122 comments

[ 4.7 ms ] story [ 189 ms ] thread
There's an interesting article on how Telegram is being used here: http://www.memri.org/report/en/0/0/0/0/0/0/8828.htm/
Except, other than being a nice chat app, Telegram's encryption is snake oil

http://unhandledexpression.com/2013/12/17/telegram-stand-bac...

The article mentioned encryption, but I was more interested in their details on how Daesh was using it as an unmoderated platform to spread tutorials on manufacturing weapons and launching cyberattacks, calls for targeted killing and lone-wolf attacks, and Daesh's use of bots on the platform.
So he's distributing the Anarchist Cookbook?
No. Not 'he', and not just distributing how-tos. Read the link if you'd like to be aware of what's happening though.
If they were using something federated and secure like XMPP+OTR, sure, but Telegram is as easily moderated as any other centralised solution (they might as well be operating on an FB Profile + FB Group Chat).

If the DOD/NSA/CIA/WTV wanted to shut this down (which they likely don't as this probably serves as a nice stream of data) all they need to do is shut-down Telegram's US servers, which would likely cripple the entire company financially.

Kind of sick of hearing government officials saying encryption is evil. This stance is disingenuous at best and dangerous at worst.
Yeah I believe also trains, cars, food, water and oxygen played a role, something should be done about those too. If that ever happens, open source to the rescue, politicians might as well make that illegal.
This is all true, but it's also true "governments" had previously had [court ordered or otherwise, depending on jurisdiction] access to communications, when necessary in order to track individuals or obtain evidence. The claim is that now people can choose technologies which allow them to evade communications interception [easily] which frustrates governments when they want to intercept communications.

I don't think it's far fetched to believe if not the US countries abroad will require technology vendors to provide interception systems ala BlackBerry. Big enough markets, can say, Apple, you can still sell in our country[1] but you must grant access [MITM, whatever] and you know what, Apple will not want to see its growth markets evaporate.

[1] They'd also disallow non-approved apps from country app store and also disallow carriers from allowing jailbroken handsets.

Like the saying goes, if you outlaw guns, only the outlaws will have guns.

Seriously. Ever heard of steganography?

Police being able to listen in to communications for selected individuals, based on court orders is of course something that is necessary for safety, nobody is arguing that. The difference is the scale of the ability to survey. You can argue that the scale doesn't matter, but it does. The only difference between uber and your local taxi company with 10 cars is also scale. Being able to scale surveillance trivially is the thing that must be fought against, because it erodes the freedom of people. After all, the freedom of people to live their lives as they wish is what we're protecting after all, isn't it?

> After all, the freedom of people to live their lives as they wish is what we're protecting after all, isn't it?

Is it? I thought it's freedom to live their lives as long as they follow the law?

No, it's exactly the reverse in fact! Laws are supposed to be made to make living life better for the majority. Many problems stem from thinking the opposite.
Well said! Also, only criminals want to keep their thoughts private. Every home needs a covert monitor.
Personally, I blame mothers milk. It's the root of all evil.
Intelligence agencies seem to operate on a very dubious assumption that if mass consumer products weren't offering end to end encryption, terrorists would just be chattering away in the clear, rather than trivially switching to one of the plethora of alternatives that do allow secure communication (some of them open source and "unbannable").

Are they really that dumb? Or is this a cynical PR exercise?

It's not that terrorists with good operational procedures would not be able to find more secure means, but migrating to those means would do two things:

Fewer operatives would have the rigor to operate securely all the time. You just need one to trip up to give the house away, but with ubiquitous encr. anyone and their nona can encrypt without leaking.

Two, switching to alternate means would mean a big slowdown in comms speed and throughput/dissemination and comms can be compromised/altered via interception.

And three: The mere use of banned encryption tools can now be a crime in itself.
Not necessarily, it's what they call a "signal". Just like driving a white van does not mean yours was the one involved in the hold up, but it's a signal: "Look at white vans more suspiciously".
I drive a white van and I use encryption daily. Maybe I should go and invest in some bullet proof attire?
What do you think, does that sound sensible to you?
One guy managed to get his hands on a freaking rocket launcher. Same with one of the Charlie Hebdo attack guys, who sneaked an assault weapon into a country with strict gun laws. Are you telling me that if they are really committed these guys can't get access to an app they can use for encrypted communications?

The problem is there are too many signals, only made worse - not better - by mass surveillance (making the "hay" in which to find the needle bigger and all that). Here's an excerpt from Schneier in 2005:

> Let's look at some numbers. We'll be optimistic -- we'll assume the system has a one in 100 false-positive rate (99 percent accurate), and a one in 1,000 false-negative rate (99.9 percent accurate). Assume 1 trillion possible indicators to sift through: that's about 10 events -- e-mails, phone calls, purchases, web destinations, whatever -- per person in the United States per day. Also assume that 10 of them are actually terrorists plotting.

> This unrealistically accurate system will generate 1 billion false alarms for every real terrorist plot it uncovers. Every day of every year, the police will have to investigate 27 million potential plots in order to find the one real terrorist plot per month. Raise that false-positive accuracy to an absurd 99.9999 percent and you're still chasing 2,750 false alarms per day -- but that will inevitably raise your false negatives, and you're going to miss some of those 10 real plots.

> This isn't anything new. In statistics, it's called the "base rate fallacy," and it applies in other domains as well. For example, even highly accurate medical tests are useless as diagnostic tools if the incidence of the disease is rare in the general population. Terrorist attacks are also rare, any "test" is going to result in an endless stream of false alarms.

> This is exactly the sort of thing we saw with the NSA's eavesdropping program: the New York Times reported that the computers spat out thousands of tips per month. Every one of them turned out to be a false alarm.

99.9% and 99.9999% accuracy and you still get those huge false positive numbers. Even the drone strike program has much lower accuracy than that (yes, they do kill people based on "mostly assumptions" that they are terrorists, if that's news to anyone). I mean, in the US, they start spying on people if they have a >51% of not being an American (an amazingly low threshold - basically flipping a coin). So - maybe it's time to admit that mass surveillance is actually detrimental to catching these guys and that these spy agencies are hurting national security?

https://www.schneier.com/essays/archives/2005/03/why_data_mi...

Countries can demand app stores comply with their laws, if they wanted to. They could demand access to interception or else the app [store] is not allowed. They could further have carriers block jailbroken sets.

With regard to noise, you can make it more manageable by building a graph. As you initially ID terrorists, you follow the graph and calibrate the signal. You don't have to enmesh everyone.

> They could demand access to interception or else the app [store] is not allowed.

Thus forcing terrorists to use Android or a desktop OS? Big whoop.

It's not as if they can't tell Google to put out a 'special' version for their country. Or put out their own infiltrated version and take whatever measures necessary to "own" the OS. They could poison DNS for "favorite terrorist distro".

It's not to make it 100% foolproof, it's to make it so that any misstep would reveal them. In other words, make the whole of their communications system leaky _somewhere_ not necessarily everywhere.

In almost all the terrorist attacks that have happened recently at least one of the perpetrators has been known to the authorities. This tells me that the problem is failing to properly follow up on leads rather than missing people completely. This leads me to suggest that more dragnet surveillance is not needed instead we need targeted surveillance.
The systems are already leaky (like the metadata, for instance, but also the weak end-point security most devices have, poor HTTPS implementations, and so on). This is not a problem. The problem is the intelligence agencies have too many "targets". They're only making things harder for themselves putting everyone on "lists". At least one of the terrorists from the recent Paris attack was on such list - an "extremist" list even. Didn't seem to help.

I think it's becoming more clear that intelligence alone is not enough.

I'm also very worried that 10 years from now we'll have an even bigger problem than Daesh in the Middle East, even if Daesh is "wiped out" - Al Qaeda was wiped out, too, unless we forget. Daesh is much bigger than Al Qaeda was, which means they have many more relatives and children than Al Qaeda had - children that may rise up again in 10 years to avenge their fallen fathers and cousins.

France's reaction feels very much knee-jerk and 20th century thinkining - "Someone attacked us? Let's bomb the hell out of them then!". It kind of reminds me of when the French generals ordered their foot troops into the Germans' machine guns a century ago, because that was their 19th century thinking at the time.

This is a whole other discussion that also needs to happen, and I think a much bigger issue than the encryption one.

The problem isn't the volume of data, it's the analysis and graphing. They need to develop better mining technology.

Conversely, if there is too much data and everything is hidden because there is too much, then why bother with the clamor for encryption? I mean, there is so much data, it's unfindable?

I think it was Poland and Russia sending cavalry and barely armed infantry into modern battle, not France during WWII.

Every single ones of those techniques can and would be bypassed (the app store banning would be the easiest). The ISPs would be operating on an "anti-virus" principle, and they'd be too slow to stop "zero-day-like" hiding of encrypted communications before an attack would happen. There are already plenty of apps that stop carriers from knowing when someone is using tethering apps, when the carriers don't want them to use those types of apps.

As someone was saying on Twitter, intelligence agencies should not want terrorists to start using steganography...which would make their passive traffic analysis much harder. But if they start censoring and banning encryption apps (which use metadata all in the clear), that's exactly what will happen.

Also, it seems most people live with the impression that "if only current apps such as Signal, Tor, etc" would be banned, that should pretty much put an end to encrypted, hidden communications, right? Wrong. Dead wrong. Right now they are being "lazy" and just use what's available to them, like Telegram and whatnot. But if those apps were actively banned, they would focus on building their own, perhaps with forked Signal/Telegram sources. But even without those, they could still commit to building their own solutions.

To give you an analogy, look what's happening with the Silk Road-like world. Authorities stopped Silk Road - like twice or third times already. But the underground online drug market is bigger than ever - it just split into multiple smaller markets. If that happened with drug businesses and drug delivery, it should be much easier to happen with "chat apps".

People would still want strongly encrypted apps especially if they were actively banned by oppressive governments.

Encrypted traffic is pretty easy to detect. If only terrorists use encryption, you can catch them easily.
If only pigs could fly, then any flying animal would be a pig. But.

Banks use encryption too.

The amount of encrypted traffic in use by normal people every day far outweighs that of any terrorists.
I feel like encryption is easy enough to do now by so many means that taking it out of consumer grade apps won't have much effect at all. It's pretty much as easy as installing an app to get (close enough to) perfect encryption from open source solutions and once installed they are as easy to use as Whatsapp.
In a world where mass consumer products don't offer end to end encryption, either the terrorists use encryption, and they can be arrested for that, or they don't, and they can be arrested on the basis of their plain-text communication. Or at least, maybe that's their justification...
Of course, that does not take the elephant in the room into account. By using proper steganography, terrorists could use encryption pretty much unnoticed.
But only if you also keep transmitting junk data over the same mediums. There is plenty of research available for detecting the presence of applied steganography by entropy measurements. [0, 1, lots of others]

If you only apply steganography when you have real[tm] communication needs, those transmissions will stand out. So, from information theoretic standpoint you need to ensure that transmission is undetectable from steady-state with no payload.

Incidentally this is also one part of Pond's threat model. [2]

0: https://ntrl.ntis.gov/NTRL/dashboard/searchResults/titleDeta...

1: https://www.blackhat.com/docs/asia-14/materials/Ortiz/Asia-1...

2: https://pond.imperialviolet.org/

Definitely, but like cryptography, this is very much a cat-and-mouse game. In some data uniform noise is harder to detect than other data. You also have to exploit streams that are large or expensive to analyze. But I think that there are many stochastic processes with near-uniform properties waiting to be exploited (such as e.g. some word order choices in some languages with free word order).

The thing is that with steganography, plausible deniability is much easier than pure cryptography.

Doesn't properly compressed data look just like junk data? You could simply compress some file, add a number of random bits ("corrupted during transfer"), and use just a few of those bits for encrypted communication.
Worse. Terror (fear) is a well tested 'problem' which people are strongly conditioned to demand solutions for. 'Real' or 'Manufactured' the result is usually the same; power brokers proclaim they don't have enough power. It's an emergent effect that power will tend to expand through all means available and fear happens to be the most powerful motivator of human action. If you keep people in this state (the 'strategy of tension') they are more pliable because being in a state of fear impairs decision making.
Are you suggesting that certain power centres are deliberately turning a blind eye to potential terrorist intelligence in order to maintain the "state of tension", as long as that threat is not directly affecting their own citizens and home country?

I.e. the NSA deliberately withholding intelligence from the French in order to bring the French government into the " ignore a basic right to privacy and liberty, we need you to support our bulk surveillance hard-line "?

That would be pretty callous and downright Machiavellian.

Every tragedy will be used to further the cause of totalitarianism. The contents of this article, and every identical piece that is written after every new disaster, is less worthy of HN discussion than this broader issue. Encryption is the primary facilitator of privacy in our current times, and privacy is a fundamental human right. Law enforcement doesn't understand this, they only know "getting the baddies". And in times where violence is at an all time low despite recent tragedies, "getting the baddies" is decreasingly important relative to the preservation of rights.
But it is worthy of discussion around the issue of privacy to raise awareness. Current and past events serve as an example for us discuss and show that privacy is a human right that should not be compromised.
I think everyone here is well aware of the issue. It's getting the message to people outside of the tech bubble that's missing.
I have "after Snowden" begin to doubt that. Sure, there is a lot of people who say they support privacy. But then a lot of the industry nowadays is based on shuffling peoples data around. So I wonder how "deep" peoples convictions are or if it's just more out of convenience to avoid responsibility for their own activities?

Rarely is someone in technology upset over, say, the lack of use of encryption when sending e-mails. While when you talk to say lawyers or journalists, for which privacy is the basis of their activities, they are often quite upset over the tech industries cavalier attitudes.

More than anything I think you can't effectively defend something if you don't know the issues or peoples concerns. It's great that there is a lingering support of privacy from hackers subculture, but if you can't oppose someone saying "but terrorism" it might not be worth very much. It might actually be more damaging, because you don't see how you could be the "bad" guy (in terms of privacy).

There may come a time soon where the violence is widespread enough to actually justify this level of invasion of privacy. The threat of these sorts of attacks is increasing and if countries like Pakistan are any clue, it's simply not possible to ignore it and say everything will be fine because only a small portion of the population is involved. That small portion can wreak havoc and must be managed and surveillance is the right tool to do just that. It's by far better than any other method of dealing with the problem... and it does allow for surgical precision as long as the authorities don't use it instead to go after other crime, which they inadvertently do.
> The threat of these sorts of attacks is increasing

Any data to back that up? 9/11 was by far the worst and that was 14 years ago. Seems to me Islamic terrorism is hanging pretty steady at a 'virtually non-existent' level.

Depends on which countries you are talking about, if you are talking about Western countries ... then yes... If you are talking about Muslim countries then no...

https://en.wikipedia.org/wiki/List_of_%28non-state%29_terror...

Well, but if the East has problems with terrorist attacks, then there's exactly zero reason why the West should be giving up their liberties because of that.
You're so afraid. I genuinely pity you. I don't mean that as a personal attack, I'm just saying I can't imagine living life with that much anxiety. I think you should watch less mainstream news.

Personally, I'd rather die free than live surveilled. You can call me young and naive and say my principles just haven't had time to be challenged. I don't care. I stand by this completely and don't apologize for it. Freedom is the basis for a meaningful life.

It has almost never been a safer time to live in Europe than it is now. Look at crime rates, they are dropping everywhere. Homicide is down, robberies are down. Terrorist attacks happen so rarely that they almost don't count. The number of people killed in traffic accidents in the USA on the same day of the Paris attacks is almost the same as the number of people killed by terrorists. I'm sorry to be so cold, but they didn't even manage to make a dent in the stats graph.

https://en.wikipedia.org/wiki/Terrorism_in_the_European_Unio...

And if I was Spock I might care about that kind of argument. As it happens, people care far more about the feeling of safety than safety and believe me that feeling tanked after Paris.
There are other ways of addressing feelings of safety that don't involve giving up liberties.
The issue isn't whether the invasive surveillance is acceptable or not.

The issue is that it won't work. If you introduce mandatory backdoors into any commercial messaging system, it will not be used; the Bad Guys(tm) will simply return to using open source crypto, like pgp-over-whatever that we've had for decades.

I.e. if strong crypto is outlawed, then only outlaws will have strong crypto.

The intelligence agencies know this. Anyone pushing for backdoors in the name of counter-terrorism is either a fool or a liar.

Maybe we could start with low hanging fruit like Bush and Blair going to jail? Let's talk about "catching" people once we started not being complete hypocrites. Many of the major crimes in the world are well documented, and the perpetrators are known.

Besides, mass surveillance in itself is an attack on human rights, and as such not terribly useful for defending human rights. Maybe if it could avert millions of murders each year, we could talk about it. But with it averting nearly nothing, it's like cutting off your arm because you have an ink stain on your finger.

> privacy is a fundamental human right. Law enforcement doesn't understand this, they only know "getting the baddies"

Law enforcement doesn't have any issues with their understanding or their clarity of thinking, but frankly I think people like us on tech forums often do.

Remember: one man's terrorist is another man's freedom fighter. The difference between "terrorist" and "dissident" is mostly nuanced definition, depending very much on whether the observer supports the people at question or doesn't. People trying to overthrow the Chinese government are 'dissidents' unless you're a member of the Chinese government, in which case they're terrorists. The fighters in eastern Ukraine are either pro-Russian rebels or anti-Ukrainian terrorists, again depending on who is talking. Islamic mullah's are either exercising their inalienable right to freedom of speech, or spreading extremism and brainwashing people ... probably depending on whether you grew up in the USA or the UK.

It's for these sorts of reasons that the UN has never been able to arrive at a working definition of terrorism.

So now look at the arguments deployed by the technical community for strong encryption. Privacy and encryption is important for democracy, we say, because it's important that people be able to coordinate in order to resist an increasingly totalitarian government. It is easy to find encryption products that make this sort of argument.

In short, the tech community argues that strong government-proof crypto is important because dissidents must be protected (who else is both sympathetic and needs the ability for their communication to have court-order-proof levels of privacy?). But those same governments hear these arguments and say, wait, the dissidents we're dealing with are not dissidents, they're terrorists!

So this is an unresolvable conflict of views. The tech industry will unfortunately always be in the position of explicitly supporting terrorism, from at least some observers point of view. It's inherent in the idea that sometimes governments must not be all powerful.

Good points.

> Privacy and encryption is important for democracy, we say, because it's important that people be able to coordinate in order to resist an increasingly totalitarian government.

Also, too much privacy can also support defection rather than coordination. The government may look at this and see something else: that in the arguably much more likely scenario criminals will use encryption to defect against the social order. Enough untraceable trade and then when there's a nuclear or biological attack you may think about reconsidering just how much privacy do you want general population to have.

I don't want to defend or support the surveillance state here, just pointing out that, especially from government's point of view, them turning totalitarian seems much less likely than criminals and terrorists doing their crime and terror things.

I am so mad at what the "security" apparatus is trying to do right now -- they are trying to cover up the fact that they employ arrogant idiots that rely too much on technology and don't cooperate with other european counterparts.

Their alternative to real police/intelligence work is indiscriminate surveillance 1984 style.

If there was no strong, public key encryption, the bad guys would still find ways to coordinate without it, it's been done since times immemorial.

Well, on the bright side, the more they talk about how unbreakable encryption the encryption is, the more likely some no good idiot will have a false sense of security and think that their phone is the logical device to communicate about their plans for one evil plot or another...
Wow, going for a walk in the woods is also a pretty good way to avoid be spied on by the government. Better burn the forests down, or at least fill them with video-cameras and microphones!
Unless you happen to be a govt advisor on Iraq.

The medical report was recently sealed by the govt. for 70 years.

https://en.wikipedia.org/wiki/David_Kelly_(weapons_expert)

I am confused, the wikipedia article you link to says "In October 2010, the postmortem—including the pathologist's 14-page report and the six-page toxicology report—was made public, re-iterating the conclusion of the Hutton report." The subtitle to the linked Guardian article is, "Government releases previously secret medical files on death of weapons inspector at centre of BBC's Iraq dossier story." What is it that you want to see?
Hmm maybe I have fallen for the headlines accompanying the recent sealing as though it were revelatory when really it is back to normal practice of medical records being private.
What is the recent sealing?
Part of the Hutton report that is due any day now....
Many believe that the pathologist report and the verdict of the report were fixed. David Kelly's stance on chemical weapons in Iraq was not helping the British government in any way.

This relates to the sexed up dossier that took the UK to war, which we now know was a preach of lies and fiction.

They needed David Kelly to step aside or give his blessing and backing to the dossier.

He didn't, but then magically he did, because he took a walk near his house and an apparently non-suicidal man took his own life. Except there are many discrepancies: http://m.belfasttelegraph.co.uk/news/uk/doctors-claim-coveru...

Jesus, NYT. Is it even confirmed that they couldn't see what they were doing "because they used encrypted apps", or is that just an assumption of "anonymous officials"?

Upon loading the post and reading the first paragraph:

> American and French officials say there is still no definitive evidence to back up their presumption that the terrorists who massacred 129 people in Paris used new, difficult-to-crack encryption technologies to organize the plot.

Oh. Well there you go. I really don't see the point of these media entities letting themselves played like this by the authorities to spread their false propaganda then. The bodies weren't even cold yet and they started spreading this anti-encryption message on TV. Because they couldn't have possibly admitted that maybe - just maybe - it's the intelligence agencies that screwed up and they have to take responsibility for it, like it should happen in any democratic country, instead of pointing fingers at others. I wonder what they'll say next if we discover these terrorists weren't actually using encrypted channels to communicate.

"American and French officials say there is still no definitive evidence to back up their presumption that the terrorists who massacred 129 people in Paris used new, difficult-to-crack encryption technologies to organize the plot."

IMO, that is the only part of the article that needs to be understood.

Let's say these terrorists were naïve or technical luddites. Why would future perpetrators also be presumed to remain luddites?

Second, what would you propose _if_ they are found to have used encryption to avoid detection, would that make a difference? Or do we come up with a better reason to exculpate encryption?

If encryption is not a bogey-thing, then it's irrelevant whether it was used or not. We don't need confirmation it was not used.

Let's say they're not naive, and that they are not technical Luddites but merely clever enough to realize that if they used channels that can be listened in on easily or that are known to be monitored that their chances of success would go down and their chances of spending the rest of their miserable little lives in jail would go up.

Assuming terrorists are naive, Luddites and/or dumb is a dangerous mistake, it presumes that terrorist organizations are mostly old guys with beards rather than that they draw support from all levels of society, including IT personnel.

Encryption does not factor into terrorist prevention to-date as far as I can see, what terrorist plots were foiled were foiled in very old-fashioned and low-tech ways, mostly depending on a lucky break because someone saw something suspicious.

Encryption does factor into the desire of the various agencies to be able to look into our private lives at every turn. Of course no such agency would ever abuse such power.

If resources will be diverted from more risky and/or longer term strategies to increase the dragnet surveillance capabilities we will be doing exactly the wrong thing, given the fact that the current capabilities are far from insignificant and the fact that each and every one of the major attacks in recent history had one or more known perpetrators and plenty of early warning signs.

The failure is embarrassing, but of course it is the tools that are to be blamed, not the strategy since that would imply some people are not doing their jobs too well.

The whole encryption thing is a side show and does nothing to actually make the day to day lives of people in Western Europe or the Americas any safer.

Finally, it's not as if the terrorist groups aren't going to be able to continue the tools they already have, which have encryption capabilities far outstripping our present day ability to break in a short enough window of time (say 48 hours) to be able to intercept a terrorist team on the way to doing their deeds.

Encryption used for the purposes of terrorism doesn't have to hold forever, it only has to hold long enough to be able to carry out an attack unhindered.

It's not as if these guys are going to be yakking on their cell phones to co-ordinate a group buy of Kalashnikovs and ammo via BuyWithMe.

So when the feds go in and raid a company and demand hard drives to investigate illegal activity which criminals typically know to hide and try their best to hide, you think that's futile and agencies are better off not relying on this kind of data because criminals are unlikely to make any mistakes in covering their tracks?

So agencies are doing things backwards by relying on this kind of operational data search? They should be doing more stakeouts and rely more on people ratting them out?

> new, difficult-to-crack encryption technologies

Have there been any NEW encryption technologies lately? The only one I can think of is ZRTP. Everything else is based on well understood and well tested theories.

Pond is pretty cool. But the encryption methods are, of course, standard. It's how they're used that's innovative.

The reference is likely to various idiot-friendly apps. I doubt that any of them is harder to crack than, for example, Sigaint with GnuPG (via Tor onion services).

Axolotl Ratchet protocol which is currently the safest end-to-end encryption method is pretty new.
Encrypted Messaging isn't the problem.

They should have better boarder control, background check on people before letting them in, communication with other countries, and better integration. Also perhaps programs for more tolerant people, and ease/integrate immigrants in instead of more religious and toward the extreme end of the spectrum.

There are many other solutions without sacrificing freedom and privacy.

Indeed. Some of the terrorists were from Molenbeek, a Brussels suburb that has been out of control for the authorities for decades. The same applies to some Parisian suburbs.

Rather than investing in these suburbs and getting human eyes and ears on the ground. We spend many millions more on bombs and anti terror units.

Encryption is an easy scapegoat and convenient for power grabs. Saying 'we mismanaged these suburbs' takes political courage.

> Indeed. Some of the terrorists were from Molenbeek, a Brussels suburb that has been out of control for the authorities for decades. The same applies to some Parisian suburbs.

Can you explain that a bit? There is not enough political will to impose order there or something else?

I am not sure, since I am from a neighbouring country. Some analysts said that in the case of France, Sarkozy pulled resources from local projects and local police to form anti-terror units, etc. Some areas have regressed so much that regular policemen do not want to go there.

In the case of Belgium, one of the problems is that there was never a push towards integrating North-Africans. Traditionally, the left has been in favor of 'multi-culti' -- you basically allow minorities to form their own community without much outside interference. As far as I understand, this has been strengthened in Belgium by the socialist party, which pretty much maintained this non-interference policy for votes. This leads to problems, because in other cities/countries family and friends would signal radicalisation to the authorities. Here, many people do not even speak Dutch or French and mistrust authority.

I like to look at Canada in this respect. They have done arguably a very good job at integrating newcomers. The country has substantially increased its population in the last 40 years and yet I did not meet any individuals that did not think of themselves as 'Canadian' first. And that's in spite of cities like Toronto containing areas labeled little Italy or Chinatown.

Integration of the Muslim community at large in Western Europe is for reasonably large numbers of people a failure. Of course there are also plenty of people that did integrate and that will stand up to defend the values of the countries that they have adopted. But not at the level that Canada has managed to achieve.

We must resist every attempt to treat us like criminals a priori.
It doesn't matter what politicians think, really.

Secure end-to-end encryption is going to happen one way or another. It's a global phenomenon, no single country can stop it.

Sure, our government likes to think it controls the world, but really all it can do is threaten the world with violence. Mathematics knows no such fear.

And yet, similar policies have given us "export-grade" encryption and funded projects like the clipper chip.

There's no way a single country can block secure, end-to-end encryption forever, but they can sure make things hard for a while.

> but they can sure make things hard for a while

Only for their own citizens and trade partners that cooperate with their unrealistic demands.

Which unfortunately probably means almost everyone. Companies will cooperate, because it's unprofitable for them not to. The GenPop will cooperate because they don't understand any of it anyway.
They don't have to block every user using unlawful encryption -- they just have to have a law that lets the penalty be enough that a few high profile convictions will deter enough law-abiding people that it isn't worth the risk.

At that point, they can simply listen to all traffic and, if there are packets that aren't listenable due to encryption, assume ill intent, then be free to react appropriately.

Assuming high enough signal ratios in detecting encryption, it might actually prove that encoded messages, or steganography proves to be more effective at preventing state-level eavesdropping... they won't prevent a determined state from getting your secret content, but it could be enough that, if the messages looked unencrypted, they would be passed over for the more obviously encrypted messages -- hiding in plain sight, as it were.

Note, this is not an endorsement of any privacy invasions whatsoever, but musings on what a post-4th-amendment-obliteration world might look like for the privacy-minded.

Coming soon: 'Strong' encryption is illegal in the UK without a licence. Banks and other institutions will pay for licences for their websites and their behind-the-scenes comms but also be required to use backdoored crypto where the govt and police and govt agencies hold keys.

An inter-country agreement makes us interoperable. All comms are monitored for anything looking encrypted but not decryptable by the state using their keys.

It will be an easy sell because those who want full personal privacy will be seen as suspect. It will also make money from licensing.

Steganography has frequently been a target of similar fear mongering, so they might apply similar scrutiny to all photos in this nightmare scenario and assume ill intent for all photos with a large number of layers.
Large enough growth markets can tell the Apples etc. that they can either allow interception for surveillance or abandon their market [not too dissimilarly from what Saudi Arabia did with BB] see [1]. I don't think Apple and Google would simply give up on the biggest two markets to take a stand and allow local counterparts eager to comply to take their growth markets away. It's possible of course they take a stand, but I don't think they would. If not the local operators, then BlackBerry would comply.

[1]http://www.brighthand.com/news/rim-vs-india-and-saudi-arabia...

That's an argument against centralized encryption with corporate sponsors. Says nothing about government ability to control distributed applications of open-source crypto.
But now you are asking terrorists to be good at encryption meanwhile even encryption vendors/developers get sloppy and wrong.

It's one thing to ask a cell member, hey, here's a phone, it only has this app on it. Don't mod it, don't do anything but use this app.

Versus, hey, please implement a secure encryption protocol and make sure there are no exploitable bugs.

Also, if the government controls the carriers, they ultimately control what can run on the handset [if they choose to be draconian].

Also, for a big enough growth market, I think they'd be willing to centralize encryption. They'll outwardly say, no impossible, can't be done. Host country will say, sorry, you can't sell here, can't be done. Secret high-level talks happen and mysteriously the handsets are available again.

> meanwhile even encryption vendors get sloppy and wrong.

What is an encryption vendor, exactly?

Is Open Whisper Systems an encryption vendor? They're pioneers in secure messaging, and they give it away for free. https://itunes.apple.com/us/app/signal-private-messenger/id8...

Is Paragon Initiative Enterprises an encryption vendor? We published Halite, a PHP library to wrap libsodium and make it even harder to use incorrectly. (Users don't even have to know what a nonce is.) https://paragonie.com/project/halite

Or are you speaking about software vendors that erroneously implement their own cryptography features? If so, I totally agree. They do sloopy work.

Cryptography exists independently from any corporation that may or may not use it in a messaging system.
Unless ISIS, etc. have better crypto minds than the likes of firms who spend billions in that domain (and still make mistakes), you're asking a lot from foot soldier terrorists by asking them to produce, to borrow from oracle, "unbreakable" bug free comms platform.
But it already exists. PGP and couriers. Taking encryption away from the innocent doesn't change that.
That slows down things. It also allows currier interception.

If it's so easy, then, go ahead, replace all your daily encryption with gpg and couriers, see how effective you become.

It would also kill our modern economy. But it wouldn't prevent terrorism.
How would a hypothetical governments requiring mitm interception capability "kill the modern economy"? If China, The EU etc required it, others would follow... Ordinary people would keep on using gov't mandated mitm encrypted comms and apps. So long as there was protection from your neighbor snooping on you, and the gov't guarantees [whatever that means] it won't use it against you except in "combating terror" most people would go along with it.

Just as with disease, you're not looking to eliminate it, you're looking to minimize it.

You're arguing for an impossible thing, a crypto system that exactly one third party can intercept. If it's based on a key and the key leaks, it would destroy the modern economy.

If it's based on requiring a specific amount of computation, the neighborhood despot buys a billion dollars of computers instead of feeding the people and destroys the modern economy.

If more than one government requires such interception capabilities for a single transaction, and the communicating parties involved don't trust all the governments involved, they won't communicate which will destroy the modern economy.

If, magically, none of the previous scenarios play out, anybody who wants to communicate securely will have the enormous burden of complying with the regulations of all of the involved governments, slowing down commerce and innovation, and potentially destroying the modern economy.

If there's a government key server that dispenses a public key for government snooping and it goes down/a competing government redirects to its own key/DNS or BGP is poisoned/etc. then someone else gets all the traffic and destroys the modern economy.

Beyond the economy it's a matter of trust. For the relatively small benefit of a very slight (or even zero) reduction in terrorist incidents, there's simply nobody who can be trusted with the power to snoop on everything.

So, yes, one of the above. Depends on how countries might negotiate and they can have rules and penalties for rule breaking, just like they do for most other things.

What I don't get is one the one hand it's too expensive for governments to do effective snooping (too much data to sift) but on the other hand trust would be broken because everyone could find anything... but governments would be incapable of finding information that same trust breaking information.

1. despots already leave their populations unfed, the world keeps on going.

2. commerce happened before encryption. There hasn't been good reliable and easy to use encryption till the last couple of years. it's not as if the world hadn't globalized despite that.

3. There are already a lot of rules which apply to international commerce, this add very little in comparison.

4. Govt's who want to share in this scheme agree to rules and penalties for breaking them.

What I don't get is one the one hand it's too expensive for governments to do effective snooping (too much data to sift) but on the other hand trust would be broken because everyone could find anything... but governments would be incapable of finding information that same trust breaking information.

It's possible for both to be true. The price to snoop effectively is too high (wasting money), so either the government is wasting ridiculous amounts of money and violating everyone, or they're not wasting the money, not catching terrorists, and just using the information to violate specific individuals.

despots already leave their populations unfed, the world keeps on going.

It's the computers, not the food.

commerce happened before encryption. There hasn't been good reliable and easy to use encryption till the last couple of years. it's not as if the world hadn't globalized despite that.

Encryption is essential to modern commerce. Businesses and banks need to be able to transfer files between offices without fear that an unfriendly corporation, government, or hacker can intercept those files. Customers need to be able to download software and send payment information to companies without having a virus inserted in the download or their payment details stolen.

There are also free speech, whistleblower, and related considerations that I don't want to take the time to argue here.

But foremost, beyond all that it's still not established that forced MITM will reduce terrorism. That fundamental idea needs to be established first before any other factors are worth considering, and even then the net benefit to the world may still be greater with encryption than without.

> still not established that forced MITM will reduce terrorism.

That's the only criterion.

All the rest are excuses because people can make a calculus and by and large people and corps, if MITM would be proven to be effective, would likely go for it, given alternatives, despite any other objections put forth by people who believe in opposing this alternative.

It's almost as though people wish it would be ineffective to prove the opinion right. Is it effective? I don't know, I don't have the data but neither do others with opposing views -it's conjecture. But, one would imagine a few governments must have the answer to that but aren't saying.

>or they're not wasting the money, not catching terrorists, and just using the information to violate specific individuals.

Isn't that what one would want from such a regime? Be able to dedicate resources on following the right graphs?

That's saying, well, they have the capability to follow known targets, but when it gets to terrorist targets they become dumb -even though the mission of such orgs is to follow those specific targets.

(comment deleted)
Aye, reading these articles is a salient reminder of how disconnected journalists are from reality, and thus how easily hoodwinked by authority (when they are not simply complicit with it).

We've been able to send end-to-end encrypted messages to multiple simultaneous recipients, via arbitrary de-centralized transports, using standardised protocols & open-source tools, for decades.

(comment deleted)
Did you guys know TERRORISTS are also on TWITTER and FACEBOOK! As soon as I heard this my heart sank and I deleted my accounts.

These dangerous tools are being used to recruit jihadists from our own communities!!!!! Can you believe it?

I hope they ban this "cryptography" app, as well as Facebook and Twitter.

/s

How can people be this stupid? Better question: Why are people so uncomfortable deferring their opinions to people who know these things? I don't think you'll find a single person involved in tech who thinks banning cryptography is a good idea, let alone possible.

With that in mind, why does this news article exist? How are our politicians getting away with this populist bullshit?

> Why are people so uncomfortable deferring their opinions to people who know these things?

I think you might find that a non-trivial subset, if not outright majority, do deferring their opinions to people who know these things.

They often get information and analysis from the news, their government, and that "one guy who is good at computers". I use pgp and gpg, I use ssh, and I am a programmer. I know very little about how cryptography works, but likely enough to appraise someone else's ability to shepherd such discussion and policy.

So what heuristic would you apply here? I love the EFF but they have not succeeded in any mainstream endeavor. I do not mean to belittle their accomplishments, but what percent of people reading this article know what the EFF is?

If the latest James Bond movie were released 15 years ago, I would not have found the villain's plan convincing at all. Using random terrorist attacks as an incentive for governments to participate in global surveillance? Give me a break.

Now, the Bond villain's agenda so obviously makes sense that it took all the suspension-of-disbelief fun out of the movie. I watched it the day after the Paris attacks. I couldn't help but feel as if Spectre were just a historical piece with some fictional characters added for dramatic effect. Of course that's how surveillance creeps into modern societies. We don't even need cheesy villains to act as masterminds of a convoluted plot. The assholes at Daesh can get the job done just as effectively, thank you very much.

So if the government is complaining that ISIS now uses technologies that it can't yet crack... and they know this... who exactly are they intending to spying on? Not ISIS, just the rest of us.
I am more afraid of the bs lobying people try to push using terror attacks than i am of actually dying in an attack.

Just by looking at the numbers and the actual risks involved in being effected.

Tech-savvy people often miss the forest for the trees on this one. Once you get past the engrossment in implementation details, the fundamentalist political philosophizing, and the harping on spurious and mostly anecdotal evidence for Western police states, there actually is good reason for government surveillance of W/Obama scale. There is a distinct threat that global terror will increase in scope by orders of magnitude, due to a) gains in message efficacy, b) positive feedback loops for recruitment (i.e., bombing Iraq over and over again), c) weapon availability gains, d) geopolitical posturing, or e) a black swan. Of what has been revealed from Snowden's leaks, the worst intentional (read: potentially malicious) invasion of privacy was NSA employees making fun of tapped conversations. If that and you not being able to torrent 24-bit flacs off of what.cd is the cost we have to pay for security in a future which is less certain than is widely acknowledged, sign me up.
The worst thing for me about the Snowden leaks wasn't that. It was the deliberate interference in secure protocols (e.g. the flawed random number generators), combined with the pressure to leave open accidental flaws.

This makes everyone vulnerable to J. Random Cybercriminal when those same flaws are finally discovered by the non-secret services.

Being a victim of an identity thief is a lot less terrifying than being in the middle of a automatic weapon massacre, but it's a lot more likely to happen.

The framing of the debate as "encryption = only used for evil" is not only wrong, but very dangerous from that point-of-view.

I don't have any easy answers that keeps everyone happy. But neither does anyone else.

You are already signed up. There is no opt-out and no democracy. Thank you for your cooperation.
I was reading an article yesterday about how the attacks in paris were coordinated via the playstation network.

This tells me, unequivocally, that the news outlets can't possibly understand what is secure and usable, vs what isn't.

My girlfriend (whom is not very technical) was saying that PSN should open itself to police, and then I showed her the security record of Sony, and then showed her how messages are sent unencrypted over the wire.. and then showed her the wiki page on Tempora.

It's very clear to me that they're going to blame everything and anything- and we should very clearly ask the question to these publishers;

"whats your evidence of any wrongdoing";

"what's your ideal situation?";

"why do you feel that way"

I think the sensible argument for advocates of strong privacy has been touched upon in the article when they mentioned China. At least that's my "debate tactic". The argument is basically "we need strong crypto because it allows people living in ISIS dominated regions to communicate safely and escape without the danger of having their communication intercepted and having a kill team visit them"
I fail to see how privacy/crypto apps helped them. They could've as well used DIY "apps" or alternate channels of communication (which could be encrypted).
the sad part is that this is the only actual quote I could find, all the rest is just speculation and security theater

"The working assumption is that these guys were very security aware, and they assumed they would be under some level of observation, and acted accordingly"

and the ps4 quote about encryption is completely unrelated: http://www.xpats.com/brussels-weakest-link-europes-fight-aga...

just think about it: if problem was just the encryption, the logical assumption is that they were aware of the person involved but couldn't read the messages

you have to find the person you need to monitor first, encryption or not. you can't track every message, even if you force the whole word to communicate without encryption, because of the sheer amount of false positives.

https://www.schneier.com/blog/archives/2006/03/data_mining_f...

>American and French officials say there is still no definitive evidence to back up their presumption that the terrorists who massacred 129 people in Paris used new, difficult-to-crack encryption technologies to organize the plot.

Everything you need to know in the first paragraph.