- entry 2015/11/21

Legislating mathematics

It gets worse. Governor Chris Christie has called for a no-fly zone in Syria and, managing to utterly miss what is actually happening, has even gone as far as saying that they would shoot down Russian jets to maintain the no-fly zone.
Eight Republican senators back this action, two are against it, two have no opinion. The primary excuse for the Americans marching in to declare a no-fly zone in another sovereign state is to attempt to stop the president of Syria from dropping bombs on his own people.
America, with all due respect, What The Hell?
The chance to do something positive in Syria was years ago. Now we (the Europeans) are looking to do something about ISIS. But I suppose the Americans would rather threaten to blow Russian planes out of the air in preference to forming any sort of alliance with Hezbollah or ever agreeing to do anything jointly with Russia.

The thing it seems America fails to realise is that the caliphate of the Islamic State is not a place. It isn't a country, they can't threaten trade embargoes. It is an idealism, a belief. It transcends borders and cultures. For France and Belgium both are starting to realise the scale of the problem on their own home soil as well as the situation in Syria. America's policies hark from the previous decade, plus a huge dollop of refusal to work with people on a common goal if they are somewhere nominated as "the bad guys". Sure, it is extremely weird seeing France and Russia engaging in a common goal given the politics of the past few years; but given that fanatical Islamists consider damn near everybody (Jews, Christians, and other Muslims) to be the enemy, one might say that the conclusion of a common goal might be more valuable in the long run than squabbles that have been played out endlessly through history.

Or, to put it more bluntly yet: France and Russia are doing something. May be the right thing, may be the wrong thing. History will tell looking back, but for now they're doing something. America, on the other hand, has presidential candidate Donald Trump implying that he would be open to the idea of a database of Muslims living in the United States. This, on top of more than half of the states of the United States stating that Syrian refugees are not welcome.

Hillary Clinton, who clearly knows little bout basic security practice given her email gaffe, has basically requested the tech companies to weaken their encryption and stop treating the government as an adversary.
She fails on two very big and very important points:

• Firstly, the government, especially the US government, is an adversary. Thanks to Edward Snowden, we now have some idea of the scope of the snooping carried out by the likes of the NSA on targets both within the country and overseas. Just as advert blocking has been on the rise as advertising gets more and more offensive, encryption will be on the rise as citizens wish to keep their private lives private. The situation in the US is a mess of secret orders, secret courts, and so damn many secrets I'm surprised anybody at all has a clue. And when the cat was out of the bag, the NSA made moves to not spy on everybody in America. Well, actually, they kept that agreement. Now they're spying on everybody from somewhere else.
  Over this side of the ocean, but really applicable on either side, those in power have shown time and again that they simply cannot be trusted with personal data. The level of contempt shown towards the citizens when their data, perhaps important or sensitive data, is lost or misplaced, is absolutely staggering. And the whole EU Safe Harbor has collapsed given that there is no American company capable of fulfilling basic European citizens' rights when handling their data in the US. If our data isn't valuable, why does everybody want to get their mitts on it?
  Is it any wonder that normal people are turning to encryption?
• Secondly, proper encryption is a mathematical process. You can legislate it all you want - and it is worth noting that Senators once nearly redefined Pi by legislation - but the most primal and basic truth of the matter is that the value of an encryption scheme depends upon its mathematical exactitude. The maths does not care what it is encrypting, messages between terrorists, state secrets, or the latest episode of iZombie. It is just a sequence of data in, a sequence of data out, and a means to be able to reconstruct the input data legitimately while making it somewhere between damn hard and impossible to recreate it otherwise. A popular method is the partially shared secret, as demonstrated by PGP. The public key contains sufficient information to encode a message, but it requires the private key to decode it. Only the owner has the private key, and the contents of the private key can't be realistically determined by analysis of the public key.

Sure. Terrorists may be using encryption and social media to communicate and spread their message. But, let me ask you this, terrorists are also using guns. Will we see America not only trying to ban strong encryption but also banning guns? I doubt it. Terrorists will make use of social media and the like because they can. Acts of terror existed before we had Circles and Friends and +1s; and if all this goes away (if the public manages to get bored with reposting each others crap infinitely), then terrorism will continue. Such acts of brutality neither require nor depend upon social media nor encryption. They depend more upon global news media providing wall to wall coverage afterwards, as this is what scares people.

Now, note that while some Bad Guys have apparently been using Telegram, there does not appear to be any intelligence suggesting the attacks in Paris made use of encryption. So, if you advocate to weaken encryption on the basis of terrorism, you are doing everybody a disservice.

• Firstly, strong encryption exists. Governments can attempt to classify it as munitions, but the secret is out there. Also, it seems that there are some clever minds around and they don't all reside in American academia. Ordinary citizens might be stripped of the ability to encrypt their information, this won't touch Bad Guys (and in that definition I count everybody from drug lords to terrorists). Remember, folks, that if people will be breaking laws in the course of their dealings, an extra law isn't going to bother them. You'd have to be pretty clueless to think that "hey, gunning down a hundred is fine but encrypting the master plan is just too far". Really, get real.
• Why should a citizen need encryption anyway? If you have nothing to fear...
  I'm not an unkind person, but I really wish Anonymous would utterly trash the digital life of every prat that utters that statement. We rely on subtle forms of encryption all the time. I can feel reasonably confident that my WiFi will not be shared with random passers by because the AP uses WPA2/AES with an insane key, and no WPS. So if somebody wants to piggyback off of an accessible AP to get their fix of kiddie porn, they'll keep on walking. This is important when APs do not attempt any logging of when and how connections are made to it, and the authorities seem to think that an IP address is sufficient proof of guilt. A honeypot would record the IP address, and there will be scant trace of what happened. The internet box might record the device's MAC address, but how many people would even know to look for that?
  We all (should) use encryption (from POP3 or IMAP SSL and HTTPS through to VPN) when using mobile devices on public APs. Do you think I connect to read my email when I'm at McDonalds spaffing my login details in the clear? Don't be stupid.
• Weak encryption is useless. Encryption needs to be strong to be effective. I don't use WEP on my AP because WEP is crap. I don't use WPS because WPS is crap. Both have been shown to have vulnerabilities that make it possible for a generic middle-of-the-road computer to compromise such a network in a fairly short time - in 2007 some researchers cracked a WEP network in under a minute of data capture plus a negligible amount of processing power. Likewise, due to some crappy design, a WPS key can be retrieved in a couple of hours. That is, assuming one has to bother at all.
  If a WEP/WPS router can be compromised in a few hours (that's well within the timeframe of hiding a netbook PC near the target for a while in the early hours to do its thing unmanned, perhaps checked up on via VNC), what good is any other sort of weak encryption?
• Back doors are the very worst idea. For if a backdoor exists, then the data cannot be said to be encrypted, merely obfuscated. You might as well use ROT13. Twice, just to make it that much more difficult. This doesn't get around the basic fact that a backdoor is effective so long as the secret is kept. Now this means there will need to be very few people in the world who know the secret, it cannot be divulged to other authorities no matter how much they might bitch about needing it as an absolute necessity in law enforcement, and the mere knowledge of a back door will concentrate minds in countries that are not your friends (and some that are) to finding it. And once it is known, and once it is disclosed that the backdoor is secured with p@$$w0rd, then the entire backdoored encryption - all of it - every single thing - is utterly useless and accessible. For citizens and governments alike.

Do I feel safer? In a word, No. It isn't because of recent events, but those events have highlighted the underlying issue. Apparently several of the actors in the Paris attack "were known to security services". Where have we heard that phrase before? Oh, how about pretty much every act of terror that happens in the West? France's security watch list apparently amounts to some 11,500 people. The government absolutely does not need to be granting the government or security agencies more powers to pry into innocent people's lives. It has been shown over and over that they can't keep track of the people they know about, so throwing a metric tonne of irrelevant rubbish at them is going to further degrade their abilities. Maybe, since I'm resident in France, somebody has noticed this post from keyword matching and has had to go find somebody fluent in English to read all of this twaddle to realise that I'm not planning to be the next idiot to try blowing up the Eiffel Tower (hell, I've never even been to Paris...). Well, good for you, security people.....you've just wasted how many minutes? The governments are utterly failing their citizens if they think that more surveillance powers are the solution. That's wrong. The solution is more investment in the security agencies. If they can't keep tabs on all of those who are suspected, then what good are they? Don't lose sight of this in some short term paranoia. Indeed, France recently passed a dubious surveillance law just last month and, yet, this horrible attack happened. The populace should not be put under general surveillance, the suspected should be targeted specifically with enough manpower to do so. Otherwise, what's the point?
I write this, incidentally, as France has extended its "State of Emergency" (that technically means it becomes a police state) to three months.
I'm not sure that I feel more protected.

I don't know what the long term solution is. There is growing Islamophobia on both sides of the Atlantic. The idea of slamming the door to refugees or tracking people of a specific religion ought to be unconstitutional; and in Europe there is growing nationalist sentiment fed up of both the failings of the EU and the issue of immigration both in and out of EU member states. An Islamophobia that threatens to radicalise more people. While some terrorists are Muslims, not all Muslims are terrorists. I really don't imagine any of them would appreciate being treated like one just because their concept of God is different.

Your comments:

Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
 
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.

Gavin Wraith, 22nd November 2015, 19:57

I remember Joe Taylor entertaining the students with the Indiana Pi bill farce. At least there were some senators who knew nonsense when they heard it. A mathematical education is even rarer now than then, alas.

ROT13, 23rd November 2015, 21:20

"You might as well use ROT13. Twice, just to make it that much more difficult."  Class!

Add a comment (v0.11) [help?] . . . try the comment feed!
		Your name
		Your email	(optional)
		Validation	Are you real? Please type 32468 backwards.
		Your comment