Tuesday 10 September 2013

Edward Snowden – déjà vu all over again

Come to think of it, this debate about the security services having cracked all our codes is not entirely new.

For what it's worth, back in August 2010, on the No2ID forum, we were discussing the latest revelations about BlackBerry mobile phones. Someone posted the following extracts from a Nic Fildes article in the Times newspaper, BlackBerry ‘near deal to open messages to Saudis’. The debate remains relevant three years later:

The makers of BlackBerry mobile phones appear to have backed down in the face of demands from Saudi Arabia to allow the state to monitor messages sent on its devices ...

The Saudi-backed television station Al-Arabiya quoted unnamed sources as saying RIM [Research In Motion, the people behind the BlackBerry] had agreed in principle to grant the Saudi authorities access to its messages.

Bandar al-Mohammed, of the Saudi Communications and Information Technology Commission, said RIM had expressed its “intention…to place a server inside Saudi Arabia”, allowing the kingdom to inspect communications and data exchanged between BlackBerry handsets ...

The United Arab Emirates intends to ban BlackBerry e-mail, messaging and web browsing on October 11 ...

The company then issued a statement on Thursday denying that it had already allowed some governments access to BlackBerry data.

The US and Canadian governments have also offered to hold talks with countries concerned about the security implications of BlackBerry usage.

Not just Saudi Arabia, but the UAE, too, and India and Indonesia and France – it seemed as if no country would allow people to use BlackBerrys until its security services had found out how to listen in. There are obvious implications for industrial and other espionage.

Then Justin found a Babbage article in the Economist magazine, Spies, secrets and smart-phones, and someone posted this, adding a reference to Sir Richard Dearlove, the former head of MI6 ...

From the Economist article usefully brought to our attention by Justin:
A security pundit interviewed on BBC television's "Newsnight" a few days ago speculated that the American authorities are only pretending when they claim they still can't tap into Skype calls. This was then put to Lord West, a former British security minister. His response was fascinating:
When I come on a programme like this I'm always very nervous, ‘cos I know so much. And also people…don’t necessarily always tell the truth. That sounds an awful thing to say but do you want anyone to know that you can get into very high-encrypted stuff? No, you can say "we don’t, we can’t do it".
He then went on to say how "mind-boggling" are the capabilities of America's National Security Agency and its British counterpart, GCHQ. To this blogger, that sounded like: "Yes of course we can hack Skype calls and all the rest, but we have to pretend we can't".
Lord West is not the only one playing this game. At 9.30 a.m. on Saturday 26 September 2009 Sir Richard Dearlove lectured several hundred of us on the security risks the world faces and the international response [p.15]. At one point he said that there are many good encryption systems available but maybe "we" have cracked them. (I paraphrase.) (Andrew Watson turned out to be at the lecture, too – Andrew, can you confirm this is at least roughly right?)

Let's take it, from Sir Richard's lecture and Lord West's appearance on Newsnight, that the commonly available encryption systems are a busted flush. So what?

The implications are legion.

One of them is that part of the case for long periods of detention without charge [remember Admiral Lord West, the once court-martialled and then reinstated "simple sailor"] collapses. That case is based on the large number of computer files that often have to be checked for evidence and on the difficulty of deciphering them. If that difficulty doesn't exist, ... etc.

... followed by wise words from Andrew Watson:
I have to admit that I don't remember what he said on that topic - having lived through all the fuss surrounding PGP export from the USA in the 90s [see Phil Zimmermann, Why I wrote PGP, pp.227-31], I'm afraid I tend to tune-out speculation about whether the NSA can or cannot read any particular form of encryption. I agree that there doesn't seem to be any publicly-available hard data on this point, and one can spend a lifetime speculating about the possibilities for bluff, double-bluff, triple-bluff etc by those who may know but aren't telling.

Here's the one bit of hard data I have seen recently -

http://www.theregister.co.uk/2010/06/28 ... _lock_out/

... but again, one could speculate that the NSA could break this crypto if they wanted to, but choose not to release this information to the FBI for fear of revealing the secret (etc, etc).

That ElReg article referred to by Andrew, Brazilian banker's crypto baffles FBI, is all about TrueCrypt, the open source encryption facility which was exercising Mydex the other day, "Waaaaat? A backdoor is available for truecrypt too?".

Mydex, and the rest of us – we're all exercised by the Edward Snowden revelations that began on 6 June 2013.

In the atmosphere of "bluff, double-bluff, triple-bluff etc" we're not going to get any sensible answers.

So here's a flippant point.

England staged its revolution over a century before the Americans and the French got round to holding theirs. Edward Snowden was beaten to it by Sir Richard and Lord West by three or four years. Late again!
