[Nottingham] Back doors in encryption

david at gbenet.com david at gbenet.com
Fri Nov 6 00:52:48 UTC 2015


Matthew Sackman:
> On Thu, Nov 05, 2015 at 01:39:16PM +0000, Denny wrote:
>>> I get the impression many politicians think that "safely backdoorable"
>>> crypto is possible if only the mathematicians would knuckle down and get
>>> on with it.
>> Politicians aren't qualified to think this but are entitled to wish it. 
>> This is firmly in the hands of mathematicians and computer scientists,
>> some of which may be in the employ of governments but many of which are
>> open source contributors. 
> 
> Right, but I don't see why that matters - maybe I'm missing something?
> If it's backdoorable then that backdoor will be abused. This is not
> about maths, it's about human nature and that power always will corrupt.
> If it is known a backdoor exists, then others will find it - it's just a
> matter of time.
> 
> On a related issue, the fact the NSA/CIA have a week ago suddenly pulled
> all their advice to use EC crypto is deeply concerning; they've probably
> not found a backdoor, but they've probably developed some new
> cryptanalysis that renders it cheap to break.
> 
>> The government doesn't get much sympathy on this point.  With over 20
>> years of constantly maintaining and improving my IT skills and knowing
>> that failing to do so will cause me to become uncompetitive in the
>> marketplace, I think we deserve government that demonstrates a similar
>> level of commitment.
> 
> Right, but the government is cutting spending pretty much everywhere. So
> if they can reduce costs in GCHQ then they will. If one way to do that
> is to legislate to make their job require fewer people then so be it.
> 
> GCHQ is no doubt saying words to the effect of "because of increasing
> online activity and increasing crypto, in order to maintain current
> confidence in being able to identify threats, we need to employ more
> people, at such and such cost". What no one wants is to have a public
> discussion as to what is an acceptable mean time between atrocity? How
> many lives of UK citizens is it acceptable to lose each year to
> terrorism? How much damage to infrastructure is expected? Because we all
> know there is no such thing as perfect security - from time to time
> something will get through the net, and I think everyone basically
> accepts that. But there will be a very wide gulf in what people think is
> acceptable.
> 
>>> "Not a week passes without news of some supposedly secure data store
>>> breaking down. NHS patient data leaked, police crime data leaked,
>>> TalkTalk, British Gas and Marks & Spencer customer details all leaked.
>>> Adultery agencies are hacked. Communications between lawyers and clients
>>> are hacked. In 2009, defence ministry vetting details of RAF officers
>>> were leaked. The police have reportedly hacked into journalists’ sources
>>> 600 times. If the government can hack citizens’ records, citizens can
>>> hack them too, and hack what is hacked. E-government is not security but
>>> anarchy."
> [some snipping]
>> The quoted text appears to be logically disjointed.  First they list a
>> number of publicised breaches then discuss events where authorities have
>> performed questionable activities, perhaps demonstrating an ineffective
>> or nascent oversight process.  It goes on to what is effectively a "call
>> to arms", suggesting that since the government made this ham fisted
>> blunder, it's legitimate to do so against the government.  I think this
>> is an ill advised and dangerous statement.  I choose to think that what
>> was meant is that citizens _could_ hack them too... changing the meaning
>> into a statement of vulnerability.  Finally, this quote presumes to
>> offer a conclusion which for those that are incapable of independent
>> thought may be useful but for those that are so capable may find
>> insulting.  I don't read The Guardian but if this is an example of their
>> standards I'd rather quote The Onion.
> 
> Apologies, I should have been much clearer about what I was linking to
> and quoting, and why. That is a comment piece by Simon Jenkins.
> https://en.wikipedia.org/wiki/Simon_Jenkins gives some background, but I
> link to that only to suggest that Simon is very much not a "bleeding
> liberal". Indeed his response to the Cecil the Lion shooting thing was
> to suggest that if there is a market for shooting big animals then big
> animals should be bred and numbers maintained to allow such a market to
> both thrive and help increase numbers of such animals. We, after all, do
> not get upset when a herd of cows get killed. Anyway, all that's pretty
> irrelevant here.
> 
> He is very much not a technologist, and I'm also not suggesting that
> only "bleeding liberals" talk out their behinds. My interpretation is
> that he is pointing out that, as you have, there are plenty of ways in
> which information gets hacked (by breaking through faulty software) or
> leaked (by someone inside). Now he certainly doesn't seem to distinguish
> between the two, but I think that's just saying that if someone wants to
> get some dataset released, it's going to happen one way or another. All
> backdoorable crypto is going to do is to give another path by which this
> can happen.
> 
>>> Backdoorable crypto is just going to make this much easier.
>> ...to perform intercepts against targets that wilfully comply.
> 
> I'm not sure I see how that condition applies. There are various types
> of software which if you want to write and sell, you have to have
> permission to do so from the government. I have heard stories from
> people who have built such bits of software (VoIP with crypto
> specifically) that basically the man from the government turns up and
> walks off with all your private keys and you're never allowed to tell
> anyone about it. Imagine that sort of control now extended to, pretty
> much everyone, and if you are caught using a certificate for which GCHQ
> does not have the private key, that's a criminal offense. Sure, that
> doesn't mean DH is banned, but if you're not using certs then DH offers
> no protection from transparent MITM.
> 
>> This is
>> actually rather clever.  If there is even a rumour that legitimate
>> traffic is able to be compromised, it may be possible to create a
>> signature that distinguishes between such traffic and more nefarious
>> traffic that is purposefully avoiding such an intercept, effectively
>> filtering high value intercepts.
> 
> Again, I can only assume I'm missing something. If they have either your
> private key, or the means to derive your private key, then they can read
> it all and you'll never know.
> 
> Matthew

GCHQ Bude has access to and reads everything - including this mailing list. They have been
doing it since the 80's

The problem is as they see it - is that very very slowly more people are encrypting their
emails - and they are spending an awful lot of money trying their very best to de-crypt
them. I dare say without any success.

To the question - do Muslim extremists use public key encryption - the answer is we have no
idea. They read FB Twitter and every email sent - all are open text apart from those
encrypted - they have all your open txts all your live conversations are scanned all that's
changed is the volume of data and that is dealt with by more powerful computers.

The question is does gpg have a back door? Well no! Can you have a back door to read all
encrypted emails? I think not - for all encrypted emails are unique a "one off." Without
your private key and passphrase they are completely buggered.

Governments around the world like to know everything - it's the nature of power. Those in
the intelligence services have a dilemma - they are paid to spy on us 24 hours 365 days a
year - 99.9999 per cent of that spied on traffic is completely harmless. But they have a
worry "what if" Muslim extremists moved over to encryption?

Currently they can read everything that Muslims put out over public media - which is
completely open and easy to read - they have a man-power problem - in the 70's they employed
about 7,500 people - I suspect they must employ 20,000 or more now. Software can only create
"flags" but you need a lot of man eyes and brains to follow up those flags. It's an everyday
problem for them. Encrypted emails are a very very small traffic - but growing - 2 or 3
committed terrorists using gpg would give them a real serious head ache.

So far my guess is this has not happened yet. When it does - will there be a ban on
cryptology? A demand for all our passphrases and private keys? We can always make new ones :)

David




“See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No
delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com
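
The remark quoted above, that DH without certificates offers no protection from a transparent MITM, can be seen in a small model. This is an added example, not code from any poster in the thread; the group parameters, function names and the fingerprint check are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption): real deployments use standardised
# groups or elliptic curves, not this small prime.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()

def fingerprint(initiator_pub, responder_pub):
    # Hash of the public values one endpoint saw. A certificate
    # signature or an out-of-band comparison would cover this value.
    data = initiator_pub.to_bytes(16, "big") + responder_pub.to_bytes(16, "big")
    return hashlib.sha256(data).hexdigest()[:16]

def exchange(interceptor=False):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_alice, seen_by_bob = b_pub, a_pub
    interceptor_keys = None
    if interceptor:
        # The party in the middle substitutes its own public value
        # in both directions and completes one exchange with each side.
        m_priv, m_pub = keypair()
        seen_by_alice = seen_by_bob = m_pub
        interceptor_keys = (shared_key(m_priv, a_pub),
                            shared_key(m_priv, b_pub))
    return {
        "alice_key": shared_key(a_priv, seen_by_alice),
        "bob_key": shared_key(b_priv, seen_by_bob),
        "interceptor_keys": interceptor_keys,
        # Each side's view of the handshake. These match only when
        # nobody replaced the public values in transit.
        "alice_fp": fingerprint(a_pub, seen_by_alice),
        "bob_fp": fingerprint(seen_by_bob, b_pub),
    }
```

Both endpoints finish the exchange with a working key either way; only comparing the fingerprints over an authenticated channel shows that the two sides saw different public values.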
