A backdoor into Skype for the Feds? You're joking...

Heavyweights of the cryptographic world have lined up behind a campaign against proposed US wiretapping laws that could require IT vendors to place new backdoors in digital communications services. Technical details are vague at present, but the planned law could mandate putting wiretap capabilities in endpoints to cover …

COMMENTS

This topic is closed for new posts.


Silver badge
FAIL

Re: JimmyPage : they can suspect all they want

"......Then you wheel out your own expert...." DUH! Apart from the fact you don't get the chance to with a Section 49 notice until AFTER it hits court, you are forgetting that they are not going to come at you with nothing, they will have a REASON for turning you over, such as your dim-witted association with types like the Anons, Lulzsec, ALF, or other dross, or your habit of visiting certain websites. They do not randomly turn up and accuse anyone of having an encrypted drive, it is usually a case of "during our investigation of a serious crime we came upon information leading us to suspect that Mr X was involved, the nature of his involvement including safekeeping information in an encrypted partition on his PC". By the time they get round to requesting a notice they will have enough info to get the notice in the first place, which means they already have dirt or the inference of dirtiness on you. It will not be a case of "dear Mr Clean, please give us your keys", it will be "the accused, suspected of crime X (paedophilia/terrorism, delete as required)". If you have a history of visiting AQ-sympathetic or ALF-linked or paedophilic websites then your pretence of a genital wart pictorial diary will be a very obvious attempt at deception. Please try and understand that the coppers are not as stupid as you may want to believe.

Anonymous Coward

Re: JimmyPage : they can suspect all they want

"Please try and understand that the coppers are not as stupid as you may want to believe."

It isn't their intelligence that is suspect. It is the corrupting nature of their environment that makes them believe the worst of anyone who crosses their path. Once they fixate on a name then they tend to become convinced that "no evidence" means it's a very clever criminal. Accordingly there is then a very human tendency to spin anything they can. At worst they "find" some specious evidence in the hope that something more solid will appear.

There is also a tendency when the stakes get high to coerce suspects and witnesses in ways that PACE doesn't catch. Veiled threats ensure that law-abiding people in their right minds don't complain to the authorities - especially about "false arrest". After much frustration with the protections for innocent people in our laws - then "the end justifies the means" mindset starts to take hold.

How many times have you seen a developer or an engineer flailing about on a problem because they are convinced they already know the answer? Their mind becomes a narrow focus that doesn't see contradictory indicators - or worse they discard conflicting facts. They grasp at straws. Fortunately you can't lie to machines or Nature. The Laws of Physics won't change just because it would be nice for a theory.

The Courts of Justice are not so deterministic and can be persuaded that 2+2=5.

Silver badge

Time to introduce protocols that actually ask you to verify...

...that the site you are connected to really is the site you think it is.

SSH to my server does, https to my bank doesn't. Sure, it has the name in green, but for how long can we trust this?

Bronze badge

Re: Time to introduce protocols that actually ask you to verify...

SSH to my server does, https to my bank doesn't.

What advantage do you think SSH has over SSL/TLS in verifying the identity of the peer?

I've seen plenty of people accept SSH fingerprints without doing anything to verify them, in which case they have no verification of peer identity at all. Even if you do verify the fingerprint against some record, all you're doing is relying on the security of the channel that delivered that record of the fingerprint for confirmation of identity.

The X.509 certificate chain used to verify identity has many problems, particularly given 1) the dreadful state of public PKI, and 2) the way OSes and applications are stocked with root certificates from all sorts of untrustworthy CAs. But it's not an inherently less-secure mechanism than SSH, and in fact it has a wide range of potentially useful features and is significantly more flexible, as well as enabling a far more scalable infrastructure.

As for asking the user to manually verify the peer's identity - there's no reason why an application using SSL/TLS couldn't always display the certificate chain and ask the user whether it should proceed with the conversation. None do, because users would just be annoyed and click through without checking. But it'd be easy enough to create, say, a Firefox add-on to do this, if you really want to.

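The known_hosts check the post above is talking about, as an added example that is not part of the original post or of OpenSSH itself. It builds an ed25519 host key blob in SSH wire format, computes the OpenSSH-style SHA256 fingerprint, and compares a presented key against a record the client stored earlier. The host names and key bytes are constructed for the example (the "keys" are just hashes of labels, not real signing keys); the last case shows the point being made: if the channel that delivered the record was already under an attacker's control, the fingerprint comparison happily accepts the attacker's key.

```python
import base64
import hashlib
import hmac

# SSH wire-format "string": 4-byte big-endian length followed by the bytes (RFC 4253).
def ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data

def read_ssh_string(buf: bytes, offset: int):
    length = int.from_bytes(buf[offset:offset + 4], "big")
    start = offset + 4
    return buf[start:start + length], start + length

def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the public key blob that OpenSSH base64-encodes into a known_hosts line."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)

def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def known_hosts_line(host: str, blob: bytes) -> str:
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"

def parse_known_hosts_line(line: str):
    """Return (host, keytype, blob) from a plain (non-hashed) known_hosts line."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The key type is repeated inside the blob; refuse records where the two disagree.
    inner_type, _ = read_ssh_string(blob, 0)
    if inner_type != keytype.encode("ascii"):
        raise ValueError("key type label does not match blob contents")
    return host, keytype, blob

def host_key_matches(presented_blob: bytes, known_hosts: dict, host: str) -> bool:
    """known_hosts maps host -> fingerprint recorded earlier (first connect or out of band)."""
    recorded = known_hosts.get(host)
    if recorded is None:
        return False  # unknown host: this is the moment the client asks the user to verify
    return hmac.compare_digest(sha256_fingerprint(presented_blob), recorded)

# Constructed sample material (hypothetical host names, keys derived from labels).
GENUINE_KEY = ed25519_blob(hashlib.sha256(b"constructed genuine host key").digest())
MITM_KEY = ed25519_blob(hashlib.sha256(b"constructed attacker host key").digest())

def demo() -> dict:
    # Record stored on first connect from the genuine server, or delivered out of band.
    host, _, blob = parse_known_hosts_line(known_hosts_line("server.example", GENUINE_KEY))
    known = {host: sha256_fingerprint(blob)}

    # Record delivered over a channel the attacker already controlled.
    poisoned = {"server.example": sha256_fingerprint(MITM_KEY)}

    return {
        "genuine_accepted": host_key_matches(GENUINE_KEY, known, "server.example"),
        "mitm_rejected": not host_key_matches(MITM_KEY, known, "server.example"),
        "unknown_host_prompts": not host_key_matches(GENUINE_KEY, known, "other.example"),
        # The check itself is sound; it is only as good as the record it trusts.
        "poisoned_record_accepts_mitm": host_key_matches(MITM_KEY, poisoned, "server.example"),
    }

if __name__ == "__main__":
    print(demo())
```

The comparison is done with `hmac.compare_digest` rather than `==` so the fingerprint check does not leak timing; that is a detail, the substance is the last dictionary entry, which is the same failure a CA-issued certificate has when the CA is untrustworthy.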
Silver badge
Black Helicopters

Watch out for foreign governments

"any backdoor would be open to abuse by hackers, including foreign governments"

The government of the USA *is* a foreign government. Why should they have backdoors into software used in other countries, which judging by their past performance they are guaranteed to massively abuse?

Bronze badge

Re: Watch out for foreign governments

*cough* .. Autorun .. *cough* ... Siemens ... *cough* SCADA....

Silver badge

Re: Watch out for foreign governments

"The government of the USA *is* a foreign government. Why should they have backdoors into software used in other countries, which judging by their past performance they are guaranteed to massively abuse?"

Cause the Chinese are beating them at their own game. If you can't beat them, cheat...

Bronze badge

I despair

Once again the low hanging fruit is selected because the more probable routes (PAYG mobiles etc etc etc) are too hard or too numerous to deal with.

Do they really expect us to believe that the real terrorists are even less intelligent than their Hollywood representation? Just how hard is it to work out that if you use real names and objectives then you may get caught?

Silver badge

I thought that was why they said not to buy Chinese network gear

Oh, it's not that it has a foreign government mandated back door, they just think it's the wrong foreign government.

It will work as well as when the US was trying to block export of encryption. You had to fill out a form to get 128 bit IE. A joke and a pain for US companies at the same time.

Anonymous Coward

It's a shame there is no longer any way to convey secret messages

Incidentally, the yellow dog howls at the new moon. I repeat, the yellow dog howls at the new moon.

Anonymous Coward

Re: It's a shame there is no longer any way to convey secret messages

And the primroses are blooming in spring...

Bronze badge

Re: It's a shame there is no longer any way to convey secret messages

but I thought the great whale waketh in the deeps, are you sure about those primroses?

Silver badge
Big Brother

"We are, therefore, living in a golden age of state surveillance."


Re: "golden age of state surveillance"

And that lovely golden colour is accompanied by a soft trickling sound.


Speechless (it's safer)

Somewhere the ghosts of Beria and Eichmann are laughing and laughing and laughing...

Anonymous Coward

Trust who ? ROFL

" .. those who trust US government agencies not to abuse increased wiretap powers. " Anyone? All I hear is crickets in the back of the hall .. For those of us who are sane and have been keeping up with recent events, IRS, AP wiretapping and now the FOX reporter events, trusting the US gov and agencies is a no go from the start. Some days I wonder if the only way to have a secure communication won't be to start using dial-up like in the old days, machine to machine directly and using as strong encryption as is possible. The internet as such is, as far as privacy is concerned, a nightmare that will only get worse. Maybe the real future lies in old tech revisited. Strongly encrypted peer to peer over a wired telephone network.

Silver badge

Sir

"The FBI argue the net is “going dark” to them, thanks to encryption technologies which render valid wiretapping warrants useless."

Perhaps they shouldn't have abused the power so much that encryption has become widespread to the point where my Mum has heard about it and knows how to use it.

Thumb Down

Won't work in the EU

We have a little thing called data protection. Any company that has a back door which snoops on personal data will not be allowed to operate in the EU. No company in their right mind would kill their biggest market.

Not to mention the lost good-will. Craziness.

Anonymous Coward

I for one, am quite relaxed about all this ...

personally, my view is if they want more data, let them have it. Masses and masses. And then let them drown in it. Even with the most sophisticated algorithms and fastest machines, it's going to take some time, hours, then maybe days[1] to query the petabytes upon petabytes that the state is hoarding. And that is if it was all in one place, which it isn't.

My prediction ? If they keep on slurping data at this rate[1] then we will start seeing more successful terrorist outrages[2]. The law of unintended consequences. If only someone had warned them - oh, hang on, they did.

Anyway, as a sage observer pointed out years ago, if you want to defeat the massed ranks of spook eavesdropping, then faxing handwritten Arabic notes is a good start.

[1]Of course the amount of data will just grow and grow as a function of time.

[2] Remember the 7/7 bombers were already in the frame when they blew themselves up. How many more are being missed, whilst HMG farts around with IP logs et al.

Pirate

YEAH, BABY!!!

"The FBI argue the net is “going dark” to them, thanks to encryption technologies which render valid wiretapping warrants useless."

That's Liberty at work. Warrant is useless because of encryption? Boo-hoo, I'll cry you a handful of tears.

Silver badge

Realistically

If you are or become a person of serious interest your communications are already severely compromised no matter what precautions you take. Putting in mandated 'back doors' only enables fishing expeditions for fairly petty things like drug trafficking and school district fibbing and provides a massive weak spot for serious bad guys to exploit.

If the back door is mandated is it still a back door? Wouldn't it be more of a service entrance or side door?


one for the fraudsters

Think about this for a second. A transaction appears on your credit card statement that you don’t recognise, so you call your bank only to be told it was authorised by PIN so you must have done it. Now you have to fight to get your money back as even though we know it’s possible to hack chip and pin all banks deny it. With this new law there must legally be a hole in all encryption methods used, the bank can’t say chip and pin can’t be hacked as legally it must have a hole in it so they must refund the transaction.

Of course this law will only apply in America and they haven’t got chip and pin yet, but if the American system legally must have holes then the whole worlds baking system is broken, unless the rest of the world cuts America off.

Silver badge
Coat

Re: one for the fraudsters

" the whole worlds baking system"

isn't that where they keep the dough?

Doh! ...going

Bronze badge

I can see the future

Schadenfreude: (n) the reaction from the rest of the world after the Yanks start crying about "hostiles" using US government-mandated backdoors against them.


If you are worried about that, what about firmware-coded remote desktop/stream chips in your motherboards - it's already happening.

If they can stream your HD screen at any time - what you use to encode the actual data packs in whatever program is completely irrelevant!

/tinfoilhat/

Black Helicopters

Skype gives me the creeps!!!!

True story.

A couple of days ago, I get this call from a client whining that his printer wasn't working, "a friend has tried it and said it was ok, but I still can't print".

So there I go and to my utter surprise and horror after 20 min of pulling knobs and pushing wires realize that whenever Skype was turned on and logged in the printer would freak out and stop printing, just to restart printing the moment you turned Skype off.

Was Skype calling home? I have no idea, nor did I have Wireshark with me to check it out, but as we say here, "I don't believe in witches, but they do exist" ("No creo en brujas, pero que las hay, las hay").

So when something fishy happens in your computer, just check if skype is on before you call the PC repairman.

Black Helicopters

Precedence for this?

I recall that during the London street riots, mobile security was lowered specifically for BBs so the bobbies could track the rioters. Also, it produced evidence for the prosecutors to use in court.

Silver badge
Stop

Re: Precedence for this?

There's a difference between a network and the police reacting together in the midst of a mass disturbance...

...and baking in back doors as standard.

Devil

The sooner the better

Introducing this legislation won't change anything, any more than introducing legislation allowing the NSA to put mass taps into AT&T's exchanges changed anything. They were already doing it.

Likewise anybody who thinks communication that passes through a central choke point (Microsoft, I'm looking at you with Skype traffic) that can decrypt it won't be decrypted is living on a different planet to me.

To put it another way, companies that advertise snake oil like secure communications will have a new road block in their path. If this legislation passes they effectively have to claim they are breaking the law. Hopefully that will make a debacle like Hushmail a lot less likely.

That's got to be good, surely.

Oh, if you really want secure communications, it isn't hard. You just need end to end encryption implemented in open source software. That's another thing this legislation will make plain - at least to those who think about it.

