Slashdot Mirror
UK Government Wants a Backdoor Into Windows
REBloomfield writes "The BBC is reporting that the British Government is working with Microsoft in order to gain backdoor access to hard drives encrypted by the forthcoming Windows Vista file system. Professor Anderson, professor of security engineering at Cambridge University, urged the Government to contact Microsoft over fears that evidence could be lost by suspects claiming to have forgotten their encryption key."
Oh, and there are a few people who also consider encryption a matter of freedom of speech.
Funny the U.S. government targets Phil Zimmermann for three years but hardly raises so much as an eye when an encryption enabled OS is distributed. From Mr. Zimmermann's homepage: I think that his "criminal activity" was creating an encryption tool that allowed messages to be encrypted beyond what the United States government was capable of deciphering in a timely manner. Does anyone know if this is still enforced? Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.
My work here is dung.
Let them try.
We have alternatives.
http://www.truecrypt.org/
Like you'd really use Microsofts encryption for your important information!
This simply doesn't make sense. What prevents an user, using a different tool without said backdoor?
I'm sure they'll help out!
They do a google search for "backdoor" and "windows", then just take their pick. Microsoft if nothing else, offers a variety of backdoors for your every need.
Internet Explorer will offer all the back door access they need
What good is encryption if your government can read it - before long half the criminals in the country know how to decrypt your files - especially they way the British Secret Service has been losing laptops lately....
Let bad guys use deniable encryption schemes and this won't even be a concern... Please, someone in the U.K. gov get a clue about encryption!
\u262D = \u5350
A backdoor into hdd encryption... How do these people get into positions where their opinion is valued?
http://www.awfullybigmoustache.com
If someone gets a hold of your whole computer, they can read files. If someone hacks your system, they can read your files.
About the only thing windows encryption seems to be able to do is prevent you from recovering your files if your PC ever dies.
Whats the point?
autopr0n is like, down and stuff.
... until the crack is published :)
(sadly this is more insightful than funny)
\u262D = \u5350
\ They just want to play with the big boys. We all know the NSA, the CIA, and the FBI each have their own key! \
Never ask for directions from a two-headed tourist! -Big Bird
What, the Gestapo isn't happy that they might not be able to read the contents of your hard-drive? What a surprise.
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
The UK government asks Uzbekistan to ready their cauldrons...
ascii art
Why don't they just use one of the hundreds of backdoors that everyone else uses? Seems to me M$ are already complying with this request several times over.
I used to have a better sig but it broke.
Pretty sure that's the point of encryption. Making sure that nobody but you and people you trust can read your data, and anyone else up to and including the government can't. Even if they really really want to.
When did a healthy mis-trust of government suddenly get you tin-foil hat status, and a visit from the FBI?
Typical government action: total waste of money. No one else needs a back door to crack Windows.
Seeing as they are talking to the UK about it I am sure they wll have no problem building a backdoor key into the sytem for each govenment without trouble... Right?
-- Sorry, I can't think of anything funny to say here.
This is that definition of "lost" that appeared in the late 20th century. It's akin to the money that the music industry is "losing" due to file sharing. The evidence is not lost, it is as yet, undiscovered, and in any civilized country, we would not assert that there WAS any evidence unless we could actually see it. In the U.K., however, they actually have a law that says that you have to reveal your secret keys to the authorities with no provision for simply not knowing them. You can be convicted of the crime of having white-noise on your disk that authorities assert is encrypted data to which you are refusing to reveal the key. Heck, you could be convicted of a crime for not divulging the key to /dev/random, which is clearly some secret message channel from an unknown party, since messages arrive from it in small bursts!
Blair would also like you to fax him a copy of everything you write on a paper in case you accidentlly-on-purpose shread that paper later on. Better start sending those faxes right away!
US export restrictions for cryptographic software were violated when PGP spread worldwide.
This bring up an interesting point on ITAR and the US. Some encryption technologies could violate ITAR if they are done in the US and then exported to other countries. If I remember right, that was part of the reason encryption on OpenBSD was done in Canada.
Oh, and there are a few people who also consider encryption a matter of freedom of speech.
Some would, but how many governements and what is protected under the law. That is different everywhere. Others, also, consider it a privilege.
Some of these laws, in paticualr with the US, are actually there to protect it from other countries. Many people in the country may not want to protect the countires competitive edge but others do and that is part of what our government has been taked with for a long time.
Evolution or ID?
A suspect will not be able to get away with such a lie, because of advances in functional MRI.
I often see arguments like this one. What's the point for some people to encrypt their files (other than temporary privacy) if you're going to get in trouble later in court anyway for not revealing your keys? Now this might actually be unlikely, but what if average windows user genuinely forgets their password? Seems kind of unfair.
If governments force a backdoor to be installed, it'll be for sale to crackers before the gold masters are pressed, and common knowledge a few weeks later. So "trusted computing" can be subverted using the govt master key. And anyone who actually wants to keep secrets will install somethng that works while not requiring a magic dongle on the mobo. The govt will be able to read data from clueless suspects as they do now. So a win all round. And who doesn't suspect MS would leave backdoors anyway?
It was inevitable something like this would happen after the whole 90 day detention debacle. Labour kept using the excuse of "needing time to break encryption" for requiring 90 days of detention without trial. Anyone with half a brain told them that any decent encryption is going to take many years to break, so I guess this is their response.
I don't really see why the need this anyway.
The government has the RIP Act (Regulation of Investigatory Powers Act 2000) which allows them to detain you, with a press gagging order if you refuse to hand over the encryption key they need to decrypt your data. If you refuse or claim you have forgotton and they don't believe you, then it's two years in gaol for you sonny jim.
They only really got this into law because most people don't understand it. Oh and don't forget that since this government came to power the amount of time they can hold you, uncharged, under the terrorism act has gone from 7 to 28 days... and the police want 90! Yes ninety days, 3 months, 2160 hours!
How about making governments install a keylogger before they seize the computer? Hardware or software, it would go in the old tradition of installing a telephone tap. It's not that hard either. Did the government demand that paper notebook makers supply a backdoor so they could decipher drug accounts written in code?
What's British for "Magic Lantern?"
Slashdot Burying Stories About Slashdot Media Owned
You should not be able to read the files without logging into the computer with your password and/or other identification token.
After logging in, the files are accessable. But not before. Someone who just swipes your PC would boot into Windows but would be unable to read any data files, even with a seperate boot CD. That's the whole idea.
But if the government adds a backdoor, you can bet that a hacker (white or black hat) would find it as well, probably within a few weeks of the OS being out. Thus making the encryption useless.
The whole government complaint is useless anyway because for all they know people can be using deniable encryptionn schemes *today* and they'd never even know about it.
Didn't the US government already negotiate this with Microsoft? They got let off of any antitrust punishment in exchange for granting US agencies or their representatives access to all encryption keys and remote access to the file system.
Anyone with something to really hide will use a third-party encryption system, and "lose" the keys to that instead.
Everyone else* will have a computer with a guaranteed back door, which I am willing to bet will be open to hackers on about Day 3 after Vista's launch.
* - Well, everyone else who's not running Linux, of course.
Sean Ellis
Follow OfQuack's antics on Twitter.
to idiocy what can be explained by malice. There are a lot of backdoors around, and Windows had functional ones for years (wmf anyone?) but the intentionality of them could have been in doubt. Now if is known, proved, and by design adding another backdoor, one that will not be removed by any hotfix because is a "feature", well, 2 things will probably happen: the bad guys will find how to exploit it making all backdoored windows a target, and the bad guys find know how to disable it, so the most harmed people will be the good ones that should not have anything to hide (and because of that, removing/disabling the backdoor would make them suspectful)
Well, if it has been set up competently, it surely won't use the built-in encryption, especially if it is well-known that it has a backdoor.
The Tao of math: The numbers you can count are not the real numbers.
Why not just use the front door like everyone else?
when you consider the fact that the UK is very close to having a national ID card
n tity_card, 00.html
http://en.wikipedia.org/wiki/British_national_ide
and
http://news.zdnet.com/2100-1009_22-6039076.html
and
http://www.timesonline.co.uk/article/0,,2-2039223
this kind of thing, while dissapointing, should come as no surprise. The UK has been big on "security" for some time. Cameras are everywhere, especially in the larger cities. The plan to have a back door into windows boxes is dissapoining because of the hole it can leave for exploits and the fact that those who are very interested in keeping information on their computers hidden from prying eyes (e.g. actual terrorists - or at least the smarter ones) will be able to do so until the information is no longer useful (i.e. people are dead).
Welcome to another part of our brave new world.
uR iGn0ranc3, Their Power
Why would anyone consider 'trusted computing' some binary program which you haven't compiled yourself is beyond my understanding.
Since when does the government have a right to all evidence in any case? One aspect of English law that I thought existed, is that the people should be protected from the government (particularly from self-incrimination). One could reasonably argue that the average citizen needs the availability of government-inaccessible encryption, due to the decreased cost (in terms of time and manpower) required to search through computer records vs. paper records. Current computers, and the massive amounts of data that they store (internet cookies, browsing history, cache data, registry entries, etc.) make fishing expeditions much, much, easier on law enforcement than sifting through physical documents and interviewing co-workers and family.
"What could possibly go wrong?"
"I'm a humble person really,
I'm actually much greater than I think I am"
Not turning over the key (for any reason) is an offense punishable by a couple of years in prison anyway.
Deleted
OS X FileVault...AES128 encryption of your home directory with no backdoors! (At least not that I know of). Ain't nobody reading your files without your key.
Facts do not cease to exist because they are ignored. - Aldous Huxley
Who was/will be the first person tortured by US or Britain to reveal their keys? - Since this is now apparently expected behaviour by these governments.
you had me at #!
For the same reasons that I use Firefox as a web browser and OpenOffice.org as an office suite, if I felt it necessary to encrypt my filesystem I'd use somebody else's tools to do it. (Even if I weren't aware of such a backdoor into my filesystem).
While your at it, build a backdoor for me too.
:-) has held me back! ...and when you build that backdoor, be sure you distribute a system tool complete with MS Office assistants to help me crack peoples computers. I want Clippy to tell me "have you tried putting 'password' for the password?"
I've always wanted to build an army of bots and extort money from gambling sites, but the difficulty of cracking MS Windows (or perhaps my conscience
That'd be awesome.
Use the Firehose to mod down Second Life stories!
I guess now when I go save the data from a Dell laptop with a linux live-CD I won't be able to because the data will be encrypted. I'm sure my friends and family will love to hear that I managed to save their picture collection, but the files are totally useless.
lets be honest about this with both microsofts and british central governments past record. teh back door will be ready iin 2005 sometime will have cost 20 billion pounds. and will only work on sundays for anyone who isnt a governemtn department. now if gchq were involved i'd be a little more concerned.
I recall some years ago, someone found supposedly secret NSA backdoor keys buried in Windows98. I don't recall if it was actually proven, but I would not be surprised if the NSA already has backdoor keys in 98/ME/XP and now Vista. Now the British Government wants their turn. Where will it end? Once MS bows to the British, surely other governments will also demand backdoor keys. Who decides which of those governments get it?
Sooner or later, other organisations (like the RIAA and the MPAA) will also want their keys too (if they don't already have them thanks to their DRM chips). Where will MS draw the line? I highly doubt MS would be very open about how many different governments or other organisations really have backdoor keys.
It is easy for us to say that we'll never use it, or that there are other options out there, but I'm more worried for less computer savvy members of the public who think they are buying a secure system. I know most of those users will never use encryption, but this will set another precident that will further erode all of our rights.
Sorry, cheap jibe.
This is amazing - especially when the idea is being promoted by a 'Professor of Security Engineering' at a reputable university. How can adding a backdoor to security systems be anything other than a massive weakness just waiting to be exploited?
Imagine if this went ahead - the British government would want access to versions of Windows sold in this country, the American government to US copies of Windows, the German government ... and so on and so on... Would Microsoft allow the Chinese government access to their citizens' disks? The Chinese government are signed-up members of The War Against Terror - so they could claim they need access, and besides recent experience says that big businesses will always accommodate governments no matter how repressive.
And it gets worse. Microsoft would either have to make a single key that would open every machine in the World; or they would have to issue copies of all the keys to every government - the British government won't accept not being allowed into a suspected terrorist's (and we have a splendidly wide definition of 'terrorist' in this country) computer purely because the suspect happens to be foreign.
But it will all supposedly remain secure and not fall into the hands of wrong-doers.
The Home Office, IT and Microsoft - what an unholy trinity we have there. With this level of stupidity the legislation can't be far off.
I don't know the law in the UK (or the US for that matter), but wouldn't it make logical sense to just have the police install a hardware keylogger on the computer in question? Why break open an operating and file system and make it vulnerable when they could JUST as easily record the key's passphrase when it is used?
GnuPG comes to mind as open-source encryption software. Are there any Windows or Linux solutions that offer the same relatively transparent, on-the-fly disk encryption that's built-in to XP Pro?
Penny - plain text accounting
from the FAQ:
Plausible deniability. It is impossible to identify a TrueCrypt container or partition. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume and/or that it has been encrypted. To achieve plausible deniability, the format of the volume and the encryption process had to be significantly changed.
I can tell you that in OS X if you have encrypted file store on and you've forgotten your password and have not set a master system password...well...you are deep trouble because as far as I know nobody has hacked it yet. Unless the U.S. gov has backdoor access to OS X.
Yes.
Marutukku, pronounced rubberhose.. (or is it rubberhose, pronounced maru tukku? I forget...)
Any politically active programmers out there want to take a crack at maintaining it?
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
Everyone seems pretty confident that if something like this is implemented, it will be discovered and exploited by black hats within weeks of Vista's release . . . As soon as it becomes 'common knowledge', in that sense, wouldn't it be feasible to create a patch to disable the backdoor? I mean, sure, disabling the backdoor will probable flag you as a terrorist and give enough probable cause to get your system seized, but I'm just being cynical.
cndrr
If a backdoor exists, how can you guarantee that the government is the only party that can use it? (let's for a minute ignore the discussion whether the government has the right to have a backdoor installed.)
Encryption with a backdoor is as secure as using no encryption at all.
*ahem* Yes. Yes it could. That's rather the point. "Your Honor, the officer hit me so hard on the head, that I really just can't seem to remember that right now."
Why do you thing they (in China) are pushing for linux?
An ICMP packet with a particular payload that would be read by the firewall before it was passed/dropped?
Or would it rely on the computer itself initiating a connection to a server on the net to check if it should bind cmd.exe to a connection?
Or are we talking about purely physical access backdoors? I.e. a second public key that all files are encrypted to as well as the owners key?
If there are any governments/embassies/corporations that don't want Mr UK/US Gov to be able to read their data, they should well start looking at other systems. Preferably ones that are "Open".
Get your own free personal location tracker
...the TrueCrypt binaries alone in your possession then every piece of digital media you own that appears to contain random bytes will be accused of holding an encrypted volume and they will torture out of you whatever they want to hear you say.
Oh wait, I forgot... civilized Western nations never commit torture upon their subjects.
FTA:
The system uses BitLocker Drive Encryption through a chip called TPM (Trusted Platform Module) in the computer's motherboard.
It is partly aimed at preventing people from downloading unlicensed films or media.
"This means that by default your hard disk is encrypted by using a key that you cannot physically get at...
The government shouldn't be the only folks horrified at this one. MS wants to turn your entire computer against you, encrypting all of its contents and allowing you to read it only if MS wants to allow it. Even if you're okay with that, imagine if something in the scheme goes wrong? I've used the Windows Encrypting File System in XP, and if you lose your encryption key (not that hard--say, if you reformat your hard drive) you are permanently locked out of all the data you've encrypted.
If this is true, MS really wants a death grip on your computer. I'd never use Vista under those circumstances.
Penny - plain text accounting
The pleasant result of all this is that it dispells the whiff of paranoid conspiracy-theory. The government has been advised to ask for the backdoor access. By a british Cambridge expert. There is every reason to think Microsoft will agree.
There is now simple historical evidence to point the public to. Previously there were more technical , less convincing ones.
The average person is not going to care if Microsoft accidentally included some debugging code in a patch. Even if that made it look like it had a backdoor key. "Whatever that means?", they'll say.
A BBC news article about an expert asking for such a backdoor is a lot more convincing.
[% slash_sig_val.text %]
Now I have to change all my 'password's!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
...Why don't they just use one of the dozens of existing, unpatched, holes--you know, like everybody else?
{rimshot}
Who did what now?
If this goes wrong it will be horrifying. All your data locked up. MS' ultimate tool to control exactly what you do with your computer. MS Technet on the new scheme
Penny - plain text accounting
You have two choices:
-Suck it up and somehow manage to survive all the other crap MS is lobbing your way
-Switch to a more reliable, secure, free and open OS
A difficult choice, init?
Damn the American government! Always trying to... oh, wait. My one chance to fit in on slashdot and I blew it.
Well if you are a corporation or government entity you wouldnt want a laptop stolen and data lost.
Actually, ideally a corporation would set it up so that the filesystem decryption requires you to be on the company network or VPN prior to being able to access/decrypt files (that is, a part of an individual's encryption/decryption key is always downloaded from the network and stays in memory for the duration of the session). That way a lost company laptop is a lot less of a danger. The windows encryption based on a user password alone is pretty weak and crackable (users often choose dictionary or easily guessable passwords). That's the types of encryption and security a corporation would want.
an open source OS, that you can trust.
mr potatohead!, mr potatohead!! backdoors are NOT secrets
From what I've been reading in the news what's the use of another stupid law when they can just get a couple of ex-Iraq army guys to torture the hell out of them. Most geeks I know would spill the beans as soon as these bad boys showed up. Especially if they show the "illegal key-holder" the film of the British soldiers battering, clubbing, kicking prisoners in Iraq. Isn't this what Tony Blair meant when he said "What's good for the goose is good for the gander"?
{I hate to have to include a disclaimer but this IS sarcasm}
Billions and billions have and are being spent on a fake and false attack on innocent people but the big problem is that YOU may be hiding a few quid on your computer. Fascism has taken over.
I wish people would stop assuming "the government", "the state", etc are the good guys and should have some special privledges or powers of the highest magnitude. Why people keep believing this out and out propaganda garbage lie that governments are "the goodguys" absolutly escapes me. Maybe watching too much "Cops"? You know, right, that is made for tv bulls**T? Have you ever had the police come after you? You will? And when they do, you will sorely find out they are NOT the bad guys, they are driven by power and greed, and you will find yourself quite alone and under the target sites of a mass organized institutionalized thug regime.
History has born out time and time again, the exact opposite is the case, government bodies are not the good guys. States always begin as a band of thugs shoving their power around over other people. Either they take over or usurp control over a territory or tribe of people. Rome, for example, was founded by a group of criminals and thugs. A state by its very nature wages ware to gain territory, so that it may tax and rule and repress over a body of people and enforce its own doctrine that benefits and expands its evil growth and existance. When humanity will ever be free of this scourage, I will never know. Not in my life time. Maybe when people say enough is enough, and fight back, stop paying taxes, and say... you are evil, its time we put you out of business.
The most heinous of crimes throughout history have ben perpetrated by the government. You think a serial killer that kills 30 people and hacks them to death is bad? How about a government that drops two nukes on civilian cities and melts 300,000 people. And just wave it off as oh well its ok to do that, we are at war. I'm sure 100,000's of them were children. I want you to show me how those were enemy combatants.
Encryption is no more a munition than a flashlight is (which can be used to blind your enemy). What a load of rot. When are you people going to wake up and smell the coffee? When its too late and your in a prison cell rotting away because you accessed some taboo information over the internet from your home computer, which was a thought crime, and they have all the network print outs to prove it in black and white. There it is jury, look, he/she broke the law. All you have to decide is did he or did he not.
In gods name, if you are ever, ever, ever, ever so lucky as to be on a jury, you need to do a wikipedia search for "NULLIFICATION". Its when the jury says, yeah, sure, he did that, but you know what, we think your whole regime and law is a bunch of bull.
If a government is asking for backdoor access to one operating system, why not ask for backdoor access to others? How would the open source community handle such a request when a government comes insisting on a backdoor to your favorite flavor of Linux, or OSX, or BSD, or something that hasn't yet been developed?
Has this request already been made, and if so, has it been complied with or not?
Web 2.0 == Giant Blogspam Circle Jerk
That article surprised me rather - because I know Ross Anderson to be one of the Good Guys. He is opposed to DRM, Trusted Computing, (see here) and ID cards. Furthermore, even if he has had a change of heart, he's far too smart to advocate a backdoor into encryption.
Linux anyone? What is the point of encryption of a backdoor is widely available? that's like having a 300 key password and when you "forget it" anyone including you can see 299 characters of it... it's only a matter of time before it's "brute forced", if you can even call it that. I don't think you have to make a door that's already there. I understand their motives but it's just a stupid idea unless it's handled extremely cautiously...but even then I think cryptography and encryption methods lose their use when every file has a public key that opens it like a "master" key. Don't know if I like that idea.
The jokes really write themselves.
Seriously, though, I'd store inciminating stuff on something I could get rid of more easily than my hard disk.
Please enter your ultra-confidential password:
< > [ Let me in! ]
Alternatively, you may check the following checkboxes.
[ ] I've lost my password
[ ] I declare that I am legally entitled to access these data
[ Let me in! ]
The problem with Slashdot memes is that YOU INSENSITIVE CLOD!
No one expects the Spanish Inquisition.
We just lend them over to the Uzbeks instead.
I assume they'll be able to hire any 15 year old to try this if history is any lesson at all.
"...the British Government is working with Microsoft in order to gain backdoor access to hard drives encrypted by the forthcoming Windows Vista file system..."
Hell, just go ask a bored 14 year old in front of their computer; Offer up a new XBox for each of the first 100 different ways to do it. Of course at that point, the winners have to have parental permission.
Add their backdoors to your backdoors
And so, ad inifinitum.
( after Jonathan Swift IIRC )
Seriously though, why would anyone who had concerns about the security of their data trust the latest shrink wrapped stool sample from M$ any farther than it could be flung. The only practical use for such technology is yet another M$ attempt to lock the user to their platform and that should be of concern to the courts wherever you are.
... it's a way of spiking DRM. If the UK government can be scared into requiring that Windows Vista not be fully DRM-enabled (by whatever means necessary), then that's a good thing. Waving the four horsemen (porn, pedophiles, drug dealers, terrorists) at them is a good way of achieving this - the horsemen have been used for years to justify restrictive computer laws, now (for once) they're being used to try and combat restrictions.
Public figures who spear-head movements are often targeted or planted to create focal points of public trust or civil action which can then later be used to mislead or otherwise sabotage a movement.
Pick your people carefully, according to deeds, not words.
-FL
Forgive me, but I would have expected more from one of the UK's top two universities.
No, I'm not expecting them to be privacy advocates, rather I would expect them to realise that no government can backdoor every encryption product that there is. - People will turn to gpg, pgp, truecrypt - or any number of other encryption schemes. Backdooring windows is simply ineffective.
On a related note; if I Rot-13 then copyright my data, can I claim you're in breach of the DMCA if you decode it? Obviously this would only apply to the US.
Having needed to break into someone's system to recover encrypted files, I can say it's not that simple.
Windows NTFS encryption is certificate based. For installs done by anyone not a professional paranoid, the user has access to the file recovery certificate, and the domain administrator may have access to a file recovery certificate valid domain-wide. To use a certificate stored on the hard drive, you MUST have the password to that certificate... which is NOT changed when you force-change an account password.
So, yes, you can hack a machine, install a trojan, and read the users files when they login next. But, until the user logs in (which, yeah, is usually a short wait) and starts the trojan running under their user ID and password before your trojan can decrypt the files to examine/copy them. Alternately, you can get a dump of the encrypted password files, and try a brute force crack. But if the password used on the account (and, ergo, certificate) is, say, 12 random printable characters... dude, you are so SCREWED.
Fortunately, the time I needed to break in for someone, the password was "only" nine random characters. I used a boot disk to dump the password file. Then, we wandered over to the operator for the school 128-processor Linux cluster with a case of good beer at 3:30 on Friday, explained the problem, and he agreed it would be OK this once to "not notice" the copy of the cracker program that would be blatantly running over the weekend in violation of several rules. We left, "not noticing" the case we were leaving behind. At 9AM Monday morning, I checked my email, and my batch job had left the user password sitting in my inbox.
If it had been a 12 random printable character password, we'd still be waiting for the rest of our lives. And, for the professionally paranoid, I understand it's possible to use a non-default certificate (with potentially a different password) for encrypting files... where the decryption certificate need not be on the machine.
Afterwards, I gently explained to the user that EFS should generally be reserved for situations where you consider the data's loss preferable to its disclosure. "EFS is not quite blow-up-the-building-first security, but it's close." He now reserves EFS for his financial information and consulting work covered under legal privelege.
//Information does not want to be free; it wants to breed.
As usual, this is the sort of measure that can only result in catching small timers, novices, and people who are probably innocent of any crimes. The smart crooks will just use something that does not have backdoors in it, if they are not already. I cannot believe that there aren't people in the U.K. government who don't realize this already, therefore I can only surmise that being able to catch small fish _is_ their primary interest. I suppose if enough small fish are caught, then it can distract the public from larger, more difficult problems that remain unsolved. Not only that, it will inspire fear that will help keep the masses in line as more of their freedoms are taken away.
It saddens me to see the U.K. in particular continue down a path of increased surveilance of its citizens with the U.S. not too far behind. Given this, it is rather hypocritical to criticize the Chinese government. At least the people in China know they have an authoritarian government and don't suffer under the illusions of people in the U.S. and U.K. as we slide down the slope towards fascism.
To the making of books there is no end, so let's get started
Right, that's it. I have an idea:
We need a campaign to undermine the legitimacy of the "lost key" argument.
And we need it to be average Joes who don't give a shit about our principle...
First to make a Windows worm that puts white noise on every drive connected wins a medal for liberty! Come on, it would be no more obscene than the government's "argument" now. At least a good firewall will give you some protection from the worm. Good lawyers and friends in the Labour party are required to give you some protection from the government!!
It's worth noting that harm can come not only from data being revealed under coercion, but also from data becoming unavailable.
If terrorists or an oppressive government take your computer and hard drives away, anyone who depends on that data is very much out of luck.
For this reason, local encrypted filestores and plausible deniability are only part of the puzzle. Quite a lot more is required, in particular cryptographic online distribution.
A comprehensive solution will need to use a large population of fixed size raw dataspaces spread across the net, instead of local disks. Quite likely, it would be stored steganographically 1:<large-N>:1 so that (for example) changing webcam images could be used as repositories. And it will need cryptographically-random access for site selection and dataspace selection and to individual bits in the dataspaces. And it'll need huge redundancy since the online storage will be inherently unreliable, yet without laying the scheme open to pretty simple differential cryptoanalysis.
That's a very tall order.
Since when does the law treat averybody as guilty untill prooven inocent? Also if MS would to put a backdoor in their OS ( current or future one ) they would be obligated to put some information in the EULA. Many people might not care but then there are enough that would and this decission would eventually hurt MS pretty bad. I highly doubt that there is any way for any government to persuade MS to put a backdoor in the OS. The only thing is that if you are a government you can get access to the source code of the FS and provided that you have some bright people for you, the encription could be broken. So this supposed professor should stick to his books and maybe read some more ... Decripting is a tougth job but when you have the source and a couple of super computers at your disposal it's really not that bad.
Ross Anderson is actually very, very good, and very well-respected by People Who Know. He has a blog (not that that means he's good -- any idiot can have a blog -- but you can see how he thinks). I'm guessing that the newspaper was not entirely clear about what he was saying.
I may be wrong. But I'm not going to judge the guy on the basis of what a reporter quotes out of context.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Only that in this case you can't.
One possible solution is to use encrypted filesystems under Linux or OpenBSD.
If you really need Windows and want secure data, it might be best to use an external encrypted SAN, or a file server running OpenBSD and Samba.
Windows XP (and 2003) already has this capability (paranoid theories aside) for corporate administrators.
First, it helps to know how EFS (windows encryption) works. It's easy to use, just use Explorer, browse to the files you want to encrypt, right click and click the encrypt button. The filenames turn green in explorer to let you know they're encrypted, but you can continue to use them. However, if you use a boot disk to attempt to access the files, attempt to access them with a user (even an administrator) or attempt to access them using a low level NTFS reading utility, etc, you will find that the file is competently encrypted.
In an encrypted system, there is always a key, which is used to decrypt the "plaintext" -- the stuff you want secret. Windows transparently generates a key for each user, which consists of a large random number. The key, in turn, is encrypted with the user's password. When the user logs in, Windows decrypts the key to transparently decrypt files. On a side note, Windows XP (and 2003) will give you a nasty warning if you reset a user's password using administrative tools to let you know that the user will lose access to any encrypted files.
In a domain (Windows networked) environment, Windows lets you specify a designated user (or users), a "recovery agent", that can decrypt a particular group of users' files. This is extremely important, because if someone parts the company and they encrypted their files (due to corporate policy or maliciousness), by default, it's impossible to access those files without their password. As explained above, even if you reset the user's password, you can access their account, but the encrypted files are irretrievably lost! However, when you designate user that can decrypt other users' files, Windows makes two encrypted copies of the per-user decryption key - one encrypted with the user's key, the other encrypted with the corporate-backdoor key, which allows them to recover the files.
If a backdoor were to be created for a government, it would work very similarly to the corporate environment: when you encrypt files, the user-key used to encrypted them will be in turn encrypted with your password -- which is probably ("bunny", "password" or "god") and will be encrypted with the government password (which will likely consist of hundreds (or thousands) of random bits). Note that the government password will not need to be present to create the government key -- they can distribute a public hash thats sufficient to encrypt but not decrypt. See PKI and EFS.
This is why we shouldn't have a monopoly on operating systems, yet why it is "almost" state sponsored (local UK government is in bed with MS). All I want is Vista's External Memory Device (EMD) technology or similar in Linux and better game support (don't we all?) Incidentally the UK gov has declared its biometric ID card project will go ahead, albeit optional, unless you need a passport or renew. When take up is large enough it'll made compulsory, then I can see 20 years from now ID cards are implanted for convenience, when takeup is large enough it'll be compulsory. I won't be chipped like a pet dog. That on top of our country having a huge number of CCTV cameras recently installed and plans to track every car in the country.... Democracies and dictatorships are becoming very similar.
You know what the secret code for the backdoor to encrypted data on a harddrive running Vista is gonna be, don't you?
Up-Up-Dn-Dn-Lt-Rt-Lt-Rt-A-B-A-B-Ctrl-Enter
Support the FairTax
Why use this windows crap when PGP is free and available? (though whole disk encyption is pay per view)
"If any question why we died, Tell them because our fathers lied."
Christ! With software like that on your PC... hell, even with its web pages found in your browser cache you are just ensuring that Our Glorious Leaders will continue to torture you until they get the evidence they want. Or you die.
What's the difference between you and a "clueless suspect"? Nothing, unless you assume that no detective ever made a mistake. That or you ARE a criminal and consider your tools better than average.
Obviously the UK thinks M$ leaves backdoors and is asking to buy one publically. That's not very bright.
Friends don't help friends install M$ junk.
Worth pointing out that keyloggers are exactly the route that the FBI here in the US has taken:
http://www.epic.org/crypto/scarfo.html
That's US v. Scarfo; basically a mobster was using PGP to encrypt his communications and rather than breaking the encryption the hard way, the investigators got a warrant to install a keylogger. I'm not sure exactly how they did it, but I'm pretty certain that it was a hardware device implanted in the keyboard, rather than software. (The warrant they got was pretty much a blanket thing, approval for 'hardware, software, and firmware as necessary...') However they didn't divulge the exact methodology in the trial, because they successfully claimed an exemption under the Classified Information Procedures Act.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
When will the courts realize the bloody obvious fact that bits on a hard drive are evidence of nothing! Until computers are not able to be remotely hijacked with all tracks erased, there's no way to prove who put the bits there!!!
As more and more traditional forms of evidence (audio tapes, photos, DNA records, VOTES for god sakes) become digitized, the more we need to be skeptical of them.
And don't bring up digital signatures so long as keyloggers exist.
"This means that by default your hard disk is encrypted by using a key that you cannot physically get at...
The purpose is to keep the data on my computer from ME. That way, I can't share my data with Linux, or recover an MS-trashed hard drive without Microsoft's permission.
They want to own my computer from day one.
Your CPU dies, and you have to move the drive to another box ... Data? what data?
Find a way to recover your own data without an MS-owned OS? Don't tell anybody or they'll send the cops to your door a'la DVD Jon.
I'm just waiting for the first virus that flips the right switch and trashes people's data or holds it hostage.
Free Software: Like love, it grows best when given away.
If it were possible to have a backdoor in an encryption system, then the whole system would make very little sense as fas as security is concerned!
The backdoor should have an AAA (Authentication, Authorisation and Auditing) sub-system to be sure that is get used for the right purposes by the right people. And this makes really no sense.
Moreover, if I were that funny guy, I would have not published this (ridiculous?) request: if everyone knows that there is a backdoor, none would then use the encryption system!
Good move, guys. Good move!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I used to use BestCrypt as a means of keeping encrypted volumes, but I found TrueCrypt a while back and have been very satisfied. It's open source, cross-platform, and generally works very, very well. For something as important as encrypted data I want to be able to look at the code myself (and more importantly, I want a lot of other people looking at it so they can blow the whistle on any inappropriate backdoors and such).
"People who think they know everything are very annoying to those of us who do."-Mark Twain
The point of government-crackable encryption is to prevent competitors from snooping on your data. But if the government wants it, you should cooperate.
:(
The problem of course, is when the government is BOUGHT by the industry *cough* RIAA lobbyists *cough*
So it all ends up in Les-Miserables style of breaking the law. Breaking the law is bad, but so is publishing unfair laws. So we either break the law and become fugitives, or throw ourselves into the river
It's Windows, so why ask? It already has one.
But the Mac has had FileVault for some time now .. does the UK have a back door? Is there a FileVault backdoor?
I guess crimis are kinda dumb by the nature they are crimi but smart folks wouldn't use Vista to store incriminating evidence it would seem to me...
-if at first you don't succeed, stay the heck away from paragliding.
You can do pretty much squat to gain peace of mind if you use a commercial, closed source application.
You can inspect the code, and modify it if you need to, if you use an open source application.
IANAL but write like a drunk one.
The irony is that TPM *is* the backdoor into the system. fudwatcher
davecb5620@gmail.com
Whatever happened to moot, or m-o-o-o-t or whatever it was called?
Boobytraps, both software and hardware are the reason investigators now take the drive out and in extreme cases even take the drive apart before doing anything else. So far nobody has found a way to boobytrap the platters themselves while for someone like the police it is trivial to duplicate a drive/platter and then they can examine the copy at their leasure leaving the original safe for evidence.
The idea that you must use the suspects own computer hardware and software to get the data off would be a nightmare to investigators.
So a brute force attack would not work against a smart suspect. Current brute force attacks only work because systems allow an unlimited amount of logins. Limit this and brute force is death. Think of it like this. Brute force works on doors ONLY if somebody doesn't beat your face in the moment you touch it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Judging from MS track record, there will be one ;-)
Are we really still this naieve?
Windows Vista--so secure that the government requested we install a back door!
The windows encryption back door wouldn't work against the smart suspects either, because they would be using something open source, which they know doesn't have any back doors. For all the dumb people using default windows encryption, it will work perfectly. They'll be able to brute force the password, and access all the data on the drive, after making a backup copy for evidence in case the machine was booby trapped to delete all the data.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
So your fabulous security is as weak as your alarm system pin.
Is that "truested alarm system" pin?
The sort of folk who want your data that badly are likely to be able to handle your alarm.
What sort of data do you have?
Sam
blog.sam.liddicott.com
There is a dutch saying "zoals de waard is vertrouwt hij zijn gasten". It is a bit hard to translate but goes roughly like this "by his own nature the innkeeper trust his guests".
Meaning that if the innkeeper is a crook he will trust his guests to be crooks. What does trusted computing therefore tell us about Intel MS and the content companies?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
You are exaggerating. Yes, aliens can be deported on the basis of secret evidence, but so what? They are not citizens, and I don't give a shit what happens between them and the immigration authorities. Coming to this country is a privilege, not a right. We can deport aliens for any reason or no reason at all, any time we like, the same as any other sovereign nation.
It is indisputably true that the government doesn't have the resources or the desire to hassle immigrants who are working hard and minding their own business, and equally true that there are some bad apples among the pool of recent immigrants that have only been discovered by secret surveillance techniques like Echelon. I don't have any problem with them being kicked out, and I don't want to see our intelligence abilities compromised by public exposure in court. So tough shit for the poor innocent fund-raisers for the cuddly widdle Palestinian suicide bombers. The sooner the fucking murderous filth are expelled, the better.
Now, if American citizens could be convicted of crimes on the basis of secret evidence with no jury trial, then you'd have a legitimate complaint, and I'd be right behind you. But this is not the case at present, and I doubt very much it ever will be.
-ccm
Too much Law; not enough Order.
I must confess I find this concept of a backdoor of this nature to be nonsense. Just like cryptographic export restrictions in the late 90's, there will always be a way to get the software you need to protect yourself. The export restrictions were lifted not because the US government suddenly had a change of heart and discovered protecting personal data was a good thing, but because they figured out the hard way that the rest of the world was going to create and use whatever encryption they needed with or without the US' involvement: either the US government could maintain some limited influence, or they could have none. Plenty of companies already make software to encrypt the data on hard drives (utimaco and others come to mind). Some of these companies are European, few are based in the US or the UK. With regard to intel gathering, any surveillance or early discovery will be as invisible as possible. The best way to do this is to find flaws and notify Microsoft about some of them but not all. Rather conveniently, both the UK and US government already have access to the source code for Windows. The retained exploits would be retained for intelligence use until such time as they become a liability (ie when the exploit is publicly discovered and exploited, putting their own systems at risk). The advantage of this approach is that even with a warrant for the search/discovery, they don't even need to damage the lock on your door and you'll never know they were there.
You shouldn't take this as an authoritative answer, but I believe the answer is no.
On a FileVault-enabled system, the only things which are encrypted are the user's home folder. The default location for swap space is not in the user's folder, ergo it's not encrypted. At least via FileVault, and I can't imagine it would just be encrypted by default using some other means, because that would necessitate a big performance penalty which a lot of users wouldn't be interested in.
The way filevault works is, when you enable it, a variable-sized, encrypted disk image is created at "/Users/.(username)/(username).sparseimage". Then, on login, this image is mounted to "/Users/(username)/". On logout, it's unmounted and compacted. This is all accomplished using the hdiutil program.
The rest of the filesystem is not encrypted, so I don't imagine that swap would be.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Institutions such as NIST test the implementations of the algorithms, then the program either gets certified or not.
The problem is that without certification, we do not know whether what they've implemented is what they think they've implemented*.
The point is that they might use some obscure algorithm nobody knows - which has no guaranteed strength; thus one cannot rely on it. They can also implement standard algorithms such as AES or DES - but were they correctly implemented?
Sure - "why don't you take the sources and look at them yourself?" some might say, but is everybody competent enough to do that?
On the other hand, implementing something and then certifying it, means that:
[a] it was done right
[b] it is as strong as the standard says
In the case of encryption, the strength is in the key itself and in the mathematical basis of the algorithm, NOT in the obscurity of the mechanisms applied within the software.
One minor thing - NIST certification is expensive, I doubt TrueCrypt will pass it, unless some company pays for this. Commercial encryption software is a different thing, if they want to be treated seriously, they must go for it. An example is Private Disk.
* an old saying:
The saddest poem
Although I don't know the man, I just looked up what I think is his blog, and provided he's not lying through his teeth, the Politics and Public Policy section of his blog seems quite agreeable in spirit to me.
He also has some really interesting papers on there. (Check out the "Cocaine Auction Protocol" and "Programming Satan's Computer" -- the first is a methodology for creating an un-mediated auction house, the latter is about programming on untrusted networks.)
Of course, to each his own.
Here's the link:
http://www.cl.cam.ac.uk/~rja14/#Lib
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
"Oh, and there are a few people who also consider encryption a matter of freedom of speech."
Any use of encryption is free speech? No.
Writting / exporting of encryption code may be free speech.
Use of it has nothing to do with free speech.
Bernstein v. United States has nothing to do with the use of software, just the creation.
You can't commit a crime and excuse your actions by yelling "free speech".
Just like you can't phone someone up and threaten to kill them while claiming "free speech".
Knowing them, they're just leaking this so people don't think they can hack in already
We all know how they love back doors.
I thought governments just tortured people who acted like this, nowadays.
Oh, maybe that's just the US.
MjM
XKCD:Xeric Knowledge Comically Dispen
I actually posted this idea a bit back about how to deal with the RIP law. Build a file system that uses encryption and several passwords. Each password unlocks a different set of data. For example, password 1 on a the drive gives you images of your last Disney trip. Password 2 gives you your porn pics. Password 3 give you your tax records. There is no possible way for someone looking at the apparent random data to know how much actual information is there. So unless they can prove you did not give them all the keys they will be up the creek.
I imagine the system would ask you how much space you want to use then randomly marks out that much space on the drive. The File Allocation Pointer Table points to where the current data is. In order to expand or alter any allocation you would need to ask you if there are any more passwords but it would not know if there are or not. It is also safe if say one user losses their password, as that user data is lost but all other known password protected data is safe.
Another added trick is static data blending. That is where it takes the data on the tracks and mangles it so that depending on which password you use the same area gives you another set of data. This might be useful for the allocation pointer as you could use the same area for many allocations pointer at once. This method could also be applied after the fact to hide read-only data area. You would run a merge on any given directory which would help hide that there is any extra space on the drive at all. This is also really useful for read-only media.
If you combined this with a user based permission system and a file system that only grows as much as each new user is allowed when created you even get a good reason not to have the whole drive used, as we all know they would try to show that that mere fact you had free space is suspect. The other cool thing is that since the password determines access you could have a system with an unknown number of users with an unknown amount of data stored and no way of finding out how much is really there without all the current passwords.
Some of the bad side, well they could make it illegal, the amount of drive space needed would be very large for some sections like File Allocation Pointer Table because it has to be as large as the maximum number of allocations you ever wish to be able have, and if someone tried to expand file system or create a new allocation without knowing all the passwords they would destroy all data for the unknown passwords. The later is both a good and a bad thing.
You cant compress the hidden partition to zero...
So if you have a 100MB file split into 50MB normal and 50MB hidden.
The police force you to hand over the code for the 50MB normal.
Then the police, says:
Hold up there guvnor, the file size is 100MB on the hard drive but only supports 50MB of data. Hand over the second code!!!
They could build backdoors into Solitaire for all I care, it'll just be a backdoor leading to a brick wall as long as there's a firewall in front of it.
This is, once again, an example of "those who don't know, don't care". If you're using the built-in Windows Firewall, then it will silently let these sneak attacks through, and most people using the defaults just don't care about these things, nor are they likely to be the target of a government investigation. Anyone who DOES have something to hide or protect, will load an aftermarket firewall or even set up a linux box in the middle to block intruders and keep the secrets from leaking outside.
Those who are targetted by big brother AND don't cover their tracks are incompetents that should be ensnared and exposed to discourage others. There's good honest people who stay in line, good crooks who stay out of my backyard, and lousy schmucks who screw it all up for everyone.
-Billco, Fnarg.com
Well really it wouldnt take much for a cyber criminal to just use a series of removable hard drives, possibly each encrypted with something else on top of Vista's encryption (if they were really serious 128 bit encryption would be the absolute minimum they would use), and in the event of law enforcement coming to take them down either store the hard drives somewhere or just keep a few microwaves handy to toast them before anyone can get their hands on them.
I mean especially since this news is not exactly a secret Im sure that cyber criminals will think twice before using Vista. Plus really...how many serious cyber criminals would use Windows as their main operating system knowing full well that the Microsoft can so easily be coerced by almost any major government on earth into lending a helping hand in this particular area.
In addition Im sure these criminals are smart enough to see the EASY solution to this problem....USE ANOTHER OS!!!!
If you supplied only the first code the system would see a 100MB partition, not 50MB. It would see the 50MB hidden partition as free space, and would begin overwriting it if data were modified.
The algorithm does in fact provide plausible deniability.
I'm not sure about the UK, but in the USA, wouldn't this be a 5th amendment rights issue?
The summary states that this black hole is desirable for "fears that evidence could be lost by suspects claiming to have forgotten their encryption key", but why would a suspect have to say they lost their encryption key? Why not just plead the 5th?
The 5th amendment states: "No person shall [...] nor shall be compelled in any criminal case to be a witness against himself [...]"
I honestly do not believe that the contents of a person's hard drive falls into the same category of evidence as eye witnesses or DNA. A personal computer's hard drive, particularly one with an encrypted file system, is effectively an extension of that person's memory and hence any data extracted from it seems very much like testifying against oneself.
http://brandonbloom.name
I find these restrictions on encryption really retarded. The strength of an encryption algorithm doesn't necessairly depend on if its 128 or 256 bit encryption, but rather the implementation. Its kind of like Titanic, nobody thought it could be sunk, but a weak implementation sunk it.
Can you imagine this headline: "Government Wants a Backdoor Into Linux"
There would be world-wide laughter, and Linux would continue as before.
Only proprietary software is weak to government control.
Britain has sadly already become a police state. Only criminals and cops have guns, cameras everywhere, illegal to state non-liberal opinions, and now this. Once the control structure is fully in place, most Brits will find themselves being openly persecuted. Anyone want to bet how long it will be before they start implanting RFID chips in everyone? They'll start with the kids and say it's for safety.
Unfortunately, some in the U.S. want that here. I hope the red states can save us.
TFA mentions backdoor for decrypting the file system's contents. This has nothing to do with gaining remote access to a machine, it's about inspecting the contents of a seized hard drive.
(Police knock on the door...)
"Sir, according to the National Data Terrorism Act of 2025, you must now submit to a brainscan to reveal the encrypted data stored in your Microsoft On-Board(tm) Neuro-Chip. Never fear, though, you are still protected from self-incrimination in court--you won't hve to reveal your private thoughts. Well, voluntarily, anyway. And don't worry, this will only hurt a bit."
The music industry trusts it. The movie industry trusts it. The government trusts it. The only people who can't trust it are the owners of the equipment on which it runs...
The race isn't always to the swift... but that's the way to bet!
See this: Sociology of government access.
The U.S. government openly stated it wanted access to all Windows computers. It got that by exploiting Microsoft sloppiness.
And once it exists, how long before the **AA is demanding that legislators give them access to it as well? After all, they clearly feel that protection of their IP rights is more important than anything else -- and they have money to make themselves heard in this regard.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
That should read, oppressive legislation. I refuse give the power elite (government) the benefit of the doubt, as if they simply made a "stupid mistake" in the course of trying to provide justice. Gee, that's a whole lot of stupid mistakes since the US came to be. Enough that the US government today dwarfs the US government of only 50 years ago, in terms of both revenue and power over the people. Imagine that. Quite an accident.
No, oppression is not accidental, and government does not expand its powers for the benefit of the people, just as Wal-Mart doesn't open up a new supercenter for the benefit of a small town. The power elite (government) operates in self-interest -- always -- just like everyone else. The difference is that they hold the unique "right" to employ coercion as a means to an end; anyone else who does so is a criminal.
It all depends on the backdoor, of course.
But have you seen any false MS-signed files lately? I don't think so. Lots of time has passed since image signing became widespread, and nobody has managed to falsely sign a file as coming from MS.
Maybe his long term goal is Muslim rule (though I'm not conviced he's anything more than a power hungry madman who's merely using Islam) but his short term goals generally revolve around hurting/killing people and the general undermining of societies he doesn't like.
He doesn't like our way of life, with our quasi-democracy and capitalism and relative tolerance of different faiths. And every time we change our way of life, every time we give up one of our rights in the name of "fighting terrorism" we are delivering a victory to him and people like him.
see subject.
Microsoft can't get the damn front door to work properly as it is, which is why you have to use the Windows in the first place. You think they can properly implement a back door? Shit, there's no walls to begin with!
about licensing their rootkit technology!
"UK Government Wants a Backdoor Into Windows"
Makes a change, Tony Blair's been making his back door available to Bill Gates since he came to power.
Hmmmmmm..... Deep fried and look like Squirrel.
Don't they all come with thousands of preconfigured remote access vulnerabilities already? I think the UK Government just wants to have one for their very own so they can be l33t too.
if I claimed I was emperor just because some watery tart lobbed a scimitar at me they'd put me away!
OK, well, if the government pushes this, can we get parity to make all paper shredders scan documents as they pass through so we can recover the "lost" documents that certain officials always seem to have a problem finding during corruption and power abuse investigations?
It's only fair...
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
not that we need any more reasons...
the only permanence in existence, is the impermanence of existence.
You know what the secret code for the backdoor to encrypted data on a harddrive running Vista is gonna be, don't you?
If president Jr. get to pick it, I'll bet it is 1-2-3-4-5.
HA! I just wasted some of your bandwidth with a frivolous sig!
oh please, yes please. switch on encryption that uses TPM. then all it takes is a virus to overwrite the TPM keys in the BIOS memory and that's it - game over: your entire hard drive rendered useless. mwhahahahah
I made this comment a long time ago when TCPA was first floated - that by encrypting your hard disk to keep out hackers and the like the government would not have access to your data and would request a backdoor, thus negating any protection you have in the first place. The "T" in Trusted Computing Platform Alliance stands for "Trusted" and if there's a backdoor then there can't be very much trust for the user can there?
The TCPA has to realize that a secure system is impossible in today's political climate as the government will want in and if the government can get in you or I will eventually find a way in as well.
ensuring that Our Glorious Leaders will continue to torture you until they get the evidence they want. Or you die.
The really scary thing is that the president of China was the second "Our Glorious Leader" I thought of when I read that.
P.S.
I and the other happy happy citizens over on this side of the pond send our deepest empathy with you and the happy happy citizens on your side of the pond. The joy I feel at seeing your government and your Glorious Leader emulate and work hand-in-hand with my government and my Glorious Leader... well lets just say that the english language contains no adjective I could possibly attach to "joy" which would adaquately and correctly express the emotion it brings to my heart.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
And so, inevitably, the Powers That Be(TM) competing to dominate the lives of the Minions(TM) come into conflict.
If the governments get their way, there will be no true encryption permitted, because otherwise they can't spy on people.
If there is no true encryption, there is no point whatsoever to having the TPM, the entire DRM concept just got screwed, etc. It doesn't matter whether it's "only governments" who can break the codes, because someone will crack/leak/otherwise work around that restriction within days, and the Internet will do the rest within hours.
So, the media industry's current prime directive and major investment just came into direct opposition with the government's current prime directive and major political hot potato. The blue touch paper has been lit; please retire to a safe distance, and wait to see which of the rights you thought you were losing will be staying after all...
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
In the US, 12 September 2001.
In the UK, 8 July 2005.
You get the idea.
After a major terrorist act, the population is angry, not rational. Many are personally affected by the attacks. Thoughts of proportionate responses and civil liberties are overwhelmed by fear and grief.
This is, of course, the ideal time for a government to try to increase its own power at the expense of the people it should represent. This goes double for governments with only a tenuous hold on power, as is usually the case in the US because of its two-party politics, or for governments whose very mandate is dubious, as is the case of Blair's UK government (which didn't actually win the popular vote in England, and has often relied on the votes of Scottish MPs to push through controversial legislation to which their own constituents will be immune because the Scottish Parliament will decide for them separately).
Hence it is precisely in the wake of a terrorist atrocity that we should be keenest to protect our civil liberties, for it is at these times that they will naturally come under the gravest threat.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Windows wants a backdoor into the UK gov't, so let's just call it even.
So do you run a complete audit of every line of open source code for a backdoor?
People CLAIM that having the source makes it more secure but that didn't help WINE with the WMF vulnerability. You have to completely understand the code which could have been written by 15 different people with slightly different methodologies of coding. Instead of trusting microsoft your trusting a bunch of random people who could have inserted nearly anything and obfuscated the code to the point you think it does something else.
Hold down the SHIFT key?
Chill man. This whole article is about what may be in the final release of Vista. My statements were obviously based on the (lack of) security in the current version of windows, which would be XP. No, I don't know that the same weakness will exist in Vista, however, considering that the same basic problem has been present since NT 4 (and possibly earlier), my guess is that it will be in Vista as well. They've made minor improvements between versions, such as implementing a "system key" to encrypt the SAM database, however, the same basic flaw has been present for something like 10 years now.
Is this a Mr. Smith? Mr. Anderson should be someone to prevent Backdoors, not create them. Or is the Neo in him trying to trick the Matrix with its own weapons?! ;-)
about which part?
Like we need any more reasons not to buy Vista. This is just lovely.
While I don't know the proper answer to this debate, your arguments arn't much more than a call to emotions. The figures look made up (there are many good reasons to have encryption, including defence from criminal organisations), and it is certaintly not clear what would benefit say society the most.
My first guess on this topic is that it is wrong to force people to give up an encryption key though, afterall self incrimination is a violation of the individual freedoms and I have severe doubts society will suffer much under wether you can force release of encryption keys or not, you could even wonder if it would have negative societal effect because it is not clear if a goverment that is able to check all information would be a good thing. The police tend to have plenty of other ways to get that key anyway as it is right now and then we also forget they havn't lost any of there old sources of information either.
Remind me again why someone who wants to keep anything personal/may-get-you-arrested would use Windows? Oh wait, I just answered my own question! (They don't, didn't you get it?)
Really... why would anyone need a backboor to be written purposefully into windows?
So, if I have files of random noise on my machine for testing audio systems, or random data for testing data modems and the government contends that it is actually encrypted data and wants the key, how in hell am I going to get them off my back?
Oh well, what the hell...
Maybe not. As anyone who has read this classic essay by Ken Thompson knows, the only way you can really trust a peice of software is if you not only wrote it yourself, but also wrote (or created) the OS, the compiler all the libraries you app is linked against and even the hardware your software runs on. Any one of those items could easily be modified to detect that you are compiling or running a "significant" application and insert a back door into it.
Prove i didnt just forget.. Im rather forgetfull, and with all the stress of being questioned for a crime i didnt commit ive totally spaced the password.
---- Booth was a patriot ----
Anybody know if StegFS described in http://www.cl.cam.ac.uk/~mgk25/ih99-stegfs.pdf/ is actually available? Plausibility deniability of the knowledge of keys to unlock deeper levels of encyryption is an explicit goal of the project.
I thought that's what torture was for? Don't tell me the Brits are too squemish to use the iron maiden these days. Come on GB, I know you still have it in you!
Everyone else has access to your Windows system, why shouldn't the Brits as well?
Since when do you need anything special to access a Windows drive??
My fav is the book "Don't click the Blue 'e'"
This article was published in 2000 and it concerned Windows 2000 machines. We're almost two operating systems ahead of that. Does anyone know whether or not China actually found any 'backdoor' code in the Windows 2000 OS or if they've changed the operating system which government officials use?
no text means no text
This space available.
... they need to actually put a back door into Windows? Damn, I thought it already came with one... or two... or three... Just ask any virus writer, I am sure he'll tell you of few.
Do a Google search. He keeps pushing his own commercial encryption software.
Clever signature text goes here.
Compare http://news.bbc.co.uk/1/hi/uk_politics/4713018.st
Prof Ross Anderson encourages government for crypto backdoor in windows vista
With this http://pgp.mit.edu:11371/pks/lookup?op=vindex&sear ch=0x4B2700B9
The Professors PGP key to keep his e-mail private.
Are we cynical yet?
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Darwin source is available; I don't know if FV is included there or in the proprietary higher levels of the OS. I'm inclined to say it isn't though, logging in via >console or ssh doesn't decrypt and mount the drive.
Facts do not cease to exist because they are ignored. - Aldous Huxley
M$ has no business putting backdoors in windoze, or anything for that matter. People have a right to encrypt their data. I for one will NOT buy Vista. I've been using linux for over a year, and it is sooooooo much better than windoze anyway. If only we can convince the rest of the world.
There's no place like 127.0.0.1
...OS encryption in Windows is worthless. If there is a "back door" for governments, how many months will it be before "hackers" figure out how to use it? 2, 3, or less?