Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be …
I'm not sure what Brennan's game is. For a smart guy he sure seems stupid.
Does he not know how maths works? If US encryption is broken, someone else will sell a non-broken alternative. I'm pretty sure he's worked that out, so why say something so patently dumb?
I want to know what's really going on here.
A person I rather respect once said that if you ever find yourself considering what politicians are doing and thinking "now, that's stupid!", then know that you do not know all that is going on.
Of course, it's not exclusively correct, obviously: sometimes it's the politicians who are lacking critical information and/or understanding, and sometimes they are indeed just being plain stupid. But it's a world-view that's useful to keep in mind, I find.
@RIBrsiq: But Occam's Razor applies and on any matter requiring understanding of law, economics, science or technology, the politician is out of their depth and probably motivated far more by what they want to be true than by any advice they might have had from experts.
"He may talk like an idiot and look like an idiot. But don't let that fool you. He really is an idiot."
-- Groucho Marx
I don't really think Mr Brennan is, generally speaking, an idiot. I suspect that there really is something deeper going on here. But I'd not rule out the possibility that he really is an idiot.
-- Bill
Encryption itself can be designed and produced anywhere. In fact, AES has non-USA origins. So do a few other encryption algos.
Encrypting gear, however - not so much. You have a choice of USA or China (I am deliberately ignoring Ala-Lu-No or whatever it is called today out of the equation for now, it is constantly shooting itself in the foot so I cannot see it leveraging a market opportunity even if it hits in the face). In some areas, like authentication, there are a couple of smaller players like Israel, but in general that is about it.
So, he has a point - if you are trying to use a product which bundles encryption you have to make a choice between USA and China today and you will probably have to make that choice tomorrow. You are already assuming it has backdoors (not like it did not happen recently with equipment "infected" in transit). Adding them openly does not make a lot of difference commercially.
The effect is to create a market opportunity that will quickly be filled, US kit replaced.
The same effect (forced decryption of customer data) in Snoopers Charter that means that every conversation between customers has to be intercepted by the vendor.
Communications product vendor Charlie has to include himself in the encrypted discussion between Alice and Bob, because as the vendor of their comms software and being a British company (regardless of where Alice and Bob are) Snoopers requires he decrypt their comms.
Belgacomm spings to mind as an ex customer of any UK kit, or kit from UK companies. For UK that is only communications satellites affected I think?? Cloud services, data processing, and a few others will be hit.
So your private Alice-Bob comms also include Vendor Charlie, his friend GCHQ, their friends abroad (=5 eyes), UK police (via info sharing), and everyone from traffic wardens to animal charities via the UK's slack data protection system. Shared with everyone but courts and judges to avoid any kind of legal process or privacy right. Natch.
But I'm sure their chief will explain that their backdoors won't affect business because nobody has a choice!
Wishful thinking.
But Brit Kit, not with a free extra account.
The effect is to create a market opportunity that will quickly be filled, US kit replaced.
The world is a small village. You will find that getting funds to work on such an opportunity off the ground is virtually impossible (just ask the OpenBSD guys on how difficult it is to get encryption related non-USA funding). Investors will tell you to sod off if you deliberately exclude USA and all American companies out of your customer base day one. Treaties like TTIP and Co will also make it even harder for you to build such a thing tomorrow.
This leaves you the only option to go hat in hand to the hill above Москва река, but that has its own issues. Ones we should probably avoid discussing as none of us would like to hear "Mr Chrisoprase is very unhappy" somewhere in a dark alley way.
That is something Mr Bremnan understands very well by the way (he is not being an idiot here, he is in fact being brutally honest about it - something most USA politicos prefer to avoid).
This post has been deleted by its author
Investors will tell you to sod off if you deliberately exclude USA and all American companies out of your customer base day one
Ah, but herein lies the irony: IMPORTING high grade crypto kit isn't illegal (although paranoia suggests the US would quickly slap an import tariff on it if you were to start affecting the revenue of the government's paymasters). So you could still sell to US businesses, and I have a feeling that it's not the US businesses who want backdoors (well, OK, except the IT outfits who probably make a mint selling access to the agencies).
There's also the little issue that "US" crypto isn't actually of "US" origin at all. AES was originally called Rijndael, but that obviously sounded too foreign, and was developed in the country that once gave us techno, Belgium. This suggests that it's not actually going to be spectacularly difficult to obtain another cipher without the US having a foot in the door, but validating it is where the costs lie (as a matter of fact, a number of governments, amongst which the UK, do maintain other ciphers as well).
IMHO, given the continued behavioural problems of the US government it becomes more and more commercially feasible to develop a non-US cipher - as a matter of fact, I personally think we've reached the point where you could probably get an EU grant for it, the trick is to keep the whole thing as open as possible because that makes subverting it hard (sunshine works)..
I suggest that there is another possibility: If the US were to make such a requirement stick (I think the last version of Burr-Feinstein that I saw is pretty unlikely to pass), it is likely enough that it would be followed by similar legislation in quite a few other countries, with China and Russia in the mix but not necessarily the first.
Thales e-Security are pretty big, part of the huge Thales organisation, and sell hardware security devices, trusted by many household names.
Based in Cambridge (England).
I'm sure they'll be happy to pick up lots of customers fleeing from the US mandated backdoors.
Disclaimer: I work there.
It's called disinformation.
He's quite deliberately speaking hypothetically about his vast governmental espionage agency "needing" the hapless consumer crap weakened - Thus implying (confirming - to all those who think he's "stupid") that the existing US crapto presently in use is most awesomely doubleplustrusty.
It is not.
Obviously.
Perhaps the San Bernardino fiasco broadcast that fact widely, loudly and convincingly enough to necessitate this spot of disinformation?
Hypothetically: The CIA doesn't really need any such thing. Doesn't really want any such thing. Isn't really asking for any such thing.
Equally obviously.
It's a show.
It's a fucking spy agency for Christ's sake. He's a spook. The real deals are done in secrecy. Next time the politicians pluck some deranged Orwellian crap "from thin air" and shove it into law before anyone can bat an eye, it was probably him wot wanted it.... but... whenever he spews shit at you via the world's media: HE'S LYING AT YOU.
No animosity to the man: IT'S HIS JOB
NIST knew that if they wanted anybody to trust their replacement crypto, they'd have to run an open international competition for it, with all the design rationales published, not just hand us a shiny updated version of the Clipper Chip or something. And yes, AES is Rijndael, from Belgium. And OpenSSH is managed by a Dutch/SouthAfrican who lives in Canada, and OpenSSL by a New Zealander. Shamir of RSA is an Israeli.
"A cryptographer, a Eurocrat, and a normal person walk into a bar. What do they order?" Three Belgian beers, and maybe some Club Mate' if it's available. (Cryptography seems to be one of the Belgian national sports these days.) But it's not just the Belgians and the Dutch and the New Zealanders and the Israelis and Canadians and the Russian Mafia writing computer security software - lots of other places do it too. And while a lot of the Cypherpunks group activities were in Silicon Valley and Berkeley in the 1990s, it's not like everybody attending were Yankees; we had Canadians and Russians and Dutch, and there was a lot of academic work back and forth between US and European and Aussie and NZ universities.
And yes, AES is Rijndael, from Belgium. And OpenSSH is managed by a Dutch/SouthAfrican who lives in Canada, and OpenSSL by a New Zealander. Shamir of RSA is an Israeli.
And a lot of it is run on X86/64 hardware featuring Intel CPUs with their embedded micro running some Intel firmware blob that has access to all of memory and the Ethernet port...
So whilst your software list might be Non-American, the hardware and underlying firmware most definitely is American, and it's very opaque too
"Not that we should be worried about the CIA snooping, Brennan said. In the past three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff. The person will review all CIA activities to ensure they are legal, Brennan said."
A den of thieves has hired a thief to make sure they stay honest.
Well, I'm satisfied.
"Its a good thing none of the foreign countries like say Belgium understand encryption. Oh wait."
don't rule out Finland, either.
that and libertarian-minded Americans who'll do it on the "dark net" and not tell anyone they did it. HELLO "underground economy".
Making drugs illegal - that really stopped THOSE, didn't it? And how about that 'prohibition' thing back in the 1930's? How'd THAT work out?
All I can say is, "they" (politicians, D.C. insiders, "the establishment") must think WE are IDIOTS.
Making drugs illegal - that really stopped THOSE, didn't it? And how about that 'prohibition' thing back in the 1930's? How'd THAT work out?
You may accidentally have hit on the real reason for these shenanigans: a repeat of exactly that. The reason the whole drugs market still exists is because it makes a shocking lot of money for a small group of people by being illegal. Like the prohibition, many a billionaire was made on the back of something that is banned because it creates a supply shortage which can drive up the price.
The only thing missing here is the addiction part, but that's backfilled by the fear of the presence of many evil hackers and even the government itself.
It's really just about money. Lots of money.
This is a trial balloon. Nobody thinks "mandatory backdoors" is going to pass. Brennan and Wyden are both going through the motions because it's their job, but there's no point getting excited about it.
We're being distracted from something, the question is: what? TTIP? Safe harbor?
Most of the rest of the internet-savvy world has perfectly good resources for developing and deploying kit that is as-good-as or superior to the US Gov't stuff.
Many of the recent advances have been made in Europe and Russia. They have also been at the forefront of pointing out the US-sponsored deficiencies. Of course this group (and including increasingly active ones in China) are more than capable of breaking US algorithms and introducing their own.
Massive fail for the old hat CIA/NSA/etc. All you're trying to do is to scare your minions/taxpayers.
I just finished reading through Brennan's private emails and it's clear the man doesn't have a clue about encryption. If the head of a security organization can't form a coherent idea on the topic, I don't expect anyone will actual place any value on his opinions.
If those are 'copters I hear outside, we'll know that reading his work emails may have been a step too far.
Was with you (and thinking "Truecrypt") right until you said OTP.
Not typically practical and horribly vulnerable to catastrophic "side channel" failure.
TRUECRYPT
(Use your "OTP" as a permanent keyfile, to augment/"salt" your session passcodes/keyfiles, if you like ,)
"Not that we should be worried about the CIA snooping, Brennan said. In the last three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff."
A mere 68-and-a-bit years after it was formed (1947-09-18). My, that was quick. I'm getting dizzy just watching from the sidelines.
-- This has the delicious stench of American-Exceptionalism written all over it... If its not American it doesn't exist... Yeah <cough> right!
-- Americans are not known for their studious attention to history, but there are warnings about the fall of great civilizations (Rome etc)...
-- If there was a scale where US opinion and power mattered its probably down from 9/10 in the 80's to about 3/10 now. Own goals like unwise ME wars, the Bush years, Obama empty promises, China rising, and revelations from Edward Snowden have all seen to that. So great job. Go Team USA!
Well, I think nearly all, at the time of this posting, are in agreement here, and have recognised that Uncle Sam has lost the leading plot and are catastrophically vulnerable to being ruthlessly exploited for both personal and personnel and foreign state and non state actor gain.
And that title can also be written thus .....To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order to Program with Novel Programming and Heavenly Projects delivering Noble Projects in Immaculate Pursuits ..... and/but of course, and one is well warned here and is hereby again advised to remember to never ever forget, for some things are final and vital and fatal and strike without any sort of prior warning, should its Advanced IntelAIgent Systems and Virtualised Administrations Executive[s] be proposed opposed, at any time in any space or place, and be the subject of objectionable attack and/or abuse, are Hellish Schemes and Crazy Operations also always readily available to crush both wayward opponents and competitive rogue renegade elements alike.
To XSSXXXX is IT no Fools' Tool and Perfect Attacking Defence Weapons System. Take care out there, IT is dangerous in the wrong hands, hearts and minds, and can and will kill you if you choose to abuse and misuse it.
Have a nice day, y'all.
the above shows just how effective non-US encryption can be, even if we have to go to Mars to get it. ... Lyndon Hills 1
Hi, Lyndon Hills 1,
It would be a monumental folly to discount and dismiss home delivery whenever Martians realise takeaway is more than a number of steps too far for Earthlings to make and/or take.
It is neither wise nor practical to expect a primitive species to exercise quantum leaps and revolutionary actions they have no offence or defence against, so please expect something quite extraordinary to be rendered and presented currently for continuing disbelief and terrifying consternation.
Because I'm pretty sure that things like OpenSSH would be Hard for the US to stick a back-door into. (Not impossible, looking at recent history of subtle bugs, but certainly Hard.) IOW, the man is clearly an idiot who thinks the people he is trying to talk to are also idiots. (If I were one of the people he was talking to, I might take umbrage at that.)
Bugs in OpenSSH would be more bypassing it rather than backdoors, as far as I was aware what they're after is people building in ways to bypass which they notify the CIA etc about and then keep there, rather than rightly fixing it as a bug
I was thinking a bit more tinfoil than that. I was wondering to myself if a sufficiently clever intelligence organisation couldn't sneak in a bug in a FOSS offering that would weaken the product in ways that only they were aware of, for however long it took before others spotted it. No, it's not a back-door, but it might be worth the effort anyway.
Note also that it wouldn't have to be in an obviously sensitive place. It might suffice to fiddle with the memory allocator (which may not seem like it is even part of the product) or make a trivial patch to remove a compiler warning.
But although this will probably be upvoted by the paranoid wing of El Reg's readership, I must say it seems a bit unlikely to me.
The problem there is that you are working on community software and the community will review it, question your "weird code" then dismiss you from the project. You are coming from the angle that a "secret CIA/FBI coding operative" is going to be more clever than any single person already well versed in their own codebase. It most likely will not happen at that level, much easier at the hosting side, but then the community will notice your "additives" and kick you down the road. You could hijack the downloads with your "special package" for a time, I suspect. but not long.
To expand to the comments in general; WHY ARE YOU WAITING SO LONG?! People, people, people! Ed Snowden gave up the info several years ago; the NSA/CIA/FBI spies on ALL data routed through the US and world. Every single entity that gives more than two shits about real, honest, Internet, and general computing, security should have been working 24/7 to get out this trap laid down by those above mentioned Acronyms. It's been three whole years and you're still taking about "if" and "someday" "we'll get a fucking clue and divorce any products hosted in a known spy zone"; the USA and all connected networks therein. There should have been a Euro-version of every major web site online by now, so that I, and a US Citizen, can get out of the fucking trap too! God fucking dammit, get your shit together and get this working already!!1! Your personal data in a US cloud, or routed through a US access/peering point, or on a major US crap site (twitter, farcebook, Goopal, etc) is not personal anymore. There are plenty of good projects not hosted here that can be leveraged to make a stand and build a nice Internet zone that will not allow snooping or other decryptions. Come ON!
Three years...
Is that because of the MIT collaboration, or the fact that Andy Yen, Proton Tech's registered CEO, is a US passport holder?
Both, actually.
Why would that be a problem?
It's called leverage. Especially post Snowden we received reports of quite a number of reports of US sysops of multinationals being asked to "have a chat" when they were about to enter data centres abroad. On examination, ProtonMail is further exposed to that by having a branch office in the US.
There are various ways in which "collaboration" can be organised, the simplest one being the assistance with anti-terrorism - let's not forget that there are bad people out there.
The good news (and just about the best move they could have made in this context) is that their code is open source. There's still a gap there but it lessens the exposure to subversion as it becomes too easily visible that something isn't right. So, from a security perspective it's done well.
Exactly. Since US relaxed encryption export rules, nobody really cared about not using US made encryption product - but the same product often used algorithms developed *outside* the US. AES was developed by two Belgians.
And back then, the situation was quite different, and there was no Snowden. Then US were able to upset even long-time allies, because of their bulimic STASI-like information gathering handled by greedy gnomes.
So what will happen?
1) US will have to develop their own backdoored cryptography. Bright minds abroad, instead of helping, will look at how to exploit that backdoors, while still developing useful cryptography.
2) Company outside the US will switch to cryptography without US backdoors
3) US-based companies will have legal/commercial issues outside US. "Privacy shield"? Good luck with that.
4) A new commercial market for non US companies opens.
5) Brennan will become the next Trump, blaming those "evil foreigners" for US economy issues.
Suggest this guy googles "Enigma" and "German belief it could not be broken".
Actually, IIRC even the Nazis weren't so far up their own arses they believed their encryption was unbreakable. They assumed it was, and their compensating control was daily key changes.
I wouldn't be surprised to learn that terrorist networks are better configured than most corporate networks. Terrorists tend to give a shit about their cause and however misguided, seem to put their hearts and minds into it. Corporate IT types on the other hand, at least where I work, do as little as possible and give few shits about the company they work for.
I'm sure he'd be very interested to know that there are no encryption experts outside the USA.
When they issue those backdoored encryption products he'll probably set breaking them as an exercise for his students. It might take them perhaps a couple of weeks?
Brennan is not completely wrong.
It's all very well having the option of using different software vendors, but whose processor and associated chipset will you run the software on? Both Intel and AMD current x86 chipsets are backdoored, and the embedded ARM processors in peripheral devices such as network cards, cellphone modems, and disk drives, if not already doing so, can also be running subverted code.
Open hardware projects, where you can demonstrate no real-estate on the chip is dedicated to back-dooring, and you can show you are running non-backdoored code, have almost no backing. Very few people take the requirement seriously. If you want to be paranoid, you can also posit there are vested interests in making sure such projects fail.
Lets say you run some non-USA originated encryption code on your PC. The key is in memory. But the network interface has a processor that has full DMA, and can quite happily run an instance of another O/S while pushing packets merrily on their way. You can see where this is going. And this is NOT theoretical. Compromised hard disk firmware is also out there in the wild. SSDs have pretty powerful processors in place to do wear levelling etc. They too are compromised.
For the most part, the security and intelligence agencies don't care that you can run OpenBSD and PGP and whatever independent software you like: they already have full access to the compromised hardware you have to run it on, because you cannot now buy non-compromised general purpose PC hardware. Separate encryption devices, usually used for encrypting point-to-point communications are different.
Then Brennan should be more worried about how much of that hardware is manufactured in China...
BTW: adding hardware-based full snooping capabilities has a cost. While it can be done for "valuable targets", I can't see US companies doing it full scale in their products and pay the costs just because CIA likes it.
I agree it has a cost. But it has been done.
Read this (very) recent BoingBoing article:
https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html
The point being that the Intel Management Engine and the AMD equivalent have legitimate commercial uses in remote management of servers and desktops. It is convenient to be able to send a Wake-on-LAN packet to wake up a desktop at night, apply patches, do a hardware inventory etc. But the very same system can be used to subvert the PC. As has been pointed out, Intel are very cagey about the Management Engine, firmware is cryptographically signed, and the processor it runs on is (a) separate to the x86 CPU, but on the same chip and (b) has full memory access without the x86 chip knowing about it.
So it is not as if there is an extra development cost for the hardware now. It has been done. 'All' that is needed is the modified firmware that does what the intelligence community wants.
I do not think for one minute that the NSA is bugging every modern PC on the planet. I'm not that stupid. But with this, they have the capability to choose to exfiltrate information from any one of pretty much all modern PCs that get connected to the Internet. Yours probably has not been targeted. Mine probably hasn't. But key PCs of interest almost certainly have.
Feel free to dismiss me as a wild-eyed loon. But please do read the articles I link to, and have a think about the technical issues around this. Ask, "Is it possible?". And ask "If it is possible, would the NSA do this?". The intelligence budget the USA have is not small.
The technology of hardware backdoors is fascinating. How about dopant level backdoors:
http://www.extremetech.com/extreme/166580-researchers-find-new-ultra-low-level-method-of-hacking-cpus-and-theres-no-way-to-detect-it
http://thehackernews.com/2013/09/Undetectable-hardware-Trojans.html
"Despite these changes, the modified Trojan RNG passes not only the Built-In-Self-Test (BIST) but also generates random numbers that pass the NIST test suite for random numbers.”
The US military and intelligence community do worry about this sort of thing, which is why they have 'Trusted Foundries'
https://www.nsa.gov/business/programs/tapo.shtml
The list of trusted suppliers is publicly available if you follow a couple of links from the above.
"A key part of the DoD Trusted Foundry program is that it uniquely provides the US Government with guaranteed access to leading edge trusted microelectronics services for the typically low volume needs of the US Government. DMEA and NSA co-fund the Trusted Foundry program to facilitate this. The Trusted Access Program Office (TAPO) facilitates and administers the contracts and agreements with industry to provide US Government users with:
Leading edge foundry services including multi-project wafer runs, dedicated prototypes, and production in both high- and low-volume models"
A library of standard IP blocks
Limited packaging and test services"
"Both Intel and AMD current x86 chipsets are backdoored"
Let's assume that is true. Does it matter? If the chips continue to give the right answers to numerical problems, they can still be used to break your encryption, and they can still be used offline to encrypt stuff without you ever knowing. (Yes, you don't *have* to be connected to the internet to perform arithmetic.) IOW, that back-door opens out onto a brick wall built by your enemy.
Back-dooring a chip to the extent that it gives all the right answers *except* when fed problems that you don't want your enemies solving sounds like it will take more transistors than Intel have ever manufactured -- and I don't mean on a single die.
I seem to remember that a rather popular encryption tool from the 90's being developed by a US company/person/team but the algorithms for the encryption itself being written in Finland or Sweden or somewhere, specifically to get around needing a license to export a US product containing "strong encryption" by making sure it wasn't a "US product". There was some media hysteria about this, and the CIA were particularly annoyed.
If I'm right remembering this, it kinda blows this chap's rather weak argument out of its already quite shallow water.
Can anyone remember the specifics of what I'm blathering about? :-)
There were US-origin products that included stubs for RSA/DES. Non-US customers were supposed to link in rsalib, then hosted on a Finnish server. Sorry, but the names are lost to me.
There are a lot of non-US companies that sell cryptio chips and boxes (Infineon, for example). The sticky point is whether they have a US presence that can be held hostage.
Quite fresh commentary around here. Not pondered -and should- is that of resistance to change.
First, a huge cultural 'building' trying to keep things being done according to 'cold war' customs. Any change at this area having tremendous adaptive costs.
Second, bringing those mechanisms to a more civilian ground -from mil|intel to civilian- will represent opening to competence, even in price.
The mistake here is that INTERNET Technology [and encryption tech] is no more Strategic or Complex, in any way, and creating artificial scarcity will end by-siding the same Industry [that is whining].
I find it hard to understand how that was >20 years ago, yet we're still having this global debate about encryption. ... Olius
That's because it's politically charged, Olius, and all about mass remote power and virtualised control of natives Earth species, which is defaulted in the crashing flash supply and spending of fiat paper/currency. Knowing what's being planned for the future allows one to prepare attacks/defences against it, but that does involve one in talking around hot subjects rather than answering clearly and truthfully questions posed to one about one's efforts in it. Slippery tongued politicians thinking their replies are super clever whenever nothing is answered and all is deflected tell you everything you need to know about anything you ask them?
All secrets surely hide thought advantageous unpleasantnesses which tell a real different tale of existence from the stories spun for realities fed to the masses. And such surely indicates and proves that life on Earth is a virtual reality which is presently being extremely badly programmed to server corrupted drivers.
Time for a change, methinks. What think ye? Or do you doubt and believe things are not so simple and therefore will be just as a paying spectator to Greater IntelAIgent Games Play with no input provided for future consideration and inclusion? That is your fate in such a scenario/virtual reality/future existence.
Indeed it is all of that.
"Time for a change, methinks. What think ye? Or do you doubt and believe things are not so simple ..."
I'm a techie - so I believe anything is straightfoward, and it takes great effort on top of a good dose of politics and paranoia to make the world appear to be so complex :-)
:-) And then there were at least two, and their powers were squared. Keep watching these Registering spaces, Olius ...... Things aint what they used to be, for future builders are transparently internetworking secrets and solutions over invisible, intangible webs of intriguing innovation and invasive invention/immaculate conception with perfect formations.
In some sad and bad and rad and mad intellectually challenged minds and corrupt perverse systems will that equate and be treated as Cyber Terrorism and Virtual Warmongering ....... and such rantings will identify the lead fool which be a blunt tool.
We need to look at what he is actually saying before we get all excited. Consider the following.
The US spying agencies, including the internal ones, want to be able to have backdoors in anything that they look at.
The US political establishment likes that idea.
The US tech industry says that idea is a no no.
The US tech industry actively sticks it to the man.
Now we have a guy the really really wants to be able to look at everyone's communication so he comes up with an idea.
If no one else can do the encryption as well as the US then the US tech industry does not have to worry about losing sales if the put in the required backdoors because no one else can do encryption like they can.
What he is saying is what he hopes the tech industry and people will believe and thus approve the introduction of backdoors or watered down encryption.
It's all very nice but the maths still don't add up. Anyone who deliberately weakens encryption will negate their encryption, if not immediately, then sometime soon.
To me this sounds more like an elaborate re-hash of the "there must be some way to do it" school of thought. Now it is being trotted out by a guy whose business is to keep secrets. I suspect he is trying to keep the more rabid Alzheimer sufferers in Congress happy (a certain California senator comes to mind) until either he or they can retire on their government pensions.
So sad that the informed reasoning of the few can be so easily sidetracked by the uninformed reasoning of the many.
If American companies do attempt to impose global (HW or SW) back doors on the world, then the stampede to produce alternatives to American products will be deafening. This is precisely why it won't happen, grand-standing politicians aside. Brennan clearly knows this but can't say so. His is a smoke blowing exercise because economic suicide is not the answer.
"If American companies do attempt to impose global (HW or SW) back doors on the world, then the stampede to produce alternatives to American products will be deafening. "
It has already been done, and there is no stampede. Yet.
Look up Joanna Rutkowska and her publicly available talks.
http://blog.invisiblethings.org/2015/10/27/x86_harmful.html
AMD have an equivalent technology (PSP) to Intel's IME.
Compromised hard-drive firmware: http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/
and
https://www.wired.com/2015/02/nsa-firmware-hacking/
Compromised network interface firmware: http://www.theregister.co.uk/2010/11/23/network_card_rootkit/
Compromised USB firmware: https://www.engadget.com/2014/10/02/badusb-released-github/
Compromised SD cards: http://www.bunniestudios.com/blog/?p=3554
Compromised SSD firmware: https://downloadcenter.intel.com/download/18363
If Intel can offer firmware upgrades, then you can treat SSDs just like hard disk, above.
I can't be bothered to find the link, but Graphics cards also run firmware that can be reconfigured to surveil the main computer.
Firewire interfaces are great - older versions allow unrestricted remote DMA to the main processor
http://security.stackexchange.com/questions/49097/protecting-against-firewire-dma-vulnerabilities-in-linuxmemory.
https://www.jwz.org/blog/2013/01/bypass-full-disk-encryption-and-passwords-on-any-powered-on-computer-via-firewire/
More general information on hardware backdoors:
http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/
Fun, isn't it?
I'm an American, but I can't even begin to imagine this guy's attitude. Is he a total cretin? Does he really think the rest of the world are cretins?
If this guy is in charge of our SECURITY, and he thinks the rest of the world can't even cobble together working encryption, I'm really afraid for the US. This reminds me of some of the bollocks spouted by the worst of the pukka-sahib types at the beginning of WW II who couldn't even imagine the Japanese posing any actual threat. They didn't do too well, either, as I recall. With guys like this in charge of our security, the U.S. will likely be conquered any day now.
When I read that I recalled Tom Lehrer's "MLF Song". Specifically:
"We taught them a lesson in 1918, and they've hardly bothered us since then"
I won't say "Once a thief, always a thief", but when hiring an armored car driver, or even a valet-parking attendant, the applicant with a long record of thievery is probably not the best choice.
What it means to me is that whether foreigners have high-grade encryption or not is uninteresting to them. It's a "theoretical" capability that may be true; it may not be true; it doesn't really matter.
It's their own citizens they want to listen in on. It's their own citizens they're trying to exert control over.
With all due respect, It ¡s PR spin. US Senate has educated men & women. Surely they would prefer an honest assessment. [Maybe that They're looking at the wrong side?].
Director John Brennan doesn't have a problem. [He is at another frame]. Maybe that's the reason of so short answer.
Software Industry could consider -among many other- applying strong 2-pass encryption & get hold of anything required by law to get hold of, even if up to now locally stored.
Hardware Industry has to get rid of [actual] dangerous back-doors, diligently walking toward a safer, stronger Global Village. [And to prevent Western Technology to be slowly and progressively by-sided. Which plausibly is the reason of the hearing].
There are many aspects of John Brennan's testimony, and the technical background to encryption that need to clarified in more detail to know the veracity of his claims, since I am aware of world class encryption technology not developed in USA or owned/controlled by US entity, and there are dominant Operating Systems (OS) and Networking software - not from Microsoft or US companies that included capability for extremely strong encryption for data transmission and storage.
Unfortunately in 2016, the technology environment for security, especially regarding encryption has substantially more internationally development and innovation base, so there very little "fact" than can be attributed to Mr. Brennan's wishful thinking.
"Requiring companies to build backdoors in their products to weaken strong encryption will put the personal safety of Americans at risk at a dangerous time and – I want to make this clear – I will fight such a policy with everything I have."
Although that was said by Senator Wyden, I'll sign on to that, too.
I have a hashmark I've been posting for a couple years now. Every year it becomes more factual and urgent: #MyStupidGovernment
Here we have more of the same.
I use encryption NOT controlled by the US government or any company. I use it every day. Big surprise. Sheesh. ;-P
I have a copy of The Codebreakers by David Kahn, and. partly though the timing of original publication, it sets up the myth of super-competent US cryptography. They had talked about breaking the Japanese codes and ciphers. The Ultra secret had not yet been revealed. But it mostly deals with earlier generations of cryptography, stopping with the development of teleprinter-based systems that read a key from a punch-tape.
One thing is apparent. If the skilled hands could be applied (and paid for), by the 18th Century anything in the mail could be tracelessly read. But the process was so expensive that for most people a sealed envelope was all the security they needed.
And then the telegraph came along, and just ordinary commercial communications started using codes. The codes deterred casual reading by a telegrapher but also replaced long words and phrases by fairly short code groups. And they reduced language problems: London or Londres, it was the same code group.
Everything has changed in the last twenty or so years. The internet has destroyed the economic protection of the sealed envelope. As Edward Snowden has revealed, the intelligence agencies are indiscriminately reading everything, because they can, and smothering themselves with irrelevant data.
For most of us, good encryption is a tool: what we're really looking for is the security of the sealed envelope, something that costs enough to bypass that the intelligence agencies have to think about just what their targets might be.
It's very apparent that thinking is optional in the modern CIA.
Let's be fair for a moment. Encryption standards as they stand today originate in the US. There are many many good encryption techniques, many which are likely stronger and better than AES, RSA and DH. The issue however is that nearly every product in the report about encryption coming from 55 countries is they use standards.
We use standard ciphers because at some point we believed they were strong enough to keep us safe. Some people who call themselves security experts think they're unbreakable, that is sheer vanity and silliness. There have been many enhancements made to AES for example which strengthen it, but the AES block cipher itself isn't particularly strong.
The reason we still use these ciphers has more to do with dependence on things like hardware and software for encryption. Intel and ARM CPUs have acceleration engines for the standard ciphers as well as some of the more popular non-standard ciphers. Processing the encryption in software is not practical for most applications. For example, running full disk encryption in software would take that awesome SSD and make it feel like MFM drives from the 80s.
For messaging and mail and basic storage encryption, software can be used. But which cipher should we trust?
AES became a standard after a massive amount of peer review and a great deal of experimentation by thousands of researchers, mathematicians and hackers. To find a suitable replacement would require a European or UN effort of similar scale. Even now, there is a certain belief that unless a cipher is blessed by the NSA or the Israeli Mossad, it's likely considered weak. There are many cipher researchers outside the US and Israel, but it is unlikely they are as public or well funded as thsoe guys are.
Is it time for something better? Sure... just need to run a competition like they did for AES, find a suitable review board and pass European laws to mandate that Intel and ARM can't ship AES acceleration unless they also support the new standard... this can take a few years.
I work in payments, processing cards and payments for most of Europe. Our company also does (state) authentication etc. We deal with a lot (all?) of the HSM suppliers and smart-card suppliers.
Off the top of my head we are dealing with Finnish, Danish, Dutch, German, Belgium, French, Swiss Austrian, Italian and UK suppliers.
There is not a single USA company involved.
Some of our customers have a specific non-USA requirement...
Brennan is correct: he talks about <<US-based technology>>, and that includes the HARDWARE and MICROCODE which can be used to weaken cryptography by installing some sort of a backdoor.
Some not so theoretical examples:
1. bios-based anti theft which the capability to run arbitrary code on the machine.
2. producer's "trusted" signature that can be used to (remotely?) replace processor microcode.
3. (activated by default) CPU-based Management Technology.
Brennan is correct: he talks about [US-based technology], and that includes the HARDWARE and MICROCODE which can be used to weaken cryptography by installing some sort of a backdoor.
Some not so theoretical examples:
1. bios-based anti theft which the capability to run arbitrary code on the machine.
2. producer's "trusted" signature that can be used to (remotely?) replace processor microcode.
3. (activated by default) CPU-based Management Technology.
Ok, so we don't "dominate" the encryption landscape, sure, but .AU has a few companies, including YDF (your digital file)- doing very nice encryption, thank you very much. Typical american-centric view of the world.
Plenty of startups outside the US going hammer and tongs on encryption. Nothing theoretical about it. And we will happily eat their lunch if the US want to shoot themselves in the foot.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
