Free Republic

Encryption is either secure or it’s not – there is no middle ground
HelpNet Security | 5 April 2021 | Sebastian Schaub

Posted on 04/09/2021 4:17:17 AM PDT by ShadowAce

The principle of end-to-end encryption underpins a system of communication where only the communicating users can read the messages. To this end, it exists to prevent any potential eavesdroppers (telecom providers, internet providers, law enforcement agencies) from being able to access the cryptographic keys needed to decrypt the conversation.

Adopting new rules

We remain deeply concerned, therefore, that the Council of the European Union is seeking to adopt new rules that would effectively do away with encryption. At the end of last year, they released a five-page resolution that called for the EU to pass new rules to govern the use of end-to-end encryption in Europe. We are completely against this resolution as it effectively ends the notion of true encryption.

There’s no such thing as strong encryption if you allow the institution of backdoors for government or law enforcement officials – and don’t believe any politicians who say otherwise – they are, at best, ill-informed. The most important takeaway here is that encryption is either secure or it is not. Users either have privacy or they do not.

Weak encryption

We strongly believe that encryption is the very foundation of the internet. Every citizen needs encryption to safeguard their data and to offer themselves protection against hackers and other malicious online forces. Politicians will argue that they see backdoors as an easier way to thwart all manner of crimes, ranging from terrorist attacks through to drug trafficking. However, by effectively quashing end-to-end encryption, the government disregards all the other crime that effective encryption protects citizens from.

By calling on technology companies to find ways to bypass encryption so that law enforcement agencies can quickly access a suspect’s messages or device, we may end up with weak encryption. And weak encryption is, in our opinion, the same as no encryption.

We understand the need to combat online criminal activity in all of its various guises, but we do not believe that weakening encryption will solve that. Indeed, weakening encryption is actually counterproductive. For example, putting pressure on popular messaging apps to have a backdoor in their encryption doesn’t deter criminals from establishing their own encryption services.

Business impact

There is an impact on businesses, too. Many organizations use end-to-end encryption for protecting their trade secrets and classified information. And what about the impact on many of the apps that we all use to communicate? These apps are underpinned by a zero-knowledge ethos which means that users don’t need to worry about being tracked or monetized and can exercise their right to privacy.

The Council of the European Union’s proposed resolution is all the more surprising in light of the General Data Protection Regulation (GDPR). This model for data protection legislation is very much in favor of robust encryption as an elementary technology to ensure the right to privacy (for citizens).

Ultimately, adopting this resolution would severely undermine the trust that individuals and businesses place in end-to-end encrypted services. It also threatens the security of users who merely wish to share information securely. When politicians expect the introduction of encryption backdoors, they completely miss the point regarding security and privacy. They are effectively asking us to say no to security.


TOPICS: Computers/Internet
KEYWORDS: security

1 posted on 04/09/2021 4:17:17 AM PDT by ShadowAce

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

Tech Security Ping!

2 posted on 04/09/2021 4:17:42 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

Shadow, I am a systems engineer, too. Or I should say I was one.

I ended up in storage, and saw the disk drive migrate from an electromechanical device, whose challenges were performance and reliability, into a nightmare of software “security” considerations.

I always wondered why. The disk drive should simply store encrypted data, just as any data.

There are probably many answers, but I think the primary is that people want the impossible from “security”. There is always a time factor to security. Encryption, or any security measure, can only provide a probability of security which diminishes with time. Eventually, all security is cracked.

At least that’s my take on it.


3 posted on 04/09/2021 4:33:56 AM PDT by Empire_of_Liberty

To: Empire_of_Liberty
I agree. Even one-way hashes can be cracked given enough horsepower and time.

The (current) key is to make the encryption difficult enough to make it not worth the time/effort to crack it. Putting in backdoors for "gov't use" just negates that. Someone will find it easier to just find the backdoor or to phish it from the people who have them. And someone will always succeed because most people (especially gov't employees) are on the left side of the Bell curve.

4 posted on 04/09/2021 4:42:11 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce
> Someone will find it easier to just find the backdoor or to phish it from the people who have them. And someone will always succeed because most people (especially gov't employees) are on the left side of the Bell curve.

Bears repeating!

I'm passing this article along to our Global Threat Management, SecOps and Legal folks this morning. I'm certain our GTM and SecOps folks know about this, not sure our Legal folks do.

Can't wait for the EU regulators to demand a backdoor into our systems. We'll pull our data centers in London, Ireland and Luxembourg out of there in a big hurry. We'll fail them over to our U.S. Data Centers and that'll be that.

Stupid politicians.

5 posted on 04/09/2021 4:53:41 AM PDT by usconservative (When The Ballot Box No Longer Counts, The Ammunition Box Does. (What's In Your Ammo Box?))

To: ShadowAce

There is no secure. There is only highly secure.

The offense always has the advantage over the defense.


6 posted on 04/09/2021 5:11:48 AM PDT by Blueflag

To: ShadowAce

The EU is the heart and soul of what is called the DEEP STATE...they have always been up to no good.


7 posted on 04/09/2021 5:49:40 AM PDT by Halgr (Once a Marine, always a Marine - Semper Fi)

To: ShadowAce

Remember CSS: copy protection for DVDs crumbled when a player manufacturer inadequately secured a key. Found, it was widely disseminated quickly.

Remember TSA: locks compatible with secret physical master keys were authorized to secure luggage. Wired Magazine published a photo of the master keys; duplicates were for sale on eBay within 3 hours.


8 posted on 04/09/2021 5:58:18 AM PDT by ctdonath2 (The claim of consensus is the first refuge of scoundrels.)

I’d be interested to know if there are freepers out there who use GPG/PGP.

It’s not good crypto unless the source code for the algorithms is fully documented, preferably by source.


9 posted on 04/09/2021 6:15:07 AM PDT by zeugma (Stop deluding yourself that America is still a free country.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce

The original German Enigma machine was used to secure corporate communications between company HQ and foreign offices. It was used as the basis for the machine later adopted & developed by the German Wehrmacht.

So almost from the advent of telegraphy there was a recognized need for encryption to secure private communications.


10 posted on 04/09/2021 6:26:16 AM PDT by Tallguy

To: Blueflag
> There is no secure. There is only highly secure.
>
> The offense always has the advantage over the defense.

WORD!

11 posted on 04/09/2021 7:34:29 AM PDT by Natty Bumppo@frontier.net (We are the dangerous ones, who stand between all we love and a more dangerous world.)

To: zeugma
> I'd be interested to know if there are freepers out there who use GPG/PGP.

I do. And I also have a copy of the PGP book, purchased when there was all the discussion in government circles about embargoing encryption. I still remember all the legal eagles saying that publishing the algorithms in book form trumps the embargo of source.

Remember the T-shirts that had DECSS printed on them?

Says the guy that keyed Small C from Dr. Dobbs those many years ago.

12 posted on 04/09/2021 8:00:39 AM PDT by asinclair (Political hot air is a renewable energy resource)

To: asinclair

People have largely forgotten the crap that Phil Zimmermann went through regarding PGP. The associated documentation was actually a pretty good primer on encryption.

I had a copy of Schneier’s Applied Cryptography. It went walking from my office at work one day, sadly. It’s still relevant today. Bruce has been writing a lot in recent years of some of the pitfalls associated with the modern spy state, both governmental, and non.


13 posted on 04/09/2021 8:23:59 AM PDT by zeugma (Stop deluding yourself that America is still a free country.)

To: Empire_of_Liberty

Good take.


14 posted on 04/09/2021 8:49:56 AM PDT by 2 Kool 2 Be 4-Gotten

To: asinclair

Btw... My PGP key is on my FR homepage


15 posted on 04/09/2021 11:06:35 AM PDT by zeugma (Stop deluding yourself that America is still a free country.)

To: zeugma; asinclair; ShadowAce
> I’d be interested to know if there are freepers out there who use GPG/PGP.

Absolutely yes. Have used it since the late 90's for all sorts of things. Originally PhilZ's PGP, then when it got bought out, I had licenses for the PGP commercial product, and eventually converted over to GnuPG (GPG) and have used that since.

Started out with 2048-bit keys, now only use 4096.

I believe in it, and frankly it's the one I trust the most. And even it gets bug fixes from time to time (via Ubuntu apt-get).

Nothing's perfect but GnuPG is pretty damn good.

16 posted on 04/09/2021 1:01:09 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
