UK Gov't Can Demand Backdoors, Give Prison Sentences For Disclosing Them (arstechnica.co.uk)
An anonymous reader writes with some of the latest news about the draft Investigatory Powers Bill. Ars reports: "Buried in the 300 pages of the draft Investigatory Powers Bill (aka the Snooper's Charter), published on Wednesday, is something called a 'technical capability notice' (Section 189). Despite its neutral-sounding name, this gives the UK's home secretary almost unlimited power to impose 'an obligation on any relevant operators'—any obligation—subject to the requirement that 'the Secretary of State considers it is reasonable to do so.' There is also the proviso that 'it is (and remains) practicable for those relevant operators to comply with those requirements,' which probably rules out breaking end-to-end encryption, but would still allow the home secretary to demand that companies add backdoors to their software and equipment. That's bad enough, but George Danezis, an associate professor in security and privacy engineering at University College London, points out that the Snooper's Charter is actually much, much worse. The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"
Professor of journalism at City University Heather Brooke writes at the Guardian: "When the Home Office and intelligence agencies began promoting the idea that the new investigatory powers bill was a “climbdown”, I grew suspicious. If the powerful are forced to compromise they don’t crow about it or send out press releases – or, in the case of intelligence agencies, make off-the-record briefings outlining how they failed to get what they wanted. That could mean only one thing: they had got what they wanted. So why were they trying to fool the press and the public that they had lost? Simply because they had won. I never thought I’d say it, but George Orwell lacked vision. The spies have gone further than he could have imagined, creating in secret and without democratic authorization the ultimate panopticon. Now they hope the British public will make it legitimate."
He didn't know it were robo-rats.
The scariest thing about living in a "democracy" (Republic) now is that the *majority* really don't care about their rights, as long as they can watch their reality TV and they have someone to publicly shame on Facebook/Twitter.
"I have never let my schooling interfere with my education." - Mark Twain
Since you can't disclose it, what can you do? I guess your only option is to take a vacation in Russia. Perhaps someone there will talk to you and not do something insane like try to arrest you! They might understand your frustration and try to cheer you up by giving you a few presents.
Is this like American law? If a Malaysian finds a back door in an Indian software program used by the Chinese and gives it to the Malaysian version of the NSA, will the Brits nab him when he passes through some airport in Thailand and take him back to the UK for trial?
Is some part of "draft" giving you fat fucks particular trouble?
watch your tone asshole! In fact rephrase that in a respectful manner or go fuck yourself.
When they write up these "drafts", usually what they just do is figure out what kind of legal crap they're already doing and put it down on paper for ratification by the "representatives".
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
covers the vast majority of us self imagined semi-chosens,,, ask ed snowden your secret questions continues here on /.truth.missing
The clause about penalising those who reveal the existence of backdoors created for use by British security service surveillance is classic upper class twat thinking... "If we don't tell anyone it exists then no-one will find it, tee hee". Problem is there is a world full of people smarter than them that will find the backdoors easily.
Not too long ago, Europe objected that the US wasn't adequately protecting European citizens' data when US businesses are subject to government spying. These are legitimate concerns, but Europe is doing exactly the same thing the US is. As a US citizen whose data might be processed in Europe by multinational companies, how can I trust that my data is safe? When US companies and the US government are involved, I have the recourse of the court system. But there's no such recourse for me if the EU is spying. As a US citizen, I don't want my data shared with or processed in Europe. At least if it's in the US, I have a modicum of hope that the courts can protect me from government abuses.
So they will be enforcing "security by obscurity" ?
Ooh, it's all OK then. It'll only happen if the home secretary thinks it's "reasonable". Good job we don't have a party-independent constitution which guarantees there's always a hard-line nutcase as home secretary.
The answer of "is it reasonable according to the home secretary" is always a resounding "yes", with a side order of "fuck you, proles".
SJW n. One who posts facts.
This is just the kind of tyranny we fought a revolution to get away from. It's too bad that we're the ones teaching them to do this kind of shit. We have this pesky Constitution that gets in the way, but they have no such thing, so they get to be our government's little tyranny playground.
So what happens if the backdoor leads to a different criminal offence - such as leaking of the medical records of millions of citizens? Will the company be allowed to disclose that the vulnerability has been introduced to comply with another law? Can the company be held liable for the consequences?
I'd like to see the British Government go up against Theo.
UK: "We demand that you install this backdoor in LibreSSL because reasons."
Theo: "Go fuck yourself."
What's next, outlawing open source software?
The terrorist will be fine. Those who understand the basics of computers will be fine. Has anybody been to the U.K.? Government departments using computers with floppy disk drives. System administrators who hide in cupboards and cannot put two words together. The passwords are like 2468. If you ask them, "What do you do? What can you do?", they say, "I can use Windows." With computers and computer networks the U.K. is like a Third World nation that is lost in the 80s. The only security they understand are those damn CCTV cameras which are absolutely everywhere! We only found one group of Pakistanis working in a garage resetting locks on computerised cars. All using software with an Australian hacking group logo on it.
European politicians have long envied the power of the Chinese government and bureaucracy, and admired the complacency of the Chinese people in light of a western life-style, ruled by an all-powerful single party. Is it any wonder western politicians & big business want the same for themselves? After all, Europe had a working feudalist system, in particular in England, and these folks have not forgotten their defeat for the benefit of a democratic society. They want it back, and more of it, and this is their very chance. What they probably forget to consider is that already today we see a new and growing working class, or worse off, and it was the working class suffocated by hunger that overthrew the feudalist classes in the first place. Since the Chinese growth-financed happiness program is unlikely to work in Europe, as people have to reduce their personal life standard rather than increase it like in China, the next revolution might come sooner than they expect. Perhaps they are expecting it alright, which would explain the proclaimed need for this all-encompassing surveillance power. It is not the contemporary terrorists they are after; it is the ordinary citizen in about five to ten years from now, deprived of the current living standards, rising against an unjust system.
Someone's misspelt Grauniad.
http://harridanic.com
Actually, if this quote is an accurate presentation of their behaviour:
So why were they trying to fool the press and the public that they had lost? Simply because they had won.
, they were aiming for full illegitimacy once again. "Must..act..beyond..the confines....of the law..at....any cost!"
One can only hope that they will leave the EU, the sooner, the better.
Does this prevent an implementer from disclosing it to the agency itself? "The Investigatory Powers Bill would also make it a criminal offense, punishable with up to 12 months in prison and/or a fine, for anyone involved to reveal the existence of those backdoors, in any circumstances (Section 190(8).)"
The other day, I watched the new Bond. What has the world come to, if the plot of such a movie actually starts to sound realistic? Especially the bit about the own guys not being the good ones anymore?
They did that when they voted for these people. Five more years... Enjoy
“He’s not deformed, he’s just drunk!”
When I was studying IT Security and encryption, one of the things that came up a lot was that you should always assume the process of the encryption is known [as well as some of the text of the message]. Typically it's because the encryption process is a standard (AES, for example). Security through obscurity doesn't exist. And it's far easier to keep a key secret than an algorithm (or source code).
So if the UK are trying to ensure that a backdoor exists in any encryption method created, then EVERYONE IS GOING TO KNOW ABOUT IT! It will be impossible to keep the existence of a backdoor secret. They may have a 12 month sentence for anyone who leaks this information, but you have to assume that it will be leaked, and you have to assume that everyone (who wants to) will know how it works.
This, then, leads to the problem of how to implement such a backdoor in such a way that only one group can use it but everyone else can't -- simply, impossible.
This reminds me of one of the major flaws of Enigma (that a character can't be encoded as itself) that was insisted upon by people who didn't really understand encryption - a flaw that was, in large part, responsible for helping to break the Enigma codes.
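An added illustration of the Enigma point above (not the commenter's code): because an Enigma letter never enciphers to itself, anyone holding a crib (a guessed plaintext fragment) can discard every alignment where a crib letter sits under an identical ciphertext letter, before touching any key material. Nothing below implements Enigma; it only shows that elimination step. The ciphertext and crib are constructed for the demonstration.

```python
"""Added example: how Enigma's 'no letter maps to itself' rule leaks
information to a cryptanalyst holding a crib (a guessed plaintext fragment).

This does not implement Enigma; it shows only the elimination step the
flaw makes possible. The ciphertext and crib below are constructed."""
from typing import List


def candidate_crib_positions(ciphertext: str, crib: str) -> List[int]:
    """Offsets at which `crib` could still sit under `ciphertext`.

    An alignment in which some crib letter equals the ciphertext letter
    above it would require Enigma to encipher a letter as itself, which its
    reflector design never does, so that alignment is impossible.
    """
    ct, cr = ciphertext.upper(), crib.upper()
    if len(cr) > len(ct):
        return []
    survivors = []
    for offset in range(len(ct) - len(cr) + 1):
        window = ct[offset:offset + len(cr)]
        if all(c != p for c, p in zip(window, cr)):
            survivors.append(offset)
    return survivors


def positions_ruled_out(ciphertext: str, crib: str) -> int:
    """How many alignments the self-mapping rule eliminates outright."""
    total = max(0, len(ciphertext) - len(crib) + 1)
    return total - len(candidate_crib_positions(ciphertext, crib))


# Constructed data: 20 distinct ciphertext letters and "WETTER" (German for
# "weather"), the start of the well-known weather-report crib.
SAMPLE_CIPHERTEXT = "ABCDEFGHIJKLMNOPQRST"
SAMPLE_CRIB = "WETTER"

if __name__ == "__main__":
    print("possible offsets:", candidate_crib_positions(SAMPLE_CIPHERTEXT, SAMPLE_CRIB))
    print("eliminated:", positions_ruled_out(SAMPLE_CIPHERTEXT, SAMPLE_CRIB))
```

With a cipher that lacked this rule, no alignment could be excluded this way; the number of offsets eliminated here is information the design gives away for free, which is the point the comment makes.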
They demand a back door -- you make it. They ask what it is, you say you are in compliance with the law and cannot disclose any information.
WIN!
All companies based in other countries, like Google, Apple, Microsoft, Cisco, etc., etc., should just cease their operations in the UK if this bill passes. Stop doing business with this country, stop providing services to this country. That'll get this bill reversed overnight; otherwise, the UK can just go back to the modern stone age.
Another thing the citizens of the world can do, block all UK IPs at their firewalls, turn the UK into an information wasteland.
how are we supposed to tell the "good guy" backdoors from the "bad guy" backdoors?
As it would be rather difficult to force someone to put an invisible government backdoor in an open source project, does this bill mean that companies will be forced to put backdoors in proprietary components only, violate the GPL by publishing a modified version without providing access to their modifications, or replace a GPL component with a different component upon government request?
Can a government bill demand people to lie? If not, a simple question "Did you put a backdoor in your product?" would have to result in "no" or "under the penalty of prison I'm not allowed to comment". No reasonable company would shoot themselves in the foot with the 2nd answer unless they're forced to.
Yes, I and several other British overlords are giving some serious consideration to moving to Amsterdam or Berlin, for good.
This is after the impending EU referendum which, anyone with a brain will be voting against so that we can actually stay in Europe.
- Dan
Since you can't disclose it, what can you do?
Does discontinuing a service entirely, as Lavabit did, constitute "disclosing it"? Or does this bill allow the government to force a private British citizen to provide a service to the public against his will?
I have a colleague who is perfectly happy to throw away his rights - "I don't care what they do if it's anti-terror related" and "we need to get rid of all this human rights bullshit", which was in response to my mention of civil rights, namely being detained without charge and warrant-less access of private data.
It's fine if it's other people:
* https://en.wikipedia.org/wiki/First_they_came_...
So how does that work for open-source software?
File under 'M' for 'Manic ranting'
It doesn't matter how insecure you try to make the network; it was already assumed to be insecure, just as a closed device is assumed to be insecure. That doesn't mean it can't be used; it just means the untrusted stuff never sees plaintext.
And it's hilarious that they worry about disclosing backdoors. How is the UK government going to imprison someone outside UK who finds a deliberately-buggy git commit and talks about it?
In a way, this is all good. It's just going to encourage people to run decent software. They should have been doing that anyway, but they didn't, because the "this is insecure on purpose" issue wasn't in their face all the time. But now in addition to garbage software being insecure, there is a constant stream of news stories about how it's definitely insecure because the government insists it be insecure.
Some people look at this as a powergrab by the government, but it's really just the government shedding light on an already-existing problem: if you can't audit it, then you can't trust it, so get software which has the ability to be trusted.
On one hand you get the cost of a breach from deliberate flaws in a product. On the other hand you get the revenue from operating in the UK, less the possible cost of developing a second product crippled with these backdoors for the UK region. Is it going to be worth doing business in the UK under these terms?
Overseas security companies and the Streisand effect. Anonymous tip-offs by post with false return addresses of backdoors to security researchers will be published. The Streisand effect can't be stopped by 1 rogue nation on the global internet. Search for photos of Barbara's coastal home, Tiananmen Square, German concentration camps, etc.
The truth shall set you free!
I once wanted to go to Australia, NZ and Scotland. No more. Every time I think they can't slide further into the abyss they do. Heck I don't even want to go to Canada any more.
"We have not been instructed by HM Government to put any back doors in our software."
"The answer of "is it reasonable according to the home secretary" is always a resounding "yes", with a side order of "fuck you, proles"."
No, the answer is *usually* a resounding "yes". The exception being if the request happens to be for access to the communications of the Home Secretary or MPs of the same party, in which case it's "no".
...who told you?
Oh wait, that's hypothetical.
That would never happen.
You can, at most, defend yourself in your own home from invaders. Even in Texas, it's not legal to chase people down the street and stab them. Here's a guide to the subject because most people are misinformed or worse regarding this.
What we need are Google, Apple, Facebook, Twitter and other companies in the communication business cease all operations in Great Britain when this (or similar legislation) passes.
Let the people of the UK deal with the government when Apple, Google, Facebook, Twitter, etc. stop doing business with them because of this law. If suddenly the people of England couldn't buy a smart phone, update their status, or tweet their latest selfie because of the government, they would take to the streets and they would have a new government in a few days!
"Grab them by the pussy" -- President of the United States of America
Don't do any software development there.
"Sorry, we can't add a back door, we're only a sales and marketing department. Development is done in another jurisdiction"
We set up a public database where companies can register the fact that they are not creating any backdoors. This registration has to be renewed each year. This registration is not illegal - it simply informs the public that the government has not made any special demands, which is perfectly lawful.
Of course, if the government does make any special demands, the company cannot register the lack of backdoors anymore, and the registration will automatically be removed from the database. From that point we know that company is under government orders to include backdoors.
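An added worked version of the registry idea in the comment above (not the commenter's design, and not any real registry): an entry counts only while it is fresh and its authentication tag verifies, so a removed, expired or altered entry all read as the warning sign the scheme relies on. As a simplification, a per-company HMAC stands in for the public-key signature a real registry would use, so the code runs with the standard library alone; every company, key and date is constructed.

```python
"""Added example of a 'no backdoors' registry: an entry is trustworthy only
while fresh and verifiable, so silence (missing or expired) is the signal.

Assumption: an HMAC keyed per company stands in for a public-key signature.
All companies, keys and dates below are constructed for the demonstration."""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Dict, Iterable

RENEWAL_PERIOD = timedelta(days=365)  # entries must be renewed yearly
STATEMENT = "No technical capability notice or backdoor demand received."


def sign_entry(key: bytes, company: str, statement: str, attested_on: date) -> str:
    """Tag binding company, statement text and attestation date together."""
    msg = f"{company}|{statement}|{attested_on.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_entry(key: bytes, company: str, attested_on: date,
               statement: str = STATEMENT) -> dict:
    return {
        "company": company,
        "statement": statement,
        "attested_on": attested_on.isoformat(),
        "tag": sign_entry(key, company, statement, attested_on),
    }


def check_entry(entry: dict, key: bytes, today: date) -> str:
    """Classify one entry as current, expired or tampered."""
    attested = date.fromisoformat(entry["attested_on"])
    expected = sign_entry(key, entry["company"], entry["statement"], attested)
    if not hmac.compare_digest(expected, entry["tag"]):
        return "tampered"      # any field edited after signing
    if today - attested > RENEWAL_PERIOD:
        return "expired"       # not renewed within a year
    return "current"


def audit_registry(entries: Iterable[dict], keys: Dict[str, bytes],
                   watched: Iterable[str], today: date) -> Dict[str, str]:
    """Status per watched company. A company with no entry at all is
    'missing', which under this scheme is exactly the signal to look for."""
    by_company = {e["company"]: e for e in entries}
    report = {}
    for company in watched:
        entry = by_company.get(company)
        if entry is None:
            report[company] = "missing"
        else:
            report[company] = check_entry(entry, keys[company], today)
    return report


# Constructed sample registry, audited on a fixed date.
TODAY = date(2015, 11, 6)
SAMPLE_KEYS = {
    "ExampleCo": b"constructed-key-1",
    "StaleCo": b"constructed-key-2",
    "TamperCo": b"constructed-key-3",
}
SAMPLE_ENTRIES = [
    make_entry(SAMPLE_KEYS["ExampleCo"], "ExampleCo", date(2015, 11, 1)),
    make_entry(SAMPLE_KEYS["StaleCo"], "StaleCo", date(2014, 6, 1)),    # never renewed
    make_entry(SAMPLE_KEYS["TamperCo"], "TamperCo", date(2015, 10, 1)),
]
SAMPLE_ENTRIES[2]["attested_on"] = date(2015, 11, 5).isoformat()  # date edited after signing
WATCHED = ["ExampleCo", "StaleCo", "TamperCo", "GoneCo"]  # GoneCo has no entry


def demo_audit() -> Dict[str, str]:
    return audit_registry(SAMPLE_ENTRIES, SAMPLE_KEYS, WATCHED, TODAY)


if __name__ == "__main__":
    for company, status in demo_audit().items():
        print(f"{company:10s} {status}")
```

The audit treats "missing" and "expired" as distinct from "current" rather than as absence of data, which is what makes the registry useful: the company never has to say anything once it is under orders, it simply stops renewing.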
'Wants to be able to'
This bill has not passed yet. Why is it stuff about the UK is written this way, when you'd use 'seeks to' for a US issue?
If they cannot get mobile phones, network equipment, computer OSes, etc., they may notice how utterly stupid they have become. Then again, maybe not.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"Reasonable" will certainly be in the sole and exclusive opinion of the Home Office. Nor will they have to disclose what "reasonable" demands they made. Therefore "reasonable" becomes an echo chamber of like-minded individuals all within the same organization. An organization which is hierarchical and prioritizes obedience to the leader, parceling out rewards and punishment for the people within it. Groupthink is the inevitable result.
"Reasonable" is only reasonable if the public gets a good look at it. Without that "reasonable" becomes a tyranny of opinion provided by one point of view.
You are right: kill a few VIPs and they will play it as "crazy person with a gun". The sad truth is the people that come to this site could actually do something about this. DON'T WORK FOR THE GOVERNMENT. I work in information security and get calls all the time to come to work for the government; my answer is always HELL NO! I only work in the private sector and only will work on projects that have nothing to do with spying on anyone. Yet there are geeks reading this site that do perform the work of spying on their own people. Sure you get a high dollar paycheck, but where is your soul? If we as IT people refused to do the work then there would be a halt to all this shit. Remember the people putting this shit in place are too stupid to do the work we do.
Know a friend that works for the agencies? Remind them and shun them for their actions. If nothing else, take them out back and beat them.
isn't concealed, they're PROUD of it.
We need an algorithm that can generate good one-time use codes, that can be coded in Excel or other trivial environments and that does not include a backdoor. Once such a simple algorithm is distributed, then we can roll-our-own coded messages, in a massive civil disobedience movement. If such an algorithm already exists, we need to put it on bumper stickers, carve it into bank walls, spread it in flyers in coffee shops and stand back to see what the unintended consequences are.
"There is no god but allah" - well, they got it half right.
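An added example for the one-time-code comment above, in plain Python rather than Excel, and not the commenter's algorithm: a one-time pad, with the two rules that make it secure (key at least as long as the message, never reused) enforced or demonstrated in code. The messages and the fixed key used for checking are constructed.

```python
"""Added example: a one-time pad, plus what leaks when a key is reused.

The pad is unbreakable only if the key is truly random, at least as long
as the message, and used exactly once. Sample messages are constructed."""
import secrets
from typing import Optional


def otp_keygen(length: int) -> bytes:
    """Fresh key material from the OS CSPRNG, one byte per message byte."""
    return secrets.token_bytes(length)


def otp_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the same key is its own inverse."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


def reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """What an eavesdropper learns when one key protects two messages:
    (A xor K) xor (B xor K) = A xor B; the key cancels out entirely."""
    n = min(len(ciphertext_a), len(ciphertext_b))
    return bytes(a ^ b for a, b in zip(ciphertext_a[:n], ciphertext_b[:n]))


def demo_roundtrip(message: bytes, key: Optional[bytes] = None) -> bool:
    """Encrypt then decrypt with one key; True if the message survives."""
    key = key if key is not None else otp_keygen(len(message))
    return otp_xor(key, otp_xor(key, message)) == message


def demo_reuse(msg_a: bytes, msg_b: bytes, key: bytes) -> bytes:
    """Wrongly reuse one key for two messages and return the leaked A xor B.
    Zero bytes in the result mark positions where the two messages agree."""
    return reuse_leak(otp_xor(key, msg_a), otp_xor(key, msg_b))


if __name__ == "__main__":
    a, b = b"attack at dawn", b"attack at dusk"   # constructed messages
    k = otp_keygen(len(a))
    print("round trip ok:", demo_roundtrip(a, k))
    print("leak on reuse:", demo_reuse(a, b, k))
```

The leak returned by `demo_reuse` does not depend on the key at all, which is why "one-time" is not optional: the moment a pad is used twice, the attacker holds the XOR of the two plaintexts and can recover both wherever either is guessable.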