TETRA Vulnerability (TETRA:BURST) - Computerphile 

What the hell. I googled his name and his story is really infuriating

depends on who you ask the people who made this system, probably a bug the people who made the export restriction, probably a feature

it was a feature in the 90 when the export restriction was in effect. After the restriction was lifted, it became a bug.

@@KohuGalyIs it lifted?

100%, TBTB needed to ensure they could decrypt those comms any time they wanted from the beginning

All those "bugs" are really features, not only the export one. Agencies are more interested into know what their own people is doing, than foreign agencies know what they are doing.

so being able to meet Kerckhoff's Principle. not a bad idea to lock off use of the word "encryption" unless it meets that standard (encryption is increasingly meaning security to average people), just may not be palatable for businessmen that don't understand why they have to publish a "trade secret"

Nation-state actors don't intend to create unbreakable encryption. They want to balance their stuff not being broken with being able to break other people's stuff. So they'll never use standard unbreakable encryption.

@@GettNumber Exactly, call it Kerckhoffs's Principle or Shannon's Maxim, we should clearly accentuate the security distinction between cryptographic robustness and protected secret by definition so that in time even the business associate has at least a mere linguistic appreciation that these things are understood to be distinct. That said it should not be assumed that individual private solution implementers* necessarily have to disclose the details of which open encryption standards they use or refrain from attempting to further obfuscate their encrypted data (if done judiciously) but if the data isn’t encapsulated* at some level by an open public cipher standard* then the data isn’t really protected by encryption. * What is more, private re-implementations of the public encryption standard itself should be avoided; encrypted data should be encapsulated using a standard public encryption library before any other schemes are applied. In the strictest sense of my meaning anything else even an unmodified private re-implementation of an open encryption standard isn’t really encrypted IMHO; I appreciate this isn’t the most practical definition, but I’m fine with it being the “academic” definition.

is called a proprietary backdoor lol

@@thewhitefalcon8539 I agree and not suggesting that they will. I’m just saying what they are doing (in many cases) isn’t really encryption because it fundamentally lacks the primary security attribute of encryption and thus shouldn’t be acknowledged as such. I’m under no delusion that my random RU-vid commentary is going to effectuate any discernible change in existing behaviors, it’s merely a philosophical proposition, but none the less, one I promote in my work.

Yes, perfectly well, they learnt all this more than well. Clue: For an agency, all those backdoors are features not bugs. Why would they use a bug-free method? then they will not be able to break it when needed.

Security through obscurity 100% works. Until it doesn't.

Nope. People think _"Oh, it's more secret so it's more secure."_ I think a useful analogy is this: Imagine someone tried to sell you a padlock by saying _"It's so secure because it's illegal to look inside it."_ That would obviously be spurious. The same is true for digital encryption.

TETRA was developed in the mid 90s, it wasn't much of an issue back then

I watched it live at the camp. Unfortunately they did not tell us the algorithm.

@@thewhitefalcon8539Isn't it on their github? I'm no algorithms expert, so I can't figure that out. I got really amazed by what they've done to dump the sbox using the cache of the DSP, that's literally insane.

Because they weren’t flaws.

Any propietary software and hardware

I'm pretty sure the -manufacturers- designers and developers of TETRA were warned. I'm also pretty sure the governments who decided on using this system were warned. But did they care?

Who’s “we”? Not everyone has the same amount of knowledge as you. Just because you already knew this doesn’t mean someone else isn’t learning this for the first time.

Oh, I know when UK was shifting to TETRA this was being screamed about, to deaf ears.

Proprietary encryption is a great idea… if you don’t want the users to find out about the weaknesses you know about for quite a while.

"Warning." Buddy, public communications by public agencies is PUBLIC by design.

@@snex000This is clearly intended to be encrypted

@@circuit10 On what authority can our government use our money to hide things from us?

exactly correct.

It is *precisely* the same logic as placing export controls on any armour that is strong enough to protect against your best guns. The US never tried to hide the fact that their export controls on encryption systems with more than a 32 bit key was specifically so that the US could decrypt foreign communications whenever they wanted to. Although why a US export restriction was affecting an agency of the EU is confusing to me.

"And you can’t really provide feature like that with an open standard." Unless you make the strong encryption variant open and the weaker one proprietary. But that that point you're basically advertising to your export clients that there is a back door. And you're at the same time telling them how to modify the software/hardware so that it used the openly available strong encryption variant. (Unless the open encryption variant is different enough from the proprietary variant that they won't run on the same hardware.)

TETRA was (is) used for tactical and strategical comms by ignorants that don't understand the basics ... The technology was pushed with the help if the military, by favoring the use of 380-400 MHz mil band to avoid regulatory problems and using it in real military manouvres with blueforce tracking in order to sell it to governments as a "secure" system..😂😂😂. Interlaced jamming is so easy that users cannot even figure out what is going on (and difficult to DF). Blind people leading other blind people...

Damn! ACAB! NOW I get it!!!

Then just don’t watch shorts? What an odd comment.

​@@jasonschuler2256yes it is quite easy to just not watch em very strange comment

He has got a Dutch accent, but not a British accent.

He speaks first class English with a slight Dutch accent.

Probably?

Yes, ETSI EN 300 392. Also, most TETRA systems outside public safety are completely unencrypted because that saves a ton of money. So the encryption is proprietary but the standard is completely useable without it.

Curiously, it's the most secure thing you can do, if you use one time pad ciphers. And honestly... why would you use anything else in a day and age of 4Tbyte SSD drives? One drive is enough for years of voice communications. ;-)

Came here to say the same: security by obscurity is no security at all

Most people could still spell and write in complete sentences in the 90s.

@@ChrisBreederveld That doesn't however mean obscurity is bad. Not using port 22 for SSH reduces exposure to automated attacks, but is not a replacement for a good password or forcing key-based authentication.

The mere idea that security exists in this space is a ridiculous misunderstanding of physics. A radio transmitter can always be located simply by the fact that it has to produce an energy flow that is above the noise background of the environment. No matter the protocol, it is always possible to detect the source of the transmission. For a criminal the detection of a police transmitter close to his physical location would usually be enough to seize the criminal activity. It is complete overkill to differentiate between "harmful" and "harmless" police presence for most such activities. That's why the police usually does not care about being listened to.

I'm sure there are situations where you wouldn't want people to be able to just listen in - for example, if they're coordinating raids or a manhunt. Perhaps a different idea - they could carry on broadcasting encrypted messages (using an open, thoroughly tested protocol) and maybe release keys a day or a week later

Yeah a delayed system would be cool. Also body cams i feel should be harsher restrictions on "accidentally" deleting footage.

@@AbelShields Maybe in whatever shithole country you live in where government is sovereign and people are subjects. In America, it's the opposite. If cops can't do their jobs without violating peoples' rights, then too damn bad. Git gud.

The only "criminals" with this kind of capability are people engaged in highly lucrative trade of goods that the government doesn't like - aka only criminals by statute. Dangerous murderers and rapists aren't sophisticated people but magically the government rarely finds the time to go track them down.

@@AbelShields it would have to be a system that doesn’t rely on the good will of the police.

An NDA is a legal document that defines a "reasonableness" standard for the safekeeping of trade secrets. It prevents both sides from bringing nonsense lawsuits. If you are ever exposed to somebody's trade secret without having a written NDA in place, be very careful. It might backfire if you are dealing with a possessive personality. With an NDA all you have to do is to keep their trade secrets as safe as you would your own, i.e. they can't require you to pay damages for accidental leaks if you abide by the low standards of the document, which are usually trivial. If you are used to keeping your own trade secrets in a file folder in a locked office and you have employment agreements that require your employees to keep their knowledge about your company and its operations to themselves, then you are done implementing security measures for your partner as well. They can't sue you for not keeping their documents in a safe inside a vault inside a military installation with double fences and armed guard towers. ;-)

Also TETRA was known to be backdoored in the early 2000s, it's not that "no one knowed about it" - it was simply illegal (patent, IP) to say how. At least in the UK.

lol ... "heart cancer"

Never short of tin foil in your house.

@@BezosAutomaticEye false, i'm actually constantly running out because the government is hiding my shopping lists.

That's guaranteed by the law and only by the law. If you think that spying on the police will keep you safe from the police of a country that does not abide by human rights standards, then you are just kidding yourself... and not just a little.

"All ignorants making decisions on what they don't understand" is just how politics generally works under capitalism.

He was talking about European export restrictions…

@@jasonschuler2256 well he said American

I agree with transparency, BUT not realtime. What I mean, is that police communications while some operation is going on, needs to be secret, but after they are done, all data needs to be public. Think of a raid, you do not want the raided to be aware of it, but after all is done, the public has the right to know what happened there.

@@ikocheratcr Police shouldn't be doing "raids." They are not the military and citizens are not enemy combatants.

@@snex000 That seems...impractical. I can imagine quite a few cases where raids seem called for - human trafficking, illegal weapons manufacturing operations, etc. I mean, I guess you could call in the military for all such operations? I'm on the fence about that one.

@@Erhannis Human trafficking is only an issue because the government has illegally made it a crime to sell sexual services in a reputable manner. And what on earth is an "illegal weapon?" The right of the people to keep and bear arms shall not be infringed. You are just making my point for me. The ONLY reason you want secret police communications is to go after people who commit made up crimes that either have no victims or that only exist because the government has forced activity into a black market. Stop giving this kind of immense power to people who are supposed to be there to SERVE the people. They cannot be trusted with it. No one can.

⁠@@Erhannisthe military is both better equipped and better trained for these types of scenarios, and the police, in america at least, have shown themselves time and time and time and time again to not handle them well. Cops use that to argue they need better equipment, then when they fail to use the better equipment, they say they need more training, then you get astronomical budgets going to the police of every town and city in the country so that they can pretend they are elite military personnel at the one big call every few years, where they tend to completely drop the ball.