
Insecure by design: protocols for encrypted phone calls - archiebunker
https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/
======
dotBen
If a government agency responsible for signal monitoring and espionage
suggests an encryption format, endorses one particular format over another or
even just actively participates in such discussions -- shouldn't that raise
alarm bells in most tech-savvy people's heads?

The reality is the telecommunication industries in UK, US and other nations
are complicit with such activity because they are legally required to provide
access to their partners in government intelligence. And they operate in
highly regulated environments that they will be shut out of if they don't
cooperate.

Encryption has moved to the OS level, which is why we're seeing similar
pressure being presented to Apple with this terrorist's iPhone.

~~~
colejohnson66
> If a government agency responsible for signal monitoring and espionage
> suggests an encryption format, endorses one particular format over another
> or even just actively participates in such discussions -- shouldn't that
> raise alarm bells in most tech-savvy people's heads?

Yes, _but_ the NSA did have a hand in AES

~~~
nickik
The NIST and other state organisations continue to be active in this area.
However not all they do is pure evil and all the open standards AES or SHA1
have also been studied and reviewed by many other cryptographers. Most
consider them still safe for practical use cases.

Nowadays the NIST is guiding the process of standardisation, but is not
itself actively doing anything. Most cryptographers agree that the process
for SHA3 ran quite smoothly and they did a good job. However when the NIST
tried to offer some improvements, the crypto community heavily stomped them and
these improvements never went into the standard.

There were talks on these subjects in the last couple of Chaos Communication
Congresses.

------
dijit
That's rather terrifying.

If I'm reading this right then they basically have access to all 3G/4G data
and they do so in a way that cannot be detected.

My home country is rather delightful, isn't it. :(

~~~
branchless
The UK is one of the most problematic nation states on the planet. Couple all
the nasty spying with all the banking, money laundering and tax havens and
it's hard to think of one country doing more to suppress working people
worldwide.

~~~
jmnicolas
Frankly I don't think you can have the moral high ground if you live in a
first world country ...

I'm French so of course I would tend to agree about UK (;-) but if I start to
look at my country there are a lot of things not to be proud of ... and if I
look at the neighbors it's the same, even Switzerland helped South Africa back
in the apartheid days on a project to gas their ghettos !

Maybe Iceland ?

~~~
adwf
Yeah, it's really easy to criticise the US and UK at the moment, because
they're the only ones that have had their documents leaked.

If anyone thinks that France, Germany and others aren't doing the exact same
stuff, then they're very mistaken.

~~~
nickik
Germany has the most active community fighting against this stuff and is far,
far better than the US, UK or France. France itself is quite bad, but not to
the point of US or the UK.

The UK is so bad that the NSA has more rights in the UK than in the US.

~~~
adwf
My point was that no-one knows what the French and German governments are up to
in secret, because it is still secret. It hasn't been leaked. The only reason
the US and the UK are getting so much press is because their programs have.

The UK's surveillance program was even ruled illegal once it was found out
what they were doing. So what if a lot of the German public are against
surveillance - so are a lot of Brits - they just don't know what their
government is doing in secret.

I'd bet everything I own the French and Germans and every other major country
are doing the exact same stuff.

~~~
nickik
I don't know about France, at least publicly they are not very accepting of
privacy arguments, especially after Paris. I have no idea about the secret
part.

Germany is somewhat different because of its history. We know quite a bit
about what the BND does, in terms of monitoring extremist groups. We have
pirates in pretty important positions and the CCC is regularly working with
government in oversight commissions.

It is pretty hard to hide all that you are doing, both in terms of physical
infrastructure and in terms of financials. Now it may be that the BND is
extremely clever and hiding all of this from basically everybody. However
given the competence displayed by the BND in various actions that they have
taken, it is a really hard sell that they are operating an infrastructure close
to the US or UK one.

~~~
adwf
Yeah, but when you see the outrage that Merkel displayed over finding out her
phone had been tapped by the NSA; do you seriously believe that the BND
haven't tried the exact same thing on Obama or Cameron when they're in
Germany?

My point is that a lot of the outrage is only because the UK and US are the
only ones we _know_ of.

~~~
nickik
I am talking about broad mass surveillance not individual acts of espionage.

------
cema
I think a number of the comments tend to use the word "country" instead of
"government". The UK, France, and all other first world countries are great
countries, in many ways that count. Governments however are not so great, and
cannot be expected to be, by the nature of being institutes of suppression (as
well as castles of bureaucracies). Still, compared to the rest of the world,
they are manageable, and often tolerable.

------
forgotpwtomain
Direct link to the referenced article (probably preferable to an article about
an article?):
[https://www.benthamsgaze.org/2016/01/19/insecure-by-design-p...](https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/)

~~~
dang
Ok, we changed the URL to that from
[http://www.theregister.co.uk/2016/01/21/mikey_ibake/](http://www.theregister.co.uk/2016/01/21/mikey_ibake/).

------
newman314
What I find frustrating is that there is not more adoption of ZRTP for VoIP
calls. Heck, there's not a whole lot of people doing SRTP either. People just
don't seem to care. =(

