Pakistan Tries To Ban Encryption
An anonymous reader writes "Pakistan has a new Telecoms Law going into effect, which requires widespread monitoring of internet usage. In response, new reports are saying that the country is banning encryption, including VPNs, because it would interfere with the ability of ISPs to monitor internet usage."
Cool! (Score:5, Insightful)
...now I just have to get hold of a few Pakistani bank IP addys, set up some sort of listener, and...
Oh, you thought SSL would still be around after this little law gets into effect?
(obviously I'm kidding, at least about wanting to do any such thing. OTOH, there are quite a few folks who probably wouldn't be kidding at all).
Re: (Score:2)
...now I just have to get hold of a few Pakistani bank IP addys, set up some sort of listener, and...
Why bother, when you can simply talk to a few people at the bank's ISP, exchange a bit of something under the table, and get a list of all the banks' customers' account numbers, PINs and login info.
That's much simpler than setting up your own listener. And the new law will require the ISP to collect such information, so they might as well productize it.
Re: (Score:2)
This is just stupid. For many reasons.
Banning VPN's? Sure they encrypt traffic, but they also serve a very useful purpose. They bridge networks.
Sounds like the people that set up MPLS (The ISPs) in Pakistan are out looking at expensive toys they are going to buy. Only corps will be able to afford to bridge networks now because those will be the only state sanctioned bridges.
Re: (Score:2)
Re: (Score:2)
I think that really depends on the firmware and software. Most developers assume you are going to use encryption so that option 'none' does not appear anywhere.
Personally, I have never seen a VPN set up that allowed to specify no encryption in the proposals. Maybe you could do it with open source and set up an encryptionless tunnel.
Technically you are probably correct, but pragmatically, I don't think it matters.
Re: (Score:2)
What about GRE, IP-in-IP/IP6-in-IP, and tunnel mode AH for IPSec? These are all common tunneling mechanisms that do not use encryption, though as you said, they'd have to be supported in the software. I'm prepared to be wrong on this as I don't work with small business equipment, but I would imagine the lowest end boxes that will provide an IPSec VPN will let you do an AH-only tunnel.
Interestingly, some open source IPSec implementations will even allow "encryptionless" ESP tunnels, using "null" ciphers for
Re: (Score:2)
Since I have worked on the low end boxes for years, and some higher end stuff, I can tell you they don't allow AH-only tunnels.
I am not surprised that open source IPSec implementations could do it, and I mentioned that they probably could, but not everybody is going to shell out $500-$600 bucks to create their own routers for both sides.
If the majority of the hardware does not support it, then making the rule is not very wise. You mention IPv6 too, which is still not largely supported by the majority of ro
Re: (Score:2)
I am not surprised that open source IPSec implementations could do it, and I mentioned that they probably could, but not everybody is going to shell out $500-$600 bucks to create their own routers for both sides.
Option 1 - 2 routers running OpenWRT and OpenVPN can be had for $100... Complete with a web-interface, but will probably need the user to follow a step by step howto on setting up the tunnel...
Option 2 - Get a couple of old computers (even a 486 could probably handle this..) ... say ~$50 each.. Install PFSense and then just use the webgui and setup a GRE or OpenVPN-tunnel...
Option 3 - I know MikroTik RouterBoard supports GRE and they can be had for around $50 as a starting-point... never used them myself so
Re: (Score:2)
First off, I would just like to say.... Slashdot will you fix your crappy ass shit in Chrome!!! Dear sweet tiny baby jesus....
Secondly, Cisco is some high end equipment. I have worked with Sonicwalls and some others and I just checked a couple different models and they don't allow encryptionless tunnels.
Never touched a Cisco yet, but since VPN is used by business quite a bit, I think you have a point if it allows it. Of course, the other business considerations of a VPN tunnel that does not make the data
Re: (Score:2)
Eh? You don't need encryption for a VPN either.
Re: (Score:2)
This is just stupid. For many reasons.
Banning VPN's? Sure they encrypt traffic, but they also serve a very useful purpose. They bridge networks.
Uhm..., One can bridge networks without that encryption layer, dude. Never bothered to do it across the public Internet, for obvious reasons, but just sayin'.
Then again, with the way the idiots in Congress (I'm looking at you, Tea Baggers) [cnet.com] are going, I might need to make plans for that. Apparently, some in our own government feel that they too should know everything that their subjects..., er..., citizens are doing.
Re: (Score:2)
Re: (Score:2)
Um what makes you think you can do VPN in clear text? I guess the "Private" part of VPN would not really apply but you could bridge networks just fine over the Internet using GRE for instance.
Re: (Score:3)
Why bother, when you can simply talk to a few people at the bank's ISP, exchange a bit of something under the table, and get a list of all the banks' customers' account numbers, PINs and login info.
After some careful analysis, I've determined you could make off with tens of dollars by hacking the average Pakistani's bank account. It would be more lucrative and less effort to trick dumb and greedy Americans into Nigerian money laundering scams.
http://www.einfopedia.com/per-capita-income-of-pakistan.php [einfopedia.com]
Not here though (Score:2)
Well of course the US would never introduce mandatory data logging and retention https://www.eff.org/deeplinks/2011/07/house-committee-approves-bill-mandating-internet [eff.org]
Re: (Score:2)
These are probably the same people who thought skipjack was a good idea.
Re: (Score:2)
Oh, you thought SSL would still be around after this little law gets into effect?
I, for one, welcome the arrival of our new Telnet Overlords.
Re: (Score:2)
They will make a fork of OpenSSL called OpenSL
Re: (Score:3)
It also means that every single password for every single system in India will have to be plaintext.
What does India have to do with this?
Re: (Score:2)
ok guys, seriously (Score:3)
Re: (Score:3)
I'm just wondering how the hell they're going to be able to tell images with steganographic messages from the ordinary variety.
(the more I think about this, the more I'm forced to conclude that the Pakistani government isn't really thinking this thing through...)
Re: (Score:2)
Sure they are. They're interested in low-hanging fruit, and this will catch a whole lot of it.
Re: (Score:2)
and it's going to nicely suck development money back to western countries. you know, to those houses selling them this bullshit surveillance sw.
Re: (Score:2)
As I follow it through, it seems to be consistent with the ongoing push (in some parts of the world) to de-anonymise (is that a word?) the Internet. And that's a whole debate in its own r
Re: (Score:2)
Most people simply want to be left alone. Making them feel threatened posting shit on discussion boards or downloading porn or games - or even browsing Wikipedia - is a sure way of turning someone who doesn't care about the government one way or another into someone who actively hates it. Consequently, this will actually make any subversive actions easier, since it increases the pool of people willing to go out of th
Re: (Score:2)
Very easy. If you're suspected, for whatever reason, of using steganography, they will employ thermorectal cryptoanalysis to determine whether any encryption was in fact involved. I hear the success rate of that method easily exceeds 100%.
Re: (Score:2)
>>no more secrets. at all. this time I mean it. now go back to putting your secrets on the internet, in plain text!
I can't wait until we all move back to using telnet.
I had some great fun with that in computer labs, back in the day.
Re: (Score:2)
Re: (Score:2)
There are so many other things that must appear to be more or less randomized data, how are they going to determine when someone is using encryption?
Using data compression will obscure plaintext, either on the fly compression or putting it into a zip or rar archive. And what about those people torrenting a game? Both the executables and data will not be nice readable textfiles, added to which the various chunks of the torrent may be received out of order.
All HTTPS data is already encrypted - is this goi
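The point raised in the comment above, that compressed data looks as random as ciphertext to a monitor, shown as an added example that is not part of the original thread. The 7.5 bits-per-byte threshold, the word list and the toy keystream cipher (a stand-in for real ciphertext) are assumptions constructed for the illustration.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

THRESHOLD = 7.5  # bits per byte; assumed cut-off for a naive "looks encrypted" rule


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_stream_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for real ciphertext: XOR with a SHA-256 counter keystream.
    Illustrative only; it is not a vetted cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def constructed_plaintext(words_out: int = 40_000) -> bytes:
    """Constructed sample: pseudo-English drawn from a fixed word list."""
    words = ("the bank login packet tunnel router traffic monitor law "
             "network user data stream video game torrent archive").split()
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    return " ".join(rng.choice(words) for _ in range(words_out)).encode()


def classify(data: bytes, window: int = 4096) -> str:
    """Naive monitor rule: flag a stream if most windows exceed THRESHOLD."""
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    high = sum(shannon_entropy(w) > THRESHOLD for w in windows)
    return "flagged" if high > len(windows) / 2 else "clear"


def survey() -> dict:
    """Return {label: (entropy, verdict)} for the three constructed streams."""
    plain = constructed_plaintext()
    streams = {
        "plaintext": plain,
        "compressed": zlib.compress(plain, 9),            # no key, no secret
        "encrypted": toy_stream_cipher(plain, b"demo-key"),
    }
    return {name: (round(shannon_entropy(d), 2), classify(d))
            for name, d in streams.items()}


if __name__ == "__main__":
    for name, (bits, verdict) in survey().items():
        print(f"{name:10s} {bits:5.2f} bits/byte  {verdict}")
```

The compressed stream is flagged alongside the encrypted one, so an entropy rule alone cannot separate an ordinary zip or torrent transfer from ciphertext.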
What it comes down to (Score:5, Insightful)
The particulars may vary, but the essence is that you try to forbid people to have secrets from you.
Once you see it in this light, the paradoxical futility becomes clear.
Re: (Score:2)
You don't have to forbid people from having secrets if you take away any tools that allow them to share those secrets.
Oh, you can still think whatever you want about the corrupt government, you just can't tell anyone else about it without exposing yourself to imprisonment and torture.
That approach has actually been pretty effective. Remem
Re: (Score:2)
Good plan... (Score:2)
Re: (Score:2)
The FCC bans encryption over amateur radio frequencies and it's worked out fine. Of course, the FCC also bans commercial traffic over said frequencies, so any argument about "online commerce" is moot in that scenario.
Re: (Score:2)
Re: (Score:3)
It has worked, in a way (Score:2)
Outlawing prostitution has worked, if your goal was to have a reason to arrest prostitutes....
Re: (Score:2)
It should be noted that prostitution hasn't been outlawed over most of the last several thousand years.
Nor has it been outlawed in many places, even when it was being outlawed.
Fact of the matter is, even nominally Christian countries haven't made much effort to suppress the Oldest Profession until the last few centuries, and not universally even then.
Re: (Score:3)
France (Score:2)
Didn't France ban encryption at least on some strengths years ago? I'm not too familiar with what happened after that, and a quick Googling is just bringing up old hits from when the ban was enacted. Anybody care to fill in the reality of what happens in such a case?
Re: (Score:2)
The data on the law must have been encrypted...
Re: (Score:2)
Didn't France ban encryption at least on some strengths years ago? I'm not too familiar with what happened after that, and a quick Googling is just bringing up old hits from when the ban was enacted.
Back in the early 1990s, I believed that useful encryption would eventually be outlawed everywhere. The legal troubles of Phil Zimmermann and PGP didn't look promising. The US export ban on encryption, US and non-US versions of software ...
What happened then I suppose was that encryption became a vital part of the infrastructure of the internet, so it couldn't easily get banned.
with technology like that..... (Score:3)
Steganography (Score:2)
It will be repealed .. (Score:2)
Right after hundreds of top secret governments docs are leaked.
Lack of technical acumen (Score:3)
...and I thought the US government was clueless.
Re: (Score:2)
Which is why the lobbyists are there ... to stand in with clues.
What they mean is ... (Score:2)
By "interfere with the ability of ISPs to monitor internet usage", presumably they mean collecting all their customers' account numbers, PINs, login ids, passwords, etc.
The major effect of banning encryption would be to make electronic commerce impossible. If anyone along the data path can intercept your names, numbers, and passwords, then people will learn very quickly that the Internet simply can't be used for anything that involves a transfer of money.
Re: (Score:2)
Which might serve their purpose nicely. It's certainly a clever way to do a "buy local" law without imposing tariffs...
Before you start blasting Pakistan.... (Score:2)
Re: (Score:2)
Yah, and how did that work out?
Re: (Score:2)
Triple DES can be cracked by anyone with a sufficiently fast computer (even faster if you have special custom made chips for it) and should be avoided for anything unless you have to talk to something that's already using triple DES.
These days the best choice is a well tested open implementation of AES that has been peer-reviewed. And then you ideally review it yourself for back-doors.
Short of bugs in the encryption code that make it weak, 256 bit AES is as good as unbreakable with today's technology (I bet
Re: (Score:2)
That's the original (single) DES; Triple DES is still not feasible to crack.
Say goodbye to any big business in Pakistan (Score:2)
And US government contractors may also have to stop being able to do some work there as well.
Is stupid! (Score:2)
In Ruritania we had better policy. We banned decryption.
You could encrypt as you like.
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Since all data can be represented in binary, two rocks is all you need. The donkey can then serve as the transport layer. The connection can be encrypted by picking up more rocks on the way.
Re: (Score:2)
the password is "password" (Score:2)
Re: (Score:2)
Re: (Score:2)
You need the stand alone program either way to generate your own keys; plugins for firefox and most common email clients just simplify using the keys.
But the originator of the message has to have used *your* public key to encrypt the message for *you* to be able to decrypt it. The post by ZankerH will only be readable by whichever person generated the public key s/he used to encrypt it.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Nice opportunity for Indian Nationalists (Score:2, Insightful)
I hope they make good use of it.
As Pakistan turns into Talibanistan it will become a massive threat to the region.
Re: (Score:2)
Nice opportunity? The more that cursed country spirals into oblivion with its nuclear weapons and US sponsored military hardware and hardline jihad ideology the worse it is for India. It's in everyone's interest that Pakistan improves rather than deteriorates further and hopefully stops its Indian fixation.
A nice read here if you are interested:
http://online.wsj.com/article/SB10001424052702304911104576445862242908294.html [wsj.com]
Re: (Score:2)
Interesting, insightful, informative.
Like Banning Suicide (Score:2)
And for all you know India might be next .... (Score:2)
Re: (Score:2)
Well banning automobiles would be a solution to hit-and-run accidents. You'd significantly reduce them after all.
Whereas banning VPN will do exactly nothing to stop terrorists from blowing shit up.
Re: (Score:2)
Well banning automobiles would be a solution to hit-and-run accidents. You'd significantly reduce them after all.
No, it won't. Not a single soul will respect the ban.
Re: (Score:2)
Of course they would. Gas stations are now illegal. Possession of gasoline is a jailable offence. Possession of an automobile is a jailable offence. Driving an automobile is a shoot on sight offence. All the roads have been ripped up and replaced with parks surrounded by solid steel poles or by brick/concrete apartment blocks.
Most people will respect the ban.
Been to Venice? See many people not respecting the ban on cars?
Good for the USA (Score:2)
Re: (Score:3)
Buahahahahahahaaaaaaaaaaaaa.
Re: (Score:2)
Zero outsourcing jobs moving to Pakistan (Score:5, Insightful)
Wow, way to make sure your country can never have any outsourcing jobs. No business with a clue would ever set up operations in a country where all traffic has to be open to corporate espionage.
They're going to be in the technological dark ages forever if this persists, vs. following India into the cheap outsourcing market.
Re: (Score:2)
Re: (Score:2)
I'm sure one might have said the same about India 15 years ago as well. Remember, both were originally one country, until the British empire split the two and later three.
https://secure.wikimedia.org/wikipedia/en/wiki/Partition_of_India [wikimedia.org]
It's not encrypted (Score:2)
Foreign Agents, Attack! (Score:2)
Isn't this one of those countries that's supposedly afraid of foreign agents infiltrating their country and attacking their citizens? At least, that's the excuse totalitarian regimes always use for imprisoning and torturing their own citizens. I'd say this is a call for some actual foreign assailants to launch an attack on Pakistan. All internet traffic is unencrypted. Let's steal some government accounts and passwords. Let's read the government's emails. Let's hack into their public utilities and make 'em
Let's define encryption, shall we? (Score:2)
What's "encrypted traffic"? Did they define that too? Like, say, "every traffic we can't instantly read"? Then say sayonara to online gaming as well, twice so if it's a MMO which by default encrypts traffic to make cheating and botting harder. And pretty much any traffic that's not following one of the well known protocols, which also means no "nonstandard" remote control software, no file transfer, no streaming, no ... you get the picture.
Talking about streaming, how do you plan to sell streamed movies onl
Way to go, Pakistan! (Score:2)
Re: (Score:2)
Re:yeah ok (Score:4, Insightful)
They're interested in content rather than b/w utilisation. I suggest you RTFA...no-matter how preposterous it may sound.
Instead of generic encrypted traffic now users will resort to steganography. Just embed encrypted traffic in otherwise boring video streams and pictures.
I take it no one does any actual work over the internet in Pakistan?! How about banking, stock trades, online purchases? How ass-backwards is this country?
Re:yeah ok (Score:4, Funny)
Re: (Score:2)
This isn't about how much they are using the internet it's about what they are using it for. It's kinda hard to determine what a user is using the internet for if all their traffic goes through an encrypted tunnel leading out of the country.
Re: (Score:2)
Re: (Score:2)
Note that he never said HE had nothing to hide....
Re: (Score:3)
any bets this gives some idiot in the US Gov't an idea and they add this to the next save the children legislation.
Presumably you've forgotten the Clipper Chip?
Re: (Score:2)
Not to mention that most Pakistanis do not have access to the internet, if they even have electricity at all. It's a desperately poor country.
Re: (Score:2)
Why would USA want another clusterfuck like Afghanistan? Esp. in Waziristan...
It doesn't work like that. No foreign invasion or occupation can help if there isn't already a strong, broad pro-freedom movement.
Re: (Score:2)
Get out while you still can?
I have Pakistani friends here in the US and a nice lady makes Pakistani food at our farmers' market. Of course, our government probably has the visa thing completely screwed up at this point - try Canada, they're still sane.
Re: (Score:2)
A co-worker is from Pakistan. He wasn't surprised the government is trying this crap. When I joked that they'll blame the Jews when the law is a complete failure, his response was, "of course they'll blame the Jews. They blame them for everything."
Re: (Score:2)
What if the government hands out the death penalty for possession of steganography software?
Re: (Score:2)
Yeah, quit white-washing it. He was also a liar, a thief, and probably sexually got off on killing.