back to article Line by line, how the US anti-encryption bill will kill our privacy, security

In the wake of the FBI's failed fight against Apple, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) have introduced a draft bill that would effectively ban strong crypto. The bill would require tech and communications companies to allow law enforcement with a court order to decrypt their customers' data. Last week a …

Page:

  1. cbars

    Amazing

    How doublethink actually became a thing!

    Keep your customers secrets or else.

    Give us your customers secrets or else.

    1. Sir Runcible Spoon Silver badge

      Re: Amazing

      I think the US should put this bill forward for a vote immediately.

      That way, anyone who votes in its' favour will have shown themselves to be unfit for office - right down to the point where they shouldn't be allowed to make the tea.

      Sack anyone who votes for it and ban them from ever having any more authority than over their own bladders.

      1. ecofeco Silver badge

        Re: Amazing

        That way, anyone who votes in its' favour will have shown themselves to be unfit for office - right down to the point where they shouldn't be allowed to make the tea.

        Except in Murica, that's usually a guaranteed re-election.

      2. MachDiamond Silver badge

        Re: Amazing

        With elections coming up this year, this bill should be voted on as soon as possible. Once it's known which corporate shills have voted to pass it, the US voters will know whom to vote against (assuming that their votes are actually counted).

      3. Tom -1

        Re: Amazing

        "ban them from ever having any more authority than over their own bladders"

        That's very wrong. Give them that much authority and they'll piss all over us!

  2. Anonymous Coward
    Anonymous Coward

    The more I read about this, the more I want some pitchforks and torches

    Ropes, lampposts, congress: Some assembly required.

    1. Keef

      Mr AC, I agree.

      But most people will not read about this.

      I know not where you live, but I hail from the UK where our beloved Daily Mail, Mirror. Independent, Guardian, Times et al regularly write shit instead of following a story.

      I do despair for the future..

    2. Voland's right hand Silver badge

      You do not need to

      You need wallets. And election season.

      Feinstein represents silly valley if memory serves me right. If she continues down this road her chances of being re-elected are highly correlated with Lucipher working for the Mountainview county council as a snow plough driver.

      1. Vern not Winston Smith
        Big Brother

        Re: You do not need to

        Feinstein, while a democrat has always sided with law enforcement since her time as Mayor of San Francisco. The article notes this is not her first bill she has "written" to support of the NSA and FBI. I am speculating here, it won't be her last.

        FYI: The senator has been in her current office going on 24+ years. Nobody has the money to take her seat. The last election, she didn't even campaign.

        1. ckm5

          Re: You do not need to

          Plenty of people in California (as a senator, she represents all of California, not just SV) have the money to take on Feinstein. The question is will she push someone, anyone, over the edge.

      2. martinusher Silver badge

        Re: You do not need to

        She's one of the senators from California so she's elected by the whole state. She's not up for reelection this year, its Boxer's turn (and she's retiring).

        We do have to get ignorant legislators out of government but its an uphill struggle against the hordes, there's so many of them. What Fienstein hasn't figured out is why DES got changed out for AES. It wasn't just that DES got old and tired, it was because the Cold Warriors wanted to exercise so much control over technology that critical technology like encryption standards had to originate "anywhere but in the USA".

        I've personally witnessed just how much damage these people have done to our technology industries over many decades. Since the industry has grown rapidly its easy to overlook the losses but as things flatten out you will notice how many of our key technologies have been hollowed out by overzealous and underinformed legislators.

      3. MachDiamond Silver badge

        Re: You do not need to

        I'm surprised that Feinstein's advanced oldtimers disease hasn't been leaked to the media. She's never been very bright when it comes to technology, economics or morals.

      4. rusty94114

        Re: You do not need to

        The Californians who have repeatedly elected Feinstein to the Senate are generally unaware that she is one of the most totalitarian-minded members of Congress. She is a ringleader of the War on Drugs, and an opponent of internet privacy. When she was Mayor of San Francisco in the 1980s she vetoed legislation that would have extended to gay city employees in domestic partnerships the health insurance benefits that were available to heterosexual employees.

        Hopefully this latest totalitarian move will finish Feinstein's political career.

    3. hplasm Silver badge
      Happy

      Digital pitchfork...

      1. Encrypt nasty PC virus.

      2. Punch a Fed.

      3.Get PC confiscated and decrypted.

      4.BZZZZZKKKTT!!!

      5.Profit!

  3. Ropewash
    Facepalm

    These articles...

    They angry up the blood every time I read them.

    Not from the U.S. but in a country that tends to follow soon after on crap like this.

    I'll repeat the only point I have on the issue,

    The government can lead by example here and make sure they are running the same busted "security" on all their data so the people can have backdoor access to it for freedom of information requests.

    They want to protect the people from the terrorists? They can start by protecting them from their own government.

    1. Palpy

      Re: The government [of USA] can lead by example...

      ...and they have! The OPM hacks dropped the US government's pants to the tune of personnel records on 22 million employees, including security classifications.

      Now if that isn't busted security, I don't know what is.

      Maybe it's like penis envy -- Feinstein, Burr, et al are insanely jealous of people smart enough to do good encryption.

      Or perhaps it's simpler: Feinstein, Burr, et al are insane.

      Leave it at that.

      1. h4rm0ny

        Re: The government [of USA] can lead by example...

        >>"Or perhaps it's simpler: Feinstein, Burr, et al are insane."

        Simpler than that. They're interests just don't align with the publics. Nor has a farmer's interests ever truly aligned with the chickens. They might both want to keep the fox out, but the farmer still wants to keep the chickens in.

        1. Sir Runcible Spoon Silver badge
          Thumb Up

          Re: The government [of USA] can lead by example...

          Nice analogy there Harmony, and not a car in sight ;)

        2. allthecoolshortnamesweretaken Silver badge

          Re: The government [of USA] can lead by example...

          Why did the chicken use weak encryption?

          Okay, somebody please come up with a clever punchline. K THX.

          1. BebopWeBop Silver badge

            Re: The government [of USA] can lead by example...

            Because Alice asked him to?

          2. Sir Runcible Spoon Silver badge
            Coat

            Re: The government [of USA] can lead by example...

            "Why did the chicken use weak encryption?"

            Because it wanted someone to use it's back door?

          3. G Olson

            Re: The government [of USA] can lead by example...

            "Why did the chicken use weak encryption?"

            Because he didn't have a strong enough shell for his embryonic development environment.

          4. channel extended

            Re: The government [of USA] can lead by example...

            Because the rooster had crossed the road?

          5. Number6

            Re: The government [of USA] can lead by example...

            Why did the chicken use weak encryption?

            Because it wanted the information to get to the other side?

          6. Mpeler
            Coat

            Re: The government [of USA] can lead by example...

            Because it wanted people to see poultry in motion...

    2. This post has been deleted by its author

  4. The Nazz Silver badge

    Stuff your fancy encryption.

    Can i just have the lead photo as a screensaver? That should keep the buggers away.

    1. This post has been deleted by its author

  5. moiety

    I can't decide if this is well-meaning but just astoundingly ignorant; or if it's a genuinely evil attempt to further fuck over people's liberty in a (going to be unsuccessful) power grab.

    It does highlight a frequently-occurring flaw in the American psyche, though, and that is forgetting that there's a 'rest of the world' out there. Because there is, this cannot possibly work.

    If this bill went through, the immediate cost would be in -at minimum- billions and the cost over time would be truly colossal. Nobody in their right mind would use a bank that automatically rendered them more liable to scams; or encryption software that is deliberately flawed.

    In the unlikely event of this bill passing, my new hobby is to send one-time-pad encrypted email attachments with dodgy names*** to US Senators.

    ***CP_vol_7.zip (With the CP standing for Cat Pictures, or possibly Chincillas, but don't tell anyone because it's not as funny if the reveal isn't in the highest court you can find with extensive press coverage).

    1. Duncan Macdonald Silver badge
      Mushroom

      Evil one time pad

      If you want to send an encrypted message - and still have plausible deniability - do the following.

      1) Encrypt the message with a one time pad (simple XOR encryption - still unbreakable if each byte of the message is encoded by a unique byte of the pad and the pad is never reused)

      2) Create an innocuous message of the same length

      3) Create a fake "one time pad" as the XOR of the innocuous message and the encrypted message from (1)

      If forced to decrypt the message - provide the fake "one time pad" generated in stage 3 which converts the encrypted message into the innocuous message from stage 2.

      1. moiety

        Re: Evil one time pad

        That is quite deliciously evil; but wouldn't that make your "evil message" (now being used as the one-time-pad and containing structured data) easier to decrypt?

        1. Sir Runcible Spoon Silver badge

          Re: Evil one time pad

          "but wouldn't that make your "evil message" (now being used as the one-time-pad and containing structured data) easier to decrypt?"

          I don't see why it should. If I've understood correctly the fake pad is just to convert something you know (the encrypted message) into something else you know (the fake unencrypted message).

          The original pad will will decrypt the original encrypted message to the real one. All the fakery stuff only relates to the faked message so should reveal nothing about the real pad or message.

          1. moiety

            Re: Evil one time pad

            I'm not an expert, so was asking for information. (I was completely wrong about the evil message being the one-time pad, as that function is served by the new one-time pad that you have whipped up for yourself...my mistake...not enough coffee).

            Your encrypted message contains both the decoy message and the evil message. My question is that if you decode the decoy message, does not that give some clues (either by changes at conversion time or by what's left) that might make it more vulnerable to finding out that there's another message in there? Or worse - to decoding it? The evil message is structured so might it not be possible to detect that something is there?

            1. Sir Runcible Spoon Silver badge

              Re: Evil one time pad

              Ah, I think I see your disconnect here.

              In reality, the encrypted message does not 'contain' the decoy message as such. You are creating a fake translation matrix that you apply to your encrypted message to make it look like the decoy message when it's processed.

              Does that help?

              Actually, thinking about it, couldn't this process be used to fake evidence if someone refuses to reveal their passwords? It might be limited to creating incriminating evidence rather then magically conjuring up actual useful data (which is still hidden by the encryption) - but who is going to argue that the prosecution has 'incorrectly' decrypted the file? The only way to prove that their information was fake would be to produce the *real* key, and hence reveal the real data.

              Oh dear.

              1. moiety

                Re: Evil one time pad

                Thanks, I think it will help after I've looked some more stuff up. Clearly I'm hard-of-thinking today.

                The new one-time pad by the prosecution would have to have a different hash than your original (OK, second) decoy pad, wouldn't it? You might be able to prove that the files have been interfered with. Mind you, if someone's clever enough to think of tampering with one-time pads; it's feasible that they'll have the knowhow (if possibly not the opportunity) to interfere with the forensic report of the original storage medium.

                So actually this technique is not only for deniability; but can also be used as a protection measure; as it takes you from being completely stuffed to a word-against-word situation...and if you whip out your decoy pad and it decrypts to an innocuous message then you'll end up looking more credible to a jury, I think.

                1. Tony Haines

                  Re: Evil one time pad

                  Here's an attempt to clear up any remaining confusion:

                  A one time pad is random data (at least) as long as the original message.

                  If we look at the original suggestion, step 3 could be put off until the demand arrives. One could, without knowing the original, decrypt the message to anything. Therefore it doesn't affect the security of the original message.

                  ...

                  I've thought about this before, in a rather similar context. In the UK, could this approach be used to fend off a RIPA section 49 notice?

                  I think it's worded that you're required to make the information intelligible, which this approach does, assuming a carefully chosen plaintext. Might be handy when they're demanding you decrypt a file you don't actually have a key for.

            2. John Robson Silver badge

              Re: Evil one time pad

              "My question is that if you decode the decoy message, does not that give some clues (either by changes at conversion time or by what's left) that might make it more vulnerable to finding out that there's another message in there? Or worse - to decoding it? "

              Any OTP encrypted message contains ALL messages of the same length (or shorter) - you just need the appropriate OTP to get to it.

              All that the "innocuous OTP" proves is that someone has combined the 'crypt data' with 'innocuous message' to get an 'innocuous OTP'.

              If you find the 'evil OTP' then you reveal the 'evil message' - but you need to demonstrate that that OTP was used on this message - since you now have two apparently valid OTP instances, and only one is genuine.

        2. Gigabob

          Re: Evil one time pad

          No - the trick is the "one-time" pad is held at the sender and receiver's position and for each message a layer of the pad is removed - thus each message encoding schema is random and observed bits from a transmission cannot be used as a guide on a subsequent message. This betters the scheme for Enigma - which transmitted a large volume of messages each day - and you had to decrypt during the day to be able to read something at night. This requires discipline to avoid reuse of the pad.

          The only way to crack this unbreakable system, first documented by Frank Miller in 1882 for Telegraph systems is if the one-time pads are not truly random or if someone re-uses a prior pad as in the Verona case. This is why pseudo-random number generators are not usable for securing systems.

      2. Anonymous Coward
        Anonymous Coward

        Re: Evil one time pad

        You would have done well on the old (now defunct?) PGP.Security Usenet threads. They were all about one time pads, extra long password schemes and so on, fun reading.

        1. moiety

          Re: Evil one time pad

          "Any OTP encrypted message contains ALL messages of the same length (or shorter)"

          That did it. Got a neighbour who's doing renovations; which does not sit well with being nocturnal.

          Actually,, this technique does handily solve my main problem with the UK version of encryption legislation...decrypt it or go to prison. In my work, I end up with a vast stack of other people's passwords; so I could end up in the position of not decrypting (and fulfilling my responsibilities as a data controller) and going to prison; or decrypting and making myself liable for all sorts of shit under various Data Protection Acts, in various countries.

          ...so I could decrypt and leave the passwords scrambled; which would also have a handy built-in canary for law enforcement misusing the data.

    2. hplasm Silver badge
      Joke

      " (With the CP standing for Cat Pictures, or possibly Chincillas,"

      Chia Pets?

      Phwoarr!

    3. Jeffrey Nonken Silver badge

      Actually I don't think it's well-meant, and I also think it's made in ignorance. I think it's an intentional power grab by people who have no effing clue what they're doing. There is no either/or here.

    4. John 104

      @moiety

      It isn't well-meaning. Feinstein has repeatedly introduced or voted for rights reducing legislature for her entire career. If she had her way, she'd burn the constitution and impose martial law on all of us. She is poison to the US and I wish she would just go away.

    5. Anonymous Coward
      Anonymous Coward

      ***CP_vol_7.zip (With the CP standing for Congress representatives caught in Porn pictures but don't tell anyone because it's not as funny if the reveal isn't in the highest court you can find with extensive press coverage).

      1. This post has been deleted by its author

  6. a_yank_lurker Silver badge

    Good Sense?

    "Good sense might prevail in the Land of the FreeTM, but don't bet on it." With America's Native Criminal Class (Mark Twain) which is best at subtracting from the sum total of human knowledge (Czar Reed of Maine) I figure the final bill will be much worse than the current drafts.

    1. JEDIDIAH
      Devil

      Re: Good Sense?

      The problem with this bill is that it will impact commerce. Tech isn't just about the tech companies anymore but everyone else who will be impacted by that tech. It's like that bit from the last DrWho special where he plugged Hyroflax into all of the big banks.

      Nothing gets protected like money.

      This dimwit is threatening the security of money. Never mind the midgets of Silicon Valley.

  7. DougS Silver badge

    I don't see how this would be a problem for Apple

    They are going to make it so it is impossible to get at the data under any circumstances. Obviously I haven't read the full text, but what I have seen doesn't seem to require that they perform the impossible. So if presented with an iPhone 5c they might be forced to create a hacked OS to help the FBI break in, but if presented with an iPhone running iOS 10 that includes the changes that make it impossible to Apple to help, the FBI will get the court order and Apple will say "what you are asking is impossible".

    If the government could compel impossible things they should just have a court order that compels Apple to hand over a list of every active terrorist in the world and where they are located. That would save a lot of hassle trying to decrypt phones and doing police work if you assume you can force someone to pull a rabbit out of a hat.

    1. Mark 85 Silver badge
      Facepalm

      Re: I don't see how this would be a problem for Apple

      Ah.. the list of impossible things that some CongressCritters think can be done.... This is right up there at the top. What's next.. ordering an FTL drive? Ordering NASA to find "heaven"?

      Good on Wyden and I hope enough in Congress listen to him as seems to be one of the few who have a grasp of the problem. As for the two bozos.... a pox on them. Better yet, may all their files and emails along with anyone who voted for them be exposed because... ya' know, weak encryption.

      I swear it's a race to the bottom between the US and just about everyone else. I'm wondering if May will try to top this or maybe France?

    2. P. Lee Silver badge

      Re: I don't see how this would be a problem for Apple

      The problem is the passcodes. Proper security requires high-entropy but no-one is going to do that every time they want to unlock their phone. Hence the ability to brute-force it is wanted.

      The other option is to have a high-entropy passcode just for software upgrades which don't destroy the on-chip data, but a rarely used password is going to be forgotten or shortened.

      Realistically, if a terrorist is going out to die, he's now going to destroy his phone first, regardless of what any phone manufacturer does.

      But this was never about terrorism, was it? This is about the State asserting its right to Total Information Awareness. That's mostly to protect against another Snowden, in my opinion. We can't have the serfs knowing what's really going on.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019