Prez Obama snubs UK PM's tough anti-encryption crusade at White House meet The UK and the US will collaborate more closely to prevent "cyberattacks," the two countries' respective leaders so bravely promised in a joint press conference on Friday. Following bilateral meetings in Washington DC this week, UK Prime Minister David Cameron and US President Barack Obama jointly announced new cooperative …
that Obama, as well as many parts of the industry, would be in favour or at least not opposed to a ban on strong crypto. Obama (or more precisely the US government which is far more than just him) could use it to control their people a lot better in order to prevent/contain public uprisings as early as possible, and the industry would need to spend a lot less on cryptography.
The industry doesn't need crypto and it won't give us proper crypto in a time when selling the data of your users, or even mining it for yourself is seen as something acceptable. Even those few promises we get now are worthless, as those companies can be made to sabotage encryption on command.
>>"The industry doesn't need crypto and it won't give us proper crypto in a time when selling the data of your users, or even mining it for yourself is seen as something acceptable"
Not sure what you consider "The industry" to be, but big business absolutely needs strong encryption. It is vital to ours and other companies. Not just banking, etc., but any respectable large corporation. Google et al. may not have a vital need for it when they're giving you free email, but the professional world absolutely needs and wants this.
I could, but can't, give you numerous examples of industrial espionage. And don't think that companies are happy about having to let the government have access, either. I know personally of two large contracts that US firms have lost recently due to not being able to provide assurance to European customers that the US government wont have access to their data. The Microsoft Ireland case is merely the most well-known of the current crop. Government access is also sometimes subverted - either complicity or otherwise meaning that even were a company happy to allow the governments to monitor for purposes of national security, one cannot trust that this will only be used for such purposes. An example of complicit subversion is when Raytheon used information acquired by US intelligence to out-bid a European rival. An example of uncomplicit subversion would be when the tools used for monitoring phone calls were hijacked by foreign parties without the operators' knowledge in the case of the Vodafone network being compromised to listen in on the phone calls of the Greek prime-minister and others for over a year. The hackers simply made use of the existing spying technology and turned it on their targets of choice.
So I honestly have no idea what you're talking about when you say "the industry has no need of encryption" or that "they will not give it to us". It honestly sounds like paranoid ravings of someone who sees "Us" the people vs. "Them" big business and just thinks of Gmail et al. Strong Encryption without government backdoors is very much wanted by "the industry" for anything other than a very small subset of businesses. And even Google want it for their own use, even if not to deploy with your email account.
That's why what Cameron wants is nonsense. (Well, that and human rights, I guess).
Edit: Wow that didn't take long: http://thehill.com/policy/technology/229787-obama-backs-call-for-tech-backdoors
Well look at the track record. Skype has end to end encryption, but they happily share the encryption keys with everyone claiming to have something like a warrant.
Look at the Clipper Chip, a deliberately broken encryption device which many companies wanted to build into their systems.
Or think of the Lotus Notes "workload reduction factor".
There's plenty of instances where commercial companies deliberately and knowingly implement faulty crypto, and I'm not even talking about the recent ones.
Industry espionage is just an argument to use against governments. In reality even the companies that do use e-mail encryption use it on deeply flawed systems. This isn't a problem as the really important internal information is usually not leaving the building. Companies tend to broadly overestimate the benefit of their work falling into a competitors hand. Few companies have much knowledge that isn't also known by their competitors.
Well look at the track record. Skype has end to end encryption, but they happily share the encryption keys with everyone claiming to have something like a warrant.
Most of these cases are fairly well documented. I don't think it's ethical for skype to exist in that environment - you take your chances, it does economic damage or it doesn't.
You can't back-door OpenSSL, you can't back-door PGP, you can't back-door TOR. PFS destroys the usefulness of handing over keys. They can do what they want but we get no more security for active and significant (financial and actual due to security weakness) harm to UK (and considering your link) US business - people can go elsewhere and not have this problem. The inability to validate Microsoft's crypto stack is doing them actual harm right now, today - same Apple; imagine what it would be like if people knew for a fact there was an issue with say Microsoft's RNG as opposed to conjecture - good luck share price. If they could somehow manage to tame Linux (and given most distros are moving towards reproducible binaries - good luck) people would just push untamed sources. Cat, meet bag.
OpenSSL featured Heartbleed for many years, which makes you wonder if there are other exploits we don't know about yet. I could see PGP subverted if it started churning out predictable shared keys. And TOR becomes traceable if you control enough exit nodes. And given that Russia, China, and even the EU aren't exactly paragons of virtue in this regard, who's left to trust? Frankly, I think Don't Trust Anyone mode is pretty much in effect.
One interesting side effect of interest in controlling as many exit nodes as possible by multiple agencies is that singly they interfere with that monitoring. It would require a single agency controlling most of the exit nodes unilaterally and sharing the "take" in order for it to work. For now.
>>"Well look at the track record. Skype has end to end encryption, but they happily share the encryption keys with everyone claiming to have something like a warrant."
They're less keen to share their own internal business data and executive's emails. Talking about a willingness to give up their non-paying customer's communications in a select business sector is hardly supporting a case that "the industry" doesn't care about encryption. We care very much and we don't want weak or backdoor'ed security for our company data. Let's take your other example:
>>"Look at the Clipper Chip, a deliberately broken encryption device which many companies wanted to build into their systems."
Rubbish. Practically no-one wants the government to come along and start telling them how to run their business. The Clipper Chip was formally dead within about three years of announcement which is probably some kind of record for cancelling stupid government IT projects. It was widely criticised by business as flawed both because no-one could really verify if it would keep their data safe, few wanted the US government poking around inside their company without their knowledge and it was unenforceable outside the USA putting American business at a MAJOR disadvantage to their European customers. The industry doesn't care about much except for money. When it comes to a choice between money and dancing to whatever silly tune the government is playing today, even that long-term government buddy Microsoft will go to court to try and fend it off.
Stop trying to re-write history to support your weird Eighties view of "the industry" as being some hostile Other. I've no doubt you could find some companies that publically acceded to the Clipper Chip idea but painting it as something businesses were happy about or didn't resist is not honest at all.
>>"Industry espionage is just an argument to use against governments."
I don't even understand what point you're trying to make here. You seem to be saying - and your following paragraphs backs this up - that you think industrial espionage is some sort of false front / excuse. In which case you have NO idea what you are talking about. None.
>>"In reality even the companies that do use e-mail encryption use it on deeply flawed systems. This isn't a problem as the really important internal information is usually not leaving the building."
Important information is usually not leaving the building??? I have almost nothing to say to this because anyone with any experience simply knows that this is wrong. "The building"? I'm staggered that someone can even think of some single business site for even a medium-sized business, let alone that important information is never taken outside of it.
>>"Companies tend to broadly overestimate the benefit of their work falling into a competitors hand. Few companies have much knowledge that isn't also known by their competitors."
This is beyond stupid. If our salespeople knew how much our competitors were about to bid, if they knew our release schedule or planned new features or corporate strategy, if someone had access to our internal vulnerability reports... You do not know at all what you are talking about and are making things up to support your worldview. Do you have ANY idea how much corporate espionage has taken place between China and the USA over the last decade? Obviously not.
Quite simply: if you don't know what you're talking about, don't pretend to.
Whatever happened to the democratic concept that government was supposed to serve the people who elected it?
I'm not sure that a government which would like to unlock everyone's front doors and strip us all naked is really working in our best interests.
Hopefully, Dave will come home with a clue.
Obama, as well as many parts of the industry, would be in favour or at least not opposed to a ban on strong crypto
This guy is getting some good weed.
Don't be comparing what Facebook does with personal data with what your bank needs to securely auth you or that Google needs to be able to keep it's network secure from third-party non-state actors even if your primary assertion is true (it isn't).
When David Cameron was talking about this he was talking about in extremis - meaning effectively in exceptional cases they might need to come along and ask for keys. If you don't like that make sure your crypto supports perfect forward security so that giving up keys would be a waste of time, but to an extent yes - the industry is generally happy turning over data on people who they are told are a threat to various institutions and where possible.
As I pointed out to David Cameron on twitter which I imagine wasn't read by a single soul but I thought it important anyway; the NSA and GCHQ's attitude to all-you-can-eat data out of the pig trough means that crypto is getting much stronger - keys are getting larger, protocols and cipher suites are being abandoned in the hope people can have a little bit of privacy again. There's literally nothing the NSA or GCHQ can do about any of this even if they legislate (because data will move out of the jurisdictional control of either party and US/UK tech companies will collapse as a result) so they might as well put the money into what GCHQ are supposed to do and more humint.
Because I'm a British national it isn't ethical for me to start a tech business I want to start in the current environment so I don't - this is the primary effect of the current environment we live in.
Strong crypto is important, the end.
Mr. Cameron obviously felt there was value in showing his electorate how tough on terror he is ( I understand an election is coming soon!). Sadly, he is clueless as to the encryption game. One solution that has defied interception is the one-time cipher pad, favored in the Cold War by three generations of Russian spies. This still works today, and no amount of legislating or Cameronian bag-piping will fix that.
One might argue that just seeing a string of unrelated numbers in a message is a red flag to intelligence agencies, but the art of steganography makes hiding these very easy, and the explosion of online books makes the selction of source-texts easy too. Cameron should acknowledge that the only people he'd catch would be common citizens not professional terrorists!
Cameron should acknowledge that the only people he'd catch would be common citizens not professional terrorists!
Jim, I'm sure you know this, but sometimes we decent folk slip and give pols more credit than is due by taking them at their word. Cameron isn't after cyberterrorists, he's after votes. Ninety-nine percent of being a politician is gulling the constituency into believing you're earning your pay. The other one-percent is playing golf.
-- Jim O'Cynic
What you are saying, Florida1920, is that We are parented not represented. We have been captured by a group of fraudulent citizens who control our money, our military and have desecrated our constitution.? And do yourselves all a favour this weekend and have a riveting good read about it here
Such though, is quite delusional and has worlds and their dogs of war developing secretive , sensitive, secure intelligence and sharing information, encryption and steganography a’hunting for such as would be arrogant fools and ignorant tools into the throes and follies of excess and corporate pornography.
Even stego has limits. Any method you can think of, there's probably some way to break it so that trying to pass all but the crudest messages (crude in terms of a particular picture meaning "Now!"). Text can be sanitized and respaced, images and sound can be manipulated, and so on.
Commercial codes contain innocuous words or phrases that only have meaning to someone holding a copy of the code. Otherwise, no way to assign meaning at all. And it works. It would take an extremely long run of monitored messages, correlating the activities on each side of the connection, to tease out the code. That's the long run, and we all know what happens in the long run.
How broad are these commercial codes in terns of vocabulary and the ability to convey diverse or voluminous information if necessary? How efficient are they as in how much cover material is needed to conceal the ciphertext without it being seen as suspicious?
As Bruce Schneier famously said, anyone who thinks cryptography is the answer to their problem doesn't understand cryptography and doesn't understand their problem.
That's doubly true for anyone who thinks OTPs and steganography are the answer to their problem.
Cryptography is certainly part of the answers to many problems, defined properly (i.e., the "answer" is in terms of changing the distribution of costs between defender and attacker). And OTPs and steganography are sometimes part of that cryptography part.
But it's wildly ignorant to believe that a cryptographic system with perfect entropy distribution (the OTP or isomorphic equivalents) responds to a threat to broadly restrict cryptographic technology. There's a reason why information-security systems are composed of many protocols, and each protocol built of multiple primitives, cryptographic and otherwise. There are no silver bullets.
...the burning white heat of hate whenever I see those nominal "heads of state" pushing forth their narcissistic agenda informed by the special interests whispering into their ears. What did they succeed in doing. Anything? Anything AT ALL? No. All their "achievements" are lies, flimflammery and massaging of statistics, and at best kicking the can down the street.
Begone! Begone forever.
Reason and informed debate? Would be nice! Alas, it is a dream... ... et tu, brute?
Hmmm?
Regarding what you consider would be nice and not in a dream, et tu, brute?, what do you imagine drivers El Reg commentards to share info and intel to free worlds with Free Worldly Wise Wordy Technologies and IT AIMethodologies? The Simply Complex LOVE* of IT and Vain Glorious Appreciation of Reason and Informed Debate is a Quite Perfect Enough Starting Point for a New Epic Tale and Trail that Mirrors and Clones the Aged and Creaking and Weakening, In the Beginning, and Forges Ab Fab Fabless Futures never ever before even imagined as being possible and highly probable?
*Live Operational Virtual Environment ......... :-) AI Seventh Heaven?
"Both governments have agreed to bolster our efforts to increase threat information sharing and conduct joint cybersecurity and network defense exercises to enhance our combined ability to respond to malicious cyber activity," a "fact sheet" released in tandem with Friday morning's press conference explained.The new measures will include the establishment of a "cyber cell" – a cooperative effort between the US Computer Emergency Readiness Team (US-CERT) and its analogue in the UK (CERT-UK) – with a presence in each country.
"The cell, which will allow staff from each agency to be co-located, will focus on specific cyber defense topics and enable cyber threat information and data to be shared at pace and at greater scale," the countries' statement said.
Yes, and we all remember how well that fcuked up arrangement works in practice ...... http://www.theregister.co.uk/2012/05/03/gareth_williams_inquest/
Not really any sort of spooky territory and virtual team terrain for the faint and naive wannabe lion hearted, or for lead sharing with minor actors. 'Tis the Greater IntelAIgent Games Field of Fine and Dark Web Knights and Damsels a'Hunting in Daring Do. Impossible Tasks Improbably Achieved and Immaculately Mastered is IT not?
That's OK. I was at a UKNOF where the MBA adorned humanitarian degree red-brick post-private school education product (just like all other Cameron cronies) in charge of UK CERT in Cameron "no engineers alowed" government got caught that he does not know what is IP and what is IPv6 and is in fact illiterate in terms of what his job entails. All of that is recorded and was viewable on gootube at some point.
So if it is that clown (and his accompanying "apprentices") playing pocket tennis and sharing that experience with his american counterparts that can continue as much as they like. As they say in patent law circles: "There is no technical effect" (so not patentable). In this case it will be "There is no technical effect" so no consequences to the ones like us which use the Internet to scrape a living.
Not that would make a difference if the clown is replaced. In this government it will still be a technically illiterate MBA adorned red-brick humanitarian graduate from the correct private school.
As far as the real security professionals in UK/US cert they already share info and work together. I do not see exactly what does this agreement add to that.
Just don't look it up in the Urban Dictionary ;)
OED:
cyber, adj.
In predicative use. Of, relating to, or involving (the culture of) computers, virtual reality, or the Internet; futuristic.
Comes from...
cyber-, comb. form
Chiefly prefixed to nouns. Originally: forming words relating to (the culture of) computers, information technology, and virtual reality, or denoting futuristic concepts. Later also: spec. forming terms relating to the Internet.
"we'd like your encryption keys sir"
"here's the encryption key gent, I'll hand you the decryption key (which isn't illegal) just after I've detonated this bomb with it"
"we find you fully guilty of using encryption and a bomb but not guilty on all counts of using decryption. case dismissed. "
Why the fuck would Obama be interested in Cameron's proposal?
It's not as if NSA doesn't have plenty of our data to play with already, especially with GCHQ being so accommodating.
Or just maybe the US prez doesn't really see Cameron being around to deliver anyway and can't give a toss until the next supplicant arrives at his feet.
Elect a PR goon, what you get is more PR gooney, John Smith 19 ........ The Truth "Behind" The Charlie Hebdo Solidarity Photo-Op
And IT and Media is all about micro/macromanaging dull animal perception and creating a false leading narrative and exclusive executive virtual reality whenever your operating systems admin is simply perverted, subverted and corrupted and easily hacked and cracked wide open to zeroday vulnerability exploitation traders ... New Orderly World Order Great IntelAIgent Game Players. NSA answers to Global Communications Head Quarters questioning of IC Enterprises.
Politics? ...... 'Politics is just show business for ugly people.'...Jay Leno ? Right on, Bro, and it has had its day and fifteen minutes of fame flogging their dead horse as a vital mode and meme of future transport and delivery.
I wonder who was pulling all those strings in Paris and directing all down the alley/leading them up the garden path?
Re:
"The companies themselves have all sorts of interests, but one of those interests is they don't want to be the platform that becomes safe for terrorists to talk to each other and plan appalling outrages on."
I'm not so sure about the practical efficiency of that statement. How to prevent just that? How can the likes of Facebook and Google not "want" to be a safe platform for anybody? That's the very nature of their business. Those two conflicting interests are butting heads. What will Facebook and Google and their ilk do for revenue/income if they hamper unfettered access to their "platforms"?
How to pick and choose who is "safe" to be a user of their technology? How to choose when to deny access, or GASP!, how to allow the GHCQ access to their data? How to write the in-house protocols outlining the degree of cooperation deigned to be granted by them to anyone?
Did Google and Facebook help with locating the Muslim terrorists in Verviers and Paris? If not, and if they partitioned [is that the correct term?] off their data, then they become accessories to this Muslim terrorism, and deeply complicit.
Lots of righteous smug certitude needs to be punctured......without losing any votes for the next election.
Look.
Many of you seem to think this is about responding to terrorism, an assault on civil liberty, damage to the IT industry and all sorts of red herrings.
There's an election coming up.
Dave is getting some TV time standing next to the US President whilst looking all statesman-like.
That's it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
