Leaked: The UK's secret blueprint with telcos for mass spying on internet, phones – and backdoors

The UK government has secretly drawn up more details of its new bulk surveillance powers – awarding itself the ability to monitor Brits' live communications, and insert encryption backdoors by the backdoor. In its draft technical capability notices paper [PDF], all communications companies – including phone networks and ISPs …


      1. Anonymous Coward
        Anonymous Coward

        Re: Is it a big deal?

        That's the one about not having soldiers camp out in your living room right?

  1. Anonymous Coward
    Anonymous Coward

    Am I reading this as encryption can't use your network unless you the ISP can break it?

    1. tom dial Silver badge

      Unless UK English words carry rather different meanings than the same (up to spelling) US English words, telecommunications providers may be required to be able to decrypt the encryption they apply or that is applied on their behalf by another party.

      The document does not appear to prohibit other use of encryption, or require the providers to be able to decrypt messages not encrypted by or for them.

      On its face, this appears to be a regulation governing ordinary wiretapping (and examination of mail, which I did not see mentioned in the article), with the additional requirement that a carrier could not evade warrants or other authorized orders by encrypting the communications or hiring someone else to do so.

      1. Anonymous Coward
        Anonymous Coward

        with the additional requirement that a carrier could not evade warrants or other authorized orders by encrypting the communications or hiring someone else to do so.

        I think the point here is that warrants aren't mentioned. The carrier is expected to roll over & drop its pants whenever the "authorities" ask. If it needed a warrant signed by a judge first there would be less opposition.

        Doesn't make it any less pointless, of course. Just hook up your RPi "Enigma" machine to your email program, and you don't need ISP encryption at all.

        1. DropBear
          Joke

          "Just hook up your RPi "Enigma" machine to your email program"

          Weird, I could have sworn there has been a practical attack against that at some point...

  2. Your alien overlord - fear me

    How does the ISP know if the encryption I use is breakable unless they break it first? Which would be a hacking offence since it's done by them and not the government. And how can they block it since I run it on port 80 (or 443 or whatever)?

    Here's a non-encrypted message to the UK government - FUCK RIGHT OFF.

    1. veti Silver badge

      They would know if they were the ones who provided it to you. Which, if you read the article, is the only kind of encryption that's actually covered.

    2. Anonymous Coward
      Anonymous Coward

      what will happen, eventually, is all UK internet users will have to install a certain couple of root certificates.

      happened already in another 'free' country.

  3. John Smith 19 Gold badge
    Unhappy

    "technical capability notices" sounds like a kind of "statutory instrument" to me.

    Preferred tool of the Dark Lord Mandelscum.

  4. Chewi
    Mushroom

    Open Rights Group

    The doubts about encryption aside, I'm really glad I joined the ORG recently. Please do the same.

  5. Voland's right hand Silver badge

    She is working for it

    She should really stop shaving her mustache. A small rectangular mustache can do wonders to your look. A set of handlebars and a military headgear look stunning too.

    On a more serious note she is pressing all the buttons to advance towards a fascist dictatorship.

    Declaring barely won referenda sacred and inviolate by any normal democratic process - exactly like Hitler and the referendum on changing the Weimar republic constitution, quoting straight out of his and Goebbels rants just doing s/Jew/European/g. Having her lapdog quote out of the Law for the restoration of the Professional German Civil Service while applying the same regexp. And now trying for a quick war. Nothing to advance a dictatorship like putting the country on a war footing.

    1. Anonymous Coward
      Anonymous Coward

      Re: She is working for it

      we must vote her out on June 8th

      1. Anonymous Coward
        Anonymous Coward

        Re: She is working for it

        Make June the end of May.

        1. Jamie Jones Silver badge
          Thumb Up

          Re: She is working for it

          Make June the end of May.

          Nice one!

          I'm not confident though - it seems that most of our population are turkeys who enjoy Christmas, and are easily spun by media and political hysteria, and don't find the opposition a viable alternative... Where have we seen that recently? :-(

          1. Haku
            Unhappy

            Re: She is working for it

            I've always loved dystopian sci-fi movies; Brazil, Blade Runner, Logan's Run, GATTACA, Cube, V for Vendetta, Dark City etc., a brief bit of escapism to another, strange reality, but now I look around at what's happening on our planet those films don't seem quite so appealing anymore...

          2. Strahd Ivarius Silver badge

            Re: She is working for it

            Usually, turkeys have not the leisure to enjoy Christmas, they have been eaten by November...

            1. Roj Blake Silver badge

              Re: Usually, turkeys have not the leisure to enjoy Christmas, they have been eaten by November...

              Only in the US.

              1. Bronek Kozicki
                Coat

                Re: Usually, turkeys have not the leisure to enjoy Christmas, they have been eaten by November...

                If I can give a word of advice, I'd suggest if LibDems formed strong opposition to Conservatives on this election, that would be just good enough. You certainly cannot rely on UKIP or Lab to form an opposition, they will first stab each other before position on anything can be formed.

                (I'm not voting, not holding the right passport, thank you)

  6. Chris King

    Law of Unintended Consequences

    So, when the rest of the planet chooses not to do business with us because our crypto cannot be trusted, we'll be back to buying stuff with Postal Orders - assuming we can find a Post Office that hasn't been shut down.

    Yay for mediocrity.

    1. MJI Silver badge

      Re: Law of Unintended Consequences

      Shut post offices.

      Last time we had a Labour MP this was his achievement.

      Shutting post offices

  7. John Smith 19 Gold badge
    Unhappy

    Evil flourishes in darkness

    AFAIK most "statutory instruments" are instruments of darkness.

  8. Destroy All Monsters Silver badge

    So when will the marketing effort start

    A little sarin event in downtown London, possibly involving "barbaric aggression" by ... ummm... "Assad"? No, wait: "Assad aided and abetted by Putin".

    1. Rich 11

      Re: So when will the marketing effort start

      No, not that. Since we're desperate for Trump to deign to grant us a huge free trade deal in the hope of stopping our economy going down the toilet the year after next, we have to suck up to the US more than usual. That means Putin is safe until he actually releases that golden shower video, or until Trump goes so far overboard that even the Republicans want him impeached. Right now, it's a lot easier to pick on the little guy with no real friends (you know, just like in school), so the false flag op will arrive courtesy of Kim Jong Un.

  9. organiser

    An Act worthy of a government that doesn't trust its own citizens. It is not about keeping people safe. It is about keeping government safe.

  10. Anonymous Coward
    Anonymous Coward

    you all should join the ORG

    https://www.openrightsgroup.org/

    1. Anonymous Coward
      Anonymous Coward

      just joining an online group..

      i will just add that just joining a group online doesn't actually *do* anything.

      well, apart from maybe moral self licensing or virtue signalling if you then (quite rightfully) re-post it on social media. We need to GET noticed. keyboard warrioring isn't enough.

  11. alain williams Silver badge

    1 in 6,500 real time snooping

    comms providers will be required to make bulk surveillance possible by introducing systems that can provide real-time interception of 1 in 10,000 of its customers. Or in other words, the UK government will be able to simultaneously spy on 6,500 folks in Blighty at any given moment.

    That makes the assumption that each person only has one Internet connection. For many it is 3: home, work & mobile. So double that number - at least.

    1. tiggity Silver badge

      Re: 1 in 6,500 real time snooping

      Some dodgy numbers there

      If they can intercept 1 in 10 000 ...

      10 000 * 6 5000 gives 6 500 0000 users only in UK

      Which seems quite small number of people ... although obviously there will be some shared use of landlines so one landline can snoop on multiple folk, but, as Alain said, multiple users of landline can be offset to a reasonable degree by mobile internet usage

      From ONS

      The internet was used daily or almost daily by 82% of adults (41.8 million) in Great Britain in 2016, compared with 78% (39.3 million) in 2015 and 35% (16.2 million) in 2006.

      https://www.ons.gov.uk/peoplepopulationandcommunity/householdcharacteristics/homeinternetandsocialmediausage/bulletins/internetaccesshouseholdsandindividuals/2016

      (worth reading a few lines of that just for depressingly high (IMHO) internet Smart TV number)

    2. Anonymous Coward
      Anonymous Coward

      Re: 1 in 6,500 real time snooping

      "comms providers will be required to make bulk surveillance possible by introducing systems that can provide real-time interception of 1 in 10,000 of its customers. "

      That will not be free of cost, so ... if those providers could be required to break out the cost of that on their bills, people might actually notice, and want to do something? </pointless_optimism>

  12. Anonymous Coward
    Anonymous Coward

    There is no such thing as unbreakable encryption. The fact that encryption is reversible implies that it is breakable. It can increase the effort and cost but not become unbreakable.

    1. tom dial Silver badge

      For a sufficiently long key, current well known and extensively analyzed algorithms are thought to be secure against "breakable" for a period of the order of the expected life of the universe. And the keys are not that long.

      Technology and mathematical research could change that, but recent weakening results seem to be in the range of a bit or two here and there, and not overly useful in the context of a 4096 bit key.

      There are, however, other means to circumvent encryption.

      1. Brenda McViking

        Mathematically, encryption can be unbreakable, but in the same way that physics has theoretically ideal constructs.

        In the real world though, you use engineering to break encryption - and indeed all the high profile encryption flaws uncovered have not been discovered as mathematical flaws but generally, breaking in by using flaws in which the encryption is implemented. It was true for enigma, it was true for heartbleed, and it's true today.

        After all, it's theoretically possible to have a perfect key and a perfect lock. Add in humans and they can be lost, stolen, cloned, misdirected and intercepted during transit, replicas of similar looking locks and keys made to fool users, or rubber-hoses used to acquire said items. These are not mathematical attacks but engineering ones. The public want engineering attacks outlawed, and gummints want to be able to do them, so the easiest way is for gummint to try to outlaw mathematics, "prove" that encryption promotes terrorism and paedophilia and "compromise" on allowing engineering attacks for themselves only when the public have an outcry about it.

        1. Aladdin Sane

          Obligatory XKCD

    2. Anonymous Coward
      Anonymous Coward

      'one time pad' anyone ?

  13. mderouss

    So where is the problem here ?

    So are 3rd party VPN providers going to be classified as telecommunication providers/ISP's ?

    That's certainly possible, but I don't see how this has much impact in practice. Many 3rd party VPN providers are not UK based, and it's hard to see how the British government could do much except force them to shut down their UK servers if they did not comply. And of course, they would comply - for those servers. But it's utterly irrelevant, since if you are exiting from a UK server, you lose VPN encryption at that point anyway - VPN's do not provide e2e encryption unless you own both 'e's'.

    Of course, if VPN connections to overseas VPN servers are going to be forbidden period, that would be.... interesting :).

    If *every* company that operates a VPN for corporate purposes is now classified as a telco/ISP, that would be a pandora's box of grief. I just don't see that happening here.

    Are end users going to be forced to install ISP root certificates ( to allow HTTPS MITM attacks ) before they are allowed to use an ISP's services ? I can't see this. That would require touching every endpoint connected to the ISP, it would be a nightmare for the ISP's, and pinning complicates even this.

    If neither of these things is true, then I'm struggling to see what the fuss is about on the encryption front. When we talk about e2e, in what sense does 'e' ever refer to the ISP/Telco ? What capability does this proposal give that they don't already have ? All that it appears to do is to give the Government explicit power to demand that ISP's/telcos do certain things *if they can*.

    So what we're left with, really, are overlay services like Skype ( but who trusts that anyway ? ) and WhatsApp. And to be pulled in to this, they would need to be classified as telecommunication providers. That's certainly arguable. But I'm completely confident that nefarious persons with more than one brain cell will still be able to communicate securely if they wish to. So as usual, this is a Government scale hammer that might just crack a few peanuts if they're lucky.

    1. Blacklight

      Re: So where is the problem here ?

      "Are end users going to be forced to install ISP root certificates ( to allow HTTPS MITM attacks ) before they are allowed to use an ISP's services ? I can't see this. That would require touching every endpoint connected to the ISP, it would be a nightmare for the ISP's, and pinning complicates even this."

      Erm, not quite. A nice nudge to Google & MS and hey-presto, your next s/w or OS update contains new certs.

      Chrome already overrides machine level certs, as I found out when I was using a CA it opted to distrust (warnings ahoy, even though the root CA was trusted).

      Unless you keep tabs on EVERY cert in your machine, with fingerprints, something could merrily install and opt to use one.

      Pinning also only works if the apps respect it (or are allowed to)...

      I'm sure someone will be along shortly to insert an obvious comment about not using Windows, or Google, or <other large well known app> - but for the masses, it's not going to be that hard to do...
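The fingerprint bookkeeping mentioned in the comment above can be automated. The following is an added example, not part of the original thread: it fingerprints every certificate in a PEM bundle and diffs the result against a saved baseline. The sample "certificates" are constructed placeholder bytes (the fingerprint is just SHA-256 over the DER bytes, so no X.509 parsing is needed), and all function names are illustrative.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def der_fingerprint(der):
    """SHA-256 over the DER bytes: the fingerprint certificate viewers display."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(pem_text):
    """Return the set of fingerprints for every certificate in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_text):
        # PEM bodies are base64 wrapped across lines; strip all whitespace first.
        der = base64.b64decode("".join(body.split()), validate=True)
        found.add(der_fingerprint(der))
    return found


def diff_trust_store(baseline, pem_text):
    """Compare a saved fingerprint baseline with the current bundle."""
    current = bundle_fingerprints(pem_text)
    return {
        "added": sorted(current - baseline),    # roots that appeared since baseline
        "removed": sorted(baseline - current),  # roots that disappeared
    }


def to_pem(der):
    """Wrap bytes as a PEM block (used only to build the sample data below)."""
    b64 = base64.b64encode(der).decode("ascii")
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(b64, 64))
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed placeholder bytes standing in for DER certificates (not real roots).
ROOT_A = b"constructed root A " * 8
ROOT_B = b"constructed root B " * 8
ROOT_NEW = b"constructed root pushed by an update " * 4

BUNDLE_BEFORE = to_pem(ROOT_A) + to_pem(ROOT_B)   # state when baseline was taken
BUNDLE_AFTER = to_pem(ROOT_A) + to_pem(ROOT_NEW)  # state after a software update

if __name__ == "__main__":
    baseline = bundle_fingerprints(BUNDLE_BEFORE)
    report = diff_trust_store(baseline, BUNDLE_AFTER)
    for fp in report["added"]:
        print("ADDED  ", fp)
    for fp in report["removed"]:
        print("REMOVED", fp)
```

This only covers stores that exist as PEM bundle files; operating-system and browser stores kept in other formats have to be exported to PEM before they can be compared this way.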

    2. Jamie Jones Silver badge

      Re: So where is the problem here ?

      The problem here is that we have to spend money going through hoops to stop the government that is meant to *serve us* spying on our daily lives, using our tax money to pay for the ability to do so.

  14. Anonymous Coward
    Big Brother

    It's game over for democracy

    It quite frankly puzzles me that with the surveillance capability available to the state security apparatus, there hasn't been a decrease in the availability of illicit drugs, black-market arms sales and the vast sums of money made from such trade. Which begs the question as to the real purpose of such legislation. Which if I have to spell it out for you is this. This is really about suppressing political dissent within the population.

    The politicians won't oppose this, they can't, the spooks have the photos. I mean the spooks even have IMSI catchers installed around the parliament building and the MPs phones and emails are recorded and not a whisper of this from the MPs or the so-called free press. What we have here is what was once described as corporatism, that is the total union of the corporations and the state, what's that word, it's on the tip of my tongue, anyone.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's game over for democracy

      "[...] what's that word, it's on the tip of my tongue, anyone."

      The one beginning with "F"? That usually incorporates a professed strong religious ideology too ...oh..

    2. John Sanders
      Big Brother

      Re: It's game over for democracy

      "Which begs the question as to the real purpose of such legislation."

      Think about this:

      Who is the surveillance supposed to cover in the UK, why is this even remotely necessary? Is it because of the naughty UK natives?, if not who?

      The national socialists?

      The members of the Red Brigades?

      Members of the IRA?

      Members of ETA?

      The Bolsheviks?

      The FARC?

      The Khmer Rouge?

      The members of GRAPO?

      I wonder who could be so problematic as to grant the government the power to spy over everybody.

      The funny bit is that these who the legislation try to address were brought in by a political decision which could be easily reversed if the politicians had any honesty.

      But instead you and me have to now see our freedom eroded.

      This will be used to spy on political adversaries, and anyone critical of (((the system)))

      This is a massive slippery slope.

  15. mike360

    Power only respects power and the power of the state dwarfs that of your personal power as one of the unwashed masses. If you think this is bad wait until you have a camera inside your house by law. You think I'm joking don't you?

    1. Anonymous Coward
      Anonymous Coward

      '..wait until you have a camera inside your house by law. You think I'm joking don't you?'

      I think you've missed the point about the way the surveillance state in the UK has been implemented, forcing things like this 'by law' tends to generate a 'bolshie' reaction amongst the 'great unwashed'...softly, softly catchee monkey and all that.. besides, it'd cost the state money to implement, money they'd rather spend on important things like Chablis and the suchlike...

      Far better to get the 'great unwashed' to buy the shackles of the surveillance state themselves, the smart TVs, Xboxen with Kinects, mobile phones with multiple cameras, microphones and GPS so 'They' know where 'we' are, the internet connected 'Home Security Systems', the 'Smart Meters', the IoT BS..etc. etc, once they've purchased all that stuff, we, the state, can hack/intercept all their traffic rather nicely at the ISP/Backbone level.

      The way things are going, I think I'll be looking for a nice cave somewhere in the Cape Wrath area real soon..

      1. Captain Hogwash

        Re: get the 'great unwashed' to buy the shackles of the surveillance state

        Exactly this!

        Technician, we want you to build a component

        For each of our workers, to be with them always,

        At all time watch closely, so we can keep track of

        Their actions, their interests, their morals, their time out.

        Some musak to maim them, some fear to contain them.

        Policy will judge them, brute forces degrade them.

        Practical behaviour, the cleanser, the saviour.

        A private vocation has no sense of nation.

        The maintenance of power can be so fulfilling,

        Just as long as all the slaves are willing.

        - Twelfth Night, We Are Sane, 1982

      2. Anonymous Coward
        Anonymous Coward

        "Far better to get the 'great unwashed' to buy the shackles of the surveillance state themselves, the smart TVs, Xboxen with Kinects, mobile phones with multiple cameras, microphones and GPS so 'They' know where 'we' are, the internet connected 'Home Security Systems', the 'Smart Meters', the IoT BS..etc. etc, once they've purchased all that stuff, we, the state, can hack/intercept all their traffic rather nicely at the ISP/Backbone level"

        You and everyone up voting you clearly have no idea what you are talking about. I must ask you do you own a smart TVs, Xboxen with Kinects, mobile phones with multiple cameras, microphones and GPS?

    2. Anonymous Coward
      Anonymous Coward

      Unlikely they will put a camera inside your house by law.

    3. Amorous Cowherder
      Unhappy

      Why would they? They know we're bloody stupid enough to want new toys like webcams and Skype on mobile phones. We buy into things like Alexa and Siri, talking to boxes that transmit our every thought back to the master servers. They won't have to make it law because the next generation are already practically brainwashed into sharing every single thought and deed online.

      1. Anonymous Coward
        Anonymous Coward

        like you are doing right now by typing and putting a comment on the register?

  16. Winkypop Silver badge
    Big Brother

    They like to watch

    Resistance is futile

  17. ChrisPv

    I have my pitchfork, but no use for it

    I have to admit that, after reading the title, I dived into the article fully ready to be angry. But this is not "mass-surveillance"; it is normal legal intercept. For details, 6500 people at a time is not much for a country of the UK's size and there is some resemblance of legal process. Only the encryption bit is stupid.

    It is not like GCHQ tapping a Vodafone proxy to spy on a third of Europe at the same time.

    All in all, this is something to be discussed, which is surprising in these times.

  18. tim 31

    investigatorypowers@homeoffice.gsi.gov.uk.

    the email address does not work

    The data that the government trawls is rarely used by security agencies but shared by over 60 other government departments who, like the HSE and environment agencies, just use it to prosecute small businesses for petty regulation infringement.

    They are making a very good living from this process, like speed cameras, not about safety, just generating money electronically.
