Brexit Deal Mandates Old Insecure Crypto Algorithms

In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA:

The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME (V3) allows signed receipts, security labels, and secure mailing lists… The underlying certificate used by s/MIME mechanism has to be in compliance with X.509 standard…. The processing rules for s/MIME encryption operations… are as follows:

  1. the sequence of the operations is: first encryption and then signing,
  2. the encryption algorithm AES (Advanced Encryption Standard) with 256 bit key length and RSA with 1,024 bit key length shall be applied for symmetric and asymmetric encryption respectively,
  3. the hash algorithm SHA-1 shall be applied.
  4. s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages.

And s/MIME? Bleah.
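As an added illustration (not part of the original post, and not code from the treaty annex or from any S/MIME implementation), here is a small weakest-link check of the quoted profile. It maps each algorithm to its approximate security strength in bits, following the comparable-strength figures in NIST SP 800-57 Part 1 and the disallowed list in SP 800-131A, and then asks whether the profile as a whole meets a chosen minimum. The 112-bit minimum, the comparison profile with RSA-3072 and SHA-256, and the ~63-bit figure used for SHA-1 (the work of the published SHAttered collision) are assumptions chosen for the example.

```python
"""Weakest-link check for an S/MIME algorithm profile (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Approximate security strength in bits per algorithm and key/digest size.
# RSA and AES rows follow the comparable-strength table in NIST SP 800-57
# Part 1; hash rows use collision resistance (half the digest length).
# SHA-1 is entered at the ~2^63 work of the published SHAttered collision
# (an assumption for this example) rather than its nominal 80 bits.
STRENGTH_BITS = {
    ("RSA", 1024): 80,
    ("RSA", 2048): 112,
    ("RSA", 3072): 128,
    ("RSA", 7680): 192,
    ("RSA", 15360): 256,
    ("AES", 128): 128,
    ("AES", 192): 192,
    ("AES", 256): 256,
    ("SHA-1", 160): 63,
    ("SHA-256", 256): 128,
    ("SHA-384", 384): 192,
    ("SHA-512", 512): 256,
}

# Choices current guidance (NIST SP 800-131A) no longer allows for signing or
# key transport, whatever the nominal bit figure says.
DISALLOWED = {("SHA-1", 160), ("RSA", 1024)}


@dataclass(frozen=True)
class Algorithm:
    role: str   # "symmetric", "asymmetric" or "hash"
    name: str
    size: int   # key length (AES, RSA modulus) or digest length, in bits

    def strength(self) -> int:
        return STRENGTH_BITS[(self.name, self.size)]


@dataclass(frozen=True)
class Profile:
    label: str
    algorithms: Tuple[Algorithm, ...]


# The profile quoted from the treaty annex: AES-256, RSA-1024, SHA-1.
TREATY_PROFILE = Profile("annex profile (AES-256 / RSA-1024 / SHA-1)", (
    Algorithm("symmetric", "AES", 256),
    Algorithm("asymmetric", "RSA", 1024),
    Algorithm("hash", "SHA-1", 160),
))

# Constructed comparison profile; an assumption, not something the page states.
MODERN_PROFILE = Profile("comparison profile (AES-256 / RSA-3072 / SHA-256)", (
    Algorithm("symmetric", "AES", 256),
    Algorithm("asymmetric", "RSA", 3072),
    Algorithm("hash", "SHA-256", 256),
))


def weakest_link(profile: Profile) -> Algorithm:
    """The component whose strength bounds the whole profile."""
    return min(profile.algorithms, key=lambda alg: alg.strength())


def effective_strength(profile: Profile) -> int:
    """Security of the profile as a whole: that of its weakest component."""
    return weakest_link(profile).strength()


def check_profile(profile: Profile, minimum_bits: int = 112) -> List[str]:
    """Findings against a minimum strength; an empty list means it passes.

    The minimum is a parameter because, as the comments below note, a sane
    specification states a floor rather than fixing one set of sizes.
    """
    findings = []
    for alg in profile.algorithms:
        bits = alg.strength()
        if bits < minimum_bits:
            findings.append(f"{alg.role}: {alg.name}-{alg.size} gives ~{bits} bits, "
                            f"below the {minimum_bits}-bit minimum")
        if (alg.name, alg.size) in DISALLOWED:
            findings.append(f"{alg.role}: {alg.name}-{alg.size} is disallowed "
                            f"by current guidance for this use")
    return findings


if __name__ == "__main__":
    for profile in (TREATY_PROFILE, MODERN_PROFILE):
        weak = weakest_link(profile)
        print(f"{profile.label}: ~{weak.strength()} bits effective, "
              f"bounded by {weak.name}-{weak.size}")
        for finding in check_profile(profile):
            print("  -", finding)
```

Running it puts the post's complaint in numbers: the AES-256 in item 2 contributes nothing beyond what the RSA-1024 key transport and the SHA-1 signature hash allow, so the annex profile's effective strength is bounded by its weakest component, well under any modern minimum.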

Posted on December 31, 2020 at 6:19 AM • 35 Comments

Comments

Fish December 31, 2020 6:35 AM

A friend who pays more attention to this stuff than I do argued to me that a lot of people are missing the point here. It’s not something that was drafted for the deal itself; it incorporates an Annex to some existing EU legislation. Which is obviously now out of date, and I’m not defending that, but (my friend argued) the deal had no choice but to replicate the current EU legislation, as out of date as that may be.

I’m not familiar enough to know for sure whether it is true that the authors of the deal were bound to use the existing legislation or whether they had the option of updating it if they so chose, but their arguments did somewhat change my mind about this. Obviously still a problem, just maybe a different one to that which it at first appeared to be.

Original legislation is here: https://www.legislation.gov.uk/eudn/2008/616/annex/chapter/1/adopted

metaschima December 31, 2020 6:44 AM

It’s weird that it’s so specific and it’s not a minimum requirement. It’s not like use at least this many bits of security. Even if it is a cut and paste error, it should have originally given a minimum bit security for symmetric and asymmetric crypto and maybe like a few options for each. If they really wanted to be progressive they would have included some of the new quantum resistant asymmetric crypto as backups. I’ve seen several articles claiming quantum supremacy although not for the Shor algorithm yet, but I suspect that that won’t be made public if and when or maybe it already has happened.

Clive Robinson December 31, 2020 9:14 AM

@ Arthur Chance, Fish, ALL,

As Fish says, this is simply copying old EU legislation.

Even back in 2008 those requirements were obsolete…

In a way it tells you something more subtle.

EU technical standards for the likes of “Placing on the market” of electronics and communications equipment are not generally “prescriptive” (that’s a fault you find with much US legislation, especially environmental).

They are usually “frameworks” that delegate technical standards to the likes of the standards bodies. To see this have a look at the R&TTE Directives and how you end up with British Standards Institute, IEE, IEEE, CENELEC, even some ANSI and NIST standards.

This is because those drafting the legislation are neither politicians nor lawyers but engineers, scientists, and academics. The lawyers do get a final say on things simply because providing “language neutral” legislation for 27 nations and ensuring the translations all legally mean the same thing is a job for specialists.

The point is the politicians are as much as possible kept out of technical standards for obvious reasons.

The 2008 treaty was however very much a political initiative driven by politicians and law enforcement agencies, who to be quite honest rarely have technical knowledge or care.

So it’s 99% certain what is in the 2008 legislation was copied and pasted from some other document by some clerk taking direction from either a politician or senior law enforcement person/group that are in effect as in contact with technology as the rings of Saturn are with the Earth, which is “not much, and very variable in effect”.

In short anything going into legislation should pass under the eyes of independent domain experts that are as free from political and economic influence as possible, to stop this crap happening.

Politicians may think they know everything because of their “camel nose” personality failings. But in all honesty they need to give way to domain experts to ensure that things don’t go badly wrong. Which has happened so often with ICTsec related legislation the whole field should hang its head in shame…

Clive Robinson December 31, 2020 9:29 AM

@ ALL,

Never assume incompetence when security is involved, malice is way more profitable.

It might just be that somebody has decided to “backdoor” such communications…

Look at it this way: the current cost of technology to bust this open is less than $100k which is “pocket change” for even small size criminal organisations…

Such information in those messages could in the right hands have pay back 100fold over with the size of some drug deals.

Anyway there is a way to solve this, the specification as given does not say that what would be the “plaintext” into this system actually has to be “plain text”.

So design a more up-to-date and secure protocol for the payload, turn it into some subset of ASCII and use this insecure system as just a wrapper, not unlike the use of a VPN or a multitude of other layered protocols.

...doug December 31, 2020 10:04 AM

@Clive,
…turn it into some subset of ASCII …

Just be very careful when turning it into ASCII. The Brexit documents also include an ASCII table that leaves out a bunch of entries, doesn’t distinguish between space and non-printable characters, and includes a few values — {}{ and }} — that seem to be problems with formatting. Likely another case of copying and pasting things from older documents without understanding them. 🙂

https://politics.stackexchange.com/questions/61178/why-does-the-eu-uk-trade-deal-have-the-7-bit-ascii-table-as-an-appendix

…doug

xcv December 31, 2020 12:31 PM

@Clive Robinson

Never assume incompetence when security is involved, malice is way more profitable.

Thank you. You’re catching up with the military police detail.

@Carlo Graziani

ROT13 not good enough for them?

Oh, we don’t allow anything stronger than ROT13 except for police and active duty military.

Good grief. The situation in the USA is with NSA tipping off your local neighborhood crime watch at the aforementioned urban combat fusion centers to your dastardly deeds online whenever they can’t get the clearance to prosecute federally.

GCHQ and the rest of the “Five Eyes” Anglophone nations with the surveillance cameras on every street corner are doing exactly the same thing.

They get a FISA warrant to have the surveillance conducted through foreign agents, and use
a legal fiction of parallel construction to introduce naked raw intelligence as evidence in court.

They post revenge porn videos of the targeted individual on one of the popular sites if they don’t get their way in an open court of common pleas.

RealFakeNews December 31, 2020 4:47 PM

Those who are pro-EU/anti-Brexit are trying to use this as some kind of attack against the Brexit deal.

Reality is, all legislation is like this, and they’re pretty naïve if they think it isn’t.

I guess there isn’t much else to complain about, if the only focus is on the mention of out-of-date software.

Clive Robinson December 31, 2020 5:07 PM

@ RealFakeNews,

I guess there isn’t much else to complain about, if the only focus is on the mention of out-of-date software.

As I understood it this one was an “easy find” as it kind of stood out like Rudolf’s nose…

But as they say “be careful what you say, sometimes the little folks hear and curses appear”.

Thus I fully expect some real nasties to come out at some point soon.

Winter January 1, 2021 6:56 AM

“I believe the Brexit mantra is “any deal is better than no deal.””

At rock bottom, all directions go up.

I believe all pretending that Brexit is financially profitable for the average Briton has been abandoned.

Winter January 1, 2021 8:21 AM

I am very happy the UK will still participate in the EU New Horizons program. Losing collaborations with our British colleagues would have been very unfortunate.

Clive Robinson January 1, 2021 10:08 AM

@ Winter,

At rock bottom, all directions go up.

A not often used these days expression is,

“Life in the crab bucket”

Unless you’ve actually ever gone crab fishing it’s a little hard to understand.

Basically you can catch enough crabs that they very nearly fill the bucket, so much so you would easily think they could escape, and in fact they could quite easily.

The reason they don’t is as one crab starts to rise up all the other crabs grab hold of it and not just pull it back down but actually climb on top of it.

When I was around eight, and on holiday, the hotel manager’s son who was about twelve taught me how to crab fish as the tide went out. All you actually need is a lump of raw bacon hide with fat on, about 2cm by 1cm, tied with strong string onto the end of a long bamboo garden cane. No hooks are needed because once the crab got a hold of it it would not let go…

So “crab bucket” is a euphemism for working class and lower middle class streets. Proud enough to, as a friend used to say, “T’drink turps out of a jam jar”. But you try doing any bit better than the rest of them and they will drag you back down. But they all will drag you back just to get a taste of bacon even though grabbing it will lead to their doom…

At the end of the day Brexit was about living in a crab bucket… The people that were going to do worst by Brexit are the ones who voted most keenly for it and will be the first to be dragged down by those around them as unemployment rises and jobs and money become scarcer than the silver threepence piece that gran used to keep by for the Christmas pudding.

Winter January 1, 2021 12:28 PM

@?
“Who wins with the exit?”

If you mean Brexit, it’s the Matthew effect (see Wikipedia).

I know about the crab bucket (thanks to Terry Pratchett).

But I think Brexit has the same cause as Trump: The lower SES half of the population saw 4 decades of economic growth pass by without any of it trickling down to them.

And then there was the 2008 meltdown where the culprits got a golden parachute instead of jail time. Meanwhile, the pensions, income, and savings of the poor evaporated.

Reason enough to burn some witches. They never burn the leaders responsible, always “foreigners”.

Clive Robinson January 1, 2021 12:43 PM

@ Winter,

I am very happy the UK will still participate in the EU New Horizons program.

Which one… The one to get the long-term disabled into an unsuitable job, or the one to do with space technology?

With regards to the space technology, the damage has already been done.

Ownership of UK space technology companies has been given at “fire sale prices” to German and French companies because of the EU National Security rules. The few UK Universities doing space related technology degrees have pretty much all downgraded them and turned them into introductory “General engineering degrees”. Leicester being a case in point that had quite a reputation for space engineering has basically dumbed down now that European students will not be allowed etc.

Though nobody in the current UK government has said anything, their xenophobic attitudes are not just well known but well established. Co-operation will not happen due to the inability to get visas to do more than very basic degrees; the Universities know this, they also know that the companies that would have provided employment will just be “brain/talent drains” as those with ability will have to obtain EU Citizenship Status to meet the National Security requirements. So all of those companies over the next decade will be chasing little scraps, fighting each other and bringing each other down. Similar is going to happen to aerospace now that COVID has changed the direction of the aircraft industry.

Basically all but “grunt type” engineering jobs are going to leave the UK, and those with the ability will follow them.

It does not take the brains of a Nobel laureate in economics to realise the following,

In a crowded boat freedom of movement is restricted on board, but you can swim in the sea and that looks attractive. But only in the very short term, until the cold and tiredness set in, then you are going to want to get back on board. Nor do you need Nobel brains to realise that being on board and pissing out is better than being down in the water being pissed upon. Alright, you have to give up the freedom of just pissing anywhere you like when on board, but you are in return way better off.

Thus only a real idiot would swear, cuss and bitch at those on board before jumping over the side… Because it’s fairly obvious what is going to happen. To mix metaphors, you can not just jump in and swim to greener pastures unless you are a manatee (sea cow, with all that implies).

But we actually know all this from living history.

It was fairly clear during WWII that industry was being decimated by the war effort, it was all production and no maintenance and no reinvestment. If the war in Europe had not stopped when it did, within about six months Britain would have had to capitulate. As it was, large parts of the population started to starve and if it was not for US food parcels from concerned US citizens –opposing US Gov policy– tens of thousands would have starved to death or died of deprivation related diseases.

Thus seventy years ago various people in what was then laughingly called Great Britain could see the way it was going and decided that signing up to a European coalition made sense, and moves were made and in 1952 Great Britain was the first nation to sign on the dotted line of the proposals for trade unification.

Then unfortunately as ever petty politics got involved and short term thinking reared its stupid head. More stupid than that of the crab whose behaviours they emulated…

But eventually people realised that being in the boat was better than being out of it.

However when they tried for membership in 61 France’s Charles de Gaulle was having none of what he saw as “perfidious Albion” in Europe. He said “Non” via the veto process and blocked UK membership every which way he could three times, and it was a quarter of a century later after de Gaulle had resigned that in 73 what was now a very reduced in circumstances Britain and Ireland were allowed in along with Denmark. As in effect “a package deal”.

Those who pursued the idea of a united Europe from the end of WWII knew very well that the British Empire was over and that Britain was at the bottom of a list of 60 or so countries in just about every way measurable. Its only claim to being a great nation was its supposedly independent nuclear deterrent, which was in reality anything but due to the War Debt with America. Just about every technical development the UK moved forward on got killed by the American demands that the war debt be paid back. When that threat failed UK politicians were bought off in other ways. Which is why the UK is unique in the history of space exploration, to have got a satellite into space and then kill off all that investment… The reason is the US promised the UK free launches, then when the UK launch capability had closed the offer disappeared like the fairy gold it had always been. Similar happened with faster than sound flight, fly by wire aircraft, and a list so long that you would fill rather more books than you would have shelf space for. That is what the “special relationship” means to US politicians. It’s why the “Brain Drain” happened and continued until Margaret Thatcher got rid of the war debt and made a few US politicians “sit up and beg”. The reason for that was in the main the Falkland Islands; the US state dept thought they would get better access to the resources in the Antarctic and surrounding seas if they propped up the corrupt Argentinian regime. Thus they tried many tactics to ensure the Falkland Islands were handed over to Argentina. In many respects we are lucky the US plan failed, otherwise the chances are South America would be in the same state the Middle East is in currently (though arguably it’s not much better).

Those who were most pro Brexit were at best little boys in the school playground when all the entry into the EEC happened. As their parents made money by financial cheating that was easy to do back after WWII with Bretton Woods broken by bonds they did not see the effects of three day weeks, strikes, fuel shortages, power cuts and worse, much of which I do and I can assure you with no fondness.

Thus they have a very peculiar view of what they want the UK to be, which is simply a no questions asked money laundering bank close to Europe with strong ties to America. Their plan is utter futility; the world has moved on and finance has always played very much third fiddle to engineering and manufacturing[2] and the UK can not in any way survive off of the tiny drips the finance industry hands over in the way of taxation.

But then more sensible heads even most that actually work in the finance industry know this and voted against Brexit.

But the crab bucket won based on the false promises of bacon from the sky for all… and now we have to live with the consequences… No bacon just the fit fighting out before economic cannibalism claims them

Within a decade the UK will probably be Nation 70-80 down the list of the measures that are important to the everyday person… We will have a new Brain/Talent drain as Britons turn into what the greasy greedy politicians claim to dislike more than criminals, yes those “Economic Migrants” but flowing the other way to other Nations…

[1] https://en.m.wikipedia.org/wiki/Accession_of_the_United_Kingdom_to_the_European_Communities

[2] Actually fourth or worse when you consider services like the advertising and media industries and that offshoot of engineering that is architecture and design.

Clive Robinson January 1, 2021 1:20 PM

@ Ignorant US redneck,

Who wins with the exit?

Not you, or me that’s for certain and it’s not,

Yep. Always the ‘foreigners’.

That is just a distraction from the puppets who front the real winners you do not see, you call the puppets your “Representatives”, and they are just making a simple play from the George Orwell playbook called 1984.

If you give the people a distant enemy to hate then the government puppets can get away with almost anything the puppet masters / money men ask.

It really is that simple.

Ignorant US redneck January 1, 2021 1:31 PM

@ Clive.

My tongue was firmly in cheek.

I do understand the reasons for misdirection. It works so very well, whether in business or politics. But, there will come a time for retribution.

What steps can the ITsec community use to combat the insecurities mentioned above? Will it take a political move to change things, or will science raise its dusty head and make some noise?

Clive Robinson January 1, 2021 2:05 PM

@ Ignorant US redneck, winter, ALL,

I do understand the reasons for misdirection.

I kind of thought you would by your “which side” comment.

I put it up so that those who had not traveled far enough to know that would have the opportunity to read it.

But I must admit in the UK until quite recently we were rather fond of “burn them at the stake” with Nov 5th being an annual practice day 😉

But I will be honest I still think a festive decoration of the spikes on Traitors Gate might be fun as well and if you think about it, it’s the green option in more than one way…

With regards,

What steps can the ITsec community use to combat the insecurities mentioned above? Will it take a political move to change things, or will science raise its dusty head and make some noise?

Step one is dispel the myth of the “magic good” of the Internet, surely there is enough evidence by now to say it’s neither magic nor in most cases good.

Though the reeducation process of much of management and marketing to get them out of their cognitive bias / delusion might require a $5 Wrench and a book on “de-culting people”. I guess we will just have to look on it as “good healthy exercise” with “major stress relieving” ability. Rather than a “bring the kids to work day” we should have a “bash the boss day” with ducking stool etc. So all good clean fun.

Step two is isolate all computers that do not require public access. Let’s be honest, are you at work to do work or update your social media and auction site business or watch cat/hamster videos (mind you I think a dancing hamster that has a cat thrown in half way through the routine might liven things up and get the old hormones pumped).

Step 3 is isolate; not all Internet connectivity is bad, it can bring in business. But it also brings in trouble so isolation with reductionism is the way to go to limit damage to both the connected and hopefully non connected systems.

Step four does involve the dusty head of science. Put simply most of that overpriced security measures junk is effectively useless. Why? Because there is no uniform way to evaluate their function so marketing can trot out any old bovine fertilizer and get away with it. The reason for this is there is no science involved. Science basically does the,

“Observe, hypothesize, test”

Loop, which requires two basic things,

1, Reliable and useful measurands.
2, That will work with statistical analysis.

We don’t have that so we have a snake oil and sugar pill market instead…

Ignorant US redneck January 1, 2021 2:26 PM

@Clive

When the decorations to the Traitors Gate go up, please do post a pic.

From my fading memory, here in the US we have a limited edition of stake burnings. Salem was one of the last. I think.

Instead, we have the gunpowder solution. Sadly, sadly indeed, I think this will provoke an answer to the powers that be.

I agree with all of your thoughts on computer security. I believe that the changes to corporate security are on the horizon. The advent of multiple ransom attacks and the recent Solarigate revelations should get some CEOs to thinking about security. Emphasis on the ‘should’ part.

It’s easy to see that the only functions that need to face the internet are marketing and recruiting. The rest stay closed off. To do those things would not take so very much effort and very little capital outlay. There would be glory for the CIO who could convince his management to do those things.

Not holding my breath over here in the sticks.

Clive Robinson January 1, 2021 4:18 PM

@

So, how to incentivize our science compatriots?

That as they say “Is an interesting question” which in effect tells you the answer before they say anything else…

A little history, back in the 1980s when 8bit CPU chips still ran by necessity below 8MHz I did some personal time research.

Put simply the printed circuit board lines/traces can be viewed as VHF-Microwave antennas, but still quite efficient at lower frequencies that “coupled in the near field”. The protection diodes caused by the CPU substrates and power metalisation are effectively “crystal set” receivers or “envelope detectors” so any constant RF field generates a DC offset on the PCB trace as well as the CPU substrate input or output. Whilst such voltages had minimal effect on output pins they had significant effects on input pins. Few realise these days that the input “buffers” be they inverting or not could be viewed as high gain analog amplifiers with bandwidths up into the tens of MHz depending on vintage.

So I’d observed that VHF two way radios, when close enough to a logic / microprocessor card, could be used to cause them to malfunction.

Most engineers would have just shrugged their shoulders, made a note to add RF shielding and gone to get on with the next task the boss had given them. I am however as was once observed “A curious bugger of the most exemplary kind” thus it caused thoughts. Put simply I wondered what would happen not with FM/PM signals that are essentially constant envelope, but with high Pulse Repetition Rate modulation or envelope modulation, thus on to could it be used to exploit the execution of code? To which the answers are a distorted version of the modulation appears on the PCB trace and yes you could exploit the code.

Thus the idea of “EM Fault Injection” was born and I went on to do some interesting things with it including reading the function of smart cards by illuminating the chip with low level microwaves (at ~10GHz) and by the process of cross modulation read off what the chip was doing. That is it produced the same results as power line analysis but without having to get into the smart card reading device with test instruments.

You would have thought a lot of people would be interested in such a potential security issue. Mostly the chip people wanted it hushed up with the usual threats and others were not interested as they thought power analysis and the like was just too fancy and nobody would use it as an attack method.

The only person who appeared interested was Ross Anderson over at the Cambridge computer labs and that was some years later. He was looking at trying to use random self clocked logic as a way to defeat power analysis on smart cards. I pointed out that a suitable level EM signal would “injection lock” the self clocking and bring them all into alignment thus further attacks could be made. Ross sent me the details of a researcher in Europe who was using “pico coils” to fire pulses of energy into chips very close up. Basically the same idea, dump energy at the circuit in a way that causes bits to flip etc. We had a chat and he said he would let me know next time he was coming over to the UK. Well it did not go any further.

As you might have read Ross did do some research into illuminating the lead of a PC keyboard that he put in his Security Engineering book and eventually two researchers at Cambridge Labs showed that by using 10GHz CW EM you could get energy into an IBM security TRNG and take its entropy down from 2^32 or ~1 in 4billion down to about 2^7 or ~1 in a hundred. Thus making “guessing attacks” or “brute force attacks” nearly trivial.

Since then not very much, it’s all been TEMPEST stuff which is “Passive EmSec” not “Active EmSec”. One laugh though was the naysayers over using acoustic channels. You may remember BadBIOS and the issues that caused. Well it turns out that not just myself but other engineers had looked into using audio to network Personal Digital Assistants like the Psion Organizer and earlier back in the early 80’s so we knew not only it could be done but had done quite a bit on it, all of which basically went next to nowhere as IR became the preferred choice even though it was more expensive, then leads with unreliable connectors and they wonder why it was unpopular… Anyway when the BadBIOS audio channel was mentioned all those that had never picked up a soldering iron declared it impossible. So I dug up an old IO card to put the “hidden code” on that would survive hard drive wipes and it talked via the speaker and mic connected to a sound card on bits of wire. I mentioned it on this blog as did @RobertT but the naysayers were adamant. Then a couple of students did it with a couple of laptops on chairs in a corridor and wrote it up “as a paper”… Then the naysayers disappeared and the next thing you know malware writers were putting acoustic channels in apps so you could be tracked by advertising etc…

Oh and more recently RowHammer demonstrated what you can do by dumping energy into Dynamic memory and in effect flipping bits by destabilising the analog refresh circuitry…

So about a quarter century to a third of a century time for academia to “wake up”…

So as the old saying goes “don’t hold your breath” with even the simple stuff.

Coming up with ideas for appropriate measurands is going to need an information theoretic approach and that is not exactly simple stuff.

Ignorant US redneck January 1, 2021 5:10 PM

I remember a conversation you had here, some years ago, on the topic of ‘Fault Injection’. Still an interesting concept.

I don’t know the answers. I’m hearing a lot of yammer about Quantum Computing. Of course, something something Quantum will draw a lot of attention. Just as something something Blockchain does. There remains hope that a real solution is just around the corner.

The flip side of that coin is the long arm of the TLA. (you can easily transpose a C and I for the T and L). I can’t think of any way that they wouldn’t have a compromise for Quantum processing. Whether they develop it inhouse, buy it, or steal it, they will compromise the system in the name of “National Security”.

Well, this has been interesting. Thank you. It’s time for our annual New Years Feast so I’ll sign off for now.

Clive Robinson January 1, 2021 5:51 PM

@ Ignorant US redneck,

It’s time for our annual New Years Feast so I’ll sign off for now.

Enjoy and keep safe. I usually celebrate the lunar new year or spring festival in China town with friends; it’s probably not going to happen this year due to lockdown, so I guess a take-away instead, but that’s not till 12th Feb and a lot can happen in that time.

But to all others have a happy new year and I hope it’s a better one in oh so many ways.

Cryptogoat January 3, 2021 8:41 AM

https://pastebin.com/gKBN5RTm

SMIME is an absolute joke; I often wonder if it was engineered to fail, or if the openpgp standard was just simply not good enough to thrive.

The decentralized WoT model makes far more sense to me. You could even have a hybrid approach where you could trust people X layers down from your address book, and if not present, check a TXT record for their domain which will include enough metadata for the domain owner to certify the users therein, perhaps a signature for each key.

For those wishing to have an additional layer of security a CA like organization could be established eg imagine something like Verisign who signs people’s keys to verify it matches IRL credentials.

It’s already perfect and flexible enough for this use, and the openpgp smartcards or any pkcs implementation would be perfect. You could store EC crypto for ssh, or building auth. It could be integrated in a comprehensive way.

But excuse me for being skeptical about governments. They would prefer as much remain in cleartext as possible, for example the current US issues with Messenger wanting to use Signal encryption by default (or the WhatsApp protocol, which is weaker imho, but both have an Achilles heel which is the reliance on SS7 for registration of the number etc.). But at least people can confirm keyprints on a side channel.

https://pastebin.com/gKBN5RTm
— can you solve the stego challenge posted? 1 btc in there for finding —

Winter January 3, 2021 9:47 AM

@Cryptogoat
Why do you post opaque pastebin.com links? What is at the end of the links that cannot be described in your comment?

Sheilagh Wong January 3, 2021 10:10 AM

The GCHQ is obsessed with snooping on the British citizenry. This is likely an intentional oversight.

Goat January 3, 2021 10:22 AM

@Winter, pastebin links can be used for sharing secrets by steganography after encrypting them, to hide the fact that a message is shared and avoid prying eyes. It isn’t unusual for terrorists to use these.

Winter January 3, 2021 10:47 AM

@goat
“pastebin links can be used for sharing secrets by steganography after encrypting them”

Thanks.

disG January 5, 2021 7:00 AM

I am curious if one day a suspect who realises that his DNA profile was shared in such insecure way between the UK police and the police of one of the EU member states sues them for breaching the GDPR or some other privacy legislation.

I hope he will do so.

Amy Andersen January 12, 2021 1:20 AM

Grateful for sharing this. Protecting delicate data is very hard to do especially when there is a lot of hackers to steal it. I search everywhere and I found Setainty (https://www.sertainty.com/) is one of the best out there for data security service.

David January 15, 2021 1:02 PM

When you change treaty text you need to review and agree the changes, which takes time and can open up the prospect of other negotiated changes, so the cut and paste reference to old legislation is likely to be deliberate. In this case the legislation that has been cut and pasted, COUNCIL DECISION 2008/616/JHA (https://eur-lex.europa.eu/eli/dec/2008/616), is the basis for a multilateral agreement. I would be incredibly surprised if the EU had attempted to update that multilateral agreement at the same time as negotiating Brexit.

On the practical side, the COTS tools mentioned are examples and from a security perspective you note the data exchange takes place over the EU secure network known as TESTA, which has evolved since the council decision that caused cut and paste amusement. If you want to understand the security as implemented you need to work forward from the COUNCIL DECISION 2008/616/JHA and consider other relevant legislation, updates to legislation, implementation decisions and so on. No one is going to undo those improvements just because of Brexit!
