GCHQ’s not-so-smart idea to spy on encrypted messaging apps is branded ‘absolute madness’

Discussion in 'privacy general' started by mood, Nov 30, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,719
    GCHQ’s not-so-smart idea to spy on encrypted messaging apps is branded ‘absolute madness’
    November 30, 2018
    https://techcrunch.com/2018/11/30/g...d-messaging-apps-is-branded-absolute-madness/
     
  2. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    That will sure suck for normal people who arent doing any crime, but then again there'll be no reason for the government to spy normal people, after all the purpose is to catch criminals. And smart criminals can easily encrypt their messages with their own algorithm. Like, each letter becomes the letter 25 positions after it, and thus the messages looks random to anyone who doesnt know the pattern. Ofc, the pattern can be more complex. So really, this will only be useful for catching stupid criminals, not the smart ones. The latter can simply message each other without using the app's encryption but their own encryption that only they know
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    They can't do that in P2P mode, right? Because they're not involved. Unless the app itself is backdoored. But that'd be pretty easy to detect, so it'd be risky.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,805
    Location:
    UK
    Mass surveillance. Algorithmic pattern matching and scoring. False positives. Bingo!
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Pretty much pure nonsense. One of the most difficult things to do is roll your own crypto, that's why experts tells you not to do it. Use current crypto algorythms or you're opening yourself up for a world of pain. Criminals do not use their own cryptography, lol.

    Perhaps what you meant to say was create their own app? This is a lot easier today when you can easily set up your own WebRTC platform.
     
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    I don't have a huge understanding on this topic, but it doesn't take a genius to convert a letter to the one 25 letters after it, if that's what you mean by "roll your own crypto". And ofc that is just an exemplary pattern, a very simple one that would be easily brute-forced, but you get what I mean
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    You're talking about end-to-end encryption, I think. As others note, custom crypto (and/or security by obscurity) is generally a bad idea.
     
  8. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Care to explain why?
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
  10. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    654
    Unbreakable crypto, in 5 minutes. Super-simple

    Code:
    https://blog.xrds.acm.org/2012/08/unbreakable-cryptography-in-5-minutes/
    
    Simple XOR operation, with truly random key.

    Example ciphertext:
    GUIXVHULEBAMFGF

    Of course, that still does not solve the problem of securely passing the keys...
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    This is just a one-time-pad implementation, right?
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I should also have added that there isn't even a NEED for them to roll their own crypto. The original article is about "who runs the servers" not the crypto.

    So like I stated earlier: The simplest thing to do is roll your own app using webrtc (basically all communication apps today use webrtc).

    If they control the servers, the originally-posted-issue is invalidated.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Really?

    Maybe browser based stuff. But generally?
     
  14. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    654
    Yeah, its a one-time pad. So maybe not very practical for instant messaging or similar applications (?)
    But this is just for show that you don't need to be high math crypto geek to implement encryption.

    When I read all the news how this and that agency or government want's to ban encryption,
    I get this funny a feeling that they think it's something new that has just been invented o_Oo_Oo_O

    Heck, there was primitive ciphers even before Enigma :D
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Well, there's that old Illuminati (aka cataract surgeons) document that resisted decryption for decades. It was basically just a substitution cipher, as I recall.
     
  16. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    654
    Hmmm...Interesting, I have to dig some more info about that.
    I just love digging history stuff. :)

    And especially when you find things that were invented long time ago and can still resist the test of time (that Vernam cipher for example was invented before WWII)
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    12,722
    Location:
    UK
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I'm not aware of any mobile communications app that doesn't use WebRTC today. It is really easy to implement thanks to Chromium embedded.

    It's a good thing, you now know they don't use some crappy voice implementation.

    On the desktop, apps like Wire, Discord, Skype, etc all use WebRTC, usually via Electron (Chromium).

    WebRTC has created a simple standard for voice/text/data exchange, so successful you see apps like WebTorrent now using it, which you can argue is superior to standard torrenting thanks to the superior encryption mandated by WebRTC.

    I would also assume (although I have not verified) that it would provide you extra anonymity. Torrent data is easy to identify, but you can't tell what people are sending each other via a WebRTC transmission.
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,719
    GCHQ wants to be added to your chat groups, but won't even have the decency to contribute GIFs
    February 4, 2019
    https://www.theinquirer.net/inquire...wont-even-have-the-decency-to-contribute-gifs
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.