Data vs. Analysis in Counterterrorism
This article argues that Britain’s counterterrorism problem isn’t lack of data, it’s lack of analysis.
Someone just registered their company name as ; DROP TABLE "COMPANIES";-- LTD.
Reddit thread. Obligatory xkcd comic.
Le Monde and the Intercept are reporting about NSA spying in Africa, and NSA spying on in-flight mobile phone calls—both from the Snowden documents.
Susan Landau has an excellent essay on why it’s more important than ever to have backdoor-free encryption on our computer and communications systems.
Protecting the privacy of speech is crucial for preserving our democracy. We live at a time when tracking an individual—a journalist, a member of the political opposition, a citizen engaged in peaceful protest—or listening to their communications is far easier than at any time in human history. Political leaders on both sides now have a responsibility to work for securing communications and devices. This means supporting not only the laws protecting free speech and the accompanying communications, but also the technologies to do so: end-to-end encryption and secured devices; it also means soundly rejecting all proposals for front-door exceptional access. Prior to the election there were strong, sound security arguments for rejecting such proposals. The privacy arguments have now, suddenly, become critically important as well. Threatened authoritarianism means that we need technological protections for our private communications every bit as much as we need the legal ones we presently have.
Unfortunately, the trend is moving in the other direction. The UK just passed the Investigatory Powers Act, giving police and intelligence agencies incredibly broad surveillance powers with very little oversight. And Bits of Freedom just reported that “Croatia, Italy, Latvia, Poland and Hungary all want an EU law to be created to help their law enforcement authorities access encrypted information and share data with investigators in other countries.”
I think this might be the first time it has been openly acknowledged:
Sir Michael Fallon, the defence secretary, has said Britain is using cyber warfare in the bid to retake Mosul from Islamic State. Speaking at an international conference on waging war through advanced technology, Fallon made it clear Britain was unleashing its cyber capability on IS, also known as Daesh. Asked if the UK was launching cyber attacks in the bid to take the northern Iraqi city from IS, he replied:
I’m not going into operational specifics, but yes, you know we are conducting military operations against Daesh as part of the international coalition, and I can confirm that we are using offensive cyber for the first time in this campaign.
At the last match of the year for Manchester United, someone found a bomb in a toilet, and security evacuated all 75,000 people and canceled the match. Turns out it was a fake bomb left behind after a recent training exercise.
The UK government is pushing something called the MIKEY-SAKKE protocol to secure voice. Basically, it’s an identity-based system that necessarily requires a trusted key-distribution center. So key escrow is inherently built in, and there’s no perfect forward secrecy. The only reasonable explanation for designing a protocol with these properties is third-party eavesdropping.
Steven Murdoch has explained the details. The upshot:
The design of MIKEY-SAKKE is motivated by the desire to allow undetectable and unauditable mass surveillance, which may be a requirement in exceptional scenarios such as within government departments processing classified information. However, in the vast majority of cases the properties that MIKEY-SAKKE offers are actively harmful for security. It creates a vulnerable single point of failure, which would require huge effort, skill and cost to secure, requiring resource beyond the capability of most companies. Better options for voice encryption exist today, though they are not perfect either. In particular, more work is needed on providing scalable and usable protection against man-in-the-middle attacks, and protection of metadata for contact discovery and calls. More broadly, designers of protocols and systems need to appreciate the ethical consequences of their actions in terms of the political and power structures which naturally follow from their use. MIKEY-SAKKE is the latest example to raise questions over the policy of many governments, including the UK, to put intelligence agencies in charge of protecting companies and individuals from spying, given the conflict of interest it creates.
And GCHQ previously rejected a more secure standard, MIKEY-IBAKE, because it didn’t allow undetectable spying.
Both the NSA and GCHQ repeatedly choose surveillance over security. We need to reject that decision.
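As an added illustration of the escrow and forward-secrecy points above (this is not code from the post, from Murdoch's write-up, or from the MIKEY-SAKKE specification), here is a toy model in Python: the key-management centre's master secret determines every user's long-term key, so a recording of a call plus that secret yields the call's session key, and nothing on the wire changes when that happens. An ephemeral Diffie-Hellman exchange alongside shows the design without that property. The HMAC-based key derivation (standing in for SAKKE's pairing-based key extraction), the identities and the small DH group are constructed stand-ins, not the real protocol.

```python
"""Toy model: identity-based key distribution with a master secret
(escrow built in, no forward secrecy) next to ephemeral Diffie-Hellman.

Everything here is constructed for illustration: the HMAC derivation
stands in for SAKKE's pairing maths, the identities are made up, and the
DH group is deliberately tiny.
"""
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a simple key derivation function."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_user_key(master: bytes, identity: str) -> bytes:
    """Identity-based: a user's long-term key is a pure function of the
    centre's master secret and the user's name (assumed stand-in for the
    real per-identity private key extraction)."""
    return kdf(master, b"user:" + identity.encode())


def ib_call_setup(master: bytes, caller: str, callee: str):
    """Caller chooses a session key and wraps it to the callee's identity.
    Returns (session key held by the caller, transcript seen on the wire).
    The centre-derived wrap key models 'encrypt to identity'."""
    session = secrets.token_bytes(32)
    wrap_key = derive_user_key(master, callee)
    wrapped = xor(session, kdf(wrap_key, b"wrap"))
    return session, {"from": caller, "to": callee, "wrapped": wrapped}


def ib_call_unwrap(user_key: bytes, transcript: dict) -> bytes:
    """Callee recovers the session key with its own long-term key."""
    return xor(transcript["wrapped"], kdf(user_key, b"wrap"))


def escrow_recover(master: bytes, transcript: dict) -> bytes:
    """Whoever holds the master secret, now or after a later compromise of
    the centre or its backups, recovers any recorded call's session key from
    the transcript alone. The transcript is untouched, so neither party can
    tell that this happened."""
    callee_key = derive_user_key(master, transcript["to"])
    return ib_call_unwrap(callee_key, transcript)


# Ephemeral Diffie-Hellman for contrast. Toy group: a 61-bit Mersenne prime
# keeps the numbers readable; deployments use e.g. RFC 3526 groups or ECDH.
P = (1 << 61) - 1
G = 2


def dh_call_setup():
    """Both sides pick fresh exponents per call and discard them afterwards.
    Returns (caller's session key, callee's session key, transcript)."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    key_a = kdf(pow(pub_b, a, P).to_bytes(8, "big"), b"session")
    key_b = kdf(pow(pub_a, b, P).to_bytes(8, "big"), b"session")
    # The transcript holds only public values; there is no long-term secret
    # and no centre that can turn them back into the session key later.
    return key_a, key_b, {"pub_a": pub_a, "pub_b": pub_b}


def compare() -> dict:
    """Run one call under each design and report what a master-secret holder
    can do with the recorded transcript."""
    master = secrets.token_bytes(32)
    session, transcript = ib_call_setup(master, "alice", "bob")
    bob_sees = ib_call_unwrap(derive_user_key(master, "bob"), transcript)
    centre_sees = escrow_recover(master, transcript)
    key_a, key_b, _ = dh_call_setup()
    return {
        "ib_callee_ok": bob_sees == session,
        "ib_escrow_recovers": centre_sees == session,
        "dh_parties_agree": key_a == key_b,
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The point of the side-by-side is that escrow and the lack of forward secrecy are not bugs in the identity-based design but consequences of it: any party that ever holds the master secret can decrypt every recorded call, past and future, without touching the traffic. Under the ephemeral exchange, compromising a long-term secret after the fact yields nothing from stored transcripts.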
The Intercept has a new story from the Snowden documents about the UK’s surveillance of the Internet by the GCHQ:
The mass surveillance operation code-named KARMA POLICE was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom’s electronic eavesdropping agency, Government Communications Headquarters, or GCHQ.
[…]
One system builds profiles showing people’s web browsing histories. Another analyzes instant messenger communications, emails, Skype calls, text messages, cell phone locations, and social media interactions. Separate programs were built to keep tabs on “suspicious” Google searches and usage of Google Maps.
[…]
As of March 2009, the largest slice of data Black Hole held—41 percent—was about people’s Internet browsing histories. The rest included a combination of email and instant messenger records, details about search engine queries, information about social media activity, logs related to hacking operations, and data on people’s use of tools to browse the Internet anonymously.
Lots more in the article. The Intercept also published 28 new top secret NSA and GCHQ documents.
In the wake of the Paris terrorist shootings, David Cameron has said that he wants to ban encryption in the UK. Here’s the quote: “If I am prime minister I will make sure that it is a comprehensive piece of legislation that does not allow terrorists safe space to communicate with each other.”
This is similar to FBI director James Comey’s remarks from last year. And it’s equally stupid.
Cory Doctorow has a good essay on Cameron’s proposal:
For David Cameron’s proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you’ve downloaded hasn’t been tampered with.
Cameron is not alone here. The regime he proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.
There’s a new story on the c’t magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties.
The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they’ve completed port scans of 27 different countries and are prepared to do more.
The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: “2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible.” They’ve automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify “a list of 3000+ potential ORBs” in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected.
Slides from the UK’s GCHQ also talk about ORB detection, as part of a program called MUGSHOT. It, too, is happy with the automatic process: “Initial ten fold increase in Orb identification rate over manual process.” There are also NSA slides that talk about the hacking process, but there’s not much new in them.
The slides never say how many of the “potential ORBs” CSEC discovers or the computers that register positive in GCHQ’s “Orb identification” are actually infected, but they’re all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA.
Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks.
The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that. In this case, the reporters have said nothing about where the documents come from. I don’t know if this is an omission—these documents sure look like the sorts of things that come from the Snowden archive—or if there is yet another leaker.