Former GCHQ boss backs end-to-end encryption

Former GCHQ director Robert Hannigan has spoken out against building backdoors into end-to-end encryption (e2) schemes as a means to intercept communications by terrorists and other ne'er do wells. UK Home Secretary Amber Rudd has criticised mobile messaging services such as WhatsApp, that offer end-to-end encryption in the …

Silver badge
Coat

Re: This isn't the problem you're looking for

" Western society for which the Internet and other forms of electrical communication are increasingly essential "

I dunno, something about grabbing a coffee from a small shop at the same time of day every Tuesday afternoon comes to mind.

6
0
Gold badge
Gimp

"Blanket surveillance of the population is...an accident waiting to happen: "

What makes you think this is an accident?

"Give me six lines from an honest man and I'll find something with which to hang him" as Cardinal Richelieu put it 4 centuries ago.

6
0
Silver badge

Re: This isn't the problem you're looking for

but what about modern Western society for which the Internet and other forms of electrical communication are increasingly essential?

Think about this for a minute. The above shows how embedded you are in "tech".

It's easier to get off the grid when you live in the sticks (I wouldn't call Afghanistan or Pakistan exemplars of modern technology),

You answer your question in your opening statement. Those folks are used to being off the grid, so to speak and probably wouldn't use hi-tech anyway since it's foreign to them. Sometimes, this is one of them, old methods are better than new methods.

3
0
Silver badge
FAIL

Meanwhile ...

how do you deal with terrorists who hang a blanket out of a window within view of a webcam ?

The "encryption" being: "When you see a red towel from that balcony, it's game on".

9
1
Silver badge

Re: Meanwhile ...

We're all going to pretend that there are no low-tech terrorists (and mafia) out there…

Of course, the cell still has to be informed about the particular signal but that, too, is usually done as simply as possible.

4
0
Anonymous Coward

Re: Meanwhile ...

The thing is, that kind of communication still requires establishing a code, which means meeting up at some point to establish that code (meaning it's possible to mole), plus it's a lot harder to communicate minutiae in a public medium in a non-obvious way. I mean, what do you do when the message you have to convey is, "Normal window being observed. Switch to two buildings east, 4th floor, 2nd window from the left, and check again in three days." or "Target has had change of plans. Reschedule for one month later, at <insert new location>."?

0
0
Anonymous Coward

Re: Meanwhile ...

I think this has already been done by the Boston Terrorist - Paul Revere. The webcam merely brings it up to date.

4
0
Bronze badge

Re: Meanwhile ...

" I mean, what do you do when the message you have to convey is, "Normal window being observed. Switch to two buildings east, 4th floor, 2nd window from the left, and check again in three days." or "Target has had change of plans. Reschedule for one month later, at <insert new location>."?"

I think this problem was solved with the help of the BBC back in the 1940s - unless the Germans knew which was the normal window being referred to, or, for the second message the location was coded, what you're left with is a couple of strange but meaningless messages broadcast to millions but only making sense to one or two - and you don't even know which members of the population at large might have heard it.

4
0
Silver badge

Re: Meanwhile ...

Yes, but what if your opposition is LOOKING for strange messages on the assumption they're up to no good? IOW, you not only have to hide the contents of the message but also the fact you're sending a clandestine message. There are only so many ways you can mangle the language in a public medium (and it's difficult to use extensive steganography, especially for a detailed message in a medium not under your control) before people start wondering. At least in WW2 there were codes being sent everywhere, including from overt official sources. Not as easy in a covert campaign.

0
0
Anonymous Coward

Can someone explain to me how they are going to get what they want without installing a backdoor to allow them to do it?

0
0
Silver badge

Currently they would hack in to a phone using any one of numerous vulnerabilities, and from there install whatever "back door" was needed. Generally this is a good approach, as in the least-worst for all of us, as it has to be targeted to the device in question (hardware / software version, etc) and is not universally available to anyone as a deliberate back door feature would be. Also widespread (mis)use would tend to show up and things would get patched*.

Down side to us is they then hoard vulnerabilities like "Eternal blue" etc that ended up in the NHS being screwed over, etc.

[*] - yes stop laughing and the majority of Android users like myself who get bugger-all patches even when bugs are publicly disclosed and in use.

4
0
Silver badge

[*] - yes stop laughing and the majority of Android users like myself who get bugger-all patches even when bugs are publicly disclosed and in use.

The paranoid in me asks: Can you be sure that a) there are no "secret" patches? and b) that the patches disclosed actually are clean of any hidden code?

0
0
Bronze badge
Black Helicopters

Blanket Surveillance Goal

tl;dr Phone pwning the best current option but it moves where the backdoor is, not that it matters as the government and GCHQ are after blanket surveillance.

The UK government and spy agencies want automated blanket surveillance of all UK individuals as their end goal, not just potential terrorists that are used as their reason to sway public opinion. They will ignore any advice such as from this ex-agency guy as it does not fit their end goal.

We know all the recent terrorists were reported to police and authorities about their radicalisation and worry that they might do something. Encryption is not the problem for failing to act on those public tipsters.

The big agencies have tried to get backdoors in US and other countries' products using 'do it for your country' and when that has failed they have tried huge bribes, along with hacking the companies and trying to insert their own bad code to take advantage of. It's just harder for them to commit changes unnoticed now. Their ideal situation is implementing an implementation or mathematical backdoor that allows decryption easily, quickly and with minimal CPU cost but would be next to impossible to find by security researchers. I have no doubt that a few of these are in play anyway.

The gentleman's point about going for the end phone has always been the best option over blanket surveillance. Targeted rather than being lost among all the information in a needle in haystack scenario. This still relies on there being vulnerabilities and backdoors in phones and the telco system that are not patched so they can keep using the vulnerability. So ultimately a backdoor anyway and no doubt these agencies are pushing for weaknesses in newer implementations of LTE5 so they can keep using the same cell network protocol tricks they use now.

So the endpoints are better than backdoors in encryption, but you have just moved the place where the backdoor is. I would like secure encrypted chat AND a secure smart phone. The phone hardware has its own backdoors/exploits (hi US company Qualcomm) that have issues before we even get to the buggy software on the phone, that doesn't need NSA/GCHQ weakening as for example the Android Media Framework will keep giving fresh exploits in the way we have seen for flash on desktops.

Sure target terrorists but somehow find a way to do it where I can keep a secure phone too.

/Big Rant

5
0
Anonymous Coward

I feel there may be a subtext here: "the security agencies can work round the current situation, but extending the snooping powers of the police et al is far too great a risk"

3
0

Hooray.... but..

The best solution is to "target the people who are abusing" encryption systems and go after the smartphone or laptops they are using.

This sounds great, someone talking sense on encryption. But wait a second, to actually put that into practice don't we need to have hoarded a load of smartphone and laptop vulnerabilities? That means we either need to hide them from the OS makers or (even worse) lean on them not to fix. That doesn't sound like a much better solution to me.

2
0
Silver badge
Joke

Re: Hooray.... but..

"That means we either need to hide them from the OS makers"

You either forgot the state of the phone market, or forgot the icon =>

1
0

I agree that it was a very good, intelligent interview.

I also agree that the lack of technical understanding of those in power is a huge problem.

So having someone explain things on Radio 4 in the morning is hugely important.

Simon

1
0

Nice to hear someone in the know actually say the truth

It's nice for a change to have somebody who was indisputably in the know say the actual sane truth about the whole encryption thing.

I would not be surprised if the actual intelligence agencies know from top to bottom the politicians are idiots and their plans are stupid, but they don't mind the politicians beating the drums about it, just so long as there is seen to be a struggle back and forth and then the tech utopians win the day and everybody feels safe and private & secure. Meanwhile the state funded intelligence agencies have endless ways to get what they want & enjoy people feeling so secure with their encryption apps that they let their guards down.

3
0
Silver badge

Undoubtedly bodies such as GCHQ know what May & Rudd want, i.e. the govt only back door, is nonsense. They also know that they're not going to be any better off with a bigger haystack. And they probably realise the drastic consequences of the politicians' shopping list of entitled agencies getting their hands on surveillance. But they also know that any words of wisdom from themselves will fall/have frequently fallen on deaf ears and their conditions of service prevent them going public.

What I'd really like is someone who's sufficiently lost their rag to retire and go public to the extent of saying "I've told these idiots time after time but they're just too stupid to understand.".

2
0
Silver badge

However, there is also the simpler possibility that they know this won't stop "bad guys" but they can use it to dissuade law-abiding people from using encryption. That allows them to more easily sweep for those that do and hone in on them. It's not being able to hack encrypted emails they want so much as ensuring that most emails aren't encrypted.

0
1
Silver badge

"they can use it to dissuade law-abiding people from using encryption"

Not when the law-abiding people realise that this is their banking apps and online trading accounts that are affected. Nor the businesses that use VPNs to enable secure access to the office network for out-of-office workers.

Everyday business over the internet runs on encryption. Can you imagine the shit-storm that will break when it's discovered that the local dog-warden has access to his neighbours' bank accounts and that the govt has legislated to make that possible?

2
0
Silver badge

> The Americans tried that in the 1990s under the Clinton Administration and it didn't work.

It didn't work? If only that were the end of it. You know a pretty substantial portion of the crypto attacks over the past couple of years are a direct consequence of those export ciphers. Now 20 years later, attackers were using the fallback mechanisms to get our systems to use the very weak ciphers that every man and their dog can crack with next to no expense.

2
0
Silver badge
Meh

"End-To-End" Encryption Isn't as Secure as Some Would Wish

As world hero Edward Snowden explained GCHQ and NSA have the wherewithal to re-arrange the furniture in a typical smartphone, which is why I treasure my Mitsubishi Trium featureless cell handset, means that any plain voice or data can be intercepted and redirected.

Really, really, secure systems I have seen/used separate the encryption devices from the communications devices so that no raw information ever enters the communications device which renders all the prowess of GCHQ and NSA somewhat moot.

1
1
Anonymous Coward

Re: "End-To-End" Encryption Isn't as Secure as Some Would Wish

Unless, of course, they pwned BOTH devices AT ONCE. And your Trium phone may well have secret capabilities you're not aware of, given this was nothing new during the Cold War, decades ago.

1
0
TWB

Bans required

Social networking, the internet, computers, printing, books, reading and writing, talking, secrets and thinking.

That should sort out all terrorism.

2
0
