Trading "liberty" for "security".
One once said that if you do that, you deserve neither.
I've got the Yo-Yo...
I've got the string...
Britain's surveillance nerve-center GCHQ is trying a different tack in its effort to introduce backdoors into encrypted apps: reasonableness. In an essay by the technical director of the spy agency's National Cyber Security Centre, Ian Levy, and technical director for cryptanalysis at GCHQ, Crispin Robinson, the authors go out …
service provider to silently add a law enforcement participant to a group chat or call,"
The emphasis here is on GROUP
This is DIFFERENT from normal legal intercept of encrypted communications and it is an organized version of the Turkish scenario. That is how Turkey successfully managed to deal with the coup 2 years ago. The plotters thought GROUP chat secure. It ain't - all it takes is for one compromised participant and all messages are visible.
This is also PRESENTLY IMPLEMENTABLE. Most usual suspects like Telegram for example implement GROUP chat by holding the private keys for the channel. So in fact they technically can provide the "crocodile clips" at present so there is no backdoors, no violation of laws of nature and no "this is impossible" here. In other words, the crocodile under the party hat is smiling all the way to the bank.
That does not need to be the case technically. The providers can be just the mediator leaving the private keys with the channel participants. Granted, this has a number of scalability problems, but none of them is in the realm of "impossible to overcome". At that point we are back to square one.
A group can be as few as two.
By that rationalisation the service provider can add the third person to any conversation.
If it is set up as a group call or group chat as understood and implemented by the likes of Telegram - yes. They make a technical difference between a group call and a person to person call.
As you correctly noted, that does not need to be the case and it is a knife which cuts both ways. It can cut the way you described or it can cut in a way where group calls are set up so that there is no way to add legal intercept to them (the latter is harder).
Read carefully, please ..... of an embarrassment of riches for universal sharing
The providers can be just the mediator leaving the private keys with the channel participants. Granted, this has a number of scalability problems, .... Voland's right hand
When Mentor, there be No Scalability Problem for Future AIdDriver Access to Raw Hard CoredD Source. ..... Immaculate BasICQ Current Input/Output.
The Question then is with Whom and/or What to Share Everything and to What Crashing End and New Clearer Beginning. :-) .... Just to make Perfectly Sure the Ends Always Justify the Means and AIMemes with ESPecial IntelAIgents Engaged in ... well, any Advance on Heavenly COSMIC Play Leading Ways Eternally Thankful to Simply Follow the Immaculate Construction of Other Worldly Instruction/Celestial Extra Terrestrial Guidance.
Are there any Exceptionally Outstanding Global Operating Devices Offering the Facility and Utility their Services for Future Proprietary Intellectual Property Deployment and Parallel AIdDevelopment of Exceptionally Outstanding for Global Operating Device System Default.
For Another Start in an Altogether Fundamentally Different Beginning is where IT is now at, whenever Never Beta Tested Before/TS/SCI. And that Future has Options Plenty and Derivatives Galore in Store for Wheelers and Dealers/Market Makers and Breakers.
If avoiding the arrival of a Maverick missile depends on your crypto, you're most likely not relying upon any of the standard P2P encrypted apps, because you know (a) every effort will have been made, using nation-state resources, to compromise them, and (b) you die if you trust third parties.
So my question to seemingly backward-looking spooks—who are so full of their self-righteousness and -importance that they apparently cannot even understand why a free democracy must have strong civil liberties if it is even to deserve to exist: and are, therefore, perhaps nowhere near as clever as they think they are—are fairly simple ones.
1. Have you, comfortable suited eavesdroppers, acquired an algorithm which can with more than 50% reliability identify large, dirty, noisy images which have very low-order, low-density steganography within them? How many of the 2,000,000,000 images shared every day are you managing to identify as having secret content? To the nearest ten?
2. Have you access to any reliable method of breaking a modern encryption standard such as AES256, or Blowfish or similar? What would be your success rate against messages, even allowing a crib phrase, of say 2kB in size? (Quite enough for decent Atrocity-Time-and-Date instructions.)
3. Alternatively, have you managed to compromise the world's open-source codebase of crypto algos so that no one, not even the designers, will notice? So that none of the world's several million competent coders could write a homebuild, effective crypto app?
4. Have you found a method of ensuring that Black Hats cannot access two computing devices with encrypted drives (whether tiny phone or workstation), one of which is never, ever connected to the net?
5. Have you found a way of ensuring that the BHs can't run whatever software they like on these devices?
Given that the answers are most certainly No, No (<1:1x10^6), Not a Chance, No and No, isn't it true that actually, sigint is pretty much useless against a well-disciplined, intelligent, well-equipped enemy (i.e. the very kind you should be most worried about)?
Isn't it true, in fact, that against your most serious adversaries, you need to infiltrate, blackmail, cajole, observe, corrupt, befriend, compromise—what we, back in the day, used to call humint: a version of tired old plodding shoe leather and nasty, grubby risks? Have you considered how many Arabic speakers you could recruit for the cost of Latest Billion Dollar SuperSexy MegaHarvesting Computer? (You know, the one that pointlessly stores petabytes of innocent civilians' data obsessively logging shopping habits, personal interests, porn preferences and extramarital dalliances)?
Isn't it true that your gasping appetite for code-breaking is actually peripheral grandstanding, with a big dose of laziness? That the appeal of sitting cosily in your pyjamas, sipping cocoa and reading Ahmed's email, is rather selfishly idle? That while you are begging for ever more budget, power and self-importance to spend on ever bigger aerials and computers, your neglect of the difficult, gritty, risky business of humint is most likely killing people?
You can sip cocoa at the keyboard, and yes, we need a few of those; but if you weren't so deep into deluded self-serving groupthink about crypto, you'd understand that if you were doing your jobs properly, you'd be risking your lives drinking gritty tea in a dusty back street somewhere far away. Not quite so appealing, eh?
One wonders whether GCHQ and NSA and their Five Eyes ilk have really been so dim and unself-aware as to fall into one of the oldest of psychological traps: for them, owning a hammer, every problem becomes a nail. It certainly sounds that way.
@milton
Your opening sentence suggests that field agents are very much in use. (Finding reliable humans is a completely different matter) and I'll agree with the bulk of your comment.
My 2p worth.
(a) it took 30 years before any of the tens of thousands of Bletchley workers spilled the beans on being able to crack the most technologically advanced country's code system faster than the intended receiving station. And that the sig-int alone was tracking individuals of interest.
(b) we know there are many acres of computer racks doing the same job now.
(c) the black budget for all this is immense, as is the willingness to try anything that sounds workable.
So I'd suggest the answers for 1 & 2 are much nearer 'Yes' especially for the sig-int tagged ones.
@milton
1. The "nearer Yes" answers may be correct for published crypto (PGP and so on). But what about the possibility that someone is using a private cipher BEFORE the text enters some public system or another? A book cipher comes to mind (see https://en.wikipedia.org/wiki/Beale_ciphers for an example....it gives you an idea about what's going on, even if the Beale papers are a hoax).
2. Even if GCHQ is actually listening to real time conversations (whether point-to-point or group), what if the conversations are conducted using pre-agreed code words? A recent NFL program showed quarterbacks instructing the team with actor's names -- Halle Berry was one of the calls!
*
So...here's a real book cipher example....readers feel free to publish the plain text.
*
The "nearer Yes" answers may be correct for published crypto (PGP and so on). But what about the possibility that someone is using a private cipher BEFORE the text enters some public system or another? A book cipher comes to mind
----------------------------------------------------------------------------------------------------------------------------
Book ciphers are inherently insecure. They were cracking them before computers existed. Today, with computer support, they probably wouldn't last 20 minutes.
The only secure crypto is published, open source, based on critical parameters, protocols, and algorithms; not influenced by those who want weak crypto. (Unless you are a nation state with thousands of cryptographic experts doing all the development and reviews in house).
Without the review processes of code, protocols, algorithms, and key parameters there is a very large probability of producing flawed or weak systems or implementations. Creating good crypto is hard, even for smart professionals. Consider the hash Apple made when it tried to create its own cryptographic library, even using known protocols and algorithms. Even with constant review and oversight, changes in mathematical techniques or further analysis can turn up flaws that need to be addressed. Seemingly innocuous changes in any aspect of a cryptographic system can create an unsuspected flaw.
The Beale cipher does not actually follow the most common model for book ciphers, which involve picking a page, then often a line, then a word or other element, or by picking a page, and then a word or other element. In particular, this makes different editions or printings different ciphers unless the exact page layout and page numbering is preserved... an advantage, particularly if you can use an obscure printing or reprint of a work. That still doesn't make a book cipher fit for serious use.
"So I'd suggest the answers for 1 & 2 are much nearer 'Yes' especially for the sig-int tagged ones."
I am afraid you overlooked the advances in cryptography made over the intervening years. And with all due respect to the Bletchley workers, even at the time Bletchley Park was operating, a large part of its success was due to failures in the correct implementation of cryptography.
More to the point, the dangerous terrorists etc whom the security services claim to be trying to catch are unlikely to be using the same generally available chat apps as Joe public, unless they are pretty dumb terrorists. This is just a smokescreen so they (the security services) can continue to spy on ordinary citizens.
"They also promise to get back to a time where the authorities only use their exceptional powers in limited cases, where a degree of accountability is written into spying programs, and they promise a more open discussion about what spy agencies are allowed to do and how they do it."
lol just lol to all this.
Was there ever a time when they used "their exceptional powers in limited cases".
If anyone truly believes this get in touch, because boy do I have a deal on a bridge that you don't want to miss out on.
Going on the Snowden disclosures, the agencies can already attach "crocodile clips" to the Internet and capture the raw packet streams/conversations, just as they could with the analogue telephone. If the call was encrypted they either had to crack the code or place eavesdroppers in handsets so they could pick up the unencrypted call.
Thus what is being asked for isn't a virtual crocodile clip but for an eavesdropping circuit built into the handset, complete with the apparatus necessary to exploit it without having to actually pay a visit.
They asked for front doors - but were refused, magic keys - also refused, backdoors - also refused, holes in the tunnel or weakened encryption - refused, banned encryption - an obviously stupid idea. Now they want magic crocodile clips. They're all the same thing - magical thinking.
It's unlikely that 'they' can crack most encryption if it's implemented properly. Your PGP encrypted mail will stay entirely private, instead they'll just use some off the shelf malware to get a screen grab after you've decrypted it.
Maths doesn't lie.
"They can't crack high-quality encryption. Well, they can"
If anyone has even a theoretical attack on, say, PGP, I'd be interested to hear about it.
Certainly there are still systems that use out-dated and cracked encryption (eg A5/1 used in GSM phones), but your average SSH session is so close to being unbreakable that hacking into one of the endpoints is the easy/only option.
"If anyone has even a theoretical attack on, say, PGP, I'd be interested to hear about it."
Here you go. This is both a bit dated and a very brief overview, but talks about people's success in cracking PGP encrypted messages. http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-security-questions.html
The summary: There are regular competitions to crack PGP messages, and it's rare that someone doesn't win. However, the time and resources required are pretty huge, so the methods aren't actually useful in practice unless there is a single target worth throwing a ton of resources at, and even then you're only going to crack one message at a time. Cracking things like SSH sessions isn't a practical threat, but cracking encrypted data at rest is (if you and/or one or two files are of extreme interest).
As is noted in that link, cracking is something that is possible -- but if you want to crack PGP, you're really better off going with other methods (subvert the end points, brute force the passphrase, etc.). PGP is not technically uncrackable at all, but for the vast majority of people, it's reasonable to treat it as if it were.
That's why it's called "pretty good privacy" and not "perfect privacy".
I guess they're allowed to wish for such things. However, even in the days of *real* crocodile clips, it was possible to make a telephone conversation unintelligible - isn't that what the "scramblers" that secret services were all using up till the 90s were for?
Personally, I think this is just a way to sneak the phrase "crocodile clips" into the narrative so that it's not too long before REAL crocodile clips are brought back.
Incidentally, either someone there isn't doing the job they're paid for, or they've missed the chat apps which round-robin messages to build a group header before encrypting or decrypting. You can't add or remove a participant without changing the hash, and alerting the group, as messages start garbling.
Right now, if you are party to a group chat you just get notified if a new member joins. There's no mention of the hash being updated - that happens behind the scenes. In the GCHQ scenario, their account would be silently added, any message informing everyone of a new member suppressed and, as now, no mention of the hash being updated. Or am I missing something?
Yes.
Person A initiates a chat with person B. Session keys are generated which produce a 3rd unique secret key that's the combination of A's secret key and B's public key, plus B's secret key and A's public key.
If C wants to join, the session key needs to be regenerated to include combinations of C's secret and public keys.
Impossible to eavesdrop unless you possess all actors' secret keys. Also impossible to spoof a message: only trusted actors can generate a meaningful message.
Very heavy on key management, but nothing's for free.
By all means, clip on those virtual crocodile clips - but all you'll "hear" is static.
By the way, the first rule of spy shit is to assume your channel is compromised anyway. So even your plaintext shouldn't be intelligible (I think UK government ministers have a head start here). So a successful eavesdrop will only pick up chatter about how cold it is this time of year, and how someone is looking forward to Spring in March .....
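As an added example, not from any commenter or from the apps discussed: a toy model of the arrangement described above (every member holds their own key; a sender fans a fresh sender key out over pairwise DH) showing why a silently added participant is detectable when the message header pins the sender's roster fingerprint, and why it is not when the server rewrites every client's roster and suppresses the join notice. The names, the 127-bit modulus, the KDF and the XOR "cipher" are all constructed for illustration and are not a real protocol.

```python
"""Constructed model of a 'ghost participant' being slipped into a group chat
whose members hold their own keys (sender-key style fan-out, as in the thread
above).  The modulus, KDF and XOR 'cipher' are toys for illustration only."""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime M127: a toy DH modulus, far too small for real use
G = 5


def fingerprint(roster):
    """Hash over the sorted member public keys; the value a client would display."""
    h = hashlib.sha256()
    for pk in sorted(roster.values()):
        h.update(pk.to_bytes(16, "big"))
    return h.hexdigest()[:16]


def kdf(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(16, "big"))
    return h.digest()


def xor(key, data):
    """Toy stream 'cipher': XOR data with a hash-derived keystream."""
    stream = b"".join(kdf(key, i) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class Client:
    def __init__(self, name):
        self.name = name
        self.sk = secrets.randbelow(P - 2) + 1
        self.pk = pow(G, self.sk, P)
        self.roster = {}      # name -> public key, as this client believes it to be
        self.alerts = []

    def send(self, text):
        """Fan a fresh sender key out to every roster member via pairwise DH,
        then encrypt the body under it; the header pins the sender's roster view."""
        sender_key = secrets.token_bytes(32)
        fan_out = {}
        for name, pk in self.roster.items():
            if name != self.name:
                fan_out[name] = xor(kdf(pow(pk, self.sk, P)), sender_key)
        header = {"from": self.name, "pk": self.pk, "roster_fp": fingerprint(self.roster)}
        return header, fan_out, xor(sender_key, text.encode())

    def receive(self, header, fan_out, body):
        """Refuse (and record an alert) if the sender's roster differs from ours."""
        if header["roster_fp"] != fingerprint(self.roster):
            self.alerts.append(f"roster changed behind my back, message from {header['from']}")
            return None
        sender_key = xor(kdf(pow(header["pk"], self.sk, P)), fan_out[self.name])
        return xor(sender_key, body).decode()


def make_group(names):
    clients = [Client(n) for n in names]
    roster = {c.name: c.pk for c in clients}
    for c in clients:
        c.roster = dict(roster)   # each client keeps its own copy of the roster
    return clients


def ghost_scenario(update_everyone):
    """The server adds 'Ghost' to Alice's roster, suppressing the 'joined' notice,
    and also to Bob's if update_everyone.  Returns (bob_read, ghost_read, bob_alerts)."""
    alice, bob = make_group(["Alice", "Bob"])
    ghost = Client("Ghost")
    alice.roster["Ghost"] = ghost.pk
    ghost.roster = dict(alice.roster)
    if update_everyone:
        bob.roster["Ghost"] = ghost.pk
    header, fan_out, body = alice.send("hello group")
    return bob.receive(header, fan_out, body), ghost.receive(header, fan_out, body), bob.alerts
```

The second scenario is the gap the question above points at: once the server rewrites every member's roster and swallows the join notice, the fingerprints agree again, so clients need to display the roster fingerprint for members to compare out of band.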
I once knew someone who was of interest to the authorities.
When he sent letters he used to tape the envelopes, which often used to arrive still taped but with the hairs that were formerly under the tape now missing.
He sent one letter with one of those Christmas Sellotape designs, in the summer, with the message on the back "now find some of this." Of course it (a) never arrived and (b) was completely harmless.
As you say, there will be plenty of IT equivalents.
At least in theory, they want to snoop on the planning stages. You may say "they can just plan offline", but, well, there's a reason the drones keep hitting weddings 'by mistake': HumInt is tracking when suspects meet, and calling in the hellfires if they think there's enough Target in the collateral.
That sort of thing (which, IMO, is probably some manner of war-crime) strongly discourages personal meetings. So SigInt has to try and fill in the gaps. Your average bomb-maker isn't going to roll their own crypto, but they're happy to use one of the off-the-shelf ones that the Five-Eyes types complain about not being able to crack.
To be clear: I have some sympathy for the aims! Terrorists are bad. Child abuse rings, also bad.
But the NSA, GCHQ and pals took a calculated risk by violating the privacy of millions, and the dice didn't work out for them. Nobody held a gun to their heads and said "you must spy on your own citizens, en masse, on dubious legal grounds". This is their screw-up, and it'd be nice if they took the consequences like adults.
And congratulations on using such an innocent channel as El Reg to issue the order... .... batfink
An innocuous channel is more APT and truthful, batfink, with guilt being attributable via the eye of the beholder with ignorant and arrogant support for exploding shenanigans and fast failing 0day ventures/FCUKd Up Serial Narratives.
And who's saying the 77th Brigade are not deployed for special instruction/virtual mentoring and remote control monitoring here?
Quote
The elephant rides at midnight ???
You got the wrong group mate, this is the syndo-cryptic revolutionary party (Leninist), you want the Free radicals of Marxist-Hofferists (Trotskyist), they communicate over on the Daily Mail forums.
Where the ravings of a bunch of loons and splitters would never be noticed....
Not sure how a virtual paperclip can be added quietly on end to end encrypted comms. If they were able to do a man in the middle intercept of traffic between 2 people then it could be used to MITM attack other things (web traffic, payment traffic etc). Most algorithms and approaches stop MITM, so they'd need to hack the source or target instead (or terminate the encrypted traffic at a proxy) but the receiver would then see it in the clear and not encrypted.
While everyone is arguing over encryption backdoors, the Signals Intelligence Agencies are successfully misdirecting people, as you would expect.
Snowden made it quite clear in the Q&A session hosted by The Guardian in 2013 that:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
My emphasis on 'properly implemented'. While the algorithms used by various applications may well be theoretically secure, many implementations are flawed. Good luck in finding a CPU that doesn't have a built in back door (Intel ME, AMD Secure Technology, VIA C3 "God Mode", ARM TrustZone*), and, if on a mobile phone, doesn't have a baseband modem with proprietary 'binary blob' firmware which can be updated over the air by service providers that also has access to main memory (and therefore decryption keys). In addition, there are poor random number implementations, and overly bloated libraries with an indefinite number of flaws (OpenSSL) that have multifarious leaky side-channels. It is very strongly suspected the SigInt agencies actively try and influence standards setting committees to subvert and/or make implementations complex and prone to bugs so that groups like the NSA's Tailored Access Operations (TAO) have a range of implementation flaws to work with (see also BULLRUN). Easily obtainable secure end-points for communications do not exist. While everybody argues about the security of data in transit, little attention is paid to the security of end-points, which is a situation I expect the SigInt agencies are very happy with.
It should not be necessary for me to point out I am against terrorism and/or child abuse. That said, as a society we appear to have a hard choice to make: gain the ability for select groups of people in authority to intercept communications between terrorist and/or child abuse conspirators (that ability also subject to abuse and subversion) ; or retain the ability for innocent people to have private conversations. It appears we cannot have both. I suspect that in the long run we will lose privacy. If you look at the use of social media, the cultural norms around privacy have changed hugely in a short period of time, and I would not be surprised for people in the future to make the explicit choice of living in a panopticon, partly justified on the basis of security and for the sake of the children, but mainly simply because it becomes normal to do so, and anyone desiring privacy would be regarded as a misfit.
*Note that a lot of this technology is justified by its use in DRM for media use. Secure channels for playing digital media, etc; and also its use in easing management of large organisations' IT estate. Trusted Computing is about third parties being able to place what they regard as their content on 'your' computer and control it such that you can't do with it what you like - that is they trust 'your' computer to do what they want. Great for Hollywood and corporate IT departments; and coincidentally great for SigInt agencies.
I thought bulldog clips were the big wide things you use for paper: crocodile clips being the narrow pointy ones?
Unless this is one of those quirky etymology things where nothing makes any sense, which wouldn't be that surprising *gestures vaguely at the English Language*
Bulldog clips have short jaws, used to avoid short circuits on nearby things. Typically used in large size for jump start/car charging cables.
Alligators have long jaws, for fine things with some risk of shorting nearby. Good for punch down terminal blocks or relay racks.
"because the tapping would be at the vendor level, it would be hard for hackers and other malicious actors to exploit the same approach."
Ok, sure. Even if we believe the above, there's still two parties that have just been granted access to our communications:
There's the vendor itself, and if you think (eg) Facebook wouldn't try to use its access in order to make money then you're pretty naive.
Then there's all the low level workers, both at the vendor and at GCHQ, who now have access to everyone's chats. So now they can check up on their possibly cheating spouse/their ex/that hotty from down the road/some random celebrity/our Kevin's gran's aunt's cousin Sherryl etc.
I'm not sure how keen the security services would be on (eg) some contractor at Snapchat selling details of the Queen's messages to the tabloids, or a blogger getting hold of the texts the PM sends to her husband either.