GCHQ spies quashed this phone encryption because it was too good against snoopers The researcher who discovered that the UK government's phone encryption standard has a huge backdoor installed has made another discovery: GCHQ's rejection of a better encryption standard because it didn't allow for undetectable spying. Dr Steven Murdoch has updated his original post on the MIKEY-SAKKE standard, developed by …
To be fair to the man, he's being payed to say this and to do that. He has kids to feed, a retirement package to package, and a responsibility to the British public government. Somebody has to do the job. Ask Beria about it.
By helping prevent good encryption for individuals and businesses GCHQ has helped organized crime, terrorists and enemy nations.
Weak encryption and backdoors help terrorists and enemy nations access the building plans, work schedules and standard operating procedures of civilian facilities that can then be subjected to terrorist attacks.
Weak encryption helps organized crime and rogue nations steal money from our investment accounts.
Weak encryption allows organized crime, terrorists and enemy nations to acquire blackmail material with which to pressure us, our legislators and our government employees.
Weak encryption and backdoors enable the companies and agencies of those competitor nations, to steal our trade and financial secrets.
GCHQ and the NSA need weak encryption to keep us safe?
No weak encryption makes us vulnerable to organized crime, terrorists and (enemy) spy agencies, and their theft of our assets and their blackmail of us, our elected representatives, and our government employees.
How will future elected represent us when our spy agencies have dossiers on them going back decades to their childhood? Our country will become a Chekist state.
Any politician who supports weak encryption is supporting the enemies of our nation and the democratic principals of our freedom.
Any government agency asking for weak encryption is asking to make us vulnerable to our enemies and to turn our nation into a Chekist state.
You left out how weak encryption allows authoritarian governments (perhaps including our own) to better spy on political movements and activists who are attempting to advance pluralism and human rights. I kind of thought that was the intent of Western policy, but perhaps I have been niave...
"Power is not a means; it is an end. One does not establish a dictatorship in order to safeguard a revolution; one makes the revolution in order to establish the dictatorship. The object of persecution is persecution. The object of torture is torture. The object of power is power."
George Orwell
1984
As much as everyone loves a bit of Orwell or Huxley, I fear they will either become so overused as to have no effect* or banned.
* As all epithets should be. Break all taboos and the words lose all power. But I digress...
That particular bit of Orwell just seems to be defining terms rather than some sort of rallying cry; a bit like "for a perfectly spherical raindrop" or something. Real life has to deal with real conditions, and in the case of GCHQ 'dictatorship' and 'power' are not in the pure form but more a sort of establishment consensus for getting things done in a reasonably effective way. Hence the very public expressions of surprise at any suggestion of wrongdoing and the unabashed advocacy for more of the same.
The problem lies in the huge discrepancy between the size of the establishment and the size of the population and the very limited power of the law in this area. Democracy it ain't.
It being RATHER OBVIOUS that true criminals and terrorists and Russians (oh my!) will continue to use secure encryption instead of the weak encryption being offered to them by snooping governments.
Pushing weak encryption on the masses simply makes them vulnerable to foreign governments, corporate espionage and hackers. And outlawing strong encryption only inflates the power of snooping governments.
Not so. A false sense of security can be more dangerous than knowing you're vulnerable.
And anyway, we're not comparing things only to how they are, but how they could be if we had an Intelligence agency that wasn't determined to sabotage our security for its own gain. You only pick the worst possible scenario for your point of comparison if you're trying to justify something. If you're trying to improve things, then you pick an achievable other point of comparison that is better.
Excuse me, which RUSSIANS are you referring to?
Have you had a look who was attending the Call-Me-Dave fundraising junkets prior to last election? Who bought the various trinkets to provider a formal justification for handing in a check for a few hundred grand?
Ever wondered why the current vehement anti-Russian orientation of the British foreign policy?
Have a look at that list again. It is half-Russian and full of all the mobsters that did not get along with the current Russian government and got kicked out of the country. Vested interest to the hilt and it is _NOT_ necessarily aligned with the interests of Britain as a country.
By the way, that does not mean that the current Russian government is not mobsters either, but that is a different story.
In any case, in order to snoop on comms using this you need access to fiber in the middle so this is not fit for Russia in the first place as it has almost no international fiber traversing its territory. 5 eyes - yes. BND - yes. French - yes. Others not so much.
To be fair, I'm sure there's a few employees at CESG banging their heads on the wall because this got forced on them from above.
It must be annoying when your job is providing secure communications to have your bosses tell you to push a deliberately insecure option.
Nowadays every schoolboy knows that allowing GCHQ to propose telecommunications standards is a bit like asking Butch Cassidy propose security standards for banks and railways, but it is surprising they were so up front about wanting to insert vulnerabilities then.
What do you suppose this cryptic phrase from the 2010 document means:
"Recent events have highlighted the difficulties that can arise when appropriate [Lawful Interception] mechanisms are not engineered into systems at an early stage. "
Since this was part of a global GSM standard they were also proposing weaknesses in every other country's phones as well.
It does give you an interesting side channel attack on the intelligence agencies.
If GCHQ block encryption X but not Y it tells you that they have broken Y but not X.
Then if the representatives of the French/German/Belgian agencies support X, does this mean they have broken X, or are just trying to fool the British, or aren't interested in spying on their citizens.
Bit rude to lump us all in together!
You wouldn't want to buy comms systems designed/built by an organisation anywhere whose purpose it is to gather information from communications.
Probably a couple of smart liberals left in blighty who could build you a very nice system, thank you. Probably better to get an international panel together from a load of different universities to open source something.
This post has been deleted by its author
"Academic Centre of Excellence for Cyber Security Research (ACE-CSR)
The Academic Centre of Excellence for Cyber Security Research was set up in 2012, following the award of "Centre of Excellence in Cyber Security Research" by GCHQ in partnership with the Research Councils’ Global Uncertainties Programme (RCUK) and the Department for Business Innovation and Skills (BIS)."
Now I wonder how long UCL will retain that award after this has been published.
So that's the next ten years is it? GCHQ too busy sifting through the inane chatter of the entire country (plus any outsourcing work from the US) looking for pedos, terrorists, extremists or political activists while organised crime cons, blackmails or just plain steals the entire country from under them?
Digital Power House me arse!
My coat, 'cause I might leave...
Make no mistake their interest in software is a lie, they want to capture the hardware side, so that can grab info before it is encrypted, it is far faster and more reliable and that means getting into bios or cpus or the bus or the chipset.
Foreign manufacturers delivering to foreign governments disrupt this, however secret treaties make it possible again. Likely the most nefarious secrets are within NATO, a treaty that somehow is morphing into an over government, a government ruling other governments, pushing further and further in cyber security or is that insecurity and all areas of border control.
They are looking to punch permanent holes in hardware and seeking to force the use of that broken hardware by keeping unbroken hardware off the market (older computers running older software could become considerably more valuable over time).
Not blaming them for trying is like not blaming a bank robber for trying to rob a bank. The GCHQ is paid by the people, so in a democratic society it must not turn on them.
The GCHQ is not some child testing its limits, they are the ones who _claim_ to be the good guys. They are the ones who, by their own standards, must never do such a thing. They are the ones who claim to protect you. Trying to reduce the level of encryption, and therefore security, is exactly the opposite.
I always thought that accountability, AKA 'blame' if they get it wrong, was actually the whole point of democracy. That GCHQ etc seem to think they have a monopoly on making decisions that affect them suggests considerable contempt for the very idea of democratic accountability.
Democracy is for little people.
Those who do not get "the big picture"
Governments are not worried about terrorists: Terrorists get to be a problem when there are a lot in one organisation with Big Bombs, for those we have armies.
Governments are not worried about other governments: They are usually run by the same type of people, only differing by language of nation, they all have Big Bombs so do not want the other owners of Big Bombs to drop them ON them (mutually assured self-protection)
Governments are worried about their own people, and their own people getting together with other governments own people.
OK, we have no guns; but a corpse is not overly worried if it got blown-up, bludgeoned, stabbed or shot, any-way, it is no longer living.
Several tens of millions of seriously pissed-off people with hammers, are more interesting to our government than a few hundred suicide bombers.
Hence mass surveillance...
I totally agree with you but the current state of our representatives is altogether highly lamentable. I have a long history of writing to my elected representative and in the past was able to get some sort of reasoned response from them. At the very least they would pass my letter to the relevant department so some lowly and overworked civil servant could draft a letter coming out with the accepted flannel of the day.
Now all you get is a stupid email from him saying he sympathises with my concerns but he is still going to do whatever stupid thing they are voting for because you have to balance the interests of blah blah blah.
BTW my MP is Chuka Umunna and it is only since he has left the front bench that he replies at all.
Time to run away to sea methinks.
Beer because I need one now.
Listen:
If you are a guy, or guys, or women, and you have whole stack of money, and you "sponsor" someone to be Your Man (or Your Woman) in government, you do not want them to be too bright or independent.
They are only there to glow in the light of publicity, big themselves up on the TV, and do what you tell them to.
Hence Dumbos' R Us in Westmonster.
I like to Facebook articles like this and I'm sure to tell people to read the comments when there are as many good comments as there are for this article.
I know Facebook is bad but it gets this information out to people who otherwise wouldn't see it and helps purvey to them just how much Governments spy on their own people.
If we took all of the IT and Comms geniuses out of GCHQ and put them to work organising and overseeing all of the UK gov's failed attempts at making IT work for them, perhaps it would save the country a few billion and genuinely improve national security.
Nah! They would just spy on everyone from a different viewpoint and still not understand what the nation really needs.
Yes, but the days of LI are over. I have several end-to-end encrypted and uncrackable communications systems on my PC today (PGP email, Bitmessage, pgpphone, Tor, ...), and that is without installing any of the apps the terrorists are apparently writing for themselves!
GCHQ has some really, really smart people. We need their out-of-touch bosses (and the never-in-touch politicians) to let those smart people work on risk management in the new reality. Let them work on the problems of how you do targetted SIGINT to protect us, without LI.
All LI provides now is a way to intercept law-abiding people. Only dictatorships need that.
" I have several end-to-end encrypted and uncrackable communications systems on my PC today (PGP email, Bitmessage, pgpphone, Tor, ...), "
Do you use email servers which are connected end to end (client -> servers -.client) by a secure tunnel?
If not, you are still leaking a lot of data about where the email is from and to, plus flagging it up as someone making an extra effort.
Not knocking it - keeps the buggers on their toes - but without a secure end-to-end tunnel it isn't really 100% secure.
Oh, FFS, so we don't have secure comms because they stripped a [backdoored] comms from the standard just in case it might make their lives [slightly] difficult? Do they imagine they're the only ones who listen in?
There are other examples of this, not from GCHQ, but NSA/FBI:
Remember Lavabit? Secure email, FBI demanded Lavabit hand over the domain keys under an NSL. NSLs are supposed to be only meta-data, but FBI defined the right to capture meta data as [NSA spies on everything, hands us just the metadata we're legally entitled to, denies retaining any other data using National Security as cover excuse]. Lavabit's owner said no way and had to close rather than join the Stasi.
How many basic security mechanisms have these Stasi undermined? By what legal authority? The "give directions to telecoms companies" thing from 1984?? FFS. We can't ensure our privacy right because you f*****ers backdoored UK tech? Do Stasi Cameron and Stasi May have anything else to confess to Parliament?
Of course, there was no technical requirement that Lavabit have a key to decode the stored communications in its possession. If it had not, it would have little reason to resist delivering what was asked, and it is possible, perhaps likely, that it would not have been requested, or that something different would have been requested and found to have been encrypted by the originator.
And Lavabit could have remained open and serving the purpose for which it was intended.
GCHQ is pushing a broken system for use of Joe Schmo (of which I'm one). But as pointed above the bad guys (ie criminals, terrorists, unfriendly governments etc) will use a different more robust solution.
Perhaps this is the idea - it'll act as a win win filter for GCHQ & its cronies and pose a problem for the bad guys - 'Hmm do we use the good stuff and be part of the 0.1% of traffic and thus easily spotted for meta data analysis, or do we use the bad stuff and hope to hide in the other 99.9%"
In the meantime of course Joe and I are compromised (a bad thing).
Note: Figures are 'MADE UP' don't confuse with government statistics.
Encryption is as old as the hills - everyone tries to crack or peddle their encryption and all have an agenda. There are no noble answers to it.. anyone who comes up with a decent method will have the Isrealis, Brits, Yanks, Ruskies, Germans, French, Chinese trying to crack it.
The best Ive ever seen was the stuff used for CHAPS. That was done by THALES, paid a bundle by the banks to come up with a proper secure end-to-end solution. Proper money at risk there, not like just your email password or Tinder profile. I'm sure if you paid them enough, they'd do the same for you too.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
