Russian Bill Requires Encryption Backdoors In All Messenger Apps (dailydot.com)
Patrick O'Neill quotes a report from The Daily Dot: A new bill in the Russian Duma, the country's lower legislative house, proposes to make cryptographic backdoors mandatory in all messaging apps in the country so the Federal Security Service -- the successor to the KGB -- can obtain special access to all communications within the country. [Apps like WhatsApp, Viber, and Telegram, all of which offer varying levels of encrypted security for messages, are specifically targeted in the "anti-terrorism" bill, according to the Russian-language media. Fines for the offending companies could reach 1 million rubles or about $15,000.] Russian Senator Elena Mizulina argued that the new bill ought to become law because, she said, teens are brainwashed in closed groups on the internet to murder police officers, a practice protected by encryption. Mizulina then went further. "Maybe we should revisit the idea of pre-filtering [messages]," she said. "We cannot look silently on this."
Oh dear, this is ironic. Russia is a haven for online criminals, something they really ought to crack down on. Instead of pursuing actual criminals, they're looking to reduce the privacy of people who haven't done anything wrong. What a screwed up country!
Why does reading this remind me of Dianne Feinstein?
messaging apps
Fixed that for you
Pain is merely failure leaving the body
Does not seem to matter what country you are in. They all want to know.
And far more honest than the EU. Privacy and security in the EU are an illusion.
More likely, Russia will use this to identify and monitor political speech and homosexuality. Russia is guilty of many human rights violations and I absolutely suspect this will be used for that purpose.
The Russian government is merely becoming appier by forcing LUDDITES who use LUDDITE encryption to use appier appy apps, NOT LUDDITE SOFTWARE!
Apps!
I like to take it in the pooper. In the US, I'm allowed to openly admit that I like gay buttsex. In Russia, the government is restricting LGBT freedoms. If I were in Russia, I'd have to fear that this would be used to monitor my conversations and that I'd be in trouble for admitting that I like having gay sex. Let's not pretend that Russia is doing anything noble, especially considering their track record of human rights violations.
This is only relevant to companies that have assets or personnel in Russia. Everyone else can safely ignore them. The US and Europe are not going to extradite anyone to Russia over this or cooperate with a Russian investigation. Putin has been pushing too hard at returning to cold war nonsense for any government to take this seriously.
To any country that makes encryption either illegal, or treats it as eminent domain for the government to have access to its citizens' communications.
This is the same crap the UK is proposing, and the same crap the US is trying to implement. It's time for the citizens, and thereby the private services providers, to stand up and say "No More!!!".
Russia and USA really do have so much in common.
Those filthy dirty freedom hating commies. Now they are stealing our government's ideas!
I'm an American. I love this country and the freedoms that we used to have.
Free speech and privacy are viewed as terrorism here, too.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
The Russian government already has a plan to isolate the Russian internet by 2020, modeled roughly after China's internet. At that point, foreign services may be reachable inside Russia only if they agree to establish assets and personnel in Russia, and they might agree to laws like this as the cost of doing business.
I want to see how this cat and mouse game plays out. Ultimately they will have to force the ISPs to drop encrypted packets.
“He’s not deformed, he’s just drunk!”
I firmly believe that any two adults should have the right to communicate privately as long as they are not convicted felons. I'm a mathematician. It blows my mind that anyone thinks it's reasonable to prohibit the use of math in speech. That said, I would love it if I could buy a phone which would allow me, a parent, to read the communications between my children and other people - not to keep them from becoming terrorists, but to protect them. Children don't have the same rights as adults for good reasons. Looking at domestic cases of terrorism (Dylan Roof, James Holmes, the Tsarnaevs, etc.), most of them either were too old to be parented per se, or they had parents who weren't really in control of them, or even parents who may have sympathized with them (e.g. the Tsarnaevs).
Or should I re-phrase that as "because bogeymen"? I mean, really, how many terrorist attacks, anywhere in the world, have been prevented as a result of the privacy we've already been forced to give up?
If terrorists didn't exist, governments would have to invent them, to justify their megalomaniacal policies. Oddly enough, Russia is (uncharacteristically) late to the party on this one - it seems that they're simply following the lead of the Free World. That alone should be a cause for serious concern among those ostensibly 'free' countries.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
> Fines for offending companies could reach 1 million rubles or about $15,000.
That's nothing to companies like Apple, Google, and Facebook...
In Russian-language media link one can read that this bill is supported by Prosecutor General Yury Chaika about whom opposition Alexey Navalny’s Anti-Corruption Foundation (FBK) published a large investigation on 1 December 2015.
There is a difference between saying it's not possible, and legislating that it can't be.
You are not relevant enough to warrant alienating our userbase. If you decide to not use our client, it's less of a damage than our customers to jump ship 'cause they think you can snoop on them.
Nothing personal, but business is business. Plus, nothing would make our product more popular in Russia than you not being able to snoop in it, so what good reason could you give me to give a shit about your laws?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We give Russia the USA backdoor keys in exchange for Russia's and the government can eavesdrop on its citizens while claiming they aren't, but those bad guys are.
Messenger apps backdoor you!
I don't respond to AC's.
Is ytalk a messenger app? What about IRC? Is encryption over ytalk and irc going to be banned? How?
Is Russia going to yank these "apps" out of the public domain?
The cat is not only out of the bag, but is riding the cows that have left the barn and the open gate in the field, and are headed toward the mountains to start their new society based on milking humans.
--
BMO
I never understood why people think networks like the Internet are supposed to be private. They weren't designed to be originally. In fact, the first networks were broadcast: every node "talked" to every other node. Networks are supposed to facilitate communications. They aren't designed to hide communications. In fact in a peer to peer network like the internet, every node is supposed to be able to talk to other nodes. I know a bunch of people are going to get angry at this but the fact is if you want secrecy, don't use a communication network like the Internet. I know it is hard to believe, but it is possible! I'll wait for all the blah, blah, blah, I hate you Aspie responses, but if you look at the history of networks in general, security was an afterthought that was tacked on top (poorly).
Few people think the internet is private, that's why they use encryption.
If someone wants your secrets badly enough that they'll backdoor your phone without you knowing it (and they have the resources to do so), then no communication is safe, not even a person-to-person conversation.
> I know a bunch of people are going to get angry at this but the fact is if you want secrecy, don't use a communication network like the Internet.
Why not?
I can and do use strong encryption and onion routing to communicate with those parties i wish to, and only them.
Why shouldn't I do that?
The internet routes packets. It is entirely agnostic about what they're for.
A foreign company doing any significant business in Russia can certainly afford "1 million rubles or about $15,000" as a cost of doing business.
"National Security is the chief cause of national insecurity." - Celine's First Law
What are we talking about? It's not a law, just a proposal. It just goes to prove there exists at least one clueless Russian lawmaker who proposes now what clueless US lawmakers voted years ago. The only difference being that the proposal is unlikely to become law. (It's a proposal from a single deputy, not backed by the government. Such proposals have low to zero chances of success)
On a different topic, it's got to be at least five years since I visited /. . The first article I set eyes on is Russia-bashing masquerading as a tech discussion. I guess I haven't lost out on anything important by not reading /.
I made a mistake. I paid for it. We all talk about second chances, but we don't want to be the ones to give them, right?
Well, fuck you, pal.
Russian bill: All messaging apps must have a backdoor that only Russia can access.
US bill: All messaging apps must have a backdoor that only the US can access.
EU bill: All messaging apps must have a backdoor that only the EU can access.
Yeah, that'll work just great.
If you remember that little hubbub about Russia's attempt to block certain pages of Wikipedia, it failed only because Wikimedia set the HSTS; they simply expected to utilize the providers' MITM backdoors the way they did it with every other page that makes its way into the proscribed list (that gets added to regularly), but when the entire site went down with a big warning "forgery in progress, turn back now, you're not clicking through", they panicked and backtracked. But not for long. So here's a way out of that predicament. Now ru.wikipedia.org will have to decide if they want to pack up and disappear or permit that which they fought off a year ago; and if they choose wrong, it'll be their fault - the law is clear, innit?
I can assure you, the best way to get rid of dragons is to have one of your own.
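As an added example (not part of the comment above and not any browser's actual code), the JavaScript below models the HSTS behaviour that comment describes, following RFC 6797: once a browser has recorded a site's Strict-Transport-Security policy over a valid TLS connection, a later certificate failure on that site becomes a hard error with no click-through. The host names, header values and the `HstsStore` class are constructed for illustration.

```javascript
// Added example: HSTS handling modelled on RFC 6797.
// Host names and header values are constructed, not taken from the thread.

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns { maxAge, includeSubDomains }, or null if the header must be ignored.
function parseHsts(value) {
  const seen = new Set();
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;                  // empty directives are allowed
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (seen.has(name)) return null;            // a repeated directive invalidates the header
    seen.add(name);
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1); // quoted-string form
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (val !== null) return null;            // this directive takes no value
      includeSubDomains = true;
    }                                           // unknown directives (e.g. preload) are ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // A header counts only if it arrived over TLS with no certificate errors
  // (section 8.1), so an interceptor cannot plant or clear a policy.
  noteHeader(host, value, nowSec, { secure, certValid }) {
    if (!secure || !certValid) return false;
    const policy = parseHsts(value);
    if (policy === null) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) { this.hosts.delete(key); return true; }
    this.hosts.set(key, {
      expires: nowSec + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Exact match, or a parent domain whose policy set includeSubDomains (section 8.2).
  isKnown(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  // Browser reaction when the certificate presented for `host` fails validation.
  onCertError(host, nowSec) {
    return this.isKnown(host, nowSec) ? 'hard-fail' : 'warning-with-bypass';
  }

  // Plain-HTTP navigations to a known host are upgraded before any request is sent.
  rewrite(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, nowSec)) u.protocol = 'https:';
    return u.href;
  }
}

// Constructed demo: the policy is learned on a clean connection, then a
// certificate that does not validate is presented for a subdomain.
const demo = new HstsStore();
demo.noteHeader('wiki.example', 'max-age=31536000; includeSubDomains; preload', 0,
  { secure: true, certValid: true });
console.log(demo.onCertError('ru.wiki.example', 60));
console.log(demo.onCertError('other.example', 60));
```

The parser splits on `;` and so does not handle a semicolon inside a quoted value, which the two directives modelled here never contain.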
Rather than mod you down -1 Troll, which you probably deserve with a subject of "I never understood privacy", I'm going to "fall for it" and actually address your convoluted point of view as if you were serious, Mr. doesn't-understand-privacy-but-still-named-"110010001000".
> I never understood why people think networks like the Internet are supposed to be private
When you say "supposed to"-- to what authority are you appealing? Certainly there are many many mechanisms built on the internet that are "supposed to" enforce private communications, so on the face of it your statement is wrong. I don't understand what is so hard about the goals of TLS, SSL, SSH, PGP, etc. that you don't understand them.
> They weren't designed to be originally.
The underlying TCP/IP may not have had privacy as a premier concern, but certainly numerous technologies built on top of TCP/IP have and do. The underlying protocols do what they were designed to do for the most part. Saying they weren't "originally" designed to enforce privacy is like saying that you don't understand why the web is supposed to work because TCP/IP isn't originally designed to serve web pages.
> In fact, the first networks were broadcast: every node "talked" to every other node.
I don't know if this is even true, but if it is, so what? The first TVs were in black and white, does this mean that you don't understand why people think TV is supposed to be in color?
> if you want secrecy, don't use a communication network like the Internet.
What? Why not? Because some networks at one point broadcasted everything to everyone on the network? How does that even preclude a single recipient from uniquely decoding the message?
What mechanism would you recommend one use for communicating privately, exactly? Because I'm very willing to argue that the underlying communication platform of whatever-you-come-up-with was never "supposed to be private" by your own ehm, let's-say-logic.
> if you look at the history of networks in general, security was an afterthought that was tacked on top (poorly)
Since you hate privacy so much, could you please post as a response your real name, social security number (if American), address, bank account numbers, balances, and PINs, and credit card info? I'm sure people would be happy to send you a lot of reasons to value secrecy-over-networks.
Y'know what-- I do hate you, Aspie.
Can we mod this trollish crap down?
Well, you're essentially right but it's probably an overly simplistic view on something that is quite complex. Networks were originally supposed to facilitate communication between computer programs from which the data being communicated wasn't particularly sensitive or at risk. Nowadays things have completely changed and if you put human communications on top of that then privacy is required. There are competing purposes I suppose between the need to share and the need for privacy, in other words unlike originally broadcast networking modern communications is 1 to 1 over a medium that is massively distributed.
The question is, can both requirements be completely satisfied or will there always be compromise?
Devil's advocate: What's wrong with this? It would stop the Daesh propaganda, and it would stop the billions of attacks coming from offshore. Countries protect their physical borders, why not their routers?
Putin pidaras suka
The problem is that we had secure communications networks. They were kept disjoint, and with incompatible communication protocols.
There is a way to design a secure network -- circuit switched, with the switch having an ACL that only lets certain machines communicate with each other and nobody else. Add RSA keys on a low level of the stack, and an attacker would have to compromise both the switch ACL and the authorized key list on the individual machines just to attempt communicating with one of the hosts.
Russia only has theoretical encryption, so the Russian government is only planning for the future. This has no impact on current technology.
-- Slashdot, making the Left look conservative since 1997.
They're just pre-emptively ensuring they can continue to use US-made encryption for the foreseeable future.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
> What's wrong with this?
Isolating the Russian people from the internet at large would prevent them from learning from and sharing knowledge with the rest of the world. It puts Russians at a disadvantage against those who govern them when they can't see free (libre) and open press reports from outside their country.
> It would stop the Daesh propaganda,
There is no proof that this would be so. Propaganda can be distributed from within as well as from outside. Look at China's internet for an example of how people, via proxies and VPNs find ways to traverse the firewall of China. Propaganda could still find its way into the country.
> and it would stop the billions of attacks coming from offshore
There is no proof that this would be so either. Chinese websites still get hacked. Just recently a top Chinese University website was hacked by ISIL or an ISIL supporter.
> Countries protect their physical borders, why not their routers?
Because the routers are not theirs to protect. The routers are owned by private companies and individuals. It is those people and organizations who should control how their property and networks they built are used.
> The Russian government already has a plan to isolate the Russian internet by 2020, modeled roughly after China's internet. At that point, foreign services may be reachable inside Russia only if they agree to establish assets and personnel in Russia, and they might agree to laws like this as the cost of doing business.
Any instant messaging company that installs backdoors to operate in Russia will lose the trust of their users everywhere. People are demanding secure and private communications which rules out using software from a company known to install backdoors. Those companies will need to decide if there are enough profitable users in Russia to make up for losses in other markets. Complying with Russian laws is not the only cost to businesses.
If Russia wants to isolate their internet, maybe the rest of the world should support this move and isolate Russia. It would cut down on cybercrime and put Russia at a competitive disadvantage.
You're also describing the "party line" telephone system, and before that standing in the street and shouting at your neighbours.
While privacy may be claimed to be a new construct by some people, that's simply because it wasn't terribly difficult to achieve previously. You just had to talk softly or write letters instead of postcards. And you WILL find that the expectation of privacy exists in the physical mail service, to pretend that it doesn't in email etc is convenient bullshit that corporate/government have pushed through since it suited their agendas.
The stupid part is once you have ubiquitous monitoring in place, and known to be in place, you don't catch the real criminals. They revert to code talking anyway.
Beat a rag of ticks.
*nm*
What are you babbling on about? Ethernet frames or multicast are not relevant to this discussion. It's like saying the telephone network isn't meant to be secure because in the past somebody physically connected people at a switch board and this operator could listen in at any time. The networking layers are all simply foundations that enable higher level applications and usage.
Messengers encrypt YOU!
Being a Russian I just don't beeping care. And maybe I'm even glad that this bill is proposed, because it means that all the official messengers (I mean: companies that provide messenger services using closed source software) will be compromised and the only messengers that are trustworthy will be the open source decentralized ones having no central authority that can be fined.
In such conditions the maximum fine would be 5000 Roubles (less than US$100) which means that the expense of collecting the evidence would not pay up. It's just impossible to interrogate everybody whose traffic comes to some nonstandard port, and it's impossible to prove that it's a messenger and not anything else.
Also I hope that any software that used the outdated HTTP(S) and HTML protocols which have so many builtin security holes will be compromised at last and the only programs that survive would have no such thing as web page phenomenon and correspondingly site phenomenon. For instance, Freenet now supports something like a webpage. But it edits out anything that could be dangerous. RetroShare just has no web page. It displays web links but you should copy them to the browser with full understanding for your actions.
Please understand: This bill is neither Putin's nor the FSB/KGB initiative. The FSB works stealthily. It's the initiative of parliamentarians who propose the laws that just cannot be observed.
Could be 15k per message
Fuck off, fuck off, fuck off.
Signed,
Wales.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
What I heard from E.Snowden makes me believe that all messengers have got a backdoor as a part of some project with a name something like Flying Eagle.
If it was possible to monitor communications of Bundeskanzler and Président, then run-of-the-mill messengers and smartphones should not be a challenge.
The question is not about backdoors, but who would hold keys.
> It would stop the Daesh propaganda,
In your dreams. Daesh have some websites - but they are also active on twitter/facebook in spite of company rules. Accounts get closed, but there is considerable delay. After all, personnel looking for propaganda costs money, and doesn't earn anything.
Russia could not stop foreign/anti-government propaganda even in the Soviet era. No internet, full control over printing presses & xerox machines. As a western European, I could not bring a stack of blank papers into the Eastern Bloc. They feared what could be printed on such paper! And still, dissidents acquired paper and typed up their stuff on typewriters.
You can oppress people - but if you think you can stop the circulation of ideas – you already lost the game.
A few lines of javascript, crypto_js and a simple message relay written in PHP (which can be hosted anywhere in the world) is all you need for a secure messaging app. On the phone side, all you'd need is a web browser that can run standard javascript. On the server all you need is something like PHP (any language will do here: even a CGI script written in bash would suffice).
John_Chalisque
Let me see ... the US wants backdoors (in fact, the NSA approved stuff is designed to be weak in one or another way). Then, Russia wants backdoors. China works with service providers to have some sort of backdoor. I am sure that UK and Australia are looking for backdoors.
So, any country has the right to have backdoors in the security artifacts and what was supposed to be secure now will have more holes than doors have a hotel, in the name of counter-terrorism, making these artifacts completely useless. Because if one country has the right, then all of them have the right. Could it be possible to control more than 200 backdoors in any secured communication?
This is very similar to saying that as the terrorists breathe, then we need to control the air because they could be breathing.
A quote from "V for Vendetta", Cruelty and injustice...intolerance and oppression. And where once you had the freedom to object, to think and speak as you saw fit, you now have censors and systems of surveillance, coercing your conformity and soliciting your submission. How did this happen? Who's to blame? Well certainly there are those who are more responsible than others, and they will be held accountable. But again, truth be told...if you're looking for the guilty, you need only look into a mirror. I know why you did it. I know you were afraid. Who wouldn't be? War. Terror. Disease. There were a myriad of problems which conspired to corrupt your reason and rob you of your common sense...
V for Vendetta: People should not be afraid of their governments. Governments should be afraid of their people.
Youtube watches you.
In Soviet Russia, message encrypts you!
Nobody thinks that. No wonder you misunderstood them!
People think that some applications should be private. i.e. before you decide how you're going to communicate, you have already decided to tell your wife, "Buy some orange juice on the way home." And once you know that you're about to say something private like that, then you look for ways to do it. Public networks are awesome for this.
Yes, and then a few thousand years ago, people started to realize that you could bolt privacy onto a medium that isn't necessarily private. Write instructions to the other general in code and then if the messenger is captured, the enemy won't know how to read the scroll.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
... seems to be okay for russia as well.
No surprise here.
Stop surveillance. Worldwide. For everybody.
Anyone who hasn't seen "17 moments in Spring", doesn't understand the Russian attitude towards espionage and modern statehood. And no Russian Federation official has not seen it. It's the biggest cult-like movie in the modern Russian language and it has contributed more to the modern Russian idiom than Casablanca has to the modern American English idiom. Putin openly modeled his political persona on the protagonist of this 12-part miniseries which is known to every Russian. And the series (while it is set in the fall/Fall of Nazi Germany) makes a point of mocking the effectiveness of secret voice recordings over actual human investigating through infiltration and getting in the heads of the investigated subjects. There is no way RF would fall trap to this false sense of security given this central culture piece. The reason KGB was as feared and as central to the internal surveillance culture of the Soviet Union was that it was understood to have human informants who would do just such investigating in every organization in the Soviet Union.
Any guest worker system is indistinguishable from indentured servitude.
Easy, encrypt the real text traffic and provide a backdoor that generates innocent text generated by an AI. If the encryption is good, then the gubmint won't be able to prove that the spoofed text isn't the correct text.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Growing up in the '70s and '80s, I never would have thought that the United States and Russia would be [essentially] on the same side when it comes to privacy.
> Russian Senator Elena Mizulina argued that the new bill ought to become law because, she said, teens are brainwashed in closed groups on the internet to murder police officers, a practice protected by encryption.
Brainwashed? Are the CIA in on this? The last I checked encryption doesn't murder police officers or come even remotely close to murdering police officers anyplace in the world. Usually it is due to objects harder than flesh or bad angles of body motion that cause murders of police officers. These result from governments that introduce FUD and other types of spooky bad policies.
http://www.currenttime.tv/a/27809255.html
This is not a legit Russian site. I will say this, your web surfing is tracked by connection time and ever since Firefox 45 you can't spoof your time zone directly with your browser.
> Mizulina then went further. "Maybe we should revisit the idea of pre-filtering [messages]," she said. "We cannot look silently on this."
So according to some currenttime site hosted in Transylvania, a Russian senator lady is purported to say (in Transylvania) that there is some imperative requirement to stop encryption to save Russian cops.
The CIA are so involved with Slashdot right now. If you ask me how I know I won't tell you.
HINT: keep an inaccurate system clock sometimes.
Seriously, if a group really wants to hide from surveillance, they won't under any circumstances communicate their intentions, neither in the clear, nor encrypted, electronically, period. They'll meet ahead of time, and, at the most, agree on a trigger code... and not something as sophisticated as a one time pad. That code would be both simple, and would sail under the radar of surveillance: it won't raise any red flags whatsoever.
So, for instance, Alice will text Bob and say: "Hey Bob, you must really watch this awesome clip on YouTube from [INSERT-POPULAR-BAND-HERE]!", insert jargon of target group to make dialog more authentic. That would be a pre-agreed code for something totally different. Of course, Alice and Bob would have to establish a history of similar (dummy) messages in the past to evade raising eyebrows later: the crucial message should be indistinguishable from the ocean of regular messages they both exchange regularly.
One could even conceive a whole code made up of little blocks of such dialogs that appear like usual teen chatter on the surface... but that would open up this code to analysis. The less they communicate (in code), the less likely they'll be detected. As an illustration for variation: use 20 pop artists in the phrase above, for 20 pre-agreed messages. If you need 400 messages, combine with 20 pre-agreed adjectives "have you seen INSERT-ADJECTIVE clip from INSERT-ARTIST on YouTube?"... there are endless possibilities to communicate discreetly over a low-bandwidth plain-text channel this way.
cpghost at Cordula's Web.