Amber Rudd – part 2

No answer to my message to Ms Rudd about internet encryption. It’s possible my email didn’t arrive, and possible it did but her reply got lost in cyberspace. I’ve emailed my MP, Alastair Burt asking him to look into it. We’ll see if he replies. I might have to resort to paper in the snailmail!

Apologies

Some low-life, or more likely some automated script, hacked my website and scattered so many files around I ran out of disk space and hence people trying to contact me on Oct 16 got a ‘Mailbox full’ message. Sanity has now been restored.

For the techies, using Cpanel file manager I got my password changed by the hosting company, deleted all the dodgy looking files and directories from public_html, downloaded the rest of public_html to my desktop and ran ClamAV on the whole directory. Didn’t find anything. Hope that’s all…

Message to Amber Rudd

Dear Ms Rudd,

A few days ago I read a headline on the Independent “Amber Rudd admits she doesn’t understand WhatsApp technology but intends to ‘combat it’’.

(http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-imessage-encryption-facebook-apple-amber-rudd-conservative-conference-a7979811.html)

Headline writers do tend to over emphasise stories to get readers’ interest, but the story contains a quote from you, apparently uttered at a party conference event, “I don’t need to understand how encryption works to understand how it’s helping – end-to-end encryption – the criminals. I will engage with the security services to find the best way to combat that”.

Then two more quotes from the Indy,

“It’s so easy to be patronised in this business,” she said. “We will do our best to understand it.”

“We will take advice from other people but I do feel that there is a sea of criticism for any of us who try and legislate in new areas, who will automatically be sneered at and laughed at for not getting it right.”

If I promise not to sneer or laugh, can I help you understand it? Before you say or do anything that will get you both sneered and laughed at, and could have more serious consequences.

Encryption is based on maths and you can’t ban maths. Now the principle is understood any decent mathematician could re-invent a similar system anytime he/she chose. When PGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy)

was invented in 1991 the US government tried to classify it as a military secret and prevent its export outside the USA, but by then the inventor had already shared it with friends and colleagues and the secret was out. Even if he hadn’t some other mathematician would have come up with the same idea sooner or later. It’s not the only encryption method but it’s common and it can be used by anyone.

The first thing to note is that encryption of some sort is vital to how much of modern life functions, the little padlock symbol you see in the address bar of your browser shows that encryption is being used when you visit a secure website, your online bank for example, or the .gov.uk site where one pays tax or claims benefits. Banning encryption is impossible unless you want North Korean levels of surveillance and control.

You could of course ban companies that provide encrypted messaging services from operating in the UK. Or you could allow such companies to operate only if they introduced a system whereby messages were recorded unencrypted somewhere before being encrypted and sent, and ensuring that that stash of unencrypted messages could be viewed by law enforcement officers with the right warrants.

There are several snags to this apparently simple plan. Wherever the messages are stored they will sooner or later be hacked. The threat of that happening will deter anyone with something to hide, whether it’s information of use to terrorists or A Level exam questions from using the system, they will look for something more secure. The knowledge that messages can be read by law enforcement officers provides an even stronger deterrent to use by miscreants. That’s nothing new, when criminals realised the police could intercept their letters and steam open the envelopes they stopped planning bank robberies by post. Similarly once wire tapping became standard practice for investigators criminals became careful about what they said on the phone. If you ban Facebook or WhatsApp from using encryption people will find an alternative.

Probably the simplest is to virtually offshore your communications. You might be aware that many British ex-pats like to watch BBC TV, and that BBC output is freely available online in the UK using iPlayer. But not to expats, if you try to access iPlayer from an IP address outside the UK, it is assumed you are not paying a UK TV licence fee and the service is blocked. Unless you use a UK based proxy server, which many, many ex-pats do.

In essence it’s very simple. Someone sets up a webserver (or lots of them) in the UK to which ex-pats can subscribe, paying a small fee or being subject to adverts to pay for the service. The server lists BBC programs available from iPlayer. The ex-pat chooses one and the UK-based server connects to iPlayer, receives the stream of data then resends to the cheating ex-pat. I suspect one could quite easily do something similar with other communications systems.

You could try to ban proxy servers in the UK to stop abuse of the BBCs service, but there are legitimate business and privacy reasons for using them, people don’t always want others to know who they are or where they are. In the case of foreign proxies, they are way beyond your jurisdiction. If someone in, say, DePfefflistan set up a website where one could download the .boris version of WhatsApp there would be little you could do.

Then you get into the Whack-a-mole scenario, you ban WhatsApp and within days, if not hours, someone launches Wotzapp, WattsApp and so on. Encryption is easy to use, web developers are two a dollar in most of the world and the internet runs on free software. And then even if you could find a way to stop all these new messaging services springing up, there’s email.

I’m not a mathematician, I’m not a software developer or IT expert, so let me give you the non-maths, low tech version of how PGP can be used with old-fashioned email.

To use PGP you need a piece of software, freely available online (http://openpgp.org/), that creates two encryption keys, known as a keypair. One key is a ‘private key’ the other a ‘public key’. The former you store on your computer (phone, tablet, whatever) the latter you give out to friends, contacts or broadcast on the internet if you wish. The keys are created such that any message encrypted using the public key can only be decrypted using the private key. Anyone can have the public key, but only the person with the private key can read the message. It is impossible to figure out from the public key what the private key looks like.

You need to make sure your email client software is aware of the private key and where you filed it, but this is usually just a point and click affair. When you receive an encrypted message the software uses your private key to decrypt the message.

You can also append your contacts public keys to your addressbook system so that you can encode a message to them.

This system is the basis of secure email as used by governments and commercial organisations everywhere, in most cases the IT department sets it up and user knows nothing about it. Something similar happens when you use a messaging app or online banking, your web browser sends your public key to your contact, bank, whatever and it uses that key to send you an encrypted message with its public key which your browser uses to confirm that you are now securely connected.

PGP it is simple to implement, if I can do it in a few minutes so can terrorists and other criminals. Unlike commercial applications such as WhatsApp, email is universal and operates on standard protocols. Anyone can set up an email server, it doesn’t have to be one of the big IT corporations where you might have some influence, it can be a £20 computer in a shed somewhere.

Don’t despair though. You cannot un-invent encryption, and you can’t stop people using it but the law enforcement and security organisations can and do get a lot of information by simply finding out who is sending messages to whom, where from and how often. And who is responding. On the web that’s hard to hide, though using systems like Tor do make it tricky. There is probably more info to be gleaned from looking at suspects’ use of readily available private messaging systems than there is from trying to gain access to these systems and driving the people of interest into using even harder to trace methods.

Finally, please stop making statements that suggest that you don’t need to understand something in order to combat it. It may win plaudits from a few technophobes but anyone who thinks for a moment will see how stupid it is. You don’t need to be an expert any more than the health secretary needs to be an oncologist to combat cancer, but you do need to have some concept of what you are trying to achieve. Mandating the impossible just leads to disappointment.

I’ve written to a couple of MPs in the past, and in most cases received a standard, ‘Mr/Ms xxx wishes to thank you for your communication…’ from their office. One never knows if the MP actually read it, I assume they didn’t and I suspect you won’t either. I’ll just have to wait and see if you make any more ill informed comments about encryption, or worse still try to enact legislation on the matter.

Writing Magazine

When I’m not writing technical features for money (or DIYing the boat) I try to write fiction. I attend a local writing group and a while ago a publisher, Collette Smith, from Writing Magazine joined us. For her it’s research, trying to get inside the heads of her customers, but it set me thinking. Writers use software and, it often seems to me, pay over the odds for it. I’ve used free software for years and written about it in techie magazines and on industry websites, so why not try a simple guide to free software for writers?

Here it is. (PDF approx 400KB)

And here is a sidebar I wrote to go with it which the magazine put online rather than in the print version.

Nextcloud(2)

As promised the server now runs Nextcloud and MySQL. Unfortunately Nextcloud was forked from the latest version of ownCloud and requires the latest ownCloud client on the desktop. Which wasn’t supported by my operating system a LTS version of Linux Mint based on Ubuntu 14.10. So I waited for the next KDE version of Mint to arrive, which it did in September. Now Nextcloud syncs everything with my desktop, which is fine except that the desktop is temporarily set up in the garage of our temporary accommodation. Until we move to our (hopefully) final destination I’m using an old (Bodhi Linux) laptop which runs the client fine, but I daren’t sync too much because the disk isn’t that big.

The other ‘interesting’ issue is remote access to the server which is being blocked somewhere. It’s fine via the LAN but not via the Internet. I’m beginning to wonder if my new ISP contract has something to do with it, even though it’s the same company. More on this when I get to the bottom of it.

Nextcloud

I’ve blogged about ownCloud before, and written a couple of features about it for MM. Unlike a lot of software that I’ve installed, tested, written about then forgotten, ownCloud is in regular use.

My entire /home/phil directory is synced to an ownCloud server, which is just an old Athlon 3500+ desktop sat in my office, and I can access it from anywhere with an internet connection. It’s so convenient I’ve installed the client on my wife’s PC and use a folder we can both access for simple file transfers between our machines. Changes are afoot though some falling out between the majority of ownCloud devs and the management of the ownCloud company which markets the supported commercial version has led to the majority of devs leaving.

Being open source of course they left with a full copy of the source code which they have forked to create Nextcloud, and have just put out their first release with instructions for upgrading from ownCloud.

We’re moving house soon (-ish subject to lawyers) so the server and network is all going to be packed away. Once we’re settled I think I’ll stick a new disk in the server and install Nextcloud from scratch, and do it right this time using MySQL rather than the default SQLite.

Android, not Google

I’ve written a few pieces over the last couple of years about ditching Gmail, Google Search, Maps, Docs etc but the final frontier was Android which I had on my phone and tab. Having manged to break the screens on both just before Christmas I treated myself to a new large format phone with a 5½” screen and CyanogenOS rather than regular (Google) Android.

Read all about it here: NoGoogleAndroid

It’s Cloudy again

ownCloud on my webserver works just fine. But the obvious snag is that web host companies charge for storage space, and generally charge more than a dedicated cloud storage provider. ownCloud have thought of this and provide a plugin to connect to external storage using various common protocols.

Given that I got into ownCloud because I want to avoid government snoops and US corporates selling my data I want a UK based cloud storage provider that allows access by FTP or SFTP. There are several issues.

A lot of companies with a UK website turn out to be branches of US companies who don’t disclose where there servers are. Many companies provide cheap, even free, storage but only if you use their Windows, Mac or Mobile client software. Won’t link to ownCloud unless you pay for the ‘Pro’ package which often starts at £10/month. I did find one exception, Memset which charges 4p/GB/month. Set up is easy and it links to ownCloud via FTP or SFTP. But I can’t make it accept files.

In desperation I signed up to a 30 day free trial with iWeb. It also uses FTP and connects to ownCloud just like Memset – but it works. This demonstrates to my satisfaction it’s not me or ownCloud at fault, so I’ve filed a support ticket with Memset. I hope they fix it, after 30 days iWeb gets expensive!

The long term plan is to mirror my entire /home/phil directory on ownCloud so I can work anywhere without needing to remember what to copy/backup before I go.