Sir Tim versus Amber Rudd
Either a high-minded debate on BBC1 or a cage fight.
Sir Tim Berners-Lee has criticised plans to weaken encryption or extend surveillance in the wake of recent terrorist attacks. Days after the attack on Westminster that claimed the lives of three pedestrians and a police officer, Home Secretary Amber Rudd said there should be no safe space for terrorists to communicate online. …
Yes, use weak, therefore useless encryption standards that aren't so hard to crack. At which point you may as well have handed cybercriminals, including Terrorists(tm) and state sponsored bad dudes at which point you have just handed a loaded nation-state size gun to China, Russia and the rest with an instruction that your financial and critical infrastructure is not wearing kevlar today.
You cannot insert a "back door" into mathematics, which is what Crypto is, essentially. Any politician who tells you otherwise needs to step the fuck away from the TV, this isn't crime fiction.
Also: Technical problem? Really? The simplest way would be for the NSA/GCHQ to SSL middleman the in-and-out pipes to the various POPs and done.
"Re: a technical solution surely exists "
Putting aside the technical solution for now, what is the actual justification? So the Westminter bridge nutter (I refuse to use the "t"-word, that's NOT what he was) "checked What's App" moments before he drove into the crowd? So what? What would the police / security services have done even if they DID have unfettered access to everyone's data?
Definitely, as computer experts, we have a duty to proclaim the reality that backdoors "only for those with legitimate access" simply cannot exist. However when talking to / trying to convince non-technical people, I wouldn't go for a technical explanation. Rather, I would challenge the possibility of getting any useful INFORMATION from unfettered access to DATA (which is not just needle-in-a-haystack but something-I'm-not-quite-sure-of-in-a-million-stacks-of-random-junk). After all, it turns out pretty much every time that perps are "known to the police", and the police already have plenty of data (eg 9-11 attackers). When police already have enough data available, and the problem is getting useful information from the available data, then getting more data is simply going to make the problem bigger.
The solution is to have more police / security officers trained to make connections, and working "in the field" and undercover. But politicians who will happily blow a few billions on a fancy IT system (that will be 5 years late, 5 times over budget and unfit for purpose), refuse to spend a few hundred million on hiring, training and retaining skilled officers.
Was that a well-crafted satire or a load of old cobblers?
For avoidance of doubt, you don't dissuade people who are or are intending to break laws by providing them with more laws to break.
In other words those who intend to use strong encryption as an aid to breaking the law will source it from somewhere - the algorithms are not a big secret. So the people who'll be affected are the law-abiding people who you were trying to protect and those you were trying to deter will shrug it off.
You do not make the public more secure by weakening encryption, you make them less secure.
"For avoidance of doubt, you don't dissuade people who are or are intending to break laws by providing them with more laws to break."
Yes you do. It's why, for example, the UK has historically had very low gun crime; we used to punish it harshly. Don't forget it's also how Peter Sutcliffe (false numberplate) got caught and severely restricted Al Capone's activities.
"In other words those who intend to use strong encryption as an aid to breaking the law will source it from somewhere - the algorithms are not a big secret."
And - if you have total surveillance - they will then stick out like a big sore thumb. Making them very easy to arrest and prosecute. Also making it dramatically easier to prosecute for *something*. To reuse Phil Zimmerman's metaphor, if everyone uses postcards then anyone with a envelope is suspicious, especially if you ban envelopes.
So the debate shouldn't be about whether this will work, it will, but whether it will have massive downsides and is morally corrupt. That would be an adult debate, not that you'll find much here.
"You do not make the public more secure by weakening encryption, you make them less secure"
You change the balance. You make them marginally more secure against terrorists and people the state doesn't like. You make them dramatically less secure against the state, white collar criminals, corporations, tabloid journalists and other states.
Bleating on about you can't change the maths is stupid. Nobody wants to change the maths. They want to weaken protections whatever the cost.
I don't know if I'm giving you too much credit, but you are very much conflating issues here. 1) The security of the people as a whole against bad actors who use e2ee in the commission of their crimes, and 2) the security of the people as a whole as they use e2ee to protect themselves against bad actors wanting to snoop on, or interfere with, their online communications.
To clarify your use of Zimmerman's metaphor, the envelope exists to prevent people from reading the letter who should not. It also servers as a guarantor that the letter really is coming from whom it says.
In particular, MITM attacks on financial transactions rely on strong encryption. With weak encryption, they entire online marketplace (to include online banking) becomes intractable. E2EE is not required for this only because we assume that the people at the ISPs are good actors who have not been compromised in any way. This has always been a dubious assumption, and is becoming moreso with time.
Moreover, if you have strong crypto, then e2ee is straightforward to implement. And it does NOT particularly stand out, because many streams are of already encrypted data. This last move in the US to explicitly allow ISP commercialization of our online activity driving more of this.
Finally, the issue with the key under the doormat is, well, key. If some form of backdoor were implemented, its existence would be known for months or even years before implementation. The details, including the master keys, then become target #1 for every cracking operation on the planet. Most notably foreign intelligence services. Is there ANYONE that would make a bet that the system would remain intact for five years?
"It's why, for example, the UK has historically had very low gun crime; we used to punish it harshly."
I didn't notice that back in my time in N Ireland. That could have been to do with the fact that both sides had a well organised gun-running operation which got round the restrictions in supply.
"Don't forget it's also how Peter Sutcliffe (false numberplate) got caught" may be true but since the local crime reporter found, at the time of his arrest, that even his neighbours thought he was the "Ripper" and had repeatedly reported him to the police only to be rejected because he did not have Geordie accent. My point being that good detective work could have caught him much earlier without any reliance on technology which is the answer to all this nonsense about banning encryption.
"It's why, for example, the UK has historically had very low gun crime; we used to punish it harshly."
Punishment to deter crime doesn't work; it has been used for centuries but still hasn't stopped crime. But that's an entirely different kettle of fish.
I'm strongly inclined to believe that the UK's relatively low gun-crime rate has been more due to both cultural differences (the majority of people don't want to live in a society where personal ownership of guns is seen as a necessity to personal safety) and the relatively low numbers of guns in circulation.
>> "For avoidance of doubt, you don't dissuade people who are or are intending to break laws by providing them with more laws to break."
> "Yes you do. It's why, for example, the UK has historically had very low gun crime; we used to punish it harshly. Don't forget it's also how Peter Sutcliffe (false numberplate) got caught and severely restricted Al Capone's activities."
You make a great point backed up with convincing data - the specific examples you give were both outstanding pillars of the community, who might have gone astray were it not for the numerous laws keeping them on the straight and narrow.
Sir Tim needs to assist with finding a way to allow law enforcement authorities to monitor Islamists and child porn purveyors.
First off, I reject the idea that people need to be "monitored." People should be assumed to be innocent unless you have reason to suspect otherwise. And the Government should not be allowed to go fishing for terrorists. But once you reasonably suspect that someone is a kiddie-fiddler or a terrorist, just infiltrate their end-points.
End-to-end encryption only protects the data in transit; once it arrives it's generally saved as plaintext. Surely the Government have RATs (Remote Access Trojan/Toolkit) which they can deploy to paedos and terr'sts' computers, after obtaining the proper warrant, either by social engineering or technical exploits.
We shouldn't allow the NSA to monitor everyone around the world in real-time, but this is a technical problem and a technical solution surely exists.
Knives must be sharp in order to cut things - if you dull a knife so that it won't cut people then it also won't cut bread. So you can't legislate a knife that cuts bread but doesn't cut people because the sharpness of a knife is the defining quality that make it useful.
Weak or backdoor enabled encryption is the same as a dull knife; it just won't cut it.
Saved as plain text? Well thats a pretty poor system. Even on the old MS phones I did encryption for the only time anything was decrypted was at display time. After the display the unencrypted was destroyed. Of course there is a time when it exists decrypted but if you have access to the device (by lookign over someones shoulder or mugging them) then there is not much that can be done
Amber Rudd sent this decisive tweet in response to TBL yesterday:
Showing her "Piers" - Tim Bernard Lee, her technical competence in use of Encryption/Steganography.
Decrypting the message, you can see it reads "YOU CAN SAVE ME".
Your MP may not have a good grasp of the technical issues. So (after watching it yourself to be sure what it is) email your MP this link: https://www.youtube.com/watch?v=VPBH1eW28mo
It's a simple, non-confrontational explanation of why weak crypto/backdoors is a really bad idea from a technical perspective. Most commentards here already understand these things, but their MP may not (especially if your MP is Amber Rudd).
Don't think to yourself that it will never happen. Unless your MP understands why this is such a stupid idea, it WILL happen.
You're right, only a few MPs would vote against their whip.
That leaves Labour and Lib Dems and a few others. Which would only need a few Tories to go against their whips.
But if enough Tories see it and realize it's true, they might have words with Amber behind the scenes. Point out to her what a truly stupid idea she has. Point out all the people who can be told of this video on youtube and realize what a stupid idea it is. Many of them her own constituents.
Still only a small chance of dissuading Rudd. But that's a lot better than doing nothing.
[sarcasm]After all, terrorists didn't exist before the interwebs allowed them to communicate in secret...[/sarcasm].
Most people are born under an astrology sign.
Would you enlighten us what rock you were born under.
Ever heard of the enigma machine the nazi's had?
Some of the best encryption, but the wizards at Bletchley Park [London] broke it
which contributed to the wend of WW2.
Don't remember which war, probably WW2, but the US military enlisted a bunch of native american Indians that spoke a really obscure tongue of one of the normal Indian languages.
They were then 2 end-point of all messages.
It was not broken, and if I remember correct it is still pretty secure.
Don't RTFA.....GRYH(tm) Go Read Your History.
...are literacy and mathematics. We just need to ban those, and stop offering general education in these subjects to the population. Education will be a perk limited to trustworthy, public-minded individuals such as the Royal Family, high Christian clergy, landowners swearing oaths of fealty to the Crown, and persons who have accumulated vast amounts of wealth (since God wouldn't allow an evil man to gain riches).
As a side effect, the population will be easier to control by the nobility and clergy. Due to their ignorance, for their own protection they will not be allowed rights or influence in government.
By taking the stand against literacy and mathematics, the country will enter a new golden age where terrorists can't communicate securely with each other and carry out their nefarious plans to reduce the nations of the free world back to the Muslim Dark Ages.
Just check the continued rants concerning STEM problems, the total absence of critical thinking in the educational curriculum and the rise and multiplication of "reality shows" and "social media" that suck out the collective IQ like leeches.
We're on the right path, nay - the path of righteousness. Amen, brother!
"carry out their nefarious plans to reduce the nations of the free world back to the Muslim Dark Ages."
Ah, yes. The Dark Ages, when Islam did so much to carry the learning of antiquity through to a period when the West could pick it up again. "Algebra" and "algorithm" don't sound a bit like Arabic words by chance nor is it chance that we use Arabic numbers.
It's plain out a fantasy that using weakened encryption... You know what? Lets just to the chase: that giving the government full access to our day to day Internet presence will change much or even helps to stop terrorism.
Because: who's going to monitor all that data? And even if you do manage to monitor all the available data, and perhaps also automatically look for keywords do you really think that those will be used when people know they're being monitored? Do these guys have any idea how easy it is to simply substitute words and phrases so that you're uttering totally harmless things yet with a whole different underlying meaning?
It used to be the number one hobby for some of my friends and me in the 80's (we were 14 - 18) back when we were very busy swapping Commodore 64 games around. Because you also often read stories about copy parties which got raided by the police and all. Of course not realizing that those were parties where people sold cracked software for hard cash whereas we simply copied and swapped whatever we could find.
Even so... We could talk for quite a while on the phone about homework, while in fact we were talking about removing a nasty copyright protection :)
Quite frankly I think Ghost in the Shell - Stand Alone Complex, first season totally nailed this problem of data amounts. At one time they were hot on the trail of the Laughing Man and at even played "Big Brother": relaying and analyzing all the data accessible to them from the Net in order to try and find a trace. As a result several AI's crashed at the result of the sheer amount of data they had to process and it became immediately clear that they could only keep it up for so long....
Even though that was total fantasy of course I still think it does a good job on showing the actual problem with all this.
What makes you think this is about the 4 horsemen of the infocalypse?
"Give me 6 lines from an honest man and I'll find something with which to hang him."
As for scanning that's easy but what Snowden demonstrated was that most of it will just be stored in case it's needed. Hence the Chief Liar of the NSA can say to Con-gress "We don't monitor people" when what he means is it's not monitored until a human listens or reads it.
Like that old action movie scene where the Chief Villain gets some hostage to provide them with some information and says "I won't kill you," then orders their henchman to do it instead.
I seem to remember doing encryption at school at it's most basic level, you know A = 1, B = 2 and so on as well as using book page numbers lines down and letters across as another.
Are we going to stop teaching this in schools in case one of them grows up to be a terrorpeado?
I can't believe these conversations are still being had, first America tries it then some nutter "allegedly" sends a whats app message and our wonderful government is trying it with the backing of the press. Do the press not realise that if it's back doored they won't be keeping any sources secret anymore? Idiots the lot of them.
Has anyone actually considered the full list of things that this will damage if implemented across the board?
Finally, colour me surprised that it's took this long for Trump to go after net neutrality, did anyone seriously think he's against the establishment? Who does net neutrality benefit? The People and not business.
The comments came after it emerged that attacker Khalid Masood had checked WhatsApp – which offers end-to-end encryption – two minutes before ploughing an SUV through pedestrians on Westminster Bridge
If this "terrorist" did use WhatsApp to flag what he was about to do I want to see how the authorities can locate the message, track down the individual and react in time to stop the attack in the two minute window.
Without end-to-end encryption that foreign security agencies and foreign police cannot break:
- The secrets of UK companies will be open to foreign rivals
- The secrets of UK academics will be open to foreign rivals
- The secrets of UK senior and other civil servants outside of the Home Office and MOD will be open to foreign rivals
Without end-to-end encryption that foreign security agencies and foreign police cannot break, no UK company, no UK citizen, no UK resident, no company, citizen or resident of any place in the world can have business, economic, planning, political, policy, or personal secrets from foreign police and foreign security agencies.
Remember that foreign countries similar to our own are our biggest and most serious competitors in business, economic and academic matters.
The USA, Canada, Australia, France, Germany, China, Russia, Sweden and Denmark are all foreign countries whose industry and academics compete with our own.
Look up the definition of Chekist in Wikipedia. A chekist is a person who supports their country's intelligence agencies and police being able to surveil their fellow citizens.
A Chekist regime is a regime like the old USSR and Putin's Russian Federation where members of the security agencies and police know so much about politicians, business people and academics that they legally have total control via superior knowledge and total control illegally by an unlimited ability to blackmail anyone.
Now with the internet intelligence agencies and police will know so much about people, will have so much dirt from what people posted during their student days, that people posted as adults years ago concerning now lost causes,
Sure, members of parliament, Home Office and MOD officials will grant themselves supposed immunity and exclusions from spying. But the spying will have already been done during their college years, during their early working years, during the recreational time.
No laws will be passed, no plans will be laid, no discussions will occur within political parties or within government offices that would make members of the intelligence agencies or the police unhappy.
Like with Chekist Russia, a Chekist UK, the government, industry and academic of a Chekist USA will be run by, and for the benefit of, alumni of our own security services and police.
Roper: So now you'd give the Devil benefit of law!
More: Yes. What would you do? Cut a great road through the law to get after the Devil?
Roper: I'd cut down every law in England to do that!
More: Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat? This country's planted thick with laws from coast to coast– man's laws, not God's– and if you cut them down—and you're just the man to do it—do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake.
- Robert Bolt (“A Man For All Seasons”)
Those responsible for mandating weak security must pay the full costs of their regulations.
If the government demands back doors and those back doors are breached by criminals then the government must pay those hacked the costs incurred because of the hacking.
It stuns me that the Security departments in government do not understand the consequences of their demands.
Biting the hand that feeds IT © 1998–2019