Slashdot Mirror

← Back to Stories (view on slashdot.org)

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk)

Posted by msmash on from the evolving-thoughts dept.

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."

49 of 83 comments (clear)

  1. Ok, that's something we can talk about by Opportunist · · Score: 4, Insightful

    So we have a device of someone that we suspect to be a criminal, now aid us to access it.

    That is something we can actually work with. Provided there is oversight and it's not "we probably have (population count) terrorists in our country, let's find out how to up the surveillance so we can track them all!"

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Ok, that's something we can talk about by 93+Escort+Wagon · · Score: 1

      It depends whether they going collaborate on an as-needed basis, or are they going to collect and hoard zero-days without notifying the manufacturers?

      We've seen how well the latter works... thanks, NSA!

      --
      #DeleteChrome
    2. Re:Ok, that's something we can talk about by Anubis+IV · · Score: 1

      Completely agree. This has been the proper course of action from the start, and I'm glad they're finally coming around on it. It's the only path that aligns with the security and privacy interests of businesses and individuals while allowing for law enforcement to conduct lawful investigations.

      There will certainly be additional points to discuss, such as the degree and nature of their collaboration (e.g. Is it—or to what extent is it—okay for them to withhold information regarding vulnerabilities from manufacturers? Is it acceptable to deploy military technology against everyday criminals?), but those discussions all lie along this path, so it's about time we started walking it.

    3. Re:Ok, that's something we can talk about by Opportunist · · Score: 1

      The creed behind the law should be that there should be full cooperation when someone has a suspect and a reasonable assumption that this suspect is actually a criminal, but zero support for any measures that aim for blanket surveillance of people "just because".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Ok, that's something we can talk about by david_thornley · · Score: 1

      but zero support for any measures that facilitate blanket surveillance of people "just because".

      FTFY.

      If a measure can be used for mass surveillance, it doesn't make any difference how sincere the legislators sound as they say it won't be. Law enforcement will us that measure despite what it was aimed for.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Uhm by jawtheshark · · Score: 1
    Do I understand this right that they want brute-force encryption? If so, somebody really should explain complexity analysis to them. These algorithms have been chosen in such a way that brute forcing is computationally hard.

    How exactly... we don't know. Maybe someone has an RSA-cracking supercomputer up their sleeve they're keeping secret. Maybe someone's particularly good with a soldering iron and can read off keys from extracted flash memory chips.

    If any member state has that capability, there is no way in hell they'll share it. That is of utmost importance to national security and is most likely top secret. That's not stuff you share, ever.

    If the second part is the solution against encryption, I'm sorry, we have bigger problems. As a matter of fact, if they think that is the solution they really don't understand the problem.

    "We don't know, but we should share". It's grasping at straws, really

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:Uhm by Lennie · · Score: 2

      Remember the FBI Apple iPhone debate in the US and a solution was found how to gain access to the data, my guess would be they could be sharing those kinds of solutions. I would be surprised if they had things even more advanced than that.

      --
      New things are always on the horizon
    2. Re:Uhm by Boutzev · · Score: 1

      Please, don't ! Leave them with their brute forcing. In the meantime we can enjoy secure communication.

      I am not sure if this is just an attempt to please the lobbysts of encryption regulation or ignorance.

    3. Re:Uhm by Megol · · Score: 1

      It's an example of you not understanding. Brute forcing is (generally) impossible and that's not what this is about.

    4. Re:Uhm by UnknowingFool · · Score: 1

      Do I understand this right that they want brute-force encryption? If so, somebody really should explain complexity analysis to them. These algorithms have been chosen in such a way that brute forcing is computationally hard.

      No they want to share methods on how to break devices. No device is 100% secure. Each device probably has an exploit depending on the hardware and OS version. For example, the San Bernandino shooter had an older model iPhone that was bypassed but that took several months before the US government could find someone who could do it. At the very least point the governments in the right direction: "Oh that model Samsung and Android, we used this company to break that phone." It is more so that each government doesn't have to start from scratch every time they get a device they want to hack.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    5. Re:Uhm by Anonymous Coward · · Score: 1

      If any member state has that capability, there is no way in hell they'll share it.

      This is simply a request to increase the funding & staffing of EC3 in Europol.
      https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3

      All in all, EU has taken a rational position here.
      Law enforcement cannot simply disregard the issue; they have to do and say SOMETHING.
      A statement "we will NOT be going to ask or push for backdoors & weak crypto" is good enough, especially considering this comes from the LEA / antiterrorism guys, not from DG CONNECT or similar.

    6. Re:Uhm by gweihir · · Score: 1

      Don't tell them! They are convinced that because they represent nation-states, they are all-powerful. Let them have that illusion!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Uhm by hoofie · · Score: 2

      They didn't have access to GCHQ pre-Brexit either. The UK is very, very reticent to let any country that isn't part of the Five-Eyes agreement anywhere near any of the special toys, kit and capabilities they have there.

  3. The irony by Rick+Schumann · · Score: 3, Informative

    The irony here is that even if they put a gun to everyones heads and forced them to ruin encryptions' value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and goverments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?

    1. Re:The irony by bobbied · · Score: 1

      Exactly.... This is really stupid in that it only helps you catch the stupid ones....

      Anybody who thinks about this, won't have an issue communicating securely regardless of if the encryption backdoor.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:The irony by Baron_Yam · · Score: 1

      Consider for a moment that while governments may ultimately be varying degrees of evil, that is an emergent property that isn't necessarily present in the humans who make it up.

      Now imagine you're a cop or a politician, and you have criminals and pressure to stop them from getting organized or simply 'getting away with it', and you KNOW there's evidence you could hang them with if you could get your hands on it.

      Of course they're going to try and get official back doors. Now you say those back doors will only ever keep out the stupid criminals (and end up serving the needs of the smarter criminals) - but most of us lock our front doors with the full knowledge that it only stops the casual / amateur criminal.

      >Are they really so blind to all this, or is it just another power-grab?

      To summarize... no. They don't have to be blind or power hungry to want this. It may even be the most efficient way to address the problem given the tools available and the rules they have to work within.

      Our job as citizens is to inform our politicians (emphatically, continuously, and in significant numbers) where we want to be on the freedom/security scale. If we don't do that, political mechanisms will inevitably seek security at the expense of freedom.

    3. Re:The irony by Rick+Schumann · · Score: 2

      You NEVER trade freedom for security. EVER.
      'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.

    4. Re:The irony by Baron_Yam · · Score: 2

      >You NEVER trade freedom for security. EVER.

      That's a foolish absolute to stand behind, since you do it all the time in your day to day life.

      >'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.

      Another silly stance to take. For general encryption, absolutely... but there's nothing wrong with a proprietary system with a back door in it, as long as it's understood to be less than perfectly secured and that it will eventually be cracked (or the back door simply leaked) if there's enough interest in doing so.

    5. Re:The irony by hcs_$reboot · · Score: 1

      criminals and terrorists would not just use non-compromised encryption, they'd use codebooks and other types of obfuscation

      Terrorists have shown how clever they are ; that kind of subtlety is out of their league.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    6. Re:The irony by BlueStrat · · Score: 1

      The irony here is that even if they put a gun to everyones heads and forced them to ruin encryptions' value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and goverments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?

      Of course it's another power-grab. That's almost a given for almost everything Western governments are trying to implement in the encryption/security field. The mistake here is in assuming they're telling us the truth when they tell us they will use it exclusively against criminals & terrorists instead of mostly as another general domestic surveillance tool for politically/ideologically-driven motives.

      They know as well as we do that real terrorists and criminals will simply use other secure methods. They are simply the cover-story poster-boys for propaganda purposes. Western leaders could not care less about a few hundred or thousand people dying from the occasional terrorist attack, it's the ability of law-abiding, peaceful people being able to organize effectively...without government snooping/interference...in order to change their governments/laws along with the ability of whistle-blowers to reveal government lies & criminality that scares the shit out of them, and is what they ultimately seek to destroy.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    7. Re:The irony by Kjella · · Score: 1

      The irony here is that even if they put a gun to everyones heads and forced them to ruin encryptions' value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption)

      Well most suggestions don't involve building an algorithmic backdoor, but about making the manufacturer retain a copy of embedded keys. Like for every iPhone there's a master UID - essentially a 256 bit AES key - fused into the processor during manufacturing. They (supposedly) don't keep a copy, they certainly could and stick in a vault somewhere and in theory they'd only hand individual keys over to law enforcement with a warrant. The "doomsday" scenarios are that a powerful organization robs the vault or the government demands they hand over the contents, it would never be script kiddies.

      It wouldn't stop people who intentionally use other encryption software on top, that cat is out of the bag to stay. The trouble for police now is that commodity, mass market items come with impenetrable security by default rendering warrants useless. What they want is something like a 21st century version of the CALEA act to demand the cops can wiretap phone calls. It wouldn't stop people talking in code over the phone, but it's still pretty useful...

      --
      Live today, because you never know what tomorrow brings
    8. Re:The irony by Anonymous Coward · · Score: 1

      This a joke post? Article is about the EU and you grizzle about whether someone is a "U.S. citizen". And why do "foreigner"s have no stake? It's global. Etc, and so on.

      Truth is you trade freedom for security every day of your life. Every day. Wake up and look around you.

      I am against backdooring general crypto but I don't claim it means the end of civilisation like you do.

    9. Re:The irony by PCM2 · · Score: 1

      Are you being willfully stupid?

      You are NOT free to walk into a bank waving a gun. That freedom is denied you. You ARE free, however, to walk into a bank and withdraw a large amount of money, with the reasonable expectation that nobody else in the bank will shoot you and take it from you.

      See how this works?

      --
      Breakfast served all day!
    10. Re:The irony by Rick+Schumann · · Score: 1

      You know goddamned well what I mean so fuck off.

    11. Re:The irony by david_thornley · · Score: 1

      Your "less than perfectly secured" is awfully optimistic. Most people aren't prepared to jump to a new encryption method when the old back door is compromised. Moreover, the system can't ever be trusted, since the user never knows who might know the back door. It might be of some use to some people, but nobody with any sort of security requirements could rely on the system.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  4. That's Honestly Enough by NicknameUnavailable · · Score: 2

    Every CPU since 2006 has backdoors built in, they don't need to have backdoors in individual protocols. If they have cyber-backdoor agreements with the nation manufacturing the chips they have a backdoor.

    1. Re:That's Honestly Enough by david_thornley · · Score: 1

      Apple designs its own ARM chips, and they've been clear about standing up for user security. I'm not at all convinced that all CPUs have back doors.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re: That's Honestly Enough by NicknameUnavailable · · Score: 1

      Not every one. There are plenty of open hardware certified devices.

      lol, that's so naive I don't know whether to laugh or cry. If you didn't design and build the chip or are best friends with the guy who designed and built the chip, it has a backdoor (possibly even in that latter case due to all the NDAs he would be in fear of.)

    3. Re:That's Honestly Enough by NicknameUnavailable · · Score: 1

      You are mocking publicly available knowledge which is well documented. Sad.

    4. Re:That's Honestly Enough by NicknameUnavailable · · Score: 1

      Apple uses Intel chips, which absolutely have backdoors (they actually beat AMD to it by a couple of years.) They "stand up for" user security because it's bad PR if they don't pretend to.

    5. Re:That's Honestly Enough by david_thornley · · Score: 1

      True; I was thinking of the ARM chips on iDevices. Apple in fact got bad PR from the dispute with the FBI relating to the work iPhone 5C that the San Bernardino shooter almost certainly didn't leave evidence on, so I'll give them credit for that. Apple appears to want user security.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    6. Re:That's Honestly Enough by NicknameUnavailable · · Score: 1

      Apple wants people to believe they have user security. Post-Snowden it would be incredibly ignorant to believe there is any device made by a US company without backdoors.

  5. I have no problems with this by houghi · · Score: 4, Insightful

    The more encryption is challenged, the better it is. And with so many people involved, somebody with blabber if it has been hacked and better encryption can be found.

    I think we should tell them that all Linux and other OSS software is involved. Having "free" peer review would be great.

    --
    Don't fight for your country, if your country does not fight for you.
  6. Sudden outbreak of common sense? by Anonymous Coward · · Score: 1

    Or have they just struck a secret deal somewhere?

    Let's hope the first. Being a big fan of EU (the idea) and sometimes utterly revolted by EU (the implementation), this makes my week.

  7. Yes please by SlashDread · · Score: 4, Interesting

    Do share all your cracking and hacking tricks. Publicly.

    so we can patch the vulns

  8. While they're busy sharing wealth by rsilvergun · · Score: 1

    why not publish all those vulnerabilities they're using to decrypt devices (after a suitable period of time given to the manufacturer to fix the defect)? Could it be they don't really care about security in our shared cyberspace? Naw, they could never be so callous.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  9. October 2017 by Anonymous Coward · · Score: 1

    Is when the encryption wars began. The war was long and had many casualties. After many years of trying to crack encryption most governments around the world agreed to make encryption used by anyone other than the government illegal.

  10. I'm good with that by JohnFen · · Score: 1

    Weakening encryption is bad. Trying to break encryption is expected.

  11. Encryption = False sense of security by Seven+Spirals · · Score: 1, Insightful

    Encryption weenies place a lot more faith in it's power than I do. So, are we supposed to trust SSL? I don't. Besides being eat-up with a laundry list of past vulnerabilities, I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy? Why again? Just because they can pay folks to answer the phone or to supposedly check someone's business license? That doesn't mean *squat*. There are so many instances where that system has broken down due to technical and logistical reasons, it's not even funny.

    You ever notice how everyone gets all concerned about algorithms being broken but it's usually the implementation that the hackers go after and break? What difference does it make if you have a steel vault door if it's mounted on a balsa wood frame? So, because of that fact, how is anyone supposed to trust anything that's "encrypted" ? You can't trust the OS to not be keylogging you, the feds or the author not to have backdoored the implementation, nor can you trust that someone won't simply beat the password out of user (ie.. rubber hose decryption method). If you ask me, the promise of encryption is a lie. It's marginally useful to obfuscate sensitive details in transit or for hashing. The idea that it can always be trusted and is some kind of panacea against hacking is laughable and been proven idiotic over and over, especially when pronounced upon high by evil megacorporations who have ZERO credibility anymore.

    1. Re:Encryption = False sense of security by AHuxley · · Score: 1

      Encryption is good to stop random other governments, people, ads, ISP's, telcos as a message moves along the pipes.
      At some time that fully and secure message had to be created and later decrypted for the users convenience.
      Key logging is the solution and will get content at source from the users for the security services.
      A one time pad on paper used once and sent would be secure. The privacy of the message is protected by using a one time pad. Anonymity on networks in 2017 is not protected.
      Interesting people are still detected linked to other interesting people.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Encryption = False sense of security by Anonymous Coward · · Score: 1

      > So, are we supposed to trust SSL? I don't. ... I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy?

      TLS/SSL exists independent of the Certificate Authorities. You (and anyone else) can use SSL/TLS without involving a third party: sign your own damn certs. Viola, you have full-strength data-in-flight crypto capabilities.

      The reason you don't really see this on the web is because without cert pinning, it's hard to distinguish between a MitM attack and a self-signed cert. _Nothing_ in the SSL or TLS standards require you to use _any_ Certificate Authority.

      (And Cert Pinning _really_ does pull most of the teeth out of a malicious CA. Read up on it some time.)

      TLS is good crypto. CAs are weak links, and -like nearly all software- implementations sometimes have bugs, but -if we're gonna get _really_ serious about it- the only _really_ secure system is one that's been melted down to molten slag.

      Security is a gradient, not a boolean.

    3. Re:Encryption = False sense of security by david_thornley · · Score: 1

      Good encryption means precisely one thing: that it is necessary to know the key to access the information, but otherwise it's safe. When using something like AES-256, the only problem is key management. Nobody who can't find or guess my iPhone unlock code is going to be able to read anything off it, and the Secure Enclave makes it very difficult to guess.

      There's a big difference between levels of security. If they're willing to haul you in and torture you for the information, they're almost certainly going to get it. Most people aren't in that situation, and don't have to worry about.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  12. Simple answer by Chris+Mattern · · Score: 1

    "when [a member state] gets a device, how do they get information that might be encrypted on the device."

    You don't. If you could, the encryption would be pointless.

  13. EU vs Five Eyes by Hal_Porter · · Score: 4, Interesting

    For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."

    I think they're worried about the Five Eyes countries sharing information with each other, but not with EU countries

    https://en.wikipedia.org/wiki/...

    One of the interesting contradictions of the UK being a member of the EU was that it always had much better intelligence sharing with the Five Eyes countries than it did with any EU country.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  14. Re:one for all and all for by Anonymous Coward · · Score: 1

    Who bankrolls the EU now that Britain is out?

    The same as before: not Britain.

  15. see through it by DriveDog · · Score: 1

    First, often asking for something (backdoors) is cover for already having it. Second, pretending to not ask for it is cover for getting it without public scrutiny. Third, knowing of vulnerabilities and keeping them secret and exploiting them is ethically just as bad as having backdoors. You find it, you announce it, or you're hurting security for everyone. You think you're the only one that found it? Unlikely. Russians, Iranians, Pakistanis, and Israelis have found it but the only way to block their use of it is to inform the manufacturer and the public and get it plugged/fixed. It's not like they're going to tell you they found it.

  16. Re:one for all and all for by AHuxley · · Score: 1

    AC "Reminder: Spies, cops don't need to crack ... They'll just hack your smartphone" (26 Jul 2017)
    "Police in Germany will forego seeking decryption keys for secure messaging apps, ..... , and instead simply hack devices to snoop on suspects"
    AC governments are just going for the remote communication interception software (RCIS) solution to advanced end to end crypto.

    --
    Domestic spying is now "Benign Information Gathering"
  17. Re:Adios, EU by OneHundredAndTen · · Score: 1

    You wish. And hopefully, you won't get - the exacerbated nationalism and just plain xenophobia latent in Brexit and the Catalonian attempts to secede are in the spirit of the times that kept Europe embroiled in more or less continuing internecine wars for hundred of years. Get rid of the EU and prepare yourself to enjoy such times again - with modern weaponry.

  18. So you’re in favour of backdoors then? by Picodon · · Score: 2

    You are accusing the EU of incompetence for stating that they are “not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon”, and at the same time you are praising Brexit, when Theresa May (and Cameron before her) as well as officials from other individual states (including France and Germany) have been advocating the mandatory use of backdoors. So I take it that you are a supporter of weak encryption.

    The obvious problem is that it won’t stop high-calibre criminals (those used by governments to justify the need for backdoors) from using secure encryption, while putting everybody else at risk of exploitation by lower-calibre (but still tech-savvy) criminals. In the words of Matthew Green, cryptography professor at the Johns Hopkins University Information Security Institute): “There’s no chance whatsoever you’re going to stop people who really want to use encryption, like terrorists and serious criminals. That’s just impossible.” (Source: The parallax, “Could strong encryption and backdoors coexist? Nope, experts say”)