Facebook COO Sheryl Sandberg: Crypto ban won't help trap terrorists

Facebook's chief operating officer Sheryl Sandberg has reiterated the social network's position that weakening the encryption of messaging apps isn't going to give governments what they want. Governments and law enforcement agencies are increasingly going public with their frustration that encryption prevents them accessing …

  1. as2003

    If only we could put this much effort into fighting things that actually pose a threat.

    Heart disease, dementia, global warming, etc.

    1. bombastic bob Silver badge
      Big Brother

      "fighting things that actually pose a threat."

      how about lying, manipulative, power-snagging politicians?

      1. Anonymous Coward

        Re: "fighting things that actually pose a threat."

        If we've learned one thing from all the bad news so far this year, it's that in this country, penny-pinching bureaucrats are more deadly than terrorists.

    2. Oh Homer
      Holmes

      "remove electronic protection"

      Unfortunately that's only possible if the service provider is the one providing that electronic protection in the first place, as opposed to me simply jA0EDQMCwk3eqi6OgMbe0nwB4HwL6OA6Er5Eagiur9uolYz2GTptHywchCdxRN3HrZ2MgnTaET5knT69r1oLuwckyTa/PTea/pfGsKfllupmoX7U7EHku/FgMEhHMN0jnmzTF1viKpe2yNqDyJ1DrA2JwfCEv36bZI0sHzaoEIQjlVe5UT6qWWGLiNu1

  2. Anonymous Coward
    Mushroom

    And what if they could access those messages?

    "Governments and law enforcement agencies are increasingly going public with their frustration that encryption prevents them accessing electronic messages."

    Meanwhile citizens are increasingly going public with their frustrations whenever they spot a potential threat and the government doesn't do anything to look into it.

    I'm not just saying; that last British terrorist attack? Several people around the suicide bomber, including people from his own mosque, had raised concerns several times already. According to multiple sources the police had been warned at least 5 times about the individual and in the end he ended up on a list of people to look out for.

    Note... I'm not trying to suggest that if the police had done more they could have stopped the bombing because those are not fair comments to make in my opinion (also always easy after the facts).

    But it does raise a fair concern I think: what good is giving the government even more access into our lives if they have already displayed severe ignorance when it comes to dealing with reports about current threats?

    1. Mark 85

      Re: And what if they could access those messages?

      "But it does raise a fair concern I think: what good is giving the government even more access into our lives if they have already displayed severe ignorance when it comes to dealing with reports about current threats?"

      Right to the heart of the matter there. As for why they want it? Nothing to do with terrorism but everything to do with control and "see, we're taking care of you".

    2. A Non e-mouse Silver badge

      Re: And what if they could access those messages?

      It all comes down to numbers...

      Stella Rimington, the ex-Head of MI5, has said before that you can't follow every suspect 24 hours a day, 7 days a week.

      Secondly, breaking/opening more cryptographic communications will result in more data about suspects. But more data does not mean you have more information on them. It just means you have more crap to sort through to find the nuggets you need.

    3. Anonymous Coward

      Re: And what if they could access those messages?

      Spot on. The haystack is already too big. New powers that make it even bigger are not going to help find the needle.

    4. Trigonoceps occipitalis

      Re: And what if they could access those messages?

      Playing Devil's Advocate:

      If there’s a record of easily decrypted messages then when I report John Smith as a possible terrorist the authorities can easily check the real situation.

      I think that is rubbish. There is plenty of information given to the police about terrorists before the event. More information is not more intelligence, let alone evidence.

      1. kain preacher

        Re: And what if they could access those messages?

        You know, information overload is a common tactic lawyers use here in the US. You sue a company for a defective item. Let's say a defective fuel system. So you request that they give you the designs of the fuel system and any related notes. The company gives you everything possible related to the fuel system, including past designs, designs that were ruled out, notes from a foreign subsidiary in a foreign language, all in the hopes to flood you with so much paperwork you will never find what you are looking for in time.

        They need to be worried about information overload and the ability to discern a harmless nutter from some that can actually do harm. Worse yet, some that can fly under the radar and appear to be normal.

    5. Tom 7

      Re: And what if they could access those messages?

      One could argue that they want a better excuse - if they've been told 5 times someone is a potential problem and they have not looked into it that looks really really bad.

      If, on the other hand, they have 25000 suspicious communications to look through they can sit back and relax that only 5 warnings were missed.

      It's almost like they are setting themselves up to fail.

  3. bombastic bob Silver badge
    Pirate

    open source crypto outside of jurisdiction

    If services like Facebitchook can't provide privacy for people sending messages to one another, then it may be up to open source to provide a solution. It could be stored someplace outside of the jurisdiction of nations that hate this kind of thing.

    (South) Korea has a closed-source method of encrypting bank transaction data that it developed during the 90's, in the middle of the "crypto cluster-blank" where the USA wouldn't allow the export of crypto technology with a full 128 bits [now considered pathetic] of encryption. It uses ActiveX, which forced a LOT of people to use insecure operating systems with insecure browsers to do their online banking, with the predictable results of malware, etc. And it's a closed source encryption tech.

    This article is from 2012, I don't know how relevant it still is:

    http://gadgets.ndtv.com/internet/news/how-south-korea-became-slave-to-microsoft-internet-explorer-223429

    In any case, we've been there before, we've seen its ugly mug, and we know how it's going to behave. The tech will be developed by OTHER countries that are not encumbered by "this kind of stupidity", and will be made available via open source, regardless of whatever "certain countries" might legislate. This goes QUADRUPLE (or more) if BACK DOORS become legislated, since any CROOK will find "the key" for THAT and exploit it, and it would take ACTS OF GODS to fix _THAT_ level of cluster-blanking.

    Anyway, preaching to the choir, probably.

    I mean, how hard is it to set up an instant messenger application that acts like a TORRENT TRACKER, but enables person 'a' to find person 'b' and send something, encrypted with a standard protocol (like SSL), using standard methods of key negotiation (like DH), and sending directly from peer to peer without the need of a "sniffing server" in between???

    1. Velv
      Big Brother

      Re: open source crypto outside of jurisdiction

      The logical conclusion is that governments will outlaw the use of any encryption that isn't specifically approved by them. The upshot being they can and will imprison anyone who they deem has broken the law.

      In the UK today you are required to provide the password for any encrypted storage, and there have been people in prison for this offence. They may be bad people, they may have committed fraud or be abusing children, but they haven't been convicted of any offence other than refusing to provide the password.

      The laws of the Government do indeed beat the laws of mathematics when the laws of government outlaw the laws of mathematics.

      1. Anonymous Coward

        Re: open source crypto outside of jurisdiction

        outlaw the use of any encryption

        -> set up phishing for victim

        -> upon downloading email, install encryption virus

        -> kept data record of encryption on victim device

        -> anonymously alert to gov't

        -> swatting occurs, victim defeated, next target

        It's still math. You can't outlaw math unless you purge it from earth. Just like the U.S. banning alcohol, it didn't work.

      2. Doctor Syntax Silver badge

        Re: open source crypto outside of jurisdiction

        "The logical conclusion is that governments will outlaw the use of any encryption that isn't specifically approved by them."

        I have no problem with them doing that providing they meet my requirement: a full year before doing so they must publish every detail they use for online access including user names, passwords, etc for all their online services including banking, online ordering etc.

    2. Adam 1

      Re: open source crypto outside of jurisdiction

      Take your tin foil hat off. Clearly that sort of thing is impossible. Plus, I need something metallic to mend this stable door.

  4. Winkypop Silver badge
    Devil

    prime minister Malcolm Turnbull

    ...what time is it?

    1. Adam 1

      Re: prime minister Malcolm Turnbull

      > what time is it?

      It's a trick Mal. He is clearly trying to deceive you into using modulus arithmetic like a paedoterrorist.

  5. Anonymous Coward

    You wouldn't keep a secret from a loved one..

    The Government loves you too.

    We only want what is best, for.....us.

    1. A Non e-mouse Silver badge

      Re: You wouldn't keep a secret from a loved one..

      And think of the children...

  6. Anonymous Coward

    Australia needs to rethink this

    What they need is a law forcing terrorists to communicate using email in plain text. Then they will be easy to catch.

    What's that, terrorists won't obey that law? So why would these idiot government officials expect them to communicate using something they know or suspect has been weakened with a back door?

    If I was a terrorist in Australia or the UK or the US and believed that all the western IT giants had been compromised, I'd do something like using a Russian VPN service to access WeChat for communication. Sure, the Chinese have a backdoor into WeChat, and the Russians into their VPN service, but they aren't looking for terrorists planning an attack in the UK.

  7. Anonymous Coward

    Thanks to Sheryl for the input, I'm sure this has nothing to do with everyone getting paranoid and stopping posting their shit to Facebook.

    1. Paul Crawford Silver badge

      "stopping posting their shit to Facebook"

      Last time I looked, Facebook is still almost complete shit so I don't think that has changed...

  8. sitta_europea Silver badge

    If I don't want anybody to read my electronic communications, then I won't send them.

    It's perfectly possible to communicate with people secretly without using FaceBlot, Twatter or WeCrap.

    In fact if you want to ensure perfect forward secrecy, authenticity, data integrity and non-repudiation then you'd be crazy to pay somebody to write a few hundred thousand lines of bug-ridden C when you could just nip to the Post Office and buy a stamp.

    1. Doctor Syntax Silver badge

      "you could just nip to the Post Office and buy a stamp."

      There are at least 3 options for TPTB to deal with that:

      1. In some cases a spray* can render the envelope temporarily clear enough to photograph the contents. That's why a good envelope has a pattern printed on the inside.

      2. Steam it open and reseal.

      3. Rip it open and fake a replacement envelope.

      * Possibly something nasty like a halogenated hydrocarbon - it's a long time since I saw it so I've forgotten the details.

      1. BoldMan

        And then you get to read a letter about Great Aunt Agatha's trip to visit her relatives with a reminder not to forget her hair curlers.

        ENCODING a message is a much more secure mechanism for communications than ENCRYPTING!

        1. Doctor Syntax Silver badge

          "And then you get to read a letter about Great Aunt Agatha's trip to visit her relatives with a reminder not to forget her hair curlers."

          Your name has been taken.

      2. allthecoolshortnamesweretaken

        4. there are handy tools for removing a letter from its envelope and putting it back without opening the envelope. Early models hail from the WW1 era, perfected during the WW2 era, refined into an art during the cold war. Several spy museums have that kind of stuff on display, just poke around the net a bit.

      3. Dave 32
        Coat

        Old School

        Some inks are delible (as opposed to the more common indelible inks). Thus, the process of steaming an envelope open very well may cause the ink to run and smear. Will it be enough to make it unreadable? I don't know; I've never tried it. The trick, of course, may be finding a suitable delible ink, given that most ball-point pens are indelible. However, some fountain pen inks are delible (Yes, one of my hobbies is using a fountain pen; Used one all through high school and college. And, it's getting darned hard to find good ones any more, but they are still available, if you look hard enough. Oh, and don't knock over the ink well. That makes one h*ll of a mess, even with delible inks. That's why desks used to have a depression, so as a safe place to sit the ink well. But, when's the last time anyone saw a desk with an ink well depression in it?).

        As for recording the return addresses, as mentioned by another poster, I don't know of any post office which does verification on return addresses (well, unless the letter is refused and returned). So, I could put my return address as Donald Trump, 1600 Pennsylvania Avenue, etc., and almost no one would notice.

        As for ripping the envelope open, and replacing it, remember that one of the spy techniques used in the past was to place a microdot under the stamp. Thus, the contents of the letter were totally useless. But, the recipient would steam the stamp off and remove the microdot with the secret information on it. Ok, so photographic methods have mostly disappeared by now. But, couldn't a similar technique be done with a laser printer with sufficiently high resolution? Who wants to try it? (Oh, note that the information being printed doesn't have to be Latin-alphabet text. It can be something like a QR code, or some type of dot matrix encoding. And, even if someone did find this, would they have a clue as to how to decode it?).

        Also, don't forget that it was common practice, in decades past, to write a normal letter, and then to go back and write a secret message in invisible ink (One of the more common "invisible inks" was lemon juice.). How many people even look for invisible ink any more?

        There are probably LOTS more techniques I haven't mentioned. Just remember "Those who do not learn from the past are doomed to repeat it.".

        Dave

        P.S. I'll get my coat. It's the one with a copy of "Between Silk and Cyanide: A Codemaker's War 1941-1945" by Leo Marks, in the pocket. Oh, that's a thoroughly enjoyable book, for anyone with an interest in the SOE, or the history of WWII, or cryptography...

    2. allthecoolshortnamesweretaken

      All letters are processed by sorting machines that scan the address in order to do the sorting. If you also scan the letters for the sender's return address, you have pretty good metadata on who is in contact with whom. Even if there is no sender's return address, this would raise a flag - X gets lots of anonymous letters from region Y.

      As this is relatively easy to implement, I wouldn't be surprised if it is already done here or there.

      1. Doctor Syntax Silver badge

        "Even if there is no sender's return address, this would raise a flag - X gets lots of anonymous letters from region Y."

        Business letters normally have a return address. Personal letters? Very rarely.

        YMMV

  9. Fred Dibnah

    Pedantry

    It's Desert Island Discs.

  10. Adam 1

    Dogs and cats living together! Mass hysteria!

    I find myself in agreement with both Facebook and Bob.

    /Checks for four Horsemen

    1. allthecoolshortnamesweretaken
      Coat

      Re: Dogs and cats living together! Mass hysteria!

      Yes, it's the apocalypse all right.

      Mine's the one with the lead lining and the gas mask in the pocket.

  11. kmac499

    Reason for snooping..

    HMG and all other G's always quote their first duty is the protection of the people and state.

    If the public is attacked either physically, cyber or whatever then the government is shown to be the Emperor with no clothes, and once trust is gone....

    Personally I'm grown up enough to realise no Gov't can protect its citizens from every threat going. So stop obsessing about surveillance and concentrate on real long term threats.

    1. Doctor Syntax Silver badge

      Re: Reason for snooping..

      "So stop obsessing about surveillance and concentrate on real long term threats."

      And stop becoming that long term threat yourself.

  12. The Central Scrutinizer

    After watching tonight's 4 Corners program, I'm more worried about BEA and the shitware they sell to corrupt and repressive governments. All in the name of "national security", don't you know?

  13. Anonymous Coward

    Sounds like we need a Barclays Digital Eagle...

    "Did you see what I did there?" Oooh yes sexy redhead telephone girl, I did.
