Will there be no end to govt attempts to break encryption? Hand over your data or the kiddies get it, threaten Five Eyes spies In a move as predictable as it is wearisome, a bunch of government security agencies have got together and demanded we let them have our data. This latest spooky manifestation is a collection of the Five Eyes - the US, the UK, Canada, Australia and New Zealand - and for some reason Japan and India. Let’s call this coalition of …
As usual, politicians asking for a magic unicorn to solve all their problems, so they don't have to pay money to have actual police officers doing proper work.
Because that would mean they'd have to pay for those police officers, which would mean it would come out of taxes, which might have to go up, which would mean rich people would go buy their cocaine and luxury yachts somewhere else and that would be a tragedy for the economy. Or something like that.
so they don't have to pay money to have actual police officers doing proper work
Nope. You're falling into the trap. It's not about stopping crime. It's about stopping thoughtcrime. As pointed out in the article, actual criminals are already using (probably multiple layers of) encryption that won't be affected by this hypothetical backdoor: If JIANUSCUK get what they want, it will have near-zero utility for its (publicly) stated purpose. And they know it. They're lying - the actual purpose is that they want more mass surveillance. Pure and simple. That's pretty much all this would achieve (well, apart from making everyone less secure).
To engage in discussion about how backdooring encryption will help stop crime is to fall into the trap and believe their bullshit framing story. It won't help stop crime. It's not a cheaper, easier alternative to real police work. All it will do is help stop thoughtcrime.
I think you're givng them too much credit,. While there may be a bit of misdirection here, these are the same policitians who routinely make calls for finding out "what we do best and finding more ways of doing less of it better". (W1A). That's even assuming they can remember the policy they've just announced.
I disagree. There are enough people in the chain of bureaucracy for any government decision, let alone when a bunch of governments get together as they have here, that it's vanishingly unlikely that there wasn't at least one person in all those chains who would:
a) understand and point out that doing it without compromising security is impossible
b) remember and point out the last time this was suggested, and the response that doing it without compromising security is impossible
c) remember (or be aware of) and point out the time before that, with the same response,
d-x) remember and point out the 20 times before that.
Perhaps all the people who signed the letter are just massively incompetent and not qualified to run a hotplate in a fish n chip shop (though I have a hard time believing anybody is that incompetent and still able to dress themselves), but whoever actually wrote the letter knew exactly what they were doing. If you need evidence of that, look at the wording around the "we challenge the assertion that this cannot be done without compromising security" bit. This is not stupidity at all.
politicians asking for a magic unicorn to solve all their problems
You assume they MEAN WELL.
I suggest they are playing "think of the children" to MANIPULATE people into letting them take more freedom and put us ALL under surveilance. This is the kind of thing that gummints do, in a POWER GRAB.
I love the "real police work" example by French police with the use of warrants to crack the phones of people they wanted to spy on. WELL! DONE! FRENCH! COPS!!!
The rest of the world (including USA) needs to get a CLUE, and stop being LAZY. _REAL_ police work, please, and NOT blanket surveilance. [that violates the 4th amendment anyway]. GET a WARRANT.
(followed by the usual 'genii out of the bottle' 'open source encryption examples' 'de-CSS example for DVD playback' 'PGP and IDEA' 'when encryption is illegal, only criminals will have it' and so on)
Here in the US the FBI and local police stopped doing "good police work" back in the late 80s early 90s when they took down the big Mob Bosses. They considered their work done. The result was disastrous! With the Mob bosses gone the young punks went wild and the police had no clue how to control them.
And I agree, this had nothing to do with preventing/stopping crime and everything to do with surveillance of the populous.
These calls for security and "targeted" surveillance are completely futile as they've been playing this same ol' record for years and years now and the tech companies seem to be ignoring them completely.
If LEA and Intelligence agencies believe it's possible for tech companies to put in a backdoor without compromising security, maybe they can tell us how, in the open and in public. Chances are the proposal simply contains a "secret key" somewhere in the program. But they'll promise to keep it a secret because they're good at that.
Nothing's going to happen, unless governments pass laws to enforce these backdoors, like they've done in Australia. I still haven't seen any evidence that any tech company responded by adding a backdoor. More likely we'll see legal challenges and fines by Australia to force companies like Facebook to tow the line.
Currently, there are huge gaping holes in the security of many end-to-end encrypted products. WhatsApp, for example, removes the encryption if you backup your conversations to Google Drive. And let's face it, there's always someone in your secret chat group which doesn't know this and backs up their conversations to the cloud.
But LEA and intelligence agencies are probably foreseeing that these loopholes will be closed in the near future, shutting them out.
iPhones can be backed up in two ways, one via USB to a PC/Mac running iTunes, the other via iCloud. If you backup to a PC, you can choose a password yourself with which everything is encrypted. If the Feds got your PC they'd be unable to access your backups unless they can guess/crack that password, so they'd have to break into your phone.
If you backup to iCloud, it is encrypted in transit with a random key set for the connection, and then at rest on the iCloud servers with a key Apple controls. There is no way to set a key you control for an iCloud backup.
Some things are automatically encrypted for the iCloud backup, so stuff like your phone's password are protected and can't be accessed in cleartext even from an iCloud backup. However, text messages / iMessages are not, which is how Apple is able to respond to subpoenas requesting those from people who use iCloud.
Apple has taken many steps to increase their security - it isn't perfect, there are always bugs, but if you read the iOS Security document available for download from Apple it is pretty impressive how many measures they take. But one very obvious step they haven't taken is to let a person set a password/key they control for their iCloud backups.
I strongly suspect this is only because they know the FBI would flip out, as most people use iCloud for backups due to its convenience which provides them a way around Apple's otherwise strong encryption measures. I wouldn't look for Google to step on that particular cat's tail either, for fear of having laws like the ones this article is about getting enacted and making things worse for everyone.
More likely we'll see legal challenges and fines by Australia to force companies like Facebook to tow the line
At which point Facebook and anyone else the Australian government fines for not doing the impossible will probably remove any and all corporate presence from Australia and subsequently ignore them. Alternatively they'll simply withdraw their service, sit back and wait for the screams of outrage.
> There is no way the military and intel comunity would want back doors
What have the military or the intel community to do with it?
Keep in mind those measures are for the Great Unwashed, not the PtBs: The military can carry arms, the average Joe in the streets can't. This is just an attempt to outlaw yet another item threatening their full control over the masses.
Since saying "Hey bozos, we want in on all your little secrets" might create some resentment, they try the time-tested guilt trip trick: Do you hear the poor little children weeping because of your cruel selfishness? The cute poor innocent little children? You bad, bad person?
Ref "What have the military or the intel community to do with it?"
Literally nothing.
The politicos just tell the media it for “5EYES” to try and justify their proposed actions, suggesting it is for combating terrorists, hostile state actors and other bastards wanting to use persistent nerve agents in the UK, et al.
What it will actually get used for in the medium to long term is the bent copper retirement funds, flogging the information to the Murdoch press, organised crime bosses, etc.
In the short term; whatever wiz idea the politico thinks is the latest band wagon to hop until the next news bulletin
Seriously, WTF does this mean?
"What it will actually get used for in the medium to long term is the bent copper retirement funds, flogging the information to the Murdoch press, organised crime bosses, etc."
It was not the Murdoch press or any of the people I guess your trying to disparage here that utilized the power of the state to try to remove a sitting president of the United States? It was the State security Bureaucracy and the Leftist state Media!
No idea how cryptography works, either. Don't necessarily need a computer to do the math, but it sure is faster.
(...as long as you don't mind side-channel snooping. Then again, I'm sure anyone truly determined could side-channel the activity of my desktop printing calculator, too. No shielding, that's for sure.)
Online "trust", and the concept of encryption, only works if one can feel reasonably certain that the communications between the server and the user is secure, encrypted, and untampered with.
If you want access, this implies that there is an intentional weak link that permits you to see what, cryptographically, you should not be able to see. And if you can see, then not only can others see, but there's the possibility that you or others can modify.
It's at about this point that trust evaporates.
Because, believe me, if it is known that there is a backdoor, then people far smarter than you in countries that you would consider hostile will be pulling apart your entire algorithm bit by bit. And when that weakness is known, the entire security theatre is useless.
Don't take my word for it, Google for "webrip" and "bdrip". All the encryption and protection thrown out by the movie studios has not done a whole lot to stop piracy. Build in a weakness, it will be found.
@heyrick
Quote: "Online "trust", and the concept of encryption, only works if one can feel reasonably certain that the communications between the server and the user is secure, encrypted, and untampered with."
While this true, there some other aspects to "trust" -- or lack of it.
1. If the encryption is provided by a service provider (e.g. Signal) then the user is trusting Signal. This need not be the case if the user is using private ciphers BEFORE the message enters the channel. In that case the user has moved the "trust" from the service provider to their own encryption.
2. What the quote fails to recognise is that metadata can still tell a snooper something about what is going on -- even if the DATA ITSELF is encrypted. The NSA and GCHQ and all the other spooks are still able to collect metadata about the account holder, the IP address, the location of the originator of a transaction and a time stamp. If needed, an internet service provider can be persuaded to provide details of the content of transactions which match this metadata. (And that's before we consider matches with widespread camera data.)
*
Someone wanting A VERY HIGH LEVELS OF "TRUST" needs to address BOTH item #1 and item #2. The ONLY way to do this is to ensure that the transactions which a person initiates are:
a) Using private ciphers, and....
b1) Using an anonymous end point (no link between an account and a person e.g. with a burner phone) or....
b2) Using an end point deliberately linked to some other person or organisation (e.g. hijacked WiFi, internet cafe, VPN, etc.)
*
And even if either b1 or b2) is in place, the person needs to take additional precautions:
c) Ensure that their "honest citizen" phone is never active at the same time and place as the burner phone
d) Ensure that transactions are always sent or received out of the view of CCTV
e) Ensure that they do not "give the game away", for example by using a personally identifiable account (say checking email or FB)
*
And if these precautions are not onerous enough, the RECIPIENT(S) of the "trusted" messaging need to be taking exactly the same precautions.
*
Still, from all of the above, it's absolutely certain that with planning, training and care, anyone, any group, can increase their "trust" in their communications WHETHER OR NOT the spooks deploy backdoors!!!!
I seem to remember an Australian PM who said something on this topic on the lines of "we don't obey the laws of mathematics here, we obey the laws of Australia".
However there are encryption systems - one time pads, for example - that can defeat any attempts at breaking regardless of any desires on the part of "authorities". Of course there are also codes, that can be entirely impossible to break unless coercion is applied.
The one time pad is unbreakable provided you can secure the pad and never reuse it; but you still hit on the key distribution problem of getting the pad to the other user.
Fortunately, GCHQ discovered the solution to that issue back in the 1970s with public key encryption which - oh bugger - kind of gets in the way of authoritarians everywhere.
The problem with OTP encryption is that it becomes trivial to construct a OTP that will decode the encrypted message into anything you want. Thus the ptb can first prove that the encrypted message came from you, then produce a OTP that they claim to have recovered or "cracked" which shows the message was a terrorist plot or kiddie-porn etc. You cannot do the same with a message encrypted with PGP, AES or 3DES etc. Only one unique key will result in an intelligible decode.
I can just tell the authorities to SOD OFF and I will go completely open source code written in HTML-5 if I have to, or any one of the 20 computer languages/assemblers I know and am quite good at when coding INVARIATE, CODE-BASED or ONE-TIME PAD based anti-quantum computing encryption-breaking algorithms (i.e. Shor's) that works on my custom coded text, audio and video communications software.
Since I store and run ONLY WITHIN the Level-0/Level-1 caches and local registers of the CPU themselves I can PREVENT Ring-0 or even Ring Negative-ONE hypervisor code/BIOS code from seeing/intercepting the keys and plaintext data!
I think I can EASILY MAKE Australia OBEY the rules of MATH!
V
Instead of complaining nobody will do it for you commission someone to provide software to do this. It must, of course, stand up to expert infosec inspection to ensure it actually does keep out miscreants, including ensuring that collected data can't get leaked or misused.
When you've cracked that you can go ahead and get it used.
HMG is already spending a reputed £7k PER DAY per 'consultant' for the UK's Covid-19 Test Track and Trace 'world beating' system. We cannot afford yet more wild goose chasing, thanks.
I cannot help feeling that this is basically a test of pubic attitude towards backdoored encryption products, as the various security agencies, GCHQ, NSA etc. will have undoubtedly informed their ministerial bosses that what they claim to want is not technically possible.
I also wonder whether it would apply to the banking sector and businesses using encrypted VPNs for secure communications between sites of company sensitive information. I wonder whether the powers that be asking for this have considered the possible court case where someone is charged with releasing company data that affects share dealing prices, but claims the backdoored encryption was responsible and sues the government.
Given how interested nation-states are in commercial data, of course they want the content of VPN traffic. The US used to assert that commercial data was not collected by their intelligence agencies which "lie" held up until it came out that the US Trade Representative was on the Top Secret and SAP/SAR distribution lists. Oops.
Instead of complaining nobody will do it for you commission someone to provide software to do this.
Hello, Doctor. I like this. In fact, how 'bout we up the ante a bit? We'll use this mythic software to encrypt the account number of some bank account that holds 1000 bitcoin, and a verified copy of the pee-pee tape. Should1 this be cracked, the cracker gets to keep the 1000 bitcoin, and may distribute the pee-pee tape as s/he sees fit, without any recrimination.
(What do you set the over/under as to the amount of time it will take to "prove" this software as not secure?)
1Read: When.
It seems from another Register article that they will soon face Quantum Key Distribution as well as the mathematical challenges of public-private key encryption.
https://www.theregister.com/2020/10/20/toshiba_qkd/
"Toshiba has said it is ready to start selling a commercial quantum key distribution (QKD) product, and will eventually move to offer QKD as-a-service."
That was set to repeat each year. Nobody knows how to turn it off. The password for the account is forgotten and encrypted! That's it, they want the back door so they can log into the agenda account and turn off the agenda item repeat for encryption backdoors event... or so they say.
Suppose people were to use private ciphers BEFORE messages enter the channel. It's widely held the private ciphers are crap. It's also widely believed that RSA, PGP etc have been cracked. So what is someone to do?
*
Well....EVEN IF PRIVATE CIPHERS ARE CRAP, they still have an excellent asymmetry property for their users:
- Users get real time communications
- Snoops have to wait till the cipher is cracked
*
Look up the Beale Papers (enciphed in a private cipher). Two of three messages have still not been deciphered (for more than a century). And that's with a book cipher -- widely held to be crap.
*
Anyway....the delay for the spooks puts them on the back foot....irrespective of the quality of the private cipher....and they may be on the back foot for long enough that the original message is well beyond its sell by date!!!!
"It's also widely believed that RSA, PGP etc have been cracked."
Any chance of a reputable reference for that? If the factorisation of large numbers has been 'cracked', that is a major event in mathematical logic / complexity theory. Probably get you an Abel or Turing prize, or at least a nomination.
I read it as "It's also widely believed [among the kind of anonymous coward crackpots who think the Beale Papers aren't a hoax] that RSA, PGP etc have been [secretly] cracked"
Regarding asymmetry, that's essentially one of Impagliazzo's five worlds (one variant of his 'minicrypt' I think, or maybe a less pessimistic version of 'pessiland') where there are severe limitations on one-wayness of functions. Maybe that's a more realistic compromise model for our security services to argue for (notwithstanding the mathematical reality)?
As soon as the government and intelligence services makes all their databases and emails available for public scrutiny, I will consider letting them look at all my data also. But it is of course pretty certain that they have *far* more incriminating data to hide than the average citizen, so that will never happen.
What part of "Stop Digging a FCUKing Great Burial Hole for Yourselves" does the System not understand ...... People Need to Reclaim the Internet
* Yeah .... it is inevitable. And how very odd that they do not see it. Ah well, Einstein obviously knew them extremely well ....... “Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” ...... "Insanity: doing the same thing over and over again and expecting different results."
How come they still can't break a simple chip code?
I mean the 4S is over a decade old now, but supposedly Apple blocked the "chip-off" method long ago.
It seems that the main problem is that without the CPU with its baked-in AES key the odds of getting anything
coherent back are slim to none.
The memory itself is quite a common one (16GB Toshiba)
While national intelligence agencies are making a lot of noise about encryption, causing outrage and incredulity that they can be so stupid about the 'laws of mathematics', they are busy making use of all the already existing 'back doors', and using this as a pretty successful distraction strategy.
As several commentators have pointed out in this and previous articles on this topic, One Time Pads and dictionaries of code-phrases* are uncrackable in themselves without a copy of the One Time Pad or the code-dictionary.
However, as students of secure communication learn at their mothers knee, it is very important to ensure that your security end-point is separate to your communications end-point. It doesn't matter how well your message is encrypted if you decode it on a completely compromised piece of equipment so the plain text lovingly decoded can be grabbed and exfiltrated. The average member of Joe Public cannot obtain uncompromised hardware. The military find it difficult.
The 'secure' phones compromised by the Dutch police had malware inserted on the phones that took copies of the decoded messages. All of the apps on mobile phones rely on the operating system, the processor, and the modem, none of which the user has control over**.
In addition, theoretically good encryption is compromised by poor implementations that have gaping side channels. The AES code produced to show how AES worked, and used as a basis by many people had not been hardened against timing attacks etc. So a good algorithm generated by an open evaluation process was compromised in many applications because the side channels were easily exploitable. Having a good algorithm is less than half the battle: making sure the implementation in hardware is secure is hard.
So while the security services are making a song and dance about encryption, they are busily exploiting all the flawed implementations, 'influencing' standards committees to adopt standards that are difficult to implement well, and making sure, probably with the help of Hollywood and the MPAA that any equipment you can buy implements 'Trusted Computing', which is to say, trusted by them to execute programs you have no control over.
If you want to send a secure message, encrypt it on hardware you can trust: which might be pencil and paper, and only put the encrypted text on the communications link. Even then, unless you have thought in advance how to deal with the metadata, you won't be as safe from discovery as you think.
It's all a game of misdirection. If you want to send secret messages easily, campaign for open hardware that can be audited down to gate-level, designed by people who understand about side-channels. Even then, unless you have a good plan on how to deal with the metadata trail, you won't be able to hide from 'the authorities' for long if they really want to find you.
NN
*e.g. 'the swan flies south for the winter' means 'cancel the operation to put polonium in the targets tea'
**There are a few nerdy exceptions for the operating system, and possibly the bootloader. Not exactly mainstream, though.
The implied assumption of the 5idiots, uh, 5eyes, is that the 'crims' will only ever use 'commercial' encryption tools, and as soon as the 5idiots prevail upon the tech companies to compromise their encryption, it will be all sunshine and daisies.
what is to stop well heeled crims from getting their own tools with encryption that doesn't have the shiny new backdoor in it? "oh, no, it's illegal for us to not have a backdoor in our encryption technology, we better stop our other naughty activities."
All this posturing and pouting like children when they are told "no" ignores the fact that the crims are not fools, they are well heeled, and many of them are very very smart and can write software.
Sure, it's not a "good idea" to write your own encryption algorithm, but there are plenty of examples of code out there that are quite robust that could be incorporated (without backdoor)
5EYES is a military and inteligence coperation agreement.
Think it through, SIS have how many people chasing how many global hostile actors
They are not going to give a fig about the HO crime stats, or any other drivel that comes out the mouth of Petty Vacant (Sorry Priti Patel).
I invented one a while back but got downvoted back to the Stone Age.
But yes OTP based on widely distributed data (cough NASA raw files /cough) is possible.
By XORing the data with numbers in a huge near random file a secret message can be sent where intercepting either part won't help without the
offset position within said huge file, and the other half looks like either corrupted JPEG which is common on cheap memory cards and/or phones.
So there *are* secrets hidden in the Surveyor data, but not the ones people think.
AC because they know where I live.
when will they learn, they cant do this, it just isnt possible
If they do the work, they just dont need to, as the french and Dutch proved.
Anyway, most of the gangs they bust are by getting someone to flip, and they can just give LEOs access to the system.
they just need to accept the decades where they could get away with lazy work of wire taps and transcripts are over, and they need to go back to intercepting the endpoints.
I cracked backdoors in the 70s.
We have seen that Chinese security agencies already have infiltrated IT operations in many businesses and government agencies.
I can guarantee that mandated backdoors will pave the way for the Chinese (and other bad actors) to have easy access to everything.
Politicians' and their families' private affairs will become an open book to the Chinese who can use them for blackmail. Politicians under the thrall of China will be unable to pursue public policies unacceptable to China.
The impetus to mandate backdoors has the Chinese and other bad actors rubbing their hands in glee.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
