
Russia says it can collect encryption keys to decode information from WhatsApp - walterbell
http://www.ibtimes.co.uk/russia-now-collecting-encryption-keys-decode-information-facebook-whatsapp-telegram-1573104
======
vladdanilov
I'll just leave a couple of excerpts for everyone to understand the level of
competence up there.

> After signing controversial anti-terrorist legislation earlier today,
> President Putin ordered the Federal Security Service (the FSB, the post-
> Soviet successor to the KGB) to produce encryption keys to decrypt all data
> on the Internet. According to the executive order, the FSB has two weeks to
> do it. Responsibility for carrying out Putin's instructions falls on
> Alexander Bortnikov, the head of the FSB.

[https://meduza.io/en/news/2016/07/07/putin-gives-federal-sec...](https://meduza.io/en/news/2016/07/07/putin-gives-federal-security-agents-two-weeks-to-produce-encryption-keys-for-the-internet)

> Russian President Vladimir Putin said Thursday at a media forum in St.
> Petersburg that the Internet is a “CIA project” that is “still developing as
> such,” the Associated Press reports.

[http://time.com/75484/putin-the-internet-is-a-cia-project/](http://time.com/75484/putin-the-internet-is-a-cia-project/)

~~~
onion2k
While that makes it sound like the Russian government are planning to crack
all the encrypted traffic on the internet in two weeks, that's not what
they're saying. They've built a website that enables companies to easily
voluntarily hand over their private keys - companies that don't will be fined,
and presumably blocked at a state level if they refuse long term.

[http://news.softpedia.com/news/russia-finalizes-procedures-f...](http://news.softpedia.com/news/russia-finalizes-procedures-for-collecting-encryption-keys-506742.shtml)

------
objectiveariel
I actually believe the Russian government can do that.

It's _trivial_ for a messenger app to include code that sends a copy of your
private key to the messenger app's company's HQ, if served with a warrant or
if obliged by law (and that seems to be precisely what's happening here).

If the messenger app is open-source (like Telegram or Signal), you can satisfy
yourself that the messenger app isn't sending your private key behind your
back.

But it's a different story if the app is closed-source and its parent company
was involved in PRISM (like WhatsApp).

~~~
mattvot
> If the messenger app is open-source ... you can satisfy yourself that the
> messenger app isn't sending your private key

But only if you are building and installing the app from source, and have
audited each release. OS apps installed through app stores suffer the same
lack of visibility as a CS app.

------
rando444
I think we need to wait for someone that understands Russian to chime in and
tell us whether this article interpreted this correctly, or if this is just a
law giving the state the authority to collect your private keys from your
systems (via however they want to accomplish this)

~~~
EugeneOZ
I speak Russian and I can assure you this story is ridiculous to every IT-
related person in Russia. The Russian segment of the internet has already produced a
lot of memes and jokes about "all keys in 2 weeks" (and teleport in last day,
please). It's just the level of incompetence of the Russian government.

This law is just a reason to ban every messenger that will not send traffic to
the FSB.

~~~
executesorder66
Heh. That reminds me about the time when my government (South Africa) wanted
to pass a law that all local ISPs must log and store every bit of data that
goes through their networks for at least 5 years.

------
poilcn
Many things mentioned in this article are not actually true. The publisher
seems biased. Russian officials say different things. I think the most Russia
will do in the next 5 years is the same as Kazakhstan's officials: force
users to install special certificates if they use a secured connection. And
American and European govs likely have plans to do such things too. They have
already copied a lot of laws about surveillance from China, Russia, etc.

------
personjerry
Seems to me like this sort of bluff works on the average users and not the
hardcore users who understand what they are doing, so it's entirely fruitless.
Unless it's not a bluff, in which case we would wonder why the hell they
announced it.

~~~
digookdigook
I wouldn't call it a bluff, but FUD. Of course the carriers can MITM pretty
much all traffic, unless the keys were exchanged on a private channel. The
internet is not private, SMS 2FA ain't either. It's FUD, because the spin that
this announcement is a bluff would lead terrorists from using it anyhow,
revealing sensitive information. Putting on the tin-foil: If even I could
figure that out, perhaps it's indeed intended as a deterrent, e.g. because AI is
not strong or efficient enough to process the amounts of data. That's still
less paranoid than thinking AI was indeed strong enough and just keeping
people busy with unsubstantial stories.

Of course there's also the theory, that even governments are sometimes just
stupid.

------
lambdadmitry
The linked article completely misrepresents the FSB's announcement. It says that FSB
has come up with the procedure by which companies can hand them their
encryption keys, not that they will be able to decrypt everything themselves.

Is it possible to correct the title? It's actively misleading now.

------
nisa
There was a story about some Russian IT company that got huge amounts of money
for bogus claims. Maybe this is the case here, however I doubt that the FSB is
that incompetent. Or it's an attempt to deter usage of WhatsApp and other
clients.

On the other hand there were rumours that Russia can and does manipulate SS7
e.g. to get 2FA tokens via SMS, they also likely have control over the GSM and
3G/4G stations. As this is a black box it's probably not impossible that a
network operator could access the keys via the baseband if there is a hole, a
"feature" e.g. for DMA access from the baseband to the phone, however this is
_pure_ speculation on my part.

------
Flimm
Is it OK to flag stories with auto-play video ads?

~~~
Eutow
No. That is not an intended use of the flagging feature on Hacker News.

------
partycoder
Apparently they required companies to provide their private keys. Once you
have that you can capture traffic and decrypt it.

~~~
rando444
WhatsApp, Signal, and Telegram generate the keys on the clients to provide
end-to-end encryption.

The companies themselves do not have keys to provide to anyone.

~~~
superuser2
Even if that's true, they are one auto-update away from adding a key
exfiltration routine.

------
simbalion
Governments who do not allow the proper, open operation of the internet,
should be banned from using it. Like it or not the Internet was created by
Americans, it was nurtured with American ideals of freedom, and countries who
refuse to allow those standards should be barred from participating. I think
this would have a positive effect in the long run, the way economic sanctions
sometimes work.

A few years ago I'd never have proposed this.. but the willingness of second
and third world governments to abuse the internet for their obviously crooked
purposes has reached a fever pitch in recent months.

Slightly unrelated, but interesting, those same countries produce most of the
world's spam and viruses.

edit: I wonder if it'd be feasible to ban corrupt governments from the
internet while allowing citizens access.

~~~
krapp
> Like it or not the Internet was created by Americans, it was nurtured with
> American ideals of freedom, and countries who refuse to allow those
> standards should be barred from participating.

And it's been undermined by Americans, and been corrupted into a platform for
American surveillance and cultural propaganda, thanks to the NSA and CIA.

The thing is, Putin sounds like a raving loon for saying things like "the
internet is a CIA project," but he's not entirely wrong. The US created one of
the greatest tools for freedom, communication and expression the world has
ever known... and it's been trying ever since to burn it down and plant
the Stars and Stripes in the ashes.

~~~
simbalion
Compared to other countries, entirely in my head and not in any scientific
way, I think America has a better track record than some of protecting the
internet from tyrannical government agents.

