China wants encryption cracked on demand because ... er, terrorism

China has passed its first antiterrorism law – and it is a worrying development for companies looking to do business securely in the Middle Kingdom. Under the new legislation, organizations in China will have to "offer technological assistance and cooperation with security departments to help prevent and investigate terrorist …

  1. Brent Longborough
    Big Brother

    Well, that didn't take long

    As any fool could have foreseen, the Chinese government have pinched a leaf out of the book of the fools who didn't foresee -- NSA, GCHQ, and Tragic Tess May -- and are happily quoting UK legislation.

    1. Paul Crawford Silver badge
      FAIL

      Re: Well, that didn't take long

      So when all of the gear in the West has China's required back-doors, as they also want, will our governments be happy that we can all sleep safer knowing those bad guys can be found and stopped, and that the Chinese (and every other government out there) would never dream of using this mandated access for political reasons or for industrial espionage?

      1. Anonymous Coward
        Childcatcher

        Re: Well, that didn't take long

        Come on peeps, you're not thinking of the children!

        "If you've done nothing wrong...

        ...blah, blah, rhetoric, blah, lies, blah, blah, you must be a paedophile, blah, rights? what "rights"? we'll be taking those thank you, blah, blah, for the greater good, etc.. "

    2. Mark 85

      Re: Well, that didn't take long

      I find it interesting that the Chinese are copying the "free world" in their quest for access... I would have thought, at one time--maybe in my dreams, that it would have been the other way around. I find this somewhat disturbing.

      1. Doctor Syntax Silver badge

        Governments conspiring?

        'I find it interesting that the Chinese are copying the "free world" in their quest for access... I would have thought ... that it would have been the other way around'

        It is. Basically they're like a jar of worms, squirming over each other to get to the top by using each other's actions as precedents to legislate something worse.

      2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: Well, that didn't take long

      As cryptographers pointed out, Dual EC DRBG random number generator is really the output of an encryption algo for which there is a key. If you have the key, it's not a random number sequence.

      So BLACKBERRY, who hold the Dual EC DRBG patent (they own Certicom which owns RSA) will be required to hand over that key for those constants because they do business in China.

      That algo is in most large manufacturers' kit, likely due to NSA lobbying in secret for backdoors. Since this problem was known and raised with NIST and those companies implemented it anyway.

      The version used by Juniper has different magic numbers, but China can now demand those from Juniper too.

      1. Danny 14

        Re: Well, that didn't take long

        How is this any different from RIPA? At least you know where you stand with the Chinese.

        1. DavCrav

          Re: Well, that didn't take long

          "How is this any different from RIPA? At least you know where you stand with the Chinese."

          Yes, but with their government you are much more likely to be not standing but lying face-down in the gutter with two bullets in the back of the head, than with ours.

          Say what you want about the West, but they don't routinely murder and imprison their citizens for long periods of time for sharing stories on Facebook, etc. Time perhaps to finally get some perspective? Just because all governments are bad, doesn't mean all governments are equally bad.

        2. Michael Habel

          Re: Well, that didn't take long

          How is this any different from RIPA? At least you know where you stand with the Chinese.

          Yeah right up against the wall!

    4. Anonymous Coward
      Anonymous Coward

      So Huawei can finally come out of the closet?

      Already in full compliance?

  2. John H Woods Silver badge

    Best laugh of Christmas:

    According to Reuters:

    "The draft law, which could require technology firms to install "back doors" in products or hand over sensitive information such as encryption keys to the government, has also been criticised by some Western business groups.

    U.S. President Barack Obama has said that he had raised concern about the law directly with Chinese President Xi Jinping."

    I hope Mr President will be calling David CamJongUn to express his concerns about draft legislation proposed by Treasonous May.

    1. PleebSmasher
      Facepalm

      Re: Best laugh of Christmas:

      Best laugh, and a good cry too.

      Icon is me covering/wiping away tears.

    2. Anonymous Coward
      Stop

      Re: Best laugh of Christmas:

      @ John H. Woods

      Obama bringing Cameron and the British government in line? Hell, he can't even shut up the Director of the FBI on this subject, and Obama has the power to tell that guy to clean out his desk and get his resume in order...

      Kind of makes you think that Obama is happy to see encryption get diluted, as long as he doesn't have to take the hit that he would receive from the civil liberties crowd if he actually had to ask in public for backdoors and special access.

      1. a_yank_lurker

        Re: Best laugh of Christmas:

        @Marketing Hack - I would not be surprised if most politicians would abuse security access they are demanding. I do not trust the criminals.

      2. Teiwaz

        Re: Best laugh of Christmas:

        "U.S. President Barack Obama has said that he had raised concern about the law directly with Chinese President Xi Jinping."

        Nothing to do with morality here, there is probably a patent pending issue.

    3. Anonymous Coward
      Anonymous Coward

      No additional backdoors required

      It won't require any additional backdoors! It just requires the existing backdoor keys be handed over to China too.

      Look, Theresa May, Cameron etc. wanted to legalize mass surveillance, and then we found out they were already doing it, and Snoopers Charter is to make what they're doing legal.

      And Theresa May, David Cameron etc. are also now demanding backdoors to encryption. Likewise that likely means they're already doing it, and want to make it legal.

      So there'll be plenty of backdoors already there. Given their "order ISPs to do anything in secret in the name of national security" interpretation of the Telecoms Act. Can anyone seriously tell me they didn't demand all router passwords, and encryption keys, and root accounts?

      Having a key is a backdoor in its own right, because you can always pretend to be a legitimate user.

  3. well meaning but ultimately self defeating

    They had no choice. If they did not, then everyone (who had not already realised) would realise they could already crack it, or had backdoored the product you were using in the first place.

  4. waldo kitty
    Mushroom

    ORLY?

    we suspect Western execs operating in China will be told to comply – or get out.

    proper execs will just pull the plug and leave... no need to wait for demands of keys or orders to get out... just pack and leave now... close the facilities... what harm can it do to china's economy? :lol:

    1. james 68

      Re: ORLY?

      No harm whatsoever to China's economy as it happens, but plenty of harm to the foreign business. Where do you think 99% of tech gear gets made for pennies? That would be China if you were wondering.

      And where are those various companies going to go anyway? America? Europe? Russia maybe? All of which are currently using laws or have laws on the table that are just as bad if not worse than China, but will also cost a hell of a lot more in wages and taxes.

      Fact of the matter is that the companies will simply roll over and expect a belly rub just like a puppy seeking affection. Because they face the same deal wherever they go, but China is cheaper so why fight it?

      1. Steve 114

        Re: ORLY?

        In the Darwinian contest of societies, maybe PRC has 'got' something, after the experience of far more bloody centuries than we have had. Baseline orthodoxy is, perhaps, an asset to efficiency. What's the other way? - Mesopotamian Babylon? (for millennia of strife still unending)?

    2. zen1

      Re: ORLY?

      I was actually thinking about this last night and the companies that are heavily invested in the Chinese labor force. Would the likes of Cisco, Apple, Juniper and just about any other consumer electronic communications manufacturer comply or would they capitulate in order to protect their profit margins?

  5. Anonymous Coward
    Facepalm

    I'm looking forward to the part where....

    The FBI/National Security Council/NSA complain in an irony and self-awareness-free manner about the advantages this gives to various Chinese and other cybercrime, hacking and intellectual property theft efforts.... If we're lucky, we can get a chief fed or spook to say "But the difference is that WE can be trusted!!"

    Welcome to watered-down encryption! The collateral damage starts in 5...4...3...2...1

    1. Doctor Syntax Silver badge

      Re: I'm looking forward to the part where....

      "where do you think 99% of tech gear gets made for pennies?"

      I'm sure there are one or two other countries that would be prepared to step up to the mark. Kit gets made wherever the companies perceive as being the best location. If some other country offers sufficiently lowish cost options and a better business environment then manufacture can go there fairly quickly. If all the kit vendors make the move then there's no competitive disadvantage even if the costs are a shade higher. In fact, is China even the lowest cost option these days?

  6. Your alien overlord - fear me

    Who exactly are China's terrorist threats? I know they've got those wanting justice, freedom etc. but does terrorist in Chinese just translate to local annoyance?

    1. Mark 85

      They have internal terrorists at this point. ISIS, et al, haven't hit them yet. Apparently, the internals are becoming a real problem for them judging from the new reports.

    2. Yet Another Anonymous coward Silver badge

      re: Who exactly are China's terrorist threats?

      Same as here, people trying to get their children into better school areas and the families of people accidentally killed by the police

      1. Someone Else Silver badge
        Coat

        @Yet Another Anonymous coward -- Re: re: Who exactly are China's terrorist threats?

        Same as here, people trying to get their children into better school areas and the families of people accidentally killed by the police

        There, quick fixup for ya

      2. DavCrav

        Re: re: Who exactly are China's terrorist threats?

        "Same as here, people trying to get their children into better school areas and the families of people accidentally killed by the police"

        So you are saying that the UK hasn't had terrorist incidents in the last few decades? Good-oh, I will just pop off down to a Birmingham city centre pub. Or maybe a nice trip on a London bus.

    3. Daniel von Asmuth
      Big Brother

      Terrorism in China

      That would be the Dalai Lama, the Falun Gong sect and the artist Ai Weiwei.

  7. Gray
    Boffin

    Don't stand downwind

    Seems to me that the world's governments are ratcheting up to total surveillance; whether overtly or covertly, it doesn't matter. It was perhaps a fool's quest to hope for internet freedom, whether it was in a faint hope that spam/scam behavior wouldn't ruin it for all, or whether governments could resist temptation to shred the curtain of citizen privacy.

    Promises of government restraint, respect for law, and words on paper prove to be nothing more than drops of piss in the wind. Don't stand where it will hit you in the face.

    1. Dadmin

      Re: Don't stand downwind

      We can bitch about how governments the world over are interested in making their secret zero-day hoarding a "respectable method" for them to spy on everyone and everything, but when it comes down to brass tacks, a government built and supplied the Internet. Along with some help from the connectable universities of the day, but nonetheless a government built your Internet. Funny, I always wonder what they did to combat these so-called threat actors BEFORE there was a fucking Internet, but I digress. No, the problem is squarely on an unwritten requirement that everything be hooked up and online, people, coffee machines, dildos, you name it. And the problem with inviting everyone is that assholes also show up to take their share, or do the equivalent of throwing bricks through a store window, what the media refers to as computer hacking. Yet, somehow secure communications becomes the scapegoat instead of where the problem really lies; companies are more interested in shipping a product quickly, rather than making one that is truly secure, because of one thing; it costs more to do it properly and they can point to their government and claim they must do this willingly. Please fuck off now if you think like that.

      Anyway, blame a government for providing an Internet, or a programmer for making it useful, or fruity weirdos making it even more useful and available in your pocket, or the hackers throwing their electronic bricks through the web-store windows, or a "thoughtful government" merely wanting to "protect (spy on) their citizens" in the name of Terrorism™ and "Crime Prevention". Again, how they caught anyone doing a crime before 1992 is a mystery to them. Ultimately, you get what you pay for, and if your lame government wants to forego your privacy in the name of protection from some helpful group of religious idiots, no different than the idiots who inhabit the many tax-free churches in your citizen zone, it's a problem that will eventually fix itself when their bad ideas fail to come to fruition and you cast them out and replace them with similar, yet different assholes. I mean, good meaning, public-minded individuals who fight over the low-pay, high-bribe lifestyle of your "connected government" jobs. So, this is just China coming out in the open about their spying in the name of getting all those nasty Terrorists™ around every corner. And if they catch some crims, well, so much the better for their position. Nothing to see here, move along and fix the government you're stuck with, we already knew what China was up to when they came online.

      Some people will want to build a nice thing, some other people can't, so they will tear down nice things, as that is their thing. It's a stupid thing, but there are lots of stupid people, so don't look surprised. Build a nice thing that is stupid people proof, and then we'll all be better off. In other words, fuck governments just encrypt and dump data everywhere and pray a proper group of sensible programmers reaches the consoles of the nearest quantum compute system, before your thoughtful government, or the clever people who can't seem to build anything valuable on their own, just break into someone else's.

      1. Teiwaz

        Re: Don't stand downwind

        "Government built the internet"

        - Had me in stitches...

      2. Charles 9

        Re: Don't stand downwind

        "Some people will want to build a nice thing, some other people can't, so they will tear down nice things, as that is their thing. It's a stupid thing, but there are lots of stupid people, so don't look surprised. Build a nice thing that is stupid people proof, and then we'll all be better off."

        A pipe dream. Make something foolproof and the world responds with a better fool. And you can't fix stupid. IOW, we're all already in the handbasket; we're just halfway down at this point.

        PS. The amount of resources needed to make a true working quantum computer pretty much precludes everyone but entities where money of at least 9 figures is no object. That pretty much leaves only states. And I'm pretty sure they're already aware of post-quantum systems and are already working on ways to beat them.

  8. phil dude
    Black Helicopters

    ban mathematics...

    Apple will probably cave because $$$$$, but very quietly. The US Govt is trying *really* hard to make all companies do their dirty work.

    That leaves Android and other FOSS apps that cannot be backdoored (without serious intellectual effort, not necessarily purchasable or available under torture).

    So Apple gives them keys, what's to stop someone sticking another layer on?

    In the UK you are seriously out of luck, because they have made it illegal not to comply with incriminating yourself.

    Not using that fingerprint sensor for anything useful...

    P.

    1. Charles 9

      Re: ban mathematics...

      "That leaves Android and other FOSS apps that cannot be backdoored (without serious intellectual effort, not necessarily purchasable or available under torture)."

      But quite possible with a very smart mole who hides the exploits in bits and pieces scattered throughout the code, each piece inextricably tied to a legitimate function so it's not only tough to spot but hard to remove without breaking something else. Even with a million pairs of eyes, it's still tough to spot a chameleon hidden in the leaves of a tree.

      1. Doctor Syntax Silver badge

        Re: ban mathematics...

        "But quite possible with a very smart mole who hides the exploits in bits and pieces scattered throughout the code, each piece inextricably tied to a legitimate function so it's not only tough to spot but hard to remove without breaking something else."

        That's a good reason to use an operating system with clean, well defined interfaces between components so that any individual component can be replaced by an alternative that offers the same, defined service through the same interface. Sadly, that eliminates an increasing number of OSs these days.

        1. Charles 9

          Re: ban mathematics...

          From a security standpoint, even with compartmentalization you can still employ gestalt-type exploits like race conditions. These don't depend on any individual component but on how they interact as a whole (thus why I call them gestalt--something beyond the sum of the individual parts). This is something beyond the scope of the individual pieces and subtle enough that it would probably get past even a standard examination.

          As for why anyone would allow this, only by mandate. Otherwise, you're talking trade secrets and Sharing Information With The Enemy. Sorry, but the OS world is too competitive to standardize at such a low level.

    2. Danny 2

      Re: ban mathematics...

      "In the UK you are seriously out of luck, because they have made it illegal not to comply with incriminating yourself."

      That is sadly true. Mind you, Donald J Trump is a figure of fun over here, not a contender. If we are "seriously out of luck" then you can get to f---...

  9. streaky

    Dumb..

    The war on personal and business security and privacy is a great big pile of it - but can we stop conflating crypto issues with Iraq and/or Libya and pretending they're somehow related to each other?

    Saying "I'm a pacifist" isn't how we solve any of this.

  10. Destroy All Monsters Silver badge
    Big Brother

    FBI dreams wistfully of Middle Kingdom's new antiterror law

    ...and I do hope that liberal gun laws will keep it that way.

    (in the ancient sense of "liberal", not the minding-your-business for-your-own-good spending-your-money responsibility-to-protect genocidal controlfreak "liberals" of today)

    1. Throatwarbler Mangrove Silver badge
      FAIL

      Re: FBI dreams wistfully of Middle Kingdom's new antiterror law

      Yes, because guns will totally protect against electronic surveillance.

      1. Teiwaz

        Re: FBI dreams wistfully of Middle Kingdom's new antiterror law

        "Yes, because guns will totally protect against electronic surveillance."

        And taking them to a school or government office will give them another 'excuse' to increase 'surveillance'.

        p.s. Thumbs up on the name, although should it not be spelt 'Raymond Luxury Yacht'?

    2. Teiwaz

      Re: FBI dreams wistfully of Middle Kingdom's new antiterror law

      What 'liberals' are these?

      I thought that on both sides of the Atlantic we only had a choice of rabid delusional nutters and delusional nutters...

  11. Amorous Cowherder
    Facepalm

    Superb idea!

    With a heavy dose of sarcasm....when all the software in the world has a "Crack on Demand" API built into it, unicorns will dance in Times Square and there will be love and rainbows everywhere as the bad guys will be able to be found with amazing ease by anyone able to use a keyboard and mouse. The world will be a beautiful place of openness, happiness and joy!

  12. Anonymous Coward
    Anonymous Coward

    Coming soon

    New software EULAs written in Chinese, translated to Afrikaans and then back into English:

    Basically: Type secrets of data here.

  13. Someone Else Silver badge
    FAIL

    "This rule accords with the actual work needillusion of fighting terrorism and is basically the same as what other major countries in the world would do, if they could figure out how to do it without getting drawn and quartered" Li Shouwei, deputy head of the Chinese parliament's criminal law division, would have told Reuters if he had any fucking idea what he was talking about.

    There, FTFY.

  14. Anonymous Coward
    Anonymous Coward

    The People's Liberation Army. So; it begins.

  15. Velv
    Boffin

    Easy for manufacturers to comply

    Ultimately the manufacturers can easily meet the regulations and sell all the kit without threat from any government - simply agree to remove all encryption.

    Users then install whatever third party or open source apps they feel might be useful. Encrypt the device - no problem. End to end secure communications - no problem. Private keys nobody has access to but the user - no problem. Manufacturer liable? Nope!

    Unless governments are also planning on banning the install of third party software of any kind...

    1. NotBob

      Re: Easy for manufacturers to comply

      Remember "export grade" encryption? Now imagine if domestic and export grade (on both sides of the pond this time) is limited in legislation.

      Too bad we didn't keep encryption as a munition. We could have broken out the old 2nd amendment.

      I can see the campaign slurs now, "clinging to their guns, Bibles, and encryption keys..."

    2. Mike 16

      Re: Easy for manufacturers to comply

      > Unless governments are also planning on banning the install of third party software of any kind...

      No need. Apple, Microsoft, Google(Android), RasPi, etc are already well along that path. I'll try to avoid some of the thumb-downs by skating around the question of whether a well-known "good guy" OS is playing along by making constant tweaks to APIs so you either join the choir or leave the church.

      You can have your security or your ability to email dancing-pig emoji. Not both.

    3. Michael Habel

      Re: Easy for manufacturers to comply

      Users then install whatever third party or open source apps they feel might be useful.

      I think you might have missed the bit where this Law would apply equally to App Manufacturers as well as the OEMs. Nice try though, sadly no dice for you!

      1. Velv

        Re: Easy for manufacturers to comply

        Michael Habel: "I think you might have missed the bit where this Law would apply equally to App Manufacturers as well as the OEMs. Nice try though, sadly no dice for you!"

        And how do you define the "manufacturer" and their home location for Open Source? Even if the "law" did apply (whose law?), who are you going to arrest and where are you going to charge them? Genie is out of the bottle, can I have my dice back now please?

  16. Nifty Silver badge

    Clipper Chip - history repeats?

    Due to public and industry uproar the Clipper Chip idea, announced 1993 and by 1996 defunct, failed. That was an encryption chip with an escrowed key that could be handed to authorities. It was to be made legally compulsory in all US telecoms equipment.

    I'm trying to see the difference between this and the new Chinese law.

    1. Charles 9

      Re: Clipper Chip - history repeats?

      Thing is, the Chinese state, unlike the US, doesn't care. The government is itself immune from the legislation so they can use whatever robust encryption they want. It's the plebs they're trying to control, and they could care less if the citizenry's encryption gets broken. Hell, odds are they'll be the ones breaking it, thus the way the law's constructed. If someone else does it, too, it's not like it's going to end up biting them.

  17. Ken Moorhouse Silver badge

    Steganography is the key

    to my simplistic mind metHods of storing sEcret text in pLain text messages is the best way to defeat such moves. the onLy methOd of deducing the existence of such messages WOuld ReLy on statistical analysis. my Demonstration of this is, very rudimentary, of course.

    1. Throatwarbler Mangrove Silver badge
      Facepalm

      Re: Steganography is the key

      Yes, absolutely. Fortunately, poweRful world governmEnts have no way of breaKing such encryptioN, so it's All Wonderfully foolproof.

      1. Stevie

        Re: Steganography (Throatwarbler Mangrove)

        "Wankerfy" ???? Seriously, Throatwarbler, one ponders someone's near impenetrable foolishness. For instance, no good shall occur 'less victims exercise new technology, surely?

    2. Charles 9

      Re: Steganography is the key

      Or you can mangle the stego by noting the inconsistencies (like capitalization in the middle of a word with no capital to begin—and BTW, Chinese uses a different grammar system) and automatically correcting them (same for extraneous whitespace), just as images can be distorted and their palettes flattened to mangle any stego in there. Who cares if you can't detect it, as long as no one else can, either? A determined adversary like the Chinese state can probably slow any usable stego to a crawl.

  18. Crazy Operations Guy

    Easier way of fighting terrorism

    Just make your country one in which people don't want to commit terrorist acts.

    Look at the list of countries with the fewest acts of terrorism committed and then look at a lists of countries sorted by freedom of the press / speech, willingness to assist refugees, level of government transparency, and general trust in the justice system. Interestingly enough, those lists look quite similar...

    1. Danny 2

      Re: Easier way of fighting terrorism

      Terrorism isn't that scary, but how do we fight being crushed by our own furniture?

      I have a new stylish wardrobe still in its flat-pack box, free to anyone who wants to pick it up from near Edinburgh. Genuine offer, I just can't take that risk anymore now I know the stats.

  19. x 7

    you've all missed something

    this legislation now gives the Chinese security services the (internal) legal remit to go hunting dissidents worldwide. They awarded themselves universal jurisdiction against "terrorists".....and of course they define the terrorists. If I was a Tibetan publishing, or writing for, a "Free Tibet" website or newsletter, or a member of a Christian group shipping bibles to China, I'd regard my future life expectancy as having just taken a hit.

    Of course they may just use the powers to hunt down the financiers of the Muslim insurgency in China, but somehow I don't think that's likely......

    And don't forget that in Chinese terms, the USA is now a "terrorist state" following its B-52 recce flight over the Spratlys a few weeks back

    1. Charles 9

      Tibet, I'll give you since it's adjacent to China and still in dispute as far as China is concerned, but to engage in action in another sovereign state against actors against their interest raises an international stink, and they're already getting dirty looks from various other powers both near and far.

    2. LaeMing

      Why would one ship Bibles to China? When I was there they were available in any reasonably large bookshop. (I was, admittedly, living in China's 4th largest city, which coincidentally had the world's largest - by congregation numbers - Christian church).

  20. martinusher Silver badge

    Whistling in the Wind?

    It's not really possible to outlaw an algorithm.

    Maybe the UK government's approach is the way to go. You just arrest them, demand passwords and if they aren't forthcoming you just jail the person who's supposed to provide it. (Wrong person? No problem, a body's a body....)

    1. Charles 9

      Re: Whistling in the Wind?

      China can do whatever it wants. It's a sovereign nation.

  21. M man

    Cruising for a bruising

    http://www.theguardian.com/technology/2015/sep/10/3d-printed-tsa-master-keys-put-travellers-luggage-at-risk

    That is all.
