It turns out that Khalid Masood was using encrypted Whats App messages to communicate with associates.
There is no way these messages can be read, apparently. This throws the issue of internet privacy once more into the spotlight.
Is the right to privacy greater than national security?
www.bbc.co.uk/news/uk-39396578
|
There are other apps like Telegram etc. which started encrypted conversation features way before WhatsApp.
If one app is blocked then people will use something else. Here the problem is ideology and not technology.
He was known to police. This is common for most terrorists. So this incident has nothing to advocate for mass surveillance.
|
I think the question here is who did he send an encrypted message to via WhatsApp just before he committed the murders. Obviously the police would dearly like to know.
|
There's a lot of talk around this issue right now. The authorities in the US are trying to get access to people's phones and information on databases etc. I think they eventually cracked the code on the iPhone; however, I think they are still waiting to get access to Amazon's database with information from Echo Dot.
|
We are watched on our computers, listened to on our phones if needed; how far do you go?
Community policing, bobbies on the beat, or anybody talking and listening to people what goes on in an area.
If any loner decides to do harm there are no institutions which will stop him or her. Maybe, maybe if we all can create a better society for all on this planet we might be able to live in peace together.
|
>> It turns out that Khalid Masood was using encrypted Whats App messages to communicate with
>> associates.
No, it turns out he used Whats App messenger. As the police have said he worked alone, he has no "associates" so he didn't communicate with them. My wife uses Whats App all the time, as do I. It's got rock all to do with terrorism.
|
I didn't know there was more than one sort of Whats App message. Did you mean FB messenger?
|
>> I didn't know there was more than one sort of Whats App message. Did you
>> mean FB messenger?
No I mean Whats app.
|
So what's the difference between using encrypted Whats App messages and using Whats App Messenger?
|
>> So what's the difference between using encrypted Whats App messages and using Whats App Messenger?
Nothing, Whats App is a messenger application and all its messages are encrypted by default
|
Millions of people use Whats App. The question is: do individuals have an absolute right to communicate in private by using encrypted facilities such as Whats App, or do Governments have a right to read those messages in certain circumstances such as this case?
I can see arguments on both sides but would probably come down on the side of privacy.
|
Yes, I think I'm with you there.
It's difficult but I think ultimately the right to privacy of good citizens outweighs a Government's need to spy on the few bad ones.
And the opportunity for abuse makes me shudder.
|
If they can access it on basis of terror how long before mission creep sees it used to prove collaboration over 'flipping' speed camera offences.
Never mind in matrimonial proceedings.
|
>> If they can access it on basis of terror how long before mission creep sees
>> it used to prove........
.......who fluffy really is....
;-)
|
I use Whats App messenger.
It is encrypted.
Khalid Masood used Whats App messenger.
Last edited by: Zero on Sun 26 Mar 17 at 19:07
|
>> I use Whats App messenger.
>>
>> It is encrypted.
>>
>> Khalid Masood used Whats App messenger.
>>
Well done Fluff.
|
The right to privacy.
Motoring version - My right of way even if it kills me.
|
>> If they can access it on basis of terror how long before mission creep sees
>> it used to prove collaboration over 'flipping' speed camera offences.
>>
>> Never mind in matrimonial proceedings.
>>
But to play devil's advocate, before the internet and end-to-end encrypted messaging came along all communications could be intercepted and indeed were if deemed necessary by the courts. Letters could be read, phones could be tapped, telegrams could be intercepted. Even if it were a matter of life and death to thousands of UK citizens it would not be possible to read a Whats App message. This scenario has not existed before. Whilst on the side of privacy I can see the argument on the other side.
|
The age of the internet, and its lack of physical borders, means that Government has no control, legal or practical over what methods of communication we use.
It was technically possible (study the Great Firewall of China) but that needed to be in place right at the outset of the net, and also requires unacceptable severe and punitive control of the population, levels of which are not possible in a democracy.
So UK politicians should stop wibbling on about it, it's just meaningless words, sorry I mean "Look how important I am" sound bites.
Last edited by: Zero on Sun 26 Mar 17 at 19:51
|
My missus has perfected encryption. Much of what she says makes no sense to me anyway.
|
>> The age of the internet, and its lack of physical borders, means that Government has
>> no control, legal or practical over what methods of communication we use.
I am sure that is correct but it does put security and law enforcement in a position it has never been before. I guess that the public have to accept the fact that the right to privacy comes with a downside and criminals will undoubtedly escape being caught because of that right. As a rule we are not good at accepting that rights sometimes have negative consequences.
|
>> I am sure that is correct but it does put security and law enforcement in
>> a position it has never been before.
Really not true at all. Study the history of military and criminal secrecy and you will see that secure communication (encrypted or hidden) predates Christianity, and has developed more or less continually since then.
|
Yes I am aware of that. What I meant was that this is the first time that this level of encryption has been available to everybody. It's effectively free.
My understanding is that the encryption used by WhatsApp and other messaging systems is totally secure, not even readable by WhatsApp. I think it fair to say that it is highly unlikely a criminal like Masood would have had access to such encryption in the past.
|
>> Yes I am aware of that. What I meant was that this is the first
>> time that this level of encryption has been available to everybody. It's effectively free.
No you are getting hung up (like the politicians) in the technology and the method. The availability and security has always been available to anyone who cared to make an effort, in fact interception by government has never been easier than it is today.
Last edited by: Zero on Sun 26 Mar 17 at 21:01
|
I find it hard to believe that government and GCHQ etc can't read messages in a free app?
|
I suspect knowing who to monitor is the clever bit. I haven't spoken to a copper for decades and I would be amazed if they have any interest in me.
|
It may be hard to believe but I understand it is a fact.
|
For them to access it, then Whatsapp would have had to engineer a loophole in the encryption before it was implemented and would then need to share that loophole. Once a message has been encrypted, then to all intents and purposes it cannot be forcibly broken.
If Whatsapp put a loophole, then others will find it.
|
Well they say that, but it wouldn't be the first time governments have used a bit of misdirection. Although if it's true, a lot of spying will no doubt be redundant. Simply send everything through WhatsApp.
|
Encryption is not new, in concept or use. Secure encryption has been freely available to everyone or anyone who uses email and computers for the last 15 years. Whatsapp is a red herring.
|
>> a lot of spying will no doubt be redundant
You'd have to think that communication for spies these days is a long way from dead drops and invisible ink, or Morse code tapping while wearing a French beret.
Even if you are using a hackable form of communication, these days the skill is almost certainly in knowing who to listen to.
|
Do you think the government publicly discloses its capabilities?
|
An app like Whats App merely makes it convenient to send encrypted messages.
You could send an encrypted message in an email as an attachment. The email might be sent as a text based MIME formatted email but the attachment could only be read if you knew the encryption key.
We use PGP at work like many places so for important emails I can send a message encrypted. For convenience you could use the public keys but there's nothing stopping me encrypting a message with a private passphrase which could be long and complicated. As long as the recipient knows the passphrase they can decrypt the message.
Enigma was of course a famous encrypted communication system but we cracked that. But they had some help in that there was always a common message that they know and therefore could break the code for that which then applied to the rest of the message.
To brute force a crack of more modern encryption is no mean task. And back doors are not going to be implemented.
There's nothing stopping ISIS or whoever writing their own encrypted communication app - then there's no friendly company you can ask for help either.
|
I think we overrate the government's powers. In the scheme of things so-called terrorist attacks are rare. The mainstream news want us to believe otherwise.
Of course the London deaths are terrible and my condolences are with the families.
|
Can someone (Zero?) explain encryption to me please.
If someone sends a message in some kind of code down a line to someone at the other end, the recipient has to have a means of decoding it. That has to be more than just a pre-arranged message, such as "If I say the red cow is flying tonight that means attack" . It has to be a code that can read any message, not a pre-arranged one.
So surely whatever the recipient has at his end has in principle to be available to someone else - a replicated Enigma machine can read an intercepted Enigma message ?
There's no point in me having a device that encrypts my messages if no one else has the capability to read them? Surely something has to be pre-arranged between the communicators?
|
>> explain encryption to me please.
I will try.
Recall those codes you used to mess around with when a child? They worked like this...
A B C
1 2 3
We both knew that, so if I wanted to send you a message I would use the key (above) to translate CAB to 312, send it to you and then you would use the same key to decrypt it to CAB again. And we naively thought nobody else could read it because they didn't have the key.
That "key" is important.
Obviously we could just make that "key" really complicated, you and I could use it, and it could be so complicated that nobody else could work it out. Or at least, not in any time that would make it practical.
The trouble with that is, somehow you and I have to have shared or communicated that key, and at that time the key is exposed and vulnerable. Equally anybody else with that key can read our messages.
So we moved to asymmetric encryption - essentially you and I use different keys and do not communicate the secret.
I have a public key. And I make that available. Anybody can use that key to encrypt and send me a message. But, you need a different key, my *private* key, to be able to decrypt that message.
Everybody knows my public key, only I know my private key. So I only share the means to encrypt a message for me, only I know the key to decrypt. And that key is not stored, it is calculated. It will use many factors to calculate, some of those depend on the device I am using. Even if you knew the algorithm to calculate that key, you still couldn't do it without my access to my device.
Serious techies may have their toes curling, but I think that's a reasonable representation.
Last edited by: No FM2R on Mon 27 Mar 17 at 11:07
|
If you don't mind me saying, I think you made that a little convoluted.
Simply saying: it's a two stage lock. I give everyone a public key to lock stuff up and send it to me, but only I have the key to unlock it.
And boy, it's a helluva padlock. More or less unbreakable.
Funnily enough I am towards the end of an OU course in Cyber Security. It's fascinating.
Last edited by: Zero on Mon 27 Mar 17 at 11:15
|
Mmm, that does seem rather simpler.
Oh well.
|
>>
>> It's a two stage lock. I give everyone a public key to lock
>> stuff up and send it to me, but only I have the key to unlock
>> it.
>>
>> And boy, it's a helluva padlock. More or less unbreakable
Thanks, that explains it really well.
So basically, it could have been used for centuries, and probably was:
I hand out secure metal boxes to my agents, complete with snap-shut padlocks. When they discover something to report, they simply put the message in the box, snap the padlock, and post it to me. I can open it because only I have the key.
Is that it?
If so, then am I right it is only a one-way process? How would I get a message to my agent in reply, unless I had a means of first sending him a key to the return padlock ?
|
>> If so, then am I right it is only a one-way process? How would I
>> get a message to my agent in reply, unless I had a means of first
>> sending him a key to the return padlock ?
>>
He puts a snap shut padlock in the box for you to use to lock it when you send it back. If you want another reply from him, you put the original padlock inside the box for him to use and so on.
|
And because a padlock, if opened, is always transported in a locked box that no-one can get into, no-one can nick your lock and cut another key.
|
That is of course where the analogy breaks down. The box could always be opened by brute force in an hour or so with the right tools.
|
>> That is of course where the analogy breaks down. The box could always be opened by brute
>> force in an hour or so with the right tools.
No that's why the analogy is good. Encryption can be broken with brute force - i.e. computing power. But if the length of key is sufficiently long, even with a massive amount of computing power you are talking a very very long time. But it's doable.
Some forms of encryption that were in common use are now seen as vulnerable to brute force attacks. Made easier/quicker using 'dictionaries' to help reduce the computing power needed.
|
>> Do you think the government publicly discloses its capabilities?
Of course not, but as part of that they are also prone to bluff and overstate their capabilities for equally good reasons.
|
>> I find it hard to believe that government and GCHQ etc can't read messages in a free app?
The encryption is based on laws of mathematics. One can encrypt messages using an appropriate algorithm in a way that it would take several supercomputers many months to un-encrypt those using a brute force attack. No one can bend the rules of maths.
The FBI uses a different technique though. If they discover you have encrypted messages, they will torture you until you reveal the password.
|
>> The FBI uses a different technique though. If they discover you have encrypted messages, they will torture
>> you until you reveal the password.
No they don't. The FBI use the "Not telling us the key is an absolute offence anyway, and we will lock you up for thirty years, tell us and you get 20 - your choice".
|
>> Which Zero are you?
>>
....the encryptic one.....
|
So not the trainspotter one. :-)
|
I've not considered or looked into what the Whats App application (and their central servers) do. But it might be something along these lines:
1. I install the app and it generates the public and private keys. These will be based on some randomness, some device details (e.g. MAC address of the Ethernet interface), time and date, etc.
2. I send the public key to the Whats App servers so anyone wanting to communicate with me can encrypt messages by retrieving my public key.
3. Someone sends me a message encrypted with my public key.
4. My app unencrypts using the private key which is only installed/stored on my phone.
Whats App does not hold a copy of my private key (I'd hope not) and therefore have no way of encrypting my messages.
It will be similar for other encrypted communication. Your HTTPS/SSL communication will exchange public keys for both ends and then encrypt the traffic. Your end unencrypts it.
I have mobile phone banking via an app which when set up will have generated some encryption keys for sure. If you get a new phone or re-install the app you need to get in touch with the bank to reset their end (i.e. start setup again) because the public shared key is no longer valid.
|
>>
>> If you get a new phone or re-install the app you
>> need to get in touch with the bank to reset their end (i.e. start setup
>> again) because the public shared key is no longer valid.
>>
So if you had been arrested and forced or "turned" and made to ask the bank to reset their end, your safe communication would have been broken?
In the stories of secret agents, you would of course have managed to report to the bank in an apparently innocuous way but using little quirks of language that would have alerted someone at the other end to the fact that you were acting under duress. But can the Lloyds Bank password re-set department detect such subtleties?
|
>> So if you had been arrested and forced or "turned" and made to ask the bank to reset their
>> end, your safe communication would have been broken?
But when they reset their end the process of registering needs to be done again. So on my phone for example I cannot get into my bank account with the app. I need to re-register and to do that I need to use: (1) my bank card, (2) the card reader the bank provides and (3) my PIN number.
So resetting their end does not compromise my account. And to get into the phone you need to use a password or my fingerprint.
To get into the app needs the use of a PIN - longer than your bank PIN.
Last edited by: rtj70 on Tue 28 Mar 17 at 10:17
|
... by Katie Hopkins. Viewers beware :-)
|
>>
>> To get into the app needs the use of a PIN - longer than your
>> bank PIN.
>>
But surely all the things you need to re-register must have been sent you at some stage?
Agents could have intercepted your post and obtained your bank details, PIN, and password?
Did your PIN come in an envelope with a square of peel-back paper? There must be ways of reading it without peeling the paper, or counterfeiting a replacement having opened and read it?
Then armed with these re-registered your account and by pretending to be you, got into your account, or read your phone messages?
I appreciate the padlock analogy, but I still don't get how absolutely secure 2-way communication can be guaranteed, given unlimited resources for monitoring, spying, hacking, etc.
|
>> I appreciate the padlock analogy, but I still don't get how absolutely secure 2-way communication
>> can be guaranteed, given unlimited resources for monitoring, spying, hacking, etc.
It can, and it is. Cases are not cracked by intercepting and breaking encrypted communication. The weakness is always the point where the human is involved.
|
>> It can, and it is. Cases are not cracked by intercepting and breaking encrypted communication.
>> The weakness is always the point where the human is involved.
>>
Doesn't that sort of come back to my original point.
Accepting that an intercepted encrypted message cannot be decoded, the security services in the modern age are in a worse situation vis-à-vis eavesdropping on criminals, and indeed anyone else they want to monitor, than they were in the past, i.e. in the days of telephone wiretaps and written messages or less perfect encryption.
The government's view is that there should be a way to decode such interrupted messages on the application of a court order. On the face of it that may seem reasonable but it comes down to the right of the individual to communicate in private with whomsoever he chooses against what the Government would argue is the greater good of society.
|
>>
>> >> It can, and it is. Cases are not cracked by intercepting and breaking encrypted
>> communication.
>> >> The weakness is always the point where the human is involved.
>> >>
>> Doesn't that sort of come back to my original point.
Nope, because secure unbreakable communication has always been available, but the weakness has always been the human interaction, or the way they use it. And that will continue to be the case.
|
Nope, because secure unbreakable communication has always been available
Has it? I'm a bit lost there. If in 1960 say I was an average criminal plotting to commit a crime and I wanted to quickly send a secure communication to my associate how would I have easily done that?
|
>>>>Nope, because secure unbreakable communication has always been available
>>Has it?
No, and it isn't now.
Like the arms/armour war, it is, and always has been, a matter of trying to keep the effort, time and resources required to decrypt something so difficult as to not be practical in the real world.
So the series of security measures in place currently don't make it unbeatable, they just make it so difficult to beat that for normal people leading normal lives it simply isn't worth the effort to try.
An electric fence doesn't make your house impregnable, it just makes it not worthwhile.
At the moment the biggest difficulty is the time a brute force takes.
However, remember what happened when cars became reasonably "unstealable" for a while? It became easier to burgle your home and steal your keys.
If you're rich, even if only relatively so when compared to a mugger, that's probably worth bearing in mind.
The human link is *always* the weak link.
|
>> If in 1960 say I was an average
>> criminal plotting to commit a crime and I wanted to quickly send a secure
>> communication to my associate how would I have easily done that?
>>
If it was one of several pre-arranged options, such as:
A = Lloyds, B= Barclays, C = Midland, D = Nat West, E = cancel, we're being watched
followed by:
1 = fetch Alf the safe cracker 2 = bring gelignite 3 = bring bulldozer
then all you would need to do would be to ring up from a public call box not in your area, say C2 and put the phone down.
But if it was more complicated and not a pre-arranged option then you'd have to send code F which would mean meet at the last previously arranged pub, we need to discuss.
|
>> Nope, because secure unbreakable communication has always been available
>>
>> Has it? I'm a bit lost there. If in 1960 say I was an average
>> criminal plotting to commit a crime and I wanted to quickly send a secure
>> communication to my associate how would I have easily done that?
The one time pad type of message
Let me explain. All you or I need is a book, the same book. We need to meet once to agree a format. When we wish to communicate I then send you a series of number groups.
001 006 005, 001 007 004, etc etc
It simply means page 1, word 6, letter 5, page 1 word 7 letter 4
It's been used for years, transmitted by radio (google "numbers stations") and is unbreakable because its cypher key size is the size of the total number of letters in the book, there is no single letter/code repetition* and only sender and receiver know the book.
It's unbreakable. In practice it's not, because of the human factor. Lazy sender can't be rrrsed to start at the next page of the book and uses page 1 all the time. You get letter repetition, makes it breakable. Lazy sender can't be rrrrsed to put his book back into the very large bookshelf? Then break into his house and make a note of the book open on his coffee table.
I won't go into the ways you can get a person to reveal the book he uses; there are hundreds of spoofing or social engineering ways to work on the human end, you can guess those.
The Germans knew it, that's why they invented machine cyphers. They forgot the human on the end of the keyboard.
Let's get back to WhatsApp. You use it, I can easily snoop on you in 7 days time. I steal your phone, clone it with my special code, get it back to you. Every message you then send and receive I can then snoop on.
A properly aware person would crush the phone as soon as they got it back and use another. You wouldn't tho, you'd be so grateful you got the phone back. The human factor.
Unbreakable code has ALWAYS been available. Unbreakable humans - Never.
|
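The page/word/letter scheme from the post above, with the "lazy sender" failure it describes, as an added example that is not part of the original thread. The two-page `BOOK` is constructed sample text and the function names are hypothetical; the point is that a sender who never reuses a position produces no repeated groups, while one who always takes the first occurrence leaks letter frequencies.

```python
from collections import Counter

# Constructed sample "book": one string per page. Sender and receiver hold identical copies.
BOOK = [
    "the quick brown fox jumps over the lazy dog while seven wizards bake pizza",
    "a jovial monk fixed the quartz clock before dawn and went walking by the bay",
]


def build_index(book):
    """Map each letter to all of its (page, word, letter) positions, 1-based, in reading order."""
    index = {}
    for p, page in enumerate(book, 1):
        for w, word in enumerate(page.split(), 1):
            for l, ch in enumerate(word, 1):
                index.setdefault(ch, []).append((p, w, l))
    return index


def encode(message, book, reuse=False):
    """Turn the letters of message into (page, word, letter) groups.

    reuse=False: a book position is never used twice (the disciplined sender).
    reuse=True:  always the first occurrence of each letter (the lazy sender).
    Spaces and punctuation are dropped.
    """
    index = build_index(book)
    used = Counter()
    groups = []
    for ch in message.lower():
        if not ch.isalpha():
            continue
        positions = index.get(ch, [])
        pick = 0 if reuse else used[ch]
        if pick >= len(positions):
            raise ValueError(f"book has no unused position for {ch!r}")
        used[ch] += 1
        groups.append(positions[pick])
    return groups


def decode(groups, book):
    """Look each group up in the receiver's copy of the book."""
    pages = [page.split() for page in book]
    return "".join(pages[p - 1][w - 1][l - 1] for p, w, l in groups)


def fmt(groups):
    """Render groups the way the post writes them: 001 006 005, 001 007 004, ..."""
    return ", ".join("%03d %03d %03d" % g for g in groups)


def repeated_groups(groups):
    """Groups occurring more than once: all an eavesdropper without the book can count."""
    return {g: n for g, n in Counter(groups).items() if n > 1}


if __name__ == "__main__":
    msg = "meet at the cafe at ten"  # constructed sample message
    for reuse in (False, True):
        sent = encode(msg, BOOK, reuse=reuse)
        print("lazy: " if reuse else "fresh:", fmt(sent))
        print("  decoded:", decode(sent, BOOK), "| repeats:", repeated_groups(sent))
```
|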
>> But surely all the things you need to re-register must have been sent you at some stage?
No. I already have what is required to register: (1) the phone with the app, (2) bank card, (3) Chip and Pin reader/device.
The last item (Chip and Pin device) produces a code which the bank can validate. Nothing needs sending.
The PIN used for the app is set up in the app when you register it. The encryption key (or whatever) is stored on the phone and unlocked with this PIN. It's no use on another phone because you'd need to re-register and to do that you'd need to ask the bank to do something.
I think it's pretty secure but thanks for your concern.
|
But can the Lloyds Bank password re-set department detect such subtleties?
>>
Duress words are really only used in limited circumstances, not really suitable for widespread use. Generally best used for a limited set of interactions.
|
>> Duress words are really only used in limited circumstances, not really suitable for widespread use.
>> Generally best used for a limited set of interactions.
>>
No, I didn't mean a preset duress word. In the films the captured spy contrives to word his message in a slightly odd way, unnoticed by his captors, but ringing a warning bell to his control in London because of old school slang.
In the film about the false moon landing it was a reference to a holiday incident which only his family would remember about something being faked.
But I know films aren't like real life. :)
|
>> But I know films aren't like real life. :)
Monitor your local bank at opening time. From the outside, see what the first employee to unlock and enter does.
You will find a passive safe signal is displayed for the rest of the employees.
|
... unless they have clocked the dodgy looking bloke with a Car4Play baseball cap on backwards watching them
|
>> ... unless they have clocked the dodgy looking bloke with a Car4Play baseball cap on
>> backwards watching them
>>
It is easy to watch things these days, just pretend you are using a mobile phone and the world will not notice you :-)
|
If any of you are paranoid about email privacy you could consider this:
protonmail.com
.. a creation of a bunch of bright people from CERN - just like, er, the web...
I haven't used it myself but I hear that those who have used it love it.
|
>> It turns out that Khalid Masood was using encrypted Whats App messages to communicate with
>> associates.
>>
To read those messages, you need access to either the recipient's or the sender's Whatsapp device.
The reason it is known that Masood sent a message is because the Daily Mail got hold of his number, added it as a contact on a phone, and checked his Whatsapp status. This is the result they got, which shows his last activity about two minutes before he drove over the bridge.
tinyurl.com/mlwhzmb
(link is copyrighted Daily Mail image - A_screengrab_of_Khalid_Masood_s_WhatsApp_profile )
|
Presumably though it would have shown the same status if he'd only read a message? Even [I think] if he'd read an old message at that point, even not one received that day, would have updated the "Last Seen" time.
Last edited by: No FM2R on Wed 29 Mar 17 at 19:11
|
>> Presumably though it would have shown the same status if he'd only read a message?
>> Even [I think] if he'd read an old message at that point, even not one
>> received that day, would have updated the "Last Seen" time.
>>
Yes.
So the Daily Mail image shows someone sent or read a message from that phone. To or from whom, one or more people, it is not public knowledge.
Whether the phone has been found on Khalid or not has not been made public. If it was, whether it was locked or not is then another question. If the Police didn't find it, it is a possibility that his phone was with someone else who has since disposed of it.
Last edited by: BrianByPass on Wed 29 Mar 17 at 19:15
|
Do you have any idea, or did they say, where they got his number from?
|
>> Do you have any idea, or did they say, where they got his number from?
>>
Similar way they got hold of Milly Dowler's phone number?
p.s. apart from Channel 4 who got the ID spectacularly wrong, most mainstream media got to know the details of the killer within 6 hours of the atrocity.
|
>> Whether the phone has been found on Khalid or not has not been made public.
>> If it was, whether it was locked or not is then another question. If the
>> Police didn't find it, it is a possibility that his phone was with someone else
>> who has since disposed of it.
Either way, he worked alone, not part of any group, his whatsapp security availability is a red herring whipped up by the press and the Gov.
|