Comment by kmeisthax

1 day ago

What the politicians want is partial security: something they can crack but criminals can't. That is achievable in physical security, but not in cybersecurity.

I have a feeling the politicians already know partial cybersecurity isn't an option, and don't care. Certainly, the intelligence community advising them absolutely does know. We don't even have to be conspiratorial about it: their jobs are easier in the world where secrets are illegal than in the world where hackers actually get stopped.

> That is achievable in physical security, but not in cybersecurity.

Not with physical security either, I'm afraid.

  • With physical security the state apparatus can provide physical security in the form of police and what not, as well as deterrence and punishment.

    In the world of cryptography it's... a bit harder to do something similar. In the best case they can come up with a key escrow system that doesn't suck too much, force you to use it, and hopefully they don't ever get the master keys hacked and stolen or leaked. But they're not asking for key escrow. They're asking for providers to be the escrow agents or whatever worse thing they come up with.

> That is achievable in physical security, but not in cybersecurity

This isn't accurate, though, and leads us down the path of trying to prevent these bad laws from a technical perspective when we should be fighting the principle of the bad law, not just decrying it for being "unworkable".

It is possible to construct encryption schemes with a "backdoor key" while still being provably secure against anyone else.

This creates precisely the "partial security" you describe: Criminals can't crack the encryption, but the government can use their backdoor-key.

But like those who argue online age-consent schemes can't work, it doesn't help to argue against the technical aspects of such bad laws. The law, particularly UK law, doesn't care for what's technically possible. The bad laws can sit on the books regardless of the technical feasibility of enforcement. Eventually technology can catch up, or the law can simply be applied on a best endeavours / selective enforcement approach.

  • > This creates precisely the "partial security" you describe: Criminals can't crack the encryption, but the government can use their backdoor-key.

    No, it doesn't. Now criminals just have to get the key. These schemes have been tried many times. They've been discovered by actors that shouldn't have access to them.

    Please don't go around advising government leaders and organizations. This is exactly the problem-solving capabilities of governmental leaders that security experts are decrying here in this thread.

    I honestly thought your comment was going to go along the lines of: perfect physical security can only be perfectly secure from everyone, including the people it shouldn't be. We constantly see the hacking of physical locations. The big things keeping some orgs from being attacked: redundancy, observability, and ENCRYPTION WITHOUT BACKDOORS!

  • And what happens when someone in the government inevitably leaks the key either intentionally or because of a hack?