Former GCHQ boss backs end-to-end encryption Former GCHQ director Robert Hannigan has spoken out against building backdoors into end-to-end encryption (e2) schemes as a means to intercept communications by terrorists and other ne'er do wells. UK Home Secretary Amber Rudd has criticised mobile messaging services such as WhatsApp, that offer end-to-end encryption in the …
But he's a former GCHQ boss. Haven't you noticed that people who have retired / no longer depend on approval of others (public or government) suddenly start talking sense. Why even politicians suddenly become seemingly rational once they're no longer subject to party whips and looking good to the electorate. (Well, sometimes).
And whichever option you follow, any terrorist with half a brain will be completely unaffected anyway, as they will use their own end-to-end encryption over whatever public service they want. We used to call them codewords, but nowadays there's no reason they can't be PGP-encrypted short messages converted to a textable alphabet.
The ones you "catch" with laws like this are the ones you could have caught anyway if you were even half-listening.
Lets face it, most (all?) of the recent incidents did not rely on secure encrypted communications. The talking point was the 1st of the bridge nutters who sent a WhatsApp message shortly before, and even that was eventually traced and the recipient has AFAIK no terrorist connections at all.
So really we are mostly looking at a few angry and often not terribly bright people cracking, people who often were already known because folk at the mosque had reported them as trouble makers. So only a moron would put the majority at risk of cybercrime due to the actions of a minority where such a law would have made no difference.
Oops, we voted for them :(
Encryption is overwhelmingly a good thing," Hannigan said. "It keeps us all safe and secure. Throughout the Cold War and up until 15 years ago it was something only governments could do at scale."
It's this that they (politicos) hate. They've been accustomed to a populous that they can spy on. Now they cant, and they don't like it. They, via their agencies, used to have the power to eaves drop at will. Now, normal people who can install software or download an app have the power to stop them. Nothing will scare them more than losing their powers over us.
That was my point exactly: the majority of "us", as in "UK citizens", voted for parties with a strong authoritarian bent and a distinct lack of technical knowledge on both sides of the house.
Some of us might have voted Lib-dem precisely because they don't want the big brother state, but finding others who have a clue is difficult.
That was my point exactly: the majority of "us", as in "UK citizens", voted for parties with a strong authoritarian bent and a distinct lack of technical knowledge on both sides of the house.
That's because the average PITS (Person in the street) thinks "something orter be done". And our elected politicians then know that something has to be done but, like the PITS, is (generally) utterly clueless about what.
So, instead they listen to the senior Civil Service types who, in general, are maximalist control-freaks.
Not in a million years, would I ever vote/voted for someone with the cluelessness/characteristics of Theresa May and Amber Rudderless is an even worse mouthpiece (who seems currently being hidden from view. The Tories seem to be positioning her as some sort of natural successor to May).
If you voted Tory at the last election and work in Tech (especially specialising in Security/Encryption), you must be even more clueless than May/Rudd combined.
Not quite.
If you live in the UK you voted for the party that appointed the current Home Secretary.
You didn't vote for the cabal of senior civil servants, starting with the nest of vermin at the Home Office, who have (and continue to want) to do this.
That group is how 9 Home secretaries in at least 3 different governments spout the same line on this subject.
BTW Hannigan's Degree is "Classics" from Wadham College.
He started learning why backdooring encryption a-very-bad-idea after he took over as head of GCHQ, presumably when someone who does know what this stuff involves sat him down and explained it to him.
"If you live in the UK you voted for the party that appointed the current Home Secretary."
That, sir, is a libel.
There seems to be an odd notion about that because a (possibly slender) majority voted for something or someone then everyone must have done.
It's the same mode of thinking that enables Brexiteers to assume that the whole country voted for their madcap idea. They had a slender majority and it's very doubtful that if the referendum were to be repeated they'd actually achieve any majority at whole and yet they and, it seems, almost all the HoC are acting as if they have the entire country behind them.
"The ones you "catch" with laws like this are the ones you could have caught anyway if you were even half-listening."
I think it's more a case of "the ones you catch like this are only criminals because something that used to be legal is now declared illegal"; actual dangerous people aren't going to be deterred and are unlikely to be caught by this kind of TLA land-grab/security theatre.
There's another downside too. The resources ploughed into breaking encryption, are resources that can't be used for (eg) following up on reports that Dodgy Bob has been going around muttering about 'killing all the infidels', and maybe someone should pop round and check he's not trying to make a bomb out of tin foil and Swan Vestas...
The trouble with breaking encryption, or tapping more lines of communications, is that it just increases the size of the haystack that the security services have to search through.
"I don't advocate building in backdoors," Hannigan said. "It's not a good idea to weaken security for everybody in order to tackle a minority.
Odd, given the events back in 2010. It might be worth noting that whilst he wasn't in charge of GCHQ at the time, Hannigan still held a senior position within the Foreign Office (Director-General of Defence and Intelligence from March onwards that year).
Some people here might also recall that GCHQ were spending their time seven years ago trying to hack the SIM card manufacturer Gemalto and effectively install their own backdoors by attempting to steal the encryption keys.
So much for playing nice with the telcos.
Whenever governments are the standing stagnant problem, why ever would tech and telcos think to help them. Such would be a madness confirmed and proven in supposed and presumed to be intelligent bodies.
"I don't advocate building in backdoors," Hannigan said. "It's not a good idea to weaken security for everybody in order to tackle a minority.The best solution is to "target the people who are abusing" encryption systems and go after the smartphone or laptops they are using.
Hmmm. What a very odd thing to say about simply complex tools. Target the abusers, not their systems of administration, for such is what always permits the guilty of politically incorrect and inept elite classless crime to wander and wonder free in a cloud of contrived corrupt immunity. And that is a major problem and present currency for resolution and revolutionary change, methinks.
"Whenever governments are the standing stagnant problem, why ever would tech and telcos think to help them."
Sadly AMFM, Although the time seems to approach, I've not seen sufficient torches or pitchforks about for the stock market denizens to start separating themselves from the politicians. In fact that effort may be impossible since the line betwixt the groups is far too blurred of late.
" Target the abusers, not their systems of administration, for such is what always permits the guilty of politically incorrect and inept elite classless crime to wander and wonder free in a cloud of contrived corrupt immunity."
Looking at the way things unfold today in Africa is a lesson on this front. Accumulate enough liquid capital, and lubricate your way to invisibility ..... Sadly corruption is the dandelion of political farming.
And for the record sir, your translation devices are becoming much better tuned.
I don't want to smear Hannigan as being particularly political, so I do have my tongue somewhat in cheek when I point out how curious it is that we seem to hear common-sense, unvarnished truthfulness only from *retired* admirals, generals, civil servants and government advisors. The ones still in the job act as if their families would be murdered in their beds if they simply spoke honestly.
I cut Hannigan some slack, though (as if he could care less) because he is a thoughtful fellow, smarter by far than any of the political weasels he had to deal with. Perhaps, like his predecessor—another exceptionally sharp chap, Iain Lobban—he'll take some of his hard-won and above all *reality-based* experience and knowledge into the world and make good use of it there. Getting the imbeciles in Westminster to understand the basics of encryption and why they simply cannot have their bloody stupid backdoors would be worthwhile ... as the man said: you just cannot uninvent things.
The ones still in the job act as if their families would be murdered in their beds if they simply spoke honestly.
Anybody in the civil service is (by the civil service rules) required to be strictly impartial on political issues. If they pointed out that politicians are either clueless or lying gits then they'd be fired quite quickly.
She very nearly was forced to listen to the good people of Hastings : a couple of hundred votes shy of having her arse handed to her on a plate. Humiliating for a holder of one of the great offices of state. Amazed she has the brass neck to carry on spouting shite. When the current 'propped up by fundamentalists' mess collapses, she's outta here....
Indeed. Both her and the Labour candidate had impressive turnouts.
However there seems to be a view forming that when Mrs May is allowed to walk away her successor will be from the 2010 intake of new MP's, untainted by the decades of feuding (and back stabbing on the part of a certain M. Gove Esq) of the previous generation. they of course will then blame any failures on Brexit delivery on her.
So you can bet Ms Rudd fancies her chances to be the next "First among equals"
Her Wikipedia photo shows she has the requisite fanatical gleam senior civil servants in the Home Office love in their Ministers. Time will tell if this is the gleam of Messianic fervor, or the mind numbing fear that she's hopelessly out of her depth talking about any of her brief, without the natural arrogance of ignorance that a public school education usually imparts.
I heard the interview. It was striking - the interviewer understood the issues for a change. Hannigan was honest about the problem and its complexity. And basically he said what we've known for ages - it's not the data. It's the metadata which matters: who's connecting to whom.
When crypto can reliably hide your end points, things will start getting interesting again…
Howdy, Duncan Macdonald,
And when is a secret no longer a secret? Whenever it is a general knowledge being freely shared in proactive reactionary circles? Such is then a virtually explosive inconvenient truth and unfortunate unfolding reality for the Few in Command and Control Central who be practically reliant upon mass ignorance to terrorise subjects and nations and wield punitive power with vitriol and wicked words painting nightmare worlds in and for assisting compliant and complicit media operating machines to present as normal and natural derivatives in a hedged future portfolio of their choosing.
Change the putrid input, deliver novel output. New tales and trails to follow will easily remove and destroy corrupt drivers, and that is great abiding fear that haunts all perverse and exclusive secretive executive and/or secret executing systems of maladministration.
And nowadays do such flash systems swim against a constant crashing series of tsunami tides?
Yes …. they do. Oh dear, what a great crying shame blame game has the grand media hosted reality play become?
Where has all the Super Vision gone?
What Novel Bigger Pictures Shows and Great Games Plays does El Reg have Inhouse Secret Secured Store to share? Or is IT truly a case of most everyone simply waiting on, and in some cases even waiting upon the Adventure and Arrival of …. well, just for now, let us imagine and name such a Utility Facility and Public Service and Private Pirate Operation …… AI Special Deliveries.
Al-Qaeda learned pretty quickly how to get off the grid and in the end Bin Laden was only caught when the relevant people in the Pakistani military decided to stop hiding him. And Four Lions highlighted how quickly current "best practices" filter down to even the biggest idiots.
Blanket surveillance of the population is at best a money pit and at worst an accident waiting to happen: all that data will have value to someone whether they're in the government or not.
But I have a feeling that, since the deal with the DUP, the security forces may soon find that they're facing a very different and better organised threat.
I'm off to put on my scrambler suit…
It's easier to get off the grid when you live in the sticks (I wouldn't call Afghanistan or Pakistan examplars of modern technology), but what about modern Western society for which the Internet and other forms of electrical communication are increasingly essential?
but what about modern Western society for which the Internet and other forms of electrical communication are increasingly essential?
Think about this for a minute. The above shows how embedded you are in "tech".
It's easier to get off the grid when you live in the sticks (I wouldn't call Afghanistan or Pakistan examplars of modern technology),
You answer your question in your opening statement. Those folks are used to being off the grid, so to speak and probably wouldn't use hi-tech anyway since it's foreign to them. Sometimes, this is one of them, old methods are better than new methods.
The thing is, that kind of communication still requires establishing a code, which means meeting up at some point to establish that code (meaning it's possible to mole), plus it's a lot harder to communicate minutiae in a public medium in a non-obvious way. I mean, what do you do when the message you have to convey is, "Normal window being observed. Switch to two buildings east, 4th floor, 2nd window from the left, and check again in three days." or "Target has had change of plans. Reschedule for one month later, at <insert new location>."?
" I mean, what do you do when the message you have to convey is, "Normal window being observed. Switch to two buildings east, 4th floor, 2nd window from the left, and check again in three days." or "Target has had change of plans. Reschedule for one month later, at <insert new location>."?"
I think this problem was solved with the help of the BBC back in the 1940s - unless the Germans knew which was the normal window being referred to, or, for the second message the location was coded, what you're left with is a couple of strange but meaningless messages broadcast to millions but only making sense to one or two - and you don't even know which members of the population at large might have heard it.
Yes, but what if your opposition is LOOKING for strange messages on the assumption they're up to no good? IOW, you not only have to hide the contents of the message but also the fact you're sending a clandestine message. There are only so many ways you can mangle the language in a public medium (and it's difficult to use extensive steganography, especially for a detailed message in a medium not under your control) before people start wondering. At least in WW2 there were codes being sent everywhere, including from overt official sources. Not as easy in a covert campaign.
Currently they would hack in to a phone using any one of numerous vulnerabilities, and from there install whatever "back door" was needed. Generally this is a good approach, as in the least-worst for all of us, as it has to be targeted to the device in question (hardware / software version, etc) and is not universally available to anyone as a deliberate back door feature would be. Also widespread (mis)use would tend to show up and things would get patched*.
Down side to us is the then hoard vulnerabilities like "Eternal blue" etc that ended up in the NHS being screwed over, etc.
[*] - yes stop laughing and the majority of Android users like myself who get bugger-all patches even when bugs are publicly disclosed and in use.
[*] - yes stop laughing and the majority of Android users like myself who get bugger-all patches even when bugs are publicly disclosed and in use.
The paranoid in me asks: Can you be sure that a) there are no "secret" patches? and b) that the patches disclosed actually are clean of any hidden code?
tl;dr Phone pwning the best current option but it moves where the backdoor is, not that it matters as the government and GHCQ are after blank surveillance.
The UK government and spy agencies want automated blanket surveillance of all UK individuals as their end goal, not just potential terrorists that are used as their reason to sway public opinion. They will ignore any advice such as from this ex-agency guy as it does not fit their end goal.
We know all the recent terrorists were reported to police and authorities about their radicalisation and worry that they might do something. Encryption is not the problem for failing to act on those public tipsters.
The big agencies have tried to get backdoors in US and other countries products using 'do it for your country' and when that has failed they have tried huge bribes, along with hacking the companies and trying to insert their own bad code to take advantage off. It's just harder for them to commit changes unnoticed now. Their ideal situation is implementing an implementation or mathematical backdoor that allows decryption easily,quickly and with minimal cpu cost but would be next to impossible to find by security researchers. I have no doubt that a few of these are in play anyway.
The gentleman's point about going for the end phone has always been the best option over blanket surveillance. Targeted rather than being lost among all the information in a needle in haystack scenario. This still relies on their being vulnerabilities and backdoors in phones and the telco system that are not patched so they can keep using the vulnerability. So ultimately a backdoor anyway and no doubt these agencies are pushing for weaknesses in newer implementations of LTE5 so they can keep using the same cell network protocol tricks they use now.
So the endpoints are better than backdoors in encryption, but you have just moved the place where the backdoor is. I would like secure encrypted chat AND a secure smart phone. The phone hardware has it's own backdoors/exploits (hi US company Qualcomm) that have issues before we even get to the buggy software on the phone, that doesn't need NSA/GCHQ weakening as for example the Android Media Framework will keep giving fresh exploits in the way we have seen for flash on desktops.
Sure target terrorists but somehow find a way to do it where I can keep a secure phone too.
/Big Rant
The best solution is to "target the people who are abusing" encryption systems and go after the smartphone or laptops they are using.
This sounds great, someone talking sense on encryption. But wait a second, to actually put that in to practice don't we need to have hoarded a loaded of smartphone and laptop vulnerabilities? That means we either need to hide them from the OS makers or (even worse) lean on them not to fix. That doesn't sound like a much better solution to me.
It's a nice for a change to have somebody who was indisputably in the know say the actual sane truth about the whole encryption thing.
I would not be surprised if the actual intelligence agencies know from top to bottom the politicians are idiots and their plans are stupid, but they don't mind the politicians beating the drums about it, just so long as there is seen to be a struggle back and forth and then the tech utopians win the day and everybody feels safe and private & secure. Meanwhile the state funded intelligence agencies have endless ways to get what they want & enjoy people feeling so secure with their encryption apps that they let their guards down.
Undoubtedly bodies such as GCHQ know what May & Rudd want, i.e. the govt only back door, is nonsense. They also know that they're not going to be any better off with a bigger haystack. And they probably realise the drastic consequences of the politicians' shopping list of entitled agencies getting their hands on surveillance. But they also know that any words of wisdom from themselves will fall/have frequently fallen on deaf ears and their conditions of service prevent them going public.
What I'd really like is someone who's sufficiently lost their rag to retire and go public to the extent of saying "I've told these idiots time after time but they're just too stupid to understand.".
However, there is also the simpler possibility that they know this wont stop "bad guys" but they can use it to dissuade law-abiding people from using encryption. That allows them to more easily sweep for those that do and hone in on them. It's not being able to hack encrypted emails they want so much as ensuring that most emails aren't encrypted.
"they can use it to dissuade law-abiding people from using encryption"
Not when the law-abiding people realise that this is their banking apps and online trading accounts that are affected. Nor the businesses that use VPNs to enable secure access to the office network for out-of-office workers.
Everyday business over the internet runs on encryption. Can you imagine the shit-storm that will break when it's discovered that the local dog-warden has access to his neighbours' bank accounts and that the govt has legislated to make that possible?
> The Americans tried that in the 1990s under the Clinton Administration and it didn't work.
It didn't work? If only that were the end of it. You know a pretty substantial portion of the crypto attacks over the past couple of years are a direct consequence of those export ciphers. Now 20 years later, attackers were using the fallback mechanisms to get our systems to use the very weak ciphers that every man and their dog can crack with next to no expense.
As world hero Edward Snowden explained GCHQ and NSA have the wherewithal to re-arrange the furniture in a typical smartphone, which is why I treasure my Mitsubishi Trium featureless cell handset, means that any plain voice or data can be intercepted and redirected.
Really, really, secure systems I have seen/used separate the encryption devices from the communications devices so that no raw information ever enters the communications device which renders all the prowess of GCHQ and NSA some what mute.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
