User: Password:
|
|
Subscribe / Log in / New account

Security quotes of the week

Security quotes of the week

Posted Jul 19, 2012 22:28 UTC (Thu) by nix (subscriber, #2304)
Parent article: Security quotes of the week

Trigger warning: The first post is notably paranoid (the poster appears not to grasp the difference between the text of a law and the way it is applied, confuses the law with a computer program, and assumes that judges have no discretion), but some of its comments devolve into frothing anti-semitism.

(If this is Falkvinge's normal degree of paranoia, and his usual commentariat, my liking for the Pirate Party has gone down several notches. I assumed they were basing their policy positions on the actual rank injustices seen throughout the 'intellectual property' system, but it appears I was wrong: paranoia is the order of the day over there. Note that the UK government has never prosecuted anyone under RIPA for refusing to provide encryption keys to files full of astronomical noise, and if they tried to do so the judge would laugh them out of court. They know this, so they don't try. RIPA is unjust and hateful enough that puffing it up with hyperbole like this should be unnecessary and only damages the anti-RIPA position.)


(Log in to post comments)

Security quotes of the week

Posted Jul 19, 2012 22:55 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

RIPA _allows_ to do just that. The fact that it was not used yet is irrelevant, because RIPA itself has not been used much at all.

However, nobody can't guarantee that this situation would stay forever.

Security quotes of the week

Posted Jul 19, 2012 23:18 UTC (Thu) by nix (subscriber, #2304) [Link]

That sort of reason is why RIPA has mandatory provisions for judicial oversight. The police cannot use RIPA without getting permission from a judge, and because it's a bit of a political hot potato with the obvious proving-a-negative problems, they don't hand out permission without a pretty good case. This law cannot be used for fishing expeditions -- at least not unless someone nobbles a judge.)

Security quotes of the week

Posted Jul 19, 2012 23:27 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Yeah, sure.

Like the US CALEA also requires judicial oversight of all wiretaps. With grand total of ZERO denied requests out of hundreds thousands.

Meanwhile, RIPA is being used to catch dog foulers: http://www.telegraph.co.uk/news/uknews/1584808/Council-sp...

Security quotes of the week

Posted Jul 20, 2012 13:28 UTC (Fri) by nix (subscriber, #2304) [Link]

The US and UK judicial systems are very different and can't be compared like that.

The covert surveillance article you link to is four years old: when this came out, it caused enough of a scandal when it came out that councils were ordered to stop by the very Labour central government that introduced the powers in the fist place: <http://news.bbc.co.uk/1/hi/uk_politics/8003123.stm>. The council you linked to later lost legal cases over the same matter: <http://www.bbc.co.uk/news/uk-england-dorset-10839104>, and stopped spying on account of its being a PR disaster: <http://www.bbc.co.uk/news/uk-england-hampshire-17926819>. A shame they quietly started again a year later.

Note that the powers the councils were using in these cases have nothing to do with the contentious encryption parts of RIPA discussed elsewhere in this thread: RIPA was a dog's-breakfast of an Act throwing together a whole bunch of stuff, some a good idea, some very much not. Some councils did very stupid things using anti-terrorism legislation and were told to stop (ostensibly because dog foulers are not terrorists, but actually because it's a PR disaster waiting to happen). The encryption parts of RIPA relate to the police -- the surveillance parts relate to local councils as well, and it's *those* busybody-stuffed excrescences on the state that have been abusing RIPA and invading privacy left right and centre.

Since slapping councils' wrists hasn't stopped them from spying, this got enacted: <http://www.legislation.gov.uk/ukpga/2012/9/part/2/chapter...> which beefs up the judicial oversight (though part of it is still odious, notably the part which says that legal representatives of the surveilled need not be informed of the surveillance. I note that this law doesn't say that surveillance requests can be rejected on grounds of unreasonableness, though I suspect that won't stop judges from doing so).

(Disclaimer: IANAL, obviously.)

Security quotes of the week

Posted Jul 20, 2012 13:54 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, you obviously have more faith in judicial system than I do. However, I'd very much prefer if all laws were created with the expectations of the worst possible abuse.

Security quotes of the week

Posted Jul 24, 2012 7:08 UTC (Tue) by kleptog (subscriber, #1183) [Link]

That won't work. The "worst possible abuse" is that someone bought the police, the politicians, the judge and the jury. I'm afraid nothing is going to save you from that.

The real world has no guarantees. There are no unbreakable rules you can build a perfectly secure legal system on. You have to draw a line somewhere and say everything under that line we have to trust works. And then keep checking it is working. The price of freedom is eternal vigilance and all that.

If you think the politicians are doing a bad job, I'd suggest getting involved to try and fix it. A bit like open source in general really.

Security quotes of the week

Posted Jul 19, 2012 23:05 UTC (Thu) by jake (editor, #205) [Link]

> Note that the UK government has never prosecuted anyone under RIPA
> for refusing to provide encryption keys to files full of astronomical
> noise, and if they tried to do so the judge would laugh them out of court.

is there some foolproof way to distinguish between an encrypted file and one containing astronomical noise?

jake

Security quotes of the week

Posted Jul 19, 2012 23:16 UTC (Thu) by nix (subscriber, #2304) [Link]

No, but the law does not require 'foolproof'. That's why judges have discretion, and why laws that prevent judges from exercising that discretion are so bad.

(Honestly, the police aren't likely to realise that a bunch of random noise *is* encrypted unless it has a header from a major encryption program attached to it, and if you keep files of astronomical noise around you probably have a reason for it which you can tell the judge. Most people don't keep files of white noise lying around just for the hell of it. Now the law *is* evil: among other things, it presumes that people who keep encrypted stuff around are either hiding something from the police or don't mind the police rifling through their private stuff, which is an unjustified assumption. But it's not *quite* as bad as all that, and Falkvinge's complaint is making a mountain out of, not a molehill, but a worm cast.)

Security quotes of the week

Posted Jul 20, 2012 0:09 UTC (Fri) by jake (editor, #205) [Link]

> Honestly, the police aren't likely to realise that a bunch of random
> noise *is* encrypted unless it has a header from a major encryption
> program attached to it

hmm, you seem to have some faith in police and judges that I lack I guess ... since you can't *prove* in any sense of that term that any random data you have lying around isn't some kind of encrypted "bad stuff" (defined, of course, by said police and judges), it just gives them license to lock you up for not providing the "key" should they wish to ...

not at all saying this is some UK-specific problem, btw, I imagine these kinds of games could be played anywhere ...

jake

Security quotes of the week

Posted Jul 20, 2012 13:06 UTC (Fri) by nix (subscriber, #2304) [Link]

Note that judges in the UK are not elected, so don't have to pander to the lowest common denominator, make every decision in the light of future election campaigns, and so forth. Faith in the judiciary in the UK is a *lot* higher than in the US, and is not declining. This may not always be justified, but the judiciary (the libel-tourist-friendly antics of Mr Justice Eady notwithstanding) is a lot more trustworthy, and trusted, than most other arms of UK public life right now.

suspicious-looking random files

Posted Jul 21, 2012 0:08 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

This raises a question I haven't encountered before: for many purposes for which encryption is used, the very existence of the document might be what you're trying to keep private. So is there a common encryption format that doesn't make it obvious that the file is encrypted?

I guess that wouldn't be enough. A carefully preserved file of random data with no header at all would obviously be something encrypted. You'd probably have to go full steganography and make the file appear to be something else (like a telescope image).

suspicious-looking random files

Posted Jul 21, 2012 13:46 UTC (Sat) by nix (subscriber, #2304) [Link]

If you really wanted an evil approach to hiding confidential data, build up a Gentoo or other source-based system, then encrypt your data and conceal it in plausible-sounding ELF sections in chosen binaries (sections that could perfectly well be there otherwise, are often quite large, but have little impact if filled with arbitrary junk: .debug_types in a file that actually has its debugging information in DWARF 3, something like that). (If you want to be really evil, take a legitimate ELF section and perturb it, using alternate representations of DIEs and instruction choices and the like to steganographically encode your data.)

Note that the binaries still work because the addition of a non-loaded section won't affect them at all. Hash checking for modified binaries to find the hacked ones won't work because the distro is source-based and everyone has different hashes anyway. Looking at the binaries to find suspiciously random info won't work because binaries have lots of random info in them anyway (this would be doubly true if DWARF debugging sections were gzipped, but they're not, oh well). The only way anyone would find info stashed in a random-but-plausible ELF section like this is to know what e.g. a legitimate .debug_types section looks like, dump all of them and find the ones that don't look right -- and nobody's going to do that who doesn't already know what they'll find. And even that will be fooled by the steg-encoding approach.

Security quotes of the week

Posted Jul 20, 2012 13:04 UTC (Fri) by james (subscriber, #1325) [Link]

This is something that really would need a qualified English or Welsh lawyer (which I am not), but reading the sections of the Act (linked to in the original post), it strikes me that
  • Section 49 notices only "appl[y] where ... protected information has come into the possession of any person" with suitable statutory powers: it would be for the prosecution to prove beyond all reasonable doubt that this was a Section 49 notice, and if the data was not "protected information", then the alleged Section 49 notice was not a Section 49 notice;
  • "a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—
    (a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and
    (b) the contrary is not proved beyond a reasonable doubt",
    which appears to be a very weak standard for the defence to meet: I would presume that the defendant would merely have to give evidence that he or she did not possess the key to "raise an issue".
In any case, the offence would be an "either-way" case, triable either before three lay magistrates with a maximum six month prison sentence, or before a jury in the Crown Court. In "either way" cases, the defendant can always elect to be tried by jury.

Security quotes of the week

Posted Jul 20, 2012 16:16 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

> I would presume that the defendant would merely have to give evidence that he or she did not possess the key to "raise an issue".

You make that sound so easy. What would count as evidence that you did _not_ possess a key capable of decrypting an arbitrary random-looking binary file? The key could be anything; the only real evidence that you _didn't_ have it is all in your head.

The requirement should be the other way around: they should have to prove that you did have the key, i.e. that you've decrypted the same file before, _and_ that the key is still in your possession. Even then, I would support your right to refuse to provide the key (without penalty), but then I've never been a fan of forced testimony, self-incriminating or otherwise.

Security quotes of the week

Posted Jul 20, 2012 16:28 UTC (Fri) by james (subscriber, #1325) [Link]

Sorry, I can see how that wasn't clear.

Try this: I would presume that the defendant would merely have to testify under oath that he or she did not possess the key to "raise an issue".

Security quotes of the week

Posted Jul 26, 2012 11:50 UTC (Thu) by farnz (subscriber, #17727) [Link]

Certainly in the UK, and I believe in the US (whose system derives from ours), a simple statement under oath is evidence, and has to be countered by stronger evidence.

So, if you were in court under Section 49, and said under oath "I do not possess the key", it would be up to the prosecution to demonstrate that your statement was not believable (for example, by showing evidence that you had decrypted the file recently).

It's one of the things that, until a recent discussion with a lawyer, confused me about the legal system here; "sufficient evidence" apparently just means "will swear under oath, and has convincing explanations that counter any evidence presented by the other side". So, the police claim "nybble41 has hidden encrypted terror instructions in his photographs of a cat"; you can literally say to that "no, I didn't", and you've presented sufficient evidence.

It gets more complex if the police have more than just a bald statement; for example, if the police said "we saw nybble41 run 'convert catphoto.jpg -cdl 42.txt catphoto.png' and we believe that he was inserting encrypted instructions from 42.txt into catphoto.png". You could then explain about ImageMagick color description lists, and still convince a judge you didn't have the key.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds