Nope, the NSA isn't sitting in front of a supercomputer hooked up to a terrorist’s hard drive Not since the days of the US Clipper chip in the early 1990s, have backdoors put there by government decree to bypass encryption been this fashionable with governments. Clipper – an encryption chipset with a US-government-accessible backdoor backed by the US National Security Agency (NSA) – foundered on the stubborn resistance …
"While big organisations can overlay their own encryption on cloud, that’s not true of all services."
Individuals can also put their own encryption overlays on cloud storage, and should be doing so now anyway. Some services, like nCrypted Cloud & Boxcryptor, are free for individuals.
China helps shed light on the types of people Govt really want to target backdoors at. Slurprisingly its not terrorists or actual bad guys, its more likely to be activists and journalists etc:
________________
"AI-powered CCTV for automated facial recognition and population monitoring is widely used in China, with English-language propaganda from the Communist country being carefully sanitised to make it appear that the tech is only used to catch criminals and boost public safety. In reality the system is used by the State to hunt down and capture those who might embarrass officials, among others."
________________
https://www.theregister.co.uk/2018/09/04/5g_west_midlands_testbed_50m/
Quite plainly, it is a stupid proposal. Access to keys stored at the ISP doesn't accomplish much. In any end-to-end encryption system, such as with OpenVPN, the ends each have sole access to their private key. The ISP cannot possibly grant anyone access to it.
Thing is if the 5-eyes get together and demand that companies in these regions give them this back door, what will the rest of the world do?
1) Say "Its a fair cop, we trust you, here you go gov'ner"
2) Say "No 5-eyes software or services here" and thus provide a gov-mandated alternative for EU/Russia/China/India/etc
All it needs is one jurisdiction that values privacy very highly and won't be bossed about, like the EU or Switzerland, in which a company can set up data centers supporting end-to-end encryption for applications like email, instant messaging, file sharing etc.
Anyone in the US or a 5-eyes country can have an account with such a service, and 5-eyes can't do anything about it unless they want to go the full China-style Great Firewall. Even then, using VPNs, TOR etc can get around it.
I understand what the spooks want, and why, and I even get the historical justification about law enforcement in a modern democracy where warrants are an important part of the legal framework. But what actually will result if they get mandated 'legal access' to any systems based in their jurisdictions is that criminals will use other systems, normal users will get more paranoid, and the Internet will be effectively broken up into a number of subnets split by political bloc
"I even get the historical justification about law enforcement in a modern democracy where warrants are an important part of the legal framework."
Law enforcement has never had (even with a warrant) access to the contents of someone's head. (That's not to say it has never tried. The resulting societies have not been fun places to live.) Likewise it has never had access to the vast majority of private conversations between people. Somehow it has managed.
Let's assume that any proprietary encryption system - be it Skype, Whatsapp or whatsever is tainted.
Is there not a solution by simply adding another layer - of known, good encryption - over the top ?
Rinse and repeat ?
Moreover, is there not scope for an encryption technique which uses two passkeys, and which renders an anodyne innocent message when supplied with the "duress key" ? Off the top of my head, embedding a simple* text message (which could be a URL which leads to another ...) in a nude selfie and then encrypting that. Few people would be able to argue a nude selfie is an odd thing to encrypt and if the steganography is done correctly** there's no trace of the other message.
*"Simple" - most bad guys fall down here and make things waaaaaaaaaay too complex
** Aye, there's the rub ...
Apps on phones such as whatsapp run in their own memory space so it is not a simple task to add another encryption layer on top without rooting phones and such which cuts out most users. A keyboard app could potentially convert what you type ad copy to clipboard and convert replies but it would be far from pretty and straight forward which is what app users want.
The NSA/GCHQ's are being crafty now and instead of asking for backdoors in encryption, they are asking technology companies to implement sly changes which means no backdoor is needed. Skype conversations used to be peer to peer and never touched servers so one assumes they got Microsoft to buy and change the product so all conversations went through their servers for the 5+ eyes benefit.
One assumes Whatsapp went out of their way to help the government agencies by adding a chat backup option, an in your face popup to all users asking if it should be enabled and when they do, it disabled the encryption of their chats. The backup of their chats are also stored on their servers indefinitely for the 5+ eyes too.
So expect more sly changes like these as technology companies shout publicly that they are fighting for your privacy while still looking you eye add these privacy defeating changes they hope you don't notice.
"so it is not a simple task to add another encryption layer on top without rooting phones"
Maybe not but bad people can go old school and come up with code of their own, like "the geese fly to the pink elephant tonight" and they'd not have a scooby what they were talking about without an informant. So maybe they should stick to proper spying and concentrate on paying bribes to informants.
Do we actually still have Bond types out there or have they confined them to desk duties now?
Also your point about WhatsApp backups, hadn't actually considered that!
"they are asking technology companies to implement sly changes which means no backdoor is needed."
Those "sly changes" are a backdoor. a backdoor doesn't mean the crypto itself is broken, it means there is a way to access the clear data despite encryption. That way can be (and often is) interception of the clear data before legitimate encryption or after legitimate decryption.
"One assumes Whatsapp went out of their way to help the government agencies by adding a chat backup option,"
That's one of the problems. What are you to Whatsapp? A dust mite on a flea and they don't care about you as an individual at all. If the government puts a wee bit of pressure on them or even just asks, they'll throw you under the bus in two shakes (less time than it takes a nuke to trigger).
It's amazing how much companies like FB get away with and part of it could be how well they play ball when governments come calling. Sure, Zuckerberg has been called out on the carpet a few times for bouts of complete stupidity, but I don't recall hearing about any substantial fines being levied (or paid) and Mark isn't even wearing a tracking ankle bracelet.
The first to capitulate will be social media and cloud services. Big companies will be more likely to fight like dogs since backdoors could expose some of their better hidden skeletons.
they'll throw you under the bus in two shakes
Future tense? I think Whatsapp threw everyone under the bus some time ago, likely after being bought by one of the 5-eyes outsourced spying agencies. There's no way that treasure trove of metadata isn't well and truly sitting in Utah.
As the article says:
it’s no secret that encryption has become a problem for police. It’s not necessarily that they can’t break it at all – every system has its design weaknesses and vulnerabilities - but they can’t do it presquickly [sic] enough to conduct surveillance on enough targets for that to make a difference.
And you have to have a reasonable definition for 'enough'. They're complaining at the moment because it's not reasonable. If it were (e.g. restricted to criminal suspects), we wouldn't be having this discussion at all.
Anyway judging by the current governments in US, the UK, and Australia, TPTP seem to be threatening their own wealth and power.
just questioning the motives of the backdoor supporters makes it much too easy for them to paint you as a paranoid lunatic or move the debate to a pseudo moral level of good vs. evil.
But even IF every proponent of such a scheme might hold only the sincerest of intentiions for advancing the public well-being by helping law enforcement against the commonly agreed-upon really bad guys - secret government backdoors to encryption do not work also in this best-case scenario.
So intentions do not really matter here...
Law of mathematics/physics cannot be overruled by law of justice.
Just as you cannot pass laws to change gravity, you cannot pass laws to enforce decryption in the middle of an end-to-end encrypted data transfer.
The only alternative is to force companies by law to roll out defective encryption that opens all communication, mail, bank accounts, etc. to criminals.
Which government official wants to explain why that might be a good trade-off?
"The only alternative is to force companies by law to roll out defective encryption that opens all communication, mail, bank accounts, etc. to criminals. Which government official wants to explain why that might be a good trade-off?"
And how long will it be before his or her bank account number is public knowledge?
"And how long will it be before his or her bank account number is public knowledge?"
For high government officials, the first time there is a problem, they will vote their own very separate banking system that has the best encryption possible. In the US, the government voted in a horribly flawed health insurance system disguised as health "care" with the congress critters getting their own very separate and much higher quality health service. Some pigs are more equal.
We should wonder or ask (not sure who to ask) is this also for government officials? In US, would Congress types have their messages/chats watched? Would this allow controlling how a CongressCritter votes come budget or "powers" time? Once the system is broken for the bad guys and the little people, can the government itself be far behind?
I have it on good authority from a source I trust that the someone like the NSA have bought up all of one particular model of supercomputer as they hit the disposals lists, and have created a monster encryption cracker with them.
The ones that I was involved with were very carefully uninstalled by the dedicated third line maintenance team as working systems (albeit with the data scrubbed from the disks), in a manner where they could be redeployed quickly. I was told that they were going to be re-manufactured and have the processors and memory upgraded to be added to an existing large cluster run by an organization that could not be named. I was also told the next owner 'loved' this particular architecture because of what they could do with it.
By contrast, the previous two generations of supercomputer I saw that were removed from this site were ripped down to their rack mountable components before they were removed.
I don't think the resultant system would be able to do real-time decryption, but I'm sure there are other less time dependent decryption jobs that could be done with this type of machine.
It wouldn't surprise me if they have access to be able to use every idle CPU on the Amazon cloud along with some tools that distribute the load of the job. No supercomputer needed when you can have a million computers working for 2 minutes on their section of the same job.
I have it on good authority from a source I trust that the someone like the NSA have bought up all of one particular model of supercomputer as they hit the disposals lists, and have created a monster encryption cracker with them.
Ther are good reasons why anonymous 'but I trust them' sources tend not to be welcome in the public domain - even if the latest Trump debacle was cheering and reinforced opinions on thoe who though it was the case..... (being one myself - but I am still curious about the morive(s))
My source was not anonymous - I could name them but won't, and he gave me strong hints rather than solid information, and I have pieced together the rest.
I could have made incorrect assumptions, true, but what I was told definitely pointed in this direction, especially as many of the team that I talked used to fall off the map for days at a time, with no other explanation other than they couldn't say where they had been, and that it was within (US) driving distance of their base location.
I'm anonymous for this info, but I do post under my normal handle here as well.
I'm anonymous for this info, but I do post under my normal handle here as well.
You believe that you're really anonymous? Is there some document somewhere that explains how your post can't be tracked? I'm just curious as there's always ways to find "anonymous" in any system.
I think you've misunderstood the claim in the headline (or the headline is wrong). No one who knows anything about the NSA - e.g. from reading The Puzzle Palace or any of the other well-known treatments of the organization - thinks they don't have supercomputers. The NSA has extensive computing resources of various classes; that's amply documented and uncontroversial.
The point the headline is making is that there's no (credible) evidence that the NSA or other organizations have magical computing capabilities which let them break properly-implemented modern cryptography. It's very likely that they have had certain cryptanalytic capabilities before they were publicly known - differential cryptanalysis, for example, and the ability to break DH when it uses weak, well-known parameters. But not TV-style "it's encrypted - it'll take me a few hours to break it" capabilities.
That's why they're pushing backdoors. Nation-state SIGINT operations will work on all fronts available to them - that's their mandate. So they have cryptanalysts and mathematicians looking for new weaknesses in algorithms and protocols; they have massive computing resources; they develop and use attacks on software vulnerabilities to plant keyloggers and RATs; and so on. They'll also push for backdoors, both voluntarily from manufacturers and by legislation.
“The governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries,”
the "voluntarily" word struck me, as it did in about 2009 when US Qwest Comms International CEO Joseph Nacchio did NOT volunteer his customers data to the N.S.A. and was then imprisoned on ‘unrelated’ tax fraud charges - also US Sprint telco fought as well as they could in the secret courts trying, but failing NOT to ‘volunteer’ for the data theft
lots of redacted stuff here http://www.dni.gov/files/documents/0708/BR%2009-19%20Primary%20Order.pdf (pdf 1.6MB)
Indeed. This "voluntarily" business is a common lie that governments tend to employ. If I point a gun at your head and tell you you can choose to either volunteer give me your wallet or I'll shoot you and take it, when you give me your wallet there was nothing "voluntary" about it.
The Intel Management Engine looks to be the modern replacement for the Clipper chip.
Full snooping on the whole memory - internal network capability - able to override the OS - hidden source code (probably only shared with the NSA).
Almost all online Intel based computers with the Intel ME can almost certainly be controlled by the NSA if they wish. Secure encryption and decryption MUST be done on an offline computer with no network connection.
Agreed, with the little addendum that AMD also has a Judas-puter in the form of PSP. Right now, nothing in the current x86 line-up is trustworthy. Not a problem, you may think, just run older kit? Well, many of the services you connect to are also running Xeon/EPYC. It really doesn't matter which end of the pipe gives up the unencrypted data as long as one of them does.
IME was supposed to be a desktop version of the ilo you already get on servers. It was originally intended to only be installed in the sort of machines that Dell and HP sell to big organisations (if you're responsible for thousands of desktops it's very useful).
The question is, why did they start putting it in all their consumer kit as well?
I used to love Compaq's ILO boards. Thing with ILO was you could remove them and, even if you didn't, they were under your direct control.There is only one logical reason why this technology has been adopted by both USian processor manufacturers and that reason certainly does not have your best interests at heart.
What I object to with all of this is that it fundamentally undermines the assumption of innocence and the concept of mens rea. We already have RIPA over here doing much the same thing. The situation in the UK is so bad that it is now possible to lock anyone up at whim. Just take their smart phone, encrypt it with a random key, fabricate a reason to require decryption and lock 'em up when they can't.
The question is, why did they start putting it in all their consumer kit as well?
One word (well, technically, acronymn not word): DRM.
The UHD Bluray standard (including UHD i.e. 4k stuff streamed in browsers or apps, e.g. Netflix) mandates a secure encryption path through the system. A path a user (i.e. owner of the computer) cannot access, so that they can't bypass HDCP 2.x encryption on video. This is implemented via Intel's IME or AMD's PSP.
Without such secure (supposedly), controlling enclaves to prevent the computer's actual owner from accessing the content, then the computer can't access (or be the streaming conduit for) commercial UHD content.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
