<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 05/06/2020 04:27, Phillip
Hallam-Baker wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMm+LwiyFQ4X0LCgp2pdTLQ7QcQsOu3h7NDSrk0+g4Yoqa4MfA@mail.gmail.com">
<div>
<div class="gmail_default" style="font-size:small">I think this
is what people are really missing with Skype/Signal/Zoom etc.
End to End makes no damn difference if the service is only
accessible from a single app provided by the service provider
who can force an automatic update. <br>
</div>
</div>
</blockquote>
<blockquote type="cite"
cite="mid:CAMm+LwiyFQ4X0LCgp2pdTLQ7QcQsOu3h7NDSrk0+g4Yoqa4MfA@mail.gmail.com">
<div>
<div class="gmail_default" style="font-size:small">Lawful
intercept of a Signal or Zoom call is merely a matter of
getting a warrant that requires the service provider to drop a
client with a backdoor onto the specific users they want to
intercept. Oh and of course a court can and will tell you to
lie about how many warrants you have been served. I can't see
a judge being remotely impressed by warrant canaries. If a
person intentionally constructs a situation that makes it
impossible for them to comply with a court warrant in good
conscience, that is their problem, not the court's. <br>
</div>
</div>
</blockquote>
<p>Hushmail is my usual example here.<br>
</p>
<div class="moz-cite-prefix">On 04/06/2020 21:32, Christian Huitema
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:38b364ac-8b18-c0ea-777a-d63767ae91a5@huitema.net">
<pre class="moz-quote-pre" wrap="">After Microsoft bought Skype they centralized the
handling of the call set-up, and the centralized handling made it much
easier to satisfy law enforcement requests. We are seeing the same
process happening with Zoom.</pre>
</blockquote>
<p>Probably pedantic, but I seem to recall Microsoft claiming for
years they didn't do that... because the previous owners of the
platform had already done it just before Microsoft took over.</p>
On 05/06/2020 04:27, Phillip Hallam-Baker wrote:
<blockquote type="cite"
cite="mid:CAMm+LwiyFQ4X0LCgp2pdTLQ7QcQsOu3h7NDSrk0+g4Yoqa4MfA@mail.gmail.com">
<div>
<div class="gmail_default" style="font-size:small">How many
users did Lavabit have when the FBI went after them? You only
need to have one customer to get a warrant if it is the wrong
customer.</div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">The only
robust solution to this problem I can see is an open standard
for end-to-end communications that covers all the common
modalities and is supported by multiple implementations and
the updates to those implementations are subject to some form
of transparency controls.</div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">NOBUS is the
key here: NObody But US. NSA is not going to rubber hose my
company to force it to issue a backdoored version of the code
if they think the backdoor can be used by someone else. Nor
are they likely to want to do so if the compromise is likely
to be discovered. </div>
</div>
</blockquote>
<p>It's debatable. The TLAs will balance the value of the
intelligence NOW against the risk (to them) of it being revealed
and targets leaving the platform. We see time and again (for
instance, the "growing dark" narrative) that they don't care if
the backdoor is exploited by others, nor will they hesitate to
throw "partners" under the bus if they are no longer useful.<br>
</p>
</body>
</html>