
UK spies: You know how we said bulk device hacking would be used sparingly? - wglb
https://www.theregister.co.uk/2018/12/06/uk_gchq_bulk_equipment_interference/
======
cs02rm0
This is presumably a response to the increase in encryption post-Snowden. In
which case, it's a good thing from one angle at least - it suggests that moves
to encrypt everywhere are frustrating bulk intercept.

~~~
candiodari
No, it states the reason in the article:

> UK spies are planning to increase their use of bulk equipment interference,
> as the range of encrypted hardware and software applications they can't tap
> into increases.

So past communication methods came with built-in backdoors for UK spies (and,
as it turns out, around 32 other EU agencies). These backdoors are becoming
useless for them, and so they seek to force everyone else into providing
backdoors for them again.

~~~
mike_hearn
I'm not sure why you interpret it that way. Nobody has found built-in
backdoors for UK spies, and where did you get the "32 other agencies" from?

This shift was predicted long in advance and is clearly a response to the
increasingly saturation-level usage of SSL. GCHQ and NSA have for decades been
oriented primarily around bulk interception of unencrypted radio and fibre
traffic, see:

[http://www.lamont.me.uk/capenhurst/original.html](http://www.lamont.me.uk/capenhurst/original.html)

But what happens when nearly all traffic becomes encrypted? Then they must
become ever more reliant on hacking the endpoints, to get at data before the
encryption is applied.

What's happening is easily explainable without needing to refer to apparently
non-existent back doors. The closest thing to that was the Dual_EC_DRBG algorithm,
but nobody ever used that except RSA Inc who got paid to use it, because their
back doored algorithm sucked and the back door was spotted very quickly. I
doubt it ever had much operational impact.

~~~
mmjaa
>Nobody has found built-in backdoors for UK spies

I think GCHQ's intercept capabilities are pretty well documented in the ANT
catalog:

[https://en.wikipedia.org/wiki/NSA_ANT_catalog](https://en.wikipedia.org/wiki/NSA_ANT_catalog)

I know for a fact that GCHQ are customers of JUNIORMINT.

(Check for fingerprints and other sloppy cleaning on the wrappers of those
"brand new laptops", folks.. the ones that spent a couple of days in limbo at
a 'shipping hub' somewhere around Heathrow/Stansted, etc.)

This is the issue with the duplicity inherent in the 5-eyes agreement - what
we think only 'the other guys' can do, our guys can do when they work with the
'other guys'.

~~~
foldr
> (Check for fingerprints and other sloppy cleaning on the wrappers of those
> "brand new laptops", folks.. the ones that spent a couple of days in limbo at
> a 'shipping hub' somewhere around Heathrow/Stansted, etc.)

If the intelligence agencies are really spending time and resources on such
ludicrously inefficient and ineffective techniques as installing backdoors on
random laptops in warehouses, you should be glad!

~~~
TallGuyShort
Why should I be glad? I'm paying for it. If they're not spending on effective
efforts against legitimate threats, that money is, at best, wasted and I'm
still exposed to those threats. At worst, maybe my own money will one day be
used against me in prosecuting a victimless crime. The likely middle ground is
my own money is being wasted to violate my own privacy for no good reason.
This isn't sounding very good to me.

~~~
foldr
The intelligence agencies obviously aren't doing this. It was a tongue-in-
cheek comment.

~~~
manicdee
Don't worry, they are doing this. There will be suits with budgets whose hold
over power is entirely dependent on the need for that expenditure to be
expanded.

~~~
foldr
What evidence do you have that they're routinely intercepting laptops during
shipping and compromising them?

------
hkt
It'd be lovely if the security services acted to make the general population
more secure instead of less.

~~~
kmlx
"Police foil seven terror attacks in London in just six months"

[https://www.standard.co.uk/news/london/police-foil-seven-terror-attacks-in-london-in-just-six-months-a3642371.html](https://www.standard.co.uk/news/london/police-foil-seven-terror-attacks-in-london-in-just-six-months-a3642371.html)

~~~
fromthestart
I'd be extremely wary of such reports coming from the government. I don't know
about other sources but that article provides absolutely no additional
information beyond the claim. And I imagine this kind of information is nearly
impossible to verify, which they may be betting on.

In short, given the current state of media and government, it wouldn't
surprise me if this were just propaganda.

~~~
mike_hearn
Maybe but not necessarily.

The flip side of your view is that there are absolutely cases that are real,
which don't even make it to the press at all. I was an expert witness for a
terrorism case in the UK - the guy was convicted - and nothing about it ever
surfaced in the media.

The reality is that there are a stream of people in the UK who try to carry
out terrorist attacks, and who are stopped by the police. Attempting to argue
against a bad policy by claiming terrorists are establishment propaganda is
likely to be a bad strategy as a result.

A much better approach is to ask how many of these terrorists are really using
sophisticated cryptography, and how many successful attacks would have been
stopped if not for encryption? And there we find the answer is "not many" and
"essentially none".

There is a great article on that very topic, written by a British journalist
who also has acted as an expert witness in _many_ terrorism trials:

[http://privacy-pc.com/articles/how-terrorists-encrypt-threatscape-overview.html](http://privacy-pc.com/articles/how-terrorists-encrypt-threatscape-overview.html)

It looks at many cases of busted terrorist attacks over many years, and
examines the involvement of cryptography. The conclusion is that the
intersection of terrorists and sophisticated users of encryption is the empty
set. The closest you get is a groupie who worked on things like propaganda and
funding, but who wasn't involved in any attacks themselves.

Now that article was written quite a few years ago and I suspect the new
attitude of companies like Facebook towards encryption has changed the game
somewhat, WhatsApp end to end encryption (assuming it's really on for
everyone) makes it much easier to protect conversations than before so, it
would stand to reason that cryptography does foil terrorism investigations
more often than it used to. However, we don't _know_ that, and the IC was
yelling about the danger of cryptography for decades already - certainly in
the time frame that Duncan Campbell's analysis was written in.

In conclusion, I'd focus more on whether real terrorist plots are happening
successfully because GCHQ couldn't hack things fast enough, than on whether
terrorists exist at all.

~~~
TheOtherHobbes
Interesting. This paper takes a different view.

[https://ctc.usma.edu/how-terrorists-use-encryption/](https://ctc.usma.edu/how-terrorists-use-encryption/)

I would be very surprised indeed if the intersection of front-line terrorists
and users of industrial encryption was an empty set.

I think it's more likely the intersection of _caught and prosecuted_
terrorists and users of industrial encryption is an empty set - or at least a
much smaller set than those who use FB Messenger to coordinate attacks.

This is not an argument for backdoors. I suspect the real inefficiencies in
monitoring don't come from lack of evidence, but from lack of efficient data
processing and flagging.

~~~
mike_hearn
The two papers discuss some of the same cases.

In particular your paper discusses the "Tadpole" program developed by Rajib
Karim to communicate with Al-Awlaki, albeit it doesn't refer to it by that
name. It's interesting to see how there are different spins on the same event.

[http://privacy-pc.com/articles/how-terrorists-encrypt-7-peculiarities-of-encryption-using-tadpole.html](http://privacy-pc.com/articles/how-terrorists-encrypt-7-peculiarities-of-encryption-using-tadpole.html)

Both papers point out that: _Police described his use of encryption as “the
most sophisticated they had seen in a British terrorist case.”_

In the talk by Campbell, Tadpole is described as amateur hour. It's literally
a Caesar cipher implemented using Microsoft Excel, with the results copied
into password protected Word documents. Campbell observes that even a very
rudimentary intelligence agency would be easily able to break this code
without access to any of the underlying materials ... in fact, the technique
for breaking such a cipher was first described by an Arabic mathematician over
a millennium ago. This was used in _preference_ to the "Asrar" PGP GUI that was
circulating amongst jihadis, because it wasn't clear to Karim that Asrar was
really trustworthy. Was it an NSA plant? This problem crops up all the time
with jihadis trying to use strong encryption: they can't implement it
themselves, they don't trust western apps and struggle to verify the origins
of programs claiming to be written by fellow jihadis.

Overall Campbell treats Tadpole as a joke: a textbook study in why
terrorists+encryption are not anything worth worrying about.

In the West Point paper you link to, the same program is described in quite
different terms. It's described as an "intricate system", an "unorthodox and
complex technique based on cipher codes and passwords stored on Excel
spreadsheets" that produced "end to end encryption". It says "Western
intelligence agencies were not able, as far as is known, to intercept any of
his communications in real time". The West Point author appears to be under
the impression that the _only_ mistake Karim made was not wiping his laptop in
time, which allowed police to access the underlying spreadsheets he was using.

This is a fascinating study in how the capabilities of terrorists are
sometimes exaggerated to build the case for all-backdoors-all-the-time.
Tadpole wouldn't have stopped a clever teenager with access to some
intercepts, let alone an intelligence agency as sophisticated as GCHQ. Yet it
is being used as evidence of fundamental shifts that require deep social and
policy changes.

~~~
rishabhsagar
Thanks for such a detailed insight.

The West Point paper in this case appears to be clearly hiding an agenda. Don't
courts have some sort of checks and balances to minimise this type of influence
from expert witnesses?

~~~
wbl
Cross examination.

------
floatingatoll
“GCHQ’s planned use of the Investigatory Powers Act 2016 Bulk Equipment
Interference Regime”

[https://assets.publishing.service.gov.uk/government/uploads/...](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/761147/Letter_from_the_Security_Minister_to_Dominic_Grieve_QC_MP_December_2018.pdf)

(PDF)

------
baybal2
Interesting dilemma there: gazillions of routers with the worst possible
security vulnerabilities are lying in the open for everybody to exploit.

Either you have them flopped yourself, or leave it to the enemy.

But in any way, the West has more urgent issues than Chinese popping their
routers, namely the issue of their own spy agencies running rampant.

~~~
SmellyGeekBoy
I'm not so sure, I think I'd rather be spied on by my own country.

~~~
leibwiht
That's very silly. Between all of the people capable of spying on you, it's
exactly your own country that has the most ability to harm you. The Chinese
government can't arrest you if you're not in China, but your government can.

~~~
na85
China can assassinate you on foreign soil - as Russia has demonstrated, the
consequences for this are essentially nil.

~~~
Nasrudith
For a nuclear power petrostate with minimal economic ties. China would get the
shit boycotted out of them at least and Iran would get the shit bombed out of
them as many politicians have been caught openly drooling at the prospect.

~~~
na85
Says you, a random internet commenter.

Meanwhile international diplomacy's track record is clear.

------
setquk
I’m not overly bothered about this. Their access vectors are more likely to
get noticed in bulk and patched so the entire idea is self defeating in the
long run. Which is beneficial for all of us.

~~~
Xylakant
Given that many many many devices are not patched despite known
vulnerabilities, I'd not be overly optimistic about this. Vendors do not
provide patches for devices, Vendors go out of business, Users don't patch
even when patches are available. This affects everything, routers, phones, IP
cameras, you name it.

I'd rather expect that the access vectors get noticed and applied by criminals
en masse.

~~~
anilakar
Ah, the horrors of lifecycle management of consumer devices.

Every networked product should come with a legally binding A4/letter-sized
sheet that clearly shows the last date the product is guaranteed to receive
security patches. Not fulfilling the requirements would have to result in a
buyback with the sum directly proportional to whatever time of the promised
lifetime is left unused.

EU countries already have rather strict consumer protection laws but they
really haven't been designed for situations where a hardware product can be
rendered unusable by insecure software.

~~~
TomMarius
> EU countries already have rather strict consumer protection laws but they
> really haven't been designed for situations where a hardware product can be
> rendered unusable by insecure software.

That is definitely covered by the standard 2 year warranty as insecurity (when
security is expected) is seen as defect. If they don't fix it you get your
money back. I successfully got my money back for several phones after 1 to 1.5
years.

~~~
andai
First time I've heard of this, this is really interesting. Don't most phones
release updates for the first ~2 years? Maybe this law is the reason?

~~~
TomMarius
Indeed most phones do. This law however applies to resellers of cheap Chinese
phones of small brands as well, which was my case.

------
sbhn
Your data, someone else's money; and in this case, the money for those who can
convince you the most that you are in imminent danger, and that's why they need
so much more money and media attention and fear-mongering government support.

~~~
kmlx
Fear mongering "the government is out to get us" vs fear mongering "the
terrorists are out to get us". Neither is true, but fear sells nonetheless.

~~~
retrogradeorbit
Statistically speaking (tally up the dead for example) the biggest threat
people face in their lives is not from any terrorist or criminal, but from
their own government.

~~~
PavlovsCat
Kinda terroristic and criminal governments, often enough. And when you
consider the lives saved by having hospitals or food safety regulations or
whatever, criminals and terrorists are doing nothing positive at all, so these
"statistics" seem kinda off.

The threat is in not dealing with politics before it deals with you, and a
good way to do that is seeing "the government" of a democratic nation as
something totally separate from a citizen in that nation... instead of getting
engaged _because it's so messed up_, to disengage further _because it's so
messed up_.

~~~
retrogradeorbit
Even a stopped clock is right twice a day. That's it. Never stop believing!

------
vectorEQ
It's maybe interesting to read up on what these kinds of intelligence services
amounted to before the internet and what they generally did. Then you can
translate these activities to the digital age and see very easily what they do
and don't do.

Even in the first episode of Cryptolog (NSA) they state that collectors 'might
choose or not choose what rules to adhere to to complete their collection job'.
So there are rules not to do things, and people with choices (like everywhere in
life), and these choices aren't aligning with these rules. Like always, a channel
for plausible deniability, and if the shit hits the fan a scapegoat is chosen
to mitigate any damages if the public eye caught something suspicious. Plain and
simple how the intelligence agencies work in whatever context.

------
Quarrelsome
Isn't this the thing that was added that lets police and intelligence agencies
hack other machines legally? I thought that was the only decent part of the
bill as most of those attacks become narrow and direct in contrast to the
problematic broad information gathering the legislation also authorised.

