Readit News
cs02rm0 · 7 years ago
This is presumably a response to the increase in encryption post-Snowden. In which case, it's a good thing from one angle at least - it suggests that moves to encrypt everywhere are frustrating bulk intercept.
mtgx · 7 years ago
It's not like GCHQ wasn't hacking networks before. The law just says they need to disclose it now, so they use the encryption as an "excuse" to do it, while also making encryption look bad (something we ought to get rid of).

https://www.theguardian.com/uk-news/2018/sep/21/british-spie...

candiodari · 7 years ago
No, it states the reason in the article:

> UK spies are planning to increase their use of bulk equipment interference, as the range of encrypted hardware and software applications they can't tap into increases.

So past communication methods came with built-in backdoors for UK spies (and, as it turns out, around 32 other EU agencies). These backdoors are becoming useless for them, and so they seek to force everyone else into providing backdoors for them again.

mike_hearn · 7 years ago
I'm not sure why you interpret it that way. Nobody has found built-in backdoors for UK spies, and where did you get the "32 other agencies" from?

This shift was predicted long in advance and is clearly a response to the increasingly saturation-level usage of SSL. GCHQ and NSA have for decades been oriented primarily around bulk interception of unencrypted radio and fibre traffic, see:

http://www.lamont.me.uk/capenhurst/original.html

But what happens when nearly all traffic becomes encrypted? Then they must become ever more reliant on hacking the endpoints, to get at data before the encryption is applied.

What's happening is easily explainable without needing to refer to apparently non-existent back doors. The closest thing to that was the EC-DRB algorithm, but nobody ever used that except RSA Inc who got paid to use it, because their back doored algorithm sucked and the back door was spotted very quickly. I doubt it ever had much operational impact.

hkt · 7 years ago
It'd be lovely if the security services acted to make the general population more secure instead of less.
kmlx · 7 years ago
"Police foil seven terror attacks in London in just six months"

https://www.standard.co.uk/news/london/police-foil-seven-ter...

fromthestart · 7 years ago
I'd be extremely wary of such reports coming from the government. I don't know about other sources but that article provides absolutely no additional information beyond the claim. And I imagine this kind of information is nearly impossible to verify, which they may be betting on.

In short, given the current state of media and government, it wouldn't surprise me if this were just propaganda.

chmod775 · 7 years ago
Reminds me of when Obama claimed upwards of 50 attacks have been foiled by bulk data collection programs. However, other officials said that the NSA was unable to provide substantial evidence that even a single one was foiled[1].

[1] https://www.nbcnews.com/news/world/nsa-program-stopped-no-te...

deogeo · 7 years ago
Using the hacking powers mentioned here?

And I bet they could foil even more crimes if everyone had to wear an ankle monitor. Does that make it a good idea?

If I seem aggressive, it's not intentional - your post only highlighted relevant data, which is always commendable.

manicdee · 7 years ago
(Out of nine bait-and-sting operations planned)
cyphunk · 7 years ago
eventually this (e2e encryption everywhere) will happen once governments realize their security and secrecy depends on the security of consumer technology and to protect the public is to protect themselves.
ben_w · 7 years ago
You’re more optimistic than me. I see it like Brexit: they demand all the advantages and none of the disadvantages and angrily dismiss anyone who tells them it’s an impossible combination.
capdeck · 7 years ago
When technical means will stop working they will issue the laws that make e2e devices without backdoors illegal or not easily obtainable. Not completely apples-to-apples comparison, but look at all the iPhones and Androids where you can't have root and can't load another OS, can't side load apps in Apple's case. In China you already have to have an app on your phone mandated by government at all times. And if you opt to have a "freedom phone" -- your life will become quite inconvenient (with some services impossible to get). TL;DR: even if e2e everywhere happens, it means nothing if you have to have a mandatory app on your phone.
ionised · 7 years ago
That's not why they exist.

They exist to protect and maintain the status quo for those that benefit from it.

eponeponepon · 7 years ago
There are two ends to the true picture here - they do exist to protect and maintain the status quo as you say, but the underpinning (largely unspoken) assumption is that the general public, as the GP hopes, are among the set of 'those that benefit', on the basis that the continued existence and flourishing of the state is beneficial to the public.

That's the theory. In practice, of course, the truth has been weighted more to one side or the other at different times and in different places.

Nasrudith · 7 years ago
Well they sure are doing a shit job then - if they were smart they would realize they have the most to lose from weak crypto.

But there will always be sociopaths who would rather be dictator of a pathetic state of starving and poor people rather than president of a prosperous.

hkt · 7 years ago
True.
floatingatoll · 7 years ago
“GCHQ’s planned use of the Investigatory Powers Act 2016 Bulk Equipment Interference Regime”

https://assets.publishing.service.gov.uk/government/uploads/...

(PDF)

baybal2 · 7 years ago
Interesting dilemma there: gazillions of routers with worst possible security vulnerabilities are lying in the open for everybody to exploit.

Either you have them flopped yourself, or leave it to the enemy.

But in any way, the West has more urgent issues than Chinese popping their routers, namely the issue of their own spy agencies running rampant.

SmellyGeekBoy · 7 years ago
I'm not so sure, I think I'd rather be spied on by my own country.
leibwiht · 7 years ago
That's very silly. Between all of the people capable of spying on you, it's exactly your own country that has the most ability to harm you. The Chinese government can't arrest you if you're not in China, but your government can.
raxxorrax · 7 years ago
Not sensible because your own country has jurisdiction over you and therefore more relevance. This is why I recommend Russian proxies for a western audience. I doubt the Russian government will trade data with domestic agencies.
setquk · 7 years ago
I’m not overly bothered about this. Their access vectors are more likely to get noticed in bulk and patched so the entire idea is self defeating in the long run. Which is beneficial for all of us.
Xylakant · 7 years ago
Given that many many many devices are not patched despite known vulnerabilities, I'd not be overly optimistic about this. Vendors do not provide patches for devices, vendors go out of business, users don't patch even when patches are available. This affects everything, routers, phones, IP cameras, you name it.

I'd rather expect that the access vectors get noticed and applied by criminals en masse.

anilakar · 7 years ago
Ah, the horrors of lifecycle management of consumer devices.

Every networked product should come with a legally binding A4/letter-sized sheet that clearly shows the last date the product is guaranteed to receive security patches. Not fulfilling the requirements would have to result in a buyback with the sum directly proportional to whatever time of the promised lifetime is left unused.

EU countries already have rather strict consumer protection laws but they really haven't been designed for situations where a hardware product can be rendered unusable by insecure software.

mirimir · 7 years ago
Sure, but the key point is that the access vectors will get noticed, and publicized. And people who pay attention and care (including many criminals) will protect themselves.
TomMarius · 7 years ago
Eh, how does that make it OK in any way?
setquk · 7 years ago
It doesn’t make it ok but it makes it self defeating.

We can’t win the ok battle any more as no one up top gives a shit clearly.

sbhn · 7 years ago
Your data, someone else's money; and in this case, the money for those who can convince you the most that you are in imminent danger and that's why they need so much more money and media attention and fear mongering government support
kmlx · 7 years ago
fear mongering "government is out to get us" vs fear mongering "the terrorists are out to get us". none are true, but fear sells nonetheless.
sbhn · 7 years ago
The UK gov now appears to resemble a media organisation whose main purpose is to broadcast the message of fear. The amount of money that passes in and out of the UK gov and to all the industry security contractors that manage that amplified and antagonised anxiety can probably now be directly related to how much fear it can generate amongst its own citizens that they are under immediate danger of being attacked
retrogradeorbit · 7 years ago
Statistically speaking (tally up the dead for example) the biggest threat people face in their lives is not from any terrorist or criminal, but from their own government.
vectorEQ · 7 years ago
it's maybe interesting to read up on what these kinds of intelligence services amounted to before the internet and what they generally did. then you can translate these activities to the digital age and see very easily what they do and don't do.

even in the first episode of cryptolog (nsa) they state that collectors 'might chose or not chose what rules to adhere to to complete their collection job'. so there's rules not to do things and people with choices (like everywhere in life) and these choices aren't aligning to these rules. like always, a channel for plausible deniability and if the shit hits the fan a scapegoat is chosen to mitigate any damages if public eye caught something suspicious. plain and simple how the intelligence agencies work in whatever context.

Quarrelsome · 7 years ago
Isn't this the thing that was added that lets police and intelligence agencies hack other machines legally? I thought that was the only decent part of the bill as most of those attacks become narrow and direct in contrast to the problematic broad information gathering the legislation also authorised.