GCHQ Calls for Encrypted Chat Access and Vulnerability Confidentiality

AlphaAtlas
The GCHQ, the hub of the UK's surveillance program, recently published a piece in Lawfare that calls for "virtual crocodile clips in today’s digital exchanges," among other things. While the agency isn't advocating weak encryption, they do want law enforcement to be a "third end" in end-to-end encryption. That piece also calls for greater transparency and partially condemns the hoarding of security vulnerabilities for "lawful hacking." However, that same day, another part of the GCHQ published a blog post arguing that vendors shouldn't necessarily be notified of security vulnerabilities. While the two posts are talking about vulnerabilities in different contexts, they seem to be calling for policy changes in opposite directions.

So, to some detail. For over 100 years, the basic concept of voice intercept hasn’t changed much: crocodile clips on telephone lines. Sure, it’s evolved from real crocodile clips in early systems through to virtual crocodile clips in today’s digital exchanges that copy the call data. But the basic concept has remained the same. Many of the early digital exchanges enacted lawful intercept through the use of conference calling functionality.
 
I said it before, I'll say it again. If you're a terrorist-pedo, think of the children - won't someone please think of the children, just plan your activities off the internet... I don't think investigators get up from their desks these days.
 
I prefer alligator clips. They can keep their damn crocks...maybe they'll come back and bite them.

If I had anything I wanted to hide, I'd just write a simple xor program using parts of text copied from out of the many books I've downloaded as the key (and not hard to remember)...they might guess the key, but by then I'd have been dead 10000 years at least. Easy enough to make all the files look currently accessed. Maybe a quantum computer could zip through it faster, still take a long time to try enough combinations. Of course all they'd find on my computer (that couldn't be found elsewhere) are some games, books, movies, programming software and some pretty mild porn so I don't care.
 
Gubment officials are always in favor of such schemes, until they are turned on the Gubment officials. When will they learn?
 
They should really know better than this - you can't have a "third end" AKA Backdoor and have it be strongly encrypted or viable for privacy. While there was certainly meddling before with Carnivore and other SIGINT stuff, since 9/11 the Patriot Act and similar laws/policies passed in other countries have greatly exploited tragedy and fear, thus allowing a window for the worst parts of these agencies to expand surveillance and general intrusion into the lives of citizens. It's bad enough that in the US anyway we lose privacy to corporate interests and their stooges in governments alike because of splitting hairs such as the 4th amendment wasn't written at a time when anyone could conceive of the Internet; we need to have new privacy laws implemented top to bottom to handle the modern, global society. For instance, this GCHQ data is important because as a Five Eyes member, they're not just a partner but a real easy loophole so that American agencies only supposed to be collecting foreign sources by law can simply rig up their networks so that the NSA collects from the UK and then gives it to GCHQ, while GCHQ spies on the USA and shares it with the NSA etc! All of this massive surveillance complex does very little for actual security and even its hypothetical benefits are not acceptable in the massive trade-off of rights, privacy, and lifestyle required, in my view anyway, not to mention the other costs including financial.

This is just another reason to be sure to use Free/Libre Open Source Software (F/LOSS) whenever possible, especially for things like encryption. There are lots of smarmy corporate greaseballs who are trying to exploit people's concerns about security and privacy online with halfassed, proprietary services, but a bigger issue is how the latest generation seem to depend on a very few monolithic, corporate, proprietary sites or programs! Microsoft, Amazon, Google etc... but by far the worst are social media/communications platforms such as Facebook and Twitter. Moving to Linux from Windows or even giving up Amazon or Google can mean a significant reorganization for many reasons, but the sole value of Facebook and Twitter is that of their userbase, making it an easier switch - it's just a matter of making it to the critical mass of popularity.

If we care about privacy, security, and anonymity when desired it's worth it to move away from all of these when possible, but restructuring the next phase of social media adoption is one of the easiest and best things we can do; early movers will be needed to help drag the rest over once we reach critical mass! For social media and messaging, the F/LOSS programs are equal or superior to proprietary offerings, so start making changes. Instead of Facebook, use Diaspora or Friendica. Instead of Twitter, use Mastodon. Instead of SMS/MMS use Signal. Instead of Skype use Signal, Wire, or Matrix.org / Riot etc... instead of Discord use Matrix.org / Riot or Mumble etc.

There is a long way to go and we have to assume that corporate interests, and the governments that remain under their control for the time being, will continue to act as they do. While we should absolutely push for laws to be changed, and new voices demanding progress, Net Neutrality, and turning away from fear of "pedos and terrorists" should be encouraged and elected, we can also take technical and cultural steps ourselves in our own little ways.
 
i read the headline.. looked at the pic and thought.. what does the apple campus have to do with this.. then thought.. well.. apple is in a key place to spy on chat/calls LOL



it is interesting how the 2 places do look alike with their big round building
 

What, you don't like the all-seeing eye motif?
 
Evildoers Alice and Bob meet at their secret hideout and generate a 1Gig one-time-pad. Each carries it on a tiny fob and uses trivial software to encrypt and decrypt their communications.

Meanwhile poor Joe Everyman has just discovered that his bank account has been wiped clean due to the unintended use of a backdoor.
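The Alice-and-Bob scenario above, and the earlier post about XORing files with text copied from downloaded books, both lean on XOR encryption, so here is an added example (written for this thread, not code from the original post or from GCHQ) that shows what actually makes a one-time pad unbreakable and what breaks it. The pad must be uniformly random, at least as long as everything ever sent, and each byte used exactly once; text from a published book is a running-key cipher, not a pad, and reusing pad bytes cancels the pad out of the ciphertexts. The names Alice, Bob and the sample messages are constructed for the example.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the only primitive a pad needs)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(nbytes: int) -> bytes:
    """A pad is only a one-time pad if it is uniformly random.
    secrets.token_bytes draws from the OS CSPRNG; book text would not qualify."""
    return secrets.token_bytes(nbytes)


def otp_encrypt(plaintext: bytes, pad: bytes, offset: int) -> tuple[bytes, int]:
    """Encrypt with pad[offset:offset+len(plaintext)] and return (ciphertext, new offset).

    Tracking the offset is what enforces 'one time': the caller must store the
    returned offset and never encrypt from an earlier position again.  Refusing
    to run past the end of the pad prevents silent wrap-around reuse."""
    end = offset + len(plaintext)
    if end > len(pad):
        raise ValueError("pad exhausted: generate a new pad, never reuse bytes")
    return xor_bytes(plaintext, pad[offset:end]), end


def otp_decrypt(ciphertext: bytes, pad: bytes, offset: int) -> tuple[bytes, int]:
    """Decryption is the same XOR against the same pad slice."""
    return otp_encrypt(ciphertext, pad, offset)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted with the same pad bytes, then
    c1 XOR c2 == p1 XOR p2: the pad cancels and only the plaintexts remain.
    This is the classic failure mode and needs no knowledge of the pad."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_other_plaintext(c1: bytes, c2: bytes, known_plaintext: bytes) -> bytes:
    """Given one of the two reused-pad plaintexts, the other falls out directly:
    (p1 XOR p2) XOR p2 == p1.  In practice a few guessed words suffice."""
    leak = pad_reuse_leak(c1, c2)
    return xor_bytes(leak[: len(known_plaintext)], known_plaintext)


if __name__ == "__main__":
    # Constructed demo: Alice and Bob share a fresh random pad.
    pad = generate_pad(64)
    p1 = b"meet at the hideout at noon"
    c1, next_offset = otp_encrypt(p1, pad, 0)
    print("round trip ok:", otp_decrypt(c1, pad, 0)[0] == p1)

    # Correct use: the second message continues from the returned offset.
    p2 = b"bring the fob"
    c2_ok, _ = otp_encrypt(p2, pad, next_offset)

    # Misuse: the second message reuses offset 0, i.e. the same pad bytes.
    c2_bad, _ = otp_encrypt(p2, pad, 0)
    print("leak equals p1 XOR p2:", pad_reuse_leak(c1, c2_bad) == xor_bytes(p1[: len(p2)], p2))
    print("recovered from reuse:", recover_other_plaintext(c1, c2_bad, p2))
```

The offset bookkeeping is the whole discipline of a pad: the "trivial software" in the post is trivial only if it never hands out the same pad bytes twice, and the size of the pad bounds the total traffic it can ever protect.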
 
Vulnerability hoarding is a significant threat to all industries. Look at what transpired by not releasing information about the SMB exploitation and loss of the ETERNAL toolkit (looking at you NSA). Other significant players in the industry need to step up like Microsoft did in terms of publicly roasting governments for this practice. We the consumers can then continue to roast Microsoft for their crappy patches and telemetry gathering.
 
the people who shot up the theater in France use double ROT13 encryption.

which is no encryption and you couldn't stop it.

fuck off will ya?
 

The problem with the FOSS approach is that you can only communicate with other FOSS fans. That's the greatest downfall of the likes of OpenPGP/Enigmail. Sure it works, if you only want to email other enigmail users. If you want to communicate with anyone else, your information is being harvested by someone. Trying to convince the non-tech savvy to care is a losing battle.

As always, society is dragged down by the lowest common denominators.


Thus, the only way to get full end to end encryption in our communication is to make it seamless and integrated into ubiquitous services. The problem is, then we face these kinds of issues. Either governments who want backdoors, or companies who want to harvest our private data for profit.

I just don't know what the solution is anymore. This battle for even a modicum of privacy seems so completely lost, it isn't funny. :(
 


OK, so you wrote a lot. Let me explain where you are wrong.

But I want to start with where I agree. I do agree, the laws need to be rewritten.

Now where you are wrong. The, "......... can simply rig up their networks so that the NSA collects from the UK and then gives it to GCHQ, while GCHQ spies on the USA and shares it with the NSA etc!", is complete and utter bullshit.

Look, the USA certainly classifies information with releasability markings deciding what we will or will not share. But we don't "rig up our networks" with anyone, not even Jolly old England.

And as much as you and others seem to think that the focus is anti-terrorism, well it might be the flavor of the day, it's not some prime motivator nor is it a needed excuse for anything that the Military is doing relative to intelligence collection. That activity was going on long before 9/11 or even the Cold War or the birth of the USA for that matter. It's a very old game and although some methods get created as technology and inventiveness allows, the players are no different and the moves remain the same. Find out as much as you can while giving up as little as possible.
 

When I said "rig up their networks" I did not specifically mean physical networks as if there was a "Hey GCHQ, plug into our Access Everything In The USA Port" or vice versa - I meant the entire network of intelligence sharing. Both official statements as well as leaked documents show that the policy of intelligence sharing is present especially across mission aligned allies; in the case of the Five / Nine / Fourteen eyes this includes a significant amount of material especially what we think of as part of the current surveillance complex (ie non specific or general gathering as opposed to targeted etc). In the case of when it would come up to a legal challenge for one of these nations if one of these intelligence agencies operated in a certain way within their borders, the sharing becomes a convenient sidestep a la "It's illegal for me to look at mine, but not look at yours. So if we look at each other's, and share the result, we're staying within the letter of the law". This is one of many reasons it is important for say, US citizens to be aware of what's going on in the UK or Canada etc.... not just out of ethical concern, but because it could impact them as well in our increasingly globalized world.

I'm not speaking in relation to the military, but rather the civilian agencies but I agree that terrorism is not the real underlying motive and that's my point - the problem is that it is used as the frequent justification for the expansion of powers. I'm not saying that things I find shifty, unethical etc.. didn't happen before; yes there are whole chapters of the history of intelligence but what that means on a practical level, especially to the average person, has changed immensely with globalization and especially the Internet. The problem is that powers that be (or rather those who want more power and are willing to exploit the situation to do so as just "playing the game" ) harp on fear of relatively few things to justify intrusion. Yes in past days that was "Communists" (and was just as foolish as in the days of the Hollywood 10 and McCarthy) but recently - in reference to Internet privacy etc - it has been either "Pedophiles" or after 9/11 "Terrorists" . These are the boogymen that are so repugnant or scary that worrying about things like civil rights, privacy, or the law both written and in spirit are to be discarded. Room 614A, the Patriot Act, warrantless wiretapping, the commonplace use of FISA courts/warrants and overclassification not so much for security as opposed to embarrassment, even the development of Homeland Security and ICE (not related to the Internet discussion directly, but they did spring up very quickly at the same time) everything revealed thanks to leaks from sources major and minor alike etc... extraordinary power was normalized ostensibly as the only way to protect people from the big bad boogymen. And like we both agree, these powers weren't only used to go after terrorists nor were they put back in the box, repealed later.... both elements contrary to how they were sold to the public.

There's a danger in looking at it all as part of the same game which is a whole discussion in and of itself, but there used to be certain lines not crossed that have become increasingly brazenly done, justified, and given a veneer of legality. This is a manifold problem because not only do these things affect more people than ever before thanks to the entwined nature of the Internet in our lives today, but also because it justifies "easy" and frequent use for wider cases that never before would have been approved.
 


All I can say is that I have seen all kinds of "leaked documents" that people say "suggest", "prove", "show" all kinds of things. For example, that training slide that was supposed to show that the NSA co-opted Google's servers and networks in order to gain access to data when in fact, on the slide using Google's name was just a reference for a well known ISP for instructional purposes and not an instance of actual intelligence gathering or an operation that targeted Google. But then the idea is now firmly planted in people's minds, the NSA hacks Google. There is a wealth of bad info and false "knowledge" out there on this subject. Five Eyes is a releasability marking. It's used to mark information that we have deemed suitable to share with those four really close allies, the USA being the fifth Eye. It doesn't mean that we share everything with them. They also don't share everything with us.

The bulk meta-data program was not the first instance of bulk collection. The NSA has been vacuuming the electromagnetic spectrum for decades, since the late 50s; every single overseas phone call during the land line days was not just intercepted, it was recorded, every one between the USA and another country, recorded in its entirety or at least all that they could get from it. They were doing the same thing with the bulk meta-data program, it was against overseas calls; meta-data was actually far less intrusive than recording the entire conversation but whatever.

I've talked about all this stuff you mention, how there is no such thing as a "warrantless" wiretap. There is no legal official instance where a wiretap is required and not secured. There are wiretaps that do not require warrants, because the people being wiretapped aren't US Citizens. But what the hell, we'll just make it sound like warrants are being dodged.

Then there is the FISA Court rubber-stamping warrants ...... because the warrants were required post-collection and the identity of the person being collected on wasn't known yet. You find out after, that the person is a US Person, so you go get a warrant. The law never guaranteed a US Person would never have a conversation recorded, only that it wouldn't be done on purpose or without very good reason, and with oversight, a warrant.

Overclassification - what determines the classification of information? For the most part, it has nothing to do with what the information is. But it does have almost everything to do with "how the information was collected". It's not what we know, it's how we found out. Therefore, there is a great stockpile of information that is classified, despite the fact that the information is mundane or even common knowledge. You will find information for weapons systems in Jane's Book of Warships that is exactly the same as the classified version, so why is it classified? Because if we acknowledge that Jane's is right then we have told our enemies what we believe is correct, and therefore how we will plan, using that information.

Look, if you want to harp on the Government trying to justify everything with the latest "boogieman", then you also must at least recognize that those who fight all government power and intrusion will use this as their primary argument, "it's for the children, terrorism, etc" it works both ways. As usual, reality and the truth lies somewhere in between.

There are a great many people today who think they know what all this stuff is about and fact is, they do not. Their absolute ignorance on the subject means they have made flawed assumptions. They take individual instances and exceptions to the norm and form opinions that these rare exceptions are commonplace. They leave out key distinctions like the difference between Law Enforcement and Intelligence Collection activities when discussing the rules, for the rules for each are very different and for very good reason. They always make the assumption that everything that is being done or reported on is against US Citizens when often, it's not.

But I will agree on something else with you. Just like I agree that Privacy Laws need a new hard rewrite, I also agree that when the DHS was formed and its mission defined, when the mandates that different agencies share information were laid down, we certainly put our government into a position where errors are easier to make, lines are more easily crossed. The rules were in place to prevent a government from becoming a tyrannical being. They don't assume the government to be automatically tyrannical, but they do acknowledge that things can slide that way if left unchecked.

It's a struggle to maintain that balance between what the government needs to be doing, and what they shouldn't be doing. And just like it's in our own best interest to look out for ourselves, we need to not forget that it's also our government's job to help do that, particularly in matters that we as citizens don't have the capability to see happen.

"Don't throw the baby out with the bathwater" comes to mind.

The "communists" might have justified many things, but it wasn't without good reason. Just like people make fun about "The Dominoes not falling...." If you think no dominoes fell, you haven't looked at what happened in SE Asia after the US left Vietnam, Cambodia, Laos, and others to their own fate.

So we all know, the best lies are built upon truths and the lies do not make the truths untrue.

I don't say these things to shut you up, but to give you a perspective that you may not currently have. Your interest and involvement is not a bad thing, we need it, we really need it. I just want it to be tempered with reality because it does us no good to call out things that actually are not wrong. Instead we need to be focused on what is wrong so we can be clear and consistent in what we demand and that it is a just demand.

And I do so apologize for this book, it seems the only way I can deal with such a subject.
 