
Viewing 40 posts - 441 through 480 (of 658 total)
  • Terrorism
  • surfer
    Free Member

    Which is rather foolish

    Its not foolish. Its a choice.

    Stick your email address in here.

    Why?

    martinhutch
    Full Member

    Why?

    No reason… <whistles>

    ahwiles
    Free Member

    surfer – Member

    Then why are they using Whatsapp?

    mostly the same reasons why i use whatsapp…

    the point (which you missed*), is that encryption isn’t hard. you can’t really force Whatsapp to build in a backdoor.

    (*whoooosh! doesn’t really cover it)

    jimjam
    Free Member

    surfer

    Yes I get that however the volume of data and the processing power required is huge and that would be diverted from something else. If people are posting political comments on Facebook saying they support UKIP then I dont think you need to investigate every other part of their comms network to find their political leanings! In terms of determining how people vote for example why not just ask them?

    I feel like you are looking at this from the wrong perspective. It’s not about knowing the political allegiances of people who have declared their political allegiances, it’s about coercing people who haven’t made up their minds.

    Example – Trump’s campaign claims to have directly targeted black male voters in certain swing states, not to get them to vote Trump, but to character assassinate Clinton and demotivate them from voting. This was done using Facebook data targeting people based on their personality types using tailored websites for specific types. Facebook won’t reveal who was targeted, or what material was sent to them, and Trump’s campaign won’t reveal it.

    Previously politicians could make broad arguments on TV or radio. They could lie but their lies were public, and subject to public scrutiny or analysis. Now we are in an era where politicians can craft a lie designed to appeal just to you, something that they already know concerns you, or will work on you, and there is no moderation as to whether it’s true or false. And what’s more you can’t even tell who targeted you with this information, you don’t know anything about them, nor do you know what they know about you.

    surfer
    Free Member

    Are you sure you are of no interest? What if you set up a business that is competing against a foreign governments pet company. Be a minor disadvantage if they could have a quick look at your emails and trade secrets wouldnt it?

    Do you really think Email is secure now?

    What if you manage to pick up a mildly embarrassing medical condition and the doctor gets hacked?

    Ooh yes thats secure.

    ulysse
    Free Member

    Like the idea of giving the police lots of guns, what does it do?

    Make Ninfan types tumescent

    Cougar
    Full Member

    Then why are they using Whatsapp?

    Because they can. And if they couldn’t, they’d use something else. And if there was nothing else commercially available, they’d undoubtedly create something. This is the point:

    It’s.
    Not.
    Difficult.

    Take any open source IM like, say, Telegram (and there are loads of others) and you’ve got the code right there. If we were to ban encryption tomorrow, how do you then block people who just use the current version rather than the newly hamstrung one? You can’t for all practical purposes, the genie is not only out of the bottle but has necked half a bottle of Jack and is dancing naked on the tables.

    mikewsmith
    Free Member

    surfer – Member

    Here you go. RSA key generation in three lines of Perl.

    Then why are they using Whatsapp?
    Education point – if you need to use something other than whatsapp it’s really easy to get going again.

    Stick your email address in here.

    Why?
    you will see where your data has been breached already by people exploiting holes and backdoors in security that you want to introduce more into.

    Cougar
    Full Member

    Its not foolish. Its a choice.

    It’s a choice to be foolish.

    Why?

    To find out how secure your data is with those people you trust.

    Cougar
    Full Member

    Do you really think Email is secure now?

    https://switch.egress.com/ui/learn/

    (Or PGP, GPG, ProtonMail, a supporting cast of thousands…)

    Next question?

    grumpysculler
    Free Member

    I have no objection to law enforcement agencies having controlled, legal, access to communications.

    I do object when that access comes at the cost of weakening protection against illegal access.

    A backdoor is open to anyone that has a key, regardless of whether you let them have it or not. The government need to realise this.

    If you criminalise encryption, all you do is ensure that only criminals use encryption 🙂

    ninfan
    Free Member

    It’s.
    Not.
    Difficult.

    It’s also not difficult for the NSA or GCHQ to identify encrypted emails and communications (just a lot more difficult for them to crack them open) – guess what, if possession and use of the software without a licence becomes an offence, then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don’t they?

    If you criminalise encryption, all you do is ensure that only criminals use encryption

    Precisely – sending around encrypted communications becomes like waving a big red flag, doesn’t it? Just like all those people using Tor magically started getting nicked for things – because it flagged them as being up to no good.

    surfer
    Free Member

    you will see where your data has been breached already by people exploiting holes and backdoors in security that you want to introduce more into.

    But one minute you are saying we shouldnt make this security available to the security services then you are saying the data is already out there. I am finding it difficult to follow your logic.

    Cougar
    Full Member

    A backdoor is open to anyone that has a key, regardless of whether you let them have it or not. The government need to realise this.

    Exactly. And I’m going to keep banging this drum until it gets into people’s ****ing skulls, the WannaCrypt outbreak is a perfect example of why it’s a bad idea.

    You want compromised encryption, you get WannaCry. No ifs, no buts, no whataboutery, it is that black and white I’m afraid.

    grumpysculler
    Free Member

    Do you really think Email is secure now?

    It is if you secure it.

    There are easy ways of encrypting personal emails. SQA used to insist that all exam related information was encrypted with PGP before emailing – not sure if they still do.

    You can also encrypt specific tunnels so all traffic is automatically encrypted. That’s how our work internal email works if it has to pass over public networks (i.e. from one site to another).

    seosamh77
    Free Member

    ninfan – Member
    It’s.
    Not.
    Difficult.
    It’s also not difficult for the NSA or GCHQ to identify encrypted emails and communications (just a lot more difficult for them to crack them open) – guess what, if possession and use of the software without a licence becomes an offence, then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don’t they?

    you seem to be under the impression that hackers won’t run circles around the government?

    surfer
    Free Member

    Cougar you are showing your naivety. I know you are a techie so tell me, do you know the admin password for your Email server? Do you know the O365 admin password for domain? How well are these secured in your organisation. If the security services wanted to access data what method would they use?

    It is if you secure it.

    Yes it may be encrypted in transit, and even at rest however when the recipient forwards it on or prints it and leaves it on the printer then the information is hardly secure is it?

    Cougar
    Full Member

    It’s also not difficult for the NSA or GCHQ to identify encrypted emails and communications (just a lot more difficult for them to crack them open) – guess what, if possession and use of the software without a licence becomes an offence, then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don’t they?

    It’s not difficult to recognise something you can’t read. It’s several orders of magnitude more difficult from looking at the data alone to ascertain whether it’s an email or a WhatsApp message or a VPN tunnel or someone buying Network Security for Dummies off Amazon because – and I can’t believe I’m actually having to type this – it’s ENCRYPTED. It’s not an “encrypted email” or an “encrypted communication,” it’s encrypted data.

    Sure, there’s other tells. Port numbers give you a clue, but they’re easily changed. Source and destination endpoints might tip you off – a connection to Amazon is probably going to be Internet shopping. Probably. Unless a rogue Amazon employee sets up a VPN endpoint in their address range. But that’d never happen because as we’ve already established, we all “trust” Amazon.

    dissonance
    Full Member

    Yes it may be encrypted in transit, and even at rest however when the recipient forwards it on or prints it and leaves it on the printer then the information is hardly secure is it?

    Well no.
    In the same way if a government agency leaves a bunch of hacking tools on a staging server which isn’t adequately protected that would be considered hardly secure. It can lead to rather annoying consequences such as the NHS being shut down.

    mikewsmith
    Free Member

    surfer – Member

    you will see where your data has been breached already by people exploiting holes and backdoors in security that you want to introduce more into.

    But one minute you are saying we shouldnt make this security available to the security services then you are saying the data is already out there. I am finding it difficult to follow your logic.

    I can see the problem here you really have no idea do you. Stop trying to combine different points.
    The link shows you where people have had breaks or problems with existing exploits – like government imposed back doors and peoples info has been leaked.
    Saying that encryption is bad because people have already been compromised by bad security makes no sense at all.

    then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don’t they?

    PMSL

    Cougar you are showing your naivety. I know you are a techie so tell me, do you know the admin password for your Email server? Do you know the O365 admin password for domain? How well are these secured in your organisation.

    That is the choice and responsibility of the organisation.

    The latest exploit that hit the NHS
    https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?_r=0
    Leaked from the NSA, so imagine all the backdoor keys get leaked what next?

    surfer
    Free Member

    Because they can. And if they couldn’t, they’d use something else. And if there was nothing else commercially available, they’d undoubtedly create something. This is the point:

    No the point is inconvenience and disruption. As I said earlier having access to Whatsapp wont stop this violence and there is no silver bullet but it is easily available and secure. Once it is not secure they may eventually find another way but unless it is on the app store it will be disruptive. Try getting your users to generate a more complex password and see the havoc it causes!!

    atlaz
    Free Member

    Do you really think Email is secure now?

    No, email is like sending a postcard you have to assume anyone can read it, not least because they can end up in court cases unexpectedly. I have a colleague who corresponded with someone engaged in a civil suit in the USA. All of those emails because they loosely touched on the matter of the court case (“Hey mate, how’s business” sort of thing) have become public. There’s nothing in them as such but one does have info about his family, where he’s going on holiday etc. Nothing top secret of course.

    The thing is though, email COULD be secure if you wanted it to be. I could easily install some software on my computer and send emails completely unreadable to anyone but the intended recipient (assuming they have the relevant software and keys).

    dissonance
    Full Member

    Unless a rogue Amazon employee sets up a VPN endpoint in their address range. But that’d never happen because as we’ve already established, we all “trust” Amazon.

    Signal uses something not dissimilar to get round censorship. Not sure of the finer details but uses domain fronting to bounce the message from google.com to their internal google appservice address.

    atlaz
    Free Member

    Try getting your users to generate a more complex password and see the havoc it causes!!

    I used to regularly crack all login passwords when I was a network admin. If your password was cracked in under 5 mins, you had a new one inflicted on you by me. The thing is though, it’s not the same thing is it. I’m sure someone who is contemplating an attack that will kill both their targets (randomly chosen or otherwise) and themselves can probably be bothered to install software; it’s not like they are lacking commitment.

    Cougar
    Full Member

    I know you are a techie so tell me, do you know the admin password for your Email server? Do you know the O365 admin password for domain?

    I used to, but I don’t any more. Though there isn’t “the” password, rather the people who administer the Exchange server and our O365 service have the privileges assigned to them in order to do their job. Administrative rights are given out on the basis of Least Privilege as per best practices and we have a strong password policy enforced via Group Policy.

    If the security services wanted to access data what method would they use?

    A warrant / court order, I would expect.

    Yes it may be encrypted in transit, and even at rest however when the recipient forwards it on or prints it and leaves it on the printer then the information is hardly secure is it?

    Not forwarding on sensitive data is a user training issue. Email can be secured but “regular” email is of course insecure. Anyone dealing with sensitive data outside of the organisation should be provided with means of doing so securely.

    As for printouts, when we print something it goes to a central server, nothing is actually printed. The user then goes to their nearest printer, swipes an ID card, and can then choose which jobs they want printing. There’s a secure paper bin next to each printer for unwanted documents. If they don’t get collected then the jobs get deleted after a period of time (24 hours I think). Leaving things on the printer never happens – well, I suppose it’s technically possible, but you’d pretty much have to wilfully do it.

    And it’s whataboutery anyway, printouts aren’t emails. My bank card PIN is secure, but it won’t be if I post it in a forum post.

    surfer
    Free Member

    Saying that encryption is bad because people have already been compromised by bad security makes no sense at all.

    Thats not what I am saying. You are contradicting yourself in the same paragraph. The point of Email security was raised as being secure. The point is the data in transit and at rest may be, so the medium is secure, but if you send it to every member of your organisation by accident then only an idiot would consider it secure because it was secure in flight!

    atlaz
    Free Member

    Signal uses something not dissimilar to get round censorship. Not sure of the finer details but uses domain fronting to bounce the message from google.com to their internal google appservice address.

    More or less correct; it’s using a hidden (within the header) server address which Google’s services resolve but isn’t visible in clear as it’s part of the HTTPS header. Anyway, not relevant. However, there’s also the concept that one man’s terrorist is another man’s freedom fighter. Whilst we can probably all agree that attacks like in London or Kabul are evil, once you get down to people in North Korea, Myanmar, China etc struggling against the government, where do you draw the line?

    Should people who just want basic freedoms also be forced into the glare of sunlight as, sadly, they not only have something to hide from their governments but their governments may well torture or kill them for the info these tools help them hide.

    dissonance
    Full Member

    Thats not what I am saying. You are contradicting yourself in the same paragraph. The point of Email security was raised as being secure

    No it was raised as Email can be made secure. Assuming the users use it correctly.
    Admittedly thats a big “IF”
    However thats not an argument to get rid of encryption. It is, however, an argument against trusting the government agencies/third party contractors to keep the backdoor secure.

    mikewsmith
    Free Member

    I literally have no idea what you are on about now but you should be put in charge of the case for this. It would be open and shut in 5 minutes.

    All you want to achieve is about 10 minutes of disruption before it moves onto something else.

    molgrips
    Free Member

    then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don’t they?

    Only if the security services can tell who they are.

    seosamh77
    Free Member

    surfer – Member
    Once it is not secure they may eventually find another way

    Are we measuring eventualities in nanoseconds? 😆

    atlaz
    Free Member

    only an idiot would consider it secure because it was secure in flight!

    At university a security researcher from IBM told us that the only secure computer was one disconnected from a network and power, buried in a lead-lined concrete box where the person burying it had died or been killed. And even then he reckoned it was at best only “a bit” secure as inevitably someone would find it sooner or later. Anything with humans attached is insecure by nature, it’s just about being secure enough for long enough (see also declassified top-secret docs etc).

    Edit – that doesn’t mean we shouldn’t try though 🙂

    Cougar
    Full Member

    No the point is inconvenience and disruption.

    To whom? The only people who will be genuinely inconvenienced are the likes of you and me. Well, you at least.

    Once it is not secure they may eventually find another way but unless it is on the app store it will be disruptive.

    This is what you’re not getting. It really won’t.

    I can get the source code for an open-source cross-platform messenger app right now. I can get the Android .apk for Telegraph and stick it on a pendrive somewhere. If you banned secure messaging tomorrow and somehow managed to nobble all the existing clients (and good luck with that), anyone with half a clue about programming would be up and running again in minutes.

    Try getting your users to generate a more complex password and see the havoc it causes!!

    Apples and oranges, but complex passwords are easily enforceable. You make it too complex though and people just write it on Post-Its. Passwords are pretty poor as security measures go, as always the weak link is people. There are better options, 2FA for instance, and there’s always biometrics (which is what I use on my work laptop) though they come with their own unique set of issues.

    amedias
    Free Member

    then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don’t they?

    Despite the fact that you’re missing the point that encryption has many legitimate and legal uses which are beneficial, I won’t address that because it’s obvious you’re (others aren’t) willing to forgo those uses…

    BUT

    Even if it were outlawed/licensed/backdoored/whatever then covert messages can still be sent using myriad steganographic methods in un-encrypted forms* so if your goal is to ‘catch naughty people’ you’ll still fail miserably, with the added kick in the goolies of removing all the legal and legit uses.

    Bravo, that’s what’s known as a lose-lose scenario.

    *and even in the clear using methods that aren’t ‘watched’

    taxi25
    Free Member

    attackers

    yes, but doesn’t mean that someone is not going to bury them

    Their remains will be disposed of certainly. But funeral rites are often down to custom and culture, the Imams’ refusal to say prayers for them is symbolic. It would only require muslims somewhere to pray for them. There will be no shortage of their supporters world wide doing that :(. In any case it’s Allah who decides who goes to heaven, people can’t change his will (as they believe)

    surfer
    Free Member

    I can get the source code for an open-source cross-platform messenger app right now. I can get the Android .apk

    Yep you would have your disparate group of contacts in different continents up and running in no time 😀

    Apples and oranges, but complex passwords are easily enforceable

    Enforceable in a heartbeat, watch the chaos

    mikewsmith
    Free Member

    Yep you would have your disparate group of contacts in different continents up and running in no time

    go back to the cold war, small ad on something like craigslist in a specific place and time with the details for the next app and login set.
    People have been using encryption for hundreds of years and yet you think you can stop it overnight or are we back to being disruptive to everyone bar the terrorists?

    What does it tell you when a load of people tell you the massive problems with what you propose and still you don’t listen – sick of experts?

    surfer
    Free Member

    You are too incoherent Mike.

    As an expert are you able to tell me why the FBI and Iran want my comms data yet?

    Cougar
    Full Member

    Yep you would have your disparate group of contacts in different continents up and running in no time

    I’d expect that in the months between the government banning encryption and every IM company on the planet making their apps compliant, the terrorists might just be able to find fifteen minutes to deploy whatever they’re replacing it with. If they’ve half a brain between them then they’ll already have a contingency plan or twelve lined up.

    Are you labouring under the impression that disabling secure encryption is as simple as going “yeah, you can switch it off now”? This isn’t the movies.

    Even if it were outlawed/licensed/backdoored/whatever then covert messages can still be sent using myriad steganographic methods in un-encrypted forms* so if your goal is to ‘catch naughty people’ you’ll still fail miserably, with the added kick in the goolies of removing all the legal and legit uses.

    Indeed. People have been using encryption for as long as we’ve had writing. Roman legionnaires used to encode messages by writing them on material wrapped round their staff – the only* way to decrypt it was to wrap it round another identical staff at the other end.

    (* – clearly this isn’t the “only” way, it’s not the most secure of cyphers. But it was probably sufficient to stop the casual observer.)

    mikewsmith
    Free Member

    Your attempts to stop it will not work.
    There are literally hundreds of ways around it.
    It will only cause more problems for people doing nothing wrong.

    Read the NHS Hack link, the NSA had a back door, they let that out/lost it. Then a load of other people have your information. Who cares if they want to read it or not they don’t get access because some idiot politician wants to make a headline.


The topic ‘Terrorism’ is closed to new replies.