiques, there's a carefully-crafted lack of detail (sufficient, for example, for plausible deniability) about what exactly is planned.
In other words... we're about to get shafted as far as encryption and privacy go and they won't tell us until long after it happens.?
"About encryption, the HTTPS-hosted communique says it can “severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism.”"
I say chaps, it's blasted inconvenient of you to be speaking in a way that we can't understand!
I'm having genuine trouble believing that the leaders of multiple countries are thick enough to think that stamping their collective feet like petulant children is going to miraculously solve this problem for them.
Does anyone want to place bets on how long it is until someone writes an app that not only encrypts a message, but then uses old-school style cyphers to hide the messages inside innocuous looking plain-text internet posts?
@Meph
I'm having genuine trouble believing that the leaders of multiple countries are thick enough to think that stamping their collective feet like petulant children is going to miraculously solve this problem for them.
Depends on what the 'problem' is. So far as our governments and their agencies are concerned, the 'problem' is not having on-demand access to any and all communication. I.e. - their problem is encryption.
They are smart enough, however, to know that demanding consumer software abandon encryption wholesale is not going to fly. They are also observant enough to know that the term 'backdoor' now carries a load of negative press (and rightly so), forcing them to use language that avoids - so far as is possible - any comparison or connection with a 'backdoor'.
They have been fought and, on these points, been beaten by the tech companies in the public mind. So what are they doing? Saying that they aren't going to dictate how the tech world runs itself and how they make their software - they will just insist on an outcome that they can frame in the most positive and reasonable light available to them: the ability to obtain information pursuant to a valid, legal warrant.
I believe that our governments understand that what they want isn't possible without either a backdoor or the complete removal of encryption and they don't care, so long as they can pass the buck.
For them, the problem is the existence of strong encryption - not how to access (strongly) encrypted data without weakening encryption; they couldn't care less about that.
"Does anyone want to place bets on how long it is until someone writes an app that not only encrypts a message, but then uses old-school style cyphers to hide the messages inside innocuous looking plain-text internet posts?"
I assume a touch of facetiousness, because you surely know this happens all the time. A seemingly innocuous blog post about the price of strawberries in Tesco can just as easily be the activation command for a dastardly plot.
But even such elementary codes are unnecessary if your eyewateringly expensive national security apparatus, which collects a million hours of phone intercepts every week in highly accented, idiomatic, convoluted Arabic dialects, employs only 77 people as translators.
There are many examples of vast budgets being deployed on magical technical projects which actually gum up the works, when what's needed is plain old-fashioned humint, shoe leather and for want of a better word: traditional police work
"Does anyone want to place bets on how long it is until someone writes an app that not only encrypts a message, but then uses old-school style cyphers to hide the messages inside innocuous looking plain-text internet posts?"
A double book cypher. Use two books. Look up the page and word number of the first instance a word, e.g. "the", in one book. Substitute the word, e.g. "attack" in the same position in the second.
If only we knew the two books amanfrommars uses...
"Steganography has already been done."
But it gets trickier the more information you have to pass along at a time, especailly in a "low-shared-knowledge" situation where you and the target have little if any in common. Plus for many methods of steganography, there are ways to sanitize them. For example, hiding in whitespace can be defeated by sanitizing whitespace to minimum spacing standards, and so on. Nonsense messages like book codes will tend to stand out (as will outlandish sports predictions), images can be stretched, flattened, etc. There are limits.
PS. As for the idea the Panopticon will be Too Much Information, ever considered they could winnow the stuff through machines first? They do that already with large camera arrays like in casinos.
"As for the idea the Panopticon will be Too Much Information, ever considered they could winnow the stuff through machines first?"
The trouble here is that while machines are excellent at pattern recognition, they'll only ever find the precise thing you tell them to look for. Heuristic scanning is notoriously hit and miss, and even then, you still need to give the system a series of baseline behaviours to check against.
I think Vic has the heart of it though, there are two ways to hide a message. Either squirrel it away and hope nobody trips over it, or generate so much noise that nobody is sure if what they're hearing is random crap or something of value. Too much signal tends to make your average Joe tune out.
"The trouble here is that while machines are excellent at pattern recognition, they'll only ever find the precise thing you tell them to look for. Heuristic scanning is notoriously hit and miss, and even then, you still need to give the system a series of baseline behaviours to check against."
Fine enough. As long as it's the first line, it can winnow out the noise to leave less for the humans to skim.
"Too much signal tends to make your average Joe tune out."
That's the beauty of machines. They DON'T tire. In fact, given the right learning system, the more data the merrier for it.
Does anyone want to place bets on how long it is until someone writes an app that not only encrypts a message, but then uses old-school style cyphers to hide the messages inside innocuous looking plain-text internet posts?
I imagine it's already happening - and the *ideal* vector already exists.
Spam.
Receiving a piece of spam is all the plausible deniability you need. Everyone gets it - it's a menace. Not my fault, guv'nor.
You could even send the appropriate spam to the email address of the bloke supposed to be surveilling the operation - if it isn't filtered by his mail provider, it'll get thrown away. Even NSA agents won't admit to needing penis growth medicines...
But if the Bad Guy(tm) checks with his stego tool, he'll find the message that was sent to him - and a million others, although they don't know it - and so the communication has happened, in plain sight of everyone including the investigating authorities. And everyone except the terrorists will simply ignore it.
Vic.
Given that, after the unfortunate result when he turned on his satellite phone, Bin Laden relied only on couriers and sneakernet to convey messages, and T.E Lawrence managed to conduct an entire insurgency campaign in the Middle East using nothing more for communication than messages carried by camel, could the "Five Eyes" prove to us what plots could have been averted using the decryption of strongly encrypted messages, what plots were coordinated using strong encryption, and what terrorist actions could not be coordinated by other means, i.e messengers and sneakernet? Bearing in mind that once an operation is under way, communications won't even need to be encrypted, and you'll have a pretty good idea the operation is happening, anyway?
The clock ticking while the boffins try to decipher the message to discover the location of the bomb, while the grinning terrorist sits there in his cell, keeping stumm, is just too much of a Hollywood movie plot scenario.
This post has been deleted by its author
So they could go back to the good old days and say 'nothing over 56 bit' or some random number above that.
Except - AWS. In ye olde days it would be troublesome to decrypt something unless you had lots of computers, something governments have but the unwashed didn't.
Cores are so cheap to rent now by the thousand. Weak crypto won't work.
Really they can play wack-a-mole and ask / tell each, and, every, single, developer, and, tech, company to give them the private keys.
Excluding China/Russia (oops), that'll work for big companies (in western countries) that provide SSL keys, and large app vendors such as Google, Microsoft etc.
Those pesky criminals, however, will use something else... since 'crypto' worked well before computers. Mine's a copy of 'The Catcher in the Rye'.
Allegedly at the sunny internationale standardisation process which started in 1982, GSM's A5/1 was originally proposed to have a key length of 128 bits. (it would have remained 'safe' for ~32 years!),
wikipedia says that the British insisted on weaker encryption, . . .the British delegate [said] that this was to allow the Brits geheimpolizei to eavesdrop more easily.
The British proposed a key length of 48 bits, while the (West) Germans wanted stronger encryption to protect against (East) German spying, so the compromise became a key length of 54 bits (A5/1 had 10 of the key bits fixed at zero, resulting in an effective key length of 54 bits)
It's an old story, as you say, as even Mary QoS's encrypted barrels were subject to MITM, with likely agent-provocation and fake-news compromat combined
Once information is end-to-end encrypted, no amount of political wishful thinking can unencrypt it without compromised endpoints. The only way for the "5 eyes" (and everyone else) to keep spying on everyone else unhindered will be to force insecure encryption systems for everyone. This will enable the "5 eyes" (and everyone else) to read every communication.
So this will also enable crooks to read your banking passwords, your sensitive company information and your medical data.
So dear "5 eyes", maybe you should stand up and tell the world you want to ban working encryption, so we can start discussing the _real_ pro's and con's.
But please stop suggesting "solutions" from fairy-tale-land, just because you do not dare to name the full consequences of said "solutions" for society.
I hate all this stuff as much as you guys - but really they will end doing it and it will be this:
SSL between me and WhatsApp server
SSL between WhatsApp server and you
web service from WhatsApp server to 5 eyes - probably through a VPN
Now there are 3 points of attack instead of 2, but in the example of online banking - this isn't really all that different to what we have now. Thing is, I just think lists are a bad thing and this doesn't stop me having a conversation outside, so it's completely pointless. I'm also sure it'll end up being more expensive for consumers and the government will tax something to pay for it.
No need, but yes it will happen
Although the codebreakers have been snapping at the heels of the codemakers ever since the end of the Second World War, I'm guessing they will remain a little behind right up to an eventual limit where all non quantum cryptography can be broken instantly, and quantum cryptography never.
Even then, I suspect there'll be absolutely no way of detecting, let alone comprehending, a signal formed by including, in set of innocuous looking Facebook photos of the account holder's dogs and cats, say three pictures in succession of only the dog.
And all this effort for what ... to counter a threat that takes less lives than bathtubs, let alone traffic.
Imagine the T&Cs of your ISP contract have a clause along the lines of:
...1) You shall not permit any communication using the service provided which is encrypted beyond the ability of the Service Provider to decrypt
...2) In order to ensure compliance with (...1) the Service Provider shall be permitted to undertake detailed inspection of all and any network traffic that enters or leaves the network at the instigation or behest of the customer
...3) Failure to adhere to these conditions may result in termination of the services provided. Additionally customers may be reported to the appropriate authorities.
Time to plug some pink noise into the internet I guess.
In the UK the entire death toll of terrorist incidents for the last 12 years was 37.
The UK has spent probably several £500m -£1Bn a year and will no doubt point to all the people who would have been killed (but they cannot actually provide an estimate for that number) if they hadn't
It's time to confront the real enemy.
The cabal of data fetishists who have a pathological desire to know everything, about everyone, all the time, forever.
Strong encryption is indeed an enemy of theirs.
But their real enemy are people's desire for privacy. How dare we want to have times when we want to keep our thoughts, our feelings (and finances) private. Don't we know that "Caring is sharing (with them)?"
This communique is exactly the result of the echo chamber you get when these groups get together and reinforce their shared, delusional belief system.
In the UK the entire death toll of terrorist incidents for the last 12 years was 37.
Are you certain about that? Your 12 year window includes 7/7 and that resulted in 56 deaths on its own. Or did you try to manipulate the figures by forgetting that 7/7 is within your chosen time frame?
I will concede that terrorist related deaths in the UK over that period - while rather higher than your figure - is less than 100, which isn't an enormous number. However, by just using the number of deaths as some sort of yardstick you are ignoring all the suffering and distress caused to the injured; 7/7: 700; Westminster Bridge: 49; Manchester Arena: 120; Borough Market: 48. Are you dismissing all these and others as being of no account?
I am not trying to argue any particular case in respect of encryption and its perceived evils; I am merely seeking to expose what seems to be an attempt to downplay the effects of terrorist activity.
And of course it is possible to remove human casualties from the mix entirely and just look at the disruption to infrastructure (e.g. London Underground in 7/7) and its direct consequences and costs. Is all that of no importance either?
To simply use an incorrect figure for terrorist killings over a given period as some sort of measure of the impact of terrorism while ignoring everything else is at best silly and at worst wilfully misguided, perhaps in attempt to wilfully mislead.
No. I chose 12 years as post 7/7 but let's include them.
And while we're at it let's include the Brazillian electrican that got shot for wearing a heavy jacket on the wrong day as well. That's 57, not 56. And the English nutter terrorist that ran into a group of Moslems leaving their Ramadam prayers in North London and killed one as well. That's a "terrorist" incident as well.
And let's not forget Lee Rigby, Victim of a pair of "terrorists," or 2 people with mental health issues who should have been sectioned?
That's 94 people over a 13 year period, who might (not would, might) be alive today if anyone's encrypted traffic could be compromised at will by "The State," for "The Greater Good." BTW Most of them, including the 7/7 bombers were "Known to the authorities" already.
Meanwhile the confirmed death toll of 1 UK tower block due to either inadequate fire regulations, or their enforcement, is up to 80 (the other 18 are still listed as "missing" IE they can't match the remains found to an actual person, yet). Meanwhile every block so far tested (with similar cladding) has failed fire tests. There are about 600 such blocks in the UK.
BTW 94 is just over 10.5Hrs of smoking related deaths in NHS hospitals for 2014.
I think most of the UK readers of this site who lived through the IRA activities of the 1970's, 80's and 90's would consider compromising end to end encryption (as used for home banking and shopping) a grossly disproportionate response against what might be fairly described as a bunch of "shabolic motherf**kers," compared to the activities of the IRA.
The NHS figure (even better housing safety regs) says there are a lot better ways to save lives than this, but I don't think that's what you're concerned with. :-( .
If you, or someone you know, has been a victim of a terrorist incident I have a special message for you and them.
<profanity filter off>
Shit happens.
</profanity filter off>
You or they were very unlucky to be in the wrong place at the wrong time. It was grossly unfair. But that was the event, which has passed.
It's time to start thinking rationally again.
Most people have lost people who've died before they think they should have. Most deaths are preventable if you're prepared to sacrifice enough money, time or effort to do so.
The question is should you?
The purpose of a terrorist is to make you terrified.
If you (or someone you know) are terrified, they have won.
If you live you life making every decision based on wheather it (might) make you being the victim of a terrorist incident more or less likely, they have won.
When you refuse to be terrified, they lose. Fear is your choice. But understand it is your choice, not anyone elses.
A cold hard assessment of what these proposals will do with the reduction in terrorism, versus the reduction in everyone's security and privacy would conclude they are literally not worth the money they will cost.
But I don't believe "security" is the reason this is wanted. I believe it's a convenient excuse to introduce it. They just as happily use the risk of internet paedophiles, money laundering or drug dealing to justify it as well.
Data fetishists have no shame. They will hijack any issue to drive their agenda through.
Well said and thought out. As with any "war" or even "crime" give in and you lose. Unfortunately, we have tons of snowflakes on both sides of the pound which seem to be from parents raised as 'flower children". They will shout down any rational argument and maybe sing "Give Peace a Chance" in 3 part harmony.
I think you need to re-read my post.
Not turning the country into a police state might be described as the PoV of the "flower children."
It's usually the "ordinary decent law abiding (blah blah)" types who scream at the slightest threat to their life style who demand the most absurdly repressive measures. They don't really cope with anyone who's not exactly like them very well.
People can mistake broad tolerance for weakness. I once drank in bar were most of the regulars were ex-cons. They were very tolerant of casual visitors, provided they were well behaved. The bar did not have door staff because it didn't need them. People who were unwise enough to mistake their tolerance for weakness regretted it.
@John Smith 19
A very good analysis.
I will add two things for a little extra perspective.
1) The US may soon pass legislation that will result in 22,000,000 losing health care and cause in excess of 20,000 deaths per year sooner than would otherwise have occurred. This is in order to give $70 billion/year in tax cuts to the rich. Preventing death doesn't seem of great importance to these people, despite their claims of the necessity to defeat terrorism in order to prevent deaths.
2) If, in order to defeat your enemy, you have to adopt those behaviours that make him your enemy, then your enemy has won (whatever you do). We are moving towards a repressive, totalitarian regime in order to defeat people who wish to impose a repressive, totalitarian regime upon us. Dubya (now only the second worst president ever) said: "They hate us for our freedoms" then proceeded to stop them hating us by removing our freedoms whilst bombing the shit out of them.
I suspect it's going to get a lot worse before it gets better. If it ever does.
Exactly.
In the US context Bin Laded must have ROTFLFAO when Congress passed THE PATRIOT Act, with one Congressman refusing (because he'd actually read the 200+ pages of it and thought it was a PoS).
The original point was about all this effort to try and close the final gap. The money spent so far and the efforts invested in combatting terrorism so far have resulted in the impact (casualties, fatalities, consequential losses etc) being no worse than what it was under the use/abuse of current legislation and technical capabilities.
The government spooks don't really care about your privacy though - actual or perceived. They want a public discourse that argues endlessly about impractical limits on encryption but permits laws allowing the compromise of endpoints on mass market usage. Detection of 'real' security in use becomes a potential flag for targeted investigation.
After that you just need to trust your government in perpetuity and hope the crims don't break the locks. So no problem then.
“deal with the relentless threats of terrorism, violent extremism, cyber-attacks, and international instability, while retaining our deep commitment to the shared values of democracy, human rights and the rule of law”.
Horse shit. They are faced with a general populous that they are unable to spy on, and they don't like it. The above is almost too argumentum ad metum for words. Only surprise is they didn't mention noncing too. Make the plebs afraid, they will then let you get away with anything.
Why is it that the politicians want to breach commercially available "end-to-end" encryption? Alice and Bob (English speakers) have implemented a simple book cipher, and they use The Register, because, although that might communicate the originator of the message, it completely fails to communicate the RECIPIENTS to the NSA or GCHQ. The "book" is unknown, the randomisation of the book is unknown, and the application which does the (symmetrical) encoding and decoding was written by Charlie for the group (in Python). Alice has sent me (AC) another test message for onward communication.
*
enchant chistera Sonja Diann smalts overaccurately diminisher squushy viduation arthrosporous bandidos fringiness half-plane babbly dasyproctine shikimi saucer resolder overindebted formals abort sophies Cryptobranchus Keb chacate termor hermeneutics Tzapotec OOP hexactine hout alada
*