Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works

Government officials in Germany are reportedly mulling a law to force chat app providers to hand over end-to-end encrypted conversations in plain text on demand. According to Der Spiegel this month, the Euro nation's Ministry of the Interior wants a new set of rules that would require operators of services like WhatsApp, …

  1. Anonymous Coward
    Anonymous Coward

    So encrypted posts to USENET it is ...

    Sorted.

    1. Anonymous Coward
      Anonymous Coward

      Re: So encrypted posts to USENET it is ...

      Come on! Surely some enterprising folks can create an open source overlay app that sends end to end encrypted messages over regular SMS, including doing the Diffie–Hellman key exchange part.

      1. Richard 12 Silver badge
        Facepalm

        Re: So encrypted posts to USENET it is ...

        I'm absolutely certain somebody already has, although you wouldn't want to because "who" you talk to is generally more interesting than "what" was said anyway.

        The thing about encryption is that it's just maths, and end-to-end encryption is pretty easy to throw together using existing published components.

        Making the app itself secure from local attack is hard, but the actual pipe is a long-solved problem.

        So not only is this proposal dangerous, it's also utterly useless.

        1. T. F. M. Reader

          Re: So encrypted posts to USENET it is ...

          "who" you talk to is generally more interesting

          That can also be encrypted. Route a message through a remote server, maybe choose one at random from a geographically diverse set. Encrypt the recipient between the sender and the server. Encrypt the sender between the server and the recipient. Delete the metadata from the server once the message has been delivered.

          end-to-end encryption is pretty easy

          Apart from the key exchange part. In fact, I suspect the encryption of WhatsApp, Telegram, and friends is not end-to-end, since no secrets are exchanged directly between the communicating parties. There is a man in the middle. The question is, can you trust him?

          The big privacy problem in my mind is that most people "back up" their conversations to the cloud without thinking. If you want privacy then at least don't sync to anyone's computers where the stuff must be both persistent and either plain text or easily decryptable (without that you wouldn't be able to restore if, say, your key changes). Then hope that Signal or Telegram actually don't keep your messages in plaintext after delivery and thus would not be technically able to comply with a court order even if issued.

          1. Anonymous Coward
            Anonymous Coward

            Re: "who" you talk to is generally more interesting

            Which is why posting to USENET is a game changer. You have no idea who - or where - the recipient is. Or even if there is a recipient.

            And messages will be propagated across the world by a half-century old protocol that's baked in to internet protocols.

            In fact, there might be people doing it as we speak. By definition we wouldn't know.

            1. Anonymous Coward
              Anonymous Coward

              Re: "who" you talk to is generally more interesting

              Oh come on.... usenet is sooooo last century. Do it with blockchain!!!!!!!

            2. Anonymous Coward
              Anonymous Coward

              Re: "who" you talk to is generally more interesting

              We do know. Have a look over at alt.anonymous.messages and marvel at the sight of encrypted spam sent to anonymous accounts.

              mixnym.net used to provide a simple gateway to set up your own. I haven't checked if it still works.

              AC, because.

            3. CrazyOldCatMan Silver badge

              Re: "who" you talk to is generally more interesting

              In fact, there might be people doing it as we speak

              There certainly were 10 (ish) years ago when I regularly used Usenet. I still use it but nowadays it's only as a lurker and leecher..

        2. DuncanLarge Silver badge

          Re: So encrypted posts to USENET it is ...

          "The thing about encryption is that it's just maths, and end-to-end encryption is pretty easy to throw together using existing published components."

          Yep, every child with a Raspberry Pi has access to compiled encryption libraries that work with almost any language that is in use today, plus the very source code for those libraries, not to mention OpenPGP and GnuPG.

          If you follow the general best practices (i.e. don't roll your own crypto) you can add end to end encryption to anything. Oh did I forget to mention OpenSSH? I can encrypt ANY port sending ANY kind of data between ANY machines.

          It's all in the hands of kids with Raspberry Pis given to them at school. Germany, how are you going to get the cat back in the bag? It had kittens, loads of them, since the 90s!

          1. Anonymous Coward
            Anonymous Coward

            Re: So encrypted posts to USENET it is ...

            @DuncanLarge

            Quote: "...general best practices (i.e. don't roll your own crypto)..."

            *

            But what about the asymmetry for the "good guys" vs. the "bad guys"? Even if the "roll your own" is only passably strong, the "bad guys" communicate in real time, while the "good guys" will have to wait, maybe quite a while, to find out what the message said, maybe too long to be useful! See Beale Papers.....one of them secret for over a century!

      2. Captain Hogwash

        Re: end to end encrypted messages over regular SMS

        Something like this perhaps?

        https://silence.im/

        1. Dan 55 Silver badge

          Re: end to end encrypted messages over regular SMS

          Or...

          https://delta.chat/

          Same but over IMAP e-mail.

      3. mhkool

        Re: So encrypted posts to USENET it is ...

        What most people forget is that no "real" encryption is needed. The thugs can use plain text like

        The eagle has landed

        to communicate in secret.

        1. CrazyOldCatMan Silver badge

          Re: So encrypted posts to USENET it is ...

          The eagle has landed

          And the seagulls are following the trawler.

    2. bombastic bob Silver badge
      Devil

      Re: So encrypted posts to USENET it is ...

      you have identified, in principle, what will end up happening: only "illegal" encryption will be used, particularly by the bad guys.

      It is SO easy to do your own encryption with something as simple as PGP. "send me your public key, here is my public key". etc.. What are "they" going to do, stop you from downloading an application for your Android device that's a simple APK on "some web site" that uses the TOR network or something like that? Ha ha ha good luck with THAT one...

      and of course, you could also use temporal public/private keys that are only good for one message each... and are thrown away on a regular basis, so there's no record of what they were. Even if "not that strong" if the amount of data being encrypted by "that one key" is very very small. And so on.

      No doubt someone has already written something that could do this, and maybe has even made it available for download. If not, someone probably will... someone NOT in the EU, someone willing to post it online in a public forum and "let the cat out of the bag" kinda like what happened with PGP.

  2. cornetman Silver badge

    I guess if they could do that then it would probably mean that either the conversations were not end-to-end encrypted or the encryption would be very weak and would therefore be pointless.

    1. Mark 85
      Big Brother

      Exactly. They say they only want it for "terrorism" but mission creep and government power creep are a real thing and citizens, journalists, and activists will end up in deep trouble sooner or later. Probably "sooner" from the way things are going.

      1. bombastic bob Silver badge
        Big Brother

        We in the USA _ALREADY_ have examples of "this sort of thing" happening when you look at FISA court abuse as an example of "mission creep".

        It starts out "we have a court we want to use for due process to do spying, because, TERRORISM" and "it will only be on foreign operators using our networks". Then it becomes "and persons of interest engaging with foreign operators on our networks". Then it becomes "and persons of interest but here's legitimate evidence that gives us probable cause."

        And then it becomes PURELY FABRICATED ELECTION PROPAGANDA presented as "evidence" by the FBI to a FISA judge, and then it's SIGNED OFF by that judge so that a U.S. citizen working for a presidential campaign can be spied upon by the FBI, by court order, in order to dig up dirt on a candidate to apparently be used against him in some way later on... like in a 2 year long "investigation" about alleged collusion with a foreign government, that _NEVER_ _HAPPENED_ but allegations are enough for "the press" to bad-mouth this politician INDEFINITELY in order to drive elections "their way"!

        "Mission Creep" indeed. Big brother icon, of course.

        1. Anonymous Coward
          Anonymous Coward

          It's a good thing your post avoids the propaganda slant Mr. Butt hurt righty. No worries there will be plenty of illegal activity come to light once Darth Cheeto no longer controls the Justice Dept. Easy way to avoid not showing up on the "deep" state's radar is don't run a semi criminal enterprise with numerous contacts with shady foreign operators (Steve Bannon's own words but I guess he is a RINO now).

      2. DuncanLarge Silver badge

        "They say they only want it for "terrorism""

        1984, George Orwell. In the story words have their definitions changed and bent frequently.

        Today's definition of terrorism may be different from next year's. In a decade my post here may be in breach of terrorism laws. OMG, THEY ARE COMING FOR ME!

        1. Kiwi
          Black Helicopters

          Today's definition of terrorism may be different from next year's. In a decade my post here may be in breach of terrorism laws. OMG, THEY ARE COMING FOR ME!

          The secret, my friend, is not to fear such things. I don't fear if my comments are misconstrued and I become the victim of some investigation.

          There is a down-side though - sometimes what it takes to not be afraid can be pretty costly. The example in "V for Vendetta" when Evy(?) is 'captured' after telling V that she doesn't want to be afraid any more gives an idea of what it can take for some. For me it's a bit of life-experience and a lot of my Faith - and that has not been an easy road on either side. For others, well, it takes the loss of family and friends, or the loss of reputation... IOW, destroy everything a man has and he no longer has anything left to lose.

          (I still have a LOT to lose, but I have learned not to fear losing it).

          Now I must retire to my fortress-cave in mom's basement. I hear a helicopter in the distance!

  3. Henry Hallan

    Doesn't GDPR require software to be designed to be secure? So will German law both require and forbid end-to-end security?

    1. Adam 1

      why not?

      Australia has the same requirement to not weaken encryption yet somehow provide technical assistance.

      All they need to do is to make sure their laws usurp the very honourable laws of mathematics. (Quoting someone who pushed those laws of mathematics over 30 times before losing, with the irony being that the mathematics behind those 30 polls now seems very questionable in light of recent events.)

      1. Yet Another Anonymous coward Silver badge

        Re: why not?

        Unfortunately German politicians are only normally stupid, not totally Turnbull

        1. Weiss_von_Nichts
          Pint

          Re: why not?

          Seehofer, however, is Bavarian. Even if he knew better he'd just be talking louder. (Of course he doesn't know better but keeps shouting just to be sure. That's how you get into politics in Bavaria.)

          1. lglethal Silver badge
            Go

            Re: why not?

            This won't happen. Germans are way too on the ball when it comes to personal privacy and keeping the cops and spooks out of it. There are still a lot of Germans around that lived through the Stasi period and they will do their darndest to stop that happening again...

            1. DCdave

              Re: why not?

              and yet they still use WhatsApp and Facebook....

              1. MiguelC Silver badge

                Re: why not?

                They specifically worry about state surveillance.

              2. hardboiledphil

                Re: why not?

                They don't even allow Google Street view in Germany

                1. Kiwi
                  Unhappy

                  Re: why not?

                  They don't even allow Google Street view in Germany

                  A shame. I visited with GE and initially couldn't seem to get it in some smaller locale (can't recall the name). Then I decided to try Munich, and sure enough lots of 360 panoramas as well as streetview at least on some main road.

                  I was full of hopes that there was a country that kept that lot out, but sadly no such luck :(

          2. Yet Another Anonymous coward Silver badge

            Re: why not?

            >you get into politics in Bavaria

            Are they banning beer halls to prevent extremists?

          3. CrazyOldCatMan Silver badge

            Re: why not?

            That's how you get into politics in Bavaria

            It also helps to be able to eat your own bodyweight in sausages while drinking several litres of beer..

    2. Charlie Clark Silver badge

      Well, GDPR has privacy by design and privacy by default. Similar but not the same as security. There are references about making sure that systems are secure. But again, it's not the same thing.

      However, I can't see any law in Germany standing up to the inevitable legal challenges because the right to private communications is guaranteed by the constitution. However, before we get on our high horses it's probably best to wait to see the draft law itself. I suspect that there will be an emphasis on metadata – who has been talking to whom – and group chats where end-to-end communication is hard to square with administrability. Presumably there will be provisions about what can be demanded for once a warrant has been served, with the possibility of holding people in contempt for non-complying. Of course, for group chats the easiest thing is just to be able to join the group…

      But, as Seehofer is on his way out as Minister for the Interior, it may end up just being shelved.

    3. Dan 55 Silver badge

      No, because GDPR has exceptions for national security.

  4. chivo243 Silver badge
    Paris Hilton

    Honey, we're out of

    butter and sugar and privacy and cheese. Can you get some on the way home? Seems they would be wasting resources even monitoring my inane chats with the missus. I know storage is cheap, but Shirley, there has to be a better use for it.

    Paris because butter is first on the list.

    1. bombastic bob Silver badge
      Devil

      Re: Honey, we're out of

      "butter is first on the list."

      Wait until the FOOD POLICE find out you're eating REAL BUTTER which means FAT in your diet, and they know better than YOU how much you should (or should not) be eating...

      As for me I eat butter as a SNACK - like potato chips, only it's butter chips.

      1. Captain Hogwash
        Coat

        Re: Honey, we're out of

        I don't think it's for eating.

        1. MiguelC Silver badge
          Coat

          Re: Honey, we're out of

          Just be careful not to slip while you tango

          1. Bluto Nash

            Re: Honey, we're out of

            "Just be careful not to slip while you tango"

            Paris? That was the last one.

    2. DuncanLarge Silver badge

      Re: Honey, we're out of

      "Seems they would be wasting resources even monitoring my inane chats with the missus."

      It amuses me just how blinkered people really are about their "inane" conversations. Ever heard of phishing?

      While they are wasting resources watching you ask for cheese, others are eavesdropping on your convo after breaking into their system looking for the passcode you send to your other half when they get a prompt on the phone for the banking app when she logs in to check the balance after the card machine declined the card.

      They will be watching when you send the sort code and account number to your mate who wants to pay you back for that meal he promised to chip in on.

      They will be watching when Google sends you the reminder about the booking you have made for a trip for two to Spain for a week. They will also be watching your house when you leave to catch the plane, hammer at the ready they go up to your empty house to find an Amazon smart lock. They look through what they know about you, find the details for your Amazon account, reset the password, approve themselves for entry and simply walk in.

      Yep, nobody is interested in the little details of your little messages sent back and forth with your family and friends.

      Just like nobody is interested in the contents of your house when you leave the door open and get distracted by one of them when they fake a heart attack. Surely nobody would be interested in the boring contents of your private residence?

      Why do you have keys to your car? Honestly nobody would be interested in the old rust bucket. Yet you still lock it? Can't you just keep it unlocked, remove the immobiliser and install a push to start button?

      I still lock up my bike :O

      I shred post I get that has my name on it. I also shred old documents after a few years :O :O

      Yep, you've got nothing to hide.

      1. Kiwi
        Devil

        Re: Honey, we're out of

        They will be watching when Google sends you the reminder about the booking you have made for a trip for two to Spain for a week. They will also be watching your house when you leave to catch the plane, hammer at the ready they go up to your empty house to find an Amazon smart lock. They look through what they know about you, find the details for your Amazon account, reset the password, approve themselves for entry and simply walk in.

        Too much trouble. Walk up to door. Knock. No answer? Smash door in. A friend of mine has spent $hundreds on locks on his doors. Wasn't impressed to find the picture window in the back was smashed, his neighbours - who roughly work the same hours he does - saw nothing.

        Next time, the door was forced open with something like a sledge hammer. The 40 + year old wooden frame splintered. Hinges and pins etc all perfectly intact, the frame shattered. Probably took all of 20 seconds. No neighbours at home to hear a thing.

        Most home-security stuff is just theatre, and the thieves know it. If anything, it shows there is something of value there and makes you a target.

        Why do you have keys to your car?

        I have keys to my car because they came with it when I was given it - it'd take more than an hour to bypass the ignition switch but it takes only a second to put the key in. I'm saving time by not changing things as I'd still have some sort of switch that would need to be altered to start/stop the car. May as well leave it as it is. I lock the doors out of habit as a throw-back to a time when I was sure that made a difference. I've also left it unlocked for days at a time. Nothing worth stealing in it, and only people truly desperate or who don't mind being laughed at would drive my car.

        -->icon=my car, proof that the devil exists!

    3. Eddy Ito
      Childcatcher

      Re: Honey, we're out of

      I'm on to you, it's clear you're planning on making fat bombs! No doubt the food pyramid police will be waiting at your door.

  5. Chozo
    Black Helicopters

    Plain text on demand...?

    Yeah like that's going to help said John with the long moustache while dogs barked and finding himself unable to fly searched for an umbrella.

    1. Michael Wojcik Silver badge

      Re: Plain text on demand...?

      And note this is easy to automate in ways that preserve cryptographic strength. Plaintext-form ciphertext, like other forms of steganography, has high bandwidth costs, but for short messages bandwidth is cheap.

      So, for example, you can adapt Shannon's method of using parody generation for testing language models into a simple cryptosystem thusly:

      1. Create a language model with a reasonably-sophisticated grammar and good-sized vocabulary for the natural language of your choice. The model doesn't have to be particularly capable; the sorts we were creating in the '90s would do fine.

      2. Use Shannon's method (running the model backward to generate text from an arbitrary input stream).

      3. Use a PRF to generate a nonce. Run the nonce through the model to generate a sentence; this is communicated verbatim to the recipient so they can reconstruct the nonce.

      4. Generate a session key using some key-exchange protocol. If this requires exchanges with the peer, those can be plaintext-encoded as well. If you decide to forego PFS and just generate a key and encrypt it with the peer's public key, the result can be communicated as in #3.

      5. Use a KDF to combine the session key and nonce into the initial key K_i.

      6. Generate your keystream. This might involve an iterated PRF seeded with K_i, or a block cipher keyed with K_i in CTR mode, or whatever. (You could even use GCM or one of the other AEAD modes, if you want to get fancy. If you don't use AEAD, you'll want some kind of MAC.)

      7. XOR the real message with the keystream.

      8. Use the stream from #7 as input to the reverse language model from #2. Send the resulting plaintext, which will be nonsense but using real words and valid grammatical structures.

      9. Recipient parses the received text using the language model, recovering the input stream. Extracts the nonce and, depending on protocol details, the key. With that information duplicates the keystream and decrypts the input stream to the original plaintext.

      NLP-model-generated parody text, which is what goes over the wire in this scheme, can be made arbitrarily difficult to distinguish from human-generated text. The disadvantage, as I noted above, is bandwidth - the output of the reversed model is much larger than the input stream. But if you're sending relatively short messages (and note you can compress the original plaintext) it shouldn't be bad.

      This sort of thing would make a good project for a CS master's student, or even a small team of undergrads.
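
The nine steps in the post above, carried through as an added example; it is not code from the post or its author. Assumptions: a fixed four-slot sentence template with 16 words per slot stands in for the language model (its output is easy to recognise, unlike the statistical model the post has in mind), HMAC-SHA256 serves as both PRF and KDF, the session key is pre-shared so step 4's key exchange is skipped, the nonce and MAC tag travel in the leading sentences, and every function name is hypothetical.

```python
import hashlib
import hmac
import os

# Toy stand-in for the language model (an assumption of this example): one
# grammar, "The ADJ NOUN VERB ADV.", with 16 words per slot. Each slot carries
# 4 bits, so one sentence carries 2 bytes of the input stream.
SLOTS = [
    "quiet old green tall brave tired young clever "
    "happy grumpy rusty shiny lazy noisy pale stern".split(),
    "baker sailor farmer teacher driver painter doctor pilot "
    "singer tailor miner judge clerk nurse guard cook".split(),
    "waits walks sings reads writes sleeps laughs works "
    "cooks paints listens travels whistles argues studies dances".split(),
    "calmly slowly loudly gladly rarely often badly daily "
    "early late twice alone nearby outside upstairs today".split(),
]
assert all(len(set(words)) == 16 for words in SLOTS)
INDEX = [{w: i for i, w in enumerate(words)} for words in SLOTS]
NONCE_LEN, TAG_LEN = 8, 8  # toy sizes; the tag is a truncated HMAC


def bytes_to_text(data):
    """Steps 2 and 8: run the model 'backward', 2 bytes -> one sentence."""
    if len(data) % 2:
        raise ValueError("need an even number of bytes")
    sentences = []
    for i in range(0, len(data), 2):
        value = int.from_bytes(data[i:i + 2], "big")
        picks = [SLOTS[s][(value >> shift) & 0xF]
                 for s, shift in enumerate((12, 8, 4, 0))]
        sentences.append("The " + " ".join(picks) + ".")
    return " ".join(sentences)


def text_to_bytes(text):
    """Step 9: parse the text with the same model to recover the bytes."""
    out = bytearray()
    for sentence in text.split("."):
        words = sentence.split()
        if not words:
            continue
        if len(words) != 5 or words[0] != "The":
            raise ValueError("sentence does not fit the grammar")
        value = 0
        for slot, word in enumerate(words[1:]):
            if word not in INDEX[slot]:
                raise ValueError("word not in vocabulary: " + word)
            value = (value << 4) | INDEX[slot][word]
        out += value.to_bytes(2, "big")
    return bytes(out)


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _derive_keys(session_key, nonce):
    """Step 5: KDF over session key and nonce gives K_i, split by purpose."""
    k_i = _prf(session_key, b"kdf" + nonce)
    return _prf(k_i, b"enc"), _prf(k_i, b"mac")


def _keystream(key, length):
    """Step 6: iterated PRF in counter mode."""
    blocks = (_prf(key, c.to_bytes(8, "big")) for c in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode(session_key, message, nonce=None):
    """Steps 3-8. Never reuse a nonce with the same session key."""
    nonce = nonce or os.urandom(NONCE_LEN)  # step 3 (OS CSPRNG used here)
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    k_enc, k_mac = _derive_keys(session_key, nonce)
    framed = len(message).to_bytes(2, "big") + message
    framed += b"\x00" * (len(framed) % 2)  # pad to whole sentences
    ct = _xor(framed, _keystream(k_enc, len(framed)))  # step 7
    tag = _prf(k_mac, nonce + ct)[:TAG_LEN]  # the MAC step 6 asks for
    return bytes_to_text(nonce + tag + ct)


def decode(session_key, text):
    """Step 9: parse, check the MAC, then decrypt."""
    raw = text_to_bytes(text)
    nonce, rest = raw[:NONCE_LEN], raw[NONCE_LEN:]
    tag, ct = rest[:TAG_LEN], rest[TAG_LEN:]
    k_enc, k_mac = _derive_keys(session_key, nonce)
    if not hmac.compare_digest(tag, _prf(k_mac, nonce + ct)[:TAG_LEN]):
        raise ValueError("MAC check failed")
    framed = _xor(ct, _keystream(k_enc, len(ct)))
    return framed[2:2 + int.from_bytes(framed[:2], "big")]
```

Each sentence carries two bytes, so a 12-byte message plus nonce, tag and length prefix comes out as 15 sentences, which is the bandwidth cost the post mentions.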

      1. Kiwi
        Trollface

        Re: Plain text on demand...?

        Use a PRF to generate a nonce.

        Running a little short on time and computing power right now. Can I substitute the local priest?

        NLP-model-generated parody text, which is what goes over the wire in this scheme, can be made arbitrarily difficult to distinguish from human-generated text

        So.. Not AMFM1 or Mr AI (I.G) then?

        (Thanks for the writeup - interesting field for further reading - much appreciated)

      2. Anonymous Coward
        Anonymous Coward

        Re: Plain text on demand...?

        @Michael_Wojcik

        Why do we have to have all these ASSUMPTIONS? This scheme may be perfectly doable, but it assumes the model of RSA and PGP and the like -- that there is a plain text and a key and an encryption method. There are other models, for example book ciphers or pre-agreed message (plain) texts used as triggers.

        *

        As others have pointed out here, there is also the assumption that messaging is point-to-point, and the assumption that the end-points can be identified to specific individuals or to specific IP addresses. People using internet cafes and USENET do not fit with the point-to-point model.

        *

        I'm sure the "bad guys" can find many other ways around all these assumptions! And the "good guys" will be hours or days or weeks behind!

        1. Michael Wojcik Silver badge

          Re: Plain text on demand...?

          Why do we have to have all these ASSUMPTIONS?

          Sigh. So the post wasn't a full-length paper. That ought to be obvious to anyone with basic knowledge of the field and the capacity for critical thought.

          it assumes the model of RSA and PGP and the like -- that there is a plain text and a key and an encryption method. There are other models, for example book ciphers or pre-agreed message (plain) texts used as triggers.

          Ah, I see. You lack at least one of the prerequisites. OK then.

  6. Anonymous Coward
    Anonymous Coward

    More madness

    I know this has been said many times before, but don't these idiots realise that letting the "good" guys in (I use the word loosely) will eventually allow the bad guys in also? No such thing as a "good" back-door that can be rigged in this way. Trouble is, now this crackpot law has been passed in indecent haste by Australia and a similar thing is now being mulled over by Germany, doubtless other governments will copy-cat. If this carries on you might just as well open your wallet in the middle of a busy street and utter the words: "Help yourself".

    1. A random security guy

      Re: More madness

      The weird thing is that it will make people use 'secure' chat apps that are really spyware. Much worse for us as a society.

    2. Vector
      WTF?

      Re: More madness

      They also seem ignorant of criminals' ability to do this in plaintext:

      asdgljhn125098efg;kljn2445698regthsd8756q24t8dsf6h9sdgjdfsgj78sg4s

      (not actual encryption. just a facsimile thereof)

      1. vir

        Re: More madness

        "asdgljhn125098efg;kljn2445698regthsd8756q24t8dsf6h9sdgjdfsgj78sg4s"

        With the right one-time-pad key, that string can be made to implicate you in any number of subversive activities...

        1. Yet Another Anonymous coward Silver badge

          Re: More madness

          "asdgljhn125098efg;kljn2445698regthsd8756q24t8dsf6h9sdgjdfsgj78sg4s"

          I think that might actually be the German word for a one time pad !

          1. Weiss_von_Nichts

            Re: More madness

            No. That's "Einwegverschlüsselungspasswort". We don't use numbers within wörds. We're fine with these fünny döts.

            1. DavCrav

              Re: More madness

              "We're fine with these fünny döts."

              When Mötley Crüe toured in Germany, everyone was shouting "Muhtley Cruh!".

              Quoting Crüe frontman Vince Neil, "[...] when we decided to call ourselves Mötley Crüe, we put some umlauts in there because we thought it made us look European. We had no idea that it was a pronunciation thing. When we finally went to Germany, the crowds were chanting, ‘Mutley Cruh! Mutley Cruh!’ We couldn’t figure out why the fuck they were doing that.”

            2. DropBear
              Trollface

              Re: More madness

              Döts? Oh please, that's such a half-hearted attempt at best. Cöme őn, YÓLŐ, líve á little, there's só műch moré to life when yoú gó füll nűts with thís stúff like we dő...

    3. cornetman Silver badge

      Re: More madness

      Kinda ambiguous who the good guys and the bad guys are these days.

      1. a_yank_lurker

        Re: More madness

        Isn't bad and even worse guys? Not sure who is actually worse and who is just bad.

      2. A.P. Veening Silver badge

        Re: More madness

        Kinda ambiguous who the good guys and the bad guys are these days.

        Not really, I know I am one of the good guys and (most of) my family and close friends also fall in that category. Governments (including government agencies) and big companies are classified as bad guys until proven otherwise and the remainder is just decision pending but I tend to err on the side of caution.

        1. Anonymous Coward
          Anonymous Coward

          Re: More madness

          "I know I am one of the good guys and (most of) my family and close friends also fall in that category. "

          Everyone except me and thee - and I'm not so sure about thee.

          FTFY

    4. BebopWeBop

      Re: More madness

      It’s a disease spread from the Oz legislature and quickly infected law makers around the world. Another reality defining cult.

      1. tfewster
        Facepalm

        Re: More madness

        I imagine that German people, especially in the East, mistrust "secret police" tactics and will reject this.

        Mind you, I thought the Spanish, Irish & Scots would rise up over smoking bans, so what do I know?

        1. Anonymous Coward
          Anonymous Coward

          Re: More madness

          "I imagine that German people, especially in the East, mistrust "secret police" tactics [...]"

          The population in East Germany were shown to have mostly been part of the STASI informer system. Ignoring whatever coercion was employed - it shows that it is fairly easy to manipulate people into believing that what they are doing is in their own self-interest. Dog whistles - "terrorists" and "think of the children".

          1. Anonymous Coward
            Anonymous Coward

            Re: More madness

            'ranging from about one [Stasi inoffizieller Mitarbeiter] for every 80 of the population up to about 160' is not exactly 'mostly', although it is quite disturbing nevertheless.

            1. Anonymous Coward
              Anonymous Coward

              Re: More madness

              "[...] is not exactly 'mostly' [...]"

              Yes my "mostly" was a misremembered estimate. However - besides the IMs noted with that statistic - there were also significant numbers of people classed as AKPs or Information People.

              "[...] records in Rostock and Saalfeld shows that approximately 18% and 5.9% of the populations, respectively, were assessed as AKPs who were, for the most part, ready to talk."

          2. Stork Silver badge

            Re: More madness

            Sometimes the disconnects are weird. I am in Portugal, where until 1974 about 10% of the population was informers on some sort of level. My in-laws (early 70s) refuse to discuss anything remotely controversial on the phone, but are slightly less troubled by email.

            And still, Facebook is perhaps even more popular than other places I know.

    5. The Central Scrutinizer

      Re: More madness

      Yeah, well, exactly. Governments worldwide are shit scared of the Internet and anyone who actively avoids online surveillance.

      https://www.theguardian.com/business/2019/may/28/spies-with-that-police-can-snoop-on-mcdonalds-and-westfield-wifi-customers

      This is the shit that's coming thanks to a government near you. Australia, leading the world in online stupidity. Makes me ashamed at times.

    6. Kiwi
      Pint

      Re: More madness

      I know this has been said many times before, but don't these idiots realise that letting the "good" guys in (I use the word loosely) will eventually allow the bad guys in also?

      You're wrong.

      I'm pretty sure it'll be leaked/cracked before the memo's passed through more than a dozen hands. The implied time frame of "eventually" is clearly misleading in this case.

  7. A random security guy

    Mystified; how will they force it?

    They are trying to break up the romance between Alice and Bob by introducing Eve.

    As anything can be solved using another set of indirections, can't we, for example, just have a secure chat on top of Germany's neutered chat? Should be a few lines of perl code if that much.

    I don't think they can legislate end to end encryption away. There is nothing that prevents two or more people from exchanging public keys and using PFS.

    1. Sureo

      Re: Mystified; how will they force it?

      No but they can put you in jail if they catch you doing it.

      1. whitepines

        Re: Mystified; how will they force it?

        On what charge? If we reach the Chinese level of censorship and thought crime, this planet is going back to the dark ages.

        1. BebopWeBop

          Re: Mystified; how will they force it?

          I think that US Christian fundamentalists might get there first

          1. whitepines
            Happy

            Re: Mystified; how will they force it?

            I think that US Christian fundamentalists might get there first

            Yet somehow we see Chinese Atheists (Communist Party) and Middle Eastern Muslims there right now.

            Don't look now, but your bias is showing!

          2. bombastic bob Silver badge
            Meh

            Re: Mystified; how will they force it?

            not only is your bias showing, the ignorance is showing, too. Pull up your pants, please.

      2. A random security guy

        Re: Mystified; how will they force it?

        That is how it is in a few countries. They beat the crap out of you, state that you are disturbing the communal harmony, are an agent of the Westphalia (or Eastphalia) etc.

        And if you had any "non-Native" blood (Native being the dominant race) you got sent to a concentration camp directly. Your family and friends disowned you.

        I am glad Germany wants to join them. What could go wrong (Sarcasm).

      3. StargateSg7

        Re: Mystified; how will they force it?

        Try this in America and a BUCKET LOAD OF LEAD will come flying !!!

        Try it and See what happens AS YOU HAVE RECENTLY SEEN HERE in the US of A when you push people too far!

        Like trying to take our guns, it will be over our COLD DEAD HANDS will we ever give up our encryption !!!! Actually, we'll make it THEIR cold dead hands!

        Try it and there's gonna be a LOT of Deader'n'Dead fascists! We don't take no ss hit no-how here!

        .

    2. thames

      Re: Mystified; how will they force it?

      How will the Germans force it? They will just count on most chat they want to monitor taking place over phones, and banning secure chat apps from the Android and Apple app stores being enough to prevent the targets from using it. If Apple doesn't offer it to you, then you're out of luck if you own one of their phones. It's possible to load whatever you want on some Android phones, but most of the targets won't know how or otherwise won't do it.

      The Germans aren't counting on it being completely impossible to end to end encrypt a message. They are just counting on making it so difficult that most people won't bother. They aren't after Bond film super-villains with this, just run of the mill malefactors who bumble along from day to day.

      It will be interesting to see how the chat app vendors handle this. One way may be to simply have Google and Apple geo-fence their app stores to make their encrypted chat apps unavailable in Germany (and Australia) and add a "terms of service" clause telling their users to not use the app in banned locations. That is a quick solution that doesn't water down security for the rest of the world. The Germans (and Australians) won't be happy, but their government would have got what they asked for.

      1. Doctor Syntax Silver badge

        Re: Mystified; how will they force it?

        "It's possible to load whatever you want on some Android phones, but most of the targets won't know how or otherwise won't do it."

        The targets will know. It's just the innocent users who won't.

        1. Michael Wojcik Silver badge

          Re: Mystified; how will they force it?

          The targets will know

          The targets ought to know, but historically we've seen that:

          - Criminal and terrorist "masterminds" generally aren't particularly clever, intellectually thorough, or informed.

          - People at all levels of most criminal, terrorist, and paramilitary organizations tend to practice poor and/or inconsistent OPSEC. And their OPSEC protocols are often weak to defection - that is, they fail badly when only one or a few participants are suborned.

          - Even with cryptographic applications widely available, most criminals and terrorists fail to use them.

          I am completely opposed to government encumbrance on cryptography, but the historical evidence is that for the most part, the people they're explicit about targeting have a poor record when it comes to using the security mechanisms that are available to them, legally or not. So, for that matter, do most of the people that governments deny surveilling (such as their citizens, officials of other governments, etc).

      2. Dazed and Confused

        Re: Mystified; how will they force it?

        If privacy is outlawed, only outlaws will have privacy

        -- Phil Zimmermann

        No idea whether these chat apps allow plugins but even if they don't there will be nothing to stop people using cut&paste and an encryption app. Even in a walled garden there would be nothing to stop the encryption app being web-based, well unless these crazy German politicians want to ban SSL while they are at it. Asking to back door that might draw larger protests.

        1. Yet Another Anonymous coward Silver badge

          Re: Mystified; how will they force it?

          Just require citizens to use Enigma machines for secret communications and then ask the Brits for the plaintext ?

        2. Anonymous Coward
          Anonymous Coward

          Re: Mystified; how will they force it?

          "[...] nothing to stop people using cut&paste and an encryption app [...]"

          As long as what you send in plain text looks perfectly readable - then its end-to-end agreed private meaning will not be obvious to an interceptor. The BBC transmissions to the French Resistance in WW2 employed that sort of obfuscation in plain sight.

      3. Yet Another Anonymous coward Silver badge

        Re: Mystified; how will they force it?

        >How will the Germans force it?

        They won't and that's the problem.

        If they actually tried it widely everyone would see how ridiculous it was.

        Instead it will be saved for those special cases, such as where a journalist is embarrassing a politician, and then they can be threatened with ludicrous sentence anti-terrorist law unless they cooperate.

      4. Anonymous Coward
        Thumb Down

        Re: Mystified; how will they force it?

        You really think Apple would not only ban encrypted chat apps in Germany but also ban iMessage there? I hope they give Germany the middle finger, and dare them to ban sales of iPhones.

        This is the closest icon I could find...

        1. Charlie Clark Silver badge

          Re: Mystified; how will they force it?

          Just the way they stand up to the Chinese authorities then?

          1. Anonymous Coward
            Anonymous Coward

            Re: Mystified; how will they force it?

            China hasn't banned iMessage.

            Yes, Apple does use iCloud servers in China for Chinese customers where the government holds the key. As compared to the US where Apple holds the key - but they still have to give up the data in response to a court order, and do, so the only difference is that the Chinese government can snoop without a warrant.

            You don't have to use iCloud on your iPhone though. I don't. I do backups using iTunes since it is encrypted with a key only I have.

            1. whitepines
              Big Brother

              Re: Mystified; how will they force it?

              since it is encrypted with a key only I have.

              Are you sure only you have the key? Have you been able to verify that the OS or application doesn't "back up" the key somewhere cloudy, is it written into the EULA you signed that only you have the key?

              Or (most likely) are you just taking the software's various on-screen prompts on pure faith and assuming the key stays local and the encryption is not only strong but lacks an intercept key?

              1. Anonymous Coward
                Anonymous Coward

                Re: Mystified; how will they force it?

                Paranoid much? How do you know the microphone on your phone isn't listening to you and sending your every word to Google 24x7? How do you know your new TV doesn't have a hidden camera built in behind the display watching you scratch your balls?

                Even if they did what you suggest, the backup still lives only on my laptop, so they'd have to get it to use that key.

                1. whitepines
                  Facepalm

                  Re: Mystified; how will they force it?

                  Well, technically the phone is always listening for its wake word. I've personally seen the Android (Samsung) phone of a relative trigger repeatedly during normal conversation that sounded nothing like "OK Google", then quietly send all kinds of private conversation to Google, only being found out after the text message was transcribed or the maps lookup (for nonsense) was completed. At that point it's far too late, the conversation and transcript are permanently stored by Google's own admission. There's some spirited (and healthy as far as I'm concerned) debate about whether Google or its partners actually is listening randomly if not 24/7. Unfortunately since Silicon Valley tech companies lie routinely, and Google's already been caught out on Nest* it's really kind of hard to dismiss the phone listening in at least to "interesting" conversations.

                  On the TVs, well, sorry, but yeah they do listen in: https://money.cnn.com/2015/02/09/technology/security/samsung-smart-tv-privacy/index.html

                  And some have cameras now too, so your example is at best a few years away, not some far fetched tin foil hat conspiracy.

                  So the backup's only on your laptop. That's about the only thing in your favor here, though if you say the wrong thing about one of our illustrious leaders in today's climate you can bet the physical access barrier suddenly fails...

                  * https://www.washingtonpost.com/business/2019/02/20/google-forgot-notify-customers-it-put-microphones-nest-security-systems

                  1. Joe Harrison

                    Re: Mystified; how will they force it?

                    I've personally seen the Android (Samsung) phone of a relative trigger repeatedly during normal conversation that sounded nothing like "OK Google"

                    Cocaine Poodle will do it

      5. bombastic bob Silver badge
        Devil

        Re: Mystified; how will they force it?

        "It's possible to load whatever you want on some Android phones, but most of the targets won't know how or otherwise won't do it."

        a) make an APK available for download directly on a web site

        b) include instructions of the hoops you have to jump through to make it work

        developers know what these are [being necessary to test things] and it's not all that difficult, but later versions of Android make it, well, "hoopy". You have to do it JUST right, and you'll get a prompt to let it install the application anyway, and after that, it'll install any updated versions without the prompting. But yeah you have to get past that one part, which is LESS difficult now than ever, if you do it in the right order at any rate...

        https://www.wikihow.tech/Install-APK-Files-on-Android

    3. Kane
      Boffin

      Re: Mystified; how will they force it?

      Mystified; how will they force it?

      Ahem, obligatory xkcd:

      https://www.xkcd.com/538/

      1. Michael Wojcik Silver badge

        Re: Mystified; how will they force it?

        Different problem. Government attempts to backdoor crypto, like this one, aim to enable mass surveillance and decryption of messages between unknown participants.

      2. Anonymous Coward
        Anonymous Coward

        Re: Mystified; how will they force it?

        "Ahem, obligatory xkcd:"

        The UK has laws that say if you won't/can't provide a password to apparently encrypted data - then you are guilty by default and will be sentenced to prison until you reveal the password.

        1. StargateSg7

          Re: Mystified; how will they force it?

          Again, try that here in America and those OFFICIALS will be DEADER than DOORKNOBS !!! We'll just take matters into our own hands and shoot them! We ain't taking that or ANY ss hite from NO government agency!

          A whole many of my VERY WELL TRAINED brothers in arms will come out of the woodwork and those wannabe oppressors/fascists will be TAKEN OUT PERIOD !!!! Kinda hard to argue with a silently-aimed, well targeted .45 or from a .50 CAL taken from 1100+ metres!

          ..

  8. ibmalone

    Where there's a will there's a...

    Have they spoken to Huawei?

  9. Doctor Syntax Silver badge

    It really is time that SMTP was updated to include encryption as the default.

    1. Mage Silver badge

      Re: time that SMTP was updated

      That's only ONE issue. White listing, black listing, security are problems.

      You'd really need a completely different system. Remember too that people need to legitimately "spoof" the From on SMTP as they may have many email addresses and replying to "spoofed" From will work because somewhere a hosted mail box is forwarding to a single mail box the user uses IMAP, POP, Exchange or Web client to fetch from.

  10. Mage Silver badge
    Coat

    Das Boot?

    Pedantry, but it's German for "The Boat".

    Though this won't inconvenience experts, real criminals or real terrorists. There is PGP and decent one time pads are REALLY easy and unbreakable, the issue with them is purely key distribution. Digitise some old 78s and post them as the keys. The more inherent surface noise the better. Now tell me again how the number stations work, or steganography in images on Pinterest, Facebook, Twitter and Instagram. Perhaps the solution is to shut them down :)

    1. whitepines
      Headmaster

      Re: Das Boot?

      Since any method of communication could be used as a one time pad, ban mass assembly or face to face contact between people. Force everyone to ask the government to tell their neighbor anything they want communicated, which will be suitably modified to break one time pads and/or facilitate or break up communication as the State sees fit.

      Hmmm, maybe I should write a dystopian SciFi book. No, wait, governments worldwide would see it as a how-to guide for authoritarianism. Best not do that then.

      1. Doctor Syntax Silver badge

        Re: Das Boot?

        "Hmmm, maybe I should write a dystopian SciFi book."

        You might not be able to write fast enough to keep up with reality.

      2. Nick Kew
        Coffee/keyboard

        Re: Das Boot?

        Once there was a lot of resistance to a dangerous new import, and calls to ban coffee. That was when coffee houses were places where dangerous radicals might communicate subversive ideas.

        Hmmm. Come to think of it, there's even a nominal precedent, in the connection of Bach's coffee cantata to Zimmermann's coffee house.

    2. Doctor Syntax Silver badge

      Re: Das Boot?

      "There is PGP and decent one time pads are REALLY easy and unbreakable, the issue with them is purely key distribution."

      It certainly is for one-time pads. One reason for suggesting encryption be built into SMTP rather than being on top is that there is already a framework in place - the mail servers.

    3. JohnFen

      Re: Das Boot?

      "decent one time pads are REALLY easy and unbreakable, the issue with them is purely key distribution."

      But that's a REALLY hard issue to resolve. In real-world use, this is done by physically handing a pad with the random numbers to the agent in a secure environment before they go out into the world. Once out in the wide world, secure key transmission becomes impractical.

      Also, OTPs can't really be used to allow two strangers to communicate, because of the need for the key exchange.

      "Digitise some old 78s and post them as the keys."

      As your OTP key? If you do this, your crypto will be easily broken. What you need in order to do OTP is the ability to generate a long string of genuinely random numbers, and you need a new string for every transmission. A scratchy old 78 won't provide anything near genuinely random numbers. But even if it could, you still have the key distribution problem.

      1. Doctor Syntax Silver badge

        Re: Das Boot?

        "Once out in the wide world, secure key transmission becomes impractical."

        If you agree on some sort of hashing algorithm then you can let some third party generate your one-time pad.

        If Alice and Bob want to communicate they each sign up to el Reg and let each other know the handle they use. When Alice wants a OTP to communicate with Bob she selects an article and posts a comment. They both apply the hash to the article to generate the OTP. As a variant, in order to reply Bob selects a comment to hash and posts a reply of which the selected comment is a grand-parent. Or to really hide the OTP in plain sight they just use an amanfrommars comment as it stands.

        The generation and distribution of the OTP is looked after by el Reg (other discussion fora are available). The shared secret is simply the means of identifying it to each other. There has to be a meeting to share the secret but once that's done there is a ready supply of OTPs with no risk of interception.

        1. JohnFen

          Re: Das Boot?

          That wouldn't work, though, as the results of that hash won't be random. Even the slightest variation from random renders the crypto breakable. If you're OK with some amount of weakness on that score, then you're far better off using PKE -- the whole point of PKE is to get around the key distribution problem.
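
Added example (not part of any comment in this thread): a Python sketch of the pad-from-a-public-post scheme discussed above, assuming SHA-256 in counter mode as the agreed hash and a constructed list of public comments and messages. It shows that the derived pad can only be one of as many values as there are candidate posts, whereas a truly random pad is consistent with every plaintext of the same length.

```python
import hashlib

# Constructed stand-ins for public forum comments that any observer can also read.
PUBLIC_TEXTS = [
    "First constructed comment about the weather in Hamburg.",
    "Second constructed comment, this one about trains.",
    "Third constructed comment: coffee houses and cantatas.",
    "Fourth constructed comment, the one Alice and Bob agreed on.",
    "Fifth constructed comment about old shellac records.",
]
SECRET_INDEX = 3                               # the only secret: which post was chosen
MESSAGE = b"MEET AT THE USUAL PLACE 2100"      # constructed plaintext
ALTERNATIVE = b"NOTHING TO REPORT THIS WEEK."  # same length, different meaning


def pad_from_text(text: str, length: int) -> bytes:
    """Stretch a public text into `length` pad bytes.

    Assumption: "apply the hash to the article" is read as SHA-256 in
    counter mode over the UTF-8 text. The thread names no algorithm.
    """
    seed = text.encode("utf-8")
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (pad encryption and decryption)."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_text_pad(message: bytes, text: str) -> bytes:
    """Encrypt with the pad derived from one public text."""
    return xor(message, pad_from_text(text, len(message)))


def looks_like_text(data: bytes) -> bool:
    """Crude plaintext recogniser: every byte is printable ASCII."""
    return all(32 <= b < 127 for b in data)


def consistent_pads(ciphertext: bytes, public_texts):
    """List (index, plaintext) for every public text whose derived pad
    turns the ciphertext into printable text. The pad space is exactly
    len(public_texts) values, so it can be walked in full."""
    hits = []
    for i, text in enumerate(public_texts):
        candidate = xor(ciphertext, pad_from_text(text, len(ciphertext)))
        if looks_like_text(candidate):
            hits.append((i, candidate))
    return hits


def pad_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """The pad under which `ciphertext` would decrypt to `claimed_plaintext`.

    With a uniformly random pad, this pad is as likely as any other, so the
    ciphertext alone says nothing about which plaintext was sent.
    """
    return xor(ciphertext, claimed_plaintext)


def pad_is_derivable(pad: bytes, public_texts) -> bool:
    """True if some public text hashes to exactly this pad."""
    return any(pad_from_text(t, len(pad)) == pad for t in public_texts)


if __name__ == "__main__":
    ct = encrypt_with_text_pad(MESSAGE, PUBLIC_TEXTS[SECRET_INDEX])
    print("ciphertext:", ct.hex())
    print("pads consistent with readable text:", consistent_pads(ct, PUBLIC_TEXTS))
    alt_pad = pad_explaining(ct, ALTERNATIVE)
    print("alternative plaintext reachable from a public text:",
          pad_is_derivable(alt_pad, PUBLIC_TEXTS))
```

The effective key here is the choice of post, so the scheme behaves like a stream cipher keyed by a short secret rather than a one-time pad.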

        2. Yet Another Anonymous coward Silver badge

          Re: Das Boot?

          We all assumed that this was what "amanfromMars" is doing

        3. hplasm
          Happy

          Re: Das Boot?

          "If Alice and Bob want to communicate they each sign up to el Reg and let each other know the handle they use."

          Alice and Bob and AManFroMars1-in-the-Middle too...

      2. martinusher Silver badge

        Re: Das Boot?

        You use the OTP to exchange a session key, not as the overall key. You can then use a half decent coding system for the message proper because the message would be too short to break the key (if for some reason it was too long then you'd just change the key periodically). The tricky bit would be coming up with a truly random string as the session key.

        The Germans themselves seem to have forgotten their history. The Enigma was a standalone device, not part of the communication channel. It's the same with a communication application -- to the untutored eye it's a single piece of software but in practice the communication part is quite separate from the encryption part. So maybe to amuse them we could send them a whole bunch of Enigma traffic to play with, using modern software rather than the vintage electromechanical device but retaining the setup methodology and settings tables. They can have fun sorting it out (and the message content could be just routine naval traffic from that period, just in case they do figure it out).

        1. Anonymous Coward
          Anonymous Coward

          Re: Das Boot?

          "[...] and the message content could be just routine naval traffic from that period, just in case they do figure it out"

          What if they claim they decrypted it - and the message they claimed they obtained was incriminating?

  11. Anonymous Coward
    Unhappy

    The next step?

    Given the ease with which people who are really keen on secrecy could circumvent this - eg by rolling their own end-to-end encryption - I'm forced to conclude that the next step will be to criminalise the use of communications applications that are not on the Approved list. Dystopia seems to be arriving on a bullet train.

    1. Mark 85

      Re: The next step?

      Maybe add a ban on curtains, locked doors, and you will have a telescreen in every room. The race to the bottom hasn't finished but the bottom is in sight.

    2. This post has been deleted by its author

  12. whitepines
    Facepalm

    Industrial espionage

    So nice to see the last great industrial engine of the EU commit seppuku. Now the East (and certain Western laggards that didn't invest in modern technology) can finish stealing the designs and manufacturing know-how of Germany that was so carefully guarded for centuries, then to top it all off, permanently destroy their infrastructure by fatally damaging the plants via SCADA.

    Just by stealing the "lawful intercept" key and listening for a while. Passwords to SCADA systems, unpatented trade secrets, all kinds of previously secret German industrial data ripe for the picking!

    Or their politicians will realize the end of Germany is nigh and nix this thing ASAP....

    Shame as I always liked driving German cars. Maybe the Chinese copy will cost less? It's not like there is a privacy advantage of Germany over China if they do this...

    1. A random security guy

      Re: Industrial espionage

      German cars are also porous to hackers. You should check out the VW cars which had wide open security holes. VW will not tell you if your car has security issues. And they will not update the systems over the air. And probably even if you ask for the updates.

      1. whitepines

        Re: Industrial espionage

        Oh absolutely, but if they go this far even the fig leaf is gone and I hope China copies everything from their now completely open communications. Then gives me a nice German quality car at a more appropriate price for such an insecure sieve.

    2. DuncanLarge Silver badge

      Re: Industrial espionage

      "Passwords to SCADA systems"

      There are SCADA systems that actually use passwords?

      Where I work we had a new SCADA system installed. Being the IT guys we demanded certain password requirements. The SCADA guys were like "what? you want passwords?". We really had to put our foot down hard to get them to implement it securely.

      It was on its own physical subnet protected by a firewall (both ways). Each machine had only a few whitelisted ports (non default ports) and remote access was only possible from our own machines on certain wall ports.

      They didn't like supporting it remotely, kept complaining about having to look up the passwords and using a VPN to connect...

      1. Anonymous Coward
        Anonymous Coward

        Re: Industrial espionage

        "[..] kept complaining about having to look up the passwords [...]"

        No problem - they would just write them on a big whiteboard opposite the window.

        1. whitepines
          FAIL

          Re: Industrial espionage

          Real life story from some years back.

          Context: public car park for aerospace contractor that also does defense work. What I observed: a large whiteboard full of what looked like technical data in plain view of the lovely large windows overseeing the car park.

          Here's hoping said data was only for the commercial wing of their operation, but still. Scary stuff!

      2. whitepines
        Facepalm

        Re: Industrial espionage

        It was on its own physical subnet protected by a firewall

        OK, updating my story for the proper level of manglement ineptitude. Passwords for the firewalls being intercepted, then having a few rules updated. Who would actually bother to find and turn off the management interface telnet port anyway?

        Bonus points for locking out the plant operators when you take control...

        Legal disclaimer: this is merely a potential threat scenario that is provided for educational purposes on how to properly secure one's physical plant infrastructure from an outside attacker. It is also intended to illustrate how mandatory backdoored encryption makes this critical task impossible in practice.

  13. elgarak1

    These comments were done just before the EU parliament elections. As such, I tentatively consider them to be campaigning slogans, in particular an attempt to schmooze right-wing voters.

    Given that the ruling coalition is one of the losers of this election, the right-wing AfD only a slight percentage gainer (but given the voter turn-out, only got about the same number of votes as in last general election), and the big winners are the Greens (who are infinitely more knowledgeable about such things and won't do it), I hold my breath that such a law ever would come to pass.

    Tentatively.

    (Another thing: The statements came from Horst Seehofer, currently Federal Minister of Interior, formerly head of state of Bavaria [rather conservative; in US terms, if you think Texas=Bavaria, you're not far off the mark]. His special talent – how should I say politely? – is to say nothing in a way that the listener hears what he wants to hear. His public statements often have not much in common with actual policy.)

    1. John Brown (no body) Silver badge

      "These comments were done just before the EU parliament elections. As such, I tentatively consider them to be campaigning slogans, in particular an attempt to schmooze right-wing voters.

      Given that the ruling coalition is one of the losers of this election, the right-wing AfD only a slight percentage gainer (but given the voter turn-out, only got about the same number of votes as in last general election), and the big winners are the Greens (who are infinitely more knowledgeable about such things and won't do it), I hold my breath that such a law ever would come to pass."

      I will freely admit to not following the local politics in the rest of the EU, but here in the UK, the EU elections for MEPs rarely reflect our local Parliamentary results.

    2. TheMeerkat

      You might find that it is the likes of Green who are for government control of the Internet (as their opinion is government-sponsored at the moment), while AfD is constantly coming against censorship of their views (like bans from Facebook or YouTube).

      1. Anonymous Coward
        Anonymous Coward

        "[...] is constantly coming against censorship of their views [...]"

        When the oppressed gain power - they soon tend to implement the tactics they learned from their oppressors. There has long been a misconception that "liberation" movements are naturally "the good guys".

        The behaviour of the ANC in South Africa has been exemplary in confirming Orwell's "Animal Farm" observations about the outcome of such revolutions.

    3. Charlie Clark Silver badge
      Thumb Up

      Seehofer will probably also leave the cabinet at the next reshuffle.

  14. EVP
    FAIL

    So Long, and Thanks for All the Ciphers

    ”Achtung German citizens! An important announcement follows. Bend over and relax. Resistance is futile. Just remember DDR. Rest of the Europe will follow shortly. End of transmission.”

    I’m going to move into a cave and live off eating cones in retaliation. I’ll pay my taxes in pebbles. How about that, fcuckers?

    Good luck Germany in implementing your brain-dead scheme in any remotely secure way. You’ve failed already. Cheering you hear is not us but blackhatters.

    Grrr... People behind this initiative understand technology even less than my one-eyed incontinent cat. Amazing that one is able to hold a government official position and pass that kind of gas from one’s brain at the same time.

  15. Number6

    Surely the quick fix for this is for WhatsApp, Telegram et al to include in their Ts and Cs that use of the software is not allowed in Germany but make no effort to do any sort of GeoIP checking. If they're going to offer 'proper' software for use in the free world and an emasculated version for places that want a backdoor, then anyone with any savvy is going to install the proper one regardless. No one reads the Ts and Cs anyway, so things will continue as normal until the state jumps on someone and there's a big court case, at which point the people either say STOP! or bend over.

  16. DeKrow
    Black Helicopters

    Self-Hosted?

    What can they do about self-hosted systems? Something like this:

    https://blog.cryptoaustralia.org.au/run-your-end-to-end-encrypted-chat-server-matrix-riot/

    Sure, there's a chain to follow to find who's running them, or to just get them shut down or legislate against them so that casual folk are scared off, but "casual folk" aren't the target. There's also "self-hosted as a Tor service" to further obfuscate the trail such that any action by law enforcement will likely be after-the-fact, which appears to be what these new laws are trying to prevent.

    Maybe it's just a whittling away of the less technically savvy terrorists. At the very cheap price of the privacy of casual folks' online conversations.

    Funnily enough, I think the most tech savvy and intelligent terrorists probably moved into "legitimate business" many years ago and are happy with all these draconian new laws that will only work to cement their established positions.

    1. big_D Silver badge

      Re: Self-Hosted?

      Private family discussion servers. I've been thinking of implementing my own for our family.

      But inertia is the problem. Most won't want to switch to something that isn't WhatsApp or Telegram, because everybody they know uses them and they are easy to set up and use. Most people don't care or are oblivious to the problems with encryption anyway.

    2. Mark 85

      Re: Self-Hosted?

      There's also "self-hosted as a Tor service"

      Considering who "invented" Tor, I wouldn't hold my breath on it actually being secure.

  17. Anonymous Coward
    Anonymous Coward

    What the f*ck...

    That is something I would not have thought the Germans would do. Dumb f*ck Australian government but not German.

    1. whitepines

      Re: What the f*ck...

      Apparently the kind of thinking that considers this authoritarian nonsense a good idea wasn't as fully exterminated as we would have hoped post-WWII and the Cold War. Ironically it may have relied on secrecy to be passed down from generation to generation without being stopped or challenged. Or...

      Scary version? This is degraded humanity in its purest form, the desire for one primate to rule over all it can see/hear with an iron fist, to see all, to judge all, and to decide the fate of all with absolute, unassailable authority. It bubbles forth in varying degrees with no provocation other than living around other humans, and cannot ever be eliminated.

      Less bleak/dystopian version: anti-Fascist training needs to be a mandatory part of primary education in Western nations. Including Blighty if certain recent events are any indicator...

      Catch nascent fascists early, then make sure they are never in charge of anything more than keeping the loo stocked and clean. Certainly such tendencies should render them quite unelectable in a perfect world.

      1. Anonymous Coward
        Anonymous Coward

        Re: What the f*ck...

        "anti-Fascist training"

        It is "totalitarian" tendencies that are intrinsic to human societies. The human mind doesn't like uncertainty. For some people it is so debilitating that they seek to exercise control over anything - and everyone - that they believe affects themselves. That includes attempting to control their own thoughts that bubble up to cause them discomfort.

        1. whitepines
          Facepalm

          Re: What the f*ck...

          The human mind doesn't like uncertainty

          The irony of course being that the totalitarian regimes instil fear exactly by causing massive uncertainty regarding imprisonment and death (a sort of FUD on steroids) around any topic, action, conversation, or association not expressly approved by the State.

          By extension, anyone that wants totalitarianism to reduce their personal uncertainty would appear to be lacking two brain cells to rub together.

  18. big_D Silver badge

    After last weekend...

    I would think that they would shelve this, at least for a while.

    Social media blew up in the face of the main parties in the run-up to the EU and State elections last weekend. A lot of YouTubers and social media influencers took to the, um, ether (through Wi-Fi) to tell their followers to vote, but not for the CDU/CSU. This got the party incensed and they showed the total (mis-)understanding of social media in their responses.

    Now the leaders of both the CDU and the SPD are looking at being ousted by their failures at the weekend.

    Interestingly, of all the "major" parties over here, only the CDU and Green bothered to stand for election to the State Parliament - there were only 4 candidates, CDU, Green and 2 independents, AfD, FDP, SPD, Die Linke and all the others didn't even bother to post a candidate. The EU ballot paper on the other hand was about 2.5 pages long!

    But the blow-back around trying to silence influencers is still echoing around the press today. It looks like several posts in the leading parties will see fresh faces in the coming weeks.

  19. Anonymous Coward
    Anonymous Coward

    USENET ?

    I still use it. You'd think it was already being flooded with encrypted messages, some of the garbage that gets posted.

    A plus for hiding dodgy messages is the amount of spam to signal posting in some newsgroups ....

  20. DuncanLarge Silver badge

    The irony

    I had a good hearty laugh when I read this

    "hand over end-to-end encrypted conversations in plain text on demand"

    HAHAHAHAAHAHAHAHAHHAHAHAHAHAHAHHAHHAAHAHAHAHHA

    HAHAAHHAHAH

    HA HA

    It's like telling someone to get in a car and fly to Paris, without using a plane.

    For anyone not getting it: End to end encryption can only be end to end if the "provider" is unable to access the plain text. It's the very definition of end to end encryption. So in effect they are seeking to ban end to end encryption entirely. As soon as someone in the middle of the connection (the provider) has access, you no longer have end to end encryption.

    How are they going to handle people using PGP/GNUPG to encrypt emails? Public key crypto like that HAS no provider. It's entirely controlled by the user, with its own management difficulties due to that. Eventually they will just have to ban end to end encryption in all forms, anyone detected as using it will be targets for the swat teams.

    I say they should go further. Ban non self driving cars (do it now, why wait for everyone to have one?) as anyone using a car that is under human control can then be assumed to be a terrorist who will run people down.

    Ban knives too. Now. Anyone caught with one will be automatically assumed to be some kind of stabber. Makes sense, if nobody has a knife legally then only the crims will! How will normal non-crims cut up food? Well that's their problem just like it's their problem on how to securely send bank account details with no end to end encryption.

    HAHAHAHAHAHAHAHAHAH

    HAHAH

    HAHAHA

    Really it's way too late. Nobody will give up their human controlled cars to be safer when walking, nobody will give up their knives to be safer when telling yobs to pick up the litter and nobody will give up end to end encryption.

    Good luck Germany, if you pull this off you will be a little island on the internet. The "encryption" nudist colony of the world.

    1. GrumpenKraut
      Thumb Up

      Re: The irony

      > The "encryption" nudist colony of the world.

      I am totally going to steal this one.

  21. Fred Flintstone Gold badge

    Wow, how time flies

    I once said that this idiocy shows up roughly every seven years, so we've either screamed through that or the cycle is getting shorter.

    No, I'm not even going to argue why backdoors are as bad an idea as making the brakes in a car optional, if you haven't worked it out by now there's little hope yet another round of explanations will make you see the light.

    Sigh.

  22. GrumpenKraut
    Facepalm

    Calm down everybody...

    It's just Horst "Der bayrische Vollpfosten" Seehofer. Nobody with half a brain is taking him seriously. He is embarrassing even for Bavarian standards, which really says everything one needs to know.

    He once threatened to retire and pretty much everybody went "Oh pretty please do it!". Then he didn't retire.

    1. Anonymous Coward
      Anonymous Coward

      Re: Calm down everybody...

      "He once threatened to retire and pretty much everybody went "Oh pretty please do it!". Then he didn't retire."

      Which equally applies to one Nigel Farage. The irrationality of the mob in human society can be fascinating - as long as one is remote from being swept over the cliff with it.

  23. Kiwi
    Mushroom

    Doomed to failure...

    The governments, meanwhile, say that the apps also provide a safe haven for criminals and terror groups that want to plan attacks and illegal activities

    During WWII the French Resistance were technically a criminal terrorist organisation, who not only managed to plan crimes and terror attacks but also recruit others, plan meetings, move or hide equipment, move or hide escaping prisoners and so on. They were able to do this despite the massive technological and manpower advantages the state powers had.

    Other organisations have operated for years in even worse areas, sometimes without any detection let alone government intervention in their activity.

    We also have the various gangs and other criminal organisations who have managed to operate without significant government interference. And other organisations that are 'under the radar' yet can be fertile recruiting grounds for 'like-minded individuals'.

    All of this just goes to show that 1) the lack of private communications does not prevent criminals planning and 2) the more repressive the regime, the more violent the actions required to end it. If you wish to increase "citizen unrest" then by all means act more like a repressive regime.

    The people in Germany should recall what happened last time their leaders got a bit uppity. The rest of the world should also take note, and take appropriate steps to prevent further abuses by our respective governments (violence is a last resort)

    FTR - I admire the work and efforts of most resistance fighters when working against a repressive regime, including those from France during WWII. Their actions were crimes, true - but they were crimes against unjust or even evil laws and those people were generally doing the right thing for their circumstances (some were acting for less desirable motives, they don't get my respect).

  24. Anonymous Coward
    Anonymous Coward

    "Wir müssen alles wissen."

    "We must know everything."

    Erich Mielke, Head of the East German Ministry for State Security (Ministerium für Staatssicherheit), better known as the Stasi.

  25. Anonymous Coward
    Anonymous Coward

    John Wick will need to put those Germans where they belong... I mean... come on... you are employees! The people are your boss, not the other way around!

    If anyone had employees at home spying or trying to spy on them, wouldn't they just fire them immediately? Or would they accept the "it is for your own protection boss" crap argument?
