
GCHQ-built phone voice encryption has massive backdoor - temp
http://www.theregister.co.uk/2016/01/19/key_voice_encryption_protocol_has_backdoor/
======
n4r9
The irony of this story neatly mirrors the inconsistencies in the UK
government's recent response to a petition to "to abandon all ideas of trying
to ban strong encryption":
[https://petition.parliament.uk/petitions/106369?reveal_respo...](https://petition.parliament.uk/petitions/106369?reveal_response=yes)
.

The government's response boiled down to

1) The Government is not seeking to ban or limit encryption.

2) The Government is clear we need ... to ensure that ... the police and
intelligence agencies can ... access the content of communications of
terrorists and criminals.

Not too surprising that around 26 of the 650 members of Parliament have
degrees in science or technology.

~~~
pbhjpbhj
>Not too surprising that around 26 of the 650 members of Parliament have
degrees in science or technology. //

Is that particularly unrepresentative of the population as a whole?

~~~
porsupah
Per the Office of National Statistics:

[http://www.ons.gov.uk/ons/dcp171776_337841.pdf](http://www.ons.gov.uk/ons/dcp171776_337841.pdf)

==

The population we have used in this report is all adults living in the UK who
were not enrolled on any educational course on the survey date. The age range
we have focused on is women aged between 21 and 59 and men aged between 21 and
64. The lower age limit of 21 is used as most people will not have been able
to complete a graduate level qualification before this age. However, please
note also that educational systems are different across the countries of the
UK. Upper age limits were used because we wished to focus on people active in
the labour market. These particular ages were chosen to maintain consistency
throughout the report as some sections consider time periods before changes to
state pension ages. In 2013 there were 12 million graduates in the UK In April
to June 2013 there were 31 million people in the UK who were not enrolled on
any educational course. Breaking these people down by the highest
qualification they held:

• 12.0 million, or 38% were graduates

• 6.7 million, or 21% stated that their highest qualification was of an A
level standard

• 6.6 million, or 21% stated that their highest qualification was equivalent
to an A* to C grade GCSE

• 3.1 million, or 10% had “other” qualifications not categorised in the UK

• 2.9 million, or 9% had no qualifications

~~~
pbhjpbhj
It was more the field of educational accomplishment I was interested in. It's
good IMO that MPs have higher qualifications in general than the norm but I
was really wondering what the distribution of qualifications per field was.
The 26/650 in tech and IT seemed like it might match the populations in
general, but I don't know.

~~~
n4r9
That would be interesting... this article has something along those lines:
[http://subtleengine.org/2014/06/28/mps-degrees-what-do-
they-...](http://subtleengine.org/2014/06/28/mps-degrees-what-do-they-know/)

I'm not sure which is the more relevent statistic: proportion who hold STEM
degrees, or the ratio of STEM degrees to humanities degrees?

------
bede
I feel obliged to once again refer to Home Secretary Theresa May's on-record
statement to a government committee only seven days ago:

"The UK does not undertake mass surveillance".

Make of this what you will.

~~~
joosters
She is technically correct, but it's a very misleading technicality.
Surveillance is _monitoring_ , and the government can claim that what they
actually do is mass _recording_ of Internet traffic.

~~~
tux3
I think that is what mass surveillance is commonly understood to mean.

Trying to shift the meaning so that the GCQH can _technically_ say there's no
surveillance seems incredibly dishonest to me.

If one needs to resort to pedantry to appear to be right, then there is no
better justification for their views than a fallacy.

~~~
joosters
Oh, I agree. I think it's totally misleading, but this is the way they are
describing the surveillance that we have.

------
tomelders
So the UK government is trying to amass a toolset that wold be the stuff of
wet dreams for the Stasi - but they're absolutely not going to use them for
the very thing they are designed to do - even though we know they're already
doing the things they say they're absolutely never going to do with he tools
they say they don't have but they actually do have.

Hmmmmm. Okey dokey asshats.

What puzzles me though is this: These things aren't designed and built by
politicians. They're designed and built by highly skilled people with above
average intelligence. And the UK security services don't pay that much money.
So who are these idealogical geniuses who are ready and willing to arm a
government with tools they should not possess?

~~~
aries1980
These systems most built by contractors and specialised companies such as
Hacking Team
[https://en.wikipedia.org/wiki/Hacking_Team](https://en.wikipedia.org/wiki/Hacking_Team)
.

------
GordonS
The sad thing is that in this day and age nobody is going to be surprised by
this, and most of the genral public won't even care :(

~~~
BrockSamson
Unfortunately most people appear to struggle with seeing how things like this
could affect them

~~~
pbhjpbhj
Does it really affect "most people". Sure, the potential effect is there - you
commit a crime and they'll check your phone records and whatever to catch you
and your associates but beyond that?

Most people use their phones to talk about pretty banal things.

~~~
bediger4000
Sure, but "most people" aren't going to actually have the data collected on
them examined. Just rising young party stars, perhaps. Or civil rights and
environmental activists. Or the CEOs of companies that are competing with
friends of the head of GCHQ. Do those people talk about banal things? Do those
people talk about illegal things? Do those people talk about embarassing
things?

Honestly, the issue here isn't "most people's" banal talk. The effects of
having such a huge cache of data on hand to get "leverage" on key people that
the GCHQ doesn't like is the issue.

~~~
pbhjpbhj
Exactly, it's not most people but key people - ergo "most people" don't care.

------
wmt
The original story at [https://www.benthamsgaze.org/2016/01/19/insecure-by-
design-p...](https://www.benthamsgaze.org/2016/01/19/insecure-by-design-
protocols-for-encrypted-phone-calls/) seems to be not coping well with the
traffic, here's the Google cache:
[http://webcache.googleusercontent.com/search?q=cache:rBNjGS8...](http://webcache.googleusercontent.com/search?q=cache:rBNjGS8jxX8J:https://www.benthamsgaze.org/2016/01/19/insecure-
by-design-protocols-for-encrypted-phone-calls/&num=1&hl=en&strip=1&vwsrc=0)

------
conjectures
It should have been obvious to the project team that the hole would be noted,
or suspected if the details were obfuscated. I'm more concerned about the
waste of public money on a doomed project.

~~~
toyg
Why "doomed"? Public bodies will adopt it. People who need to work with public
bodies will adopt it. And sooner or later, ISPs will be forced to adopt it.

The protocol is working as expected. It doesn't have to be technologically
superior to win adoption, it will be mandated by law. It just has to be good
enough for the purpose it was developed: to provide an obfuscation layer that
can "keep out" casual intruders while allowing unfettered access to the
security apparatus (I won't say "law-enforcement officers" because these
people are actually law-breaking).

~~~
SideburnsOfDoom
It's not just that there's a half-open back door that GCHQ knows all about;
now there's a half-open back door that _everyone_ knows exists. If you wanted
to break in, that's a big help to you. Why adopt this now, when sooner or
later the back door will be wide open to everyone?

~~~
toyg
You don't understand -- this protocol is not supposed to be bulletproof. It's
supposed to be good enough to be considered a step up from the status-quo for
certain uses _from a legal perspective_. You won't get the choice to get on
board: who has to be onboarded will be _legally forced to do so_.

If you have the resources and know-how, the current telephone system is not
very hard to break into; but you don't get the choice of what protocol to use
when connecting a phone to the network. This is the modern equivalent.

~~~
SideburnsOfDoom
> this protocol is not supposed to be bulletproof. It's supposed to be good
> enough to be considered a step up from the status-quo ... the current
> telephone system is not very hard to break into ... This is the modern
> equivalent.

I see. Though I would also suggest that the status quo is unsustainable: ever
since May 2013 it has become increasingly clear that things can't carry on as
before; a minor "step up" to a modern equivalent is not enough for modern
times.

------
Nursie
Well, what an enormous surprise this is.

GCHQ, who have been implicated in mass surveillance for many years, and who
were showed by Snowden's releases to be doing lots of snooping and sniffing
around indiscriminately and who haven't come under any criticism whatsoever
from the UK government in light of these releass, have made a compromised
encryption product that allows them to carry on doing what they do.

I'm absolutely floored by this.

------
tednoob
I previously worked at Cryptify AB with Cryptify Call.

I think this article misses the point somewhat. This is not a backdoor, it is
the entire point of the scheme. As I understood it CESG wants MIKEY-SAKKE
primarily for use within the government or within companies working for the
government.

For the network owner MIKEY-SAKKE is very convenient because it satisfies the
criteria for Lawful interception[1] while also enabling end users to both
authenticate and encrypt messages without actually talking to the network
owner after the initial trust has been established. It works well as long as
the user trust the network owner and you want to protect your users from
external powers while maintaining the ability to decrypt any message in the
network.

[1]
[https://en.wikipedia.org/wiki/Lawful_interception](https://en.wikipedia.org/wiki/Lawful_interception)

------
ianamartin
Seems to me that government agencies are good at two things:

1\. Failing to be any good at what they are trying to do and, 2\. Using said
failures to take advantage of poor people and put them in jail.

This seems like a case of both happening.

------
mirimir
Maybe "MIKEY-SAKKE" is an inside joke.

Mikey: "A seemingly innocent and sweet little boy causes murder and mayhem in
his new neighborhood ..." [0]

saake: "arrested number of young" in Somali [1]

[0]
[http://www.imdb.com/title/tt0104870/](http://www.imdb.com/title/tt0104870/)

[1]
[https://translate.google.com/#auto/en/saake](https://translate.google.com/#auto/en/saake)

~~~
triplesec
This is too obscure on its own to make sense: your links should illustrate,
rather than be necessary for comprehension!

~~~
mirimir
My serious point is that "MIKEY-SAKKE" is a joke. I first thought of Takashi
Miike, and the “Everything I’m about to tell you is a joke.” line from _Gozu_.
But that didn't lead anywhere. Still, isn't the _Mikey_ association at least a
little funny?

------
akie
Unsurprising yet depressing :(

------
x5n1
Yes let's let government surveillance outfits design protocols. I mean who
ever though this would ever be a good idea? They will 100% of the time fail at
this task.

