[Nottingham] Back doors in encryption

[Denny]

I'll respond in-line as Matthew has although it will make it a bit
harder to read.  Matthew, I've been a bit brutal but it wasn't aimed at
you.  It's good for us individually and collectively to have this sort
of discussion and I want to be clear that I value your contribution.

Denny

On 05/11/15 12:27, Matthew Sackman wrote:
> On Thu, Nov 05, 2015 at 12:12:41PM +0000, Denny wrote:
>> This is less an attack against encryption
>> and more an attack against the PKI, after all, how does one attack
>> mathematics?
> I get the impression many politicians think that "safely backdoorable"
> crypto is possible if only the mathematicians would knuckle down and get
> on with it.
Politicians aren't qualified to think this but are entitled to wish it. 
This is firmly in the hands of mathematicians and computer scientists,
some of which may be in the employ of governments but many of which are
open source contributors. 
>
>> I struggle to understand why, in a world where we still depend on
>> ineffective password management without 2FA, this is such a big deal. 
>> There are so many other IT security issues "in the wild" that have
>> little or nothing to do with encryption that are in my opinion much
>> higher priority.  We are being lead to believe that if we put a security
>> door on a greenhouse the security will be improved.  I suspect that
>> self-serving popular media has created a tempest in a teacup, a vector
>> for further weakening our confidence in elected officials and Western
>> governments.
> Money. It costs money to keep GCHQ employees up to speed with how to
> break all the various bits of software they need to break in order to
> "do their jobs". After all, we have an annoying tendency of fixing flaws
> when we find them. It would be much easier for GCHQ if they could just
> tap all the cables and be able to decrypt everything they can capture
> without having to go to the expense of breaking in.
The government doesn't get much sympathy on this point.  With over 20
years of constantly maintaining and improving my IT skills and knowing
that failing to do so will cause me to become uncompetitive in the
marketplace, I think we deserve government that demonstrates a similar
level of commitment.
>
>> I'm no jurist so I'm unqualified to evaluate or even understand this
>> draft bill.  From what little I've read on the subject, it appears to be
>> more of an update or reassertion of current legislation.  If that is the
>> case then this isn't a seismic change but a evolutionary process.  I'd
>> be much more concerned if there were inadequate checks and balances in
>> the process uncovered.  Personally, I think that occasionally,
>> parliament and congress table bills such as this to test public opinion,
>> with the intent to calibrate strategic policy.  I'm not sure how I feel
>> about this practice if it is indeed the case.
> I don't know if you've seen Spectre yet, but there's one moment in it
> when M realises that if they can use a certain piece of technology to
> track Bond, then so can others. Jenkins expands on this point today -
> http://www.theguardian.com/commentisfree/2015/nov/04/surveillance-bill-state-security-snoopers-charter
> - which largely matches your point too:
>
> "Not a week passes without news of some supposedly secure data store
> breaking down. NHS patient data leaked, police crime data leaked,
> TalkTalk, British Gas and Marks & Spencer customer details all leaked.
> Adultery agencies are hacked. Communications between lawyers and clients
> are hacked. In 2009, defence ministry vetting details of RAF officers
> were leaked. The police have reportedly hacked into journalists’ sources
> 600 times. If the government can hack citizens’ records, citizens can
> hack them too, and hack what is hacked. E-government is not security but
> anarchy."
The reviews of Spectre haven't been favourable so I'll probably wait
until it's on broadcast television or at least until it's available for
streaming.  At any rate, I don't think this is a encryption issue as
much as a general IT security issue and your quote from The Guardian
reinforces this position.  These were largely either non-encryption hack
attacks or leaks, examples of inappropriate levels of IT security.

The quoted text appears to be logically disjointed.  First they list a
number of publicised breaches then discuss events where authorities have
performed questionable activities, perhaps demonstrating an ineffective
or nascent oversight process.  It goes on to what is effectively a "call
to arms", suggesting that since the government made this ham fisted
blunder, it's legitimate to do so against the government.  I think this
is an ill advised and dangerous statement.  I choose to think that what
was meant is that citizens _could_ hack them too... changing the meaning
into a statement of vulnerability.  Finally, this quote presumes to
offer a conclusion which for those that are incapable of independent
thought may be useful but for those that are so capable may find
insulting.  I don't read The Guardian but if this is an example of their
standards I'd rather quote The Onion.
>
> Backdoorable crypto is just going to make this much easier.
...to perform intercepts against targets that wilfully comply.  This is
actually rather clever.  If there is even a rumour that legitimate
traffic is able to be compromised, it may be possible to create a
signature that distinguishes between such traffic and more nefarious
traffic that is purposefully avoiding such an intercept, effectively
filtering high value intercepts.  I'll have to think about this for awhile.
>
> Matthew
>
> _______________________________________________
> Nottingham mailing list
> Nottingham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/nottingham

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/nottingham/attachments/20151105/190bb9cb/attachment-0001.html>