DeepSec 2024 Press Release: State Attacks on Information Security continue unabated. End-to-end Encryption remains an important and threatened Component of Security.
The introduction of strong encryption has repeatedly led to disputes with authorities and the government in the past. Whether it’s mobile networks, email systems, messengers or the World Wide Web, every iteration of the technical protocols is met with demands for backdoors that jeopardise the entire communications infrastructure. The DeepSec conference warns against opening the door to espionage.
Secure or insecure, that is the Question
Encryption inevitably has to do with mathematics, and the algorithms used in encryption technologies almost always originate from mathematical research. There are ready-made and well-tested components for IT infrastructures that are freely available. The critical point in securing communication is always to prevent messages from being intercepted. The only way to do this is with end-to-end encryption (E2EE). The keys involved remain exclusively with the sender and recipient. None of the parties involved in forwarding the message can access the content. The implementation of E2EE is always the goal in information security. E2EE configurations are part of our daily lives, whether in the private sphere or in companies. Messengers on smartphones, video conferencing, home office, secure access to portals and many other applications use this secure form of encryption.
It is important to note that the cryptographic algorithms do not recognise any exceptions. Either you want maximum security through E2EE or you don’t. Security standards such as ISO 27001 or data protection requirements also recognise no exceptions. If you want to implement security guarantees, there are no exceptions. Access to content is not impossible when using E2EE. It is only limited to the sending or receiving side.
Whispers and Threats
The US government under President Bill Clinton tried to sabotage encryption as early as 1993. At that time, an attempt was made to make all encrypted communications searchable with the help of duplicate keys by introducing an official computer chip. The technical implementation failed due to many contradictions. In fact, nothing has changed in terms of mathematics and implementation. All approaches must inevitably compromise security. Legally required backdoors already exist in mobile phone networks. In 2005, unknown persons broke into a Greek mobile phone network. In the course of the attack, over 100 members of the government were bugged. Traces were covered up and the investigation came to nothing. The incident is documented under the name ‘The Athens Affair’. Mobile telephony does not follow the same security model as Internet protocols, but abolishing or banning E2EE would provide attackers with similar opportunities.
In April 2024, various law enforcement agencies called on Meta to abandon the use of E2EE. The argument was that secure encryption would hinder investigations. According to the authorities, only insecure encryption was safe to use. This wording was deliberately chosen because it corresponds to the technical facts. One argument that is often put forward is the term ‘going dark’, i.e. the possibility that communication parties suddenly become ‘invisible’ with encryption. Reliable figures are not cited. According to an interview with Robin Wilton, Director of the Internet Society, the adoption of secure communication has increased significantly since 2015 as a result of Edward Snowden’s revelations. Conversely, however, there has been no sharp drop in the results of investigations. If E2EE were the decisive factor, then there would no longer be any charges or convictions for offences linked to encryption. Apart from the investigating authorities, end-to-end encryption is also said to cause problems in IT security, because content can supposedly no longer be inspected (e.g. for content checks for malware). However, this is also not the case.
Encryption remains the basic Building Block for Security
IT security cannot be realised without secure encryption algorithms. Attempts to ban E2EE or install backdoors on clients/servers fall far short of the mark. The consequences will only affect the users, who will then become victims. Criminals will regard the communication protocols used to date as insecure and switch to other methods. This is a well-known effect that investigating authorities already experienced 30 years ago in the drug war with the cartels. Especially in the current threat situation due to industrial espionage and attacks on critical infrastructure and companies, the legal weakening of IT security measures is grossly negligent.
Cases of espionage have been discussed at the DeepINTEL conference in recent years. Experience with security gaps or weaknesses in security has shown that these are always exploited for attacks.
Programme and Booking
The DeepSec 2024 conference days are on 21 and 22 November. The DeepSec training sessions will take place on the two preceding days, 19 and 20 November. All trainings (except for announced exceptions) and presentations are intended as face-to-face events, but can be held partially or completely virtually if necessary. For registered participants there will be a stream of the presentations on our internet platform.
The DeepINTEL Security Intelligence Conference will take place on 20 November. As this is a closed event, please send direct enquiries about the programme to our contact addresses. We provide strong end-to-end encryption for communication: https://deepsec.net/contact.html
Tickets for the DeepSec conference and the training sessions can be ordered online at any time via the link https://deepsec.net/register.html. Discount codes from sponsors are available. If you are interested, please contact deepsec@deepsec.net. Please note that we depend on timely ticket orders so that we can plan reliably.