Discussion in 'Article Discussion' started by bit-tech, 30 Nov 2018.
I don't do anything illegal online, GCHQ won't be interested in me, I have nothing to hide so, I have nothing to worry about, errr, don't I?
Given HM Government's history with regard to anything to do with computers, how could I possibly trust them to do this in a way that CANNOT be compromised for criminal gain?
One agency's backdoor will quickly become every 1337 h4xx0r'5 catflap.
So they're asking us to trust that they won't abuse their powers when it comes to encryption that's only become so prevalent because a whistleblower spilled the beans on how they'd been abusing their powers.
If they hadn't spent years illegally eavesdropping on everyone, and still continue to do so, we'd probably feel less inclined to use encryption.
Nothing to hide, nothing to fear, until we change the rules.
No doubt the DVLA is slavering over the chance to use mass surveillance to make sure everyone gets a fine for the three hours they didn't have insurance in 2015 when they didn't quite time the two policies correctly.
Of course the silliest part of this is that if/when they get their 'crocodile clips' all that will happen is third parties based in non-complying countries will offer software to add a layer of encryption over the encryption and they'll be back to square one.
I still don't see how it is technically possible to do without a single worldwide government. Chinese intelligence sends a court order signed by a Chinese judge to WhatsApp and asks to listen for chat between a UK and US person. Will they do it? Will they breach US or UK law by allowing the Chinese to do so? Or for Turkish to listen in to some talk between Kurds in Iraq and Syria? This is something they never consider when bringing up these ideas.
So it'll work up to the point that the encrypted message, sent through WhatsApp that will have an extra recipient, becomes encrypted itself then back to square one? Bsf hdir tnpljoh tpnfuijoh?
If the five eyes (you must be full of yourself to give yourself a name like that) can look at my communication, then why can't China? Russia? North Korea?
What makes these countries and their governments any more entitled or trustworthy than those? Sure their human rights track record may be a bit better, but their privacy track records certainly are not any better.
And as if the countries mentioned above won't find a way to use these back doors. Get real.
What are the qualifications required to become Technical Director of the National Cyber Security Centre? Able to turn on an iPad? Can tell a rock from a monkey? Remembers to breathe? Because it evidently doesn't involve any knowledge about the most basic concepts behind encryption.
I have nothing to hide, I just have plenty I don't want them knowing. Big difference.
And there's this:
The best way to stay safe online is for as few people to know as little as is possible about you and we're always advised to stay safe online.
I guess it would only apply to communications taking place into or out of the five eyes countries.
Haven't you heard we're special.
Seriously though they'd have to make their own arrangements, once we've set a precedent it should be easy enough, although I'm not sure they'd exercise the same 'oversight' or pay much heed to basic human rights as we *supposedly do.
I say supposedly as Human Rights Watch has recently sent a letter to the US Justice Department asking it not to share information with us because of our human rights violations.
Easy problem to solve.
A BGP misconfiguration, now the data from US to US goes through China Telecom. Can Chinese spying agency now request those data?
Also, to and from? Uhm, you can bet once they identify their suspect/target, they will require ALL communication of that person. They will not care that that person is in a 5 eyes country or not. Jurisdiction on Internet is a very vague concept.
How would a backdoor even work? There's no such thing as a skeleton key for cryptographic algorithms, at least not for any that I've heard of. There's no shortcut to prime factorization; it would break maths, P would be NP, pigs would soar the skies.
Or do they just want your set of private keys to be accessible behind another key "only they" can get past?
Also pretty much obligatory every time this subject comes up:
There's really no way to say this without sounding like a dick, but I'mma take one for the team: did you read the article?
Ok, guilty as charged. I skimmed it, my apologies Gareth (I usually try not to be that guy).
I read the article and the one on lawfareblog and wrote a whole bunch about how I still don't see how they would do it "silently" (i.e. no packets from or to whitevan_server01 noticeable on either end), but then I re-read this paragraph:
So with "silent" they basically just mean that on an application level it won't explicitly tell you anything (right?). While anyone with Wireshark could clearly see a three-way key exchange happening... and log off.
(not trying to be a smartass here, just interested in how this would work)
That's my understanding, although it would probably be easier to use an open source chat client, write your own basic client, or just use a one-time pad, than it would be digging through Wireshark logs looking for a three-way.
So, let's use WhatsApp as an example. It uses public-key cryptography: I have a key, you have a key. When I send you a message, it's encrypted with both of our keys so I can read it and you can read it, but nobody else. End-to-end encryption.
The message doesn't go straight to you, though: it's end-to-end, but not peer-to-peer. My message goes to the WhatsApp server (status: one grey tick), then to your phone (status: two grey ticks), then you read it (status: ticks go blue.) There are three points there where GCHQ can snag a copy: at my ISP, at WhatsApp, at your ISP. The copy won't do them any good, though, because it's encrypted.
So, GCHQ's solution: force WhatsApp to add a hidden, third key belonging to GCHQ. Now I can read it, you can read it, and GCHQ can read it. (Specifically, and here's where the real concerns begin, anyone with a copy of GCHQ's key can read it.)
WhatsApp - and any other crypto program worth its salt - has protections against this. If you try to add a third key, we'll get a notification saying there's a third party in the chat. If you try to perform a man-in-the-middle attack, by replacing our keys with someone else's and decrypting and reencrypting at the WhatsApp server, we'll receive notification that the keys have changed - or, if it's the first time we've talked, the keys will fail verification.
GCHQ's answer to those is in two parts: the first is that they'd compel WhatsApp to *not* alert users when the special GCHQ key is added as a recipient. The second is more interesting: GCHQ can either force WhatsApp to lie about the key verification, or it can simply rely on the fact that nobody ever bothers to verify the keys anyway. When was the last time you got in touch with a WhatsApp contact out-of-band and read out the verification checksum?
In either case, Wireshark wouldn't help, because it's not peer-to-peer: all it will see is encrypted traffic between your phone and WhatsApp's servers, nothing so obvious as connections to GCHQ IPs.
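An added illustration, not part of the thread and not WhatsApp's code: a toy model of the two client-side protections the post above describes, a warning when the recipient list contains a key nobody verified and a warning when a known contact's key changes, plus the out-of-band verification checksum. All key values, owner labels and function names are constructed for the example.

```python
import hashlib

def stand_in_key(label):
    # Constructed placeholder for a public key; real keys are not hashes of names.
    return hashlib.sha256(label.encode()).digest()

def fingerprint(keys):
    """Checksum read out over another channel; covers every key encrypted to."""
    h = hashlib.sha256()
    for k in sorted(keys):              # sorted so both parties derive the same value
        h.update(k)
    hexd = h.hexdigest()[:20]
    return " ".join(hexd[i:i + 5] for i in range(0, 20, 5))

def audit(verified, served):
    """verified: {owner: key} confirmed out of band earlier.
    served: [(owner, key)] recipient list the server supplied for this chat."""
    findings = []
    for owner, key in served:
        if owner not in verified:
            findings.append(("extra-recipient", owner))   # a third key in the chat
        elif verified[owner] != key:
            findings.append(("key-changed", owner))       # key replaced in transit
    return findings

def scenarios():
    me, you = stand_in_key("me"), stand_in_key("you")
    verified = {"me": me, "you": you}
    honest = [("me", me), ("you", you)]
    third = honest + [("unknown-1", stand_in_key("third party"))]
    swapped = [("me", me), ("you", stand_in_key("relay"))]
    return {
        "honest": audit(verified, honest),
        "third-key": audit(verified, third),
        "swapped-key": audit(verified, swapped),
        # The checksum over the real recipient set no longer matches the expected one.
        "fp-differs": fingerprint([me, you]) != fingerprint([k for _, k in third]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

These checks run inside the client, so they hold only while the client reports the recipient list and checksum truthfully, which is the behaviour the post says the proposal would change.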
Thanks for the explanation.
I'll have to think about it a bit but that does seem to make sense.
Man, remember when we made fun of the Soviet Union for things like this? Those were the days.
Not that I agree with having a backdoor in chat
but I have to agree people care less if it is encrypted or not if they did something as basic as like what BlackBerry was doing with their messaging where the ID of the phone it's been sent and received to is the actual encryption key so you only need to know the actual ID to decrypt the message, as at the moment anybody with bad intentions can just simply use WhatsApp as it's fully encrypted end-to-end, they have to physically have the phone to actually read the messages and it's passive as well
as it is passive they cannot tell the difference between somebody who's going out of their way to use encrypted messaging or just a normal person who's just sending a message, whereas before if you used an encrypted message/email it's very likely they would actually store it to try and break it at a later point if needed or at least use the metadata to work out where you are and the person receiving it
The easy solution is just make the encryption optional or crackable (as why encryption in web browsers were so low bit level to start off with, it was so the government could crack it as they had a lot of CPU power to play with), now it's at the point it's just easier to compromise the device or computer, but if people are using everyday apps to plot say a bombing they won't be able to pick up on it like they would over SMS (I wouldn't be surprised if this message I posted gets flagged up by them because of the magic b word).