Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk) 418
Retron writes: Despite statements from the minister for internet safety and security Baroness Shields last week that the UK government would not require software developers to build backdoors into their products, the Telegraph is reporting that the UK Government is going to ban companies from offering 'unbreakable' encryption, effectively requiring a backdoor in products from the likes of Google and Apple. The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach. A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."
Sigh (Score:5, Interesting)
Is this the sort of thing that the EU could override?
Re:Sigh (Score:5, Informative)
And don't think for a second that this is about terrorists and paedophiles. There are enough crypto products for them to choose from already.
I smell a false flag (Score:2, Interesting)
Call me a paranoid if you want, but this 'new law banning unbreakable crypto thing smells rotten
1. The very mention of unbreakable crypto might give people some false sense of security to think that they still have something that can stop NSA / GCHQ from prying into their files
2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene
3. The entire thing could be an attempt by some one high up (even higher than the politicians) to instill the impressio
Re: (Score:3)
2. The very word 'unbreakable' is misleading - as nothing, absolutely nothing - is unbreakable, in the tech scene
Yes, but anything that you can refer to as "breakable" encryption is really no encryption at all.
And even if you are paranoid, somebody might still be out to get you.
Re: (Score:3)
Cryptographic algorithms can be unbreakable using known technology. Implementations of cryptographic algorithms often have flaws that can be exploited and hence are breakable. What they are trying to ban is the use of cryptographic algorithms that are "unbreakable" in that sense.
Re: (Score:3)
Apple and Google welcome this I guess (Score:3)
Apple and Google I think won't mind this too much. I suspect they wanted to force the issue that the government has to come out and say, we will search e-mails rather than putting the squeeze on apple privately to sell out their customers with secret deals. If they get caught like AT&T did, it makes them look like crap and it doesn't hurt their competitors equally. Now if apple turns over a message they can just say every does it because its the law, and that's a fact. The "unbreakable" encryption pa
Re:I smell a false flag (Score:4, Interesting)
Re:Sigh (Score:5, Insightful)
A Home Office spokesman said: “The Government is clear we need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts."
And the result will actually ensure that,... with clear oversight and a robust legal framework, the terrorists and criminals can access the content of communications of police and intelligence agencies in order to obstruct police investigations and commit criminal acts."
Lame, technologically ignorant legislators writing laws about technology and security are going to become a real scourge!
Re:Sigh (Score:4, Insightful)
Don't worry. They'll just make it against the law for any hackers to take advantage of the police back doors thus solving the problem forever.
"But..."
FOREVER!!!!
Re: (Score:3)
China thanks the Home Office. With this proposed law foreign governments can access more easily the content of communications of police, intelligence agencies, and major corporations in the UK in order to commit espionage, both governmental and industrial.
Re: (Score:2)
"Is this the sort of thing that the EU could override?"
Yes, that's why the morons want out.
Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.
Re: (Score:2)
you just need a few thousand years to crack it.
If I XOR some data with a key of unknown length, how are you going to verify that you've cracked it?
Re: (Score:3, Informative)
The existing UK laws assume guilty if you do not hand over your key when law enforcement ask for it. It's been like this since the late 1980s.
Re: (Score:2)
The existing UK laws assume guilty if you do not hand over your key when law enforcement ask for it. It's been like this since the late 1980s.
I was wondering about that... Doesn't this kind of prove that this latest offensive against privacy is not aimed at individual investigations, for which cases as you point out they have long had options? So this is about mass-surveillance.
Re:Sigh (Score:4, Informative)
Of course it's about mass surveillance, if it was about individual surveillance then they'd just get a warrant to MITM or similar a particular suspects PC exactly like they always have with physical mail and phone calls. They already have the powers to do that type of attack to get a target of a warrant.
They might argue that it's about retaining data so if they come back to someone they can investigate their communications retroactively, but that doesn't explain why they aren't getting all phone calls logged, and all physical mail photocopied and stored. They already can't get historical data of other communication mediums so there's no reason to think they suddenly need it for investigations using digital communications.
So the only thing this possibly can be about is mass surveillance given that they have all the tools they need for individual surveillance already.
Re: Sigh (Score:5, Interesting)
People often overlook the issue of verification. If you take a small structured dictionary which takes in, say, 128 bits, and outputs a nonsense poem using the words of the dictionary and some simple rules, you have a reversible procedure for turning 128 bit hashes into literary nonsense. Reverse the procedure and apply a simple procedure to the original 128 bit hash to see if it contains a message. The simple procedure may include things about the sender. The trouble for crackers here, is that there are many such procedures. A simple software example is to append 'Borg' to a message, hash it with shasum, and see if the first two hex digits are f7, say, else discard. Then using evolutionary programs to find a short procedure which generates indices recursively for words in a video file [ with feedback, so the second index requires having the correct video file on hand ]. Guessing a random 128bit passkey is bad enough, but guessing a random procedure is far worse. Having everybody just [ just! ] using aes128 will seem like paradise compared to the output of the computational arms race the UK government is inadvertently about to kick off.
I have fond memories of the old msdos program insults.exe. it has not escaped my attention that one can take a 128 bit number [ possibly the output of a sugared hash ] and use bits from it as indices into tables to generate phrases. There is much fun to be had, and so many variations. The paper from wayback about chaffing and winnowing will perhaps have more attention payed to it.
Re: (Score:3, Interesting)
I have thought about this many times over the years. Evolutionary strategies could lead to some really obscure and bizarre cryptography schemes. Especially if you use real cryptographic algorithms at each layer. Even if not, this is utterly ridiculous. Your example of a poem highlights the greatest injustice of banning encryption - poems can mask layers of meaning even from the author, sometimes for years. It's time to end this whole charade IMHO.
Re: (Score:3)
Two things: security through obscurity... and 2^128 words is about 10^30 English languages.
Re: (Score:2)
"Is this the sort of thing that the EU could override?"
Yes, that's why the morons want out.
Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.
Or the right algorithms, the right computing power and encryption that is regulated to be limited to a certain level? I am sure Interpol or various intelligence agencies could push to have the right tools?
The problem with what the British government is asking is that it just takes one slip for the backdoor to be left wide open (see TSA security keys [extremetech.com]) and anyone who really cares about protecting their stuff and understands what they are doing probably will just encrypt their stuff with other encryption tools
Re:Sigh (Score:5, Informative)
Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.
Untrue. Encryption may be "Information-Theoretically secure". These cannot be broken with just enough computing power. For example, for ordinary text, this is even true for the venerable Enigma if less than 4000 Bits (if I remember things correctly) of ciphertext are available and the key was chosen at random. One-time pad based encryptions are never breakable, the only information you get is the maximum number of Entropy in the message, nothing else.
You wrong statement is one of the often-repeated untruths about encryption.
Re: Sigh (Score:4, Interesting)
Put another way, one limiting factor is the availability of a computational means to verify a correct guess. If the false positive rate is too high, as happens with a OTP, you have problems. Then using encoding schemes rather than just encoding textual data is not hard. If, for example, you only need 2000 different words for your messages, you could start with a basic forth and work thus:
( assume 'append' appends to a word list, and 'say' outputs and clears the word list )
: wHelp S" help" ;
: wThe S" the" ;
: wHomeless S" homeless" ;
: mHelpThe wHelp wThe ;
: mA mHelpThe wHomeless ;
: s1 mA say ;
Now we can map these definitions to 16 bit tokens, padding with random definitions, and store random definitions where the words go to get a non funtioning decode vector. Then to decode, we need a list of words and locations to insert them. One vector of 64k forth words could be used in many ways depending on which words are overwritten and what is put there. The 64k vector need not even contain the api, since we need only overwrite say v[435] with 'say', v[2789] with 'append', put 'S" help"' etc. in the right place and know that v[6789] is a correct code for mA. The secret code is in the modifications necessary, and without both pieces you have nothing. Just the vector and you have a random assortment of words defined in terms of other words.
The issue for GCHQ is not unbreakability, but that the above could be implemented in a few lines of Perl or PHP, and if it becomes widespread by some social media like a computational Twitter on acid, the effort required to search would be prohibitive given the potential for false positives and that most messages are for fun.
The Indiana Pi Law did not get passed, but many equivalently stupid laws have, and this will be yet another. You cannot pass a law requiring that maths magically become easy. Trying to causes collateral damage for no gain. But I guess politicians live in a different universe.
Re: (Score:2)
Untrue. Encryption may be "Information-Theoretically secure".
No real-world encryption usage is information-theoretically secure.
You mention one time pads, but these are typically not used, And they're not really encryption, as in traditional ciphers.... A one time pad is more of a way of dividing information into two equally-sized halves.
For the most part, the Info-Theoretically secure crypto you see would be Quantum cryptography used for low-volume key exchange
Even this cannot be declared unbrea
Re: (Score:3)
You wrong statement is one of the often-repeated untruths about encryption.
Which is true.
But as all these proven unbreakable algorithms require a secure channel to transmit the encryption key. But if you had a reliable secure channel, you wouldn't need any encryption to begin with. You could send the actual data over that secure channel instead.
There is limited use for these when a secure channel is available ahead of time, but even then the storage of the key is vulnerable to attacks. (photographs of the codebook, "rubber hose cryptanalysis", etc)
Not to start with the fact that a
Re:Sigh (Score:5, Informative)
Excuse me, you get ANY desired message by trying all possible one time pads.
The Bible
Hamlet
Andy Weir's The Martian
Re:Sigh (Score:4, Informative)
I'm assuming you're joking, but just in case you're not, allow me to explain.
You cannot brute-force an OTP without the key (or at least strong statistical cues for it), because every plaintext message of the same length is equally likely. If the OTP length is n that includes any part of that length of the works of Shakespeare, the Bible, the UK's constitution (if it still has one), and all texts or other messages of length n that have ever been written and will ever be written or transmitted. Likewise, any sequence of length n of the alphabet (e.g. 26 letters, 256 chars, or UTF16) is a valid key, so they cannot "ask" you for the key in any meaningful sense of the word.
Unfortunately, OTPs are of limited value in practice, since they key must be at least as long as the message.
Re: (Score:3)
No, you dont understand encryption. If nazis used one time pads, and ended every message with "Hail Hitler", you would still be 0% closer to solving the code. It does not simplify the code breaking. Each and every letter is independent of each other. The encryption key is random.
You dont get a small subset at all. You can literally get anything you want out the code. You want the hamlet, sure you can get it.
Re:Sigh (Score:5, Funny)
No, you get an extremely small subset of the possible original messages.
No, GP is correct. If you can choose the pad contents, you can trivially create any "decrypted" message you like.
As you send more and more messages with the same pad
one time pad
"Hail Hitler". It showed in every single German message
Unlikely. The grammar nazi in charge would have corrected it to "Heil Hitler".
Re: (Score:3)
Unlikely. The grammar nazi in charge would have corrected it to "Heil Hitler".
Brilliant! You deserve +5 funny for that.
Re: (Score:3)
You are absolutely and completely incorrect.
A one-time pad is an encryption method using a key length as long as the plaintext, never reused. Trying every possible key for a given ciphertext will produce every possible plaintext - literally every possible message with that length.
Even if you knew part of the plaintext, that would only tell you part of the key, and no bit of the key is used for more than one bit of the ciphertext. It tells you nothing you don't already know. The only possible cryptanalysis o
Re: (Score:3)
Yeah, I'm constantly amused that I keep getting asked to comment on information security at work.
My standard response is "here are some risks you need to mitigate, but please get a security professional in because this stuff is hard and I don't know what I'm talking about".
Although, maybe that's why I keep getting asked.
Re:Sigh (Score:4, Interesting)
As you send more and more messages with the same pad, or if the pads follow any kind of predictable pattern, or god forbid, one of your pads is discovered through other means, the encryption is severely weakened.
Basically you are saying that you can break one-time pad if the system used is not one-time pad.
Re: (Score:2)
They are breakable if you simply brute-force your way through all possible pad contents
This is equivalent to just brute-forcing all possible plaintexts. If you: have a way to verify that you've found the cleartext message
The method provided for you to verify the message weakened the security of the message.
Re: (Score:2)
Re: (Score:2)
"Yes, that's why the morons want out."
Yes, imagine that - a nation wanting self determination of its own laws! Radical huh?
Re: (Score:2)
Also, by definition, no encryption is unbreakable, you just need a few thousand years to crack it.
Not thousands of years! As we've seen from all the encryption technologies that have been invented to date it generally just takes a couple of decades for the tech to upgrade to a point where it's relatively easy to crack. The question is will this all change when Quantum Computers are on every desktop?
Re: (Score:3)
If you're talking about brute force, no, that's not going to happen. It's not possible to test 2^128 possible keys using only the resources of the Solar System, and I consider that impractical. Assuming we develop quantum computers of the appropriate power (and I'm not convinced we can), they effectively cut the key size in half, so AES-256 could not be brute-forced without becoming something more than a Type II civilization.
The alternatives are breaking the cipher, which is not considered likely for
Re:Sigh (Score:4, Insightful)
I actually like this argument. Sort of turns the "copyright is still a limited time even if it's 120 years long" argument on its head. If waiting 20 years to crack a phone's encryption makes the encryption "unbreakable" then why is a 120 year long copyright "limited"?
Re: (Score:2)
Is this the sort of thing that the EU could override?
Of course not. The European Union wants the exact same thing. They just take a more circuitous route to reach the same conclusion.
Don't believe me? Read it and weep. [v3.co.uk]
Money quote from the above link:
As part of the focus on cybercrime the EC [European Commission] said it is important that, while the privacy of citizens should be respected, the right data for law enforcement agencies is also vital to protect Europe’s security.
“Clear rules are needed to ensure that data protection principles are respected in full, while law enforcement gains access to the data it needs to protect the privacy of citizens against cybercrime and identity theft,” the report said.
The strategy also calls for greater cooperation between all elements of society when tackling cybercrime, so that key information is shared with all relevant parties.
Crypto War II. It's what's for breakfast. Download your copy of GPG while it's hot.
Re: (Score:2, Interesting)
It's the sort of thing that both the commons and the lords could override because contrary to the sensationalist Slashdot headline it's not actually a law, it's a proposed law, and that means it has to both be debated and pass in both houses. That wont happen because the Lords are out for blood right now and the Conservatives don't have a majority there.
I'm actually willing to bet money that this clause will never make it into the final bill that is signed into law and as much as Slashdot babies will piss,
Re: (Score:3)
Coming soon, the campaign for Brexit which is the word already being used for the campaign for the UK to exit the EU. Obviously the Daily Mail and the Daily Express will be full champions of it and have been seeding discontent with the EU among their readership for years. I'm not sure how the rest of the media are going to line up but the unfortunately the result will be decided by the high population concentration of the south-east of the UK who outnumber the rest of us and seem particularly susceptible to
Re:Sigh (Score:4, Interesting)
What, you thought the US had the monopoly on turning politics into a car crash TV event?
Re: (Score:2)
Exactly right. I'm a Scot who voted no at the last referendum, my decision was never in doubt, and I'm fed up with all the calls to repeat the referendum again. This said the UK exiting the EU would make me strongly reconsider my No vote, and I'd probably support having a new referendum whatever my eventual decision on my vote.
Re: (Score:2)
Re: (Score:2)
Might be the only way to stop the Met Police thinking they have jurisdiction over the entire country. Then again, they seem to think national borders don't apply to them either for "intellectual property" enforcement, so maybe not.
Re:Sigh (Score:4, Interesting)
It might contravene EU rules on free trade. For example, I use a Swedish VPN service to prevent my internet browsing history and other activity records (metadata) being recorded by my ISP. If this law is to be effective, it would have to make using such services illegal. Otherwise there is little that they can do to force a foreign company to company with UK law.
Maybe there is an issue with trying to ban foreign services for not complying with UK law. For example, they can't ban foreign services because they don't comply with the UK Data Protection Act, as EU free trade is based on the idea that all member states have broadly equivalent protections for such things. As long as the VPN service provider complies with local data retention laws (of which there are none, they only apply to ISPs) I don't think they can legally ban them.
Comment removed (Score:5, Insightful)
Re: (Score:2)
("The Bed of Nails", Yes Minister)
Re: (Score:3)
No, supremo is correct as a reference from Yes Minister.. Although the real title in private was cyber muggins. :)
So, no one time pad (Score:3)
Everything else goes, right?
Re:So, no one time pad (Score:4, Insightful)
Any holiday or sabbaticals could be cover for a face to face meeting to set up a one time pad system with near unlimited key material.
Years of messages could get total privacy after just one rendezvous.
Tools of oppression (Score:5, Insightful)
Bullshit (Score:5, Insightful)
Everyone should be aware that the majority of paedophile rings that have been busted were found to be passing material amongst themselves by sending encrypted DVDs (and originally VHS tapes and photographs etc.) using services such as USPS/Royal Mail signed for etc. Physical mail can't be interfered with without a court order, is secure, cheap and reliable. I would imagine terrorists do much the same.
This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.
It will be a total failure.
Totally unenforceable (Score:2)
This is plain and simply the gubberment desperately trying to keep all windows of the Panopticon open. Clueless old 19th century minds trying to legislate against the future and maintain their failed baboon style pyramid hierarchy.
Indeed, this smells like government either not understanding technology and where it's moving, and/or conspiring with spy agencies to get (keep?) their fingers in everything - including where they shouldn't be.
Unfortunately for them, there is no middle ground here. If the plebs can use general-purpose computers, there will be ways to get strong encryption software on it. If it's agreed you should be able to have a strongly secured connection between you and your bank (or your webmail, or your doctor, or
Re: (Score:2)
Most of that stuff seems to happen on Tor anyway, which being an open source US based project won't be affected by these rules anyway.
Re: (Score:2)
An
Revolt (Score:3)
This gives Apple and Google the power to decide whether or not there will be a revolt in the UK.
I'm not sure the politicians have thought this one through all the way. But, good, from a meritocracy perspective.
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
It will be interesting if Google, Apple et al suddenly suspend service and sales in the UK. I wonder what the electorate would say.
Or maybe the British government will mandate that they can't cut them off? This would be reminiscent of when the Spanish government tried forcing Google to keep indexing the newspapers, when they had decided that Google was to compensate the papers for indexing them!? Maybe we need to have a hall of shame for "stupid tech laws passed by governments"?
Re: (Score:3)
It will be interesting if Google, Apple et al suddenly suspend service and sales in the UK. I wonder what the electorate would say.
Or maybe the British government will mandate that they can't cut them off? This would be reminiscent of when the Spanish government tried forcing Google to keep indexing the newspapers, when they had decided that Google was to compensate the papers for indexing them!? Maybe we need to have a hall of shame for "stupid tech laws passed by governments"?
You can't force international companies to offer services in your country. Remember when the British music industry body (BPI) tried to shake down YouTube for royalties? YouTube just blocked all traffic from British domains and the BPI backed down swiftly.
Cameron may think that he can dictate to multinational companies and legislate for the world. But obviously he cannot. Apple and Google may not pull out of the UK entirely, but they are not going to break their own products just for one market either.
Re: (Score:2)
or else. . . Put the required backdoor in the software for UK customers, then every time they start to use it pop up a warning: "As required by law, this device is not secure! Do not enter any message that you don't wish to be read by the UK government, the USA, China, or the Russian mob."
Let's see how that goes over.
Re: Revolt (Score:3)
> G+A will have a year or so to modify their service, or will withdraw certain services from the UK and competitors will step in.
It's not that simple. Overnight there will be no sync services, no updates, no app stores - Google and Apple both know that if they cave to the UK they lose the rest of the world like dominos - they cannot afford to keep the UK business.
It's not like every user will be buying a Windows phone over that year - in fact Google and Apple would be stupid to announce non-appeasement
Re: (Score:2)
Google and Apple both know that if they cave to the UK they lose the rest of the world
No. G/A need merely provide a security deficient version of their products for the UK. Actually getting people to use it instead of the secure version is a can of worms that the prime minister has yet to open.
Re: (Score:3)
Correction: the UK government can refuse to allow Apple and Google to sell certain products in the UK. They can't force Apple and/or Google to provide an insecure version. Both Apple and Google are large and secure enough to lose the UK market temporarily.
Re: (Score:3)
And nothing stopping UK residents from popping over the channel and buying a phone over there. All phones need to have a common charger in Europe. Unless the UK government forces manufactures to mark the phones as made for sale in the UK, like Canada does with the CA Number for textile fibre products, then there's no way to tell where a phone came from.
Insecure WiFi for everyone! (Score:5, Insightful)
There was a Slashdot poll a few years ago, asking the question "What percentage of your traffic is encrypted?"
The answer that stuck in my mind was from a guy who said, "all of it. My WiFi has WPA2."
No unbreakable Encryption (Score:5, Insightful)
So basically, no encryption at all, since if it's breakable by one person it's breakable by anyone.
How little they understand (Score:5, Insightful)
Encryption is only one way mathematical difficulty can be harnessed. There are others. Encryption is great for making large amounts of data unreadable in a way which is independent of the data. But procedures can be learned by rote, and executed in a human brain before deciding whether and how to interact with a machine. By compromising encryption, the government will stimulate criminals to both probe the detection network with false information, and to develop methods of using whatever legal encrypted communication exists so that messages go unnoticed. If two people agree a convention, such as using two spaces rather than one in a tweet, padding a 130 char tweet to 140, and have a mentally computable way of indicating whether the content has special meaning, and a dictionary of codewords, we are back where we were before the second world war, with cryptic crossword techniques being used. One shot conventions [ consider if I say that when I send messages on Twitter if you append 'FluffyBunny', md5sum the result, and then treat specially if the first three hex digits are 3f4, whilst trivially breakable if you know the scheme, and who will transmit with it, if you don't, brute force will swamp you with false positives, and what if this convention is only used once between people ]. Just as antibiotic use has bred superbugs, this action by the UK government has the potential to set off an evolutionary arms race, where many terrorists will be caught, but those who are not will have by chance have developed means of secrecy beyond the security services. Passing laws declaring the existence of unicorns, or banning gravity from acting, are foolish. We have, in digital technology, an enviroment which we as humans must adapt to, not try to adapt it to us. Laws like this do the latter, but such attempts will eventually succumb to the problems of computational inefficiency.
The VPN test (Score:2)
That hop is from within a domestic like network after the providers "modem" like product.
Will the UK ban, track, investigate and demand credit card payments to VPN providers be blocked in the UK?
With "no plans to ban encryption services" that will be very cheap and simple way around the most simple provider level logging.
Why is the UK not int
Re: (Score:2)
Re: (Score:2)
Did the world need to create systems just for the US at an extra cost? Did US brands have to make expensive products for the US and retool for export markets without trap doors, back doors?
Every system got the back doors and trap doors as not to pass on costs or lock out law enforcement. No retooling, no dual designs needed.
This more a legal change. Every UK ready product will hav
Oh noes, where will I get my encryption from? (Score:2)
Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws
The reasons given are that they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach.
Then in the great British tradition, they'll just Do It (Y)Themselves. It's not like "internet firms" - whatever that means - have a monopoly on mathematics.
SubjectsInCommentsAreStupid (Score:2)
Bye-bye, UK (Score:3)
Re: (Score:2)
Re:Bye-bye, UK (Score:5, Interesting)
Regardless of whether you're a foreigner or a Briton, the (encrypted) device in question would be contraband if you attempted to import it into the UK. This is exactly the same as if you were to buy something legal in the country you buy it in (a lock-knife; a gun; or an encrypted telephone) and attempt to import it into the UK, then you are committing an offence. As such you'd be liable to arrest and or deportation (at your own cost).
It doesn't matter if you're a Briton, or a foreigner, and whether or not the device belongs to you, your boss, or a "friend", if it is in your possession [*], and it is contraband [**], then it is your responsibility.
Notes : [*] this includes shipping agents for people like DHL I was working with one such last month. this is why they can seem like picky fuckers about the paperwork for shipping something.
[**] The Police, Border Force, and ultimately the courts will determine if something is contraband. It is your responsibility as an importer (personal, or through working for DHL or whoever) to find out what currently is or isn't contraband and to abide by that. (For example (see above) in many mainland Europe countries it is legal to possess a bladed tool or weapon with a folding blade which is held in the open position by a catch - a "lock knife" - which in Britain it is not legal to own or carry. If you don't know this, then you have a problem if you bring one in, either in your baggage or a pocket. Even if you come in by boat or train, or private plane and don't go through the normal security theatre.)
The law is written to be simple to enforce, not simple to comply with or to defend yourself against.
If unbreakable encryption is outlawed... (Score:2)
If unbreakable encryption is outlawed, only outlaws will use unbreakable encryption.
Strong (not to say "unbreakable") encryption is out there. It will be used. The question is whether you want it to be a weapon used by all or only against you.
terrorists and paedophiles (Score:2)
Uk people, write to your MP (Score:2)
The draft bill is expected to be published tomorrow.
If you are in the UK please write to your local MP. Even a one sentence letter.
It will be too sad if this happens and we did not even try.
Pathetic Government (Score:4, Insightful)
Re:Pathetic Government (Score:5, Insightful)
Everyone has a legitimate use for encryption. Everyone has a right to privacy. It's a human right. The ECHR says so, and the UK wrote most of it.
Defeats the purpose (Score:3)
"they don't want the likes of terrorists and paedophiles to communicate in places the Police can't reach."
Considering that the majority of terrorist organizations and pedophile rings are linked directly to the ruling elite, this isn't really surprising.
Terrorists and paedophiles (Score:4, Insightful)
Trading security for security? (Score:3)
per definition every crypto is breakable (Score:2)
Did they specify a timeframe how long it has to take to break the crypto?
If not, well, any crypto is breakable given infinite amount of time.
Which makes the law effectively useless as nothing changes.
I Doubt It (Score:3)
Re: (Score:2)
Re "One wonders just how many months or years a spy agency would run a super computer trying to crack one message.". most of the effort is in finding code use online in the wild and a location, details.
A keylogger ie "equipment interference" gets the plain text as its entered over a software, operating system or hardware layer thats always been wi
V for Vendetta (Score:3)
They want criminals to have access to all info (Score:3)
Interesting philosophical dilemma (Score:5, Interesting)
I work for Google. I build strong encryption in Android. The possibility of laws mandating back doors creates an interesting dilemma for me. Supposing such a law were to exist, and were effectively enforced so there's no possibility of sneaking in a non-backdoored system, what would I do?
I see three options.
1. I could run away from the problem, changing jobs to let someone else deal with it.
2. I could accede, trying to build the tightest, narrowest, best-controlled backdoor possible, doing my best to ensure that only authorized government agencies could use it.
3. I could refuse to build strong security systems at all, making it clear to everyone that their data is unprotected.
What's the right thing to do? #1 is out, unless I have some reason to believe that someone else could make better decisions. #3 has some nose-thumbing appeal, but it means that everyone's data is accessible not only to government agencies, but to thieves, family members, spouses, etc. Also, this may be equivalent to #1, in that I'll be shuffled to another job and replaced by someone willing to build back doors.
So, frankly, it's actually not much of a dilemma at all. I would do #2 (choice of number was not accidental). Well, and I'd probably also contribute to open source, possibly underground strong crypto implementations in my free time, because I strongly believe that the ability of people to keep secrets is critical to individual freedom and to societal progress. But such systems would only be used by a handful, seriously reducing their value.
It's really, really important that we fight this sort of thing in the public, though. I've never been asked to build in back doors, and I never want to be.
Oh, and by the way: Those of you out there who complain that you don't want full device encryption because it's slow? The slowness may be annoying, but it's well worth it. Not so much to you, now, but to everyone, in the future. Have a little patience with it. It will get faster over time as hardware gets faster and perhaps dedicated encryption hardware is added, but if we don't get it in now, setting the precedent that it's normal to encrypt everything, all the time, with the strongest crypto we can find and no back doors, there's a much greater risk that we may not be allowed to do it later.
Re: (Score:3)
*looks over shoulder*
"Google. Is. The. Most. Ethical. Organization. In. The. World."
*looks back over shoulder*
Thank goodness they're gone.
Re: (Score:3)
Not in the scenario you described. Take as a given that laws mandating crypto backdoors are unethical. Then Google would be unethical for adhering to those laws
As opposed to building systems without any security, or as opposed to not building systems at all? Ethics is about choices between alternatives, it's not unethical to do a bad thing if all of the other alternatives are worse.
Capitalist indoctrination makes them blind (Score:5, Insightful)
They mention only companies, assuming power over them if they sell products in the UK. The capitalist status quo. So open source software or free software developed outside the UK can just ignore that law. Blocking services might be an option (Signal / TextSecure) or not (SMSSecure, pgp/GnuPG).
Re: (Score:2)
Ah, the no-true-encryption fallacy.
All encryption is breakable, given enough time. Conversely, ROT-13 is encryption, even if it's rather poor.
Re: (Score:2)
Please elaborate on how to break a simple XOR-OTP. Bonus points if you can prove that your decrypted text actually matches the plaintext.
Re: (Score:2)
I wouldn't call ROT-13 encryption, because it doesn't have a key. Perhaps you could call ROT-n encryption, where n is the key.
Re:All encryotions is "breakable" (Score:5, Informative)
It's simply 100% mathematically wrong.
One time pad is information theoretic secure. It is impossible to break.
Re: (Score:3)
As someone pointed out already, OTP is not really an encryption, but a way to split the information in half.
No, OTP is symmetric encryption [wikipedia.org] where the pad is the key. You take your plaintext, transform it with the pad, and that becomes your ciphertext. Then you apply the same transformation with the same pad to the ciphertext, and the result is the original plaintext. The information to be sent should not be used for any part of the pad.
Re: (Score:2)
With breakable encryption, criminals can edit your banking records and pedophiles can see all the "private" pics of your children. Do you really want breakable encryption?
The UK government still seem to be enjoying the delusion that they can choose who can break encryption and who can't. I didn't vote for them, don't blame me!