What if there was a war and no one noticed?

Wednesday, 10 October 2012

Shortly after our freedom in 1994, cellular telephones using the GSM standard began making their way to our shores.

We soon found ourselves able to travel the world and still remain accessible on the same phone number thanks to roaming – except in the USA.

The reason for this was simple: the GSM standard as originally introduced offered secure communication. In other words, you could conduct a conversation without your phone being tapped.

The United States did not like this. You see, the US government has a long and notorious history of spying on its own citizens, and the process of wiretapping began as early as the 1890s when the first telephone recorders were invented.

A challenge to the constitutionality of eavesdropping on private conversations was defeated in 1928 after the conviction of bootlegger Roy Olmstead. Federal authorities had tapped his conversations over a period of several months and used that information to secure Olmstead’s conviction. Olmstead argued that the government’s spying on him was an unlawful search and seizure that violated the US Bill of Rights. The courts turned him down.

So, 100 years after phone tapping was born, the US government was not prepared to give up this right. It reached a compromise with the global bodies for telecommunications standards – it would allow the use of GSM technology within the US only if the (then) unbreakable 128-bit cipher used to encrypt communications was deliberately brain-damaged with 10 of the key bits set to zero.

That’s computer jargon, so let me break it down. Let’s say you have a 4-digit PIN code on your bank account: there are only 10 000 possible PINs (0000, 0001, 0002 all the way to 9999). So I can guess your PIN code by simply entering the numbers one after another – a technique known as a brute force attack. It would be very easy for a thief to crack your PIN if the ATM did not automatically block your card after a small number of failed PIN attempts.

But if your bank forced you to set the first three digits of your PIN to 0, a thief would only need to guess ten numbers (from 0 to 9).

A 128-bit cipher has 2 to the power of 128 possible combinations. That’s a huge number of potential passwords – 340282366920938 followed by 23 zeros. The cipher is shared between the calling phone and the receiving phone, and is the key to unlocking the garbled data stream of your phone conversation. Even with the fastest computers, it’s physically impossible to calculate all of the possible combinations during the time you are conducting a phone conversation. So your phone cannot be tapped.

But if you already know that the first 10 bits of the key are all zeros, you only have to guess 2 to the power of 54 combinations, allowing computers to unlock your conversation and listen in.
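The PIN analogy and the zeroed-key-bits idea above, worked through as an added example (not part of the original article). It uses a constructed 16-bit toy key and HMAC-SHA256 as a stand-in for the cipher; it is not GSM's algorithm, and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac

def keyspace(key_bits: int, zeroed_bits: int = 0) -> int:
    """Keys left to try when `zeroed_bits` of the key are known to be 0."""
    if not 0 <= zeroed_bits <= key_bits:
        raise ValueError("zeroed_bits must be between 0 and key_bits")
    return 1 << (key_bits - zeroed_bits)

def pin_candidates(digits: int, forced_zero_digits: int = 0) -> int:
    """Same idea in base 10: PINs left to try when leading digits are forced to 0."""
    if not 0 <= forced_zero_digits <= digits:
        raise ValueError("forced_zero_digits must be between 0 and digits")
    return 10 ** (digits - forced_zero_digits)

def seal(key: int, key_bits: int, message: bytes) -> bytes:
    """Stand-in for a cipher: a keyed tag that only the right key reproduces."""
    raw = key.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(raw, message, hashlib.sha256).digest()

def brute_force(target: bytes, message: bytes, key_bits: int, zeroed_bits: int = 0):
    """Try every key consistent with the known-zero top bits; return (key, trials)."""
    space = keyspace(key_bits, zeroed_bits)
    for trials, candidate in enumerate(range(space), start=1):
        if hmac.compare_digest(seal(candidate, key_bits, message), target):
            return candidate, trials
    return None, space  # the key was not inside the reduced search space

# Constructed sample values: a toy key small enough to search in under a second.
KEY_BITS = 16
MESSAGE = b"constructed known plaintext"
FULL_KEY = 0xB3A7  # all 16 bits carry secrecy
WEAK_KEY = 0x002D  # top 10 bits forced to zero, only 6 bits carry secrecy

if __name__ == "__main__":
    print("PINs to try:", pin_candidates(4), "->", pin_candidates(4, 3))
    print("keys to try:", keyspace(KEY_BITS), "->", keyspace(KEY_BITS, 10))
    for name, key, zeroed in (("full", FULL_KEY, 0), ("weakened", WEAK_KEY, 10)):
        sealed = seal(key, KEY_BITS, MESSAGE)
        found, trials = brute_force(sealed, MESSAGE, KEY_BITS, zeroed)
        print(f"{name} key: recovered {found:#06x} after {trials} trials")
```

Each zeroed bit halves the work, so the weakened key always falls within 64 trials while the full key can take up to 65 536.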

This week a US congressional investigation red-flagged Chinese communications giants Huawei Technologies and ZTE, claiming that they posed a security risk because their equipment could be used to spy on Americans.

Committee chairman Mike Rogers said companies that had used Huawei equipment had reported “numerous allegations” of unexpected behaviour, including routers supposedly sending large data packs to China late at night.

Now this is just too funny.

See, I’ve no doubt that China will use every opportunity to conduct espionage in any part of the world in exactly the same way as I expect any country to conduct espionage in its national interest. I don’t trust the Chinese or US governments, but I don’t trust any government – including our own.

The more fundamental question is how does one go about securing data from industrial espionage after more than a century of governments insisting that no one has a right to privacy?

The answer for me is very clear. Government must get out of the tapping business and allow everyone the right to secure communications.

The technology already exists to do so. If all electronic data is encoded using stronger 256-bit or 512-bit or 1024-bit keys, it will be infeasible for anyone to spy on that communication using a brute force attack.

Yes, terrorists will be able to conduct conversations in privacy – but terrorism is not the real threat. The war in cyberspace is already around us.

We just haven’t noticed – not yet.