MegaSack DRAW - This year's winner is user - rgwb
We will be in touch
You don’t know, you’re not a traffic officer (and aren’t prepared to listen to one)?
I'd listen to an expert in road safety at a strategic level. A traffic officer, not so much.
Is that the problem, you think every so-called "tech nerd" replying to you here sticks hard disks in PCs for a living?
This does go to show just how good "fear the paedos" is for tugging at the heartstrings.
Perhaps we could expand this, "by offshoring your profits in the cayman Islands you're taking valuable resources away from the anti-paedo police".
I'm currently doing a CISSP course so I'm firmly on the E2EE "is a good thing" bench. 🤣
Yeah, that's on my to-do list. Where / how are you studying?
Doing all the training in a working week over teams, my head will soon explode!
Back in the old days when we would send letters to each other I wouldn't be keen on "the authorities" opening them.
Doing all the training in a working week over teams, my head will soon explode!
In a week? 😯 Messiah on a pogo stick.
Back in the old days when we would send letters to each other I wouldn’t be keen on “the authorities” opening them.
Yeah, I thought this also. The counter-argument is that they still physically could.
Do speed limits prevent terrorism?
Many a traffic stop has had an unintended big collar for the officer carrying it out.
EDIT
Yeah, I thought this also. The counter-argument is that they still physically could.
This would normally be under the supervision of Royal Mail and with a warrant/authorisation from a body outside the intercept. With computers and broken encryption there would be no oversight.
This would normally be under the supervision of Royal Mail and with a warrant/authorisation from a body outside the intercept. With computers and broken encryption there would be no oversight.
If you’re intercepting communications, I.e want the key to unscramble messages as they fly from sender to recipient, a warrant signed by SSHO would still be required.
If you’re intercepting communications, I.e want the key to unscramble messages as they fly from sender to recipient, a warrant signed by SSHO would still be required.
How does one obtain such a warrant? Asking for a friend.
You run, or have access, to an accredited interception suite as one of the agencies detailed in IPA 2017, then draft a warrant.
Like a lot of the wonderful initiatives this current government has come out with, I think the adage 'follow the money' comes to mind. With the relaxation in encryption and the capturing of 'essential data' A new database to collate and allow access to 'selected agencies' will have to be outsourced for 'best value' to an IT integrator that will by pure chance have a number of ex-ministers join a couple of years down the line from their ejection from political life. Also allowing their third cousin twice removed budgie, who happens to be a shareholder a share dividend that will pay for a 8 figure cage with preening mirror, with the entire ex-minsters family employment as staff one day a week at £100k a year each.
No end to end encryption - no secure banking/ finance. No secure anything. You can not have your cake and eat it.
Being able to read what is in a message is NOT the most important aspect of intelligence gathering and never has been. It is the meta-data, who is sending what to whom and when that is.
A back door or “breakable” encryption is broken encryption and means we’re all doomed in simple terms.
Being able to read what is in a message is NOT the most important aspect of intelligence gathering and never has been. It is the meta-data, who is sending what to whom and when that is.
I think that is incorrect; attribution is pointless if you’ve no idea what’s being discussed.
No end to end encryption – no secure banking/ finance. No secure anything. You can not have your cake and eat it.
Cool no one is suggesting banning it though are they. The question is why is Facebook expanding it? And the answer is most likely so they can avoid legal responsibility for anything.
Cool no one is suggesting banning it though are they
That’s the thing though. A back door is not secure. Ergo, no end to end.
Facebook is the proverbial dead cat. Facebook is a whole other issue. It’s motives are neither here nor there. Your rights are.
If you’re intercepting communications, I.e want the key to unscramble messages as they fly from sender to recipient, a warrant signed by SSHO would still be required.
I missed this yesterday and you're right about that but note my use of the word "broken". If it's back-doored it's broken, mathematical fact. It's like being a little dead not possible, you're either alive or dead.
There would still be oversight via IPCO for intrusive surveillance etc, obviously not to the same degree as a warrant, but then the actual oversight always tend to come from the overseer rather than the authoriser in many walks of life.
I think that is incorrect; attribution is pointless if you’ve no idea what’s being discussed.
You need to have an idea of what is being discussed if you want to intercept communication. Otherwise you’re fishing. In short what your suggesting is even worse, that there could be mass surveillance of communication just in case.
Isn't that what the ECHELON system has been doing for decades?
You need to have an idea of what is being discussed if you want to intercept communication. Otherwise you’re fishing
That’s why interception, in Uk is based on a justified intelligence case with proportionality, necessity and collateral intrusion detailed, signed off by SSHO. Your point about what’s important in intell collecting, that metadata is more important than product is wrong. Metadata is important but can also be paralleled, the content is what actually underpins action.
@kilo whilst I bow to your superior technical knowledge you missed my point somewhat. What if I couldn't be bothered with boring paperwork? Or, you know, legitimate reasons, what then?
Your assumption seems to be based on only the good guys getting to play. Feel free to correct me if I've misunderstood.
Metadata is important but can also be paralleled, the content is what actually underpins action.
It really isn’t. But believe what you want to.
The question is why is Facebook expanding it? And the answer is most likely so they can avoid legal responsibility for anything.
Grum, with all due respect. You keep asking questions, you keep getting answers, and then you ignore those answers and change the subject. This is straight out of the brexit playbook and it's a waste of our time if you aren't going to engage.
Why not have a punt at fielding one I asked? Specifically here:
singletrackworld.com/forum/topic/end-to-end-encryption-omg-think-of-the-children/page/2/#post-12203105
Would you like Facebook to have more, or less, visibility of the private messaging sent over their platform? Trust in Facebook is a concern -you- brought up, secure E2EE will lock them out of being able to spy on you. Do you think that's desirable, or problematic?
I get that point but I can't imagine why on earth FB would voluntarily do anything that would give themselves less ability to snoop/sell data unless there was another huge upside for them. No one has satisfactorily answered as to what that might be.
'I don't trust FB but I trust them to voluntarily implement a feature that will make it far harder for them to be shady'.
Oooook then.
My default position is that if FB is doing something supposedly out of the goodness of their hearts, especially something that's going to cost them lots of money - there's another motive and it's probably bad.
You may get the point but you're swerving the question. Again, "secure E2EE will lock them out of being able to spy on you. Do you think that’s desirable, or problematic?" Doesn't matter what you imagine and it doesn't matter about their motives. Do you want a company that you don't trust to be able to read your messages, or do you want them to increase security so they can't?
I mean, with no trace of irony, it's totally possible that Facebook could claim to implement E2EE but lie and secretly leave themselves some means of still accessing your data. But isn't that what you were championing all along?
We have at least three mutually exclusive scenarios here (secure encryption / backdoor / no encryption).
Doesn’t matter what you imagine and it doesn’t matter about their motives.
Why not? You're coming across as very arrogant and haughty here Cougar. I don't know your specific expertise but AFAIK you're not in any way an expert in the kind of philosophical/political/criminal/social aspects of this, at all.
Try reading this from people who are and appreciating this is much more nuanced an issue than you choose to admit.
FB just wants to absolve itself of responsibility/accountability for the vast amount of harm they facilitate, from paedophilia to ethnic/religious violence in India, Myanmar, or the next American right-wing insurrection, and you're applauding them for it.
I'm not sure what the answers are but it's nowhere near as black and white as 'privacy good, more privacy better'.
You’re coming across as very arrogant and haughty here Cougar.
🤣
Says the guy who refuses to accept the answer that (correct me if I'm wrong) everyone bar one person in this thread has given. You're the one trying to tell someone who actually knows more about this stuff than you do he's wrong.
From the article:
Facebook Messenger can also help criminals organise themselves, as well as plan and carry out crimes, including terror attacks and cyber-enabled fraud extortion hacks.
So can many other platforms with E2EE whether that be messenger services or email. And telephones. And letters. And carrier pigeons.
And that's not even touching black net.
It's a total red herring, if you remove E2EE from Meta people will just move elsewhere. If you ban it in the UK people will just VPN their asses out of here and get it elsewhere.
FB just wants to absolve itself of responsibility/accountability for the vast amount of harm they facilitate, from paedophilia to ethnic/religious violence in India, Myanmar, or the next American right-wing insurrection, and you’re applauding them for it.
What about all the people speaking out about corrupt or brutal regimes in these places and worse? Do we not care about them being able to safely report to the wider world?
E2EE, as pointed out, is absolutely pivotal to national security whether that be commercial, nuclear, health or whatever as well as personal safety in some of the less free corners of the world. If you put in back doors then it's broken.
If it's broken it's no good.
IF IT'S BROKEN IT'S NO GOOD
IF IT'S BROKEN IT'S NO GOOD
Your terrorists and paedophiles operated in secret before E2EE was available to them, this is a complete red herring.
You used CAPS (and bold) and now I'm convinced. I take it all back.
I could speculate as to the reason why a group of techs are so incredibly black and white and inflexible in their thinking but I don't see that going well, so I'm out.
I'm not a tech at all actually but I do take an interest in security.
so incredibly black and white and inflexible in their thinking
Oh the ironing.
I could speculate as to the reason why a group of techs are so incredibly black and white and inflexible in their thinking but I don’t see that going well, so I’m out.
I'm not a tech, but I understand that mathematics (and it's mathematics that drives this not policy) says you can't break encryption a little bit. There is no way around this however much you would like it. It's either secfure or it isn't, there's no grey to be seen anywhere.
I could speculate as to the reason why a group of techs are so incredibly black and white and inflexible in their thinking but I don’t see that going well, so I’m out.
Aye, and I can speculate why you'd insinuate an insult while claiming you wouldn't do that.
What if I couldn’t be bothered with boring paperwork?
Sort been sort of skimming tips one as it’s getting quite vitriolic for such a high brow matter so probably did miss your point entirely!
Ask the yanks to hook it up 😉
Not sure if the bad guys (criminals) are that hot on interception. I suspect in narco states you would just bribe the local network services who were doing this for legitimate reasons to stick a few more on but it’s not the sort of thing you can easily do here. Obviously you can use malware and keystroke readers for computer derived coms which may be in the arsenal of some ocgs but voice would be harder to hack into. Most crims aren’t at that stage of things at present.
I could speculate as to the reason why a group of techs are so incredibly black and white and inflexible in their thinking but I don’t see that going well, so I’m out.
Because they understand the problem and you don't. This is like one of those news interviews where they have an expert on one side, and bob from Norwich on the other, who once saw a trailer for a national geographic "documentary" on the subject on the other.
Bob is wrong, but nothing the expert ever says will convince him that he is. In fact, any argument will only entrench his wilful wrongness further.
Metadata is important but can also be paralleled, the content is what actually underpins action.
It really isn’t. But believe what you want to.
It’s knowledge not a belief, coincidentally evidenced by an entire thread on stopping authorities looking at the product in comms.
You’re coming across as very arrogant and haughty here Cougar. I don’t know your specific expertise but AFAIK you’re not in any way an expert in the kind of philosophical/political/criminal/social aspects of this, at all.
Because you never asked.
It’s either secfure or it isn’t, there’s no grey to be seen anywhere.
Yes once a backdoor is added then you have to rely on it not getting into the public domain either by someone independently finding it or it getting leaked from the agencies with access to it.
You only need to look at the damage caused by eternal blue once the NSA lost control of it to be very cautious about deliberately weakening security and relying on security through obscurity.
And, no, I'm not a psychologist. I don't need to be.
I do understand where you're coming from here from with an argument of "you've only considered one aspect," I really do. If I were you I'd probably be saying something similar. But what you're refusing to accept is that it simply doesn't matter. I'm sorry, it just doesn't. Because:
1) Any perceived or actual threat from secure communications pales into insignificance in comparison to the alternatives.
Remember Templeton Peck in Ghostbusters worrying about the environmental impact of their containment system?
2) Even if that weren't the case, this proposed solution won't fix it. This is why I don't need to understand anything further, I know this won't work.
Whilst we're analogising, remember the many "we need to leave the EU because of [some domestic or otherwise imagined problem]" arguments? You can wax lyrical all you like about the socioeconomic impacts of immigration from the Middle East or about how bendy your bananas are or aren't, but the cold hard truth is that brexit was never going to fix that. Meanwhile you're standing there going "yeah, but you're not a greengrocer!"
For the record, before the arrival of the “why do you need end to end encryption if you’ve got nothing to hide” brigade, I personally have nothing to hide but my financial transactions I take very seriously, and for that I want them as secure as possible.
Pretty much sums up my feelings on that.
Here’s the rub. No-one is saying that it is completely untrue. Of course sometimes things go wrong, you’re absolutely correct. People can have allergic reactions, sometimes severe ones.
Indeed, as shown by the blot-clot issue with one of the non-mRNA vaccines. An issue that at first was unrecognised because it affected very few people. One of the 72 or so it did affect was my partner, who was complaining about a pain in her foot after her first vaccination. I kept telling her to speak to someone, but she was always reluctant to do so, until I got cross and she promised to phone the following day. Which was the day she died from a massive blood clot in the vein in her neck, a minute or two after I got home and found her in a distressed state in the bedroom. A month or so later it was a recognised issue that early intervention could solve, and it hasn’t happened again. Had I persuaded her to get it seen to earlier, would she still be here with me? Believe me, that thought is never far from my mind, and I get deeply distressed at the thought.
But do I think that, because of an unknown issue that affected 72 people out of several tens of millions the vaccines should have been withdrawn? Not for one second! I’ve had three of the same vaccines, with less effects than I get from the flu vaccine; same with encryption, I use four browsers, Brave, Ghostery Dawn, Firefox and Safari, all with DuckDuckGo as my search, along with a VPN, (I wouldn’t use anything with Google’s or Microsoft’s fingerprints on them), and I trust them to be as secure as possible, without going to the extreme of using Tor, which I’ve tried, but honestly found to be too much hassle for general browsing, etc.
With anything involving software and security, there are very, very clever people who will spend many hours trying to break things, often with less than charitable uses in mind. T’was ever thus.
Think of the children? I’m pretty damn sure that anything at all that parents put in place to protect their children, certainly involving electronics, the devious little tykes will have circumvented within twenty-four hours!
Christ, that's a shocker. Sorry dude.
With anything involving software and security, there are very, very clever people who will spend many hours trying to break things, often with less than charitable uses in mind.
It's likely a lot worse than you think. It's no longer little Johnny in his bedroom up to mischief, the wag. It's big business. Corporate espionage is a thing. State-sponsored hacking teams are a thing.
I'll put a number around this an example. A few years back our then newly-formed team responded to one of the "it's made the news on national TV" incidents and we were patting ourselves on the back that we were confident we'd secured our entire infrastructure inside of two weeks. By comparison, the claimed average time for one of the big Russian entities from point of injection (the initial infection / exploit) to lateral movement (jumping to another machine within the network and thus starting to spread) is ten minutes.
Granted that's an extreme example, but it was a wake-up call.
As pointed out above, it's not an easy one. Child pornography, criminality, terrorism, cyber-bullying and online harassment are all real issues. Yes, most bad folk would use a workaround, but not all, and some would be caught.
That said, the costs of of special keys and backdoor access butt against international human rights as well as nuts-and-bolts of business security and how the world works today. It's easy to see this as uncaring libertarianism but, beyond the security concerns outline above, if you give keys to one state, you (in principle) should do it for others. For those advocating backdoor keys, is this OK? Cards on table though, esp. given how quickly the nature of democratic governments can change, I don't want any government having access.
OK. Let me give you an example. This is off the top of my head so the finer details might be slightly off so apologies if so.
The Transportation Security Administration control, eh, the clue's in the name. They're a wing of Homeland Security and they're the people you see in US airports with guns.
You can buy TSA-approved locks, both padlocks and suitcases with built-in locking. They're made by a company called Travel Sentry. You will certainly have seen these locks with the little red triangle TS logo, they're available next to the face masks and mains adapters in most supermarkets and they sell them in airports. They are (IIRC) mandatory if you're flying in or out of the US and want to lock your hold baggage. Would it be reasonable to assume that locks recommended / mandated by a security company will be pretty decent?
Let's segue into 'why' for a moment. The TSA want baggage handlers to have the ability to inspect your luggage for all the various... hang on, I need to scroll back... "philosophical/political/criminal/social" reasons grum mentioned earlier. So these things have an override where staff can pop them open, look for jewellery and iPads drugs and bombs, then seal them back up again. In effect - ha! - creating a back door in your end-to-end security. There's a 3-digit code identifying the lock to allow them to marry up master keys and no-one has access to those keys aside from appropriately trained employees - aka "the good guys". Everyone's a winner. Right?
A while ago, the Washington Post ran an article about... I can't even remember now but something to do with TSA. In it they posted a photo of the set of TSA master keys. It was online for about half an hour before someone realised that this might be an astonishingly bad idea and it was hurriedly taken down.
It was enough.
From that one slip, hackers could make their own TSA master keys. All seven of them. Yes, every TSA lock on the planet - some 500 million last time I checked - can be opened with just seven master keys, the highest 3-digit lock code in existence is TSA007. Today the 3D-printer plans are freely available on GitHub.
This is what happens when you intentionally compromise security, however well-intentioned. It is not a case of 'if' but 'when' this will fall into the wrong hands. In an effort to allow "the authorities" greater powers to perform additional checks on potential suspects they've removed any semblance of security for everyone. Worse, you've instilled a false sense of security in people, folk believe that their bags are locked. They'd be better off with a zip tie, at least if that were cut off then they'd know. The only point of locking aircraft bags is to stop them falling open.
There's a coda to this which isn't relevant to the point I'm making but I'll include it for completeness. I'll do it in a follow-up post because there's a quote and attribution I need to go look up.
...
As it turned out, the situation was far worse. They weren't really master keys, they were the keys. If you have a TSA005 then your key will open every other TSA005 lock. These two numbers I've mentioned above I didn't pick at random, they're likely the only two you'll ever see in the wild as the other five are vanishingly rare.
Remember, they sell these in airports. You could, today, spend a few quid in WH Smiths to buy a couple of padlocks which would snag you the keys to almost everyone's luggage.
Worse yet (really?) they are terrible locks. I use a TSA005 in "I'll show you how to pick a lock" demonstrations because you can about have a set of picks in the same room and they fall open. I've opened them with paper clips. The TSA007 fares a bit better not least because it's got a really tiny keyway which is harder to get tools into.
The TSA was approached for comment. TSA spokesperson Mike England responded: "These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime." Yes, you read that right. TSA's official response was, we don't care.
Who watches the watchers?
Ugh, typo and too late to edit - red diamond logo, not triangle.
Article on the BBC today, shows just how important encryption is (broken encryption = apocalypse):
https://www.bbc.co.uk/news/technology-60144498
TSA’s official response was, we don’t care
My experience of the TSA is that you may as well not bother locking your luggage in the USA, because the TSA can unlock it and they're probably the worst people to have access to it. They don't care what they break when searching, or how they repack stuff (so the next baggage handler breaks it), and you can't claim on your insurance for damage unless you've claimed from them first, but that's massively difficult - you'd be better off just having stuff stolen.