UK spookhaus GCHQ can crack end-to-end encryption, claims Australian A-G

British signals intelligence agency Government Communications Headquarters (GCHQ) can crack end-to-end encrypted messages sent using WhatsApp and Signal, according to Australian attorney-general George Brandis. Brandis made the claim speaking to the Australian Broadcasting Corporation's AM program, on the occasion of Australia …

The laws of Australia only apply to those companies in Australia... what we should be asking is how they intend to PREVENT messages such as im.qq.com from being secured

Also, wouldn't it be great to get all the messages from the Australian prime minister's Wickr and WhatsApp?

good old george has admitted it can be done...


Australian encryption is easily cracked

Shorten everything to the first couple of syllables and put an 'o' at the end

Holmes

Re: Australian encryption is easily cracked

No wonder Australian encryption is weak. They're still using SHA-0 which can be broken using a boomerang attack.


What we should be asking is how they intend to PREVENT messages such as im.qq.com from being secured

If it's ad funded, the law can go after the advertisers, and ultimately the law can go after the telcos and ISPs too. The software may exist, but it can be made unprofitable and, perhaps, its servers unresolvable.

For example, the Google boycott that started in the UK and spread has shown governments all over the world how to get a grip on online services. It became socially unacceptable to advertise on Google, so Google lost some revenue. If that social unacceptability became law, the boycott is country-wide and they lose even more money.

Cue lots of talk of extra moderators and AIs, all across the industry. Will it be enough? Who knows, but they need to try hard. One day it could be that if WhatsApp annoys the cops in a country, Facebook risks losing all advertising revenue in that country.

If enough countries get fed up with a particular service's uncooperative responses to law enforcement warrants, their money stream gets cut off.

It's a cunning tactic. End users don't notice, apart from the lack of ads.

It's a disaster in the making for the social networks because they really cannot trust their users to self moderate, so they have to do it instead. This kind of governmental pressure on their revenue stream is only going to increase. For example, Gov wants to clamp down on on line bullying? Make it socially unacceptable to advertise, pass a law to back that up. Facebook's (or whoever's) AI and moderation systems will have to get better and better, which sounds more and more expensive.

Now, if they knew for sure who their users actually were, that's a different matter. The buck can be easily passed is a user is legally identifiable.

K

@bazza..

Sorry, but you're wrong and reading way too much Daily Mail!

Several high profile businesses who rely upon "brand awareness" may have pulled advertising from Google, but that's a PR stunt; these companies have a high SEO ranking and a lot of their traffic is driven by this. Their actual spend with Google is quite meager.

The bulk of Google's revenue comes from SME businesses, who don't have the brand awareness or the high SEO ranking, so Google's advertising platform is their life blood. A lot of these businesses get anywhere from 50-90% of their business from this. Their response to the government would simply be a 2 finger salute!

Even if the government did pursue them legally and win (after months and years of court cases), the PR would go full circle and bite them in the ass - those small businesses would go under, thousands would be out of a job - basically, it'd f*ck the economy and then f*ck the government!

Finally, even if it became technically and politically feasible, the people who do want to hide their communications would just shift to another platform that has little or no commercial interest within that jurisdiction, such as QQ (whose primary commercial, user-base and infrastructure is in China) where the UK/AU/US/NZ governments can't touch them!

Facepalm

You would almost be forgiven for thinking this was a Monty Python sketch if it weren't for the horrible sense that somehow it's real, and that our government truly does believe that Australian law overrules the laws of mathematics, physics, etc. etc.

Joke

Physics is just applied mathematics, so gravity will be easy-peasy


so gravity will be easy-peasy

How else does Australia cling on to the bottom of the globe ?


Re: so gravity will be easy-peasy

Topist!


Re: so gravity will be easy-peasy

> "How else does Australia cling on to the bottom of the globe ?"

Our government sucks, hard.


Re: so gravity will be easy-peasy

Simple, ground harnesses.

Anonymous Coward

Re: so gravity will be easy-peasy

Skyhooks


To continue your Python reference, is every Australian's user name 'Bruce'? If not, it might cause a little confusion.....


> Is every Australian's user name 'Bruce'?

Don't be absurd. At least half are 'Sheila'. Don't make me go all Andy Murray on you!

Anonymous Coward

We've just been told that the earth is flat!


Confused

I checked my Python reference, and one doesn't declare names or variables or constants...


The DUP have such sights to show you.


Physics is just applied mathematics, so gravity will be easy-peasy

I always remember my physics teacher saying that mathematics was just a subset of physics, but then he would say that wouldn't he?

WTF?

So what's the use?

the only laws that applies in Australia is the law of Australia.

Hey George, while you're at it, can you revoke the Law of Supply and Demand?

So if GCHQ can crack E2E encryption, what is the use for forcing companies, like Apple, WhatsApp, Telegram, Signal, to cooperate?


Re: So what's the use?

You may notice that the Law of Supply and Demand has been legislated away some time ago by the introduction of Central Banking.

Why, you can get credits of 0% or lower these days, while your savings that you hand to somebody to use actually give you negative interest.


Re: So what's the use?

Assuming that GCHQ can break E2E now I guess they want it putting in law so that if some future app comes out that the spooks cannot break the legislation requires the app maker to add a backdoor to operate in Australia.

What worries me more is they keep mentioning handset manufacturers and not just app creators, which sounds like they want backdoors putting into all phones, even those that don't use these E2E messaging apps.

Joke

Wait for it...

"The laws of mathematics are very commendable but the only laws that applies in Australia is the law of Australia"

Let pi = 3...


Re: Wait for it...

Here is proof that intelligence, education or the ability to construct a genuinely meaningful sentence are not requirements for politicians.


Re: Wait for it...

Agreed - but they still have to be voted into power.

Just heard that the second law of thermodynamics has been declared unconstitutional.


Re: Wait for it...

There's gotta be a joke w.r.t the connection being vote counting, maths and laws here...


Re: Wait for it...

They just need to hire Bergholt Stuttley Johnson (aka Bloody Stupid Johnson) and it's job done.

http://discworld.wikia.com/wiki/Bloody_Stupid_Johnson

RIP Sir Terry Pratchett


Let Pi = 3

They tried something similar in Indiana in 1897 (Pi =3.2)

https://en.wikipedia.org/wiki/Indiana_Pi_Bill

It is a good thing that the sensible Hoosiers of the time decided not to go with the idea.

If, as is reported, Brandis said "Last Wednesday I met with the chief cryptographer at GCHQ ... And he assured me that this was feasible." then one of three scenarios is necessary:

1. Encryption theory has been or can be broken by GCHQ, therefore someone is going to get a Fields Medal out of this. (I assume that the genius is <= 40 years old)

2. If not 1., then for encryption to be broken it requires cooperation by those doing the encryption. That may be true, but to be feasible it would require a massive and enduring conspiracy of the order that has kept FTL technology hidden in Area 51 for more than 60 years.

3. In the unlikely event that Options 1 and 2 are not true then Brandis is talking out of his arse.

Personally I go for the Area 51 type conspiracy argument as it is most convincing. As a member of the public, Option 1 requires me to have some understanding of the mathematics involved and yet at the same time ignore the results. Option 3 requires me to distrust politicians and I can't do that without looking stupid when I vote for them.

Option 2 it is. Go GCHQ!


Re: Wait for it...

Once they had cracked ROT26, ROT 13 can only be a few more years away.

Anonymous Coward

Re: Let Pi = 3

3. In the unlikely event that Options 1 and 2 are not true then Brandis is talking out of his arse.

He's a politician, what organ were you expecting him to use?


Re: Wait for it...

Wasn't pi set to 4 somewhere? I have this vague memory of that being the case.

I know I could look it up. When I were a lad either someone knew the answer, or you had to nip to the library for an answer.

There's no such thing as 'general knowledge' anymore.

My grandfather was an 8 year old boy when Jack the Ripper was doing his stuff. Because of that, I know about Vesta Tilly, to mention an example.

I was giving a colleague a lift home once. On the radio came a song I'd never heard. It was obvious who it was. I said that it must be a new single by George Harrison.

You can guess the reply. And mine.


Re: Let Pi = 3

You guys - the story author included - are reading way too much into this.

Nobody needs to "break end-to-end encryption". All they need to do is grab the mobile phone of the person sending or receiving the message, and it's game over. And when you're a government, you can do that sort of thing.

That's totally feasible, and also explains how the laws of Australia can override those of maths.

Anonymous Coward

Re: Let Pi = 3

Umm... But if you can't get to the encrypted information without a password - as implemented in quite a lot of cases - you've then got to get the password out of the owner/user of the phone in question unless you're sprightly enough to actually grab the phone while they're logged on, which I gather has happened.

Yes, you can pass laws requiring people to give up their passwords when officially ordered to do so (the UK has such a law) but sometimes people decide they'd rather get sent down for "refusing to hand over a password" than whatever they might get done for otherwise.

On top of that, actually going out and grabbing someone's phone requires actual people going out in real life, travelling to a place, and so on and so forth - probably after having got a court warrant also requiring real people going to a real place in real life etc. Lots of real life physical effort and time. The spooks would much prefer it if they could get hold of any information they wanted without stirring from their offices.


Re: Let Pi = 3

You missed option 4 - attack the endpoint. If I have the ability to run code as root on your device then chances are I can get at the data before it gets encrypted thus, in "Brandisology" I have cracked the end-to-end encryption. This is how they plan on doing it and GB is just another legal fuckknuckle that cannot comprehend what he's being told. All the more reason to get some sort of Qubes for mobes.


Confirmed endpoint breaks

If there is any technical accuracy to what he says, this just means they've got a way to break the end point (your Android or iPhone) and then extract the SQLite database full of unencrypted messages that you've forgotten to clear.

So clear your old chats and hope that SQLite is vacuumed* before PC Plod gets his hands on your phone.

* iMessage and WhatsApp didn't in the past: https://www.zdziarski.com/blog/?p=6143

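The "clear your chats and hope SQLite is vacuumed" point above, as an added example that is not from the thread or from any messaging app's own code: it builds a constructed messages.db in a temp directory, deletes one row, and checks whether the deleted body is still present in the raw file bytes before and after VACUUM, with and without SQLite's per-connection secure_delete setting.

```python
# Added example (not from the thread): why deleting a chat row is not enough
# unless the SQLite store is vacuumed or secure_delete is on. messages.db is
# a constructed stand-in for a chat app's database.
import os
import sqlite3
import tempfile

# Constructed marker string; we hunt for its bytes in the file, not via SQL.
SECRET = "CONSTRUCTED-PLAINTEXT-MESSAGE-7f3a"


def raw_file_contains(path: str, needle: str) -> bool:
    """Forensic-style check: does the on-disk file still hold these bytes?"""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def remanence_stages(secure_delete: bool = False) -> tuple:
    """Return (after_insert, after_delete, after_vacuum): whether the deleted
    message body is recoverable from the raw database file at each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        # isolation_level=None: each statement commits itself, so the file is
        # current after every call and VACUUM (illegal inside a transaction) works.
        con = sqlite3.connect(path, isolation_level=None)
        con.execute("PRAGMA journal_mode = DELETE")  # journal unlinked after commit
        # secure_delete is per-connection: ON zero-fills freed cells on delete.
        con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
        rows = [("alice", "see you at 9"), ("bob", SECRET), ("carol", "ok")]
        con.executemany("INSERT INTO messages(peer, body) VALUES (?, ?)", rows)
        after_insert = raw_file_contains(path, SECRET)

        # "Clearing the chat": the row is gone from any query ...
        con.execute("DELETE FROM messages WHERE peer = 'bob'")
        live = con.execute("SELECT COUNT(*) FROM messages WHERE peer = 'bob'").fetchone()[0]
        if live != 0:
            raise RuntimeError("row should be gone from query results")
        # ... but without secure_delete the bytes sit in a freeblock of the leaf page.
        after_delete = raw_file_contains(path, SECRET)

        # VACUUM rebuilds the file from live rows only, dropping the freed space.
        con.execute("VACUUM")
        after_vacuum = raw_file_contains(path, SECRET)
        con.close()
    return (after_insert, after_delete, after_vacuum)


if __name__ == "__main__":
    print("default         :", remanence_stages(secure_delete=False))  # (True, True, False)
    print("secure_delete ON:", remanence_stages(secure_delete=True))   # (True, False, False)
```

Note that WAL mode and any backup copies would add further places for the deleted text to survive; the example only covers the main database file.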

Re: Confirmed endpoint breaks

At least with WhatsApp, if you back up your WhatsApp messages to Google Drive, as is the default setting, then they're stored unencrypted.

Thus, given no-one ever bothers changing the defaults, governments with data sharing pacts with 'Murica are free to view the vast majority of the public's messages by asking Google. I'd guess with iMessage it's the same - simply demand a handover from iCloud. Use secret courts if necessary.

The only messages they can't easily read will be those between tech savvy people who have disabled backups, in which case you've probably reduced the population enough to be able to brute-force the keys with your anti-terrorism funded NSA-o-matic 2017-spec supercomputer. Or any other number of endpoint break-ins, sure.

Headmaster

Re: Confirmed endpoint breaks

Good point, but it isn't the default setting. You're prompted on first run; on Android anyway


Re: Confirmed endpoint breaks

@Brenda, the key sizes we are referring to here are so massive that even an NSA-O-matic isn't going to be able to brute force a single file before the heat death of the universe.

On the other hand, there are "other avenues of investigation" that do have a pretty good chance of working.

Anonymous Coward

Re: Confirmed endpoint breaks

iMessage does not do this. iOS 11 and macOS 10.13 will support placing messages into iCloud, but the claim is they will still remain encrypted

Anonymous Coward

Re: Confirmed endpoint breaks

And judging by the way Google has blacklisted video/audio files I've put in there they're readily scanning through everything.

New Product line:

Google CrimeAnalytics, police departments subscribe to automatic updates about dissidents in their precinct.

Anonymous Coward

Re: Confirmed endpoint breaks

Quote: "The only messages they can't easily read..."

Well... I don't think that's quite right. Lots of people have implemented private ciphers... which would also count as "can't (be) easily read". For example, here's YATM (yet another test message) for the bright sparks in OZ to read:

*

will-call preenlarging hexadecane mecometer swarf chorea moralising polyergic ungood unamazedness winterfeeding mobiliary Kymric hymeneally shivah Chlamydoselachus uvate centrifugation GADO gilpy intermeningeal factually Brynmawr NDAC hyperphagic dogcatchers Mitman Tzapotec OOP hexactine hout alada

*


Re: Confirmed endpoint breaks

*

will-call preenlarging hexadecane mecometer swarf chorea moralising polyergic ungood unamazedness winterfeeding mobiliary Kymric hymeneally shivah Chlamydoselachus uvate centrifugation GADO gilpy intermeningeal factually Brynmawr NDAC hyperphagic dogcatchers Mitman Tzapotec OOP hexactine hout alada

*

You'd better leave it at that. You're starting to turn me on.

Anonymous Coward

Re: Confirmed endpoint breaks

And judging by the way Google has blacklisted video/audio files I've put in there they're readily scanning through everything.

Why, are they illegal, or just copyright infringements? What am I saying; it is likely just Google's AI being a knob end...

New Product line: Google CrimeAnalytics, police departments subscribe to automatic updates about dissidents in their precinct.

Apologies, but I'm going to hijack your ironic pun.

It's impossible to be a dissident in a country where they don't lock you up just in case you might say something they don't like. You can try being a dissident in the USA but it's nearly impossible. You basically have to commit a physical crime such as theft or murder to get them to throw you in jail.

Note, that's not the same as there being no consequences arising from what is actually said, even in the USA... Actually going ahead and saying the wrong thing and it's fines, jail time. Quite right too, that's how it should be (for most liberal westernised societies' definition of 'wrong').

Oh, and in most countries it's illegal to fail to report criminal activity / material. So far from Google selling the information to the cops, Google are already obliged by law to hand over criminal material (if they're aware of it) or risk facing criminal charges themselves. And of course Google know that and do indeed cooperate with LEAs. Knowingly doing otherwise is Obstruction of Justice.

Obvious Trend

The basic problem for Google and other social networks like Facebook is that their reliance on not being seen as the "publisher" of material is wearing thin. The trend is definitely towards being responsible for their users' posts. So they're becoming more vulnerable to such charges.

So far governments seem content to use civil systems of intervention (take-down notices, etc). That's got to be made to work properly, quickly and reliably. Technology might help, but I doubt it.

However if that doesn't substantially reduce the quantity of illegal material circulating, or does nothing to reduce on line harassment or bullying or abuse, it will be judged a failure. The rate of take downs is irrelevant; governments will judge it by what remains available despite the take downs.

That's why I'm doubtful of technology being useful. It'll only ever tackle a % of the problem material. Say it deals with 50% of illegal posts; great, but if the number of illegal posts made by users had trebled at the same time, the amount remaining available has actually gone up 50%.

If that happens then governments will lose patience and it may start becoming a matter for criminal law. If so, encryption and foreign hosting might make it impossible for direct local legal interventions, but their ad revenues are susceptible to being blocked. And if that happens, they're dead in the water.

Poor Strategy

Given such a poor ultimate outcome for the social network companies, I conclude that their entire business strategy is doomed.

This ultimate outcome is far from unlikely, no matter how fanciful it may seem today. All governments, particularly democracies, are painfully aware of how important being strong on law and order is. Government has to be seen to be doing something about online criminality, otherwise it risks getting voted out. Online racist abuse, terrorist materials, harassment, bullying, etc. is now a political issue. Hence the Google boycott that started in the UK, €50 million fines in Germany for every single illegal, fake or slanderous item not dealt with, etc.

Now that it's political, the networks are on a hiding to nothing. They cannot win. They will lose money.

Given that, why persist as they currently are? Why not change business model sooner rather than later, save the time and money?

For example, Google is currently free, and earns approximately $25 billion a year, from (I'm guessing) 3 billion users. Let's call it $8 per user. If it were guaranteed completely ad free, no data slurping, would you pay $10 per year to use all of Google's services? I would.

Given that Google could then cut their electricity bill enormously (a large amount of their compute power is analytics), they'd be ahead of the deal. Or they could charge $5.

The side effect is that Google would have credit card details for users. Sure, users would still have stupid YouTube handles, but if a user posted something illegal then the consequences can be more than a closed account. The actual person could be easily held to account by the courts. And knowing that might deter them from posting it in the first place.

Problem solved.

Anonymous Coward

Re: Confirmed endpoint breaks

" It's impossible to be a dissident in a country where they don't lock you up just in case you might say something they don't like. "

Wrong. A dissident is someone who publicly says something the government doesn't like. Nobody actually cares what your real private thoughts/opinions are (even in dystopian hell holes), they just don't want you to challenge their power, or to foment unrest among the masses.

As long as on the outside you behave according to the desired norms, and you keep your trap shut and do as the law tells you, they won't bother you (ignoring if you actually piss off someone in government, then they will make your life hell, but that is personal and occurs whatever your thoughts and opinions may be).

So, with that in mind, what you have described as "western democracies" and "strong rule of law and order" are basically the same thing. It wasn't always like this, but the last 20 years has seen a slow erosion into police states, not unlike the communist hole I originally experienced all this in.

" Note, that's not the same as there being no consequences arising from what is actually said, even in the USA... Actually going ahead and saying the wrong thing and it's fines, jail time. Quite right too, that's how it should be (for most liberal westernised societies' definition of 'wrong'). "

Oh really? So if in future laws are brought saying "thou shall not insult the emperor/fatherland/whatever", or "thou shall spend 5 years in our army doing whatever is ordered on pain of death" that is all right as it is obviously the law, and objecting people should suffer the consequences? Sure these examples are extreme, and are used for the purposes of making a point, but given time and the slow march of incremental pushes, it is not unfathomable.

On an example closer to home, we can look at Edward Snowden, who broke the law, and some politicians have called for him to be executed as a traitor. They are technically right, as he broke the law and that is one possible consequence of doing so. Does that make it right in your eyes?

You seem to think those nightmare countries like North Korea are like that due to lack of strong law and order, when in fact it is the exact opposite. They have laws for everything, all of which have "consequences", and in your world it is ok to suffer the consequences for those laws, no matter how unjust you think they may be?

and "liberal westernised societies' definition of 'wrong' " is pretty much a function of brainwashing, rather than some sort of intelligent individual enlightenment. Specifically any dissenting voices are ridiculed, stamped on or silenced in the media. If you want a new law, you just brainwash the masses to convince them "society" as a whole thinks its a good idea, then off you go. It is quite simple really.


Careful

I'd avoid anyone with Chlamydoselachus if you're planning anything intimate.


Methinks the UK bod really was implying that you install spyware on one of the devices and use a keylogger to see what was being typed, rather than using some massive supercomputer to do a bit of number crunching.

Unhappy

"Methinks the UK bod really was implying that you install spyware on one of the devices"

Probably.

He also probably didn't want to make the AG's brain explode with too much complexity.

Which with this one seems a distinct possibility.

Lawyers are so used to making the law do whatever they want it to that they really can't conceive of a situation where this doesn't work.


Re: Install Spyware

Probably. That would be the same way Germany is heading with their "State Trojan". It's questionable if he could tell the difference in approaches. At least this would make his remark not completely foolish.

However, using malware attacks will wear off quickly if done in anything more numerous than terrorist investigations.

It does not scale to the levels needed for the proposed mass-surveillance on every terrorist AND criminal alike.


Re: Install Spyware

@EricM - I don't like beer, but you may assail me with a nice cup of Horlicks any time you like :-}

Anonymous Coward

Re: Install Spyware

A malware attack fails to work against a (half) determined evildoer. All you need to do is buy a new, cheapo phone every now and then. Or a very old one (never mind the pigeons).


Re: "Methinks the UK bod really was implying that you install spyware on one of the devices"

"He also probably didn't want to make the AG's brain explode with too much complexity."

Maybe it did explode but nobody noticed.



Biting the hand that feeds IT © 1998–2017