No.

Maybe if the British Government spent more time focusing on actual crime instead of online thought crime we would trust them more
People have had criminal charges and official Police warnings for jokes and saying non-PC things like ‘transgenderism is a mental illness and shouldn’t be promoted in schools’

Yet Islamic child rape gangs responsible for hundreds of thousands of child rapes brushed under the rug.

I have absolutely zero faith in the British intelligence and justice system, putting more trust in them is absolutely out of the question.
I really hope the new conservative government can start fixing some of this mess but I have my doubts.

This is the same MI5 that murdered Dr David Kelly, the UK’s chief weapons inspector before the Iraq War. They already have one of the most extreme and pervasive intelligence gathering systems on Earth, they don’t need more power.


English law does not apply to the whole UK
 
No. If a back door exists, it will be abused by the government.
...and discovered by those wanting personal and financial information for fraud and theft.
Unfortunately it seems like it's only a matter of time until laws are passed to enable backdoors by ignorant lawmakers. I am not sure if they are unknowledgeable about how this works (likely) or just want to continue the trend of unregulated spying (even more likely).

I hope somehow this can be prevented, but IMO it's coming one day.
It won't work as apps will be developed to work around it and those will utilize encryption.
 
Can you provide end-to-end encryption but on an exceptional basis ... provide access

At least he’s asking a question with a simple technical answer: no. A weakness once imposed is always there, as Apple and others have pointed out many times.
Why is England so he11-bent on becoming "1984"?
The head of MI5 doesn’t speak for England!
 
I've said it before, but this simply shows how clueless our gov'ts are, even the top tier spy agencies. The most powerful encryption software on the planet is public, open-source code. As such, the tech companies cannot, in and of themselves, do what they are being asked to do. They can't, because even if they gave them a backdoor, the "bad guys" would just download "Signal" or similar, and voila! a totally untraceable, bulletproof messaging app that the gov't can't touch. I can assure you that all the code necessary to build state-of-the-art encryption apps is squirreled away in a million different private archives around the world. The gov't would be a lot further ahead if they saved their energy, trying to get these backdoors, and focused on all the other tech they now have at their disposal to carry out their investigations. Basically, they're whining 'cause it ain't as easy as it *could* be (but never will be). Just their handwaving on these backdoor proposals has likely started the underworld's migration to DIY encryption apps.
 
lol - you’ve got a very short memory if you think only the UK intelligence services have requested this... And if you’re American then... Pot, meet kettle.
 
What has that got to do with anything?
You write about the “British” government and “British” problems. These are English problems and do not have any effect on the rest of the UK. The English police turning a blind eye to crime in their country does not mean the rest of us are blind.
 
Didn't that building get destroyed in the last Bond movie?

That was MI6, and in the movie before the last one, "Skyfall." In the movie you are talking about, "SPECTRE", that MI6 building does get destroyed even more by Ernst Stavro Blofeld and his helicopter/mass demolition explosion.

Sorry, just had to joke around a little bit with you...bring a little levity to this thread.

Looking forward to the new Bond movie "No Time To Die!"

:apple:
 
As a programmer I'm firmly in the camp of "no encryption backdoors or you defeat the purpose of encryption."

BUT, I'm pondering this. Using the concept of a wiretap order as a foundation, let's hear a comment or two on this hypothetical.

In order to get a wiretap, authorities must prove to a judge that they have justification for tapping my phone. This does not provide them access to my call history, but they can now listen to my calls. Phone companies assist with this. This effectively turns the phone company into an almost undetectable MitM.

An equivalent: if they believe there are suspicious communications happening, with a "data tap order" (or whatever we want to call it) from a judge after authorities provide reasonable justification, they can start sniffing my data. This does not provide access to my historical data, just new data. This means that Apple would have to build in an internal switch to break E2E at their data centers for these orders, much like phone companies have, and basically make themselves an almost undetectable MitM.

The encryption algos can stay intact and trustworthy. The business entity in the middle is now what flexes, and if you don't like the fact that the authorities can get a "data tap order", don't use the service. Thoughts?
 
Try telling that to the parents of the 22, mostly children, who were blown to bits at a pop concert where I work (Manchester, UK). The guy who did it used apps that helped screen his privacy in order to find out how to build a bomb and communicate with people in his terrorist network.

I am happy for MI5 to access my details online and my electronic devices. Once they know I am essentially boring and pose no threat they won't waste their time examining what I do - but it might stop atrocities like the Arena bombing from happening.

Unfortunately a back door just means that criminals will find a different way.
Someone can spin up a WhatsApp replacement or use RSA public key/private key.
RSA can be implemented in a single page of Python code.
If I use RSA 2048 or 4096 in email, they won't crack it in a reasonable amount of time.
If you use a server somewhere that supports IMAP, you can use a drafts folder and never actually send an email.
Criminals will find a workaround.
I just came up with two and didn't even need to think about it.
According to an article at ExtremeTech, a 4096 bit key was broken through a 'side attack' by one of the inventors of the RSA encryption scheme. One wonders if the information would still be usable after it's unencrypted/broken, but *shrug*

The secrecy/strength of the encryption is based on the sophistication of the random number generator used.

That side attack uses acoustic analysis and you need to know who you are targeting beforehand.
They also need to be stationary enough for you to do the analysis and also need to be doing encryption and decryption so you can grab the acoustic data to analyze. This method has limited effectiveness so no, RSA isn't really cracked in the traditional method.
 
If you ask for this sort of access, you should be willing to create a web site that is a feed of every single private communication you send and receive. If you don't think other people are entitled to privacy, you are not either.
 
Disregarding any statements for or against such a measure, would it be possible to create a four-keyed system where the customer has two keys, Apple has one key, and the government has one key, and any two keys together will unlock an account to view the contents? It wouldn't be a back door, but a more complicated lock for the front door.

Diving back into the politics of it all, the big problem I see with such an approach is that nowadays most governments around the world could be considered bad actors. Perhaps, at least in democratic societies, accessing such a key would require judicial oversight as well as notification after such a breach has occurred. This could limit a government from just scooping up tons of data it doesn't need and limit abuse.

However, in this particular case they're tracking terrorists abroad. How would one begin to access their secure communications? Encryption already exists. Pandora's box is open. Are they assuming that these terrorists are going to follow the law and only use lawful encryption services that have multi-keyed entry? Because that is laughable, and IMO is the biggest argument against such a measure, which will only further dehumanize law-abiding citizens by stripping them of their privacy.

There are zero scenarios where this works. In every one I can think of, the criminals/terrorists keep their secure communications and everyone else is spied on. Please let me know if you've come up with some way to make this work because I'd love to hear it.
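
The "any two of four keys" lock asked about above can be built with Shamir secret sharing, a technique the thread does not name; this is an added example, not part of any post, and the holder labels, `split`, `combine` and `pairs_that_unlock` are hypothetical names.

```python
import secrets
from itertools import combinations

# Field modulus: 2**127 - 1 is a Mersenne prime; the secret must be below it.
PRIME = 2**127 - 1
# Hypothetical holder labels matching the post: two customer keys, one each
# for the provider and the government.
HOLDERS = ["customer_1", "customer_2", "provider", "government"]

def split(secret, holders=HOLDERS, threshold=2):
    """Give each holder one share; any `threshold` shares rebuild the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x, name in enumerate(holders, start=1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares[name] = (x, y)
    return shares

def combine(points):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def pairs_that_unlock(shares, secret):
    """Every two-holder combination whose shares reconstruct the secret."""
    return [pair for pair in combinations(shares, 2)
            if combine([shares[h] for h in pair]) == secret]

if __name__ == "__main__":
    account_key = secrets.randbits(120)     # constructed sample key
    shares = split(account_key)
    for pair in pairs_that_unlock(shares, account_key):
        print(pair)
```

All six pairs reconstruct the key, including the provider and government pair with no customer share involved.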
 
Disregarding any statements for or against such a measure, would it be possible to create a four-keyed system where the customer has two keys, Apple has one key, and the government has one key, and any two keys together will unlock an account to view the contents? It wouldn't be a back door, but a more complicated lock for the front door.

Diving back into the politics of it all, the big problem I see with such an approach is that nowadays most governments around the world could be considered bad actors. Perhaps, at least in democratic societies, accessing such a key would require judicial oversight as well as notification after such a breach has occurred. This could limit a government from just scooping up tons of data it doesn't need and limit abuse.

However, in this particular case they're tracking terrorists abroad. How would one begin to access their secure communications? Encryption already exists. Pandora's box is open. Are they assuming that these terrorists are going to follow the law and only use lawful encryption services that have multi-keyed entry? Because that is laughable, and IMO is the biggest argument against such a measure, which will only further dehumanize law-abiding citizens by stripping them of their privacy.

There are zero scenarios where this works. In every one I can think of, the criminals/terrorists keep their secure communications and everyone else is spied on. Please let me know if you've come up with some way to make this work because I'd love to hear it.
Suppose MI5 agrees with you on the substance.
Then, how would you understand their statement?
And if those guys do not, how would you rate them?
 
What is needed is UNBREAKABLE OPEN SOURCE CRYPTOGRAPHY that is easy to understand and use and FREE.

If it is open source and published no one can ban it. It will be copied to a million places and widely used.
 
Disregarding any statements for or against such a measure, would it be possible to create a four-keyed system where the customer has two keys, Apple has one key, and the government has one key, and any two keys together will unlock an account to view the contents? It wouldn't be a back door, but a more complicated lock for the front door.

Diving back into the politics of it all, the big problem I see with such an approach is that nowadays most governments around the world could be considered bad actors. Perhaps, at least in democratic societies, accessing such a key would require judicial oversight as well as notification after such a breach has occurred. This could limit a government from just scooping up tons of data it doesn't need and limit abuse.

However, in this particular case they're tracking terrorists abroad. How would one begin to access their secure communications? Encryption already exists. Pandora's box is open. Are they assuming that these terrorists are going to follow the law and only use lawful encryption services that have multi-keyed entry? Because that is laughable, and IMO is the biggest argument against such a measure, which will only further dehumanize law-abiding citizens by stripping them of their privacy.

There are zero scenarios where this works. In every one I can think of, the criminals/terrorists keep their secure communications and everyone else is spied on. Please let me know if you've come up with some way to make this work because I'd love to hear it.

There is no way it works.
What is needed is UNBREAKABLE OPEN SOURCE CRYPTOGRAPHY that is easy to understand and use and FREE.

If it is open source and published no one can ban it. It will be copied to a million places and widely used.

There is something that you are describing: it's called AES and RSA.
AES256 or 4096 RSA can be implemented very easily.
They both are essentially uncrackable.
There are no known collisions in either that compromise them.
Brute force is the only method to get at the data.
Right now a brute force attack on AES256 or RSA4096 is useless.
Even if you had all the computers in the world at your disposal, it would still take a million years to brute force into a locked device or file.

Removing those as possibilities in an iPhone or AndroidOS just means someone will implement the code in an app. If Apple bans the app, then criminals will only use Android. You can side load apps on all Android devices that I know of using ADB.

The djinn or genie is out of the bottle. You can't put it back.
 
You write about the “British” government and “British” problems. These are English problems and do not have any effect on the rest of the UK. The English police turning a blind eye to crime in their country does not mean the rest of us are blind.

Scottish Police did the exact same thing.

Also the British Government is wholly responsible for the Intelligence Services of the United Kingdom, MI5, MI6 and GCHQ, this is not a devolved power thank god.

These are British problems and it doesn't matter if it's Holyrood or Westminster, both the British government and the devolved Scottish government have known about this and covered it up for years. There's going to be lynchings when the report is eventually published.

I have absolutely this has happened in Wales too and I would suspect Northern Ireland is also not free from this.

Why you think this is an English only problem is bizarre. The SNP are so woke they'd happily let it keep on happening if they thought they would get away with it.
 
They should be concerned about data hidden in plain sight more than encrypted data.

Steganography for instance. Programs exist that will 'embed' data into JPEG image files. Depending on the size of the original JPEG image, you can hide a HUGE amount of data, and people won't be any the wiser. You can hide gigabytes of data in a gigabyte JPEG file.

And, I bought an SDR (Software Defined Radio), and was geeked to find a 'number station', but just the day before I left Twitter, I think I found the new and modern version of the 'number station' of old.

Quickly, 'number stations' were radio transmissions that happened at set times (usually) that were some preamble (sometimes gongs, or music) followed by a voice, human or computer, reciting strings of six digits for minutes to hours. The idea is that secret agents would have a single use key that would be used to decode the number strings to get their message. I've never heard a 'number station'. *bummed*

I found an account on Twitter that had a small number of followers, and the account was full of posts containing strings of six digit numbers. Yikes... Not so much 'in the open', but I was able to see the strings.

The best way to hide something is to put it out in the open. Delicious...

I think I'll see how many messages are embedded in images around the internet. Encryption isn't the problem. Politicians hung up on removing encryption from citizens seems to be the problem. *shrug*
 
He did say "exceptional basis" according to the quote in the article but the headline claims he said "exceptional access". There is a slight difference between the choice of words so which is it? What did he say?
 
We all know (or think we know) that noted Franklin quote about liberty and safety. And I agree. The problem is that evil doers can abuse that liberty, hide behind it. These days, the evil one can inflict (terrorism, mass shootings, cyber warfare) and the ability one has to hide (encryption, dark web) are unprecedented. If we are to stand for electronic liberty, we must be consistent about it. If a nut job shoots up a night club, we cannot then change our minds about “liberty” and whine about not knowing what’s on his iPhone or who he messaged on Facebook. We can’t have it both ways. If you want to test how you really feel about it, imagine your family member being murdered by a nut job with an AR-15, suspected contacts with a terrorist organization, and an encrypted iPhone. Really imagine it. Now what do you want? It’s not so simple, and be skeptical of those who offer simple condensations of complex issues (typically found posting anonymously in internet forums).

It's actually very simple. If the question is: "Should government be allowed to violate constitutional rights in the case of____?", then the answer is NO. Regardless of what the crime is, who the victim is, or how many victims there are. I don't think anyone wants it both ways.
 
AES256 or 4096 RSA can be implemented very easily.
Unless you really know what you are doing, implementing your own encryption is a recipe for disaster. Encryption implementation for actual practical use is anything but easy, even if the "textbook" algorithm itself is relatively simple.
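
To make the gap between the one-page "textbook" RSA and a usable implementation concrete, here is an added example (not part of any post) showing two well-known properties of unpadded RSA. The toy key is constructed from two small Mersenne primes and every function name is hypothetical.

```python
# Toy key built from two Mersenne primes (constructed for this demo; far too
# small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

def encrypt(m: int) -> int:
    """Textbook RSA: no padding, no randomness."""
    if not 0 <= m < N:
        raise ValueError("message out of range")
    return pow(m, E, N)

def decrypt(c: int) -> int:
    return pow(c, D, N)

def to_int(text: str) -> int:
    return int.from_bytes(text.encode(), "big")

def match_known_candidates(ciphertext: int, candidates):
    """Defect 1 (determinism): the same plaintext always gives the same
    ciphertext, so the public key alone is enough to test guesses."""
    return [t for t in candidates if encrypt(to_int(t)) == ciphertext]

def double_without_key(ciphertext: int) -> int:
    """Defect 2 (malleability): multiplying by 2^E mod N doubles the hidden
    plaintext, and the result still decrypts cleanly."""
    return (ciphertext * pow(2, E, N)) % N

if __name__ == "__main__":
    answer = encrypt(to_int("NO"))                    # constructed sample message
    print(match_known_candidates(answer, ["YES", "NO"]))
    amount = encrypt(100)                             # constructed sample value
    print(decrypt(double_without_key(amount)))
```

Vetted libraries avoid both properties by applying randomized padding such as OAEP before the exponentiation, which is the part the one-page version leaves out.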
 