UK spies: You know how we said bulk device hacking would be used sparingly? (theregister.co.uk)
221 points by wglb on Dec 10, 2018 | 95 comments



This is presumably a response to the increase in encryption post-Snowden. In which case, it's a good thing from one angle at least - it suggests that moves to encrypt everywhere are frustrating bulk intercept.


It's not like GCHQ wasn't hacking networks before. The law just says they need to disclose it now, so they use the encryption as an "excuse" to do it, while also making encryption look bad (something we ought to get rid of).

https://www.theguardian.com/uk-news/2018/sep/21/british-spie...


No, it states the reason in the article:

> UK spies are planning to increase their use of bulk equipment interference, as the range of encrypted hardware and software applications they can't tap into increases.

So past communication methods came with built-in backdoors for UK spies (and, as it turns out, around 32 other EU agencies). These backdoors are becoming useless for them, and so they seek to force everyone else into providing backdoors for them again.


I'm not sure why you interpret it that way. Nobody has found built-in backdoors for UK spies, and where did you get the "32 other agencies" from?

This shift was predicted long in advance and is clearly a response to the increasingly saturation-level usage of SSL. GCHQ and NSA have for decades been oriented primarily around bulk interception of unencrypted radio and fibre traffic, see:

http://www.lamont.me.uk/capenhurst/original.html

But what happens when nearly all traffic becomes encrypted? Then they must become ever more reliant on hacking the endpoints, to get at data before the encryption is applied.

What's happening is easily explainable without needing to refer to apparently non-existent back doors. The closest thing to that was the EC-DRB algorithm, but nobody ever used that except RSA Inc who got paid to use it, because their back doored algorithm sucked and the back door was spotted very quickly. I doubt it ever had much operational impact.


>Nobody has found built-in backdoors for UK spies

I think GCHQ's intercept capabilities are pretty well documented in the ANT catalog:

https://en.wikipedia.org/wiki/NSA_ANT_catalog

I know for a fact that GCHQ are customers of JUNIORMINT.

(Check for fingerprints and other sloppy cleaning on the wrappers of those "brand new laptops", folks.. the ones that spent a couple of days in limbo at a 'shipping hub' somewhere around Heathrow/Stansted, etc.)

This is the issue with the duplicity inherent in the 5-eyes agreement - what we think only 'the other guys' can do, our guys can do when they work with the 'other guys'.


>(Check for fingerprints and other sloppy cleaning on the wrappers of those "brand new laptops", folks ...

Or you know, they just use gloves because they work for a signals intelligence agency installing implants for a living.


They might, they might not. They’re also fallible humans who silo their knowledge from each other as protection against other state agencies, and the downside of siloing your internal information is more dumb-looking mistakes and resistance to fixing them. Heck, that resistance is why Snowden did his thing in the first place.


I found fingerprints and dust on my recent Apple MacBook Pro purchase, underneath the peel-off wrapper. It was not a refurb, was bought originally from Apple and it did indeed have a 2-day wait in a 'shipping hub'. I'm fairly sure this machine has an implant - or at least, someone really goofed at Apple's manufacturing.


So did you do anything about it?


What can we do? Send it back to Apple? Still trying to determine if we should.


Either that or send it on to an interested party, or have a very close look yourself I guess. AFAIK there are people out there very interested in what you might have there.


if you and your employer are concerned about this, why are you mail ordering laptops instead of buying them in cash at the store?


This only works if you need a device that’s in stock. Any custom spec’d machine requires it to be built and shipped. I’ve never tried, but I don’t think that can be done anonymously.


After purchase is signed off, go to a random store from 3 ascribed by independent a via dice roll observed by parties a b and c, travel there, where independent b will choose from 3 equivalent items at random and purchase them for the original requester.


and whence cometh the dice, good sir?


It's the only way to get the keyboard configuration we want.


i find it difficult to take "we're worried about state-level actors compromising our hardware, but we're unwilling to use a standard keyboard layout to avoid it" very seriously.


It's easy, all you have to think is "what happened first - did they order the keyboard and then discover evidence it might have been tampered with, or did they have the concern, overlook it because 'need a good keyboard, who cares about big brother', and then place the order regardless?"

D'uh .. It's the first option. We didn't think about it much, ordered the keyboard config we wanted, thought about the interception/implant issue, paid close attention to the wrapping upon receipt of the laptop, decided that we'd probably been intercepted along the way somewhere ..


>(Check for fingerprints and other sloppy cleaning on the wrappers of those "brand new laptops", folks.. the ones that spent a couple of days in limbo at a 'shipping hub' somewhere around Heathrow/Stansted, etc.)

If the intelligence agencies are really spending time and resources on such ludicrously inefficient and ineffective techniques as installing backdoors on random laptops in warehouses, you should be glad!


Why should I be glad? I'm paying for it. If they're not spending on effective efforts against legitimate threats, that money is, at best, wasted and I'm still exposed to those threats. At worst, maybe my own money will one day be used against me in prosecuting a victimless crime. The likely middle ground is my own money is being wasted to violate my own privacy for no good reason. This isn't sounding very good to me.


The intelligence agencies obviously aren't doing this. It was a tongue-in-cheek comment.


Don’t worry they are doing this. There will be suits with budgets whose hold over power is entirely dependent on the need for that expenditure to be expanded.


What evidence do you have that they're routinely intercepting laptops during shipping and compromising them?


They should also spend money on gloves.


I don't think it's so random. I work for people they would definitely be interested in.


It'd be lovely if the security services acted to make the general population more secure instead of less.


"Police foil seven terror attacks in London in just six months"

https://www.standard.co.uk/news/london/police-foil-seven-ter...


I'd be extremely wary of such reports coming from the government. I don't know about other sources but that article provides absolutely no additional information beyond the claim. And I imagine this kind of information is nearly impossible to verify, which they may be betting on.

In short, given the current state of media and government, it wouldn't surprise me if this were just propaganda.


Maybe but not necessarily.

The flip side of your view is that there are absolutely cases that are real, which don't even make it to the press at all. I was an expert witness for a terrorism case in the UK - the guy was convicted - and nothing about it ever surfaced in the media.

The reality is that there are a stream of people in the UK who try to carry out terrorist attacks, and who are stopped by the police. Attempting to argue against a bad policy by claiming terrorists are establishment propaganda is likely to be a bad strategy as a result.

A much better approach is to ask how many of these terrorists are really using sophisticated cryptography, and how many successful attacks would have been stopped if not for encryption? And there we find the answer is "not many" and "essentially none".

There is a great article on that very topic, written by a British journalist who also has acted as an expert witness in many terrorism trials:

http://privacy-pc.com/articles/how-terrorists-encrypt-threat...

It looks at many cases of busted terrorist attacks over many years, and examines the involvement of cryptography. The conclusion is that the intersection of terrorists and sophisticated users of encryption is the empty set. The closest you get is a groupie who worked on things like propaganda and funding, but who wasn't involved in any attacks themselves.

Now that article was written quite a few years ago and I suspect the new attitude of companies like Facebook towards encryption has changed the game somewhat, WhatsApp end to end encryption (assuming it's really on for everyone) makes it much easier to protect conversations than before so, it would stand to reason that cryptography does foil terrorism investigations more often than it used to. However, we don't know that, and the IC was yelling about the danger of cryptography for decades already - certainly in the time frame that Duncan Campbell's analysis was written in.

In conclusion, I'd focus more on whether real terrorist plots are happening successfully because GCHQ couldn't hack things fast enough, than on whether terrorists exist at all.


Interesting. This paper takes a different view.

https://ctc.usma.edu/how-terrorists-use-encryption/

I would be very surprised indeed if the intersection of front-line terrorists and users of industrial encryption was an empty set.

I think it's more likely the intersection of caught and prosecuted terrorists and users of industrial encryption is an empty set - or at least a much smaller set than those who use FB Messenger to coordinate attacks.

This is not an argument for backdoors. I suspect the real inefficiencies in monitoring don't come from lack of evidence, but from lack of efficient data processing and flagging.


The two papers discuss some of the same cases.

In particular your paper discusses the "Tadpole" program developed by Rajib Karim to communicate with Al-Awlaki, albeit it doesn't refer to it by that name. It's interesting to see how there are different spins on the same event.

http://privacy-pc.com/articles/how-terrorists-encrypt-7-pecu...

Both papers point out that: Police described his use of encryption as “the most sophisticated they had seen in a British terrorist case.”

In the talk by Campbell, Tadpole is described as amateur hour. It's literally a Caesar cipher implemented using Microsoft Excel, with the results copied into password protected Word documents. Campbell observes that even a very rudimentary intelligence agency would be easily able to break this code without access to any of the underlying materials ... in fact, the technique for breaking such a cipher was first described by an Arabic mathematician over a millennium ago. This was used in preference to the "Asrar" PGP GUI that was circulating amongst jihadis, because it wasn't clear to Karim that Asrar was really trustworthy. Was it an NSA plant? This problem crops up all the time with jihadis trying to use strong encryption: they can't implement it themselves, they don't trust western apps and struggle to verify the origins of programs claiming to be written by fellow jihadis.

Overall Campbell treats Tadpole as a joke: a textbook study in why terrorists+encryption are not anything worth worrying about.

In the West Point paper you link to, the same program is described in quite different terms. It's described as an "intricate system", an "unorthodox and complex technique based on cipher codes and passwords stored on Excel spreadsheets" that produced "end to end encryption". It says "Western intelligence agencies were not able, as far as is known, to intercept any of his communications in real time". The West Point author appears to be under the impression that the only mistake Karim made was not wiping his laptop in time, which allowed police to access the underlying spreadsheets he was using.

This is a fascinating study in how the capabilities of terrorists are sometimes exaggerated to build the case for all-backdoors-all-the-time. Tadpole wouldn't have stopped a clever teenager with access to some intercepts, let alone an intelligence agency as sophisticated as GCHQ. Yet it is being used as evidence of fundamental shifts that require deep social and policy changes.


Thanks for such a detailed insight.

West Point paper in this case appears to be clearly hiding an agenda. Don't courts have some sort of checks and balance to minimise this type of influence from expert witnesses?


Cross examination.


Comment of the year. Absolutely wonderful.


> I was an expert witness for a terrorism case in the UK - the guy was convicted - and nothing about it ever surfaced in the media.

Can you give us a rough idea why that trial was kept a secret from the public?


I don't believe there have ever been fully secret trials in the UK. In camera sessions with secret evidence have been held in a handful of terror cases. The more likely explanation is just that nothing was being kept secret, and the trial wasn't deemed newsworthy.


One of my practices is to periodically use a day or two off work to attend court. I've sat in various sessions of a magistrates' court (low seriousness offences, shoplifting, maybe a drunken fight at most) and the conveniently adjacent crown court (rape, fraud by impersonation, lots of drug dealing). I never saw a reporter even once. The courts are set up to allow a local journalist to cover them, but there's no money in it unless the defendant is famous. Usually I was the only person who wasn't essential to the mechanics of the court, in the fraud trial and some of the magistrates' stuff there were family there to support the defendant but never anybody else. Your friends and indeed family are probably not going to take the day off work to attend your rape trial. So that's worth knowing...


I am intrigued. Are the sessions publicly listed or do you attend them more or less randomly?


There are listings an adjacent post links but I don't pick and choose. The staff at a court will tell you e.g. that Court #4 is done for the day, or it's doing a bunch of calendar management which you might find tedious. I guess you'd want to plan at least somewhat if you have to travel a long way to attend, for me it's just across the city.



That's right. I don't think there were any gag orders or anything. The trial wasn't secret. I certainly didn't have to sign anything committing me to secrecy, which is why I'm willing to mention it now. My contact at the police just asked me not to blog about the details, as a friendly courtesy. It just didn't make it to the press. My guess is that court case -> media transmission is not 100% reliable as we might imagine.

The police wanted it kept quiet for the usual reasons. There's some amount of luck involved in foiling any crime, especially before it happens, and when the details of a trial are broadcast it necessarily implies teaching future criminals how their predecessors were caught. The police don't like that, it just makes their jobs harder.


Well, there were the "Diplock courts". But yes: it does seem that the newspapers have no interest in reporting actual convicted terrorists. Which is very strange given how they sensationalise the threat of terrorism.


Not at all strange - convicted terrorists convince people that the threat is being met. The threat of unknown terrorists keeps everyone anxious and biases towards granting more police powers in order to curb those unmet threats.

PsychOps 101.


Umm, I see quite a lot of reporting of it. It's just on page 7 usually since it comes down to a bloke being arrested and being found guilty of conspiracy to commit acts of terrorism. Not very newsworthy.


sometimes I wonder about people, all quite willing to trust government if they will pick up the tab but never willing to trust them when it inconveniences them.

the little microcosm that is HN is just fun to watch with stories replete with people demanding intervention standing side by side with stories claiming overreach. I am not sure you can have your cake and eat it too.


We are now finding out that during the cold war, the government has released several reports of "arresting communist spies" when in fact, no one was ever found or arrested - it was just a propaganda piece. I would not be surprised if we were seeing the same thing now to support the "war on terror" narrative.


If they talk evil about something I don't like, that's cool and genuine. If they talk good things about something I don't like, now let me be a cynic here


Reminds me of when Obama claimed upwards of 50 attacks have been foiled by bulk data collection programs. However other officials said that the NSA was unable to provide substantial evidence that even a single one was foiled[1].

[1] https://www.nbcnews.com/news/world/nsa-program-stopped-no-te...


Using the hacking powers mentioned here?

And I bet they could foil even more crimes if everyone had to wear an ankle monitor. Does that make it a good idea?

If I seem aggressive, it's not intentional - your post only highlighted relevant data, which is always commendable.


(Out of nine bait-and-sting operations planned)


eventually this (e2e encryption everywhere) will happen once governments realize their security and secrecy depends on the security of consumer technology and to protect the public is to protect themselves.


You’re more optimistic than me. I see it like Brexit: they demand all the advantages and none of the disadvantages and angrily dismiss anyone who tells them it’s an impossible combination.


Just happened in Australia.

In 2017, Prime Minister Malcolm Turnbull said, "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia".

The unprecedented and abysmal Assistance and Access Bill was just rushed through, against the advice of all legal and technology experts.

Any individual employee of a company can be compelled to install malware on their systems under threat of 10yrs jail and 50k, and they're not even allowed to inform their employer!

There is no judicial oversight and the one who determines if the spying is proportionate is the agency requesting the data, which is even State Police.

Under five eyes, that will be used to spy on UK, US, etc citizens and the information will be shared back. It enables the US/UK government to spy on their own citizens in ways that are illegal in their own countries.

Every Australian citizen has just become an unpaid black hat hacker/spy for the Australian government.

Have no doubt, this is coming to a nation near you.


When technical means will stop working they will issue the laws that make e2e devices without backdoors illegal or not easily obtainable. Not completely apples-to-apples comparison, but look at all the iPhones and androids where you can't have root and can't load another OS, can't side load apps in apple's case. In China you already have to have an app on your phone mandated by government at all times. And if you opt to have a "freedom phone" -- your life will become quite inconvenient (with some services impossible to get). TL;DR: even if e2e everywhere happens, it means nothing if you have to have a mandatory app on your phone.


That's not why they exist.

They exist to protect and maintain the status quo for those that benefit from it.


There are two ends to the true picture here - they do exist to protect and maintain the status quo as you say, but the underpinning (largely unspoken) assumption is that the general public, as the GP hopes, are among the set of 'those that benefit', on the basis that the continued existence and flourishing of the state is beneficial to the public.

That's the theory. In practice, of course, the truth has been weighted more to one side or the other at different times and in different places.


Well they sure are doing a shit job then - if they were smart they would realize they have the most to lose from weak crypto.

But there will always be sociopaths who would rather be dictator of a pathetic state of starving and poor people rather than president of a prosperous one.


True.


“GCHQ’s planned use of the Investigatory Powers Act 2016 Bulk Equipment Interference Regime”

https://assets.publishing.service.gov.uk/government/uploads/...

(PDF)


Interesting dilemma there: gazillions of routers with worst possible security vulnerabilities are lying in the open for everybody to exploit.

Either you have them flopped yourself, or leave it to the enemy.

But in any way, the West has more urgent issues than Chinese popping their routers, namely the issue of their own spy agencies running rampant.


I'm not so sure, I think I'd rather be spied on by my own country.


That's very silly. Between all of the people capable of spying on you, it's exactly your own country that has the most ability to harm you. The Chinese government can't arrest you if you're not in China, but your government can.


That's generally how I see it. For the most part, other countries don't care much about you. You're only subject to their laws in particular circumstances. And taking you into custody is relatively complicated and expensive.

But there are exceptions. China has gone after supporters of the Dalai Lama globally. Dropping malware, backdooring servers, etc. But yes, they can't arrest you.

The US, on the other hand, has more "friends". Consider The Pirate Bay. Even Russia has turned over "cybercriminals".


China can assassinate you on foreign soil - as Russia has demonstrated, the consequences for this are essentially nil.


For a nuclear power petrostate with minimal economic ties. China would get the shit boycotted out of them at least and Iran would get the shit bombed out of them as many politicians have been caught openly drooling at the prospect.


Says you, a random internet commenter.

Meanwhile international diplomacy's track record is clear.


Not sensible because your own country has jurisdiction over you and therefore more relevance. This is why I recommend Russian proxies for a western audience. I doubt the Russian government will trade data with domestic agencies.


I’m not overly bothered about this. Their access vectors are more likely to get noticed in bulk and patched so the entire idea is self defeating in the long run. Which is beneficial for all of us.


Given that many many many devices are not patched despite known vulnerabilities, I'd not be overly optimistic about this. Vendors do not provide patches for devices, Vendors go out of business, Users don't patch even when patches are available. This affects everything, routers, phones, IP cameras, you name it.

I'd rather expect that the access vectors get noticed and applied by criminals en masse.


Ah, the horrors of lifecycle management of consumer devices.

Every networked product should come with a legally binding A4/letter-sized sheet that clearly shows the last date the product is guaranteed to receive security patches. Not fulfilling the requirements would have to result in a buyback with the sum directly proportional to whatever time of the promised lifetime is left unused.

EU countries already have rather strict consumer protection laws but they really haven't been designed for situations where a hardware product can be rendered unusable by insecure software.


> EU countries already have rather strict consumer protection laws but they really haven't been designed for situations where a hardware product can be rendered unusable by insecure software.

That is definitely covered by the standard 2 year warranty as insecurity (when security is expected) is seen as defect. If they don't fix it you get your money back. I successfully got my money back for several phones after 1 to 1.5 years.


First time I've heard of this, this is really interesting. Don't most phones release updates for the first ~2 years? Maybe this law is the reason?


Indeed most phones do. This law however applies to resellers of cheap Chinese phones of small brands as well, which was my case.


Sure, but the key point is that the access vectors will get noticed, and publicized. And people who pay attention and care (including many criminals) will protect themselves.


Eh, how does that make it OK in any way?


It doesn’t make it ok but it makes it self defeating.

We can’t win the ok battle any more as no one up top gives a shit clearly.


I'm absolutely sure it's self defeating only temporarily and/or when it doesn't matter. Governments can use literally any amount of money and other resources if they care, and there are many people who wouldn't even require extraordinary sums (being in army is not exactly well paid).

We're going full speed into totality. It was absolutely the same when the communist regime started in my home country: People were saying they would not use their new powers against ordinary people and that seizing all farmland would be impractical and then after few years of silence KGB and gulags and executions happened (our local alternatives of course).


They can but they don’t pay people much and you have to be morally bankrupt to work there. Very few people fit that niche.

After paying £27k+ in tuition fees grad priority is earning so the government chased them off too.


Not at all. Most people see working for their country as a good thing. They can start paying people literally any sum of money literally any minute they want. And even if UK people wouldn't work for them, mercenaries are common.


Not here in the UK. Once you’ve taken a public sector position you are tainted.


I assume that doesn't include working for NHS?


In an IT capacity that does include the NHS.

I'm not for a moment suggesting this is right for ref. Individual merit is much more important.


That is absolutely not the case


> We can’t win the ok battle any more as no one up top gives a shit clearly.

That's the reason to battle, not the reason you lost before you even did that.


There aren't enough people who care about it to win the battle so we make sure the victory is pointless.


Your data, someone else's money; and in this case, the money for those who can convince you the most that you are in imminent danger and that's why they need so much more money and media attention and fear mongering government support


fear mongering "government is out to get us" vs fear mongering "the terrorists are out to get us". none are true, but fear sells nonetheless.


The uk gov now appears to resemble a media organisation whose main purpose is to broadcast the message of fear. The amount of money that passes in and out of the uk gov and to all the industry security contractors that manage that amplified and antagonised anxiety can probably now be directly related to how much fear it can generate amongst its own citizens that they are under immediate danger of being attacked


Really? I don't think that UK media actually scaremongers all that much about the threat of terrorist attacks. London has been the victim of terrorist attacks on and off for at least the past few decades. People in London are in imminent danger of being attacked (although of course the odds of any given person being killed are tiny).


Statistically speaking (tally up the dead for example) the biggest threat people face in their lives is not from any terrorist or criminal, but from their own government.


Kinda terroristic and criminal governments, often enough. And when you consider the lives saved by having hospitals or food safety regulations or whatever, criminals and terrorists are doing nothing positive at all, so these "statistics" seem kinda off.

The threat is in not dealing with politics before it deals with you, and a good way to do that is seeing "the government" of a democratic nation as something totally separate from a citizen in that nation... instead of getting engaged because it's so messed up, to disengage further because it's so messed up.


Even a stopped clock is right twice a day. That's it. Never stop believing!


Heart disease rang and wants its statistics back


it's maybe interesting to read up on what these kind of intelligence services amounted to before the internet and what they generally did. then you can translate these activities to the digital age and see very easily what they do and don't do.

even in the first episode of cryptolog (nsa) they state that collectors 'might choose or not choose what rules to adhere to to complete their collection job'. so there's rules not to do things and people with choices (like everywhere in life) and these choices aren't aligning to these rules. like always, a channel for plausible deniability and if the shit hits the fan a scapegoat is chosen to mitigate any damages if public eye caught something suspicious. plain and simple how the intelligence agencies work in whatever context.


Isn't this the thing that was added that lets police and intelligence agencies hack other machines legally? I thought that was the only decent part of the bill as most of those attacks become narrow and direct in contrast to the problematic broad information gathering the legislation also authorised.



