In the last few days, I’ve done a lot of media interviews talking about David Cameron’s proposal to spy on secure encrypted messaging services – which I believe is bone-headed.
Earlier this week I appeared on Radio Five Live, discussing the issue with Preston Byrne, the co-founder and the COO of Eris Industries, and Professor Anthony Glees, who heads the University of Buckingham’s Centre for Security and Intelligence Studies.
I think it would be fair to say that Professor Glees has a different point of view from Preston and myself.
But hear for yourself, and apologies in advance that I became rather “heated”:
https://api.soundcloud.com/tracks/186323339
My concern, as I express in the above recording, is that regular consumers and businesses will be put at risk if secure messaging systems are backdoored – as whenever a weakness is put in a system it could be exploited by bad guys as well as law enforcement.
Thanks to those of you who tuned in…
Brave fight by @gcluley on #5live about encryption backdoors but it's almost impossible to coherently argue with the wilfully ignorant.
— Robin (@rwstn) January 14, 2015
@gcluley caught the middle of it – whoever you was the govt bod u talking to hadn't a clue about a. Technology or b. How the Internet works
— Charlie #KBF #ShowYourSmile (@HawkeyeKnows) January 14, 2015
@gcluley in fact, you did well as I was screaming at the radio – can't pick any idiotic sound bites from him as there were so many..
— Charlie #KBF #ShowYourSmile (@HawkeyeKnows) January 14, 2015
@gcluley you did great on 5live today. You said exactly what I was trying to say if I wasn't speechless by all this!
— sonicated (@sonicated) January 14, 2015
@gcluley I'd put the PM's original comments down a kneejerk to be quickly hushed up. But to hear a government advisor so clueless. Just wow.
— The Duke Of Prunes (@duke_prunes) January 16, 2015
https://twitter.com/jenkojenkins/status/556063119173517312
https://twitter.com/webswonder/status/556063615879766017
As a side note, it has been reported today that a secret US internet security report concluded that encryption was vital to protect private data.
In the same report, it is claimed that UK spymasters GCHQ attempted to exploit vulnerabilities in Kaspersky antivirus software.
It’s a strange world, where reports of private companies being targeted by the UK intelligence agencies don’t leave me surprised anymore.
Interesting interview with Matt Green (Professor of maths at Johns Hopkins) on the NSA crypto issues and a nice round up of the Snowden stuff along with what others in deep crypto had been thinking anyway
http://threatpost.com/matthew-green-on-the-nsa-and-compromising-crypto-standards/110452
Definitely will be listening to this later (have something else on at this time and… since it is 4:36am I have plenty of time!)
But:
—
But hear for yourself, and apologies in advance that I became rather “heated”
—
I don't think you should apologise in the sense of truly being sorry (nothing really to be sorry about!). The only thing is being professional BUT – and here is the thing – I don't think they are in the position (i.e. aren't in authority in the sense of actual knowledge AND experience (the two together are critical!)) to even suggest something and so that they can frustrate (and there it is: frustration isn't bad, frustration is actually an emotion so it stands to reason that it can get 'heated' as you say (and it shows you are passionate about it… which has its own sincerity too!)) someone who is actually experienced (when they're trying to show experience with lack thereof). I'm sure I'll enjoy the interview, in any case. Besides, I know this: if it were me in the interview (never mind I wouldn't accept that – that is besides the point) it would be much worse than you (perhaps that's why I defend you, but still I think my points are valid indeed)!
As for being surprised: well yes, that's an interesting thing. But like you, nothing surprises me, and hasn't in a long, long time (which is sad but also important that I do because it makes me be always aware, always on the defence (and looking at things differently)).
Shame you use Soundcloud (which, according to Ghostery collects search history).
https://www.ghostery.com/en/apps/soundcloud
Don't feel inclined to enable it – so I'll have to find you on iPlayer.
Still, I'm pleased you're fighting this nonsense.
You can download an MP3 of the programme (for a limited time) here: http://www.bbc.co.uk/podcasts/series/jot
Oh dear oh dear oh dear if Mr Cameron gets his way I will be thrown straight back into the dark ages of actually having to once again physically walk into a bank branch to manage my accounts and never mind the awful thought of a return to paper bank statements. I won't be able to trust online banking or buying again, no more booking flights online, using Amazon, eBay etc etc etc. Trust will be gone, and dear Mr Cameron so will I…maybe to Labour or UKIP, who knows.
Can't see or hear the link. It appears to be down.
This is worse than what the Romanian ‘Securitatea’ used to do before 1989 when people had no privacy. I can't believe that Cameron is trying to strip UK out of encryption and its privacy. I think this may be correlated with some other initiatives such as Romania's new privacy law that would allow the Romanian Information Service to snoop on every phone communications and even gain access to all PCs from the country without a warrant on their own discretion.
Overall I think this is the worst campaign move Cameron has made and I hope he doesn't get re-elected. Now that lunatic Nigel Farage seems just a dog who barks compared to Cameron.
Anyway, nice talk you had there Graham and I hope you and other major UK tech influencers can turn this around.
Maybe the Prof should be talking to the guys who wrote this.
https://www.gov.uk/government/publications/10-steps-to-cyber-security-advice-sheets/10-steps-home-and-mobile-working–11
esp section 3.5 – protecting data in transit!
As a software developer (London based) writing an encryption product, I agreed with you completely.
In fact I was so annoyed by the Jeremy Vine show today on the same subject, that I phoned in to make the point that not only would there have to be a wholesale re-write of code, but should we implement a backdoor, would the UK Govt. indemnify companies for their losses should the backdoor be breached?
Encryption breaches involving the following would cause financial meltdown for the UK:-
Financial Sector (eg all Online Banking!)
BACS Payments (yes our monthly paychecks)
Medical Records
….. endless list
I would also point out that no UK software companies would be able to sell their products anywhere, who would trust a developer who would put a backdoor in their code?
In the piece, at 10:10 approximately the Prof says "It is possible to do this in such a way that totally secure software can be blocked". Is this a clue as to their thinking, to 'block' the use of "secure software" and only allow "back-doored software" somehow?
I was thinking that too. But then I also think of it as, they think it'll be more secure (that is the impression I got). But secure and backdoor are contradictory in one of the most extreme examples (of contradictions): they cannot coexist.
THANKFULLY, Graham is right: it isn't possible to block all secure software (or indeed whatever software they declare 'bad' even if that is all software). I've pointed this out before, and I am sure others have too, but it is incredibly amusing to think they can't get rid of software piracy (decades old, let's remember that!) and now they think they can stop legit software (i.e. make it illegal which is to say that it is just like pirated software but even harder to track because it was obtained legally and in many cases that is the only way it was obtained). If they can't prevent pirated software, what makes them think they can prevent software they declare illegal (but actually wasn't) ? It is so absurd it is hilarious (yet scary that they want this).
Listened to it some hours ago. My initial thoughts (that I still remember):
That other person – the one who has the title including 'intelligence' – was interrupting you and indeed by raising his voice. You, on the other hand, did not do that and frankly, if you did, it would be quite acceptable (you keeping things calm actually shows you have more self-control than he does). It is ironic that he makes it seem as if he is in the proper field, to suggest this but yet he also admits it is national security (what he means is security unrelated to computers and more like gathering of intelligence (something I'll get to momentarily) – and that is very different indeed). It is also ironic that he thinks it is as simple as a law, that would solve all the problems. Yes, because laws prevent crimes at a national level (this includes law to help national security!). Intelligence? One of the extreme signs of lack of intelligence (not counting politicians because that is one of the definitions of stupidity/unintelligent/etc.) is being unwilling to accept you don't know everything, you aren't perfect and even if you know a lot, you're willing to accept there is so much more you don't know (and consequently, you can learn more and therefore increase your understanding of things (contrast to outright dismiss)). He clearly fails there and so he's not (himself) all that bright. As for the intelligence gathering, I obviously can't judge him there (not having anything to judge by) but the other part makes one wonder. In addition, it is also ironic that he talks about how the US doesn't care about the security of the US when Cameron is (was ?) IN THE US and among things with the president, they DISCUSS: the GLOBAL THREAT (of what they claim they need encryption weakened for (which is absolutely false)) and even going so far as to make 'CYBER WAR GAMES' (I'll not even get started on that…). 
If they didn't care I would think it more like 'cyber war' (conveniently lacking the 'games') and it might be more arguing or if nothing else, certainly not wanting to work together on those threats (they do conveniently leave out the part that weakening encryption affects all users, not only the innocents they claim they'll be saving (!) but themselves and indeed the country(1)). Lastly, while I'm not sure I would define this as hissy fit, but it is very ironic indeed that he claims those in computer (and network) security (and clearly he knows because national security > computer security so he would know it all, just like the above) have a hissy fit when they want to weaken encryption… yet he was the one interrupting, raising his voice, unable to let others finish their thoughts (not to mention not being able to give anyone a chance in the first place (or accepting any other view: disagreement is fine, but that is different from not listening or accepting (or respecting) the thoughts/views of others)….
You're right: they don't understand the Internet (nothing new) but they are also arrogant enough to think (BELIEVE i.e. unrelated to any facts) it doesn't matter – that it just has to be what they want (control) and there is nothing to learn or accept as wrong: they're right and that's it (i.e. unintelligent at best).
1) If only it was possible to have them in a sandbox on a per-site basis. This way when they are buying something online, doing banking or logging in to (whatever it is they log in to), they are at risk. Then, we simply publicise a 0day for it. Yet I'm not sure they'd get it, still. In any case, yes, it is bonkers and it is worse than that.
This reminded me of the Home Office argument against making CB radio legal back in the late 1970s/early 1980s. Their public opinion was that if CB was made legal, it could be used by criminals to commit crime. It never occurred to them that criminals were unlikely to get a licence and buy radio equipment, that everyone else had access to, in order to commit a crime.
You did great, and hopefully you'll get asked to some more of these 'interviews'
I'd like to make a suggestion: It's no good trying to point out, rationally, that Cameron (and the various agencies) are demanding something that's unworkable. The more you try to explain, the more they will insist that 'It can be done! It shall be done! You're with us or against us!'.
So I would like to hear you and all the other experts say something like this – Encryption is mathematics. There are thousands of text books and academic papers that explain encryption. Anyone who wants to encrypt a message can look in a book, encrypt their message, and no one in the world can decrypt it.
So Mr Cameron will have to burn every text book that discusses encryption to make his dream come true. But it still won't work, because even after all those books have been burned, the same mathematics is available in other countries. And even if you can get every other country to burn all their books, what do you do about the people who have read those books?
It's not about Windows and iPads; that's the worst argument you can make – they will just say 'we will legislate!' It's about the fact that anyone can spend a couple of hours writing a perl script to encrypt a message, and if the professor can't manage to do that, it does not mean that a terrorist group can't either.
Also, the professor said that encryption without a back door can be outlawed. He's correct. But the response should have been that machine guns are already outlawed, and that didn't stop the terrorists in France…
I'm saying get ready for the next interview, because these people are evil. They will use every dirty trick in the book. Rational argument is worthless. Fight fire with fire. If they say you want lawlessness on the Internet, reply that they want mass book burnings. If they say you're having a hissy fit because you want to sell security, reply that they are having a hissy fit because they just realised after twenty years that they can't see how much you paid for your car insurance.
We are scientists and engineers. We struggle with politics. The voters can be convinced that 2+2=5. It's not their fault; it's human nature. Humans are not computers. Humans are scared that they will be gunned down, and Cameron is saying "give me a back door and I'll keep you from being gunned down!" You can't counter that with a business case, or a discussion on the nature of open source software. You counter that by saying "They'll still gun you down, and they'll also take your savings and your house so your children get nothing after they've killed you!"
Well I didn't want this to be a rant, but it is. Ho hum :)
I don't see it as a rant. But consider this:
"It's no good trying to point out, rationally" is – in my mind – a contradiction of "But the response should have been that machine guns are already outlawed, and that didn't stop". Your point is still valid in a sense, though: there is no logic in the equation – politicians and logic don't mix very well. But that also means it doesn't matter what method is used – it won't change their mind. There's something else to consider, however, and something that your suggestion would potentially make less likely. Keep in mind the interview is not for them – it is for those listening to it. That means viewers who might actually have some sensibility, do get something out of it. So actually, explaining the issue is the best way. The more education there is, the better off the issue is. As you have pointed out, as others – myself included – laws don't change reality. However, the more people that agree with it, the less likely it will be addressed (that's why civil rights takes quite some effort by large groups of people, to get anywhere (better stated to potentially get anywhere)).
You should try to make a diagram/infographic about how encryption works and why backdoors are not secure. That way people who don't know security will still be able to understand how completely and utterly mental this proposal is.
The government representative seriously believes that government snooping = "bringing law to the lawless internet"? He imagines that government snoopers are going to be bothered with guarding the backdoors against criminal snoopers and fraudsters? He knows nothing about software or "intelligence" operations. GCHQ won't concern themselves with our vulnerability to criminal snooping, only about exploiting our vulnerability to them.
Requiring backdoors will result in legalizing online vulnerability to criminals of law-abiding people and organizations. They may as well pass a law requiring everyone to have one of those fake rocks by our front doors with our key in it.
??? professor of what? taking advice from GCHQ! I'm sure he was told the whole truth!!!!!!!!!!! I feel a sense of irony coming on. If I were a malevolent miscreant I think I might be able to find pre-computing crypto method for sending and receiving secrets.
Ironically Graham mentioned one of the first (I think it might have been the very first) methods used for cryptograms on the 13th of this month: ROT13. Yes, the favourite of Julius Caesar. I seem to recall that years ago, when Netscape was around, their email client actually had a ROT13 encode/decode functionality. But then there's many other things, too. Pigeons used in WW2, for example. Actually, not long ago some country (want to say Vietnam) thought they were being spied on by the Chinese, and they were indeed pigeons (but they weren't spying and they weren't Chinese). There's many other things that can be done, of course, and there always will be. They're playing a game they think they can win if they change regulations but the fact is security is a constantly evolving thing and laws will never be able to keep up – it really does not take any break in time; it is always evolving. They're basically trying to shoot a target, while on a slow vehicle (let's say a tank) when the target is on the back of a vehicle powered by a rocket engine. In the end they will use whatever excuse is available, to have more power and control, even if both leads to less safe standards (that they claim will be the opposite). That's nothing new, though. The only things that change over time (even if just severity of): their excuse(s).
Scary. How do these people end up being advisers for the government? Take this example from Oct 2014, a peer (for those outside the UK, they are kind of unelected politicians who are above normal parliament) who sits on the "digital skills" committee didn't even know about Google Maps (yes – this story is from Oct 2014) it's so sad and hilarious at the same time http://www.dailymail.co.uk/news/article-2802349/baroness-lords-tech-panel-left-bamboozled-google-peer-fire-admitting-knew-internet-giant-s-maps-feature.html
Isn't the really scary thing what the professor said about what the experts at GCHQ had said, that it IS possible to enforce strict control over what software can be used? What measures would be necessary to do that? Rather extreme ones would be my guess.