Comment by kmeisthax
1 day ago
What the politicians want is partial security: something they can crack but criminals can't. That is achievable in physical security, but not in cybersecurity.
I have a feeling the politicians already know partial cybersecurity isn't an option, and don't care. Certainly, the intelligence community advising them absolutely does know. We don't even have to be conspiratorial about it: their jobs are easier in the world where secrets are illegal than in the world where hackers actually get stopped.
> That is achievable in physical security, but not in cybersecurity
This isn't accurate though, and leads us down the path of trying to prevent these bad laws from a technical perspective when we should be fighting the principle of the bad law, not just decrying it for being "unworkable".
It is possible to construct encryption schemes with a "backdoor key" while still being provably secure against anyone else.
This creates precisely the "partial security" you describe: Criminals can't crack the encryption, but the government can use their backdoor-key.
But like those who argue online age-consent schemes can't work, it doesn't help to argue against the technical aspects of such bad laws. The law, particularly UK law, doesn't care for what's technically possible. The bad laws can sit on the books regardless of the technical feasibility of enforcement. Eventually technology can catch up, or the law can simply be applied on a best endeavours / selective enforcement approach.
And what happens when someone in the government inevitably leaks the key, either intentionally or because of a hack?
> That is achievable in physical security, but not in cybersecurity.
Not with physical security either, I'm afraid.
With physical security the state apparatus can provide physical security in the form of police and whatnot, as well as deterrence and punishment.
In the world of cryptography it's... a bit harder to do something similar. In the best case they can come up with a key escrow system that doesn't suck too much, force you to use it, and hopefully they don't ever get the master keys hacked and stolen or leaked. But they're not asking for key escrow. They're asking for providers to be the escrow agents or whatever worse thing they come up with.