So the Tories (if/when elected) are to ban any communication that can't be monitored by the security services.
Does that mean that SSH (and 'secure' web pages) will no longer be allowed?
I realise this assumes that they don't already routinely intercept and decrypt all secure comms anyway but that's not the same as legislating to prevent secure comms in the first place.
Where have they said they are going to 'ban' secure communications?
They would simply perform man in the middle attacks on the traffic and you wouldn't know it was happening. No need to ban the tech when there are ways around it.
They would also just ask the companies running the secure systems to allow them access for things like iMessage and whatsapp that use an SSL system to secure their comms.
More useful to allow suspects to believe they are communicating securely, surely?
[url= http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-and-snapchat-could-be-banned-under-new-surveillance-plans-9973035.html ]http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-and-snapchat-could-be-banned-under-new-surveillance-plans-9973035.html[/url]
[i]The Prime Minister said today that he would stop the use of methods of communication that cannot be read by the security services even if they have a warrant. But that could include popular chat and social apps that encrypt their data, such as WhatsApp.
Apple's iMessage and FaceTime also encrypt their data, and could fall under the ban along with other encrypted chat apps like Telegram.[/i]
I understood that old Blackberry emailing was impossible to intercept, until of course some governments asked RIM to allow them access. Which they did.
I see.
It seems to be a well thought out and sensible policy, that will be extremely easy to implement and manage.
Put simply, no.
I would imagine the spooks have hooks into the ISPs such that they can see the raw data content of https data or can decrypt it anyway. The issue is for the messaging apps using encrypted comms where the datacentres are outside of the spooks' reach and using heavy duty encryption.
Snowden's leaks about Operation Bullrun suggest that NSA and GCHQ can read encrypted internet traffic with relative ease, possibly with the cooperation of companies like Verisign and RSA.
[url= http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security ]http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security[/url]
Man in the middle attacks don't work if the traffic is encrypted using the right method. That's the whole point of encryption.
You can't really "ban" this type of technology, there are always ways round any bans.
In practical terms the UK government might insist that encryption algorithms are nerfed so they are easy for the security services to crack - it's been done before
nice bit of sensationalised scare story
you will have to access your bank account via open wifi, non-SSL in future.
and all corporate full disc encryption on laptops will have to be unencrypted again. 🙄
all they can really implement is for things like snapchat to cache anything that's sent, and if it happens to be stored on an encrypted server drive somewhere, for those keys to also be made available.
I think there's already provision for that (at least for email, etc.)
What a silly idea. I don't expect Cameron to have a clue about this, but surely he has an advisor who does. If you're a terrorist wanting to communicate securely you can simply generate your own keys and encrypt your own email before sending, no need to use an app. They can make that illegal if they like, but exactly what do they make illegal and how do they enforce it?
great article here;
[url= http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html ]http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html[/url]
[i] This, then, is what David Cameron is proposing:
* All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept
* Any firms within reach of the UK government must be banned from producing secure software
* All major code repositories, such as Github and Sourceforge, must be blocked
* Search engines must not answer queries about web-pages that carry secure software
* Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services
* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped
* Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software
* Anyone visiting the country from abroad must have their smartphones held at the border until they leave
* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons
* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright [/i]
"Elect me! Free beer for everyone!!!"
If you just assume that all electronic comms is already compromised by the spooks then you probably won't go far wrong. It's all misinformation and disinformation to confuse the bad guys. PGP was an issue, then it wasn't. TOR is 'secure', but who really knows? The military designed it or had it designed so not beyond the bounds of belief that they can track packets across the network.
*dusts off old one time pads and buys stamps and envelopes*
I don't think it would matter much TBH...
Warrants would simply mean major ISPs/comms companies are required to provide decryption keys, or allow direct access to their systems for specific warrant backed monitoring activities, without the user's explicit knowledge...
It would probably just mean a subtle change to T&C's for certain things (if not already in place?) informing users that Google/FB/twitter/Microsoft/apple /etc will comply with any warrant backed requests for access to user's data without user consent or knowledge (beyond accepting the T&Cs) being sought... Accept the T&Cs and they're covered and the intelligence services get their legal access rights...
The main thing is of course that we can legislate all we like over internet / comm's use and monitoring here in the UK, but the interweb is global, and any services based overseas, or even over the channel, probably won't have to comply with our quirky domestic laws, they can apply their own encryption without being subject to British Warrants. That might be where it gets "Fuzzy"; UK authorities could intercept encrypted comm's traffic in the UK, and then break the encryption, but would then using that information to read the contents of an overseas server breach the laws of that host country? or international laws?
And could the UK ultimately be accused of "State sponsored cyber terrorism"?
Discuss...
PGP was an issue then it wasn't
Wait, is PGP compromised?
Well they tried to ban it then said it wasn't a priority so who knows
[quote=cookeaa ]I don't think it would matter much TBH...
Warrants would simply mean major ISPs/comms companies are required to provide decryption keys, or allow direct access to their systems for specific warrant backed monitoring activities, without the user's explicit knowledge...
As I mentioned above, the trouble is this would only affect ordinary people using encryption for legitimate reasons. The people whose comms he presumably wants to read won't be using ISPs for their encryption - the ISP etc. would only ever see encrypted traffic. You can make it illegal for people to do that, but how do you propose to catch them when they're using free wifi with spoofed MACs?
I wonder if it is time to send Cameron et al a load of encrypted e-mails (from anonymous accounts using free wifi etc. natch) and complain they are breaking whatever the new law might be - though I suspect there are probably several thousand uber nerds ahead of me there.
I suspect the banning of Snapchat would be to stop any more tories randomly sending other people pictures of their willies.
*dusts off old one time pads and buys stamps and envelopes*
I knew that old Enigma machine would come in handy
HKWM LVUB SCMH JBOS NZRT MYTP KVAL KMNJ WXYQ ELDO XHCH VTKR TKZZ YOHS WKBG BEPE TECQ GJAC XWBF PQMS KOZK TLTY FMUD FHVB RLHO SETE NLBJ SNCD TPDG OXPO AYZP BAPD XLKA DLPT DMIW FPPX ZCUM NCGF LBJK
[i]HKWM LVUB SCMH JBOS NZRT MYTP KVAL KMNJ WXYQ ELDO XHCH VTKR TKZZ YOHS WKBG BEPE TECQ GJAC XWBF PQMS KOZK TLTY FMUD FHVB RLHO SETE NLBJ SNCD TPDG OXPO AYZP BAPD XLKA DLPT DMIW FPPX ZCUM NCGF LBJK [/i]
well that's easy for you to say.
rusty - well that's no good without the plug and wheel settings, or maybe a spare u-boat and the weather report.......
I suspect the banning of Snapchat would be to stop any more tories randomly sending other people pictures of their willies
the value of snapchat is that Brooks "The pyjama willy" Newmark wouldnt have been busted as the pics apparently evaporate.
This, then, is what David Cameron is proposing:
Except that isn't what is being proposed at all, they've taken one phrase and taken its possible implications to an absurd level. What he's really talking about are legal changes to bring electronic communication to the same status as phone or paper communications. That has some serious problems of its own, but there aren't any actual proposals to ban open source OS's, or block Github. That's just hysteria.
that's also why I no longer read boingboing, too much student-reactionary bollox there now.
What he's really talking about are legal changes to bring electronic communication to the same status as phone or paper communications.
It's not illegal for me to use a one-time pad to send an encrypted letter. The only reason we don't send encrypted mail through the post is that we tend to trust the post more than the internet.
So no, this isn't bringing electronic communications to the same status as phone or paper, it's making them less secure.
It's not illegal for me to use a one-time pad to send an encrypted letter
yet, but I wouldn't be surprised if it becomes so soon at the current rate of progress of backward legislation.....
[quote=footflaps ]
It's not illegal for me to use a one-time pad to send an encrypted letter
yet, but I wouldn't be surprised if it becomes so soon at the current rate of progress of backward legislation.....
Which opens another can of worms. Would sending an email (or letter) which looks like this become illegal:
[code]uikdm wnpgy ncjlo wneia hegay qivnj[/code]
Prosecuted for writing gibberish - with a one time pad an encrypted message should be indistinguishable from that? (in theory it should be a lot easier to distinguish between gibberish and a message encrypted using other means of encryption than it is to decrypt the message)
You are already required to hand over passwords and or encryption keys on your arrest, so it's not much of a step to make encrypted messages illegal
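The one-time-pad point raised above (that a pad-encrypted message cannot be told apart from gibberish), as an added Python example that is not part of any post in this thread: for the 30-letter string quoted above, a pad exists that turns it into any 30-letter message at all. The two candidate plaintexts and all function names are constructed for illustration.

```python
"""One-time pad over a-z: why ciphertext alone proves nothing about content."""
import secrets
import string

ALPHABET = string.ascii_lowercase

# The string quoted in the thread (spaces are only grouping, 30 letters).
THREAD_STRING = "uikdm wnpgy ncjlo wneia hegay qivnj"

# Constructed candidate plaintexts, each exactly 30 letters (assumptions).
CANDIDATES = [
    "meetmeatthebikeshopatnoontoday",
    "thisisonlyashoppinglistforeggs",
]


def to_nums(text):
    """Map letters to 0..25, ignoring spaces and anything outside a-z."""
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]


def combine(text, pad, sign):
    """Add (sign=+1) or subtract (sign=-1) the pad, letter by letter, mod 26."""
    t, k = to_nums(text), to_nums(pad)
    if len(k) < len(t):
        raise ValueError("pad must be at least as long as the message")
    return "".join(ALPHABET[(a + sign * b) % 26] for a, b in zip(t, k))


def otp_encrypt(plaintext, pad):
    return combine(plaintext, pad, +1)


def otp_decrypt(ciphertext, pad):
    return combine(ciphertext, pad, -1)


def random_pad(length):
    """A pad must be truly random, as long as the message, and used once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def pad_explaining(ciphertext, wanted_plaintext):
    """Return the one pad under which ciphertext decrypts to wanted_plaintext."""
    if len(to_nums(ciphertext)) != len(to_nums(wanted_plaintext)):
        raise ValueError("candidate plaintext must match the ciphertext length")
    # ciphertext = plaintext + pad (mod 26), so pad = ciphertext - plaintext.
    return combine(ciphertext, wanted_plaintext, -1)


def all_explanations(ciphertext, candidates):
    """For each candidate plaintext, the pad that makes it the 'real' message."""
    return {p: pad_explaining(ciphertext, p) for p in candidates}


if __name__ == "__main__":
    # Every candidate is an equally valid reading of the same 30 letters.
    for plaintext, pad in all_explanations(THREAD_STRING, CANDIDATES).items():
        print(f"pad {pad} -> {otp_decrypt(THREAD_STRING, pad)}")
    # Ordinary use: fresh random pad, encrypt, decrypt.
    pad = random_pad(len(CANDIDATES[0]))
    ct = otp_encrypt(CANDIDATES[0], pad)
    print("fresh ciphertext:", ct, "round trip ok:", otp_decrypt(ct, pad) == CANDIDATES[0])
```

Because every same-length plaintext has a matching pad, the ciphertext by itself carries no evidence of which message, if any, was sent; this holds only while the pad is random, kept secret and never reused.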
Except that isn't what is being proposed at all, they've taken one phrase and taken its possible implications to an absurd level. What he's really talking about are legal changes to bring electronic communication to the same status as phone or paper communications. That has some serious problems of its own, but there aren't any actual proposals to ban open source OS's, or block Github. That's just hysteria.
Wot he said.
Usual headline trash, there was once a proposal that according to headlines required ISPs to record all traffic for recall, would have needed (on a rough calculation) a SAN the size of Belgium. Though disk sizes have moved on a bit since I heard that one...
So no, this isn't bringing electronic communications to the same status as phone or paper, it's making them less secure.
But the proposals [b]aren't[/b] about restricting the use of encryption, they're about allowing access to the material in order to decrypt it (and I think we can safely assume that NSA and GCHQ can already decrypt most stuff if they choose)
As that notorious right-wing Government propaganda sheet [url= http://www.theguardian.com/uk-news/2015/jan/12/david-cameron-pledges-anti-terror-law-internet-paris-attacks-nick-clegg ]the Guardian summarises it[/url]
His proposed legislation, which would be introduced within the first year of Cameron’s second term in Downing Street if the Conservatives win the election, would provide a new legal framework for Britain’s GCHQ and other intelligence agencies to crack the communications of terror suspects if there was specific intelligence of an imminent attack. Political approval would also be necessary.
Being as public key RSA style encryption is mathematically secure given a large enough prime number pair I don't think it has been hacked.
This statement smells of election fever, promising fantasy island statements by people who have no idea about what they are talking about.
But the proposals aren't about restricting the use of encryption, they're about allowing access to the material in order to decrypt it
Exactly - a OTP via post would be more secure than an online cipher that the police/MI5 could decrypt. It would make online communications less secure than communications via the Royal Mail.
Usual headline trash, there was once a proposal that according to headlines required ISPs to record all traffic for recall, would have needed (on a rough calculation) a SAN the size of Belgium. Though disk sizes have moved on a bit since I heard that one...
The proposal was six months of traffic information (not content data) to be stored… so that rough calculation needs to be reduced by many orders. Tories talking about reviving this again by the way. Crazy.
This statement smells of election fever, promising fantasy island statements by people who have no idea about what they are talking about.
It also positions Cameron on the same level as Ayatollah Ali Khamenei - as Iran have proposed the same according to [url= http://www.theregister.co.uk/2015/01/12/iranuk_in_accord_as_pm_promises_to_block_encrypted_comms_after_election/ ]El Reg[/url]
Even the Telegraph commenters can see some flaws in the plan;
[url= http://www.telegraph.co.uk/technology/internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-says-David-Cameron.html ]http://www.telegraph.co.uk/technology/internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-says-David-Cameron.html[/url]
I quite like the idea of sending any actual text in an email message as a jpeg that's displayed in a non machine readable format like Captcha's.
Back on topic… if you were to SSH into your own machine, and leave encrypted messages there for others to pick up… how would the security services unpick that? Physically grab the machine and insist on keys? They already have the laws to do that, if you are a suspect. Hell, if you are a suspect they can do just about anything, it's new powers to remove any methods of secrecy from non-suspects, ie everyone, that's the ongoing battle.
Ah, well that's easy - using encryption is suspicious, so that makes you a suspect.
They've used that logic before, with knife arches at public stations and the like. You don't have to go through the metal detector, they can't search you without reasonable cause, but refusing to go through the metal detector is reasonable cause...
a OTP via post would be more secure than an online cipher that the police/MI5 could decrypt.
So if you're really concerned about security send your OTP via email. It would be just as secure. The proposals are about giving 'them' the same legal access to emails etc as they already have to the post (or legalising what is already happening illegally, if Snowden is to be believed)
So if you're really concerned about security send your OTP via email. It would be just as secure
No, it would be less secure because they'd be scanning emails (so would know I'd sent a OTP message) but they're not opening and reading every item of post.
Oh, and a bigger, more fundamental point. I shouldn't have to be "concerned" about security, it should be a fundamental right available to everyone, not just people who can think up ways to get around the rules.
No, it would be less secure because they'd be scanning emails (so would know I'd sent a OTP message) but they're not opening and reading every item of post.
No suggestion in these proposals about routinely scanning every email. Are you referring to some different proposal in which this is suggested?
Anyway, if I really wanted to send something securely by email I'd use something like OTP plus steganography. Message below reads 'Smash the system, man'
[img]
[/img]
There's an election coming up, Cameron is lying through his teeth about everything and anything to attempt to convince the public to vote him back in. In amongst all that he throws in this absolute nugget about intercepting electronic communication. If there was any doubt before now about what a complete and utter tool he is then this should dispel things nicely. He actually believes that announcing he is going to monitor everyone and everything will endear him to the voting public.
More astute politicians would have waited till they were in for the next 4 years before waiting for a big event and then trying to slide it through, but not Dave. What a wally.
No suggestion in these proposals about routinely scanning every email.
Not following the Snowden leaks then?
Not following the Snowden leaks then?
Yes, closely. But I've also read what is being proposed closely (since it impacts directly on my business) so I know what it says, and what it doesn't say.
Criticise the govt. for illegal internet snooping by all means, but if you want to criticise a specific proposal then criticise what it says, not what you imagine it says.
probably do the same as last general election and pass some ludicrous things thru as legislation without the proper parliamentary consideration, in the washup
will end up as con-lib-lab negotiation of what they can pass, with an opposition "letting" the outgoing govt pass it, because they would be in no hurry to undo it if they should win.
well we can forget internet snooping;
[url= http://boingboing.net/2015/01/12/keysweeper-creepy-keystroke-l.html ]http://boingboing.net/2015/01/12/keysweeper-creepy-keystroke-l.html[/url]
[i]Keysweeper is a super-creepy keystroke logger disguised as a USB wall charger that piggybacks on GSM networks.
Its developer, Samy Kamkar, describes it as a "stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity."
It logs keystrokes online and locally, and the user can set up SMS alerts to be sent when certain trigger words, usernames or URLs are sent, to better identify passwords.
"If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring[/i]
*reverts to wired keyboard*
I read about that the other day. To be fair, it's a pretty unlikely attack to be a victim of in the real world. An attacker would need physical access to your machine, and at that point your security is already compromised anyway.
As a proof of concept though it's pretty impressive.
Rusty, the point was that emails etc can be, and are, opened and searched en masse, unlike letters, so encryption is needed in the digital world to even have parity of “secrecy” with normal post.
[quote=Cougar ]I read about that the other day. To be fair, it's a pretty unlikely attack to be a victim of in the real world. An attacker would need physical access to your machine, and at that point your security is already compromised anyway.
I think the whole point is that an attacker doesn't need to access your machine, not if you're using a wireless keyboard. You simply have to be persuaded to take in the Trojan horse.
Sorry, I skim-read that and thought it was something else (Thunderstrike). Ignore me.
Its developer, Samy Kamkar, describes it as a "stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity."
It logs keystrokes online and locally, and the user can set up SMS alerts to be sent when certain trigger words, usernames or URLs are sent, to better identify passwords.
"If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring
*reverts to wired keyboard*
Exactly. Or pretty much anyone else's BT keyboard.
I think getting stuck in the nitty-gritty of the exact implementation the law may take loses sight of the point.
I think the main things to be worried about are, vague lawmaking, and misuse of powers. For example "Seventy-seven councils who responded to a Freedom of Information request admitted using the Regulation of Investigatory Powers Act [introduced to help the police fight terrorism in 2000] to crack down on "domestic waste, littering or fly-tipping offences" in the last three years." (Sunday Telegraph, 2010).
God knows how the definition of this and further laws may be stretched especially as technology is constantly shifting and harder to pin down in law.
If we accept that terrorist attacks are going to continue to happen then should we also accept that every time they do, it's OK to slip a little more legislation in while the public are scared? Because that could keep going ad infinitum until we arrive in police state territory.
Finally I really believe that when we send information to our girlfriends, mothers, solicitors it should be a private communication between ourselves and them and we should be able to encrypt it to ensure that's the case. While I've no doubt I'm of the least interest to the government my business is my business not anyone else's to view as they please. I certainly don't want government employees freely reading my messages. If they suspect me they can get a warrant from our courts to get data from my ISP and make me give them my private keys. That way there is judicial oversight.
One of the Independent's comments struck me "I understand that some homes and apartments are built without government listening devices in every room. That makes the work of the police more difficult -- makes it harder to fight terrorism. Obviously this situation should be remedied." That's really not too far off it.
spot on
I think the main things to be worried about are, vague lawmaking, and misuse of powers. For example "Seventy-seven councils who responded to a Freedom of Information request admitted using the Regulation of Investigatory Powers Act [introduced to help the police fight terrorism in 2000] to crack down on "domestic waste, littering or fly-tipping offences" in the last three years." (Sunday Telegraph, 2010).
Bit lazy reporting. RIPA was not introduced to fight terrorism it was introduced to provide a legal framework for a number of activities that were not covered by any UK statute including surveillance to detect or prevent crime. Pre-RIPA a number of authorities undertook surveillance and other activities but there was no legal system of authorisation or review or legislation to govern this, RIPA introduced this. I suspect the LAs are using aspects of RIPA, possible surveillance or billing requests to investigate what they perceive to be crime because this is the legislation that covers these activities not because it is a handy fix.
This sounds easily enforceable and thoroughly thought through.
Bit lazy reporting. RIPA was not introduced to fight terrorism it was introduced to provide a legal framework for a number of activities that were not covered by any UK statute including surveillance to detect or prevent crime. Pre-RIPA a number of authorities undertook surveillance and other activities but there was no legal system of authorisation or review or legislation to govern this, RIPA introduced this. I suspect the LAs are using aspects of RIPA, possible surveillance or billing requests to investigate what they perceive to be crime because this is the legislation that covers these activities not because it is a handy fix.
Fair enough how about police abuse of section 44 of The Terrorism Act 2000, (now repealed) "More than 100,000 people were stopped and searched by police under counter-terrorism powers last year but none of them were arrested for terrorism-related offences, according to Home Office figures published today.
The statistics show that 504 people out of the 101,248 searches were arrested for any offence – an arrest rate of 0.5%, compared with an average 10% arrest rate for street searches under normal police powers." [Guardian 2010] My point is that any new laws need watertight definitions to stop the data equivalent of this.
I wouldn't worry about it. You can add it to the list of completely unworkable brain farts Cameron has come up with that will quietly get dropped or covered up by a new soundbite.
Someone will have a quiet word in Call Me Dave's ear and point out that governments - even Tory ones - can't ban maths.
Next week Dave will be harping on about EU reform again
This is all a huge over-reaction.
We faced far more serious threats from the Germans in WW1 and WW2 who killed a damn sight more people, not to mention a bit of N. Irish discord, and we didn't have so many attacks on our freedom from our own govt.
threats from the Germans in WW1 ... N. Irish discord, and we didn't have so many attacks on our freedom from our own govt.
Well, WW1 and pub licensing laws spring to mind.
And there was all that silliness about broadcasters not being allowed to transmit NI politicians words. Remember all those Gerry Adams speeches where they showed him talking and had to use the voice of an actor to overdub the speech?
somewhatslightlydazed - Member
And there was all that silliness about broadcasters not being allowed to transmit NI politicians words. Remember all those Gerry Adams speeches where they showed him talking and had to use the voice of an actor to overdub the speech?
Yup, but nowhere near as intrusive as what is being mooted.
and now to confuse things a bit more you can now use WhatsApp in a web browser on a PC
It would probably just mean a subtle change to T&C's for certain things (if not already in place?) informing users that Google/FB/twitter/Microsoft/apple /etc will comply with any warrant backed requests for access to user's data without user consent or knowledge (beyond accepting the T&Cs) being sought... Accept the T&Cs and they're covered and the intelligence services get their legal access rights...
As I understand it, from stuff I read when the whole issue of spooks snooping on online traffic blew up in the States, Tim Cook said categorically that even if presented with warrants Apple could not deliver the contents of personal messages sent from iPhones because the info (this is iMessage traffic, not email) is heavily encrypted/decrypted by the phones, and Apple has absolutely no means of accessing this traffic in any meaningful fashion.
This is similar to the Blackberry message system, I believe, which was why Crackberries were so popular with government and business types. And gangs and drug dealers...
Of course, most people would be using email, Whatsapp, Whatever; fewer would be using iMessage purely because it's device/OS specific, and thanks to revelations exposed by a certain ex-spook, terrorists have gotten wise and any laws passed to try to access electronic traffic is now subject to the Stable Door Principle, as the horse bolted a while back, and is thus entirely useless.
May the spooks enjoy hours of fun rummaging around in the murky depths of 4chan, 8chan, and the Darknet. 😀
Debate in the House of Lords on adding a 'snoopers charter' to an existing bill.
Quote from Lords who have put forward the motion so far;
[i]'VoIP makes "transmissions untraceable"'
"I don’t know what Whatsapp or Twitter are, but the terrorists do."[/i]
Good grief...
and another;
[i]Lord Blair: says mobile location data will disappear in a few years, endangering missing children[/i]

