[Closed] Tech Thread - will SSH be banned?

Where have they said they are going to 'ban' secure communications?

They would simply perform man in the middle attacks on the traffic and you wouldn't know it was happening. No need to ban the tech when there are ways around it.

They would also just ask the companies running the secure systems to allow them access for things like iMessage and whatsapp that use an SSL system to secure their comms.

More useful to allow suspects to believe they are communicating securely, surely?

[url= http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-and-snapchat-could-be-banned-under-new-surveillance-plans-9973035.html ]http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-and-snapchat-could-be-banned-under-new-surveillance-plans-9973035.html[/url]

[i]The Prime Minister said today that he would stop the use of methods of communication that cannot be read by the security services even if they have a warrant. But that could include popular chat and social apps that encrypt their data, such as WhatsApp.

Apple's iMessage and FaceTime also encrypt their data, and could fall under the ban along with other encrypted chat apps like Telegram.[/i]

I understood that old Blackberry emailing was impossible to intercept, until of course some governments asked RIM to allow them access. Which they did.

I see.

It seems to be a well thought out and sensible policy, that will be extremely easy to implement and manage.

Put simply, no.

I would imagine the spooks have hooks into the ISPs such that they can see the raw data content of https data or can decrypt it anyway. The issue is for the messaging apps using encrypted comms where the datacentres are outside of the spooks reach and using heavy duty encryption.

Snowden's leaks about Operation Bullrun suggest that NSA and GCHQ can read encrypted internet traffic with relative ease, possibly with the cooperation of companies like Verisign and RSA.
[url= http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security ]http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security[/url]

Man in the middle attacks don't work if the traffic is encrypted using the right method. That's the whole point of encryption.

You can't really "ban" this type of technology, there are always ways round any bans.

In practical terms the UK government might insist that encryption algorithms are nerfed so they are easy for the security services to crack - its been done before

nice bit of sensationalised scare story

you will have to access you bank account via open wifi, non-SSL in future.
and all corporate full disc encryption on laptops will have to be unencrypted again. 🙄

all they can really implement is for things like snapchat to cache anything that's sent, and if it happens to be stored on an encrypted server drive somewhere, for those keys to also be made available.

I think there's already provision for that (at least for email, etc.)

What a silly idea. I don't expect Cameron to have a clue about this, but surely he has an advisor who does. If you're a terrorist wanting to communicate securely you can simply generate your own keys and encrypt your own email before sending, no need to use an app. They can make that illegal if they like, but exactly what do they make illegal and how do they enforce it?

great article here;

[url= http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html ]http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html[/url]

[i] This, then, is what David Cameron is proposing:

* All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept

* Any firms within reach of the UK government must be banned from producing secure software

* All major code repositories, such as Github and Sourceforge, must be blocked

* Search engines must not answer queries about web-pages that carry secure software

* Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services

* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped

* Existing walled gardens (like Ios and games consoles) must be ordered to ban their users from installing secure software

* Anyone visiting the country from abroad must have their smartphones held at the border until they leave

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons

* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright [/i]

"Elect me! Free beer for everyone!!!"

If you just assume that all electronic comms is already compromised by the spooks then you probably won't go far wrong. It's all misinformation and disinformation to confuse the bad guys. PGP was an issue then it wasn't TOR is 'secure' but who really knows? The military designed it or had it designed so not beyond the bounds of belief that they can track packets across the network.

*dusts off old one time pads and buys stamps and envelopes*

I don't think it would matter much TBH...

Warrants would simply mean major ISPs/comms companies are required to provide decryption keys, or allow direct access to their systems for specific warrant backed monitoring activities, without the user's explicit knowledge...

It would probably just mean a subtle change to T&C's for certain things (if not already in place?) informing users that Google/FB/twitter/Microsoft/apple /etc will comply with any warrant backed requests for access to user's data without user consent or knowledge (beyond accepting the T&Cs) being sought... Accept the T&Cs and they're covered and the intelligence services get their legal access rights...

The main thing is of course that we can legislate all we like over internet / comm's use and monitoring here in the UK, but the interweb is global, and any services based overseas, or even over the channel, probably won't have to comply with our quirky domestic laws, they can apply their own encryption without being subject to British Warrants. That might be where it gets "Fuzzy"; UK authorities could intercept encrypted comm's traffic in the UK, and then break the encryption, but would then using that information to read the contents of an overseas server breach the laws of that host country? or international laws?
And could the UK ultimately be accused of "State sponsored cyber terrorism"?

Discuss...

PGP was an issue then it wasn't

Wait, is PGP compromised?

Well they tried to ban it then said it wasn't a priority so who knows

[quote=cookeaa ]I don't think it would matter much TBH...
Warrants would simply mean major ISPs/comms companies are required to provide decryption keys, or allow direct access to their systems for specific warrant backed monitoring activities, without the user's explicit knowledge...

As I mentioned above, the trouble is this would only affect ordinary people using encryption for legitimate reasons. The people who's comms he presumably wants to read won't be using ISPs for their encryption - the ISP etc. would only ever see encrypted traffic. You can make it illegal for people to do that, but how do you propose to catch them when they're using free wifi with spoofed MACs?

I wonder if it is time to send Cameron et al a load of encrypted e-mails (from anonymous accounts using free wifi etc. natch) and complain they are breaking whatever the new law might be - though I suspect there are probably several thousand uber nerds ahead of me there.

I suspect the banning of Snapchat would be to stop any more tories randomly sending other people pictures of their willies.

*dusts off old one time pads and buys stamps and envelopes*

[i]HKWM LVUB SCMH JBOS NZRT MYTP KVAL KMNJ WXYQ ELDO XHCH VTKR TKZZ YOHS WKBG BEPE TECQ GJAC XWBF PQMS KOZK TLTY FMUD FHVB RLHO SETE NLBJ SNCD TPDG OXPO AYZP BAPD XLKA DLPT DMIW FPPX ZCUM NCGF LBJK [/i]

well that's easy for you to say.

rusty - well that's no good without the plug and wheel settings, or maybe a spare u-boat and the weather report.......

I suspect the banning of Snapchat would be to stop any more tories randomly sending other people pictures of their willies

the value of snapchat is that Brooks "The pyjama willy" Newmark wouldnt have been busted as the pics apparently evaporate.

This, then, is what David Cameron is proposing:

that's also why I no longer read boingboing, too much student-reactionary bollox there now.

Je suis Charlie

[img] [/img]

What he's really talking about are legal changes to bring electronic communication to the same status as phone or paper communications.

It's not illegal for me to use a one-time pad to send an encrypted letter. The only reason we don't send encrypted mail through the post is that we tend to trust the post more than the internet.

So no, this isn't bringing electronic communications to the same status as phone or paper, it's making them less secure.

It's not illegal for me to use a one-time pad to send an encrypted letter

yet, but I wouldn't be surprised if it becomes so soon at the current rate of progress of backward legislation.....

[quote=footflaps ]

It's not illegal for me to use a one-time pad to send an encrypted letter

Which opens another can of worms. Would sending an email (or letter) which looks like this become illegal:

[code]uikdm wnpgy ncjlo wneia hegay qivnj[/code]

Prosecuted for writing gibberish - with a one time pad an encrypted message should be indistinguishable from that? (in theory it should be a lot easier to distinguish between gibberish and a message encrypted using other means of encryption than it is to decrypt the message)

You are already required to hand over passwords and or encryption keys on your arrest, so it's not much of a step to make encrypted messages illegal

Except that isn't what is being proposed at all, they've taken one phrase and taken it's possible implications to an absurd level. What he's really talking about are legal changes to bring electronic communication to the same status as phone or paper communications. That has some serious problems of it's own, but there aren't any actual proposals to ban open source OS's, or block Github. That's just hysteria.

Wot he said.

Usual headline trash, there was once a proposal that according to headlines required ISPs to record all traffic for recall, would have needed (on a rough calculation) a SAN the size of Belgium. Though disk sizes have move on a bit since I heard that one...

So no, this isn't bringing electronic communications to the same status as phone or paper, it's making them less secure.

His proposed legislation, which would be introduced within the first year of Cameron’s second term in Downing Street if the Conservatives win the election, would provide a new legal framework for Britain’s GCHQ and other intelligence agencies to crack the communications of terror suspects if there was specific intelligence of an imminent attack. Political approval would also be necessary.

Being as public key RSA style encryption is mathematically secure given a large enough prime number pair I don't think it has been hacked.

This statement smells of election fever, promising fantasy island statements by people who have no idea about what they are talking about.

But the proposals aren't about restricting the use of encryption, they're about allowing access to the material in order to decrypt it

Exactly - a OTP via post would be more secure than an online cipher that the police/MI5 could decrypt. It would make online communications less secure than communications via the Royal Mail.

Usual headline trash, there was once a proposal that according to headlines required ISPs to record all traffic for recall, would have needed (on a rough calculation) a SAN the size of Belgium. Though disk sizes have move on a bit since I heard that one...

The proposal was six months of traffic information (not content data) to be stored… so that rough calculation needs to be reduced by many orders. Tories talking about reviving this again by the way. Crazy.

This statement smells of election fever, promising fantasy island statements by people who have no idea about what they are talking about.

Even the Telegraph commenters can see some flaws in the plan;

[url= http://www.telegraph.co.uk/technology/internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-says-David-Cameron.html ]http://www.telegraph.co.uk/technology/internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-says-David-Cameron.html[/url]

I quite like the idea of sending any actual text in an email message as a jpeg that's displayed in a non machine readable format like Captcha's.

Back on topic… if you were to SSH into your own machine, and leave encrypted messages there for others to pick up… how would the security services unpick that? Physically grab the machine and insist on keys? They already have the laws to do that, if you are a suspect. Hell, if you are a suspect they can do just about anything, it's new powers to remove any methods of secrecy from non-suspects, ie everyone, that's the on going battle.

Ah, well that's easy - using encryption is suspicious, so that makes you a suspect.

They've used that logic before, with knife arches at public stations and the like. You don't have to go through the metal detector, they can't search you without reasonable cause, but refusing to go through the metal detector is reasonable cause...

a OTP via post would be more secure than an online cipher that the police/MI5 could decrypt.

So if you're really concerned about security send your OTP via email. It would be just as secure

No, it would be less secure because they'd be scanning emails (so would know I'd sent a OTP message) but they're not opening and reading every item of post.

Oh, and a bigger, more fundamental point. I shouldn't have to be "concerned" about security, it should be a fundamental right available to everyone, not just people who can think up ways to get around the rules.

No, it would be less secure because they'd be scanning emails (so would know I'd sent a OTP message) but they're not opening and reading every item of post.

Anyway, if I really wanted to send something securely by email I'd use something like OTP plus steganography. Message below reads 'Smash the system, man'
[img] [/img]

There's an election coming up, Cameron is lying through his teeth about everything and anything to attempt to convince the public to vote him back in. In amongst all that he throws in this absolute nugget about intercepting electronic communication. If there was any doubt before now about what a complete and utter tool he is then this should dispel things nicely. He actually believes that announcing he is going to monitor everyone and everything will endear him to the voting public.

More astute politicians would have waited till they were in for the next 4 years before waiting for a bit event and then trying to slide it through, but not Dave. What a wally.