EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk)
The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
Re: (Score:1)
Who bankrolls the EU now that Britain is out?
The same as before: not Britain.
Re: (Score:2)
"Police in Germany will forego seeking decryption keys for secure messaging apps,
AC governments are just going for the remote communication interception software (RCIS) solution to advanced end to end crypto.
Ok, that's something we can talk about (Score:5, Insightful)
So we have a device of someone that we suspect to be a criminal, now aid us to access it.
That is something we can actually work with. Provided there is oversight and it's not "we probably have (population count) terrorists in our country, let's find out how to up the surveillance so we can track them all!"
Re: (Score:2)
It depends whether they are going to collaborate on an as-needed basis, or are they going to collect and hoard zero-days without notifying the manufacturers?
We've seen how well the latter works... thanks, NSA!
Re: (Score:2)
Completely agree. This has been the proper course of action from the start, and I'm glad they're finally coming around on it. It's the only path that aligns with the security and privacy interests of businesses and individuals while allowing for law enforcement to conduct lawful investigations.
There will certainly be additional points to discuss, such as the degree and nature of their collaboration (e.g. Is it—or to what extent is it—okay for them to withhold information regarding vulnerabilitie
Re: (Score:2)
The creed behind the law should be that there should be full cooperation when someone has a suspect and a reasonable assumption that this suspect is actually a criminal, but zero support for any measures that aim for blanket surveillance of people "just because".
Re: (Score:2)
FTFY.
If a measure can be used for mass surveillance, it doesn't make any difference how sincere the legislators sound as they say it won't be. Law enforcement will use that measure despite what it was aimed for.
Uhm (Score:1)
If any member state has that capability, there is no way
Re: (Score:3)
Remember the FBI Apple iPhone debate in the US and a solution was found how to gain access to the data, my guess would be they could be sharing those kinds of solutions. I would be surprised if they had things even more advanced than that.
Re: (Score:1)
Please, don't! Leave them with their brute forcing. In the meantime we can enjoy secure communication.
I am not sure if this is just an attempt to please the lobbyists of encryption regulation or ignorance.
Re: (Score:2)
It's an example of you not understanding. Brute forcing is (generally) impossible and that's not what this is about.
Re: (Score:2)
Do I understand this right that they want brute-force encryption? If so, somebody really should explain complexity analysis to them. These algorithms have been chosen in such a way that brute forcing is computationally hard.
No, they want to share methods on how to break devices. No device is 100% secure. Each device probably has an exploit depending on the hardware and OS version. For example, the San Bernardino shooter had an older model iPhone that was bypassed but that took several months before the US government could find someone who could do it. At the very least point the governments in the right direction: "Oh that model Samsung and Android, we used this company to break that phone." It is more so that each government d
Re: (Score:1)
If any member state has that capability, there is no way in hell they'll share it.
This is simply a request to increase the funding & staffing of EC3 in Europol.
https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3
All in all, EU has taken a rational position here.
Law enforcement cannot simply disregard the issue; they have to do and say SOMETHING.
A statement "we will NOT be going to ask or push for backdoors & weak crypto" is good enough, especially considering this comes from the LEA / antiterrorism guys, not from DG CONNECT or similar.
Re: (Score:3)
Re: (Score:2)
Don't tell them! They are convinced that because they represent nation-states, they are all-powerful. Let them have that illusion!
The irony (Score:4, Informative)
Re: (Score:2)
Exactly.... This is really stupid in that it only helps you catch the stupid ones....
Anybody who thinks about this, won't have an issue communicating securely regardless of if the encryption backdoor.
Re: (Score:2)
Consider for a moment that while governments may ultimately be varying degrees of evil, that is an emergent property that isn't necessarily present in the humans who make it up.
Now imagine you're a cop or a politician, and you have criminals and pressure to stop them from getting organized or simply 'getting away with it', and you KNOW there's evidence you could hang them with if you could get your hands on it.
Of course they're going to try and get official back doors. Now you say those back doors will onl
Re: (Score:3)
'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.
Re: (Score:3)
>You NEVER trade freedom for security. EVER.
That's a foolish absolute to stand behind, since you do it all the time in your day to day life.
>'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.
Another silly stance to take. For general encryption, absolutely... but there's nothing wrong with a proprietary system with a back door in it, as long as it's understood to be less than perfectly secured and that it will eventually be cracked (or t
Re: (Score:1)
Re: (Score:1)
This a joke post? Article is about the EU and you grizzle about whether someone is a "U.S. citizen". And why do "foreigner"s have no stake? It's global. Etc, and so on.
Truth is you trade freedom for security every day of your life. Every day. Wake up and look around you.
I am against backdooring general crypto but I don't claim it means the end of civilisation like you do.
Re: (Score:2)
Are you being willfully stupid?
You are NOT free to walk into a bank waving a gun. That freedom is denied you. You ARE free, however, to walk into a bank and withdraw a large amount of money, with the reasonable expectation that nobody else in the bank will shoot you and take it from you.
See how this works?
Re: (Score:2)
Re: (Score:2)
Your "less than perfectly secured" is awfully optimistic. Most people aren't prepared to jump to a new encryption method when the old back door is compromised. Moreover, the system can't ever be trusted, since the user never knows who might know the back door. It might be of some use to some people, but nobody with any sort of security requirements could rely on the system.
Re: (Score:2)
> criminals and terrorists would not just use non-compromised encryption, they'd use codebooks and other types of obfuscation
Terrorists have shown how clever they are; that kind of subtlety is out of their league.
Re: (Score:2)
> The irony here is that even if they put a gun to everyone's heads and forced them to ruin encryption's value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and governments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?
Of course it's another power-grab. That's almost a given for almost everything Western governments are trying to implement in the encryption/security field. The mistake here is in assuming they're telling us the truth when they tell us they will use it exclusively against criminals & terrorists instead of mostly as another general domestic surveillance tool for politically/ideologically-driven motives.
They know as well as we do that real terrorists and criminals will simply use other secure methods. The
Re: (Score:2)
> The irony here is that even if they put a gun to everyone's heads and forced them to ruin encryption's value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption)
Well most suggestions don't involve building an algorithmic backdoor, but about making the manufacturer retain a copy of embedded keys. Like for every iPhone there's a master UID - essentially a 256 bit AES key - fused into the processor during manufacturing. They (supposedly) don't keep a copy, they certainly could and stick in a vault somewhere and in theory they'd only hand individual keys over to law enforcement with a warrant. The "doomsday" scenarios are that a powerful organization robs the vault or
That's Honestly Enough (Score:2)
Re: (Score:1)
Not every one. There are plenty of open hardware certified devices.
lol, that's so naive I don't know whether to laugh or cry. If you didn't design and build the chip or are best friends with the guy who designed and built the chip, it has a backdoor (possibly even in that latter case due to all the NDAs he would be in fear of.)
Re: (Score:1)
Re: (Score:2)
Apple designs its own ARM chips, and they've been clear about standing up for user security. I'm not at all convinced that all CPUs have back doors.
Re: (Score:1)
Re: (Score:2)
True; I was thinking of the ARM chips on iDevices. Apple in fact got bad PR from the dispute with the FBI relating to the work iPhone 5C that the San Bernardino shooter almost certainly didn't leave evidence on, so I'll give them credit for that. Apple appears to want user security.
Re: (Score:1)
Comment removed (Score:5, Insightful)
Sudden outbreak of common sense? (Score:1)
Or have they just struck a secret deal somewhere?
Let's hope the first. Being a big fan of EU (the idea) and sometimes utterly revolted by EU (the implementation), this makes my week.
Yes please (Score:5, Interesting)
Do share all your cracking and hacking tricks. Publicly.
so we can patch the vulns
While they're busy sharing wealth (Score:2)
October 2017 (Score:1)
Is when the encryption wars began. The war was long and had many casualties. After many years of trying to crack encryption most governments around the world agreed to make encryption used by anyone other than the government illegal.
I'm good with that (Score:2)
Weakening encryption is bad. Trying to break encryption is expected.
Encryption = False sense of security (Score:2, Insightful)
Re: (Score:2)
At some time that fully and secure message had to be created and later decrypted for the user's convenience.
Key logging is the solution and will get content at source from the users for the security services.
A one time pad on paper used once and sent would be secure. The privacy of the message is protected by using a one time pad. Anonymity on networks in 2017 is not protected.
Interestin
Re: (Score:1)
> So, are we supposed to trust SSL? I don't. ... I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy?
TLS/SSL exists independent of the Certificate Authorities. You (and anyone else) can use SSL/TLS without involving a third party: sign your own damn certs. Voilà, you have full-strength data-in-flight crypto capabilities.
The reason you don't really see this on the web is because without cert pinnin
Re: (Score:2)
Good encryption means precisely one thing: that it is necessary to know the key to access the information, but otherwise it's safe. When using something like AES-256, the only problem is key management. Nobody who can't find or guess my iPhone unlock code is going to be able to read anything off it, and the Secure Enclave makes it very difficult to guess.
There's a big difference between levels of security. If they're willing to haul you in and torture you for the information, they're almost certainly
Simple answer (Score:2)
You don't. If you could, the encryption would be pointless.
EU vs Five Eyes (Score:4, Interesting)
> For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
I think they're worried about the Five Eyes countries sharing information with each other, but not with EU countries
https://en.wikipedia.org/wiki/... [wikipedia.org]
One of the interesting contradictions of the UK being a member of the EU was that it always had much better intelligence sharing with the Five Eyes countries than it did with any EU country.
see through it (Score:2)
Re: (Score:2)
So you’re in favour of backdoors then? (Score:3)
You are accusing the EU of incompetence for stating that they are “not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon”, and at the same time you are praising Brexit, when Theresa May (and Cameron before her) as well as officials from other individual states (including France and Germany) have been advocating the mandatory use of backdoors. So I take it that you are a supporter of weak en