[Closed] Terrorism

What about if you noticed that the door on your local postbox was being left unlocked? Or your neighbour was going through your post?

...or a funny echo on your phone line?

Anyway, just as I'm sure most of the people calling for a ban on encryption are also ardent supporters of Trident, I'll use your argument against you: you can't uninvent it.

The fundamental problem is it is difficult to fight against a cause, especially one where its followers believe death is something beneficial to them and expect to die.

As well as a previous declaration that this type of action is haram (albeit as noted before, with no overall leader of the faith it's always interpretations by scholars / Imams and you easily find another who'll say it isn't)

From the BBC website:

"Muslim leaders refuse funeral prayers for attackers
Posted at 7:21
The Muslim Council of Britain, the UK’s largest Muslim umbrella body, has published a letter condemning the recent attacks in London and Manchester and calling on British imams to refuse to perform funeral rites for the perpetrators

More than 130 imams and religious leaders from an array of Muslim denominations signed the letter, agreeing together to refuse to perform the traditional Islamic funeral prayer for the attackers, a ritual the MCB says is “normally performed for every Muslim regardless of their actions”. "

I've wondered on this. If religion or faith is strong enough to make people do these things in its name, is this kind of denouncement capable of countering it, that you won't get your proper funeral and therefore won't get your trip to paradise either.

It sounds barbaric (it was middle ages after all) but executed criminals were either buried in unconsecrated ground or their bodies sent for dissection by surgeons, with the belief that would punish them for eternity. Is there a modern day equivalent?

@dragon. Waitwhat? What just happened?

[img] [/img]

The end-to-end encryption thing is a bullshit red-herring. That Facebook and Twitter (to name two) can't even police the shit that is on their public websites should show how hard it will be to stop people using technology in whatever way they want; for good or bad.

We use encryption to move sensitive data around outside our data centre. Moving a list of users and passwords? Encrypted passwords are stored anyway but then we encrypt any data dumps before they're transmitted for ANY purpose (i.e. backups in our other DC). If you want to retrieve any data from the DC, you do it over a VPN. Banning all of those things would make YOUR data far less secure as any time we wanted to migrate your email services from one DC to another, we'd have to send your unencrypted password around. Our clients use encryption to store your private data (including credit card data); if that goes then so does your protection there too.

People have absolutely no idea how much of their personal privacy is protected by stuff they seem to think that only terrorists need.

People have absolutely no idea how much of their personal privacy is protected by stuff they seem to think that only terrorists need.

So what?

The Muslim Council of Britain, the UK’s largest Muslim umbrella body

Which apparently represents less than 2% of British Muslims if this poll is accurate [url= http://www.ibtimes.co.uk/british-muslims-have-rejected-muslim-council-britain-its-time-wider-society-did-same-1594628 ]
[/url]

So what?

It's also a technology so well put out there that you can't put it back in the box. If you think you can please let us all know and see how long before somebody laughs you out the room.

Anyway, just as I'm sure most of the people calling for a ban on encryption are also ardent supporters of Trident, I'll use your argument against you: you can't uninvent it.

You can sure as hell make unauthorised possession and use illegal though - which gives you a nice easy way to take the baddies out of the loop (Al Capone principle)

You can sure as hell make unauthorised possession and use illegal though - which gives you a nice easy way to take the baddies out of the loop (Al Capone principle)

It's also a technology so well put out there that you can't put it back in the box. If you think you can please let us all know and see how long before somebody laughs you out the room.

I know exactly what it is however it comes down to trust and the price that people are prepared to pay for increased security. You can laugh at my naivety if you want but I trust that with some judicial oversight the technology to decrypt messages should be available to the security services. (lets not forget that owners of this technology who may be driven by commercial motives could do this) Of course there is a risk that this could be used for the wrong reasons but that risk already exists and I dont have a tinfoil hat.
People fall on each side of this fence.

It's also a technology so well put out there that you can't put it back in the box. If you think you can please let us all know and see how long before somebody laughs you out the room.

Encryption isnt one homogeneous thing that once cracked remains cracked! New encryption techniques are being delivered all the time. The decryption of say Whatsapp or apple messages means access to the techniques that they are using, not some "one off" code! it means access in principle the algorithms are probably changing frequently.

You can laugh at my naivety if you want but I trust that with some judicial oversight the technology to decrypt messages should be available to the security services.

Which apparently represents less than 2% of British Muslims if this poll is accurate

Interesting. Encouraging, even. So what 'body' represents the view/s of the other 99%? The Guardian? The Mail? The Sun? anti-Muslim Youtube comments? Wait, it's chewk innit?

Or could it be...that...British Muslims...aren't ... The Actual Borg TM?

People fall on each side of this fence.

People might.
However all the people with even a bit of expertise fall to one side only.
Get rid of secure encryption eg that which is unlikely to broken in less than a few hundred years, and you have undermined a large part of the current economic system.

You can laugh at my naivety if you want but I trust that with some judicial oversight the technology to decrypt messages should be available to the security services.

Bullshit. Encryption with backdoors is inherently weak and requires the agreement of the software creator to build in. Terrorists engaged in attacks like we've seen over the last few years are happily trading their lives for a handful of "our" lives so going to jail for not handing over the encryption keys or using prohibited software is hardly going to register. These are not illiterate goatherds attacking us, they have access to a modern skillset and are expert in subverting "harmless" technology for their use so it's not beyond the realms of chance that they would have their own software engineers creating versions of software that SEEM identical to those that are licensed (in your new world) but that are not.

After 9/11 the NSA/GCHQ etc were all concerned about Al-Qaida using steganography to disseminate info and communicate with their followers. 16 years later, little has changed, just the medium.

Then I write my own, I create my own encryption key, use a one time pad, do any number of things that the officials don't know the key for. Windows 10 comes with encryption for the hard drive, which countries security services should have the key? If I buy a copy in the US would MI5 have the key? Would China or ****stan have the key?
Who gets to intercept and read messages sent across borders? The sender or receiver or both?

When you have as many users as Apple or Whatsapp or you become a person of interest then you may get a knock on the door, until that happens I suspect the security services wont be arsed what you do.

However all the people with even a bit of expertise fall to one side only.
Get rid of secure encryption eg that which is unlikely to broken in less than a few hundred years, and you have undermined a large part of the current economic system.

Thats just gibberish

Encryption with backdoors is inherently weak and requires the agreement of the software creator to build in

It has a "backdoor" by definition

These are not illiterate goatherds attacking us, they have access to a modern skillset and are expert in subverting "harmless" technology for their use so it's not beyond the realms of chance that they would have their own software engineers creating versions of software that SEEM identical to those that are licensed (in your new world) but that are not.

Who is saying they are? I'm certainly not. I think its a stretch to say they have "software engineers" who could develop an encrypted end to end technology of their own. If they could they wouldnt use Whatsapp.

surfer - Member
It has a "backdoor" by definition

Really, how so?

I think its a stretch to say they have "software engineers" who could develop an encrypted end to end technology of their own

Admittedly I went to university to study software engineering but at university one of my peers created an encrypted end-to-end plugin for the messaging software we used. In his first year. The thing is, it doesn't have to be unbreakable, it just has to be unbreakable for long enough to carry out an attack. PGP is still pretty secure and there are enough forks of it out there that you'd never be able to stop people using it.

The thing is, it doesn't have to be unbreakable, it just has to be unbreakable for long enough to carry out an attack.

Good point. There is no Silver bullet and any way of combating these threats will be multi pronged. In principle I have no real objection to security services having (strictly controlled) access to all of my data/communications.

. In principle I have no real objection to security services having (strictly controlled) access to all of my data/communications.

Are all of those under UK judicial control?

If there is a hole all will get in, sorry to break that to you. These companies work across borders so who gets access to what?

What would the FBI do with my comms data Mike?

surfer

In principle I have no real objection to security services having (strictly controlled) access to all of my data/communications.

You might not. But you have to consider what happens when they have access to all of everyone's data. Then "they" start to build models to influence public opinion based on that data. To win elections, modify policy, change cultures.

We absolutely need encryption today because without it we are leaving our door unlocked and sending an open invite to millions of thieves. As our lives are increasingly lived online the need for this encryption will only increase.

Anyone figure out what causes terrorism yet? If not, any final offers? Or shall we call it?

But you have to consider what happens when they have access to all of everyone's data. Then "they" start to build models to influence public opinion based on that data. To win elections, modify policy, change cultures.

That really is "big data" do you realise how much inane trivia they would have to trawl through to build any meaningful model? How many videos of cats they would have to analyse?
As a person who would fall into the "of no interest" category I am unconcerned.

Oh bless... What would the Iranian government want with it? If there is a state approved hole every state will want it. We have policies for not disclosing or discussing certain aspects of technology with some countries - some of which actively want to spy on people.
How about a foreign government snooping on out civil services personal lives? Its not just a hole for the UK government it puts all comms in the public domain.

I would just go back to using Pay as you go 2G phones

What would the Iranian government want with it?

Well that was sort of my question, do you have an answer? What value would my calls, txts and family pics on whatsapp be to the FBI or the Iranian Government?

it would very easy to send messages across forums like this one, with no need for encryption, just a series of commas in the wrong places on chosen key works to issue instructions date.time.locations and a Grammar nazi type response to show it has been acknowledged.

in fact theres' a few posters on here who I have my suspicion's about!

Many people do value their privacy for a lot of reasons. You want to put a massive hole in comms platforms in order to catch people who as pointed out will just swap to something else.
It might sound all awesome and ground breaking but it's not a useful idea. Go look up one time pads...

surfer

That really is "big data" do you realise how much inane trivia they would have to trawl through to build any meaningful model? How many videos of cats they would have to analyse?

They don't have to trawl. Algorithms would scan the contents of your messages for keywords, bulletpoints, relevant names and other associative words. It'll also be monitoring your twitter, facebook and youtube habbits to anticipate which way you might vote, what things might get you to vote one way or not another, or discourage you from voting at all, all the while guiding you down certain paths that you are oblivious to being led down.

As a person who would fall into the "of no interest" category I am unconcerned.

This is actually happening already and it's a real threat to the concept of democracy and more broadly "freedom". It's not "your" personal info that is the issue, it's the potential for massive coercion.

Many people do value their privacy for a lot of reasons

I get that and that and we all have to balance our perceived security against the invasion of our privacy. I can only claim to speak for myself. You made a few sniffy comments in your previous posts but you dont seem to be able to explain why the FBI or Iran would want to view my comms?

If there is a state approved hole every state will want it. We have policies for not disclosing or discussing certain aspects of technology with some countries - some of which actively want to spy on people

Hang on. In one breath you are saying once the genie is out of the box everybody will share the data and in the next breath you are saying this doesnt happen now because of "policies"?

Algorithms would scan the contents of your messages for keywords, bulletpoints, relevant names and other associative words. It'll also be monitoring your twitter, facebook and youtube habbits to anticipate which way you might vote, what things might get you to vote one way or not another, or discourage you from voting at all, all the while guiding you down certain paths that you are oblivious to being led down.

Yes I get that however the volume of data and the processing power required is huge and that would be diverted from something else. If people are posting political comments on Facebook saying they support UKIP then I dont think you need to investigate every other part of their comms network to find their political leanings! In terms of determining how people vote for example why not just ask them?

Hang on. In one breath you are saying once the genie is out of the box everybody will share the data and in the next breath you are saying this doesnt happen now because of "policies"?

I get that and that and we all have to balance [b]our perceived security[/b] against the invasion of our privacy.

What if we tell you it's a going to be awesome, the government can read what it wants and the rest of us can keep our privacy.

Why would the UK be the only country with a back door key?

Well according to you we create a policy?

What if we tell you it's a going to be awesome, the government can read what it wants [s]and the rest of us can keep our privacy[/s].

Your missing my point (and refusing to answer my question) I dont believe I will keep my privacy I am saying:

A: I am of no interest so no security services will waste scare resources investigating me
B: I "trust" that my "private" information will not be accessed by anyone but professionals who's aim is to keep us safe.

You may not Trust the security services and I have my concerns but in my view that is a risk I am prepared to take.

I'm 54 and have lived my life happily with end to end encryption for the vast majority of it

You've never bought anything online? Never used Internet banking? Never visited any website that starts with https:// like, oh I don't know, STW's login page? I don't believe you.

We have had this argumebt on here before. I was calling fir an wnd to uncrackable encryption 2+ years ago.

I'd have hoped you'd have listened and learned something in those two years but no, it's like having a discussion with a bunch of grapes.

I think its a stretch to say they have "software engineers" who could develop an encrypted end to end technology of their own.

Here you go. RSA key generation in three lines of Perl.

[code]#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)[/code]

Granted it's not the most readable piece of code in the world, point is that encryption is not difficult or complicated, it's big numbers and multiplication. Once you've worked out how to ban maths, get back to us.

jambalaya - Member
@dissonance

Lets start with what is not licenced, Telegram, WhatsAp, Facebook, email services. Banks can send approved encrypted messages, police, government. It would be a short list

I'm 54 and have lived my life happily with end to end encryption for the vast majority of it

We have had this argumebt on here before. I was calling fir an wnd to uncrackable encryption 2+ years ago. The companies use it to make money and to cover their arses as "we cannot read any messages so cannot be held responsible for the content"

Point 1, You aren't even trying to hide your fascist tendencies any more?

Point 2, Do you really think what you are asking for is possible? Do you believe the uk has world wide control over the internet? The US doesn't even have it.

Point 3, I guess you'll not mind PMing me your password details for your bank and credit cards? Sure, they'll be available soon enough.

Point 4, Do you really think the "back doors" will only be available to government sources?

Point 5, Are you mental?

A: I am of no interest so no security services will waste scare resources investigating me

B: I "trust" that my "private" information will not be accessed by anyone but professionals who's aim is to keep us safe.

No your missing what I said, it's 2 different things.
One we have things in the UK we don't want to share.
Two why would the rest of the world not want their own back door.

You may not Trust the security services and I have my concerns but in my view that is a risk I am prepared to take.

If the benefit is only perceived why is it worth it? What does it actually do when all the terrorists go somewhere else or old school? Will we get our privacy back?
Nobody has given a solid case for why more intrusive surveillance is needed, or what it will deliver. Like the idea of giving the police lots of guns, what does it do?

Here you go. RSA key generation in three lines of Perl.

Then why are they using Whatsapp?

B: I "trust" that my "private" information will not be accessed by anyone but professionals who's aim is to keep us safe.

Stick your email address in here.

https://haveibeenpwned.com/

Which is rather foolish

Its not foolish. Its a choice.

Stick your email address in here.

Why?

Why?

No reason... <whistles>

surfer - Member

Then why are they using Whatsapp?

mostly the same reasons why i use whatsapp...

the point (which you missed*), is that encryption isn't hard. you can't really force Whatsapp to build in a backdoor.

(*whoooosh! doesn't really cover it)

surfer

Yes I get that however the volume of data and the processing power required is huge and that would be diverted from something else. If people are posting political comments on Facebook saying they support UKIP then I dont think you need to investigate every other part of their comms network to find their political leanings! In terms of determining how people vote for example why not just ask them?

I feel like you are looking at this from the wrong perspective. It's not about knowing the political allegiances of people who have declared their political allegiances, it's about coercing people who haven't made up their minds.

Example - Trump's campaign claims to have directly targeted black male voters in certain swing states, not to get them to vote Trump, but to character assassinate Clinton and demotivate them from voting. This was done using Facebook data targeting people based on their personality types using tailored websites for specific types. Facebook won't reveal who was targeted, or what material was sent to them, and Trump's campaign won't reveal it.

Previously politicians could make broad arguments on TV or radio. They could lie but their lies were public, and subject to public scrutiny or analysis. Now we are in a era where politicians can craft a lie designed to appeal just to you, something that they already know concerns you, or will work on you, and there is no moderation as to whether it's true or false. And what's more you can't even tell who targeted you with this information, you don't know anything about them, nor do you know what they know about you.

Are you sure you are of no interest? What if you set up a business that is competing against a foreign governments pet company. Be a minor disadvantage if they could have a quick look at your emails and trade secrets wouldnt it?

Do you really think Email is secure now?

What if you manage to pick up a mildly embarrassing medical condition and the doctor gets hacked?

Ooh yes thats secure.

Like the idea of giving the police lots of guns, what does it do?

Make Ninfan types tumescent

Then why are they using Whatsapp?

Because they can. And if they couldn't, they'd use something else. And if there was nothing else commercially available, they'd undoubtedly create something. This is the point:

It's.
Not.
Difficult.

Take any open source IM like, say, Telegram (and there are loads of others) and you've got the code right there. If we were to ban encryption tomorrow, how do you then block people who just use the current version rather than the newly hamstrung one? You can't for all practical puposes, the genie is not only out of the bottle but has necked half a bottle of Jack and is dancing naked on the tables.

surfer - Member

Here you go. RSA key generation in three lines of Perl.

Then why are they using Whatsapp?

Stick your email address in here.

Why?

Its not foolish. Its a choice.

It's a choice to be foolish.

Why?

To find out how secure your data is with those people you trust.

Do you really think Email is secure now?

https://switch.egress.com/ui/learn/

(Or PGP, GPG, ProtonMail, a supporting cast of thousands...)

Next question?

I have no objection to law enforcement agencies having controlled, legal, access to communications.

I do object when that access comes at the cost of weakening protection against illegal access.

A backdoor is open to anyone that has a key, regardless of whether you let them have it or not. The government need to realise this.

If you criminalise encryption, all you do is ensure that only criminals use encryption 🙂

It's.
Not.
Difficult.

It's also not difficult for the NSA or GCHQ to identify encrypted emails and communications (just a lot more difficult for them to crack them open) - guess what, if possession and use of the software without a licence becomes an offence, then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don't they?

If you criminalise encryption, all you do is ensure that only criminals use encryption

Precisely - sending around encrypted communications becomes like waving a big red flag, doesn't it? Just like all those people using Tor magically started getting nicked for things - because it flagged them as being up to no good.

you will see where your data has been breached already by people exploiting holes and backdoors in security that you want to introduce more into.

But one minute you are saying we shouldnt make this security available to the security services then you are saying the data is already out there. I am finding it difficult to follow your logic.

A backdoor is open to anyone that has a key, regardless of whether you let them have it or not. The government need to realise this.

Exactly. And I'm going to keep banging this drum until it gets into people's ****ing skulls, the WannaCrypt outbreak is a perfect example of why it's a bad idea.

You want compromised encryption, you get WannaCry. No ifs, no buts, no whataboutery, it is that black and white I'm afraid.

Do you really think Email is secure now?

It is if you secure it.

There are easy ways of encrypting personal emails. SQA used to insist that all exam related information was encrypted with PGP before emailing - not sure if they still do.

You can also encrypt specific tunnels so all traffic is automatically encrypted. That's how our work internal email works if it has to pass over public networks (i.e. from one site to another).

ninfan - Member
It's.
Not.
Difficult.
It's also not difficult for the NSA or GCHQ to identify encrypted emails and communications (just a lot more difficult for them to crack them open) - guess what, if possession and use of the software without a licence becomes an offence, then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don't they?

you seem to under the impression that hackers won't run circles around the government?

Cougar you are showing your naivity. I know you are a techie so tell me, do you know the admin password for your Email server? Do you know the O365 admin password for domain? How well are these secured in your organisation. If the security services wanted to access data what method would they use?

It is if you secure it.

Yes it may be encrypted in transit, and even at rest however when the recipient forwards it on or prints it and leaves it on the printer then the information is hardly secure is it?

It's also not difficult for the NSA or GCHQ to identify encrypted emails and communications (just a lot more difficult for them to crack them open) - guess what, if possession and use of the software without a licence becomes an offence, then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don't they?

It's not difficult to recognise something you can't read. It's several orders of magnitude more difficult from looking at the data alone to ascertain whether it's an email or a WhatsApp message or a VPN tunnel or someone buying Network Security for Dummies off Amazon because - and I can't believe I'm actually having to type this - it's ENCRYPTED. It's not an "encrypted email" or an "encrypted communication," it's encrypted data.

Sure, there's other tells. Port numbers give you a clue, but they're easily changed. Source and destination endpoints might tip you off - a connection to Amazon is probably going to be Internet shopping. Probably. Unless a rogue Amazon employee sets up a VPN endpoint in their address range. But that'd never happen because as we've already established, we all "trust" Amazon.

Yes it may be encrypted in transit, and even at rest however when the recipient forwards it on or prints it and leaves it on the printer then the information is hardly secure is it?

surfer - Member

you will see where your data has been breached already by people exploiting holes and backdoors in security that you want to introduce more into.

But one minute you are saying we shouldnt make this security available to the security services then you are saying the data is already out there. I am finding it difficult to follow your logic.

I can see the problem here you really have no idea do you. Stop trying to combine different points.
The link shows you where people have had breaks or problems with existing exploits - like government imposed back doors and peoples info has been leaked.
Saying that encryption is bad because people have already been compromised by bad security makes no sense at all.

then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don't they?

Cougar you are showing your naivity. I know you are a techie so tell me, do you know the admin password for your Email server? Do you know the O365 admin password for domain? How well are these secured in your organisation.

The latest exploit that hit the NHS
https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?_r=0
Leaked from the NSA, so imagine all the backdoor keys get leaked what next?

Because they can. And if they couldn't, they'd use something else. And if there was nothing else commercially available, they'd undoubtedly create something. This is the point:

No the point is inconvenience and disruption. As I said earlier having access to Whatsapp wont stop this violence and there is no silver bullet but it is easily available and secure. Once it is not secure they may eventually find another way but unless it is on the app store it will be disruptive. Try getting your users to generate a more complex password and see the havoc it causes!!

Do you really think Email is secure now?

No, email is like sending a postcard you have to assume anyone can read it, not least because they can end up in court cases unexpectedly. I have a colleague who corresponded with someone engaged in a civil suit in the USA. All of those emails because they loosely touched on the matter of the court case ("Hey mate, how's business" sort of thing) have become public. There's nothing in them as such but one does have info about his family, where he's going on holiday etc. Nothing top secret of course.

The thing is though, email COULD be secure if you wanted it to be. I could easily install some software on my computer and send emails completely unreadable to anyone but the intended recipient (assuming they have the relevant software and keys).

Unless a rogue Amazon employee sets up a VPN endpoint in their address range. But that'd never happen because as we've already established, we all "trust" Amazon.

Try getting your users to generate a more complex password and see the havoc it causes!!

I used to regularly crack all login passwords when I was a network admin. If your password was cracked in under 5 mins, you had a new one inflicted on you by me. The thing is though, it's not the same thing is it. I'm sure someone who is contemplating an attack that will kill both their targets (randomly chosen or otherwise) and themselves can probably be bothered to install software; it's not like they are lacking commitment.

I know you are a techie so tell me, do you know the admin password for your Email server? Do you know the O365 admin password for domain?

I used to, but I don't any more. Though there isn't "the" password, rather the people who administer the Exchange server and our O365 service have the privileges assigned to them in order to do their job. Administrative rights are given out on the basis of Least Privilege as per best practices and we have a strong password policy enforced via Group Policy.

If the security services wanted to access data what method would they use?

A warrant / court order, I would expect.

Yes it may be encrypted in transit, and even at rest however when the recipient forwards it on or prints it and leaves it on the printer then the information is hardly secure is it?

Not forwarding on sensitive data is a user training issue. Email can be secured but "regular" email is of course insecure. Anyone dealing with sensitive data outside of the organisation should be provided with means of doing so securely.

As for printouts, when we print something it goes to a central server, nothing is actually printed. The user then goes to their nearest printer, swipes an ID card, and can then choose which jobs they want printing. There's a secure paper bin next to each printer for unwanted documents. If they don't get collected then the jobs get deleted after a period of time (24 hours I think). Leaving things on the printer never happens - well, I suppose it's technically possible, but you'd pretty much have to wilfully do it.

And it's whataboutery anyway, printouts aren't emails. My bank card PIN is secure, but it won't be if I post it in a forum post.

Saying that encryption is bad because people have already been compromised by bad security makes no sense at all.

Thats not what I am saying. You are contradicting yourself in the same paragraph. The point of Email security was raised as being secure. The point is the data in transit and at rest may be, so the medium is secure, but if you send it to every member of your organisation by accident then only an idiot would consider it secure because it was secure in flight!

Signal uses something not dissimilar to get round censorship. Not sure of the finer details but uses domain fronting to bounce the message from google.com to their internal google appservice address.

More or less correct; it's using a hidden (within the header) server address which Google's services resolve but isn't visible in clear as it's part of the HTTPS header. Anyway, not relevant. However, there's also the concept that one man's terrorist is another man's freedom fighter. Whilst we can probably all agree that attacks like in London or Kabul are evil, once you get down to people in North Korea, Myanmar, China etc struggling against the government, where do you draw the line?

Should people who just want basic freedoms also be forced into the glare of sunlight as, sadly, they not only have something to hide from their governments but their governments may well torture or kill them for the info these tools help them hide.

Thats not what I am saying. You are contradicting yourself in the same paragraph. The point of Email security was raised as being secure

I literally have no idea what you are on about now but you should be put in charge of the case for this. It would be open and shut in 5 minutes.

All you want to achieve is about 10 minutes of disruption before it moves onto something else.

then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don't they?

Only if the security services can tell who they are.

surfer - Member
Once it is not secure they may eventually find another way

Are we measuring eventualities in nanoseconds? 😆

only an idiot would consider it secure because it was secure in flight!

At university a security researcher from IBM told us that the only secure computer was one disconnected from a network and power, buried in a lead-lined concrete box where the person burying it had died or been killed. And even then he reckoned it was at best only "a bit" secure as inevitably someone would find it sooner or later. Anything with humans attached is insecure by nature, it's just about being secure enough for long enough (see also declassified top-secret docs etc).

[b]Edit[/b] - that doesn't mean we shouldn't try though 🙂

No the point is inconvenience and disruption.

To whom? The only people who will be genuinely inconvenienced are the likes of you and me. Well, you at least.

Once it is not secure they may eventually find another way but unless it is on the app store it will be disruptive.

This is what you're not getting. It really won't.

I can get the source code for an open-source cross-platform messenger app [i]right now.[/i] I can get the Android .apk for Telegraph and stick it on a pendrive somewhere. If you banned secure messaging tomorrow and somehow managed to nobble all the existing clients (and good luck with that), anyone with half a clue about programming would be up and running again in minutes.

Try getting your users to generate a more complex password and see the havoc it causes!!

Apples and oranges, but complex passwords are easily enforceable. You make it too complex though and people just write it on Post-Its. Passwords are pretty poor as security measures go, as always the weak link is people. There are better options, 2FA for instance, and there's always biometrics (which is what I use on my work laptop) though they come with their own unique set of issues.

then the unlicensed people sending encrypted communications around start to stick out like a sore thumb, and come under extra scrutiny, don't they?

Despite the fact that you're missing the point that encryption has many legitimate and legal uses which are beneficial, I won't address that becasue it's obvious you're (others aren't) willing to forgo those uses...

BUT

Even if it were outlawed/licensed/backdoored/whatever then covert messages can still be sent using myriad steganographic methods in un-encrypted forms* so if your goal is to 'catch naughty people' you'll still fail miserably, with the added kick in the goolies of removing all the legal and legit uses.

Bravo, that's what's known as a lose-lose scenario.

*and even in the clear using methods that aren't 'watched'

attackers

yes, but doesn't mean that someone is not going to bury them

Their remains will be disposed of certainly. But funeral rites are often down to custom and culture, the Imans refusal to say prayers for them is symbolic. It would only require muslims somewhere pray for them. There will be no shortage of their supporters world wide doing that :(. In any case it's Allah's who decides who goes to heaven, people can't change his will (as they believe )

I can get the source code for an open-source cross-platform messenger app right now. I can get the Android .apk

Yep you would have you disparate group of contacts in different continents up and running in no time 😀

Apples and oranges, but complex passwords are easily enforceable

Enforcable in a heart beat, watch the chaos

Yep you would have you disparate group of contacts in different continents up and running in no time

What does it tell you when a load of people tell you the massive problems with what you propose and still you don't listen - sick of experts?

You are too incoherent Mike.

As an expert are you able to tell me why the FBI and Iran want my comms data yet?

Yep you would have you disparate group of contacts in different continents up and running in no time

I'd expect that in the months between the government banning encryption and every IM company on the planet making their apps compliant, the terrorists might just be able to find fifteen minutes to deploy whatever they're replacing it with. If they've half a brain between them then they'll already have a contingency plan or twelve lined up.

Are you labouring under the impression that disabling secure encryption is as simple as going "yeah, you can switch it off now"? This isn't the movies.

Even if it were outlawed/licensed/backdoored/whatever then covert messages can still be sent using myriad steganographic methods in un-encrypted forms* so if your goal is to 'catch naughty people' you'll still fail miserably, with the added kick in the goolies of removing all the legal and legit uses.

Indeed. People have been using encryption for as long as we've had writing. Roman legionnaires used to encode messages by writing them on material wrapped round their staff - the only* way to decrypt it was to wrap it round another identical staff at the other end.

(* - clearly this isn't the "only" way, it's not the most secure of cyphers. But it was probably sufficient to stop the casual observer.)

Your attempts to stop it will not work.
There are literally hundreds of ways around it.
It will only cause more problems for people doing nothing wrong.

Read the NHS Hack link, the NSA had a back door, they let that out/lost it. Then a load of other people have your information. Who cares if they want to read it or not they don't get access because some idiot politician wants to make a headline.