
SoylentNews is people

posted by on Monday December 05 2016, @07:28PM
from the that-why-we-should-read-it-first dept.

Kieren McCarthy at The Register has an interesting article discussing the inclusion of encryption backdoors in the recently passed Investigatory Powers Act, also known as the Snooper's Charter.

Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.

As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.

[...] As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops – such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications.

Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored.

[...] In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.

[...] To be fair, there were some fears that Blighty's law would effectively kill off the UK software industry as well as undermine Brits' privacy, and expose them to surveillance and hacking by criminals exploiting these mandatory backdoors. This mild panic did bring about some changes to the UK's Investigatory Powers Bill before it was passed.

The question is: were the changes sufficient?



 
This discussion has been archived. No new comments can be posted.
  • (Score: 2, Insightful) by Anonymous Coward on Monday December 05 2016, @10:32PM (#437428)

    How are they going to stop people writing their own encryption code?

    I'm hardly a genius, but even with my mediocre mathematical and programming skills, I could probably throw something together that would be at least a minor inconvenience to "them." It would be nothing like professional quality but it might slow them down by a few hours, assuming someone noticed and wanted to look.

    I'm sure there are millions of other people like me who have a bit of an education and access to programming tools.

    They don't need to.

    1) Writing good encryption code is *hard*, even if you know the math behind it. See all the security problems that have been found through professional products throughout the years, including TrueCrypt. They are usually fixed, but that they exist is proof enough.
    2) How many people do you know who have the knowledge, interest, and the resources (including time) to do this?
    3) The harder you make it to install encryption, the fewer people will do so. Compare the default encryption of iPhones (millions of people have them, only a handful of "terrorists", huge false-positive rate), to a home brew solution (a couple of dozen people have them, a handful of "terrorists", a much less bad false-positive rate, and more resources can be spent to crack each individual machine).
    4) The mere fact it is illegal will reduce usage. Consider how trivial it is to pick a lock (with a bump key it takes merely seconds). Yet, how many people have locks, and how few locks actually get picked?

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday December 06 2016, @06:45AM (#437552)

    Or better yet, it’s UK, “give us your keys or wait in this nice prison we have here.”

  • (Score: 2) by Kromagv0 (1825) on Tuesday December 06 2016, @04:08PM (#437791) Homepage

    To be fair, the problems with TrueCrypt aren't with the encryption but with all the other stuff attached to it. That said, creating a good encryption algorithm is hard even for experts. For example, looking at the AES finalists, 256 bit versions only, Serpent, Twofish, and Mars were thought to have the highest security margin, with Rijndael viewed as being adequate. Turns out that Serpent's S-Boxes aren't as good [iacr.org] as initially believed. For Twofish there is a chosen plaintext attack that breaks it. However, AES seems to be having problems as there are 2 attacks that break it, although one is a related key attack.

    --
    T-Shirts and bumper stickers [zazzle.com] to offend someone