UK Government to Launch PR Campaign Undermining End-to-End Encryption

Rolling Stone is reporting that the UK government has hired the M&C Saatchi advertising agency to launch an anti-encryption advertising campaign. Presumably they’ll lean heavily on the “think of the children!” rhetoric we’re seeing in this current wave of the crypto wars. The technical eavesdropping mechanisms have shifted to client-side scanning, which won’t actually help—but since that’s not really the point, it’s not argued on its merits.

Posted on January 18, 2022 at 6:05 AM · 51 Comments

Comments

Winter January 18, 2022 7:03 AM

The basic point is that they will not or cannot protect us against criminals, spies, and foreign agents, but they want to make it illegal for us to protect ourselves.

It is not different from the municipality outlawing bicycle locks because they cannot easily remove stray bicycles. Or outlawing door locks to allow the police to enter your house without fuss[1], “because of the Children”.

The basic point is that this is a very bad “deal”: We have to give up our right to secure our online life, while they refuse to protect us.

[1] The story has been told before, but the Belgian police (Rijkswacht) had a service for the public. If you were planning a vacation, you could warn your local police office and they would keep an eye on your house because of all the burglaries. They stopped it when it became public it was the police that did the burglaries when the owners were on holiday.

Ted January 18, 2022 8:01 AM

Mark Zuckerberg wrote a blog post in 2019 called “A Privacy-Focused Vision for Social Networking” where he lays out the value of encryption for Facebook’s (now Meta’s) three messaging services: Facebook Messenger, WhatsApp, and Instagram Messaging.

People expect their private communications to be secure and to only be seen by the people they’ve sent them to — not hackers, criminals, over-reaching governments, or even the people operating the services they’re using.

https://www.nytimes.com/2019/03/06/technology/facebook-privacy-blog.html

From what I’m reading WhatsApp currently supports E2EE by default, while messages sent through Facebook Messenger and Instagram Messaging can support E2EE – but this option isn’t the default and possibly wouldn’t be until sometime in 2023.

Bownse January 18, 2022 8:39 AM

Winter is spot on with his observation. It’s not unlike them telling us to keep our doors unlocked because it makes their dynamic entries more difficult.

Hold The Door January 18, 2022 10:00 AM

@Bruce

You write, “…since that’s not really the point, it’s not argued on the merits.”

What do you think the point is?

Bear January 18, 2022 10:05 AM

The paper you linked with ‘won’t work’ makes a lot of conclusions based on leaps of mistrust, assumptions, and words defined contrary to consensus.

Hal Abelson (lead author) did a lot of hard and precise crypto software work, and he did it very very well. I respect the hell out of that. But his contributions to public policy papers need to be read very closely, explained fully, or supported with far more evidence than he tended to supply.

The security business is based on leaps of mistrust; we have to treat every party as potentially acting in bad faith. The various intelligence agencies of many nations have amply demonstrated that mistrust in them is warranted by their history, actions, intentions, and modus operandi.

But the capabilities this paper assumes the client-side scanner has available, amounting to making the device arbitrarily and remotely searchable, seem unrealistic in the context of an application that can be installed on a very limited device and denied the capability of receiving messages other than looking at those the user sends.

Clive Robinson January 18, 2022 10:55 AM

@ ALL,

Sadly for the UK Government, although you can try to stop “End to End Encryption” (E2EE), there is not very much you can do technically to stop it.

So the plan is to make it a “social issue” which is generally a very stupid thing to do as it only works when society wants it to be that way.

Here they are hoping to get parents to brainwash children into a life-long cognitive bias just as the more dangerous “cults” do. Unsurprisingly for exactly the same reason: unwarranted power over those they see as inferior and of no consequence (ie the voting citizens and their descendants). Think of Kings, Barons etc -v- the slaves, serfs and villeins.

You already know which group you’ve been selected for…

The thing is, there is as I said no known technology that can actually stop E2EE as long as communications with any degree of freedom is allowed, as I’ve indicated and described before on this blog.

So whilst they may pass legislation it is still not going to stop those who are determined to maintain privacy from their sordid snooping.

@ John,

You asked,

So, describe a simple system you and I can setup that does ‘good’ encryption.

Which part? and to What depth?

All crypto systems have two parts,

1, The public algorithms
2, The secret key.

That is you have an algorithm –encryption– and its inverse –decryption– that take two inputs,

1, The text
2, The key

And has one output depending on if you are encrypting “plaintext” to “ciphertext” or decrypting “ciphertext” to “plaintext”, in each case using the correct Key Material (KeyMat).

The simplest secure system is called the “One Time Pad”(OTP) and it is simple to understand and use but has fragile security so has to be used correctly.

The OTP has advantages over other cipher algorithms such as “deniability” but it has several disadvantages, primarily due to the fact all the security exists in the KeyMat, which by necessity has to be at least as large as all the messages you envisage you will need to use it for.

Also the KeyMat needs to be made via a secure “Key Generation” (KeyGen) process, audited, securely exchanged between the two parties by some other secure channel, and securely stored, all prior to the OTP being used. Then the used KeyMat needs to be securely destroyed so it can not be reused, lost, or stolen. These processes and a few more are known collectively as “Key Management” (KeyMan).

By now you should realise, that in the general reality of things the OTP is seen as more trouble than it is worth in commercial or high bandwidth communications environments.

Especially where more than two parties need to be involved with communications.

However as was found in World War Two the down sides of OTPs could be easily addressed and the added security they gave far outweighed the disadvantages.

The OTP cipher, when combined with code books, can also, surprisingly to many, make a secure system that hides a covert channel in plaintext by taking advantage of the redundancy in the language.

But the OTP like all crypto systems has three unavoidable downsides,

1, It is less convenient to use
2, It adds significant work
3, It adds latency

Which means most will not want to have anything to do with it unless you can make these problems insignificant.

Which is why we tend to use,

1, Block ciphers for encryption.
2, Public Key for KeyMat exchange.

And a computer to do the work.

Bear January 18, 2022 10:57 AM

Tis the same paper as the one I spoke about.

Obviously if we allow such an application to receive search requests from the Internet and allow remote operators to bypass normal channels to update individual installations with new executable code, then there can be no security on the device.

That is possibly the single stupidest way to implement this, and no one seems to consider any other possibility.

Impossibly Stupid January 18, 2022 12:04 PM

@John

So, describe a simple system you and I can setup that does “good” encryption.

Depending on how you define “simple”, perfect encryption can be achieved by using a basic XOR cipher.

@Hold The Door

What do you think the point is?

A monopoly on control. The problem remains that, even with the best of intentions (e.g., let’s say the people in power at the top really are sincerely only interested in the abuse of children), corrupt people within the system will use it for their own benefits (including the possibility of abusing children, as the RS article points out).

As I have said here in the past, if these people are so certain that unencrypted communication is the best thing to do, they need only set the example by making all of their messages be free and clear. Until that happens, there’s no reason to believe they’re being sincere. The government wants to watch The People without The People watching them.

That’s why things like the “glass box” stunt are so hilariously misguided. It’d be so easy to counter-protest by slapping on a sign that said something along the lines of “What does the UK government use encryption for?” Or set up an identical box somewhere featuring similarly lurid scenarios where the perp is simply dressed as a policeman.
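
The two-part split Clive describes above (a public algorithm plus secret key material, with all the security living in the KeyMat) and the XOR cipher Impossibly Stupid mentions are the same thing when the key is a true one-time pad. What follows is an added example for this thread, not code from the original post or from any commenter; the pad handling, the messages and the `OneTimePad`, `cover_key` and `two_time_pad_leak` names are my own constructions. It shows the checks that keep an OTP from being misused (pad at least as long as the data, each byte used once and then destroyed), the deniability property, and what an attacker gets when a pad is reused:

```python
"""One-time pad as XOR, with the key-management checks that make it fragile.

Added example for this thread; it is not code from the original post or
from any commenter. Messages and pads below are constructed for illustration.
"""
import secrets


def keygen(length: int) -> bytes:
    """KeyGen: pad bytes from the OS CSPRNG, one per message byte."""
    return secrets.token_bytes(length)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """The whole public algorithm: encryption and decryption are the same XOR."""
    if len(key) < len(data):
        raise ValueError("key material shorter than data")
    return bytes(a ^ b for a, b in zip(data, key))


class OneTimePad:
    """Hands out each pad byte exactly once, then zeroes it.

    Both parties hold an identical pad exchanged out of band (the KeyMan
    problem). Use one pad per direction of traffic so sender and receiver
    never draw the same bytes for different messages.
    """

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._used = 0

    def remaining(self) -> int:
        return len(self._pad) - self._used

    def _consume(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("pad exhausted: refusing to reuse key material")
        start = self._used
        chunk = bytes(self._pad[start:start + n])
        for i in range(start, start + n):
            self._pad[i] = 0          # destroy used KeyMat so it cannot be reused
        self._used += n
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self._consume(len(plaintext)))

    def decrypt(self, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, self._consume(len(ciphertext)))


def cover_key(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Deniability: for any claimed plaintext of the same length there is a
    key under which the ciphertext decrypts to it, so the ciphertext alone
    proves nothing about which plaintext was actually sent."""
    if len(claimed_plaintext) != len(ciphertext):
        raise ValueError("claimed plaintext must match ciphertext length")
    return xor_bytes(ciphertext, claimed_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Why reuse is fatal: two ciphertexts under one key XOR to the XOR of
    the two plaintexts; the key drops out and the attacker works on that."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad = keygen(64)
    alice_out, bob_in = OneTimePad(pad), OneTimePad(pad)
    msg = b"meet at the old mill, 0400"
    ct = alice_out.encrypt(msg)
    assert bob_in.decrypt(ct) == msg
    print("ciphertext:", ct.hex())
    innocent = b"meet at the new pub, 1900."
    k = cover_key(ct, innocent)
    print("with the cover key it decrypts to:", xor_bytes(ct, k))
    key = keygen(8)
    leak = two_time_pad_leak(xor_bytes(b"attack!!", key), xor_bytes(b"retreat!", key))
    print("key reuse leaks p1 XOR p2:", leak.hex())
```

The `OneTimePad` class is where the "fragile" part lives: the XOR is trivial, but every byte of pad must come from a real random source, be used once, and be wiped afterwards, and the class refuses rather than wraps around when the pad runs out. The last two lines of the script show the failure mode that broke real OTP traffic in practice: with the key cancelled out, an attacker is left solving `p1 XOR p2`, which is tractable for natural-language plaintext.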

Winter January 18, 2022 12:16 PM

@Clive
“Saddly for the UK Government, although you can try to stop “End to End Encryption”(E2EE), there is not very much you can do technically to stop it.”

Memories of the UK plans for age verification for porn sites come to mind.

I see the various UK governments as the protagonists of Popper’s “The open society and its enemies”. One reason cited for the Leave campaign was to end being forced by the European courts to uphold human rights and free speech.

MikeA January 18, 2022 12:35 PM

@Winter

Your Belgian Police story is very close to what actually happened in my small home town. Not on a national scale. Some (IIRC 2) police officers tipped off their burglar friends when folks asked for “extra vacation care”.

This is of course merely anecdotal for you, but was very real to me.

“Every substantial crime is an inside job”
(The ageing stock detective in “Rancho Deluxe”)

AL January 18, 2022 1:03 PM

It seems a bit odd that a government uses tax dollars to launch a campaign that is essentially a political issue. What’s the point – to get the public to cajole the Parliament into doing something? Something seems a bit out of whack here.

AlanS January 18, 2022 1:24 PM

Their campaign may not be very effective against encryption but one shouldn’t underestimate the current UK government’s appetite for dead cats. Having the public focus on Home Office scare stories while they shove through the police and elections bills is consistent with their MO.

AlanS January 18, 2022 3:04 PM

The reappearance of this now may be part of Operation Red Meat, a desperate downpour of Dead Cats.

Tupiniquim Dude January 18, 2022 5:11 PM

As a Brazilian i can tell you i have seen this movie uncountable times, governments (both left and right-leaning) use massive propaganda campaigns to create an “evil” image of something until the point where people make pressure for them to act against it, it just feels more “democratic”, more like the “will of the people” than just shoving it down people’s throat and suppressing the opposing voices, but it’s not an inch less authoritarian in reality.

It’s funny how most people here buy it and easily get afraid of the thing in question and very few of them stop for a sec to put pros and cons on the table and think better about it, they easily buy what the (in theory) experts on the TV and newspapers say.

If a campaign against E2E encryption was launched here it would much likely be successful. Thanks to our precarious education most people don’t even have the slight idea of what encryption is, and of those few who do, even less truly understand how crucial it is for privacy and freedom of speech, not to mention all eCommerce stuff and the like that couldn’t even exist if it wasn’t for strong encryption.

But if i am to be honest, i kind of see a light at the end of the tunnel, now with more and more people accessing the internet such campaigns are getting more expensive (there are many more media channels that have to be subverted than before) and less effective (as people have much more access to other points of view). With that i see that folks here are getting more questioning, even though much of that is still based on conspiracy theories and fake news, imma allow myself some hope.

ResearcherZero January 19, 2022 2:26 AM

@Tupiniquim Dude

M&C Saatchi have run a number of propaganda campaigns for both the Labour and the Conservative parties.

Now M&C Saatchi are back to run the latest campaign against end-to-end encryption, and like with previous political campaigns, by trying to frighten people.

“The campaign will accuse Facebook, Instagram and WhatsApp owner Meta as well as other encryption services of “blindfolding” police investigations and inform the public that encryption makes it hard to identify pedophiles and terrorists.”

https://www.thedrum.com/news/2022/01/17/mc-saatchi-hired-government-anti-encryption-campaign-targeting-meta

Bell, with the Saatchi brothers, were of course instrumental in putting Mrs T where she was. Their 1978 “Labour isn’t working” posters have become the most famous British political ad. But there was great footage last night of a series of TV ads.

The now iconic “Demon Eyes” adverts only appeared in three newspapers and yet took on a life that even their creators could not have anticipated. The church condemned the image. A super confident Tony Blair, whose red, peering eyes were designed to show that Labour had not changed and was a clear and present danger, just made a joke out of it.
https://web.archive.org/web/20120331064909/http://blogs.telegraph.co.uk/news/andrewporter/4041201/The_power_of_political_advertising/

The eyes will be featured on posters for the first time this week, staring out of a purse above the slogan “New Labour, New Taxes” on hoardings all over the country.
In a landmark judgment only three days ago, the ASA told the party to drop advertisements depicting Tony Blair with demonic eyes.
https://www.independent.co.uk/news/tories-revive-demon-eyes-1361151.html

In August 2019, the company first announced its initial £6.4m accounting error, and warned shareholders that the number could grow.
https://www.accountancyage.com/2019/12/11/mc-saatchi-crisis-continues-as-company-leaders-flee/

In December 2019, the Board announced the total charges would in fact be £11.6M
https://www.theguardian.com/media/2019/dec/10/saatchi-isnt-working-ad-agency-crisis-deepens-as-directors-and-co-founder-quit

We have of course debunked the technically illiterate government desire for backdoors to end-to-end encryption many times.

We have also pointed out the utter futility of banning any one app from using end-to-end encryption when there are plenty of others to choose from – as well as encryption methods that can hide in plain sight, like steganography, in which encrypted messages are embedded into ordinary-looking photos.

Finally, we have pointed out that end-to-end encryption is no different from fitting doors to our bathrooms and curtains to our windows.

We live in a world where it would be technologically feasible to ensure that virtually no crime could go undetected. We could fit CCTV cameras on every street, in every home, in every building. We could all have trackers embedded beneath our skin. We could force everyone to provide both fingerprints and DNA samples to hold in a global database. We could make it illegal to fit curtains or blinds to windows. And so on.

We don’t do any of these things because we value freedom and privacy, and we consider that the risks involved are a price worth paying for the ability to live our lives free from tyranny and surveillance.

https://9to5mac.com/2022/01/17/emotive-anti-encryption-ad-campaign/

Dave January 19, 2022 4:10 AM

Saying this as someone who’s not in the UK and doesn’t have a stake in UK politics: If they do as good a job with this as they have with Brexit and Covid, we have absolutely nothing to worry about.

SpaceLifeForm January 19, 2022 5:05 AM

Just the Metadata, Meta, just the Metadata

https://www.forbes.com/sites/thomasbrewster/2022/01/17/whatsapp-ordered-to-spy-on-chinese-phones-by-america-no-explanation-given

“Other than the three elements described above, federal law does not require that an application for an order authorizing the installation and use of a pen register and a trap and trace device specify any facts,” the government wrote in the latest application.

[the investigation team probably already has a good idea as to who the perps are, but they want to connect dots and learn more. And they are not going to reveal any more info, because it may leak, and tip. Note it is not Does 1 thru 10]

AlanS January 19, 2022 7:42 AM

@Dave

If you lived in the UK the opposite would probably be true. I’m also not persuaded that the larger problem is unique to the UK, although it is probably more acute in the UK, an increasingly incoherent state that’s still trying to figure out its new place in the world post-Empire.

I read something a couple of years ago by a writer who observed that many of the key people in the current UK governing party had previous careers, or sometimes parallel careers, writing for newspapers and news magazines, not so much as journalists, as opinion writers. Or they had careers in PR. (This is probably also true to some degree of previous left-wing administrations as well.) As such they really don’t do policy; they are spinners of stories, fantasies or, as Bruce has this tagged above, propaganda. They have very little interest in policy tied to facts or science. A current UK cabinet member, a former journalist, famously claimed “I think the people of this country have had enough of experts” a few years ago. And their stories are not in the service of any coherent ideology (unlike, the earlier generation of Thatcherites) other than the persuasion of people to put them in power and keep them there. As such it’s not worth debating them over the merits of their position on encryption. Encryption is just story fodder. Which I think begs the question, how do you respond to people who don’t care about facts and science?

Clive Robinson January 19, 2022 9:50 AM

@ AlanS, Dave, ALL,

Which I think begs the question, how do you respond to people who don’t care about facts and science?

Well there is,

“Nothing you can do in theory”

So I guess a few practical lessons with them as the experimental subjects might help with their cognitive issues.

Perhaps demonstrating to “The Blimp Imperial BoJo” the advantages or not of a pure helium atmosphere might at least prove entertaining for a little while.

Winter January 19, 2022 10:28 AM

@AlanS, Clive
“Which I think begs the question, how do you respond to people who don’t care about facts and science”

The only way to get a lawyer or PR/spin doctor to see your point is to employ them. Any argument or discussion is for the audience. They have to be brought on your side.

How to win the hearts and minds of the audience starts with acknowledging that you cannot win the one without the other; you have to win both the hearts and the minds.

Second, the argument must be brought to their own lives and experiences. The use of any abstraction will lose you the debate. The fight against pesticides and pollution was won because people did not want a “silent spring” or soot on their laundry, not because of abstract notions of biodiversity and ecological value.

pup vas January 19, 2022 1:48 PM

Recent on the subject
Facebook Messenger: The battle over end-to-end encryption
https://www.bbc.com/news/technology-60055270

=End-to-end encryption goes a step further.

The code agreed upon by a sender and receiver is so secret not even the company handling our data knows it.

Only the end-user can decrypt the messages, images or phone calls.

Imagine you want to receive a letter in the post that only you can read.

You could send someone a box only you have the key for. They put their letter inside it and it locks when they close it. Then they send it to you to open with your unique key.

The digital version of the locked box is known as a “public key”, while your unique key is your “private key”.

The system is beloved by privacy-minded people as the data is safe from everyone. Even the messaging company is unable to decipher the data you send.=

More information and good charts inside.

That is why Skype, initially a P2P communication system, changed its architecture after being acquired by Microsoft, adding a man in the middle who can read, listen to, record and store all your private communication.

lurker January 19, 2022 3:01 PM

@pup vas

All well and good, but the people who don’t read @Clive or understand what he says, will still get caught by key-loggers and back-loaders that intercept the message before it is encrypted by the sender; or after it is decrypted by the receiver.

Assuming the UK Govt proposal does not get overwhelming public support, it’s still a certainty that the UK Govt spooks have orders in for Holidays_Calendar apps, or Pet_Care apps, &c. to do just that dirty work.

moz January 19, 2022 3:18 PM

@Clive Robinson

Ignoring that this is clearly a dead cat policy, I don’t think our government really cares about the theory. This is partly really about crime fighting but in the background about population control for the masses. Although encryption will be possible, most people won’t have encryption and so when they realise the Tories have sold off the site next to their school for chemical waste handling the police will be able to intercept any protest.

The question that needs answering is: could you build a system that would be practical and safe for most of the current internet connected inhabitants of China? I think the practice is that they would make mistakes and give themselves away to the government.

In which case the Chinese restrictions are working, even if some people can work around them.

Freezing_in_Brazil January 19, 2022 3:24 PM

@ Tupiniquim Dude

If a campaign against E2E encryption was launched here it would much likely be successful. Thanks to our precarious education most people don’t even have the slight idea of what encryption is, and of those few who do, even less truly understand how crucial it is for privacy and freedom of speech not to mention all eCommerce stuff and the like that couldn’t even exist if it wasn’t for strong encryption.

Brazilian here. Brazilians could easily fall for this talk, indeed. What’s not to love in an Easy Fix? In fact, I don’t think it is all about education as I see educated people acting stupid when dealing with a smartphone’s [or even a computer’s] security. I see it all the time, and I bet you do too.

Brazilians understanding of encryption? Well, you see, aside my office and my professional activities, the only place I can talk about encryption is here [and forums like these]. Not with friends, not with family. The understanding of the English people must not be much higher, no offense. Encryption is hard. It is simply not a matter for the masses or social science types [and given the case in light it seems it is also not a matter for legislators], that is the reality.

So let them see for themselves. Banning encryption is impossible now. Both the English and Brazilians [or any other nation for that matter] will-would revoke this legislation within 24 hours from the promulgation, as the chaos ensues. Just wait and see.

Regards

Clive Robinson January 19, 2022 6:05 PM

@ moz, ALL,

This is partly really about crime fighting but in the background about population control for the masses.

It’s actually the other way around.

When you can get at the information, the Police etc are not at all troubled by “encryption”. The “Association of Chief Police Officers” (ACPO) talk a good talk, but the reality is encryption is not something that troubles ordinary police officers; they just do not see it, even when dealing with more serious and organised crime.

Where encryption does cross law enforcement’s path it is very specialised crime that has very specialised personnel in specialised national police units. And whilst the numbers involved with this crime appear large and the crimes very scary, the reality is it’s all “corner case”. Even so, the reality is internal fighting in crime groups obviates the need to break encryption, even if it is used as more than a “status” symbol.

The real big-number crooks by far are white collar finance industry types and other apparently sober big industry players like Group 4, Serco, Capita, much of the construction industry and mil-tech. The names of which can be found on the political corporate funding lists and annual “Honours Lists”. Where crimes are “corporate” and paid with tax-deductible fines.

The reality for the police and specialised units is, as it is with military communications, that message content is of less importance than who is talking to whom, when and where. That is what is called meta-data, and the process of extracting information from it “Traffic Analysis”.

When you hear about Facebook, Google and other big tech wanting to up privacy by E2EE but also increase “safe guarding”, they are talking about two very much related technologies,

1, Know your client/customer.
2, Traffic Analysis.

This is so powerful they do not need to see message content. In fact E2EE is desirable to them because it gets rid of the court orders, warrants and much else that they really do not want to be dealing with, as it’s a very significant burden that is not going to get any less. E2EE stops all the messy legal business and just leaves “third party business records”, which are not contentious currently.

This UK Home Office Minister Priti Patel nonsense is nothing whatsoever to do with “dealing with real crime”. It’s all about placing the foundation stones of a “Police State” via an Orwellian “thought control” process designed to keep certain people in certain positions preying off of everyone else. Look at the recent history of legislation by this government and it’s all about centralisation of power and prevention of opposition or protest and other basic freedoms that make the society we currently know what it is. At the rate they are changing things UK society will be like that of the old East Germany and similar states.

Which brings us to your compound question of,

The question that needs answering is: could you build a system that would be practical and safe for most of the current internet connected inhabitants of China?

To answer it, you need to split it into a number of scenarios and realise that “one to one” privacy is a realistic possibility we’ve known how to do for centuries. However “one to many” is rather more complicated and needs a “broadcast” system which has complexities. As for “many to many” that is either an N^2 links issue or a central hub issue of which you would have to do both for interactive group communications.

So for simplicity, for “one to one” communications,

1, Could I design one : Yes.
2, Could I build them : Yes.
3, Would it be safe : Yes.
4, Would it be private : Yes.
5, Would it be practical : Yes.
6, Could I publish plans : Yes.

Sounds good so far… But,

7, Would I be allowed to sell : No.
8, Would I be allowed to make : No.
9, Would I be allowed to import : No.

Which brings us onto point 6 again. The question arises: would the majority of people be able to “build their own” if given the design? The answer is, if it involves more than software or a pencil and paper, the answer for by far the majority is “No”. Worse, for those that could, for by far the majority of them it would be “inconvenient”, so they would not build systems to give them safe privacy.

It’s what all the Governments know: the citizens do not want to be bothered to get safe privacy if it is in any way “inconvenient”.

So it’s going to stay the realm of “crypto-geeks” and “Criminals who can think with logic”.

But what will happen with “software” only systems is what we see currently with “Secure Messaging Apps”. The user interface will be on the communications device, so it will be easy for Governments to get around the security of the Application… They just do an “end run attack” around it to the user interface…

Whilst stopping this is technically very easy, it won’t be “convenient”, so users will not do it…

As has been observed on many an occasion,

People can be their own worst enemy.
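
The “who is talking to whom, when and where” point in Clive’s comment above can be demonstrated without a single byte of message content. What follows is an added example for this thread, not code from the original post or from any commenter; the records are constructed, the names are fictional, and the analysis functions (`contact_graph`, `cells`, `hub`, `relay_pattern`, `analyse`) are my own. It runs over nothing but timestamps, senders and recipients, which is exactly what remains as “third party business records” once the message body is end-to-end encrypted:

```python
"""Traffic analysis over message metadata alone; no content required.

Added example for this thread; it is not code from the original post or
from any commenter. The records below are constructed for illustration
and the names are fictional.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed "third party business records": (timestamp, sender, recipient).
# A platform keeps these even when the message body is end-to-end encrypted.
RECORDS = [
    ("2022-01-18T21:00:00", "alice", "bob"),
    ("2022-01-18T21:00:40", "alice", "carol"),
    ("2022-01-18T21:01:10", "alice", "dave"),
    ("2022-01-18T21:03:05", "bob", "erin"),
    ("2022-01-18T21:03:30", "carol", "frank"),
    ("2022-01-18T21:04:00", "dave", "grace"),
    ("2022-01-18T22:15:00", "heidi", "ivan"),
    ("2022-01-18T22:16:00", "ivan", "heidi"),
    ("2022-01-19T08:30:00", "alice", "bob"),
    ("2022-01-19T08:31:00", "alice", "carol"),
    ("2022-01-19T08:31:30", "alice", "dave"),
    ("2022-01-19T08:33:00", "bob", "erin"),
    ("2022-01-19T08:34:00", "carol", "frank"),
    ("2022-01-19T08:34:30", "dave", "grace"),
]


def parse(records):
    """Parse and time-order the records; later steps assume sorted input."""
    events = [(datetime.fromisoformat(ts), s, r) for ts, s, r in records]
    return sorted(events)


def contact_graph(events):
    """Undirected graph of who has ever exchanged a message with whom."""
    graph = defaultdict(set)
    for _, sender, recipient in events:
        graph[sender].add(recipient)
        graph[recipient].add(sender)
    return graph


def cells(graph):
    """Connected components: separate groups that never talk to each other."""
    seen, found = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        stack, cell = [start], set()
        while stack:
            node = stack.pop()
            if node in cell:
                continue
            cell.add(node)
            stack.extend(graph[node] - cell)
        seen |= cell
        found.append(frozenset(cell))
    return found


def hub(graph):
    """Node with the most distinct contacts (ties broken alphabetically)."""
    return max(sorted(graph), key=lambda n: len(graph[n]))


def relay_pattern(events, window=timedelta(minutes=5)):
    """Find relays: X receives a message and within `window` sends one on to
    a third party (a direct reply to the original sender does not count).
    Returns (relay counts, counts of who triggered those relays); the top
    trigger is the likely coordinator of the chain."""
    relays, triggers = Counter(), Counter()
    for i, (t1, s1, r1) in enumerate(events):
        for t2, s2, r2 in events[i + 1:]:
            if t2 - t1 > window:
                break
            if s2 == r1 and r2 != s1:
                relays[r1] += 1
                triggers[s1] += 1
    return relays, triggers


def analyse(records):
    events = parse(records)
    graph = contact_graph(events)
    relays, triggers = relay_pattern(events)
    coordinator = triggers.most_common(1)[0][0] if triggers else None
    return {
        "cells": cells(graph),
        "hub": hub(graph),
        "relays": dict(relays),
        "coordinator": coordinator,
    }


if __name__ == "__main__":
    result = analyse(RECORDS)
    print("cells:", [sorted(c) for c in result["cells"]])
    print("hub:", result["hub"])
    print("relays:", result["relays"])
    print("likely coordinator:", result["coordinator"])
```

Run as a script it separates the two cells (heidi and ivan never touch the other seven), picks out the most connected node, and identifies the node whose messages are consistently followed within five minutes by onward messages from its contacts. That relay timing, not content, is what marks a coordinator, and a real analysis would add time-of-day profiles and message sizes, both of which leak more still. This is the sense in which E2EE costs the platform and the analyst nothing: the body is gone, the graph is not.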

AlanS January 20, 2022 9:56 AM

@Winter, Clive,

Agreed. One has to have both reason and poetry. @Dave referenced Brexit earlier. There were compelling reasons to vote against it but remainers lacked enthusiasm and a compelling narrative. The current PM also appears to be undone by a party when others were denied the right to be with dying friends and family. There are so many reasons for his undoing but it may be the stupid, visceral one that is his downfall.

Homo economicus is a fiction. People often have only a vague grasp of their own interests and are as likely to act on emotion as much as reason. The political economists (Smith, Marx, etc.) knew what modern economists who worship at the altar of mathematical models ignore.

Reason is a double-edged sword. Zamyatin’s We (@ Null Clam), is a tale that ends with the engineer, who has had his imagination and emotions expunged, dispassionately recounting the use of a machine to ritualistically torture and execute the woman he loved and then betrayed to the Benefactor. As Orwell wrote of the book: “It is in effect a study of the Machine, the genie that man has thoughtlessly let out of its bottle and cannot put back again.”

The worst type of unreason is total reason. The innovations that allowed the collection of endless data points and their abstraction to reveal patterns that enabled the control of plagues also enable the vast electronic databases and algorithms that subject our emotions and lives to the machine. We are ultimately undone by becoming the objects of our own reason without limit.

Encryption in the hands of us ordinary folk is a threat as it inhibits the machine. It is a curtain around the glass houses of the inhabitants of One State. It is what makes I-330’s endless revolution against the unreason of reason possible.

ResearcherZero January 20, 2022 4:02 PM

@pup vas

You can receive a letter that only you can read, you just have to get the person who wrote it to decide on a predetermined method for the text, which I assumed all good uncles taught to kids. You can use it over radio, plenty of good books about it, and all good grandmothers give their grandchildren radio kits. That’s why houses have a backyard, so you can have an antenna.

Is not HAM radio still cool?
https://www.sunjournal.com/2014/05/18/ham-radio-cool-five-nine-good-buddy/

Clive Robinson January 20, 2022 7:46 PM

@ ResearcherZero, vas pup, ALL,

Is not HAM radio still cool?

So is drinking what tastes like vinegar strained through an old tramp’s sock, that is being a Fine Wine Connoisseur. Then there is eating of cheese that has creepy crawlies digesting it for you as you watch… Each is an “aquired taste”.

Yes I got my licence back in, oh, the pre-dawn of the 1980’s and the launch of the Icom IC2, of which I got one of the first, pulled apart and published a “widebander mod” for it (so you could listen in to the adjacent bands of UK Police and Security Service radios that back then were unencrypted[1]).

Anyway something to amuse,

https://www.kb6nu.com/wp-content/uploads/2022/01/220-resistor-captcha..jpg

[1] In part the publishing of that and a later “Tones mod” which enabled people to “squeak” the UK Security Services also got somebody I indirectly knew in trouble. I thought the story of the “visit” was lost in the mists of time until this got pointed out to me by someone the other day,

https://m.youtube.com/watch?v=E0vu-MyXYzQ

There are some “errors” in the story as told (I’m guessing it’s “third hand”). Because it gives the impression a number of things happened a half decade or so later than they actually did. For instance in the UK cordless phones were freely available in high street shops in the 1990’s as they had been licenced for quite some time and by then I was designing some of the early digital phones. So getting illegal imports from the US was something that was happening in the late 1970’s and into the 1980’s not the 1990’s (as you can easily check). There are other details you can check as well which the curious can “ferret” out via OSInt but I’m not going to “confirm or deny” to protect the guilty and their government pensions 😉 but I can say that what got under foot was a hook switch modification device that some might call a “capacitor”.

Clive Robinson January 20, 2022 7:49 PM

@ Bruce, Moderator,

Just got that 429 error, and on reposting was told it was held for moderation.

Can you please let people know why this is happening?

ResearcherZero January 21, 2022 12:00 AM

British MPs use end-to-end encryption (E2EE) and self-deleting messages.

“Signal – which has enhanced encryption measures and the option of auto-deletion – was adopted en masse by Conservative MPs following the party’s 2019 general election victory. Reports have since claimed that the prime minister and other senior Downing Street figures are also among the users of the ultra-secure platform.”

The admission of the use of self-deleting Google messages comes on the back of what the campaign groups claim are a number of indications that “suggest that a growing share of government business is done” via other private messaging platforms, such as WhatsApp and Signal.
https://publictechnology.net/articles/news/government-facing-legal-challenge-dcms-admits-use-automatically-deleting-messages

End-to-end encryption is a basic and essential security protocol. It means that your personal data – including family photographs, messages to friends and family, financial information, connected home devices, and education and homework – can all be kept safe from interception and misuse by governments, companies, and malicious actors. Indeed, over the course of the pandemic, end-to-end encryption is the single most important technical capability which has allowed us to work from home, educate our children, keep in touch with our families and friends, and keep the country running.
https://www.openrightsgroup.org/blog/mps-encryption-keeps-your-constituents-safe/

Winter January 21, 2022 12:30 AM

@ResearcherZero
““Signal – which has enhanced encryption measures and the option of auto-deletion – was adopted en masse by Conservative MPs following the party’s 2019 general election victory. ”

Has the lockdown not amply shown that there is one law for the hoi polloi and one for the hoi oligoi?

John January 21, 2022 5:10 AM

@Clive,

I too have a ham license and a communications analyzer. A fellow I knew told me he had fun in his youth creating various ‘fake’ messages!!

I can only imagine how disturbing it would be now to fake the now ‘encrypted’ messages!

Or inject or delete supposedly end-to-end secure Signal messages.

I guess that is what the various nation states are in fact doing with their fake and modified/amplified ‘news’ and their increasingly clever and invasive software!

As you often put it real security is non-trivial!

John

Clive Robinson January 21, 2022 2:58 PM

@ John,

I can only imagine how disturbing it would be now to fake the now ‘encrypted’ messages!

It is something “some” people desire so strongly it has a characteristic odor to it of fetid corruption.

If they cannot break the application encryption, the system, or a key holder, then their next best option is to commit an “end run” attack / abuse on the user’s device and get at the plaintext interface. Which is why they want to force their “Apps” onto chosen users’ devices.

As you say,

As you often put it real security is non-trivial!

It’s not trivial, nor is the seemingly endless social battle against political control, which is the chosen field of battle of the faux news merchants and their pay masters.

Oh and remember,

“Behind every good politician stands an endless queue of those who are not.”

ResearcherZero January 21, 2022 10:00 PM

What ever could possibly go wrong with a back door in products using E2EE to decloak child pornography?

Previously, the FBI has been known to have wielded a Firefox exploit to decloak child pornography suspects using Tor.

Security researchers have also scoured leaked Hacking Team source code for suspicious behavior. Among the findings, the embedding of references to child porn in code related to the Galileo.
https://arstechnica.com/information-technology/2015/07/massive-leak-reveals-hacking-teams-most-private-moments-in-messy-detail/

Reengineering showed that the original UEFI image, from firmware maker AMI, had been patched to add malware that was based on a malicious UEFI bootkit made by, and later stolen from, Hacking Team, the Italy-based exploit and implant seller that was spectacularly hacked in 2015.

Three of the four added modules were lifted directly from the stolen source code of the UEFI bootkit, which Hacking Team sold to governments—some from countries with poor human rights records such as Egypt, Saudi Arabia, and Russia. A fourth module—which served as the main bootkit component—was based on the one from Hacking Team but had been almost completely rewritten from scratch.
https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/

ResearcherZero January 22, 2022 5:19 AM

@Winter

“Has the lockdown not amply shown that there is one law for the hoi polloi and one for the hoi oligoi.”

Hypothetically speaking, bureaucracy dictates I answer no, I never saw anything like that, nothing existed, and judges were always very happy to comply with our requests. This would have meant that we always looked after our people very well, and no one was never left to a very cruel fate for purely political purposes.

I have great confidence that any deaths would have been worth the intelligence, and that intelligence would not have been ignored in vain or glory, whilst avoiding shame or embarrassment. Filing complaints and long drawn out legal proceedings were therefore never required, or accompanied by copious amounts of violent and persistent retribution.

You can tell that is true by the authentic smile on my face, only encouraged by the daily 40C temperatures. I’m also very encouraged by the bureaucracy at CIA and their courage to speak up. Impressive stuff!

Winter January 22, 2022 6:19 AM

@ResearcherZero
“I have great confidence that any deaths would have been worth the intelligence, and that intelligence would not have been ignored in vain or glory, whilst avoiding shame or embarrassment. ”

My original post referred to the fact that Johnson et al. flouted every Lockdown law.

But wrt to your comment, today there is a long interview with the head of Fox-IT, the Dutch cyber security firm. She asks the question why our intelligence service, that is a veritable army, does not protect us against cyber attacks? A good question.

In Dutch
ht-tps://www.volkskrant.nl/nieuws-achtergrond/waarom-hackt-de-politie-ransomwarebendes-niet-helemaal-de-tering~b7671d0a/

“I expect that if you have an army like the AIVD, you have a greater significance in the fight against ransomware. Together with the MIVD and NCTV, the AIVD has presented this as a threat to national security. Well what do you do then? The AIVD is also there to intervene. Why can’t I see that?’

Translated by Google

Ted January 22, 2022 8:23 AM

@AlanS

It’s almost comical that the UK’s data watchdog, the ICO, is giving the Home Office a little spanking over this. From your Guardian article, they say E2EE protects children, and businesses, and so on and so forth.

Some of the ways E2EE protects children, the ICO says, is by reducing their risk of blackmail and the risk of their photos and location being targeted.

They add that law enforcement has other safer methods at their disposal like infiltrating abuse rings, going through the reports of children targeted by abusers, and using evidence from convicted abusers.

Hopefully all this information disseminates into the mainstream. We all mostly like kids. Well most of us want them to be protected, right? And we all like our data to be safe too.

Clive Robinson January 22, 2022 8:34 AM

@ Winter, ALL,

She asks the question why our intelligence service, that is a veritable army, does not protect us against cyber attacks? A good question.

It is a good question, but not one people really want to know the answer to.

The long answer short is “It’s not their job”.

The long answer is,

Their job is to use whatever tools are available to them to collect intelligence for the “Government”, by way of a “National Security” argument that covers political, military, economic and social aspects, not just of other nations but of the nation’s own citizens.

But what are these “tools”? Normally they are covered by the expression “Methods and Sources”. Broadly meaning “technical” and “human” intelligence collecting.

Nearly all of these tools have two characteristics,

1, They only work when the opposition do not know about them.
2, They are all desirable to use in what ever way they can be.

Thus “secrecy” becomes a major objective, because some of those “tools”, like blackmail, torture and murder, are generally disapproved of by everyone in society, so things have to be kept unknown.

Hence a highly undesirable “Secrecy Culture” rapidly builds up and “over classification” becomes endemic.

This in turn allows all manner of sins to be hidden, and entirely worthless “pet theories” and the like to go on long, long after any rational overview would allow.

Arguably promotions, jobs, pensions and whole departments only exist to service something entirely worthless. But success is measured not in achievements being made but on resources being used…

Back in the early days of the Internet bubble, companies were often judged by their “burn rate”, that is just how fast they got through seed or venture capital without actually producing anything worthwhile (they are still around; have a look at the NYM project, for instance).

In fact it became important not to actually produce anything; that way there is nothing to disappoint potential new investors (suckers/marks if it were a long con…).

So they are always “moving forward” and results look promising, but no, you can not see them…

So if you were to see the results and make them public…

The argument is you would destroy and make useless entire “Methods and Sources” thus destroying their ability to gather intelligence.

If you challenge the quality or use of the intelligence, you will get told that it’s “raw” or some such which the “analysts” work on and you will have to speak to them, and so on.

In other words nobody has to show rational behaviour and accept that what they are doing is a failure and in all probability could never have worked… In other words,

Just keep throwing buckets of water at it, eventually they must stack up

Thinking…

There are other issues involved but they likewise can be explained from those two points…

Clive Robinson January 22, 2022 9:10 AM

@ Ted, AlanS, ALL

They [UK ICO] add that law enforcement has other safer methods at their disposal like infiltrating abuse rings, going through the reports of children targeted by abusers, and using evidence from convicted abusers.

Which are a subset of,

1, Know your client/customer.
2, Traffic Analysis.

For which you have no need of the “message data”.

It’s all about meta-meta-data and meta-data, all of which are apparent at your “perimeter” unless you take steps to hide them.

You will hear claims about “Mix Nets” and “Onion Routing”; well, whilst they can obfuscate some meta-data like the IP address of a packet’s destination, they cannot, as currently implemented, deal with say timing meta-meta-data.

You need as a minimum to also,

1, Not have a perimeter.
2, Store and forward.
3, Use constant data rates.

It’s not an easy thing to do but it can with a little thought be done, as I’ve mentioned in the past a few times.

It’s actually losing meta-meta-data and meta-data that scares the SigInt agencies. Law enforcement have to produce “court admissible evidence”, so meta-meta-data is definitely out currently, but some meta-data is admissible now, and more will become so over time.

But prosecutors don’t like even meta-data; they want message plaintext and physical evidence so it’s easy to explain to juries… The thing is, message plaintext is very much a double edged sword, as obtaining it is fraught with issues. So even Law Enforcement want to avoid it where they can and go for other evidence as a priority.

But what scares the lot of them is encryption that has “deniable plaintext” and requires one of the two communicating parties “to betray the other”… It is when you get down to it not as reliable as second hand gossip barked out by a dog or neighed by a horse in a circus show…

Thankfully for them most crypto does not have the “deniable plaintext” feature, in fact the opposite.
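The “deniable plaintext” property discussed in the comment above, as an added example that is not part of the original thread: with a one-time pad the intercepted ciphertext is consistent with any plaintext of the same length, so whoever is asked for the key can hand over a different key that decrypts to an innocuous message, and only a communicating party surrendering the real key pins anything down (even then the key alone proves nothing, because any key “fits”). The second half shows the opposite, which is what most deployed encryption does: once the ciphertext carries an authentication tag computed under the key, only the real key verifies, so a surrendered key proves the plaintext. The messages, the random key and the HMAC-over-ciphertext construction used as a stand-in for an authenticated scheme are all constructed for this demo.

```python
"""Deniable plaintext (one-time pad) versus committing ciphertext (pad + HMAC).

Added example, not from the original thread. Keys and messages are
constructed in-process; the HMAC-over-ciphertext scheme stands in for any
authenticated encryption whose tag depends on the key.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # SHA-256 HMAC tag size in bytes


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the message with a pad at least as long as the message."""
    assert len(key) >= len(plaintext), "a one-time pad must cover the whole message"
    return bytes(k ^ p for k, p in zip(key, plaintext))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def forge_otp_key(ciphertext: bytes, desired_plaintext: bytes) -> bytes:
    """The deniability move: derive the key that makes this ciphertext decrypt
    to whatever plaintext you would rather be seen to have sent."""
    assert len(desired_plaintext) == len(ciphertext), "cover story must match length"
    return bytes(c ^ d for c, d in zip(ciphertext, desired_plaintext))


def committing_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Same pad, but with an HMAC over the ciphertext under the same key.
    The tag binds ciphertext and key together, which removes deniability."""
    ct = otp_encrypt(key, plaintext)
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def committing_decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under key."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return otp_decrypt(key, ct)


def demo():
    """Returns (deniable, committed): both True when the demo behaves as claimed."""
    real_msg = b"meet at the usual place at nine"      # constructed, 31 bytes
    cover_msg = b"grandma needs her prescription!"     # constructed, 31 bytes
    assert len(real_msg) == len(cover_msg)
    key = os.urandom(len(real_msg))

    # Deniable: the intercepted ciphertext is consistent with both messages,
    # so producing fake_key tells a complete, verifiable, innocent story.
    ct = otp_encrypt(key, real_msg)
    fake_key = forge_otp_key(ct, cover_msg)
    deniable = (otp_decrypt(fake_key, ct) == cover_msg
                and otp_decrypt(key, ct) == real_msg)

    # Committing: the same forged key fails the tag check. Only the real key
    # verifies, so handing it over proves exactly what was said.
    blob = committing_encrypt(key, real_msg)
    fake_key2 = forge_otp_key(blob[:-TAG_LEN], cover_msg)
    committed = (committing_decrypt(fake_key2, blob) is None
                 and committing_decrypt(key, blob) == real_msg)
    return deniable, committed


if __name__ == "__main__":
    print("OTP deniable, HMAC-tagged committed:", demo())
```

The forged key works because a pad of the message’s length is a complete degree of freedom; the tag removes that freedom by tying the ciphertext to one particular key. That is the sense in which ordinary authenticated messaging is “the opposite” of deniable once a key is surrendered.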

Ted January 22, 2022 9:56 AM

@Clive, ALL

But prosecutors don’t like even meta-data they want message plaintext and physical evidence so it’s easy to explain to juries…

Good point. And also good point that obtaining plaintext is very much a double-edged sword. I wonder if a child could submit records of any plaintext communications they received.

Supposedly TikTok restricts access to some features based on a child’s age. For example: “Users under 13 can’t post videos or comment, and content is curated for a younger audience.”

It seems like kids could get around this, at their own peril perhaps. But it’s what things like electrical outlet plugs are for.

I don’t know how much each platform is willing to invest in these controls. Also parents probably take different levels of involvement in these things.

But I agree, it doesn’t seem like putting all the data on the laundry line, polka dot undies and all, is the best solution.

Winter January 22, 2022 11:37 AM

@Clive
“The long answer short is “It’s not their job”.”

That is like saying the army should not protect citizens against attacks by foreign armed forces: A very stupid response.

That they have a history of criminal behavior against their own people is no excuse for not using the taxpayer’s money to protect the same tax payers.

Clive Robinson January 22, 2022 1:13 PM

@ Winter,

That is like saying the army should not protect citizens against attacks by foreign armed forces: A very stupid response.

Err yes the example you give is…

Because it is the job of the army, airforce and navy to protect the nation and its citizens from not just foreign but domestic attackers alike, “in times of war”, and mostly that’s what they do. In the US the military are, by elected government wishes, not allowed to get involved with “policing” and thus they receive no training in it, hence many of the problems in the Middle East.

The SigInt agencies however are generally considered part of the “Intelligence Community” and are not tasked with any kind of defensive role against civilians, just a non physical offensive one against other nations national security interests. In many respects they are similar to investigative journalists.

Believe it or not, on balance the protection of civilians from cyber-criminals is primarily the job of the police and other law enforcement agencies, including customs and coast guard.

And surprise surprise, elected governments have chosen not to give law enforcement the resources to carry out that job, therefore it’s not getting done.

The argument you present is like saying the US airforce is there to find defects in all of Boeing’s and other US aerospace industries’ aircraft…

Last time I looked the US had a Federal Agency specifically for that… but by elected government wishes they gutted that agency and gave the job to industry to manage itself, and oh look, aircraft started dropping out of the sky…

SpaceLifeForm January 22, 2022 5:00 PM

@ Clive, ALL

Re: 429 errors

I have seen this 429 error even though I had not even pulled up this site in nearly 12 hours.

Next time you encounter this, clear your browser cache, reload page, try again, and see if the behaviour changes.

My hunch is yes, it will work-around the problem.

SpaceLifeForm January 22, 2022 6:43 PM

@ Clive, Ted, AlanS, ALL

There is a 4th item that must be added to the list

If not done, heavy duty traffic analysis will defeat the objective. Think DPI even if the interloper can not break the encryption.

1, Not have a perimeter.
2, Store and forward.
3, Use constant data rates.

4, The traffic must contain garbage.

There must be garbage sent and garbage received.

One persons garbage is another persons treasure.

The garbage treasure must be distributed.

It must be broadcast.
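The timing meta-meta-data point and the four-item list above (store and forward, constant data rates, garbage traffic), as an added example that is not part of the original thread and not anyone’s product: a small synthetic simulation of an observer who sees traffic entering and leaving a relay and tries to link each ingress flow to its egress flow by correlating packet-timing histograms. Bursty chat-like flows link almost perfectly even though the observer never reads a byte of payload; the same real messages carried on a constant-rate link padded with dummy packets, and re-clocked by a store-and-forward relay, give the observer nothing to correlate. The flow shapes, relay delay, jitter, link rate and bin width are all assumed parameters chosen for the demo; item 1 of the list (having no perimeter) is not modelled.

```python
"""Timing-correlation traffic analysis: bursty flows vs constant-rate cover traffic.

Added example, not from the original thread. Every flow, delay and timing
below is synthetic and generated in-process; the numeric parameters are
assumptions for the demo, not measurements of any real network.
"""
import random

DURATION = 600.0      # observation window, seconds
BIN = 10.0            # histogram bin width, seconds
RELAY_DELAY = 8.0     # assumed store-and-forward latency, seconds
JITTER = 1.5          # assumed per-packet latency variation, seconds
COVER_RATE_HZ = 1.0   # assumed constant link rate: one packet per second


def bursty_flow(rng, duration=DURATION):
    """Synthetic chat-like sender: idle gaps (mean 40 s), then a short burst."""
    t, times = 0.0, []
    while t < duration:
        t += rng.expovariate(1 / 40.0)
        for _ in range(rng.randint(3, 12)):
            t += rng.expovariate(1 / 0.8)
            if t < duration:
                times.append(t)
    return times


def constant_schedule(rate_hz=COVER_RATE_HZ, duration=DURATION):
    """Fixed transmission slots of a constant-rate link."""
    step = 1.0 / rate_hz
    return [i * step for i in range(int(duration * rate_hz))]


def pad_to_constant_rate(real_times, rate_hz=COVER_RATE_HZ, duration=DURATION):
    """Carry real packets on a constant-rate link; empty slots carry dummies.

    Returns (observable_times, dummy_slots). Each real packet waits for the
    next free slot; the observer sees only the slot schedule and cannot tell
    a dummy from a real packet (same size, both encrypted)."""
    slots = constant_schedule(rate_hz, duration)
    queue = sorted(real_times)
    dummy_slots = 0
    for slot in slots:
        if queue and queue[0] <= slot:
            queue.pop(0)          # a queued real packet fills this slot
        else:
            dummy_slots += 1      # nothing queued: send garbage instead
    return slots, dummy_slots


def relay_egress(times, rng, padded):
    """What the observer sees leaving the relay."""
    if padded:
        # Store-and-forward onto the relay's own constant-rate output clock.
        return constant_schedule()
    return [t + RELAY_DELAY + rng.uniform(0, JITTER) for t in times]


def histogram(times, duration=DURATION, width=BIN):
    """Packets per bin inside the observation window (others are dropped)."""
    counts = [0] * int(duration / width)
    for t in times:
        if 0 <= t < duration:
            counts[int(t // width)] += 1
    return counts


def pearson(a, b):
    """Pearson correlation; 0.0 when a series is flat (no timing signal)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va * vb) ** 0.5


def match_score(ingress, egress, max_lag=3):
    """Attacker's score: best correlation over a few bin lags, since the
    relay delay shifts the egress pattern by an unknown small amount."""
    return max(pearson(ingress[:len(ingress) - lag], egress[lag:])
               for lag in range(max_lag + 1))


def link_accuracy(ingress_hists, egress_hists):
    """Fraction of ingress flows unambiguously linked to their own egress
    flow (egress i belongs to ingress i); ties or all-zero scores count as misses."""
    correct = 0
    for i, ing in enumerate(ingress_hists):
        scores = [match_score(ing, eg) for eg in egress_hists]
        best = max(scores)
        if best > 0 and scores.count(best) == 1 and scores.index(best) == i:
            correct += 1
    return correct / len(ingress_hists)


def experiment(n_users=8, padded=False, seed=7):
    """Run the observer against n_users flows; returns linking accuracy."""
    rng = random.Random(seed)
    real = [bursty_flow(rng) for _ in range(n_users)]
    sends = [pad_to_constant_rate(r)[0] for r in real] if padded else real
    ingress = [histogram(s) for s in sends]
    egress = [histogram(relay_egress(s, rng, padded)) for s in sends]
    return link_accuracy(ingress, egress)


if __name__ == "__main__":
    print("plain relayed flows linked:", experiment(padded=False))
    print("constant-rate + garbage linked:", experiment(padded=True))
```

The cost is visible in `pad_to_constant_rate`: real packets wait for the next slot, so latency goes up, and most slots carry dummies, so bandwidth is spent on garbage even when nobody is talking. That trade is why the feature is rare in deployed messengers, and why the observer’s timing channel is usually still open.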

ResearcherZero January 23, 2022 10:19 PM

@ALL

Signals and intelligence have no arrest powers.

We could always establish some kind of secret police, but do you really want police who are protected by national security laws? The quantities of caustic soda required would be enormous. Guys in black suits digging holes everywhere, screams coming from fenced-off buildings, loud opera music playing from loudspeakers, no pliers at the hardware store, a rapid decline in Socialist and Conservative club members, vanishing magistrates and lawyers…
