
Russian spies claim they can now collect crypto keys–but don’t say how - danielmorozoff
http://arstechnica.com/tech-policy/2016/08/russian-spies-say-they-are-able-to-collect-crypto-keys-but-dont-say-how/
======
pavel_lishin
> _Russia's intelligence agency the FSB, successor to the KGB, has posted a
> notice on its website claiming that it now has the ability to collect crypto
> keys for Internet services that use encryption. This meets a two-week
> deadline given by Vladimir Putin to the FSB to develop such a capability.
> However, no details have been provided of how the FSB is able to do this._

This definitely sounds like one of those "Tell the boss it's done, and hope he
doesn't ask for it too soon" type of situations.

~~~
dogma1138
I'm surprised that the FSB was actually called upon. Russian SIGINT efforts
are directed by the GRU; they inherited the KGB's SIGINT network and
personnel, and they are the ones heading Russia's terrestrial and space-based
SIGINT operations and platforms. The FSB is more akin to the FBI+ICE+ATF, MI5
or the Israeli Internal Security Service (Shin-Bet): they are responsible for
state and internal security, not intelligence collection on this scale. Also,
so far all the high-confidence attributed Russian cyber operations were
attributed to the GRU, not the FSB.

~~~
pavel_lishin
Secondary hypothesis: Putin is ex-KGB; he's probably got closer contacts in
the FSB than the GRU, so it's easy to tell them to say "yes" to whatever
deadline he gives them. Looks good all around.

~~~
dogma1138
Putin's main KGB career was in the 1st Directorate (Foreign Intelligence
Service), in which he served as an FIO; this turned into the SVR when the
Russian Federation was established, and the SVR and GRU are two sides of the
same coin. He later did serve as the director of the FSB for a very short
period, but he's best known for reforming the organization, which resulted in
major "layoffs" (and being laid off in the intelligence world, especially in
pseudo-authoritarian regimes, rarely ends well). Again, this is an odd case,
but as some others have mentioned it seems to be a legal framework to compel
companies (or individuals) to hand off their keys rather than some technical
solution.

------
berekuk
The FSB's announcement doesn't speak of any new technical capability; it just
says that they formalized the legal procedure by which everyone should share
their crypto keys with the government.

Source: I'm a Russian.

~~~
seren
Just curious, does any company operating in Russia have to comply, or only
companies hosted in Russia? Basically, does Facebook have to comply?

~~~
berekuk
Yes. Any social network, instant messenger or anything else which uses crypto
will have to share keys so that the government can decrypt "anything they
like".

So, Facebook will either comply, or it'll have to pay the fine (800k-1m rubles
≈ $15000), or it will be banned.

The law also prescribes for all "organizers of information distribution" to
store the voice call recordings for 6 months and to store metadata for 3
years. Nobody is sure what "organizers of information distribution" means, but
at the very least it includes all phone calls and instant messages.

Yes, it's crazy.

~~~
danjoc
> Yes, it's crazy.

I agree. There is an English idiom, "Don't put all your eggs in one basket." I
assume this includes government keys as well. This seems like a juicy target
for hackers. The damage it could do to Russia is almost unimaginable.

~~~
berekuk
There's also a Russian saying, "The strictness of Russian laws is balanced out
by the fact that they don't have to be enforced".

Precedent: a new Personal Data Protection Law was passed two years ago. It
included the crazy clause that all personal data of Russian citizens must be
stored and processed on servers located in Russia. Facebook didn't comply, and
I'm sure many other websites didn't comply either, but nobody cares, AFAICT.

On the other hand, our government can decide at any moment that they don't
like some website, person or other entity, and they'll quickly find a way to
get rid of this entity without breaking the law.

------
csense
[https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis](https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis)

------
dmoy
Is this just the 526-FZ law from last year?

[http://www.hldataprotection.com/2015/01/articles/internation...](http://www.hldataprotection.com/2015/01/articles/international-eu-privacy/russia-changes-effective-date-of-data-localization-law-to-september-2015/)

Or is this something else?

------
kostenko
Certification is only for messengers which carry state secrets:

[http://www.fsb.ru/fsb/science/single.htm%21id%3D10437738%40f...](http://www.fsb.ru/fsb/science/single.htm%21id%3D10437738%40fsbResearchart.html)

------
vorotato
Is it just me or does Putin also have tiny hands?

