Lets ban all encryption coz protection!!!

[watercooled]

Steganography doesn't tend to work brilliantly in digital communication unless you combine it wit encryption. And even then, it might throw off casual observers but it's possible to find the extra payload if you know what to look for.

So much of the world we live in relies strongly on cryptography, it cannot be done without. There are no sensible arguments to that.

A backdoor in a protocol is a catastrophic security flaw. Even if you have utmost trust in security agencies (which you shouldn't have - a contractor managed to steal tons of top secret level documents without anyone blinking), what's to stop others finding and exploiting the backdoors? It's been tried. It doesn't work.

Of course, the details are lacking as is to be expected for such a stupid proposal, because no-one with the slightest understanding of how these systems work would come up with something like this, but what may be more likely is that popular messaging services may be required by law to effectively stop using end-to-end crypto, and instead use a client-server model like is used by SMS etc. But that's also stupid because, why would any criminal use a known-compromised communication channel?

There's really no way of looking at this that makes any amount of sense, regardless of your feelings on giving up privacy. At best, it's utterly useless. At worst, well, it's hard to even begin imaging the damage it could do.

One time pads often get thrown up in crypto discussions. They're not a solution. Rather than explaining myself, Bruce Schneier does a brilliant job of it: https://www.schneier.com/crypto-gram...02/1015.html#7

@peterb: Criminals also use telephones, pens, pencils, screwdrivers, wires. Under the justification of 'criminals use encryption so ban it', what other common items should we add to the list for good measure? Banning something because it is also used by criminals is nonsensical.

From what I've heard, intelligence was in place for the recent attacks. The perpetrators were known to security services. Fat lot of good that did.

And how exactly would an encryption ban, or even a backdoor to common protocols help that in any way whatsoever? How many major criminals are stupid enough to use a communication channel they know to be compromised? Like a lot of things, this just harms everyone else, and pushes crime underground. Zero net benefit.

Do you mean knee-jerk on the side of gov't, or the negative reaction to it? If the former, I agree. Perhaps as others have said, exploiting terrible events to promote your government before election time. If you mean the reaction, then it's more than justified; surely anyone with any remote understanding of technology can see how idiotic the whole thing is, along with the reaction to gov't wanting to strip more freedoms without justification.

[Ttaskmaster]

One time pads often get thrown up in crypto discussions. They're not a solution.

No, I didn't mean they were a solution for us, the mass market - I meant that this is what the criminals/terrorists would simply resort to if we start dropping all the encryption on messaging - In the same way that banning handguns and knives just means they start using bows and hammers.

[watercooled]

They can work, but you still need to distribute keys effectively, and have a good way of generating keys.

If they key generation is flawed, or if the method of sharing the key is compromised, the whole system is broken. As I said, a ban doesn't break existing encryption, and it works fine, so why change to something where you're far more likely to mess up the implementation?

But either way, it goes to show how useless a ban would be when there are trivial ways around it.
Oh of course, no amount of telling criminals they should be good boys and not use something, if they'd be so kind, is going to make any difference. OTPs aren't necessarily needed though. However provided they're used properly, which is no small feat, they do provide plausible deniability - once the keys are destroyed, no-one can prove what the original plaintext was.

But even a full-on ban wouldn't mean regular encryption stops working. A ban doesn't alter or break mathematics.

[peterb]

One time pads often get thrown up in crypto discussions. They're not a solution. Rather than explaining myself, Bruce Schneier does a brilliant job of it: https://www.schneier.com/crypto-gram...02/1015.html#7

Schneider is talking about automated systems. His article goes on to say

An early Teletype hotline between Washington and Moscow was encrypted using a one-time pad system. One-time pads were also used successfully in WWII by the English; spies in locations with radios but no other encoding equipment were given pads printed on silk, and were able to encode messages for transmission faster and more securely than by previous methods involving memorized poetry.

The problems lie with key management and distribution, but for simple hand encrypted messages, they work.

@peterb: Criminals also use telephones, pens, pencils, screwdrivers, wires. Under the justification of 'criminals use encryption so ban it', what other common items should we add to the list for good measure? Banning something because it is also used by criminals is nonsensical.

From what I've heard, intelligence was in place for the recent attacks. The perpetrators were known to security services. Fat lot of good that did.

And how exactly would an encryption ban, or even a backdoor to common protocols help that in any way whatsoever? How many major criminals are stupid enough to use a communication channel they know to be compromised? Like a lot of things, this just harms everyone else, and pushes crime underground. Zero net benefit.

Do you mean knee-jerk on the side of gov't, or the negative reaction to it? If the former, I agree. Perhaps as others have said, exploiting terrible events to promote your government before election time. If you mean the reaction, then it's more than justified; surely anyone with any remote understanding of technology can see how idiotic the whole thing is, along with the reaction to gov't wanting to strip more freedoms without justification.

To ban everyday tools would be disproportionate. However, explosives are not readily available, and while that does not stop the amateur bomb maker, it is a deterrent and procuring explosives or the materials to make them leaves a trail. Using your example, explosives and weapons of any sort should be freely available without any restriction.


So if a ban on encryption could be enforced, anyone using it might automatically come under scrutiny.

But is it right that criminal acts should be facilitated by the use of technolgy? And if not, how is it countered?

As for knee jerk, yes the Government as posturing, but the response is also knee jerk. Civil liberties are always balanced with security, the question is the balance point and the oversite, which I referred to in my earlier post.

[peterb]

Temp close while I sort out a merging mess

Reopened - I was merging mutiple sequential posts (including my own) and selected wrong one - I think I have attributed posts to the right people.

My apologies. Thread re-opened.

[watercooled]

Err. Encryption is an everyday tool. Knowing you, I can only assume you're playing Devil's advocate and speaking hypothetically when comparing explosives and weapons to encryption. Because that really is a poor, poor argument. For starters, when are weapons and high explosives used daily by every citizen? Because encryption is...
Replace explosives and weapons with knives, hammers, screwdrivers, cars. Because all of those can be used as devastating weapons in the wrong hands, and are essential everyday tools, just like cryptography.

How is technology explicitly 'facilitating' criminal acts exactly? What about two people, you know, using their mouths and talking? How is this technology allowing something which was previously not possible? At most, it's allowing an alternative way to go about one part of the process. That's like banning only AK47s in USA and thinking it will eliminate, or even reduce, gun crime. Or another analogy, you don't ban MS Word because somebody wrote a particularly offensive letter on it.

As for civil liberties vs security - that argument only has any credibility when a proposal offers a swing from one to the other. This doesn't. It strips one with zero benefit to the other.

Edit: Your last post is still a bit messed up WRT quotes etc.

[peterb]

There is an element of devil's advocate, but the answer isn't a ban, and that has not been proposed. The proposal is (as I pointed out in my original post) a back door (master key if you like) to allow rapid decryption of communication that may be suspect.

How that could be enforced is another matter. But if it could, that might be a suitable compromise, with suitable judicial oversight.

As for two people talking, the fact that a meeting between two people is taking place may be significant in an investigation, which is two perpetrators might use some other form of communication. Letters are another, and reasonably private, although I suspect less so with electronic sorting and hand writing recognition algorithms.

LEAs have powers to intercept communications, the proposals extend that to encompass digital communications. The Internet isn't a sacred cow, it's a communications medium, no more or less, and there is no reason why it should not be subject to the same oversight as any other - provide it is proportionate and overseen. How that oversight is implemented is another matter.

(Think I have corrected the merge error, btw )

[krazy_olie]

my solution



There is no way things like whatsapp will get banned, I'm not worrying too much.

[watercooled]

But back-doors have been tried in the past, and don't work. See the Clipper Chip as an example. An enforced back-door is essentially a ban on effective encryption. Encryption with a deliberate way to break it, just isn't encryption, it's a toy.

Even in terms of implementation, it's not as straightforward as just throwing in a back door. Even if the more sensible option of having server access to popular messaging apps, and using client-server transport encryption rather than end-to-end encryption, is pretty much useless because like I said, why would anyone who cared about security still use it?

If the idea is to break implementation of encryption (key escrow), that's pretty much a non-starter. It's not like encryption is something only select people are able to implement; anyone can implement common ciphers from source code, and easily see and remove back-doors were they added somehow. It's just not workable.

So, say for a personal OVPN tunnel, would I somehow be required to send a form to the government with any material necessary for decrypting the ciphertext? Because that uses strong end-to-end encryption, and would not be breakable by some sort of large-company-server-access policy. It's ridiculous.

The Guardian have a few sensible articles up about it (along with every other media source with half a grasp of technology it seems): http://www.theguardian.com/commentis...ssaging-terror http://www.theguardian.com/commentis...eron-not-safer

[Ttaskmaster]

However, explosives are not readily available, and while that does not stop the amateur bomb maker, it is a deterrent and procuring explosives or the materials to make them leaves a trail.

Actually, many types *are* readily available...
We're lucky in that the knowledge of them is not as common here as in other countries, but things like ATM bombings by quite petty criminals happens frighteningly often in places like Cape Town.

That said, we were taught how to make the likes of thermite in our chemistry class!!
Actually makes me wish I'd paid more attention instead of dreaming about flying spaceships...

The difficulty is in certain explosives, which aren't majorly effective but are easily made from some very innocent items. Couple this with people not caring if they get caught because the damage will already have been done and you have some very easy crime/terrorism/activism/whatever.

For ^this reason alone, I really don't mind the government/GCHQ/MI5 reading every email I write and every website I browse. Most of it is entertainment of an adult nature anyway, so nothing beyond a bit of embarrassment and maybe an eyebrow raised over why I'm illegally downloading a film (because I'd be a fool to pay for this dull CGI remake crap, that's why), but nothing that would get me in serious trouble.
Because if they can catch someone who *is* a serious threat, then it's worth it.

What I am concerned with and what I will happily use encrypty things for is stopping companies from selling my data and identity thieves from stealing my ID!

I have nothing to hide from the government... but the human race is a different entity!

[peterb]

But back-doors have been tried in the past, and don't work. See the Clipper Chip as an example. An enforced back-door is essentially a ban on effective encryption. Encryption with a deliberate way to break it, just isn't encryption, it's a toy.

Even in terms of implementation, it's not as straightforward as just throwing in a back door. Even if the more sensible option of having server access to popular messaging apps, and using client-server transport encryption rather than end-to-end encryption, is pretty much useless because like I said, why would anyone who cared about security still use it?

If the idea is to break implementation of encryption (key escrow), that's pretty much a non-starter. It's not like encryption is something only select people are able to implement; anyone can implement common ciphers from source code, and easily see and remove back-doors were they added somehow. It's just not workable.

So, say for a personal OVPN tunnel, would I somehow be required to send a form to the government with any material necessary for decrypting the ciphertext? Because that uses strong end-to-end encryption, and would not be breakable by some sort of large-company-server-access policy. It's ridiculous.

i don't completely disagree with you, although as i said, I suspect most publicly available crypto systems are breakable, otherwise a Governments wouldn't go to considerable expense to develop hardware crypto systems with very sophisticated KMS. But in crime fighting, speed may be essential.

But while I detest the phrase 'war on terror' combating crime is a conflict and the use of cryptography does have the potential to tip the odds away from the LEAs.

There is of course still some mystery surrounding Truecrypt. However that doesn't stop me using it to give some privacy to my data, but I'm more concerned about that data being exploited criminally than Government agencies reading it.

I don't regard the Government as my enemy

[watercooled]

i don't completely disagree with you, although as i said, I suspect most publicly available crypto systems are breakable, otherwise a Governments wouldn't go to considerable expense to develop hardware crypto systems with very sophisticated KMS. But in crime fighting, speed may be essential.

AES, the one we all know, is certified for use up to Top Secret data by the NSA. If the NSA can break it, so can other governments. And there's no reason to assume the relatively tiny amount of people working for intelligence agencies have some knowledge advantage over the rest of the world combined. The thing with modern encryption is, it doesn't really matter how much money or hardware you throw at it. The encryption is so far from being the weak link, no sane person would attempt to defeat it over, you know, stealing someone's computer.

There's no convincing argument, even in light of all the Snowden leaks, that ciphers themselves can be broken. Beyond that, you're asking to prove a negative. I.e. prove ye olde flying spaghetti monster doesn't exist.

But while I detest the phrase 'war on terror' combating crime is a conflict and the use of cryptography does have the potential to tip the odds away from the LEAs.

No amount of banning or back-dooring will change that, like it or not.

I have nothing to hide...

https://www.schneier.com/essays/arch..._value_of.html

And more recently, there have been reports showing people do self-censor when they believe they're being observed. So much for fighting for freedom of expression...
http://www.nytimes.com/2015/01/05/ar...ance.html?_r=0

I don't regard the Government as my enemy

That's a bit of a straw-man argument though, and is only a step or two away from the 'don't like it, must be a terrorist' one. As I listed above, you don't have to consider the gov't as an enemy to desire some privacy.

Though as I keep saying, this isn't even an argument of gov't access vs no gov't access. Outlawing encryption is damaging far beyond that. The privacy implications, while still important, are TBH not the main reason I started this thread. Rather, it was the absurdity (I'm running out of adjectives ) of the whole thing. If you notice, I didn't even refer to privacy in my posts, and the Ars article I linked only briefly mentioned it.

[wasabi]

I don't regard the Government as my enemy

I regard it as at best a necessary evil. But I'm a libertarian / individualist. For every piece more government there is one piece less individual freedom.

[Biscuit]

The only way that the government having back doors into encryption services would assist them in combatting global terrorist acts, is if said groups or cells didn't know that the Government had access into them. If a criminal/terrorist organisation knows the government has access, they will find another method of communication.

Either this has ZERO to do with the stated goals and the genuine purpose has considerably more sinister ramifications to the levels of snooping in society, or the government are just utter morons.

In an ideal world the government and all their organisations would be full of 100% trustworthy people who are utterly committed to serving the public and keeping us safe. The reality is that we don't live in an ideal world.

[watercooled]

I've made enough edits to my previous post, but missed this part. New post to avoid confusion.

LEAs have powers to intercept communications, the proposals extend that to encompass digital communications. The Internet isn't a sacred cow, it's a communications medium, no more or less, and there is no reason why it should not be subject to the same oversight as any other - provide it is proportionate and overseen. How that oversight is implemented is another matter.

That's just how it is though - strong encryption now exists and is easy to use. You can't turn back time or hope to deprive people of it; you can't have it usable for some purposes and not for others. The Internet is quite a different beast when it comes to law enforcement vs past methods of communication, and as such cannot be treated in the same way.

Outlawing piracy and attempting to block sharing sites shows how hugely effective traditional methods are.

And see China, Iran, etc for brilliant examples of how totalitarian Internet control ... doesn't exactly work.

Regardless of philosophy on the matter of snooping, it changes nothing about the realities of effectiveness and implementation. You don't have to be against snooping to see how this is unworkable.

I mean, I'm all for cutting back carbon emissions, reducing waste and preventing deforestation. But I can still accept it's no easy task.

[wasabi]

I object purely on principle. The technical arguments are neither here nor there. The government has no business digging in my stuff.

At a wild concession to threats of extremism, I'd say the only situation of government spying on anyone anyhow is after a court order showing extreme probability or extremely serious offences, later (1 year max) publicly reviewable, and the investigated person also later notified of the investigation. Anything less and they're simply bullying nosey lowlife invasive peeping-Tom thugs stomping over individual rights. I literally trust Google more.

Which given I lived in Cheltenham for 5 years pretty much sums up the collective of traitor obsessed misfits and weirdos at GCHQ.