In other words, please make sure that the government can access any communication they might wish to by ensuring your encryption doesn't work. Here's hoping Zuck ignores it.
And Apple does E2EE with iMessage but I don't see the government slamming them publicly. Maybe it's because they don't consider Apple to have a big enough marketshare, or Apple doesn't make the system as private as they claim it to be and secretly collaborate with the authorities.
Easily explained: FB is the one who actually went the extra mile to start spying on its users and report thousands of cases to the police. Now the police have become lazy, they want more of that.
Being voluntarily able to leave and not being able to voluntarily leave are not the same thing, just like being too lazy to leave your house is not the same as having the western stasi threatening you to leave.
If the police are outside your house waiting to take you to jail, you are not yet in jail. Your house does not count as jail just because the police are waiting outside to take you there. It's really not that hard of a concept to understand. If you walk outside, are arrested, and brought to jail, then you're in jail.
AFAIK the restriction was “stop using embassy property to interfere in other people’s elections” and “you need a wash”, “clean up after your cat”, and “we don’t like that you skateboarding at night, playing loud music and walking around in [your] underwear“.
I’ve not seen any corroboration for the claim he smeared excrement on the walls, but that was in the same article.
From what I've heard on the matters and comparing the way Assange looks and talks before and after his time in the embassy, it appears he developed psychological issues.
Would you prefer that the British police entered the Ecuadorean embassy without the permission of the Ecuadorean government in order to extradite him lawfully in accordance with a lawful court order to not America to face trial for not clearly political espionage claims, especially when he would not be facing the prospect of up to the death penalty and in fact would probably have been released by now anyway?
This is the sort of adjacent controversy, a.k.a. flamewar tangent, that the site guidelines ask you not to introduce into a thread. The problem is that the topic has been gone over so often that there is no longer any curiosity in it. Curious readers move on, so only partisans—those who passionately identify with one side or the other—show up to comment. All they do is recite the same arguments that have been made countless times before, using stronger and nastier language against each other. We end up with https://news.ycombinator.com/item?id=21864054.
Since HN's guiding principle is intellectual curiosity, it follows that once an ongoing story has reached a saturation level of repetition, it's off topic for Hacker News until significant new information emerges. Once that happens, discussion has a chance to attract the curious again because there's something new for the mind to sink its teeth into.
Actually, one can drop the word "controversial" from the above: any story is off topic once it has been repeated to saturation level. But it's only the controversial stories that people feel compelled to keep bringing up past that point.
The saturation threshold for repetition is far lower than people who feel strongly about a story think it is. That is, curious readers get bored and tune out far sooner than partisans imagine.
It's not that such topics are unimportant. Usually they have large importance, which is why people feel strongly about them. Rather, this rule has to do with the HN community's limited ability to function within its values. Once we get out of the functional range of curiosity, the needle goes into the red, and discussion reduces to two sides firing at each other from fixed positions. It's not in anyone's interest for HN to host such degenerate discussions, because the more we do that here, the more we condition the site to have more of this, instead of the curious conversation it actually exists for. Keep in mind that flamewars are the default end state of an internet forum; curious conversation is not. So they aren't sideshows that have no effect on the main attraction—they are actively poisoning it and hastening its decline.
Each of us has at least one topic that activates us and throws us out of the curiosity range, so the only long-term solution is to learn as a community to manage these reactions consciously in ourselves, and not let activation energy propel us mechanically into posting.
I apologize for accidentally breaking the rules, and I will endeavor to follow them more closely.
I hadn’t realized how deeply effective the intelligence efforts to re-polarize people on this topic had been, and walked into a minefield entirely on accident. I thought my comment was uncontroversial, but I was mistaken. Sorry for the inconvenience.
It is/was never about safety. It is beyond me why would anyone ever swallow such BS. Every government be it democratic or not wants control, plain and simple. The more the better (for them).
Why is this an "open letter" instead of being passed as law? I understand that you might write an open letter when you are powerless to change something, but this is a government...
Because our "leaders" are not smart enough to understand this, they've just been told it's bad.
Because they want to pretend it's ok to have zero encryption and that's much harder if facebook and others say it's not.
Because passing an actual law to actually ban it would take effort and they're lazy
Because there is a non-zero chance they can't really ban it, at least not without banning a lot of other things like e-commerce and online banking, so a gentlemans' agreement to keep 95% vulnerable is much more manageable.
Because in at least some of the jurisdictions it might not be legal ("constitutional" in the US, "in accordance with the European convention on human rights" in the UK etc) to force these things by law.
>Because our "leaders" are not smart enough to understand this, they've just been told it's bad.
Your comment is partially correct, it is the Home Secretaries, past and present, who have been routinely told by the civil servants to tow the anti-encryption line, which goes back to RIPA 2000 and even further back. In essence it is GCHQ who are asking and they understand encryption perfectly well; since they can't ask directly, hence the role falls upon the relevant minister in government to do it.
This will once again become a hot-button issue as outlined in the Queen's speech. The Tory Party is also switching from Whatsapp to Signal ─ make of that, what you will.
I'll read the link shortly but I thought they moved to signal because of leaks...from members of the group in questions. Not from someone hacking their handset or capturing and de-crypting messages in flight?
It will be hard to stop the leaks regardless of the platform, as screenshots are a common way to save and share conversations in this community. The reason provided by the Party, as stated in the article, suggests that it is due to group size limits. All other reasons for the switch are open to conjecture.
A Conservative spokesperson said the real justification for their MPs to use Signal was operational, rather than for security reasons. With so many Tory MPs elected at the last election, it had become impossible to fit them all in a single WhatsApp group, because they are currently capped at 256 members.
I think even that reason is BS to be honest: The tories won 317 seats in 2017. They "lost" about 10 people who were temporarily suspended from the party by Bojo. But I don't think they ever dropped below 256 MPs.
I wondered if telegram has some feature where you get an alert if someone screenshots the window (I seem to remember snap chat had this?). Do you know?
Wee niggle: it's toe the line, meaning "take your position", no matter which of the several suggested etymological origins you favour (track and field, school or naval parades†, international border, bare-knuckle boxing, etc.).
† A parade is an assembly of some sort; it may or may not involve a march past or route march.
"Would you like the government to permanently have access to all private messages without a warrant so they can catch terrorists, of which they cannot provide a single example of a terrorist this system has caught?"
Look at me, I can write a technically true but biased question too!
Because that's how it works right now (at least in the US, can't speak for other countries for sure), and I'm intentionally writing a question biased in the opposite direction of how yours was.
Yeah, but you’re not in charge of writing the referendum question, if it comes to that, and the UK doesn’t have a strong pro-personal-liberty party, so the fact you can write an alternative biased in a nice way doesn’t help.
"Yes Minister" covered leading questions in opinion polls, of course, but I don't have the quotation. For anyone too young or not aware of classic BBC series, Yes Minister (and sequel Yes Prime Minister) is an impressively timeless comment on politics and officialdom.
Writing perfect laws is close to impossible - there's almost always unintended negative consequences. Legislation is a pretty blunt tool, and for this reason there's long history of governments asking various entities to behave nicely so they don't have to try to write legislation they know will be very hard to get right.
Please note that I'm not supporting the govts position - just supporting their methodology of not rushing to legislate.
Because they want the people to be on their side, "thinking of the children" and all that instead of thinking about Big Brother having access to everything.
In normal operation almost all laws before parliament are drafted by the government of the day. Parliament could in principle do whatever it wants, but ordinarily in the UK the governing party has a majority (often a sizeable one) in parliament like this present Tory government, which it can whip to support its measures, so it would be futile to resist. The remarkable thing about Brexit was that a majority of members were sure that any particular plan was so bad as to be worth overturning the government position, and so Parliamentary sovereignty mattered.
By convention governments set aside a small amount of time for measures from individual MPs, most of which will be debated but proceed no further if they're at all controversial. A lot of such business will be scheduled for Friday, this way almost everybody can go home. The Speaker (or whichever deputy has to stay on Friday) will claim to hear dissent after a bill is discussed before it can pass, and because there seems to be dissent the house must be divided in order to count supporters for each side of the matter. In doing so it will be "discovered" that it is inquorate (ie there aren't enough members present) and nothing is done.
The British Government hasn't had a good experience with writing criminal laws to stop people saying things it didn't agree with in the past. It turns out that people are OK with your broad generalities, but the thing about criminal law is that it rests on specifics. Justice in one particular case before the courts, not an army of hypothetical "What if?" questions.
Lady Chatterley's Lover in 1960 was an example. The Government had just written a law (in 1959) clearly saying you mustn't publish obscene stuff. As a generality this seemed very supportable. In the specifics it struggled, was this novel obscene merely because it was about fucking? Because it used words that would be familiar to readers, such as "fuck" and "cunt" precisely because they were words about fucking? The government made its case but jurors concluded the publisher was not guilty. If obscenity meant anything, it apparently did not include literature about fucking. The government gave up and no similar trials were conducted.
The thing about End-to-end encryption is that you can't see inside. So your test case ends up being we weren't able to see inside this message, we want to know what's inside it. And in the course of the trial the jury are likely to discover that either the contents of the message were in fact mundane and uninteresting or that nobody in fact can prove beyond a reasonable doubt what they were anyway, whereupon all the exciting stories about terrorists or shadowy figures preying on children evaporates and the question is just: Is it right that the government wants to pry into everything you do? And a jury is going to say "No".
The idea of an independent judiciary sounded good in the UK, and so they actually built one‡, but they didn't get the memo from America that the independence is supposed to be a thin pretence - so the judiciary actually is independent and they can't trivially unwind that (though leaving the EU will mean at least nobody can tell them not to try any more).
‡ For many years the courts of England & Wales were independent from the British Government but they didn't look it because the ultimate court of appeal actually worked out of the Palace of Westminster where the Parliament is, and its judges were technically "Lords" in the Parliament, so it _looked_ superficially as though there was no separation. All the actual independence was a matter of convention rather than being visible. This appearance was fixed by giving them a new name (the "Supreme Court") and a Supreme Court building, a short distance away from the Palace so now they look as independent as they actually were anyway.
I think your distinction between generalities and specifics is an insightful one. I have not realised previously that this is a good reason why some laws never enter reality.
Like it or not,outside of tech circles the majority of people think lawful interception should be in place. E2E is fairly new so I doubt it would remain legal for a commercial service to offer it.
I personally am a fanboy for E2EE. But in democratic countries the majority rule so what could be done aside from educating the majority?
The message from the tech industry needs to be very simple and digestable. No going on and on about how you can't backdoor E2EE because that's bad design or implications of letting them have backdoor access,etc....
If it was up to me the counterpoint message would be
"Yes, Lawful intercept should be a thing since the people want it but there have been severe violations both by governments and criminals alike where they used existing weakness that allowed lawful intercept for unlawful dragnet surveillance with absolutely no repercussions. Therefore, even if a lawful intercept backdoor was in place, history has shown it will be used for unlawful ends and as such E2EE is merely preventing illegal interception. If the people's will is truly to allow access to their communication then individuals should be forced to install software on endpoints that facilitate interception,much like e911 related software is by law mandated to be installed in a way that is very hard to remove."
That said, I hope FB burns!!! (the company,not their people).
> outside of tech circles the majority of people think lawful interception should be in place
This is absolutely the case. You're going to have to do a hell of a lot of work to begin to explain to most normal people why end-to-end encryption is even possible, let alone why you may think the Government should not have a right to decrypt. It's going to seem completely reasonable to almost everyone except your friends.
Compare with the "Totok" (not tiktok) discussion also on the front page. Suddenly people aren't so keen when it's a foreign intelligence agency doing the snooping.
> people aren't so keen when it's a foreign intelligence agency
True, when I pointed out how the bottom of the slippery slope of backdooring looks like, it wasn't much appreciated. I'd rather assume it's not because so many HNers are pro-snooping but rather pro "righteous" snooping. "Ours" vs. "theirs" even if it probably degenerates towards the same end result.
I think it's plain to many that they are not in fact worried about "our children" - it's a lazy argument that's easily seen through, yet appeals to outraged tabloid readers.
It also makes it easy to retort to those who would oppose it: "then you don't care about our children, you must be a monster!"
In reality, anyone who truly cared about our children, and indeed future generations, would see the dangers of mass surveillance and strongly oppose it on those grounds.
I'm writing a communication product that uses encryption to store the communications. A couple of things spring to mind when reading this:
1. It's trivially easy to write a communication service that end-to-end encrypts using modern libraries (in my case, Go). The encryption part took about a day to build, without me needing to understand any of the maths I was using. I haven't had any penetration tests on it, yet, but I understand that Go's encryption libraries are all tested and the implementation (plumbing them together) is pretty simple and hard to get wrong. So even if FB gives the security services some way of reading messages, then the bad people can have their own tool within a few days.
1b. There are other services, not as popular, that provide solid end-to-end encryption already (hello Keybase), that the bad people can use immediately. This is not about stopping the bad people from encrypting their messages, this is about getting access to what everyone else is saying.
2. It's already practically infeasible for a communications company to implement end-to-end encryption without breaking existing laws (mostly about copyright). Facebook's "end-to-end encryption" on message content will have to include a copyright content filter in order to not be targeted by the copyright legal industry, and the incoming EU legislation on implementing content filters on any service that can share content.
All this points at this not being about terrorists and protecting children, but at it being about mass surveillance of civilian populations. It's notable that of the "five eyes" participants, it's only the US, UK and Australia who have contributed to the open letter. These three countries are the most keen on mass domestic surveillance (in the West anyway).
Given any set of modern libraries encrypting the transporr end-to-end is trivial.
Still hard are verfication processes, for distributing certs/public keys and some secure memory handling if you want to protect the unencrypted message on the local machine in some way.
It isn't hubris. I've written a toy E2E encrypted messaging as well. I haven't had to write a single line of actual crypto - libraries like libsodium ensure I just have to tell it the kind of security I want, and it handles all the dirty work for me.
The hard part then shifts to the logic:
1. Ensuring the protocol doesn't allow accidentally leaking the data to an adversary somehow.
2. Ensuring the data is secured on the endpoints (the phone) - making sure the keys are secure and can't leak, and making sure the data is only decrypted when needed and for the time period it's needed.
Not that this is easy to get right either. But with crypto being an essentially "solved" problem, we get to spend more time ensuring those bits work properly.
Yes, identity verification is certainly the hard part of setup for any secure communications system. But in modern systems the cute thing is that this only really matters at the moment it happens. It's a big problem if there is an active adversary attacking you when you try to communicate, but a moment later it doesn't matter at all.
Many governments are reluctant to just attack their own citizens 24/7. It's a bit too blatant. So they're obliged to try to attack most communications retrospectively.
Suppose I am an intelligence analyst and I just figured out that murderous terrorist Jenny Smith sent instructions for planting a bomb to another member of her cell on Saturday at 11:42:05 precisely using let's say Signal. I have a copy of the IP packets sending the instructions. I have essentially unlimited resources to dedicate to the task. And Jenny didn't even have a reliable way to assure herself she was sending the instructions to the right person. Surely I can do something? Right? Nope. I'm screwed. Since I wasn't actively attacking Jenny back when it happened, she got the right keys, and I can no more decrypt these IP packets now than I could travel back in time and stop her sending them.
I think there are a bunch of scenarios in the real world that complicate this (we spent a lot of time working around these at Keybase):
People get new phones all the time. If I've done a secure key exchange with you, and then you get a new phone, how do I know you're the same person after? Do you move key material between phones? Or do you get your old phone to sign the public key of the new phone?
What if I got a new phone because I lost my previous phone? Do I just repeat the handshake from scratch with everyone? This is very important, because people losing their phone is pretty common. If there's an "it looks like so-and-so got a new phone" dialog, any user with enough friends will see it pretty frequently. People will get used to tapping "ok". And then an active adversary can attack them, by pretending to be a new phone.
In the other direction, say I do use my old phone to sign my new phone's key, and then later my old phone is stolen. How do I tell people that my old phone isn't me anymore? Do I publish another signature of some kind? How do I make sure that all my contacts receive that signature? Does this part require trusting the server to send messages faithfully?
I was mostly thinking about the generic out-of-box capabilities you'd get these days, which include Forward Secrecy, rather than compromises made in the name of usability for software like Keybase.
But since you're a Keybase person let's consider Keybase's compromises in particular, do they mean Jenny's bomb gets found? What can I determine: Who Jenny sent the message to? The contents of the message? Don't you consider that a pretty bad screw-up considering what your users expect?
I'm not super keen on your chosen example of helping terrorists, since some folks (like my dear AG) act like that's all crypto is good for, and sometimes these things get taken out of context. But that said, I'll run with it.
> do they mean Jenny's bomb gets found?
No, private messages are private like you expect.
> What can I determine: Who Jenny sent the message to?
Yes, as with all end-to-end encrypted chat apps, the server knows who is talking to whom, because it's responsible for routing. Even if you consider a message service based on Tor, an attacker who controls the entire network can often figure things out by looking at sender and receiver timing.
> The contents of the message?
No, but you can see the length. Again this is true of all all end-to-end encrypted chat apps.
> Don't you consider that a pretty bad screw-up considering what your users expect?
You might be misunderstanding how Keybase works. You're right that Keybase messages are not forward-secret by default. (Forward secrecy is available, however. Keybase calls these "exploding messages".) In part, you could call this a usability decision. But it's also related to the fact that Keybase lets you have multiple devices on your account. When you sign on a new device, it would be kind of weird to be in all these conversations where you have no view of the message history. On one device, you can scroll back, but on the other device, you can't? Most users wouldn't understand why, and they'd consider it broken. (You could implement a history transfer protocol, but it's easy to imagine how you could wind up in a partially-transferred state by losing WiFi at the wrong time. Also there's no way for adding a new device from a paper key to transfer chat history.)
Forward secrecy also gets more complicated when you consider multiple devices. The typical Signal ratchet setup is designed for each user having a single device. You can treat multiple devices as separate participants in a conversation, but that doesn't work well if one of my devices is "in the drawer". If I never turn on that old laptop for months at a time, do we keep encrypting every message for its current key? Do we still have forward secrecy in that case? At what point do we evict it from the conversation? Exploding messages are a better solution for this problem, but they're also not a great default for most users. (For typical messages, you generally want them to still be there if I don't read them for X hours.)
Anyway, enough about forward secrecy. You were asking about security. Keybase solves the key distribution problem in a totally different way from other end-to-end apps, by having you use social media to prove you own your key. There is no TOFU. And because there is no TOFU, there are also no routine dialogs telling the user "oops, this person lost their phone, we need to renegotiate keys." Instead, a full account reset is a big deal, and it breaks lots of things. As it should! Otherwise, adversaries in the middle can pretend to be me and act like I've reset my account. All end-to-end apps are vulnerable to this absolutely practical attack, except (to my knowledge) Keybase.
> I'm not super keen on your chosen example of helping terrorists
It's a motivating example. You don't want to help Jenny and neither do I, but if the technology actually works that shouldn't matter, we have no discretion. If we have discretion in protecting Jenny, you can be assured that the governments sending these open letters will lean on that discretion for everybody, not just Jenny.
> No, private messages are private like you expect.
That's very confident considering the later caveats you introduce.
> Even if you consider a message service based on Tor, an attacker who controls the entire network can often figure things out by looking at sender and receiver timing.
Do you think humans (this is a service for humans) need sub-second delivery accuracy? No? So, why would you ensure this when as you realise this just helps an adversary? By throwing away everything better than second precision you make essentially no difference to the user experience but you mix everything up into 3600 events per hour that all have lots of indistinguishable participants.
> No, but you can see the length. Again this is true of all all end-to-end encrypted chat apps.
Again this is a service for humans. You can _choose_ to send exactly 1326 bytes over the wire out of some desire for brevity, but for humans padding everything to the nearest whole packet (~1500 bytes) greatly improves their privacy at essentially zero cost.
> If I never turn on that old laptop for months at a time, do we keep encrypting every message for its current key?
Well do you? My understanding is that in the Keybase design the answer is "Yes" and so most likely your confident "No" earlier will be wrong. Somewhere I can probably find keys that let me read Jenny's message and I am motivated to search for them.
> Exploding messages are a better solution for this problem, but they're also not a great default for most users.
Keybase's exploding messages are greatly fictionalized for the user experience. It reminds me of Mission Impossible. What the user sees is the message vanish instantly after a short timer, like a tape seemingly consumed in flame before their eyes on the TV show
The reality is more like making Mission Impossible, the visual effect is achieved in a separate shot and pasted on, you could actually trivially recover the message for some time after it "explodes" across a variety of devices which each have their own keys. A month or two later the message is gone largely because nobody cares any more, not because it really "exploded" as depicted after just a few minutes.
> Keybase solves the key distribution problem in a totally different way from other end-to-end apps, by having you use social media to prove you own your key.
So, given my involvement with the Ten Blessed Methods (the means by which a Certificate Authority decides that ycombinator.com is really ycombinator.com in the Web PKI) you might expect me to be very sympathetic to this approach. But I'm not.
It ends up as a very woolly "Web-of-trust" type system and we know humans don't reason about those well. The technical argument may be "You can be confident that this Keybase account is controlled by someone who also controls the oconnor663 account on Hacker News or by someone who controls Hacker News itself or by someone at Keybase" but the human understanding is invariably just "This is Jack O'Connor" which is... misleading if I'm generous.
Forcing humans to do in person verification if they care, and allowing them to just not care is, in my not at all humble opinion, a better choice. I am very confident that messages from Al are really from Al having verified that our Signal numbers match, and not in the least bit confident that messages saying they're from Carol...
> you could actually trivially recover the message for some time after it "explodes" across a variety of devices which each have their own keys. A month or two later the message is gone largely because nobody cares any more, not because it really "exploded" as depicted after just a few minutes.
This is worth clarifying because it's complicated.
What happens when the "fuse burns down" is that the server and all running devices delete the message immediately. This matches what the user thinks is happening, and it's what really matters in the vast majority of real world use cases.
Now, one of the recipient devices could choose not to delete the message, and there's nothing we can do about that. They could be running a modified version of Keybase. Or the user could just photograph the message. The exploding messages in small Keybase groups are in fact cryptographically repudiable, but almost no one in the real world knows what that means or cares about it.
More likely, the server itself could be compromised. It might be running evil code, or have a bug, or perhaps all its databases just get vacuumed up by a few different nation states. Who knows. So suppose the server side messages never get deleted. What's next? Like normal messages, exploding messages are end-to-end encrypted, so if the adversary never gets their hands on a recipient device, they can't read anything. Also like normal messages, if the adversary had a compromised recipient device before the message was sent, they can read everything, and there's nothing we can do about that. So the question is, what is their window to compromise a device after the message is sent?
This is where the ephemeral key schedule is relevant. An active device issues a new ephemeral key each day. Each ephemeral key is retained for a week after its successor key is issued. (So if a device goes offline for a few days, its current ephemeral key will have its lifetime extended by a similar amount.) So a typical active devices has an array of live ephemeral keys, with remaining lifetimes of 7 days, 6 days, 5 days... If I send an exploding message with a lifetime less than 1 day, I will use an ephemeral key with a day or so remaining. For a longer message lifetime, I will use one of the longer-lived keys. (In fact there is a hierarchy of user ephemeral keys and team ephemeral keys, but the idea is the same.)
If a device never generates a new ephemeral key for (currently as far as I know) 1.25 months, its active key expires with no replacement, and it no longer receives exploding messages at all. Thus each mothballed device exposes a limited window of exploding messages, and only if the adversary physically gets their hands on that specific device. If the device is ever legitimately reactivated, it will immediately delete all the expired keys.
I'm not sure what to make of your summary that "a month or two later the message is gone largely because nobody cares any more." Do you have any questions about the design I just described above?
> You can be confident that this Keybase account is controlled by someone who also controls the oconnor663 account on Hacker News or by someone who controls Hacker News itself or by someone at Keybase
Keybase cannot lie about about who controls oconnor663 on Hacker News, because each Keybase client independently fetches the proof from my profile. This is the whole point of the Keybase security model.
Now the Hacker News admins could post a proof as me, and maybe create some bogus 0c0nn0r663 account on Keybase to try to impersonate me there. But they can't replicate my GitHub proof, or my proof on jacko.io. Perhaps they register 0c0nn0r663 on GitHub too, and buy the jack0.io domain, and post lookalike proofs there. But at that point, if we're assuming that other users can be tricked by lookalikes, does it even matter that they compromised my real Hacker News account?
The current state of the art in this space is Signal, which offers participant consistency, destination validation, forward secrecy, post-compromise security, causality preservation, message unlinkability, message repudiation, participation repudiation, asynchronicity, speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, and contractible and expandable group membership. [1]
Which of these properties do you get out-of-the-box from Go’s standard library and/or libsodium? Almost none of them. The gap is enormous and not at all “trivial”.
So, yes, it is hubris for OP to state that they can build a competitive protocol in “about a day”, “without me needing to understand any of the maths”, by simply stringing together Go standard library calls. I think the engineers and cryptographers who work on Signal, Keybase, etc would have a good chuckle at the suggestion that this stuff is “pretty simple and hard to get wrong”.
I'm not building a competitor to Signal, so most (if not all) of that list is completely irrelevant for my application.
I'm also totally paranoid that I have, indeed, got some of this wrong. I'm trying to find people I can trust who know more about this than I do so they can look at my code and test my application. So far everyone I've approached to look at it has said it looks OK. I've come to accept that I'll never "know" completely for sure that this is bombproof, because there just isn't any single person out there that can verify that this is bombproof.
And, as Bruce Schneider puts it; security is not absolute, it's about delaying the bad people for long enough so you can catch them. Bank vaults are rated in hours (the number of hours that a competent attacker will need to get into the vault). No software implementation is 100% secure, but it can be secure enough to be useful.
But building a basic protocol out of Go's standard library building blocks is pretty simple, and hard to get wrong, for given values of "simple" and "wrong". These aren't absolute, and depending on your application, may be quite low.
Before someone becomes a terrorist they are recruited and cultivated. It might be trivial for existing contacts to install Signal, it's not trivial for people to recruit when they put up extra barriers to communication. I don't know if this is going to matter in the long run, since one way or another the NSA is going to get in, but in the short run it will damage our ability to track how extremism is spreading.
> since one way or another the NSA is going to get in
This is not even remotely a foregone conclusion.
> but in the short run it will damage our ability to track how extremism is spreading
If the only way the intelligence community can "track how extremism is spreading" is by violating the privacy of everyone on the planet, then so be it. Liberty trumps security.
You seem to have read the GP's comment very differently than me.
I took it to mean that using encrypted apps could potentially reduce the spread of extremism, by simple virtue of the fact that it's a barrier to entry?
Yes I think we did. I reread it and I think the "it" that will damage our ability to track extremism is E2EE. Based on that interpretation I took that the GP was against E2EE for this reason and felt that allowing the government access to these communications was ok if it was for the right reasons. I could definitely be wrong, though!
There are encrypted chat apps such as Signal that the bad people -- the Conservative party -- are now using for internal communications. Presumably including Priti Patel.
It's a reasonably well reported statement of fact, brought in IIRC at the suggestion of Dominic Cummings. Why should discussions by party members and researchers be less susceptible to all the ills claimed for Facebook? Why should different rules apply? Are they immune from illegality? So it speaks to the hypocrisy of those calling for the change. It would be no different if it were another party calling for same, whilst at the same time switching from Whatsapp to Signal.
It would be reasonable for police investigating such possible crimes to have more secure channels.
Back when the UK government decided that it should be possible to order records of TCP/IP connections to be kept for similar reasons the MPs asked if there shouldn't be an exception for them. Surely, they argued, as upstanding people they shouldn't be subject to the same rules as ordinary citizens. The Home Secretary of that time told them that unfortunately that was technically impossible, they'd just have to trust that it wouldn't be abused (for example to spy on opposition politicians)...
Lots of people comforted themselves that that law required the Home Secretary to send a letter to order any such collection, and they imagined her writing maybe a dozen letters on a busy day, something like "Dear Tiny ISP, please keep records for your subscriber Steve Smith who we suspect of being a pervert". People more familiar with the actual negotiations behind the scenes say the letters actually went "Dear large UK Internet Backbone provider, per this new law, please store absolutely everything until further notice"...
I don't think that's fair considering how government approach is to blame the privacy for their incompetency and alternative intentions.
Why should politicians who statistically have higher chance of being potential criminals than average population be able to use encryption?
lol, read what I actually wrote. You will note I was replying to a comment which included "1b. There are other services, ... that the bad people can use immediately. This is not about stopping the bad people from encrypting their messages...", etc. I replied in that context using compatible language.
Do you believe it's impossible for an MP or any party's researcher to break the law? If not, they should be subject to the same oversight as all others on whatever service.
The numbers using the internal party communication channels will probably be in the hundreds. Not half the country then. I would have said exactly the same were it any party. The hypocrisy is risible regardless of who. Even, perhaps especially, the one I just voted for.
Since Magna Carta in 1215 the principle has held that every citizen, up to and including the sovereign is subject to the same law. Not every citizen except the current administration. Exceptions must be justified and are regularly tested in the courts.
> The encryption part took about a day to build, without me needing to understand any of the maths I was using
You don't need to understand how ciphers work per se, but you do need to understand how to put the building blocks together and think about attacks, e.g. do you ever have the key in memory on your servers.
There is an infinite number of encrypted chat apps that can be built. What is finite is the number of organizations that have a brand strong enough to launch one that becomes popular immediately. What’s also finite is the number of organizations that can get that funding to build popularity slowly (eg Signal). The governments may successfully be able to stomp out those services and just leave the tiny thousand-user apps alone. As soon as one of those becomes popular enough, rinse and repeat the above.
Well, by forcing the "bad people" into less popular apps they become much easier to identify through other metadata as the popular apps account for the vast majority of the "everyday person" traffic..
I think to get a balanced perspective we should appreciate the dilemma & work done by the govt security people. Their job is to fight the terrorists, pedophiles, forced sex traffickers, and many other "very bad people" - which is easier said than done. In the future WMDs will become cheaper, easier to produce and more powerful, so the issue is becoming more acute. They understandably want better tools to increase their chances of success & reduce likely traumatic failures. They seem to be doing ok with terrorists in the West at the moment, but failing badly with the other categories.
The risk of abuses against everyday civilians are there and I don't have the solutions. But I would presume that the majority of people will trade off a significant reduction to their privacy for a slight increase in physical safety, so that will likely happen. Vastly improving the governance & oversight of the security agencies is one way forward. Otherwise when the next disaster strikes, the security agencies will rapidly make a successful grab for more power.
Why, in a time where Facebook is getting so much flack for privacy issues, would they want to build a backdoor into their platform for the UK Government?
Why would their targets use Facebook for communication when there's many other existing platforms that provide this service.
Privacy isn’t about having “nothing to hide” it's about freedom.
As soon as your privacy is taken away, so is your freedom.
People don't seem to understand this. If you have nothing to hide would you mind if the government went through your house whenever they felt like it? It can be done in a way that doesn't inconvenience you like only when you're not home. Think of all the criminals we would catch. Is that the world you want to live in?
I’m not sure this is a strong example, as the government can already go through your home whenever it wants, assuming it follows its own internal judicial checks and balances.
Free speech, in the US context, usually relates to the 1st Amendment, which precludes _govt_ censorship.
You can yell 'fire' in a crowded theater; if there is indeed a fire, it's fine — you're trying to help alert people to a dangerous situation. If there is not, and you cause a panic that results in injury to others, you could (should imo) be liable.
The US Supreme Court has a litmus test around when the line is crossed. Logically, there must be a balance to ensure one's rights do not infringe on another's, and when there is conflict, how to resolve it. In the case of party A threatening violence on party B, the line is if there is an imminent threat ('fighting words' — inciting an immediate attack), A is in the wrong. Otherwise, no 1A issue. It's much more difficult to prove in the case of stochastic speech targeting a person or group (eg Said before an audience: '$target is bad. Would be a shame if something happened to $target.' Implying someone in earshot should take care of it.).
I also want to highlight that free speech doesn't mean free of consequence — it only limits govt censorship. You can say what you want, but you may: incur financial loses (eg job or contract losses, boycotts), be ridiculed or shamed (ie become a pariah), be denied access to private properties / venues / events / forums (including web sites such as Twitter or Facebook), etc.
I am an advocate of E2EE, but your argument is a little thin I feel.
Let's turn it around. Imagine if law enforcement were completely unable to enter any home, even if they had a warrant to search it and reasonable suspicion that there was incriminating evidence inside. Anyone could do anything they wanted and as long as they kept the evidence inside their home there would be nothing law enforcement could do about it.
The arguments in favour of there being some way for law enforcement to be able to search messages when they have a warrant to do so are certainly worth considering, and (for what it's worth) I feel the sentiments in the open letter strike a good balance; but, I also feel that what they want is, currently, impossible without compromising security for everyone.
The only thing that gives me pause is the government does have this right with regards to vessels on water. They've had it since the beginning of the USA as a country.
This meant mail or anything else carried by these vessels was fair game. Encryption really is a new level of privacy for international communications.
> Why would their targets use Facebook for communication when there's many other existing platforms that provide this service.
Because the kids pedophiles target are also there. Just like the easily manipulated teenagers are there for extremist instigation.
The letter does not concern the overall prevention of E2E encrypted communications (obviously unfeasible). It is about predatory and abusive crime settings that take place in online communities, of which Facebook is the largest one.
I am all in for the right to privacy and freedom of personal information protection. But if we go down that road we just as well should discuss the basic limits of freedom in any (offline) democratic society (ie law). I would not want to answer such a question, because it is much more complex than the usual "protect our freedom" privacy advocacy makes it look like when you consider law enforcement as a fundamental role of governments.
Surely the hard part of eliminating child abuse is the acting on information about the whereabouts of pedophiles? That is hard part, the non-scaling part, the bit where real people have to go and make arrests and free the children and find a safe place for them to stay for the rest of their childhood.
Compared to that, finding the people swapping child abuse imagery online sounds rather easy, even when you can no longer look at individuals' messages.
Western countries condemn the Russian software rules and the Communist Firewall of China and VPN restrictions. Yet here we are with the UK trying the such things in a similar vain.
For anyone not following UK politics, the Home Secretary is basically the Evil Secretary. We've had a string of heartless authoritarian Home Secretaries (mostly women incidentally - for all the "if women were in power the world would be a friendly place" crew).
Priti Patel is probably the worst so far. There's a pretty shocking video of her arguing with Ian Hislop (editor of Private Eye) that we should reinstate capital punishment. So this isn't exactly surprising.
Some people, including in these comments, make the argument that preventing E2EE on Facebook is pointless because offenders can simply move to another service. That's not a very good argument for two reasons.
First, Facebook is already used by pedophiles despite the lack of E2EE. 2500 arrests for child abuse last year according to the letter. An example is given of a pedophile identified through his messages with an 11 year old girl. With E2EE enabled he would not have been identified at that time.
Secondly, the letter highlights that a major problem is the combination of open profiles of children with E2EE messaging. This does not apply to any service, mainly Facebook and similar platforms.
Don't get me wrong, I am overall in favour of E2EE, and I share the usual cynicism about the government's intentions.
You can make the argument that although absence of E2EE does help identify pedophiles more easily, in the balance it is more important to enable E2EE to protect privacy.
But you should not make the argument that absence of E2EE on FB would not help identify pedophiles more easily, because this letter provides evidence that it actually does.
isn't Facebook for 13+ teens? Did they change the terms recently?
And where are the parents?
Do you just hand your kid phone without any parental controls?
Why should we not focus educating parents about raising kids than fucking over with everyone?
Monday parents are not capable od seeing up parental controls, and I don't think we will see that change in the next 10 years even if we direct quite a lot of effort to the matter
so by putting everyone at risk with really minimal security looking at conviction rate and who really are sexually abusing the kids (hint, it's not a rando on the internet) is a better alternative to a long term advantage of having better highly educated parents that will stop cycle of mismanagement across generation like how abuse spreads from one generation to another. Principles and behavior do too.
Why not ask politicians to put forward regulations that makes it mandatory for companies to make parental control accessible and usable?
But of course that won't do. Parents should have no responsibility beyond giving the kid an iPad or a smart surveillance device.
Not available where I live but yeah, snapchat has a similar app.
I think there needs to be an open source federated social media with stricter controls and from a more trustworthy actor than Facebook that you can self host or schools can.
So you can connect with your friends and classmates from school via federated link to your home one. Every link will require approval.
Though that seems like a pipe dream.
Thank you for saying this. There are three classes of people: (a) hardened criminals/terrorists who work professionally, (b) amateur criminals who don't know what they are doing and (c) law abiding citizens.
Of all the criminal activity out there, I would guess the largest proportion comes from (b). You could argue that if you could eliminate one category of crime, it would be better to eliminate this one than the crimes committed by group (a).
I still think FB should implement E2EE because of the costs to the third group (c).
> You can make the argument that although absence of E2EE does help identify pedophiles more easily, in the balance it is more important to enable E2EE to protect privacy.
You're correct in what we should NOT argue.
Now, the problem with "in the balance" between security and privacy is that when in fear society will quickly go for patriot act.
It's curious how we, as a society, can't find a simple, true and incontestable argument in favor of privacy. The only one I know is that it is a fundamental right.
But still this argument is a little too abstract for most people.
They say: "Our technical experts are confident that we can do so while defending cyber security and supporting technological innovation. We will take an open and balanced approach in line with the joint statement of principles signed by the governments of the US, UK, Australia, New Zealand, and Canada in August 2018 and the subsequent communique agreed in July this year."
Why not make end-to-end encryption available only for adults? This preserves the ability to track the most serious abuses of children and the millions of reports the governments describe in their open letter, while preserving the right to privacy that adults should expect.
This would take the wind out of the government's argument and would have a reasonable basis in common law's differential treatment of adults and minors.
Patriot Act is the proof that facing fear society will trade privacy for security. And it is also the proof that gov will abuse their power and society will never get that traded privacy back.
137 comments
[ 3.1 ms ] story [ 170 ms ] threadI thought the concept of of freedom was learnt in primary school but if not you should check it out its a nice one.
https://news.ycombinator.com/newsguidelines.html
I’ve not seen any corroboration for the claim he smeared excrement on the walls, but that was in the same article.
Since HN's guiding principle is intellectual curiosity, it follows that once an ongoing story has reached a saturation level of repetition, it's off topic for Hacker News until significant new information emerges. Once that happens, discussion has a chance to attract the curious again because there's something new for the mind to sink its teeth into.
Actually, one can drop the word "controversial" from the above: any story is off topic once it has been repeated to saturation level. But it's only the controversial stories that people feel compelled to keep bringing up past that point.
The saturation threshold for repetition is far lower than people who feel strongly about a story think it is. That is, curious readers get bored and tune out far sooner than partisans imagine.
It's not that such topics are unimportant. Usually they have large importance, which is why people feel strongly about them. Rather, this rule has to do with the HN community's limited ability to function within its values. Once we get out of the functional range of curiosity, the needle goes into the red, and discussion reduces to two sides firing at each other from fixed positions. It's not in anyone's interest for HN to host such degenerate discussions, because the more we do that here, the more we condition the site to have more of this, instead of the curious conversation it actually exists for. Keep in mind that flamewars are the default end state of an internet forum; curious conversation is not. So they aren't sideshows that have no effect on the main attraction—they are actively poisoning it and hastening its decline.
Each of us has at least one topic that activates us and throws us out of the curiosity range, so the only long-term solution is to learn as a community to manage these reactions consciously in ourselves, and not let activation energy propel us mechanically into posting.
https://news.ycombinator.com/newsguidelines.html
I hadn’t realized how deeply effective the intelligence efforts to re-polarize people on this topic had been, and walked into a minefield entirely on accident. I thought my comment was uncontroversial, but I was mistaken. Sorry for the inconvenience.
Is there an edit button?
Live with the scars.
Because they want to pretend it's ok to have zero encryption and that's much harder if facebook and others say it's not.
Because passing an actual law to actually ban it would take effort and they're lazy
Because there is a non-zero chance they can't really ban it, at least not without banning a lot of other things like e-commerce and online banking, so a gentlemans' agreement to keep 95% vulnerable is much more manageable.
Because in at least some of the jurisdictions it might not be legal ("constitutional" in the US, "in accordance with the European convention on human rights" in the UK etc) to force these things by law.
Your comment is partially correct, it is the Home Secretaries, past and present, who have been routinely told by the civil servants to tow the anti-encryption line, which goes back to RIPA 2000 and even further back. In essence it is GCHQ who are asking and they understand encryption perfectly well; since they can't ask directly, hence the role falls upon the relevant minister in government to do it.
This will once again become a hot-button issue as outlined in the Queen's speech. The Tory Party is also switching from Whatsapp to Signal ─ make of that, what you will.
https://www.theregister.co.uk/2017/07/10/former_gchq_wades_i...
https://www.theguardian.com/politics/2019/dec/17/tories-swit...
A Conservative spokesperson said the real justification for their MPs to use Signal was operational, rather than for security reasons. With so many Tory MPs elected at the last election, it had become impossible to fit them all in a single WhatsApp group, because they are currently capped at 256 members.
I wondered if telegram has some feature where you get an alert if someone screenshots the window (I seem to remember snap chat had this?). Do you know?
† A parade is an assembly of some sort; it may or may not involve a march past or route march.
Good luck with that. /s
Go and ask that, you'd be surprised.
Look at me, I can write a technically true but biased question too!
Why "to catch terrorists"? There are lots of crimes and even civil matters for which this is useful.
government will archive and index everything you ever write, film and record to search for evidence of:
Watching illegal movies, Smoking weed, Not paying all your taxes, Antisocial behaviour, crossing a red light?
Please note that I'm not supporting the govts position - just supporting their methodology of not rushing to legislate.
By convention governments set aside a small amount of time for measures from individual MPs, most of which will be debated but proceed no further if they're at all controversial. A lot of such business will be scheduled for Friday, this way almost everybody can go home. The Speaker (or whichever deputy has to stay on Friday) will claim to hear dissent after a bill is discussed before it can pass, and because there seems to be dissent the house must be divided in order to count supporters for each side of the matter. In doing so it will be "discovered" that it is inquorate (ie there aren't enough members present) and nothing is done.
Lady Chatterley's Lover in 1960 was an example. The Government had just written a law (in 1959) clearly saying you mustn't publish obscene stuff. As a generality this seemed very supportable. In the specifics it struggled, was this novel obscene merely because it was about fucking? Because it used words that would be familiar to readers, such as "fuck" and "cunt" precisely because they were words about fucking? The government made its case but jurors concluded the publisher was not guilty. If obscenity meant anything, it apparently did not include literature about fucking. The government gave up and no similar trials were conducted.
The thing about End-to-end encryption is that you can't see inside. So your test case ends up being we weren't able to see inside this message, we want to know what's inside it. And in the course of the trial the jury are likely to discover that either the contents of the message were in fact mundane and uninteresting or that nobody in fact can prove beyond a reasonable doubt what they were anyway, whereupon all the exciting stories about terrorists or shadowy figures preying on children evaporates and the question is just: Is it right that the government wants to pry into everything you do? And a jury is going to say "No".
The idea of an independent judiciary sounded good in the UK, and so they actually built one‡, but they didn't get the memo from America that the independence is supposed to be a thin pretence - so the judiciary actually is independent and they can't trivially unwind that (though leaving the EU will mean at least nobody can tell them not to try any more).
‡ For many years the courts of England & Wales were independent from the British Government but they didn't look it because the ultimate court of appeal actually worked out of the Palace of Westminster where the Parliament is, and its judges were technically "Lords" in the Parliament, so it _looked_ superficially as though there was no separation. All the actual independence was a matter of convention rather than being visible. This appearance was fixed by giving them a new name (the "Supreme Court") and a Supreme Court building, a short distance away from the Palace so now they look as independent as they actually were anyway.
I personally am a fanboy for E2EE. But in democratic countries the majority rule so what could be done aside from educating the majority?
The message from the tech industry needs to be very simple and digestable. No going on and on about how you can't backdoor E2EE because that's bad design or implications of letting them have backdoor access,etc.... If it was up to me the counterpoint message would be
"Yes, Lawful intercept should be a thing since the people want it but there have been severe violations both by governments and criminals alike where they used existing weakness that allowed lawful intercept for unlawful dragnet surveillance with absolutely no repercussions. Therefore, even if a lawful intercept backdoor was in place, history has shown it will be used for unlawful ends and as such E2EE is merely preventing illegal interception. If the people's will is truly to allow access to their communication then individuals should be forced to install software on endpoints that facilitate interception,much like e911 related software is by law mandated to be installed in a way that is very hard to remove."
That said, I hope FB burns!!! (the company,not their people).
This is absolutely the case. You're going to have to do a hell of a lot of work to begin to explain to most normal people why end-to-end encryption is even possible, let alone why you may think the Government should not have a right to decrypt. It's going to seem completely reasonable to almost everyone except your friends.
True, when I pointed out how the bottom of the slippery slope of backdooring looks like, it wasn't much appreciated. I'd rather assume it's not because so many HNers are pro-snooping but rather pro "righteous" snooping. "Ours" vs. "theirs" even if it probably degenerates towards the same end result.
"If we do not get this right then the impact on the safety of our citizens, and our children, will be stark."
If only they were that worried about the environment and global warming.
It also makes it easy to retort to those who would oppose it: "then you don't care about our children, you must be a monster!"
In reality, anyone who truly cared about our children, and indeed future generations, would see the dangers of mass surveillance and strongly oppose it on those grounds.
A bit astounted they try to stop one of the only decent thing FB is trying to push for instead. What a world we live in.
1. It's trivially easy to write a communication service that end-to-end encrypts using modern libraries (in my case, Go). The encryption part took about a day to build, without me needing to understand any of the maths I was using. I haven't had any penetration tests on it, yet, but I understand that Go's encryption libraries are all tested and the implementation (plumbing them together) is pretty simple and hard to get wrong. So even if FB gives the security services some way of reading messages, then the bad people can have their own tool within a few days.
1b. There are other services, not as popular, that provide solid end-to-end encryption already (hello Keybase), that the bad people can use immediately. This is not about stopping the bad people from encrypting their messages, this is about getting access to what everyone else is saying.
2. It's already practically infeasible for a communications company to implement end-to-end encryption without breaking existing laws (mostly about copyright). Facebook's "end-to-end encryption" on message content will have to include a copyright content filter in order to not be targeted by the copyright legal industry, and the incoming EU legislation on implementing content filters on any service that can share content.
All this points at this not being about terrorists and protecting children, but at it being about mass surveillance of civilian populations. It's notable that of the "five eyes" participants, it's only the US, UK and Australia who have contributed to the open letter. These three countries are the most keen on mass domestic surveillance (in the West anyway).
Thank you.
Still hard are verfication processes, for distributing certs/public keys and some secure memory handling if you want to protect the unencrypted message on the local machine in some way.
The hard part then shifts to the logic:
1. Ensuring the protocol doesn't allow accidentally leaking the data to an adversary somehow.
2. Ensuring the data is secured on the endpoints (the phone) - making sure the keys are secure and can't leak, and making sure the data is only decrypted when needed and for the time period it's needed.
Not that this is easy to get right either. But with crypto being an essentially "solved" problem, we get to spend more time ensuring those bits work properly.
Many governments are reluctant to just attack their own citizens 24/7. It's a bit too blatant. So they're obliged to try to attack most communications retrospectively.
Suppose I am an intelligence analyst and I just figured out that murderous terrorist Jenny Smith sent instructions for planting a bomb to another member of her cell on Saturday at 11:42:05 precisely using let's say Signal. I have a copy of the IP packets sending the instructions. I have essentially unlimited resources to dedicate to the task. And Jenny didn't even have a reliable way to assure herself she was sending the instructions to the right person. Surely I can do something? Right? Nope. I'm screwed. Since I wasn't actively attacking Jenny back when it happened, she got the right keys, and I can no more decrypt these IP packets now than I could travel back in time and stop her sending them.
People get new phones all the time. If I've done a secure key exchange with you, and then you get a new phone, how do I know you're the same person after? Do you move key material between phones? Or do you get your old phone to sign the public key of the new phone?
What if I got a new phone because I lost my previous phone? Do I just repeat the handshake from scratch with everyone? This is very important, because people losing their phone is pretty common. If there's an "it looks like so-and-so got a new phone" dialog, any user with enough friends will see it pretty frequently. People will get used to tapping "ok". And then an active adversary can attack them, by pretending to be a new phone.
In the other direction, say I do use my old phone to sign my new phone's key, and then later my old phone is stolen. How do I tell people that my old phone isn't me anymore? Do I publish another signature of some kind? How do I make sure that all my contacts receive that signature? Does this part require trusting the server to send messages faithfully?
But since you're a Keybase person let's consider Keybase's compromises in particular, do they mean Jenny's bomb gets found? What can I determine: Who Jenny sent the message to? The contents of the message? Don't you consider that a pretty bad screw-up considering what your users expect?
> do they mean Jenny's bomb gets found?
No, private messages are private like you expect.
> What can I determine: Who Jenny sent the message to?
Yes, as with all end-to-end encrypted chat apps, the server knows who is talking to whom, because it's responsible for routing. Even if you consider a message service based on Tor, an attacker who controls the entire network can often figure things out by looking at sender and receiver timing.
> The contents of the message?
No, but you can see the length. Again this is true of all all end-to-end encrypted chat apps.
> Don't you consider that a pretty bad screw-up considering what your users expect?
You might be misunderstanding how Keybase works. You're right that Keybase messages are not forward-secret by default. (Forward secrecy is available, however. Keybase calls these "exploding messages".) In part, you could call this a usability decision. But it's also related to the fact that Keybase lets you have multiple devices on your account. When you sign on a new device, it would be kind of weird to be in all these conversations where you have no view of the message history. On one device, you can scroll back, but on the other device, you can't? Most users wouldn't understand why, and they'd consider it broken. (You could implement a history transfer protocol, but it's easy to imagine how you could wind up in a partially-transferred state by losing WiFi at the wrong time. Also there's no way for adding a new device from a paper key to transfer chat history.)
Forward secrecy also gets more complicated when you consider multiple devices. The typical Signal ratchet setup is designed for each user having a single device. You can treat multiple devices as separate participants in a conversation, but that doesn't work well if one of my devices is "in the drawer". If I never turn on that old laptop for months at a time, do we keep encrypting every message for its current key? Do we still have forward secrecy in that case? At what point do we evict it from the conversation? Exploding messages are a better solution for this problem, but they're also not a great default for most users. (For typical messages, you generally want them to still be there if I don't read them for X hours.)
Anyway, enough about forward secrecy. You were asking about security. Keybase solves the key distribution problem in a totally different way from other end-to-end apps, by having you use social media to prove you own your key. There is no TOFU. And because there is no TOFU, there are also no routine dialogs telling the user "oops, this person lost their phone, we need to renegotiate keys." Instead, a full account reset is a big deal, and it breaks lots of things. As it should! Otherwise, adversaries in the middle can pretend to be me and act like I've reset my account. All end-to-end apps are vulnerable to this absolutely practical attack, except (to my knowledge) Keybase.
Forgive the wall of text :)
It's a motivating example. You don't want to help Jenny and neither do I, but if the technology actually works that shouldn't matter, we have no discretion. If we have discretion in protecting Jenny, you can be assured that the governments sending these open letters will lean on that discretion for everybody, not just Jenny.
> No, private messages are private like you expect.
That's very confident considering the later caveats you introduce.
> Even if you consider a message service based on Tor, an attacker who controls the entire network can often figure things out by looking at sender and receiver timing.
Do you think humans (this is a service for humans) need sub-second delivery accuracy? No? So, why would you ensure this when as you realise this just helps an adversary? By throwing away everything better than second precision you make essentially no difference to the user experience but you mix everything up into 3600 events per hour that all have lots of indistinguishable participants.
> No, but you can see the length. Again this is true of all all end-to-end encrypted chat apps.
Again this is a service for humans. You can _choose_ to send exactly 1326 bytes over the wire out of some desire for brevity, but for humans padding everything to the nearest whole packet (~1500 bytes) greatly improves their privacy at essentially zero cost.
> If I never turn on that old laptop for months at a time, do we keep encrypting every message for its current key?
Well do you? My understanding is that in the Keybase design the answer is "Yes" and so most likely your confident "No" earlier will be wrong. Somewhere I can probably find keys that let me read Jenny's message and I am motivated to search for them.
> Exploding messages are a better solution for this problem, but they're also not a great default for most users.
Keybase's exploding messages are greatly fictionalized for the user experience. It reminds me of Mission Impossible. What the user sees is the message vanish instantly after a short timer, like a tape seemingly consumed in flame before their eyes on the TV show
https://www.youtube.com/watch?v=8VQfhyDP6vw
The reality is more like making Mission Impossible, the visual effect is achieved in a separate shot and pasted on, you could actually trivially recover the message for some time after it "explodes" across a variety of devices which each have their own keys. A month or two later the message is gone largely because nobody cares any more, not because it really "exploded" as depicted after just a few minutes.
> Keybase solves the key distribution problem in a totally different way from other end-to-end apps, by having you use social media to prove you own your key.
So, given my involvement with the Ten Blessed Methods (the means by which a Certificate Authority decides that ycombinator.com is really ycombinator.com in the Web PKI) you might expect me to be very sympathetic to this approach. But I'm not.
It ends up as a very woolly "Web-of-trust" type system and we know humans don't reason about those well. The technical argument may be "You can be confident that this Keybase account is controlled by someone who also controls the oconnor663 account on Hacker News or by someone who controls Hacker News itself or by someone at Keybase" but the human understanding is invariably just "This is Jack O'Connor" which is... misleading if I'm generous.
Forcing humans to do in person verification if they care, and allowing them to just not care is, in my not at all humble opinion, a better choice. I am very confident that messages from Al are really from Al having verified that our Signal numbers match, and not in the least bit confident that messages saying they're from Carol...
This is worth clarifying because it's complicated.
What happens when the "fuse burns down" is that the server and all running devices delete the message immediately. This matches what the user thinks is happening, and it's what really matters in the vast majority of real world use cases.
Now, one of the recipient devices could choose not to delete the message, and there's nothing we can do about that. They could be running a modified version of Keybase. Or the user could just photograph the message. The exploding messages in small Keybase groups are in fact cryptographically repudiable, but almost no one in the real world knows what that means or cares about it.
More likely, the server itself could be compromised. It might be running evil code, or have a bug, or perhaps all its databases just get vacuumed up by a few different nation states. Who knows. So suppose the server side messages never get deleted. What's next? Like normal messages, exploding messages are end-to-end encrypted, so if the adversary never gets their hands on a recipient device, they can't read anything. Also like normal messages, if the adversary had a compromised recipient device before the message was sent, they can read everything, and there's nothing we can do about that. So the question is, what is their window to compromise a device after the message is sent?
This is where the ephemeral key schedule is relevant. An active device issues a new ephemeral key each day. Each ephemeral key is retained for a week after its successor key is issued. (So if a device goes offline for a few days, its current ephemeral key will have its lifetime extended by a similar amount.) So a typical active devices has an array of live ephemeral keys, with remaining lifetimes of 7 days, 6 days, 5 days... If I send an exploding message with a lifetime less than 1 day, I will use an ephemeral key with a day or so remaining. For a longer message lifetime, I will use one of the longer-lived keys. (In fact there is a hierarchy of user ephemeral keys and team ephemeral keys, but the idea is the same.)
If a device never generates a new ephemeral key for (currently as far as I know) 1.25 months, its active key expires with no replacement, and it no longer receives exploding messages at all. Thus each mothballed device exposes a limited window of exploding messages, and only if the adversary physically gets their hands on that specific device. If the device is ever legitimately reactivated, it will immediately delete all the expired keys.
I'm not sure what to make of your summary that "a month or two later the message is gone largely because nobody cares any more." Do you have any questions about the design I just described above?
> You can be confident that this Keybase account is controlled by someone who also controls the oconnor663 account on Hacker News or by someone who controls Hacker News itself or by someone at Keybase
Keybase cannot lie about about who controls oconnor663 on Hacker News, because each Keybase client independently fetches the proof from my profile. This is the whole point of the Keybase security model.
Now the Hacker News admins could post a proof as me, and maybe create some bogus 0c0nn0r663 account on Keybase to try to impersonate me there. But they can't replicate my GitHub proof, or my proof on jacko.io. Perhaps they register 0c0nn0r663 on GitHub too, and buy the jack0.io domain, and post lookalike proofs there. But at that point, if we're assuming that other users can be tricked by lookalikes, does it even matter that they compromised my real Hacker News account?
Which of these properties do you get out-of-the-box from Go’s standard library and/or libsodium? Almost none of them. The gap is enormous and not at all “trivial”.
So, yes, it is hubris for OP to state that they can build a competitive protocol in “about a day”, “without me needing to understand any of the maths”, by simply stringing together Go standard library calls. I think the engineers and cryptographers who work on Signal, Keybase, etc would have a good chuckle at the suggestion that this stuff is “pretty simple and hard to get wrong”.
[1] https://en.m.wikipedia.org/wiki/Signal_Protocol#Properties
I'm not building a competitor to Signal, so most (if not all) of that list is completely irrelevant for my application.
I'm also totally paranoid that I have, indeed, got some of this wrong. I'm trying to find people I can trust who know more about this than I do so they can look at my code and test my application. So far everyone I've approached to look at it has said it looks OK. I've come to accept that I'll never "know" completely for sure that this is bombproof, because there just isn't any single person out there that can verify that this is bombproof.
And, as Bruce Schneider puts it; security is not absolute, it's about delaying the bad people for long enough so you can catch them. Bank vaults are rated in hours (the number of hours that a competent attacker will need to get into the vault). No software implementation is 100% secure, but it can be secure enough to be useful.
But building a basic protocol out of Go's standard library building blocks is pretty simple, and hard to get wrong, for given values of "simple" and "wrong". These aren't absolute, and depending on your application, may be quite low.
This is not even remotely a foregone conclusion.
> but in the short run it will damage our ability to track how extremism is spreading
If the only way the intelligence community can "track how extremism is spreading" is by violating the privacy of everyone on the planet, then so be it. Liberty trumps security.
I took it to mean that using encrypted apps could potentially reduce the spread of extremism, by simple virtue of the fact that it's a barrier to entry?
It would be reasonable for police investigating such possible crimes to have more secure channels.
Edit: Someone else -- johnnycab -- already posted links further down to some of the reports: https://news.ycombinator.com/item?id=21863326
Lots of people comforted themselves that that law required the Home Secretary to send a letter to order any such collection, and they imagined her writing maybe a dozen letters on a busy day, something like "Dear Tiny ISP, please keep records for your subscriber Steve Smith who we suspect of being a pervert". People more familiar with the actual negotiations behind the scenes say the letters actually went "Dear large UK Internet Backbone provider, per this new law, please store absolutely everything until further notice"...
Do you believe it's impossible for an MP or any party's researcher to break the law? If not, they should be subject to the same oversight as all others on whatever service.
The numbers using the internal party communication channels will probably be in the hundreds. Not half the country then. I would have said exactly the same were it any party. The hypocrisy is risible regardless of who. Even, perhaps especially, the one I just voted for.
Since Magna Carta in 1215 the principle has held that every citizen, up to and including the sovereign is subject to the same law. Not every citizen except the current administration. Exceptions must be justified and are regularly tested in the courts.
You don't need to understand how ciphers work per se, but you do need to understand how to put the building blocks together and think about attacks, e.g. do you ever have the key in memory on your servers.
I love this picture; the data's encrypted, but with a bad mode of operation: https://upload.wikimedia.org/wikipedia/commons/f/f0/Tux_ecb....
I think to get a balanced perspective we should appreciate the dilemma & work done by the govt security people. Their job is to fight the terrorists, pedophiles, forced sex traffickers, and many other "very bad people" - which is easier said than done. In the future WMDs will become cheaper, easier to produce and more powerful, so the issue is becoming more acute. They understandably want better tools to increase their chances of success & reduce likely traumatic failures. They seem to be doing ok with terrorists in the West at the moment, but failing badly with the other categories.
The risk of abuses against everyday civilians are there and I don't have the solutions. But I would presume that the majority of people will trade off a significant reduction to their privacy for a slight increase in physical safety, so that will likely happen. Vastly improving the governance & oversight of the security agencies is one way forward. Otherwise when the next disaster strikes, the security agencies will rapidly make a successful grab for more power.
Why would their targets use Facebook for communication when there's many other existing platforms that provide this service.
Privacy isn’t about having “nothing to hide” it's about freedom.
As soon as your privacy is taken away, so is your freedom.
Saying privacy is unnecessary because you have nothing to hide is like saying free speech is unnecessary because you have nothing to say.
Should we let people yell fire in a crowded theater?
Is freedom from fear a fundamental right? How fundamental?
Privacy yields to safety as free speech yields to safety...
For some time now, we’re no longer designing protections from probable harm, but theater abating improbable fears.
You can yell 'fire' in a crowded theater; if there is indeed a fire, it's fine — you're trying to help alert people to a dangerous situation. If there is not, and you cause a panic that results in injury to others, you could (should imo) be liable.
The US Supreme Court has a litmus test around when the line is crossed. Logically, there must be a balance to ensure one's rights do not infringe on another's, and when there is conflict, how to resolve it. In the case of party A threatening violence on party B, the line is if there is an imminent threat ('fighting words' — inciting an immediate attack), A is in the wrong. Otherwise, no 1A issue. It's much more difficult to prove in the case of stochastic speech targeting a person or group (eg Said before an audience: '$target is bad. Would be a shame if something happened to $target.' Implying someone in earshot should take care of it.).
I also want to highlight that free speech doesn't mean free of consequence — it only limits govt censorship. You can say what you want, but you may: incur financial loses (eg job or contract losses, boycotts), be ridiculed or shamed (ie become a pariah), be denied access to private properties / venues / events / forums (including web sites such as Twitter or Facebook), etc.
https://xkcd.com/1357/
https://www.wdbj7.com/content/news/School-takes-away-bathroo...
Let's turn it around. Imagine if law enforcement were completely unable to enter any home, even if they had a warrant to search it and reasonable suspicion that there was incriminating evidence inside. Anyone could do anything they wanted and as long as they kept the evidence inside their home there would be nothing law enforcement could do about it.
The arguments in favour of there being some way for law enforcement to be able to search messages when they have a warrant to do so are certainly worth considering, and (for what it's worth) I feel the sentiments in the open letter strike a good balance; but, I also feel that what they want is, currently, impossible without compromising security for everyone.
This meant mail or anything else carried by these vessels was fair game. Encryption really is a new level of privacy for international communications.
Because the kids pedophiles target are also there. Just like the easily manipulated teenagers are there for extremist instigation.
The letter does not concern the overall prevention of E2E encrypted communications (obviously unfeasible). It is about predatory and abusive crime settings that take place in online communities, of which Facebook is the largest one.
I am all in for the right to privacy and freedom of personal information protection. But if we go down that road we just as well should discuss the basic limits of freedom in any (offline) democratic society (ie law). I would not want to answer such a question, because it is much more complex than the usual "protect our freedom" privacy advocacy makes it look like when you consider law enforcement as a fundamental role of governments.
Surely the hard part of eliminating child abuse is the acting on information about the whereabouts of pedophiles? That is hard part, the non-scaling part, the bit where real people have to go and make arrests and free the children and find a safe place for them to stay for the rest of their childhood.
Compared to that, finding the people swapping child abuse imagery online sounds rather easy, even when you can no longer look at individuals' messages.
Absolute idots. Cryptography benefits _everyone_, and this bullshit is at the expense of everyone.
Also British government: https://en.wikipedia.org/wiki/Rotherham_child_sexual_exploit...
Pardon me for not trusting them too much.
Priti Patel is probably the worst so far. There's a pretty shocking video of her arguing with Ian Hislop (editor of Private Eye) that we should reinstate capital punishment. So this isn't exactly surprising.
First, Facebook is already used by pedophiles despite the lack of E2EE. 2500 arrests for child abuse last year according to the letter. An example is given of a pedophile identified through his messages with an 11 year old girl. With E2EE enabled he would not have been identified at that time.
Secondly, the letter highlights that a major problem is the combination of open profiles of children with E2EE messaging. This does not apply to any service, mainly Facebook and similar platforms.
Don't get me wrong, I am overall in favour of E2EE, and I share the usual cynicism about the government's intentions.
You can make the argument that although absence of E2EE does help identify pedophiles more easily, in the balance it is more important to enable E2EE to protect privacy.
But you should not make the argument that absence of E2EE on FB would not help identify pedophiles more easily, because this letter provides evidence that it actually does.
Why not ask politicians to put forward regulations that makes it mandatory for companies to make parental control accessible and usable? But of course that won't do. Parents should have no responsibility beyond giving the kid an iPad or a smart surveillance device.
https://play.google.com/store/apps/details?id=com.facebook.t...
Of all the criminal activity out there, I would guess the largest proportion comes from (b). You could argue that if you could eliminate one category of crime, it would be better to eliminate this one than the crimes committed by group (a).
I still think FB should implement E2EE because of the costs to the third group (c).
You're correct in what we should NOT argue.
Now, the problem with "in the balance" between security and privacy is that when in fear society will quickly go for patriot act.
It's curious how we, as a society, can't find a simple, true and incontestable argument in favor of privacy. The only one I know is that it is a fundamental right.
But still this argument is a little too abstract for most people.
What is the source for this?
Do you have a link for more context?
on the other hand, second link on this paragraph is not found (https://www.gov.uk/government/publications/five-country-mini...)
This would take the wind out of the government's argument and would have a reasonable basis in common law's differential treatment of adults and minors.