44 comments

[ 5.8 ms ] story [ 115 ms ] thread
Unsurprising yet depressing :(
The sad thing is that in this day and age nobody is going to be surprised by this, and most of the genral public won't even care :(
Unfortunately most people appear to struggle with seeing how things like this could affect them
Does it really affect "most people". Sure, the potential effect is there - you commit a crime and they'll check your phone records and whatever to catch you and your associates but beyond that?

Most people use their phones to talk about pretty banal things.

Sure, but "most people" aren't going to actually have the data collected on them examined. Just rising young party stars, perhaps. Or civil rights and environmental activists. Or the CEOs of companies that are competing with friends of the head of GCHQ. Do those people talk about banal things? Do those people talk about illegal things? Do those people talk about embarassing things?

Honestly, the issue here isn't "most people's" banal talk. The effects of having such a huge cache of data on hand to get "leverage" on key people that the GCHQ doesn't like is the issue.

Exactly, it's not most people but key people - ergo "most people" don't care.
The thing is laws change, what is permitted today may not be tomorrow. So yes today this may not affect most people, does that mean we should allow for laws today that could undermine democracy in the future? Also do you really think criminals will use a protocol authored by GCHQ?
>Also do you really think criminals will use a protocol authored by GCHQ? //

Criminals use Facebook. Not all criminals are intelligent.

But the sort of criminals that GCHQ is after, probably not.

That said Tor is used by criminals and that was developed by DARPA I gather.

In addition to the general principle that your government shouldn't be collecting dirt on its constituents, there's also the very real possibility that back doors will eventually be exploited by bad guys and reduce everyone's security.

Even if you think you don't have anything to hide from the government, you probably have plenty of stuff you want to hide from criminals.

I am certain nearly everyone gets it. Their parents went along to get along and so will their children.

People apparently need a written sign in the washroom to remind them to wash their hands. Keep that in mind.

> People apparently need a written sign in the washroom to remind them to wash their hands. Keep that in mind.

That's actually a liability limitation exercise; if employees and attendees are prompted to wash their hands, their employer has less liability for effects of contamination.

Yes let's let government surveillance outfits design protocols. I mean who ever though this would ever be a good idea? They will 100% of the time fail at this task.
I feel obliged to once again refer to Home Secretary Theresa May's on-record statement to a government committee only seven days ago:

"The UK does not undertake mass surveillance".

Make of this what you will.

Well hey, it's not actual surveillance until a human listens or reads. Machine access doesn't count. That's how the NSA likes to style it, anyway.
She is technically correct, but it's a very misleading technicality. Surveillance is monitoring, and the government can claim that what they actually do is mass recording of Internet traffic.
I think that is what mass surveillance is commonly understood to mean.

Trying to shift the meaning so that the GCQH can technically say there's no surveillance seems incredibly dishonest to me.

If one needs to resort to pedantry to appear to be right, then there is no better justification for their views than a fallacy.

Oh, I agree. I think it's totally misleading, but this is the way they are describing the surveillance that we have.
The other word to play with is "mass", who is to say what is or isn't mass.
What she _obviously_ means is that they don't weigh the mass of the whole population.
Funny thing about the "Big Lie", it only works if it's repeated enough successfully.

James Clapper was able to repeat the big lie long enough to avoid charges of lying to congress. Ms. May has her own rodeo to deal with now. let's see how she ends up.

Maybe "MIKEY-SAKKE" is an inside joke.

Mikey: "A seemingly innocent and sweet little boy causes murder and mayhem in his new neighborhood ..." [0]

saake: "arrested number of young" in Somali [1]

[0] http://www.imdb.com/title/tt0104870/

[1] https://translate.google.com/#auto/en/saake

This is too obscure on its own to make sense: your links should illustrate, rather than be necessary for comprehension!
My serious point is that "MIKEY-SAKKE" is a joke. I first thought of Takashi Miike, and the “Everything I’m about to tell you is a joke.” line from Gozu. But that didn't lead anywhere. Still, isn't the Mikey association at least a little funny?
"Mikey" is likely a nod to our American friends.
It should have been obvious to the project team that the hole would be noted, or suspected if the details were obfuscated. I'm more concerned about the waste of public money on a doomed project.
Why "doomed"? Public bodies will adopt it. People who need to work with public bodies will adopt it. And sooner or later, ISPs will be forced to adopt it.

The protocol is working as expected. It doesn't have to be technologically superior to win adoption, it will be mandated by law. It just has to be good enough for the purpose it was developed: to provide an obfuscation layer that can "keep out" casual intruders while allowing unfettered access to the security apparatus (I won't say "law-enforcement officers" because these people are actually law-breaking).

It's not just that there's a half-open back door that GCHQ knows all about; now there's a half-open back door that everyone knows exists. If you wanted to break in, that's a big help to you. Why adopt this now, when sooner or later the back door will be wide open to everyone?
You don't understand -- this protocol is not supposed to be bulletproof. It's supposed to be good enough to be considered a step up from the status-quo for certain uses from a legal perspective. You won't get the choice to get on board: who has to be onboarded will be legally forced to do so.

If you have the resources and know-how, the current telephone system is not very hard to break into; but you don't get the choice of what protocol to use when connecting a phone to the network. This is the modern equivalent.

> this protocol is not supposed to be bulletproof. It's supposed to be good enough to be considered a step up from the status-quo ... the current telephone system is not very hard to break into ... This is the modern equivalent.

I see. Though I would also suggest that the status quo is unsustainable: ever since May 2013 it has become increasingly clear that things can't carry on as before; a minor "step up" to a modern equivalent is not enough for modern times.

"People who need to work with public bodies will adopt it."

Meaning the public sector will pay more for bespoke software.

Everyone else will most likely ignore it as an option. Who wants to invest in an 'ecosystem' built on an insecure security feature? How do you sell that to users: "with our voice calls nobody can eavesdrop on you, except, umm, the government and telcos."

Seems to me that government agencies are good at two things:

1. Failing to be any good at what they are trying to do and, 2. Using said failures to take advantage of poor people and put them in jail.

This seems like a case of both happening.

Well, what an enormous surprise this is.

GCHQ, who have been implicated in mass surveillance for many years, and who were showed by Snowden's releases to be doing lots of snooping and sniffing around indiscriminately and who haven't come under any criticism whatsoever from the UK government in light of these releass, have made a compromised encryption product that allows them to carry on doing what they do.

I'm absolutely floored by this.

The irony of this story neatly mirrors the inconsistencies in the UK government's recent response to a petition to "to abandon all ideas of trying to ban strong encryption": https://petition.parliament.uk/petitions/106369?reveal_respo... .

The government's response boiled down to

1) The Government is not seeking to ban or limit encryption.

2) The Government is clear we need ... to ensure that ... the police and intelligence agencies can ... access the content of communications of terrorists and criminals.

Not too surprising that around 26 of the 650 members of Parliament have degrees in science or technology.

>Not too surprising that around 26 of the 650 members of Parliament have degrees in science or technology. //

Is that particularly unrepresentative of the population as a whole?

Per the Office of National Statistics:

http://www.ons.gov.uk/ons/dcp171776_337841.pdf

==

The population we have used in this report is all adults living in the UK who were not enrolled on any educational course on the survey date. The age range we have focused on is women aged between 21 and 59 and men aged between 21 and 64. The lower age limit of 21 is used as most people will not have been able to complete a graduate level qualification before this age. However, please note also that educational systems are different across the countries of the UK. Upper age limits were used because we wished to focus on people active in the labour market. These particular ages were chosen to maintain consistency throughout the report as some sections consider time periods before changes to state pension ages. In 2013 there were 12 million graduates in the UK In April to June 2013 there were 31 million people in the UK who were not enrolled on any educational course. Breaking these people down by the highest qualification they held:

• 12.0 million, or 38% were graduates

• 6.7 million, or 21% stated that their highest qualification was of an A level standard

• 6.6 million, or 21% stated that their highest qualification was equivalent to an A* to C grade GCSE

• 3.1 million, or 10% had “other” qualifications not categorised in the UK

• 2.9 million, or 9% had no qualifications

It was more the field of educational accomplishment I was interested in. It's good IMO that MPs have higher qualifications in general than the norm but I was really wondering what the distribution of qualifications per field was. The 26/650 in tech and IT seemed like it might match the populations in general, but I don't know.
What about the so called social sciences?
I don't think those two statements are contradictory or inconsistent, when you Think Like A Civil Servant .

From gov.uk's perspective encryption plays a necessary role in enabling the digital economy by encrypting data in transit. They won't interfere with SSL / TLS, for example, because that would chase billions of £ of business out of the UK.

But they intend to strong-arm communications providers into giving access to the at-rest data. Whether that is encrypted or not is orthogonal to the discussion; a court order will be served, and the provider will have to respond.

Whether the provider is BT or Mr Joe Bloggs hosting his own e-mail is also irrelevant; it will be a criminal offense to fail to respond with the demanded data. Bonus points for GCHQ if this means that providers simply don't encrypt data at rest, for simplicity's sake.

So the UK government is trying to amass a toolset that wold be the stuff of wet dreams for the Stasi - but they're absolutely not going to use them for the very thing they are designed to do - even though we know they're already doing the things they say they're absolutely never going to do with he tools they say they don't have but they actually do have.

Hmmmmm. Okey dokey asshats.

What puzzles me though is this: These things aren't designed and built by politicians. They're designed and built by highly skilled people with above average intelligence. And the UK security services don't pay that much money. So who are these idealogical geniuses who are ready and willing to arm a government with tools they should not possess?

I previously worked at Cryptify AB with Cryptify Call.

I think this article misses the point somewhat. This is not a backdoor, it is the entire point of the scheme. As I understood it CESG wants MIKEY-SAKKE primarily for use within the government or within companies working for the government.

For the network owner MIKEY-SAKKE is very convenient because it satisfies the criteria for Lawful interception[1] while also enabling end users to both authenticate and encrypt messages without actually talking to the network owner after the initial trust has been established. It works well as long as the user trust the network owner and you want to protect your users from external powers while maintaining the ability to decrypt any message in the network.

[1] https://en.wikipedia.org/wiki/Lawful_interception