29 comments

[ 298 ms ] story [ 1641 ms ] thread
Seems like to me this sort of bluff works on the average users and not the hardcore users who understand what they are doing, so it's entirely fruitless. Unless it's not a bluff, in which case we would wonder why the hell they announced it.
I wouldn't call it a bluff, but FUD. Of course the carriers can MITM pretty much all traffic, unless the keys were exchanged on a private channel. The internet is not private, SMS 2FA ain't either. It's FUD, because the spin that this announcement is a bluff would lead Terrorists from using it anyhow, revealing sensitive information. Putting on the tin-foil: If even I could figure that out, perhaps it's indeed intended as deterrent, e.g. because AI is not strong or efficient enough to process the amounts of data. That's still less paranoid than thinking AI was indeed strong enough and just keeping people busy with unsubstantial stories.

Of course there's also the theory, that even governments are sometimes just stupid.

Is it OK to flag stories with auto-play video ads?
No. That is not an intended use of the flagging feature on Hackernews.
Why aren't you running ublock and noscript?
Apparently they required companies to provide their private keys. Once you have that you can capture traffic and decrypt it.
Whatsapp, Signal, and Telegram generate the keys on the clients to provide end-to-end encryption.

The companies themselves do not have keys to provide to anyone.

(comment deleted)
Even if that's true, they are one auto-update away from adding a key exfiltration routine.
Many things mentioned in this article are not actually true. The publisher seems biased. Russian officials say different things. I think the most Russia will do in the nearest 5 years is the same as Kazakhstan's officials: force users to install special certificates if they use secured connection. And American and European govs likely have plans to do such things too. They have already copied a lot of laws about surveillance from China, Russia. etc.
I think we need to wait for someone that understands Russian to chime in and tell us whether this article interpreted this correctly, or if this is just a law giving the state the authority to collect your private keys from your systems (via however they want to accomplish this)
The linked fsb.ru update says nothing about ability to collect encryption keys by themselves.

It only says that the method with which the companies will be able to give them the encryption keys is approved.

Still, my russian may be rusty, but it seems to me, the FSB just documented a procedure which the companies will need to follow to provide the FSB with the keys.

Yep, you're right. The article in question misrepresented the linked Russian text. Source: I'm Russian.
> or if this is just a law giving the state the authority to collect your private keys from your systems (via however they want to accomplish this)

That. No details are available. People say they have no idea how to accomplish this.

I speak russian and I can ensure you this story is ridiculous for every IT-related person in Russia. Russian segment of the internet already produced a lot of memes and jokes about "all keys in 2 weeks" (and teleport in last day, please). It's just level of incompetence of the Russian government.

This law is just reason to ban every messenger who will not send traffic to FSB.

Heh. That reminds me about the time when my government (South Africa) wanted to pass a law that all local ISP's must log and store every bit of data that goes through their networks for at least 5 years.
I just leave a couple of excerpts for everyone to understand the level of competence up there.

> After signing controversial anti-terrorist legislation earlier today, President Putin ordered the Federal Security Service (the FSB, the post-Soviet successor to the KGB) to produce encryption keys to decrypt all data on the Internet. According to the executive order, the FSB has two weeks to do it. Responsibility for carrying out Putin's instructions falls on Alexander Bortnikov, the head of the FSB.

https://meduza.io/en/news/2016/07/07/putin-gives-federal-sec...

> Russian President Vladimir Putin said Thursday at a media forum in St. Petersburg that the Internet is a “CIA project” that is “still developing as such,” the Associated Press reports.

http://time.com/75484/putin-the-internet-is-a-cia-project/

>...to produce encryption keys to decrypt all data on the Internet. According to the executive order, the FSB has two weeks to do it.

Maybe they'll offer $1K for someone who comes up with the solution. Saves the FSB having to put a staffer on it.

While that makes it sound like the Russian government are planning to crack all the encrypted traffic on the internet in two weeks, that's not what they're saying. They've built a website that enables companies to easily voluntarily hand over their private keys - companies that don't will be fined, and presumably blocked at a state level if they refuse long term.

http://news.softpedia.com/news/russia-finalizes-procedures-f...

So what's wrong with competence here? Or you just know better than Putin? :)

Snowden revelations showed up that internet have been used as a tool to collect intelligence about foreign and domestic citizen by USA agencies. You can refresh your memory here [1]. Also, meduza.io is not a credible source as i have noted few times in my comments.

[1] https://en.wikipedia.org/wiki/Edward_Snowden#Revelations

There was a story about some Russian IT company that got huge amounts of money for bogus claims. Maybe this is the case here, however I doubt that the FSB is that incompetent. Or it's an attempt to deter usage of WhatsApp and other clients.

On the other hand there were rumours that Russia can and does manipulate SS7 e.g. to get 2FA tokens via SMS, they also have likely control over the GSM and 3G/4G stations. As this is a black box it's probably not impossible that a network operator could access the keys via the baseband if there is a hole a "feature" e.g. for DMA access from the baseband to the phone, however this is pure speculation from my part.

The linked article completely misrepresents FSB's announce. It says that FSB has come up with the procedure by which companies can hand them their encryption keys, not that they will be able to decrypt everything themselves.

Is it possible to correct the title? It's actively misleading now.

I actually believe the Russian government can do that.

It's trivial for a messenger app to include code that sends a copy of your private key to the messenger app's company's HQ, if served with a warrant or if obliged by law (and that seems to be precisely what's happening here).

If the messenger app is open-source (like Telegram or Signal), you can satisfy yourself that the messenger app isn't sending your private key behind your back.

But it's a different story if the app is closed-source and its parent company was involved in PRISM (like Whatsapp).

> If the messenger app is open-source ... you can satisfy yourself that the messenger app isn't sending your private key

But only if you are building and installing the app from source, and have audited each release. OS apps installed through app stores suffer the same lack of visibility as a CS app.

Governments who do not allow the proper, open operation of the internet, should be banned from using it. Like it or not the Internet was created by Americans, it was nurtured with American ideals of freedom, and countries who refuse to allow those standards should be barred from participating. I think this would have a positive effect in the long run, the way economic sanctions sometimes work.

A few years ago I'd never have proposed this.. but the willingness of second and third world governments to abuse the internet for their obviously crooked purposes has reached a fever pitch in recent months.

slightly unrelated, but interesting, those same countries produce most of the world's spam and viruses.

edit: I wonder if it'd be feasible to ban corrupt governments from the internet while allowing citizens access.

> Like it or not the Internet was created by Americans, it was nurtured with American ideals of freedom, and countries who refuse to allow those standards should be barred from participating.

And it's been undermined by Americans, and been corrupted into a platform for American surveillance and cultural propaganda, thanks to the NSA and CIA.

The thing is, Putin sounds like a raving loon for saying things like "the internet is a CIA project," but he's not entirely wrong. The US created one of the greatest tools for freedom, communication and expression the world has ever known... and it's been been trying ever since to burn it down and plant the Stars and Stripes in the ashes.

Compared to other countries, entirely in my head and not in any scientific way, I think America has a better track record than some of protecting the internet from tyrannical government agents.
Blocking an entire country from accessing infrastructure in other countries would only help these authoritarian nations foster nationalism.
if I understand your statement, I think I agree. That's why I adjusted my comment to suggest banning only the governments of those nations, while allowing the private citizenry to continue to have access.

That would certainly be challenging to do, but I believe it would be possible.