GCHQ pushes for 'virtual crocodile clips' on chat apps – the ability to silently slip into private encrypted comms

Britain's surveillance nerve-center GCHQ is trying a different tack in its effort to introduce backdoors into encrypted apps: reasonableness. In an essay by the technical director of the spy agency's National Cyber Security Centre, Ian Levy, and technical director for cryptanalysis at GCHQ, Crispin Robinson, the authors go out …


      1. IanRS

        Re: re: our Kevin's gran's aunt's cousin Sherryl

        Gran: up two generations (mother of mother, or mother of father)

        Aunt: up another generation then across to a sister

        Cousin: shared grandparents, so up two then down two along a different branch of the family tree.

        Total: Up five, down two.

        So a common ancestor exists five generations up from the starting point, two up from the end point.

        Take the lowest number: two, which implies cousin (three would be 2nd cousin, 4 = 3rd cousin, etc)

        Take the generation difference: three.

        Final result: Cousin three times removed, aka Sherryl.

  1. Anonymous Coward

    I had my mail "monitored" once, many years ago - mail would arrive a week late and badly resealed. It was never a problem, information was always passed in open text coding and I don't believe that anyone ever noticed. Encrypt it and people get interested, use plain text and nobody cares if you appear to be just chatting ... please bring orange manual back tomorrow.

    Who needs a weatherman to know which way the wind blows?

  2. adam payne

    While advocating for "open and honest conversations between experts that can inform the public debate about what’s right,"

    I don't need you to tell me what is right, I can make up my own mind thank you.

  3. John Latham

    The End

    If I'm using a WhatsApp mobile app written by WhatsApp and distributed as a binary, I really only have WhatsApp's word that there are only two ends to the conversation, not three. There's nothing to stop them relaying messages to a third party using any one of a number of mechanisms, which may or may not be able to be exposed by traffic monitoring or decompilation of the binary.

    The lesson in all this is that if you want to assure yourself of secure end-to-end communications, you have to control at least your own "end", preferably separating the two concerns of encryption/decryption and transmission of the message such that those concerns can be handled by different pieces of software.

    I assume that sensible terrorists whose lives depend on communications security don't rely on blind trust of tech companies and apply defence in depth, or hide in clear sight communicating using LOLcats, Youtube comments, or whatever.

    Which in turn suggests that GCHQ can only ever hope to capture idiots and/or people who don't think they are doing anything wrong.

    1. Wellyboot Silver badge

      Re: The End

      If you're using WhatsApp the conversation may well have only two ends, but the rest - who, where, when, for how long, while also doing what - will be very multi-party.

  4. Anonymous Coward

    nobbled anyway

    I support the means to snoop on terrorists, sellers of vice, drugs, arms, etc. I just draw the line at the charter that gives them the right to snoop on journalists. You only need to look at the way Trump is trying to destroy the reputation of most media outlets in the USA and replace them with a government propaganda system to see that an authoritarian government, voted into power in the UK would have carte blanche to discover all critical journalists and lock them up, like we see reported about other countries around the world. Mainstream newspapers have already reported previous prime ministers mis-using these government powers to snoop on journalists in the past.

    I don't mind going after people who are posing as journalists while trying to get and sell state secrets. That would be spying, after all.

    It's a bit like a company trying to achieve monopoly by destroying the means of competitors to advertise. Therefore the removal of free journalism is a means to un-democratic authoritarian government, which is precisely what the charter to snoop on revolutionaries and terrorists is trying to avoid.

    Oh and just as NIST nobbled the randomness (and therefore mathematical security) of RSA, they also nobbled EC to reduce the number of allowable curves. That was reported in El Reg some time back.

    1. Anonymous Coward

      Re: nobbled anyway

      Indeed.

      So then we need to ask, at what point do the people trying to subvert democracy become "enemies of the people"?

  5. Spanners Silver badge
    Flame

    Security is not the only binary condition

    Something is either secure or it is not. Someone is either pregnant or they are not. You are either keeping to the speed limit or you are not. The weather may not be binary - it is only raining a little or that is a "strong" wind.

    Is "alive" binary? I think that one is for philosophers and the like. I think people used to think so but now, we hear of people being dead and then brought back so maybe this is what our spooks are thinking of.

    "You were secure, then we did stuff. We finished and now you are secure again."

    My systems are secure when nobody that I do not choose to can get into them. A bank's system that I use is secure when nobody but me and the bank can get into my records. If I feel the need to communicate privately, it is not secure or private if my conversation is monitored. If the method of monitoring involves back doors or virtual crocodile clips, the system will not only be secure but, in the future this information will be available to everyone from 419 scammers to the US health industry.

    1. Adrian 4

      Re: Security is not the only binary condition

      Funny you should mention banks.

      My (now former) bank recently asked me to agree a change in their T&Cs to allow them to share personal details with unspecified third parties for the purpose of fraud prevention. When pressed, they stated that the third party was the bank's own fraud department but refused to put that in the declaration.

      I doubt that it's unusual. Presumably someone noticed that the clause wasn't in the original T&Cs and GDPR required them to put it in.

  6. Anonymous Coward

    No one is stopping them...

    Putting actual crocodile clips on my mobile. What they do want however is impossible.

  7. Alan Hope

    If GCHQ could already use ghost accounts to access our encrypted comms then this is EXACTLY the sort of request and discussion they would want in the public domain... an easy way to feed us the notion that currently we can use these apps freely and securely for our deepest darkest secrets.

    1. Anonymous Coward
      Black Helicopters

      You missed the use of the black helicopter icon. Not saying that as a criticism of your point (In fact, have an upvote!), just saying that the black helicopter would be a fitting icon given your post.

  8. Reality_Ccheque

    "They also promise to get back to a time where the authorities only use their exceptional powers in limited cases, where a degree of accountability is written into spying programs..."

    No problem! Get back to us when IPA 2016 has been repealed.

  9. Anonymous Coward

    Crocodile Clips

    I always called them alligator clips, took me a moment to figure out what the bot the story was about. Are croc clips one of those Blighty words?

    1. Wellyboot Silver badge

      Re: Crocodile Clips

      >>> always called them alligator clips, took me a moment to figure out what the bot the story was about. Are croc clips one of those Blighty words?<<

      Yes indeed, Crocodiles have always been far more prevalent than Alligators to us Brits, especially after 1776 :)

      1. Anonymous Coward
        Black Helicopters

        Re: Crocodile Clips

        Good, patriotic American alligators would never offer their participation in the NSA & Friends encroachment on the rights of fellow citizens....Unless the alligators recognized that the leadership of the 5 Eyes agencies were in fact their fellow-reptilian lizardmen overlords....

      2. Anonymous Coward

        Re: Crocodile Clips

        When you're up to your neck in alligators, it's hard to remember that your initial objective was to drain the swamp.

        That explains a lot ;)

  10. Stevie

    Bah!

    As shown in the next slide, the Virtual Crocodile Clips are attached to the Virtual Nipples and Virtual Scrotum, before applying several thousand Virtual Volts to the other ends of the Virtual Wires, after which it is usually only a matter of time before decryption is complete.

  11. Jamie Jones Silver badge
    Happy

    Canaries...

    We'll end up with the more caring providers avoiding gagging orders like this:

    ** admin has joined chat**

    Hi. Just to let you know we've not added anyone to your conversation. Bye.

    ** admin has left chat**

    One minute later:

    ** admin has joined chat**

    Hi. Just to let you know we've not added anyone to your conversation. Bye.

    ** admin has left chat**

    One minute later.....

    1. Anonymous Coward

      Re: Canaries...

      Like AA patrol men used to salute to alert drivers to a bizzie speed trap around the corner.

  12. onebignerd

    If the Governments will use the same encryption algorithms for state secrets that they back door to surveil the public and which is verifiable to oversight and to the people, I will support it. With all their insistence that it is safe, let's see them step up.

  13. Anonymous Coward
    Big Brother

    All your base belong to us.

    My company uses Zscaler cloud proxy and we dropped a cert onto every PC so the SSL break/inspect doesn't cause a problem. But when you look at the info on every HTTPS session it's the Zscaler cert which is shown, confirming the man in the middle is operating.

    I assume end points could be compromised so that plausible certs can be inserted for any protocol using SSL/TLS, allowing transparent break/inspect, topped off with PAC file/DNS jiggery-pokery to direct all traffic to GCHQ.

  14. karlkarl Silver badge

    I think a government *should* be allowed access to whatever they want.

    Unfortunately, we often don't have governments. What we have is a corrupt bunch of absolute criminals masquerading as a government.

    I am sure they understand when I keep all of my communication encrypted and avoid sleazy crap such as WhatsApp and other consumer crap. They do the same after all whilst they discuss their next criminal activity.

    1. Jamie Jones Silver badge

      I don't. I see where you're coming from, but nooooooooooooo.

      Governments aren't our masters, they are there to do our collective bidding.

      Why should even "good" governments get to see whatever they want?

      What happened to good old police work in solving crimes? You never had dragnet bugging of the local pub etc...

  15. urlybird

    subverting the apps seems like more work

    than is strictly required.

    it seems far easier to catch the required data straight from the keyboard/IME.

    https://m.youtube.com/watch?v=G7gN9cRUUwo

    voice data can be caught through the convenient babelfish type translation services.

    my2p

  16. Anonymous Coward

    The greater the power entrusted to a few, the greater the need for that trust to be earned. Surveillance powers were originally granted during wartime to combat the threat of foreign spies, they were never intended to be used for policing the public.

    To gain political power involves some amount of dishonesty, false promises, bought loyalty etc., for the honest would struggle to convince (not deceive) a majority. Yet these are the people ultimately entrusted with surveillance powers who exercise judgement using this information.

  17. RDW
    Black Helicopters

    Direct (Current) approach

    In other news, CIA interrogators are pushing for the use of 'actual crocodile clips' on the nipples of suspected terrorists.

  18. Arachnoid

    Sounds more like Citizen over watch

    There is nothing to stop sophisticated "bad guys" writing and distributing their own communication application even as they are reputed to do these days, use "game chat" to pass messages. Neither option will give authorities any chance of accessing the intelligence they seek.

    1. amanfromMars 1 Silver badge

      Re: Sounds more like Citizen over watch

      There is nothing to stop sophisticated "bad guys" writing and distributing their own communication application even as they are reputed to do these days, use "game chat" to pass messages. Neither option will give authorities any chance of accessing the intelligence they seek. .... Arachnoid

      Amen to them apples, Arachnoid.

      I wonder if when intelligence access is denied do they come asking to buy what they seek from Not Illegitimate Sources or Private Pirates?

      1. Cliff Thorburn

        Re: Sounds more like Citizen over watch

        I wonder if when intelligence access is denied do they come asking to buy what they seek from Not Illegitimate Sources or Private Pirates?

        It might help if good old fashioned face to face discussion in secure spaces and private places could occur amfM, as opposed to current failed arms length laborious mundane matrix offerings, it must be said.

  19. Anonymous Coward

    It doesn't matter if it's a broken encryption algorithm, or a broken implementation, broken is broken.

    There is no way to keep other actors from using the same back doors.

    The only thing I can't tell is the balance between naive hubris (we can keep anything we want secret) and narcissistic indifference (we don't care how universally compromised it is, as long as we can monitor and archive everything).

    That's before you look at the problems with the 'authorities' having illegal access to every part of your existence.

  20. marknzl

    Which Government?

    If Chat vendors make provision for the UK and US to intercept conversations, then surely the same function must be offered to all governments when it's a matter of "National Security"?
