Return to the Press page

LWN.net Weekly Edition for August 14, 2008

Udev rules and the management of the plumbing layer

Weekly edition	Kernel	Security	Distributions	Search
Archives	Calendar	Subscribe	Write for LWN	LWN.net FAQ

UK holds Microsoft security talks (BBC)

[Posted February 15, 2006 by corbet]

Here's a BBC article describing British concerns about the (DRM-inspired) encryption features in the upcoming Windows release. "Windows Vista is due to be rolled out later this year. Cambridge academic Ross Anderson told MPs it would mean more computer files being encrypted. He urged the government to look at establishing 'back door' ways of getting around encryptions. The Home Office later told the BBC News website it is in talks with Microsoft." That's the sort of thing that could inspire interest in free software desktops.

(Log in to post comments)

Posted Feb 15, 2006 15:43 UTC (Wed) by pbardet (subscriber, #22762) [Link]

Unfortunately, there is no real Open Source discussion here.
It's only about the government working out a way with MS to be able to access anyone's computer with a special key.
So now, not only you get less rights on the files legally purchased because of the DRM, but on top of that, the government can control it, and do even more on your computer.

I don't even think Open Source would do anything "positive" for the governement in this specific case, since you can encrypt any drive with open source tools without giving backdoor access to the government. I don't think they want the people to know about it, since that would mean less control.

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 15:47 UTC (Wed) by ewan (subscriber, #5533) [Link]

Free software crypto is just as affected by the Regulation of
Investigatory Powers Act, which includes the handy provision that
if you can't or won't come up with the encryption key when suitably
asked for it you can be jailed for that alone:
<http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#53>>

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 19:07 UTC (Wed) by copsewood (subscriber, #199) [Link]

"Regulation of Investigatory Powers Act, which includes the handy provision that if you can't or won't come up with the encryption key when suitably
asked for it you can be jailed for that alone"

And I wrote to my MP before they passed this stating that there could be circumstances in which I would elect to go to jail over this. If a criminal used a public key I only use for signing important stuff (e.g. within a future community currency network entity certification chain) to send me something encrypted with this key and the government jailed me for not disclosing it, then I could only maintain the credibility of the CC network and the reputation of my key within this network by asking those with an interest in its legal continuation to carry out acts of civil disobedience aimed at disrupting the process of UK government until my release. My signature is worthless in this connection if the government can forge it by this means.

There has been no test case yet where anyone has been jailed over this provision, and it seems unlikely that this provision would survive a sustained campaign by 1000 determined activists.

UK holds Microsoft security talks (BBC)

Posted Feb 16, 2006 4:24 UTC (Thu) by cortana (subscriber, #24596) [Link]

Hm... don't you have separate signing and encryption keys? So you can, at least, give up the key that allows the government to read the evil message without compromising your signing key.

You could also decrypt the evil message for the government and give them the plaintext. They are unlikely to be so cooperative, however.

UK holds Microsoft security talks (BBC)

Posted Feb 16, 2006 8:21 UTC (Thu) by Wol (guest, #4433) [Link]

You miss the point. It doesn't matter what YOU do, if you publish your public key you have no control over what anyone else does!

I may only use my private key for signing. If J Random Hacker decides to use the matching public key for encryption there's nothing I can do about it.

And with the law in question, if "I don't have the key" is no defense, then "I never use the key for encryption" will be even less effective.

Cheers,
Wol

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 19:20 UTC (Wed) by efexis (guest, #26355) [Link]

This doesn't mean much. If we look at the terrorist angle (which is only one), someone who is willing to sacrifice their life (or spend it in the fight) for their cause, being threatened prison time if you don't release information that will damage your cause, isn't going to do a fat lot.

Plus you still have to have someone to ask for the key. There'll be many times where this /isn't/ the case (for example, detecting keywords in network traffic, extracting info when the owner is unknown or has fled, incapacitated or deceased).

But all of this is a bit stupid, nobody who has anything that's worth protecting from the government (AND that the government would want - this rules out 95% of all that encryption is used for) is going to use an encryption method that the government has been in talks about establishing a backdoor for.

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 15:56 UTC (Wed) by nigelm (subscriber, #622) [Link]

I have to say I find the remarks attributed to Ross suspicious. I'd like to see an original source for these since they sound fishy.

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 16:02 UTC (Wed) by nigelm (subscriber, #622) [Link]

To follow this up, the meeting appears to be Session 2005-06 / PN No. 30 - TERRORISM DETENTION POWERS which was held on Tuesday 14 February 2006 at 10.15 a.m.

It appears to take ages to get minutes - and those can be rather sparse

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 18:14 UTC (Wed) by andy (guest, #21272) [Link]

Parliament TV has an archive of broadcasts which includes these select committee meetings I think. Could be this one:

mms://62.25.111.144/parliament/00004186.wmv

UK holds Microsoft security talks (BBC)

Posted Feb 17, 2006 0:04 UTC (Fri) by njhurst (guest, #6022) [Link]

It takes days to get minutes eh?

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 18:29 UTC (Wed) by dd9jn (subscriber, #4459) [Link]

Check out Ross' blog at http://www.lightbluetouchpaper.org/2006/02/13/forensics-a...

"I don’t see the Vista security mechanisms as being security for me,
but as security for them. It’s just not the same as the key escrow
debates of the 1990s - in which I opposed key escrow on principle.
The technology’s being used for different things here.

If you want privacy, use PGP - or better still, some low-observable
communication technology, such as throwaway prepaid mobile phones or
webmail accounts"

Thus is is explictly against DRM efforts.
The BBC story paints a another (wrong) picture.

UK holds Microsoft security talks (BBC)

Posted Feb 15, 2006 22:39 UTC (Wed) by andy (guest, #21272) [Link]

I think the BBC's account of what was *actually said* yesterday to the committee as at least as accurate as Ross' blog. All the quotes seem to be verbatim.

Listen to the recording (interesting bit is about an hour or so in).

The police (or the government) want to be able to hold a suspect 90 days (rather than 14 or 28) before charging them. They are using "increasing difficulty of decrypting seized hard drives" as one argument to support this. Ross claimed decryption is easy or impossible, so doesn't come into the argument. But he pointed out that under TPM things will get even harder unless the home office talk to microsoft *and* intel, "NOW rather than when the product ships".

Shame the BBC didn't give Ross' entire quote on the reasons for [microsoft's] introduction of this technology:
1) for DRM and
2) "to lock the customer in tightly and charge more for the product".

UK holds Microsoft security talks (BBC)

Posted Feb 16, 2006 8:01 UTC (Thu) by jd (guest, #26381) [Link]

IANAL, so the remainder of this post is pure and wild speculation. Imbibe plenty of sodium chloride when reading.

Although the Government is permitted access to data for national security reasons, under UK law, Microsoft is NOT permitted to install backdoors without the user's knowledge and consent. For the installer or upgrader to add such a backdoor, it would necessarily be conducting unauthorized activity on the user's computer, which would violate the Computer Misuse Act. Any such backdoor would need to be publicly declared and openly agreed to. Under the Data Protection Act, Microsoft would also be barred from holding any information that might associate a backdoor key with the user's personal information. Nor can such information be exported to Microsoft, as the EU bans the trade of personal information to countries that lack privacy laws (such as the US).

Also, backdoors might constitute a picklock. In the ruling of the case involving a hacker breaking into Prince Philip's PRESTEL mailbox, the court ruled that a digital key that existed for a fraction of a second (the hacker used a password guesser, I believe) was not a picklock, so by guessing keys, he was not "breaking and entering". A backdoor is essentially permanent, so that defense would not apply.

Although the UK Government couldn't realistically be touched for requesting such a backdoor, there MAY be ways Microsoft could be legally vulnerable if they supplied one, but even if they were, it would take a genius of a lawyer to pull off a stunt like that.

A different line of attack might be to put pressure on Euro MPs regarding the current Microsoft lawsuits. The more the EU hurts Microsoft now, the less likely Microsoft is to play ball with ANY European state on legal or security requirements. Besides which, they'd be less likely to risk further entanglements with the EU as a whole, no matter what any one member state wanted.

UK holds Microsoft security talks (BBC)

Posted Feb 16, 2006 19:18 UTC (Thu) by copsewood (subscriber, #199) [Link]

"Microsoft is NOT permitted to install backdoors without the user's knowledge and consent. For the installer or upgrader to add such a backdoor, it would necessarily be conducting unauthorized activity on the user's computer, which would violate the Computer Misuse Act."

The last time I actually read the Microsoft clickthrough agreement this was couched in terms that gives the user's consent to Microsoft to do whatever it likes. Sony selling a CD to play music with no or unclear information on the CD or packaging it comes with that installs a rootkit if an attempt is made to play the CD using a computer is another matter entirely.

The prestel exploit...

Posted Feb 18, 2006 17:20 UTC (Sat) by dps (subscriber, #5725) [Link]

Last time I heard about it there was a less well publicised telephone number that corresponded to a prestel test system. This, without any exploitation or prompting, told you the prestel administrator's user name and password. This was an early example of security through obscurity not working.

I suspect if the UK government does get a back door into windows vista that the law will be changed to allow it. I also suspect that there is no backdoor, or other key recovery/bypass technology, that is safe from abuse by criminals.

P.S. Last time I head about it not having the keys, and therefore being unable to decrypt the incriminating data, *is* a good enough excuse for neither doing it nor giving the authorities the required keys.