Diffstat (limited to 'paper.ms')
-rw-r--r-- paper.ms 259
1 files changed, 259 insertions, 0 deletions
diff --git a/paper.ms b/paper.ms
new file mode 100644
index 0000000..ce6b01f
--- /dev/null
+++ b/paper.ms
@@ -0,0 +1,259 @@
+.R1
+short-label D.y
+sort spec
+.R2
+.TL
+Title
+.AU
+Mohit Agarwal
+.AI
+February 2022
+.LP
+Encryption offers a level of security and confidence for communications
+that has not previously been seen. This offers individuals with the
+ability to communicate with each other in a way that is practically
+immune from eavesdropping of any sort. Naturally, this does mean that
+malicious actors such as criminals and terrorists be able to use
+encryption in order to commit crimes or enable acts of terror. In
+response to the threats of encryption and communications technology
+generally, governments have often engaged in signals intelligence
+(SIGINT) such as phone line tapping. Modern SIGINT initiatives have
+become incredibly complex and sophisticated and have grown greatly as
+popular adoption of technology has grown. Part of government interest
+in SIGINT is a direct response to percieved threads, such as the
+Patriot Act in the US which followed the 2001 terrorist attacks with
+the objective of strengthening national security (cite). State
+sponsored SIGINT programmes aim to respond to encryption and other
+technological developments with the primary interest of overcoming it
+in order to prevent terror and crime. These measures have, however,
+had arguably limited efffectiveness and have violated the privacy of
+individuals who are not suspected of being a threat to national
+security. The way we respond to encryption as a society will clearly
+be significant, and the success of government responses to encryption
+in relation to issues such as terror and crime are rather significant.
+A failure of effective response could allow terrorism to occur in ways
+previously unseen, however an overreaction threatens people's civil
+liberties and could easily be exploited for reasons other than
+prevention of crime and terror. The successes and failures of
+government responses can be judged in various ways.
+
+.IP i. 5
+To what extent does encryption enable either crime or terror?
+.IP ii. 5
+Does the increased mainstream adoption of encryption better enable
+crime or terror?
+.IP iii. 5
+Is combatting encryption an effective way to combat crime/terror?
+.LP
+
+An argument is often made against digital privacy in the interest of
+national security. With access to communications and usage history law
+enforcement and government can quickly discover large amounts of
+information useful in a criminal investigation or in preventing
+criminal activity. Graham{#CTC terrorists} explores the use of
+encryption by terrorists which is often cited in a reason for giving
+governments access to unencrypted Internet communications so that
+suspicious activity can be flagged and investigated in order to
+prevent a terror attack or in order to better respond in the case of
+an attack. Graham describes the extensive use of end to end encryption
+used by terrorists in order to avoid interception by the authorities.
+Due to US usage of intercepted communications to uncover and prevent a
+number of al-Qa'ida plots, the terrorist organisation and other
+terrorist groups have increasingly used encrypted communications (read
+citation from Graham). An significant factor is the use of
+non-mainstreams software in early use of encryption by terrorists,
+including a program that built a wrapper around the popular, secure,
+and open source PGP called \fIMujahedeen secrets\fR. Although now
+terrorists and criminals use widely available, popular, and
+user-friendly software such as the Tails operating system or Telegram
+(Graham citation 28), terrorists organisations have shown an ability
+to make use of more obscure and complicated systems, as well as use
+publicly available source code in order to construct software for
+operatives to use.
+
+Although the issue of popular messaging technologies and their support
+for 'end-to-end encryption' is often discussed, the argument that the
+introduction of end-to-end encryption by large companies such as
+Facebook gives an advantage to criminals {conversation Facebook}{home
+office} is arguably an entirely invalid one. By preventing the usage
+of true end-to-end encryption in industry, we will not be able to
+prevent those attempting to evade the law from doing so, as shown in
+the case of terrorist organisations who have used more obscure
+software in the past and also in the case of the abundance of illegal
+activity that occurs on the so called dark web in the form of the
+trade of drugs and child pornography among others (cite). Instead the
+limitation of use of encryption on popular software will only decrease
+the privacy of those uninterested in criminal activity and instead
+using technology to communicate. In the case of platforms such as
+Instagram (which is owned by Facebook) it is quite clear that the vast
+majority of communications (cite) will not contain anything illegal
+(reword) and that it is these conversations that will suffer from a
+lack of encryption. The information exposed by Edward Snowden in 2013
+demonstrates that the US government has processed and collected vast
+amounts of unencrypted data (cite) and likely continues to do so. In
+the case of unencrypted messaging the problem remains and preventing
+end to end encryption will simply allow governments to maintain the
+status quo of being able to intercept and read all communications
+between its citizens and individuals outside of their jurisdictions.
+
+In order to conduct the vast amounts of surveillance they did in the
+GDR (German Democratic Republic) in support of the ruling party
+{Jarausch}, the Stasi gathered information from a vast network of
+informants who greatly outnumbered Stasi agents {Bruce 2014}. Whilst
+in Nazi Germany there may have been around one Gestapo agent for every
+2300 citizens, in the GDR it was closer to one informant or officer for
+every 63 citizens. Those living in the GDR often had experiences
+involving investigation by the Stasi and there was clearly an
+understanding amongst citizens {funder} of the GDR that one had to be
+wary of an informant or agent listening in. In modern western society
+there is a similar collective understanding that governments
+attempting to carry out surveillance on a massive scale on their own
+citizens. A key distinction, however, is that in societies such as the
+UK, this work is not carried out by a vast network of informants,
+there are no gargantuan gargantuan stores of paper, and there are no
+hundreds of miles of film (cite all) documenting and aiding the
+surveillance of the authorities. Instead, the level of surveillance
+that large, secretive groups of individuals once had to carry out in
+order to enable a surveillance state can be performed instead through
+bureaucracies and technological methods. In modern times, governments
+can operate with a very limited number of operatives `on the ground`,
+and instead focus attention on the giant amounts of data they have for
+processing in order to make the findings they intend to: be it crime,
+terrorism, or - as was the case with the Gestapo and Stasi - descent.
+
+As with any technology, regulation has followed behind development in
+an attempt to control its limits. Much as automotive regulation
+followed the increase in popularity of cars in areas such as the UK
+and US, regulation will no doubt follow the newfound popularity of
+heavy encryption. There are however, difference in the case of
+encryption when compared to cars. The rate of change with modern
+technology is far greater. There are already discussions about quantum
+computers and their potential to overcome current encryption methods.
+In the case of encryption regulation will continuously struggle to
+control encryption methods due in part to how quickly they change, but
+perhaps moreso due to their decentralised nature, where a government
+cannot prevent the existence of software that enables encryption which
+is open source and reproducible internationally. Just as media privacy
+through torrents and access to hidden services over tor are possible
+without significant regulation, regulation of encryption may prove
+impossible. An arguably useful tool to the authorities does exist in
+the hardware and infrastructure that users of the internet rely on.
+Firstly, the vast majority (cite) of users in the foreseeable future
+will continue to use the highly popular CPUs designed by Intel.
+Concerns have already been expressed {Intel Management portnoy} with regard to
+the Intel Management Engine that exists on modern processors produced
+by Intel. Should governments chose that backdoor access is essential,
+then this presence in hardware around the world alongside an influence
+over Intel (a US based company) to give access to governments may
+provide them with the ability to access information directly from the
+target's hardware rather than having to intercept information in
+transit. This would go for other hardware vendors such as AMD or ARM
+also. Whether or not companies such as Intel would open backdoors to
+governments is up for debate, however we are aware that in the case of
+the Intel Management there was potentially an ability for it to be
+disabled by US government authorities such as the NSA, demonstrating a
+level of leverage the US government potentially has over organisations
+including but not limited to Intel {register kill switch}{intel me
+bleepingcomputer}.
+Regardless of the level of influence governments might or
+might not hold over private corporations, the potential exists for
+systems built into non-open hardware which most people, even those
+using open software use, leaving them more open to exploitation from
+either state or private actors. Furthermore, there is a visible
+interest in increasing the presence of technologies on the hardware
+level, including the aforementioned Intel Management Engine, the
+Trusted Platform Module (cite), and recently Microsoft's Pluton (cite)
+subsystem, which will be present on hardware sold in the future. This
+variety of hardware within a single computer is a rather interesting
+and potentially worrying development, particularly with the clear
+level influence, interest, and competitiveness both the US {US House
+chip manufacturing bill} and Chinese governments (cite) are
+respectively showing (the US and China are the two largest chip
+manufacturers (cite, reword)).
+
+Is discussion on this useful?
+Individuals around the world have clearly expressed interest in
+matters of privacy and encryption (cite) and open source software
+allows those with the technical skills to become involved in the
+development of technology that enables strong encryption and avoids
+state surveillance. Measures taken by governments to prevent this
+development will doubtless be limited unless extreme actions such as
+those seen in China are taken. Otherwise, development will continue to
+occur in both free and non free societies in support of individual
+freedoms. The assertion of `Linus' law` that "given enough eyeballs,
+all bugs are shallow" (cite - CathBaz) creates a serious inability
+for actors such as governments to engineer backdoors into software as
+the NSA previously has (cite) or to prevent the development of
+software altogether (find example). On the other hand, a significant
+amount of the software and hardware
+
+The discussion of encryption and related technologies has arguably
+limited impact. State actors such as the NSA will continue to act
+against individual freedoms and attempt to find or introduce backdoors
+in technology that is widely used as part of its actions purportedly
+in the interest of `national security`. Although public reactions to
+information such as the 2013 Edward Snowden releases have been very
+strong, they have not had significant effects on legislature, the
+funding received by the NSA, and quite possibly the level of
+surveillance carried out by the NSA (cite all). Thus, from recent
+history, discussions in public or private spheres are unlikely to
+influence decisions made inside already secretive agencies where
+governments are ready to except that sacrifices must be made for the
+greater good. Of course, the issue arises when surveillance exists
+that does not exist simply to protect a nation, but instead mass,
+indiscriminate surveillance is carried out on citizens not suspected
+of any criminal or terrorist activity such as the Optic Nerve
+program in the United Kingdom (cite), however governments nonetheless
+prove willing to fund the activities of surveillance agencies.
+Furthermore, there are options available to authorities that are
+regularly made use of. (Give example from Graham)
+
+Modern cryptographic algorithms are `cryptographically secure`; the
+underlying theoretical concepts mean that breaking the encryption to
+intercept a communication is possible only through a brute-force
+attack and is therefore, due to the nature of the algorithm. This
+however, does not consider implementational flaws.
+
+.nr HY 0
+.ad l
+Intro
+ Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008
+
+Cryptography
+ https://wikiless.org/wiki/Kerckhoffs%27s_principle?lang=en
+ Timing Attacks
+ RSA
+
+Spectre and Meltdown (disucss speculative execution)
+ https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
+ https://www.nytimes.com/2018/01/03/business/computer-flaws.html
+ https://support.apple.com/en-us/HT208394
+ https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/
+ https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
+ -- Speculative execution?
+
+IME/Pluton -- backdoors
+ https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/
+ https://www.techrepublic.com/article/why-the-nsa-may-not-need-backdoors/
+ Disabled on new ThinkPads: https://www.theregister.com/2022/01/20/microsoft_amd_pluton_lenovo/
+
+Heatbleed (2014) (occured in open source software)
+
+RISC V
+
+Government
+ https://rules.house.gov/bill/117/hr-4521
+
+ https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
+ https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
+ https://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption
+ https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html
+ !! https://wikiless.org/wiki/Dual_EC_DRBG
+ https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220
+ https://web.archive.org/web/20131223121638/http://blogs.rsa.com/news-media-2/rsa-response/
+ https://www.technologyreview.com/2012/04/04/186902/how-china-blocks-the-tor-anonymity-network/
+ https://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html
+
+ Leahy Law
+
+{firewall}
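Review bot: The closing cryptography paragraph (the lines starting "+Modern cryptographic algorithms") has a sentence that stops before its predicate ("and is therefore, due to the nature of the algorithm.") and states that interception is "possible only through a brute-force attack", which is stronger than the rest of the file supports. The regulation paragraph already mentions quantum computers overcoming current encryption methods, and the notes outline lists timing attacks, Dual_EC_DRBG and Heartbleed. I would finish the sentence and scope the claim to the algorithm itself (no known attack better than brute force under current assumptions), then use the outline items as the examples of implementation flaws and deliberate weakening that the last sentence alludes to. The paragraph ending "a significant amount of the software and hardware" is cut off in the same way. Separately, everything after ".nr HY 0" and ".ad l" is working notes and bare URLs that will be typeset as body text; move it to a separate notes file or comment it out before building. The ".R1"/".R2" block sets up refer, but citations are written as "{Jarausch}", "{#CTC terrorists}" and "(cite)", which refer will not resolve; they need ".[" and ".]" entries. ".TL" is still the placeholder "Title" and ".AI" carries the date rather than an institution. Spelling to fix while here: "percieved threads", "efffectiveness", "descent" (dissent), "ready to except", the doubled "gargantuan", "media privacy through torrents" (piracy?), "Heatbleed", "disucss".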