Sky falls as cellphone encryption is cracked
Apollo
December 29, 2009, 2:12pm
There seems to be an element of "The sky is falling!" in the reports of cellphone encryption being cracked.

BBC News - Secret mobile phone codes cracked

Apart from the story seeming to be one of a "brute force" attack to break the codes, rather than some clever coding, and made possible by advances in hardware rather than software, I wonder if this is really the great problem the report and its producers seek to make it.

I only ask the question because of the way things were, in the bad old days.

Mobile phones, private mobile radio, police, fire, ambulance, and any number of similar services used to be broadcast on conventional AM and FM systems (as were the communications of the Armed Services, using other modulation techniques needing only slightly more advanced receivers) which anyone could listen in on with fairly basic kit.

There didn't seem to be a great problem then, even though the same folk, or their equivalent at the time, were still jumping up and down, warning of all sorts of security issues.

Fact is, if you want secure comms, you should use a secure comms system, not a public system that happens to use algorithms to convert their content, and which can be easily accessed as they are in the public domain.

That said, reading some stories, it would seem that those tasked with providing secure comms links don't even do as good a job as could be achieved simply using a mobile phone, so maybe, times are indeed changing.

It's probably pointless noting that no-one really wants to develop an unbreakable system, since the law says you can have one, and use it, but if you don't make it so the authorities can bypass it, you can "Go directly to jail", and if you use it and they want to see what you said, if you don't hand them the key to open the encryption, you will also "Go to jail" for up to two years by refusing.

Perhaps something that might merit a rethink?
BenCooper
December 29, 2009, 2:26pm
Unbreakable systems already exist - someone was jailed recently for refusing to decrypt a couple of hard drives encrypted with PGP, and it seems that even the security services couldn't get into them.

Really, once the police or security services work out that the communication exists, you've lost - anonymity is a much better way to go than hard encryption. Free email accounts, free phone SIM cards, even old-fashioned tricks like dead-letter drops or modern versions like USB microdrives hidden in a public place (see Geotagging) will be a much better way to communicate securely.

Yet another case of security policy being written by people who don't have the faintest idea of what they're doing...
Apollo
December 29, 2009, 3:31pm
All too true, although I would have thought that PGP encryption would still have fallen to a brute-force attack. Couldn't the security services have borrowed a supercomputer, or couldn't they be bothered waiting?

As you rightly point out, the way to real security is not to place a trail in place in the first place, then even basic encryption works just fine, as it baulks the casual observer, and if there's no trail to follow, then...

The security policy point is also well taken, and was classically illustrated on the morning news after the underwear bomber was featured on all the news programmes the other morning.

By chance, I watched one security authority speak on the need to push forward with the installation of more advanced technology and detectors at airports, in order to detect the materials being smuggled on board aircraft for assembly into bombs on board.

By similar chance, as I changed channels I was treated to a similar authority explaining that the dependence on technology and detectors had now clearly been shown to be the wrong way to tackle this problem, and it was now essential to stop diverting funds to this - which would be horrendously expensive to install in every airport - and use the money to improve the methods of identifying individuals who were actively plotting such acts. The speaker pointed out that the UK had refused this particular individual a visa, but that the Americans were unaware, and there was not even a system in place to inform them of this simple fact.

If I was involved in this sort of activity, option two would worry me more than option 1. Detectors can always be circumvented, but behaviour is very hard to hide if being effectively analysed.
BenCooper
December 29, 2009, 5:29pm
Yes, this latest aircraft bomber was using PETN, with probably a nitroglycerin trigger - built properly, there's no way that could be detected other than a strip search. Even trying, with sensitive sniffers or something, would cause so many false positives it'd take a week to clear security.

I have a vague hope that security measures are being taken in the background which are much more intelligent than X-raying people's shoes or making mothers drink their own breast milk - it's a naive hope, possibly, but the alternative is that the terrorists are smarter than us...
Apollo
January 15, 2010, 1:41pm
To follow on from the above posting that noted that there are not any "unbreakable" systems, merely systems that once would have taken so long to break, they were considered to be effectively unbreakable - but would still ultimately yield to a sufficiently determined, and patient, attack.

I was reminded of this when I saw a report on the very subject today, written in light of the cellphone encryption crack.

In this, one industry expert was suggesting that the time had come when a second level of security was needed as well as encryption, in order to ensure that data was secure. This could be by the addition of a PIN system, or some biometric method. Only by combining two independent systems could security be ensured.

As an example of the failure of encryption alone, it was noted that another form of data encryption, 768-bit RSA encryption, was cracked by researchers who used distributed computing power to process numbers, finding the key to unlock data. A more secure form of that encryption, 1,024-bit encryption, has not been cracked, but the researchers involved said that it would take another decade to crack that encryption. But that will probably be beaten sooner, as methods improve.

A paper has been published, and it gives an idea of what was involved as the RSA encryption was cracked by brute force. The team harnessed a vast amount of computing power to find the key that unlocked the encryption, and used hundreds of computers in a massive task that took two years:

"On a single core 2.2 GHz AMD Opteron processor with 2 GB RAM per core, [this process] would have taken about fifteen hundred years," noted the 22-page paper.

Though the decryption still involved the use of massive computing power, not the sort of thing every criminal has in their bedroom, the research has demonstrated that it is possible for anyone who can amass that amount of computing power to break that method of encryption.

It may be worth bearing in mind, and reflecting on the millions that the tiny handful of spammers who are brought to the American courts appear to be able to amass, and the capable people they can/could buy. It might also be worth reflecting further on the fact some of the most talented hackers don't even care about money.