End to end encryption under threat

Soldato
OP
Joined
16 Jun 2013
Posts
5,381
Well yeah, which is why Manning and Snowden have so much blood on their hands. Nothing to do with the UK government though.

Hacking into TalkTalk (with an SQL injection vector ffs) is one thing, hacking into GCHQ is a rather different prospect.

It's doubtful the data collection will be stored by GCHQ; it's more likely to be the ISPs (they were whinging about the added costs), and as such it could easily be another TalkTalk affair.
 
Caporegime
Joined
22 Jun 2004
Posts
26,684
Location
Deep England
Actually many are. It's not just the UK though; many companies wipe devices before going through US immigration just in case their devices were confiscated and highly sensitive information is taken by the U.S. Government. Companies building/designing things for other countries or companies in other countries would be very worried about this. Industrial espionage is big business and you would be a fool to think it's only China that spies on British/US companies; it happens the other way round as well.

So that's an interesting argument. As I remember it, in the '90s the US government passed a law that made it a criminal offence to not decrypt an encrypted device in the US when requested to by US authorities. Somewhat heavy-handed, and as a result a lot of companies, including mine at the time, implemented a policy of not taking any encrypted devices to the USA and other countries that had similar laws. The important thing is that it didn't stop companies doing business with the US; they just became more careful about handling their data.

I'm sure the British security services were involved in industrial espionage back then - the end of the Cold War left them with not much to do. These days I think they have more pressing issues though.
 
Caporegime
Joined
22 Jun 2004
Posts
26,684
Location
Deep England
It's doubtful the data collection will be stored by GCHQ; it's more likely to be the ISPs (they were whinging about the added costs), and as such it could easily be another TalkTalk affair.

One imagines that the capability to decrypt these messages would be managed out of GCHQ though.
 
Associate
Joined
1 Feb 2006
Posts
1,868
Location
Reading
Either I'm missing something in this legislation or many others are. Can someone point me to the part which means the government will have a "backdoor" to encryption algorithms?

As I read it, the legislation basically tells companies encryption endpoints should be their own servers, not end-user devices; communications are still fully encrypted by industry-standard best practices in such a scenario, except in the memory of the companies' servers.

Ignoring people's trust of the government, the only negative is that it opens up one additional attack vector: a malicious entity can now target the company to decrypt a user's communications, as opposed to just the user themselves. But let's not forget that is exactly the case currently for services such as email - the basis of your online identity (very important) and banking ... (Kind of important!)

It seems strange to me that people are quite happy with such security arrangements for banking and email but not when sending their mates a picture of a lolcat over iMessage??

On the topic of trust, at the end of the day if you want to engage in digital services you have to trust someone, and while my trust in the security forces is not complete, it is higher than for a private company that is legally mandated to act in its best interests over mine, which generally means monetising me and typically abusing my privacy.
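The two architectures described in the post above (encryption ending on end-user devices versus on the provider's own servers), as an added example that is not part of the thread or any poster's code. It uses a constructed toy cipher (a SHA-256 counter keystream plus an HMAC tag) purely so the script runs offline with the Python standard library; `RelayServer`, `TerminatingServer` and `run_scenarios` are names chosen for this illustration. It shows concretely where the extra attack vector the post mentions comes from: in the server-terminated design the plaintext exists in the provider's memory, so whoever compromises the provider recovers the message without touching either user.

```python
# Added example (not from the thread): toy model of the two message architectures.
# The cipher is a constructed demonstration, not a production design.
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key || nonce || counter, concatenated to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC-SHA256 tag over (nonce || ciphertext)."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key raises instead of returning garbage."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class RelayServer:
    """End-to-end model: the provider only stores and forwards opaque blobs."""

    def __init__(self):
        self.memory = []  # everything this server ever held

    def deliver(self, blob: bytes) -> bytes:
        self.memory.append(blob)
        return blob


class TerminatingServer:
    """Server-endpoint model: encryption terminates at the provider, which holds a key
    per user, decrypts the sender's copy and re-encrypts it for the recipient."""

    def __init__(self, user_keys: dict):
        self.user_keys = user_keys
        self.memory = []

    def deliver(self, sender: str, recipient: str, blob: bytes) -> bytes:
        plaintext = decrypt(self.user_keys[sender], blob)
        self.memory.append(plaintext)  # the plaintext now lives in the provider's memory
        return encrypt(self.user_keys[recipient], plaintext)


def run_scenarios(message: bytes = b"lolcat.jpg") -> dict:
    """Sends one message through each design and reports whether a dump of the
    server's memory (and nothing else) contains the plaintext."""
    # End-to-end: Alice and Bob share a key the provider never sees.
    shared = secrets.token_bytes(32)
    relay = RelayServer()
    received_e2e = decrypt(shared, relay.deliver(encrypt(shared, message)))

    # Server-terminated: the provider holds a key for each user.
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    term = TerminatingServer(keys)
    received_term = decrypt(keys["bob"], term.deliver("alice", "bob", encrypt(keys["alice"], message)))

    return {
        "e2e_delivered": received_e2e == message,
        "e2e_plaintext_in_server_memory": any(m == message for m in relay.memory),
        "terminating_delivered": received_term == message,
        "terminating_plaintext_in_server_memory": any(m == message for m in term.memory),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Both designs deliver the message correctly; the only difference `run_scenarios()` reports is what the server's memory contains, which is exactly the additional place an attacker can go after in the server-terminated design.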
 
Caporegime
Joined
25 Jul 2005
Posts
28,851
Location
Canada
One imagines that the capability to decrypt these messages would be managed out of GCHQ though.

But that goes back to having a backdoor rather than asking Apple to provide decrypted messages of specific people, à la Facebook et al.

To be fair I think I was actually talking cross threads, it's more relevant to the storing of website data in the other thread. :o
 
Caporegime
Joined
25 Jul 2003
Posts
40,102
Location
FR+UK
Well, no one's advocating putting in a "back-door" (a rather simplistic term for what in effect would be a sophisticated solution) and then letting everyone use it. Sure, there's a risk that the government's "back-door" key gets compromised and that'll have to be managed, but you know, governments are used to handling sensitive information - a lot more sensitive than this tbh.
And they have a pretty well documented track record of screwing up when it comes to storing sensitive information safely.
 
Caporegime
Joined
30 Jun 2007
Posts
68,784
Location
Wales
Why do you think this bill would affect terrorists? They aren't going to continue to use a compromised service; they'll use something else - something which is still secure. Even if they have to code it themselves.

The only people this will affect are law-abiding people.

I think you overestimate the sophistication of most terrorists.
 
Caporegime
Joined
25 Jul 2005
Posts
28,851
Location
Canada
And this is why backdoors are bad m'kay

http://www.engadget.com/2015/12/18/cnn-fbi-is-investigating-the-juniper-networks-security-hole/

Yesterday's news of "unauthorized code" that could enable untraceable backdoor access to VPN traffic on certain Juniper Networks firewalls is now being investigated by the FBI. That news comes from CNN, which said that a US government official described the vulnerability as "stealing a master key to get into any government building." There's no word yet on which government agencies or private companies may have been using the specific ScreenOS-powered devices affected, but that's what the Department of Homeland Security is now trying to find out.
 
Caporegime
Joined
22 Jun 2004
Posts
26,684
Location
Deep England
****e, Juniper is used by a fair few big corps.

Wonder who authorised it and how long it's been "unauthorised" for.

Sounds like it's been unauthorised since 2012, presumably it's a rogue developer since it was Juniper's own internal code review that found it.

Edit: don't see what this has got to do with government back doors. In fact it just demonstrates how concerned we should be about cyber-crime in general.
 
Soldato
Joined
17 Jun 2012
Posts
11,259
I do wonder why a lot of people in here complain about this. Damned if they do, damned if they don't; what are people trying to hide? Man has lived for millions of years without the internet. If your family/friends were massacred in an attack, would many not turn to the authorities and demand why they didn't stop this? I think so. Lose the pr0n.
 
Soldato
Joined
23 Feb 2009
Posts
4,978
Location
South Wirral
On the Juniper code, a lot would depend on what kind of code reviews, testing and checks were in place at the time. There would be some kind of source code control system pointing to a developer id that checked the code in, but was it a stolen or borrowed login id. Given the FBI involvement, we'll likely never know unless someone gets prosecuted for it.

Agree that Juniper did the right thing by owning up. The extra free publicity would also help get the patches applied a lot more quickly.
 
Soldato
Joined
1 Apr 2009
Posts
9,952
Just made me laugh; sounds like a 5-year-old telling his mum why something is not OK.

As you know, it had always been perfectly legal for anyone, let alone any government to open up private letters and wiretap into any communication, as this in no way violates the privacy and trust of your citizens.

What is this, the U.S.S.R.? I mean, we're already there, with the constant video surveillance of public places anyway. Man, the old commies would have LOVED all that tech.
 
Soldato
OP
Joined
16 Jun 2013
Posts
5,381
On the Juniper code, a lot would depend on what kind of code reviews, testing and checks were in place at the time. There would be some kind of source code control system pointing to a developer id that checked the code in, but was it a stolen or borrowed login id. Given the FBI involvement, we'll likely never know unless someone gets prosecuted for it.

Agree that Juniper did the right thing by owning up. The extra free publicity would also help get the patches applied a lot more quickly.

I think in this case it could be an exception to "any publicity is good publicity". A company that sells security to others has been breached, leaving others open to attack(ish).

I'd be rather intrigued to know how an employee could gain from it, unless Cisco are running an "if you can't beat them, discredit them" initiative.

Open source ftw!
 
Caporegime
Joined
18 Oct 2002
Posts
26,098
I don't think any vendor would be foolish enough to use this Juniper vulnerability to promote themselves. Glass houses and all that.

If a frantic code review isn't happening at Cisco, Palo Alto etc. 'just to be sure' then I'd be surprised.

Open source ftw!

It's a nice idea, but it's important not to fall into the trap of assuming that just because it's open source somebody else is reviewing the code - Heartbleed was less than two years ago and far more dangerous than this Juniper bug. Unless you're employing people who are competent enough to understand the VyOS code (for example), the fact that the source code is public doesn't by itself offer you any extra protection over the proprietary code supplied by a vendor with what you have to assume are well-run internal practices for development, code review and bug fixes.
 
Caporegime
Joined
25 Jul 2005
Posts
28,851
Location
Canada
Sounds like it's been unauthorised since 2012, presumably it's a rogue developer since it was Juniper's own internal code review that found it.

Edit: don't see what this has got to do with government back doors. In fact it just demonstrates how concerned we should be about cyber-crime in general.

Because once you install a backdoor you may as well say bye to any semblance of security.
 