Saturday, 24 January 2015

Radio 5 interview shows stupidity

There is an excellent radio 5 interview on the whole issue of banning encryption, well worth a listen.


There is a lovely quote in it from the so called expert that advises the government, Professor Glees.

"The government can require by law that software allows a back door entry in to it, that's a fact"

I actually laughed out loud at that, really. It is so funny, but somehow, it seems he was not joking.

Firstly, as Professor Glees may not understand it, I'll explain that software is just a set of instructions that a computer follows.

A lot of the software used for encryption is open source. It is published openly and it is written, reviewed ,and maintained by volunteers all over the world for no money. It means there is no person or company that the law can apply to. There is no door the police (in any country) can bash down and demand the software is changed or not distributed. There is no person you can lock up or fine. It is free, open, and has copies everywhere on the Internet. It means that the set of instructions are out there and exist and can be used by anyone with a computer. This software is secure by design and does not have any "back door entry in it".

But let's bring it back to basics. There are things called "books" which are something of which Professor Glees may have heard. These too can contain instructions which can be followed. They could be instructions one can put in to a computer, but there are instructions which don't even need a computer. There is a book published in 1882 on the subject for use with telegraphs, so this is not new.

I have a simple video showing how you can use one of the simplest but most secure means to send secrets [here], do watch. This involves following instructions, the very thing computers do. I wrote out a set of instructions in my blog post [here]. Both the video and my blog, and countless other books, web page, videos, and even university courses, count, in a way, as "software", a set of instructions you could, if you wanted, put in to a computer.

Now, in order to "require, by law, that software allows a back door entry in to it" as specified by Professor Glees he would have to require my blog and that video are changed to add instructions like "Now you have made two copies of the key, one for the sender and one for the recipient, you have to make a third, and post it to GCHQ at this address". Indeed, every copy of every book and every web page explaining encryption is in effect "software" and they would all have to be found and need instructions like that added, or access blocked somehow. I suspect, for books, the only real way to get close to this involves piling books up outside libraries and burning them - that'll work!

Of course, if I was following that 1882 book, or my blog, or that video, and I came to the bit that says "send your keys to GCHQ", I could ignore that bit! When putting these instructions in to the computer, I could leave those bits out. Nobody would know. The encrypted messages would still pass around just like ones with the "back door entry". Remember, that these systems have to interwork with normal systems outside the UK (unless UK is to be disconnect from the Internet), so the presence of the "back door entry" is not something you can detect on the wire somehow. Only if someone actually wanted to spy on me, and tried to use this "back door entry", demanded copies of keys or whatever, would they find that I had not included one as required by law, but otherwise I would be fine.

This means that law abiding citizens and companies and engineers would have to follow these rules, or be committing a crime.

For criminals, ignoring these extra instructions, or loading software that does not have a "back door entry" will just be committing one more crime and only visible if/when they are caught. Of course, as proper encryption is legal everywhere else in the world, getting such software would be easy.

As explained on the Interview, you'd need a special weak version of iPhones and Windows and OS X in the UK. Indeed, somehow, you'd need a special weak version of Linux and FreeBSD and other open operating systems. When I download some crypto app for linux, somehow you have to stop me editing it to remove the "back door entry". Just as it would be hard to catch every iPhone as visitors come through customs it would be hard to catch every download of linux or other operating system, app, patch, library, source code, that could be loaded to bypass these mad laws. You would need special weak versions of cisco, juniper and FireBrick routers for use in the UK. You'd need to stop people downloading loads of standard apps from the Apple app store, and from Android stores, and somehow have Androids that are "locked down" that they cannot download any of these secure apps if someone does get a copy. You'd have to make Windows and iMac somehow locked down so that people could not download apps of their choice, and somehow do the same with linux and BSD. Heck, you'd even need a special version of the telephone I have on my desk as it can do encryption if I ask it to, and it is an outdated model that is no longer supported. Somehow you need special versions of code for equipment made by companies that do not exist any more. Even your TV would need a software upgrade to a special version.

And once you have that special code and special versions of iPhones, which the criminals can just ignore, you then need to somehow make it so that criminals don't crack this "back door entry" which has been added, even though it has somehow been added to open source code, and so can be seen and understood (makes cracking it just slightly easier if you have the source code). And when (not if) this back door is cracked you have to have some secure way to update every single device in the country from desk phones, mobile phones, apps on computers and TV sets and everything to the new version with the better back door that has not been cracked yet, while you cross your fingers for a week or so until it is hacked again.

Of course, even if not cracked for a long time, all confidence in any UK based security would be lost by the rest of the world. It would be against card payment processing rules for anyone to accept cards from any of the UK browsers because they would be known to have this "back door entry", so no card payments on-line would be possible from any UK law abiding citizen (criminals would not have that problem, obviously, as they can just run old/safe versions of browsers and access via TOR/VPNs).

Now, remember, Internet Explorer 6 (IE6) which dates to 2001, that is 14 yeas ago. That has in it secure(ish) encryption code. If it has taken 14 years for Microsoft to get people to stop using IE6 when there are good reasons for people to upgrade. How long would it take to get everyone to upgrade their browsers to include the government mandated back door? And that is just one app on one type of device (PC).

Finance would have to leave the UK, probably in order to comply with security requirements by law in other countries if not simply due to lack of confidence from any customers who find they deal with the UK.

And with all of that, you still have the fact that a child with pen, paper and some dice could send secret messages if they want, even if that means ignoring the extra line of instructions to send a copy of the key to GCHQ. You can make that illegal, just like you could make farting illegal, and probably with about as much chance of it being implemented.

And who the hell pays for all of these changes to every computer, every app, every browser, every telephone and device?

Sorry for repeating myself here - just trying to find ways to explain the scale of the problem to people like Professor Glees, who clearly has no fucking clue, much like Theresa May and David Cameron. Somehow we need to get the message across.

9 comments:

  1. Maybe Cameron understands, maybe he doesn't. But it doesn't matter because it is irrelevant. This is not about protecting us from terrorists or from kiddy fondlers, it is about appearing to be seen to be doing something. It's just political marketing.

    ReplyDelete
    Replies
    1. Indeed, but surely even the most non technical should see that what is seen to be doing is taking away privacy from us all. That has got to be bad political PR, surely? Doing a Ratner's.

      Delete
  2. My parents' non technical friends all think this is fine, they don't care if the government reads their emails and knows what web sites they are browsing. They think it goes no further than that. The trouble is you need a fair amount of technical knowledge to know what this really means.

    ReplyDelete
    Replies
    1. Tell them it means they can't have their wifi encrypted and if a paedo uses their connection they'll never be able to prove it wasn't them.

      Delete
  3. It's about control and power.

    What will actually happen is that laws will be passed which make no sense to technical people but which will give a judge the power to interpret them in any way they like which means that the Government can do pretty much anything they want to anyone.
    #WEREALLCRIMINALS

    ReplyDelete
  4. "Doing a Ratner's." If only he had done in the name of anti-terrorism or child protection.

    ReplyDelete
  5. Not only wouldn't it work it'd be a burden to anyone in the UK doing legitimate business. We ship software that requires commercially sensitive data to be encrypted (otherwise they wouldn't do business with us). Suddenly we have to devise a method where it's 'impossible' that the data to be decrypted by those that might want to steal it but the government can read it without trying very hard, otherwise we risk jail? F that.

    ReplyDelete
  6. There's a more generous way to interpret Professor Glees' comment: there is no treaty obligation or existing legislation that would prevent a ban on good encryption from becoming law.

    This differs from things like a law prohibiting men called Adrian from having children; that would come into conflict with the Human Rights Act (for example).

    So, Cameron can certainly have such a law on the books, and even enforce it on people doing business within the UK. Whether the law will have the effect that he wants it to have is a different matter.

    ReplyDelete
    Replies
    1. Indeed, and I don't actually dispute his assertion that a law could be made. As I say, you could probably make a law banning farting as well. It would not be effective, obviously, and would be very damaging.

      Delete