back to article FBI chief asks tech industry to build crypto-busting not-a-backdoor

FBI director Christopher Wray has addressed a cyber-security conference and again called for technologists to innovate their way around strong cryptography. Wray spoke at the Boston College / FBI Boston Conference on Cyber Security on March 7. He told the audience the issue of crypto can be solved because the industry's …

Page:

  1. DCFusor Silver badge

    I'm sure they know better

    This is just laying the groundwork for a later power grab as in - "we asked nicely for a long time, now we got congress to do it". They have to convince some dumb old people they'll be able to keep their jobs collecting insider benefits at the seats of power. The danger is that those congresscritters are so disconnected that enough of this in the news might drown out all the voices of reason till it's too late.

    Because we all know what he's asking for is not possible - no way this guy doesn't know that.

    I think they should work more on trying to regain our trust after quite a lot of evidence of mis and malfeasance. All the things they didn't prevent out of laxity that had nothing to do with this issue, for starters.

    It's hard to find evidence that they ever bust anyone for the issues mentioned. But plenty on say...Kim Dotcom, plenty witch hunts (which don't die because of crypto, but because there might be stupid people, but no witch), and of course the retards they encourage and give fake bombs to so as to look like they catch terrorists rather than create and then entrap them.

    Oh wait, speaking of power grabs, I didn't know that non citizens doing things that are legal in their own countries were supposed to be subject to US law....

    They resist giving info on this because (I'd bet) the actual number of cases that fail because of crypto is miniscule - they just want a fishing license to create more cases based on their hacking.

    1. jmch Silver badge
      Facepalm

      Re: I'm sure they know better - power grab

      Looks like instead of having a back door, they now want the keys to the front door.

      1. Sir Runcible Spoon Silver badge

        Re: I'm sure they know better - power grab

        Also, how is gaining access to devices (physically in your possession) in any way linked to overall security software?

        It's almost as if he is using an example of 'x' to justify 'y', where x and y are from different universes.

        Anyone spouting this shit and not being forced to admit they are wrong should simply be refused from office for either a)lying or b)being too stupid to breath without clear instructions.

    2. CrazyOldCatMan Silver badge

      Re: I'm sure they know better

      "we asked nicely for a long time, now we got congress to do it"

      At which point the rest of the world stops using software developed in the US.

      1. DropBear Silver badge

        Re: I'm sure they know better

        At which point the rest of the world stops using software developed in the US sighs a collective sigh of relief and copies the US in outlawing all strong encryption all of five minutes later. - Fixed

        1. Mark 65 Silver badge

          Re: I'm sure they know better

          Not going to happen for several reasons:

          1. By laying waste to their software/services industry they open the door for others. There's big money involved so why would other countries forgo both the economic boost and tax grab?

          2. The genie cannot be put back into the bottle.

          3. No financial institution will stand for weakened encryption as, in most reasonable countries, they are responsible for any losses incurred by weakness in their systems. Alter this burden and you destroy your banking sector also.

          They can try as they might, but they are fucked on this one and they know it. Hence the persistent wailing.

    3. Anonymous Coward
      Anonymous Coward

      Re: I'm sure they know better

      Next, someone will be saying we should look to Equifax for a solution.

    4. Mark 65 Silver badge

      Re: I'm sure they know better

      Several posters here have mentioned "but the bad guys won't use the new flawed encryption". I am left wondering whether they were ever the target but rather this is a long term operation to ensure mass data collection is kept viable. They had the comms companies on the payroll but then we went https. They were into the tech companies but then they switched to encrypted at rest and in transit with independent keys to which said companies had no access. People are gradually using more and more secure chat/messaging systems. It would appear that LE can see the limit to only being able to grab Facebook data with all else disappearing from view and they're trying to be a little pro-active (albeit too late) about maintaining their feeds.

  2. Anonymous Coward
    Anonymous Coward

    He's right, but no one here will accept it

    All of the comments here will be along the lines of, encryption cannot be broken unless a backdoor is added which would enable bad guys to also use it. This argument is both true and irrelevant. The tech community does not want its precious encryption broken, so techies never think out of the box. One solution would be to mandate that copies of all private keys be kept in escrow where only trusted law enforcement could access it. Could we trust LE to not abuse the system? Maybe, maybe not, but to say there is no solution is to be an ostrich. Perhaps the EU could be the key repository, eliminating the distrust of the NSA. Speaking solely for myself, I would like to see LE be able to take-down pedophiles, Islamic terrorists, revenge porn dealers, malware purveyors, and others hiding behind encryption.

    1. Olivier2553

      Re: He's right, but no one here will accept it

      And of course, the key escrow will never be breached...

      1. bombastic bob Silver badge
        FAIL

        Re: He's right, but no one here will accept it

        "And of course, the key escrow will never be breached..."

        nor will the WRONG person ever be in power to abuse it.

        When you consider all of the outright illegal shenanigans that took place within the top levels of the FBI, regarding Mrs. Clinton, the Steele dossier, and (alleged) lying to the FISA courts to get a warrant on a member of a rival candidate's campaign, yeah, sure, we can "trust" that the keys would be kept safe/secret.

        Riiiight. Am I on 'Candid Camera' ?

        Fact: Human nature is what it is. Those who wield power often ABUSE it. Period. That's why we must NEVER allow *them* to have TOO MUCH.

        As for those who want back doors or "not back doors" in encryption algorithms, I say this: Do you want someone you don't know to have a master key to all of your locks, in case you're a criminal or a terrorist? Do you think it will be kept safe?

        The 4th ammendment to the U.S. Constitution was written in part to deal with this specific thing. I believe they had locks on doors back then. This is NOT a new concept. The cops can do REAL police work instead of being FORNICATING LAZY.

        And, if every HONEST LAW ABIDING CITIZEN used this "back door" encryption, then EVERYBODY WHO ENGAGES IN ILLEGAL ACTIVITY will simply use one of a BOZILLIAN EXISTING METHODS that do NOT have back doors, with super-strong keys, and THAT genii has been OUT OF THE BOTTLE for so damn long it's pathetic.

        Icon in response to the idea that the FBI guy was 'right' in asking for the "not a back door, really, honest!" encryption method, because, he thought of it, and therefore it's *POSSIBLE* !!!

        1. Mycho Silver badge

          Re: He's right, but no one here will accept it

          The biggest oversight is what happens when Capita loses the contract to hold on to all of your private keys and it gets passed over to Serco. What do we do about the few hundred private keys that went missing during the move?

          1. J. Cook Bronze badge

            Re: He's right, but no one here will accept it

            ... or sent by the CEO of the escrow company via insecure public email with no security whatsoever to someone they want to start a pissing match with? *points at last week's Trustico / Digicert debacle*

        2. Anonymous Coward
          Anonymous Coward

          Re: He's right, but no one here will accept it

          Reading the garbage that flows from your head is enough to cause genuine physical discomfort in anyone who speaks English as their first language. Until I reading your posts, I never knew it was possible to pervert the structure of a language so badly, that it should be considered a crime against humanity.

          Clearly, you've no concept of proper capitalization or punctuation, and that would only be mildly annoying, if it weren't combined with the fact that you have no grasp on the most basic grammar.

          First off, let's talk about adjectives and nouns. Adjectives are the words we use to modify or describe nouns; and nouns are persons, places, things, or ideas.

          Secondly, let's talk about verbs. These are the words used to describe an action, state, or occurrence, and forming the main part of the predicate of a sentence. Sometimes, if we're feeling whimsical, we could also "verb" a noun, by using it in place of a verb (like I just did in quotes,) and if you've ever spent any amount of time "Facebooking" you'd see countless examples, like "adulting" or "Googling" being used all over the place.

          However, something that is absolutely not a thing (and definitely not a noun or a verb) is an "adjectivising" (which I just made up, because as I mentioned, "verbing" is an actual thing.) The reason I just "verbed" adjective like that, was because there was literally no other word to describe what you did to the word "fornicating" in the following sentence:

          "The cops can do REAL police work instead of being FORNICATING LAZY."

          You attempted to "adjective" a verb, and produced a sentence that's so hard to look at, that you'd have to go trolling the dark web before you'd see anything that would make you feel more uncomfortable. It's bad enough that you type with Tourette's and the content of your writing is just idiotic nonsense--but that crosses a line! Someone can be "lazy fornicating" but they absolutely cannot be "fornicating lazy!" Maybe if you threw a comma in there, you could be "fornicating, lazy" and add a few other things onto the list while you're at it--but verbs are not adjectives.

          Bob, you're not being "cool" or "telling us like it is" and you're definitely not Ted Nugent. Even "The Nuge" isn't as awful as you, because he's at least being creative when he starts making up his own adjectives. You just take words that already exist and use them completely wrong. If it were even possible to count the exact number, I'd be willing to bet that you've forced words into more places that they didn't belong, than Kevin Spacey or Harvey Weinstein ever did with their hands. Obviously, there can be no comparison between the extent of the damage done to the victims in either case, because on one hand, I'm comparing acts of perversion that are so egregious, that only pedophilia ranks worse--and on the other hand, I'm talking about the alleged actions of Kevin Spacey and Harvey Weinstein.

          1. Sir Runcible Spoon Silver badge
            Coat

            @AC

            Quit mumbling. You'll also find that you made your very own grammatical error, nice rant/troll/whatever that was.

            'Until I reading your posts'.....eh?

    2. Anonymous Coward
      Anonymous Coward

      Re: He's right, but no one here will accept it

      And when the Russians, Chinese, Israelis, Saudis, Belgians etc also need access to protect themselves from terrorists - they get the backdoors to all your business and political leaders phones?

      1. Oengus Silver badge

        Re: He's right, but no one here will accept it

        And when the Russians, Chinese, Israelis, Saudis, Belgians etc also need access to protect themselves from terrorists and Americans

        FTFY

        1. Anonymous Coward
          Anonymous Coward

          Re: He's right, but no one here will accept it

          >>And when the Russians, Chinese, Israelis, Saudis, Belgians etc also need access to protect themselves from terrorists and Americans

          >FTFY

          This further fix brought to you by the department for unnecessary redundancies

          1. Anonymous Coward
            Anonymous Coward

            didn't you spot the change in font?

            that's only for protection against Black Americans

          2. CrazyOldCatMan Silver badge

            Re: He's right, but no one here will accept it

            department for unnecessary redundancies

            .. which, with stunning iront, has just been made redundant because the government realised that all the other departments already had plenty of unnecessary redundancy..

            1. Sir Runcible Spoon Silver badge

              Re: He's right, but no one here will accept it

              I've just realised that he is barking up the wrong tree here (well, duh).

              If he truly is talking about SmartPhones, and that he wants manufacturers to make phones that the FBI can get into whenever they want , plus the fact that everyone else on the planet would shun such a device - wouldn't it make more sense just to ban smartphones capable of encryption outright?

              That would actually be more effective, quicker to implement, and doesn't require huge amounts of capital investment/breach of rights etc.

              I wonder why they aren't doing it that way? After all, criminals/terrier-ists will use devices with encryption regardless of what the government says so it will be about as effective in that sense. They can't enforce this shit outside of the US anyway so it's about as effective in that sense as well.

              Perhaps when people are screaming at him that this would mean *anyone* could access their information (if no-one was allowed devices that encrypt) he might start to understand the nature of the problem? I doubt it.

    3. Mark 85 Silver badge

      Re: He's right, but no one here will accept it

      Ok... sounds good except who do you trust? A government agency somewhere would be logical but if you've paid attention, the government's systems are woefully open and unprotected and they have been breached by the "bad guys". I'd suggest that he clean up his own agency (and the other agencies) first before flogging the people.

      So far the government has shown that they shouldn't be entrusted with any data much less the keys to the citizens' data.

    4. Dodgy Geezer Silver badge

      Re: He's right, but no one here will accept it

      ...One solution would be to mandate that copies of all private keys be kept in escrow where only trusted law enforcement could access it. Could we trust LE to not abuse the system? Maybe, maybe not, but to say there is no solution is to be an ostrich....

      Your 'solution', of course, leaves a gaping hole in a central principle of crypto security, which is that you do not let other people control your PRIVATE keys.

      If you think about it (which you have obviously not done), there IS no solution to the problem of keeping your data completely secret while at the same time letting government bodies have access to it.

      Oh, and why do you trust LE when corruption and incompetence is so widespread?

    5. Anonymous Coward
      Anonymous Coward

      Re: He's right, but no one here will accept it

      ok i'll bite

      you miss 3 points

      first - lets set up a key escrow for all these things the 'good guys' need to access. bad guys simply don't upgrade to the new versions. now what?

      second - who picks the good guys to get access to the key escrow? If the Iran govt wants keys do you deny them that? Does Apple say we won't give them access to our phone key escrow service, or does the FBI? What about a Chinese phone manufacturer? I can't see the FBI wanting to go to a Chinese vendor for keys

      third - how do you secure the escrow stores? even if you re-engineer every app/device to have secure key escrow in place, how do you then secure the stores? who's at fault if a store gets hacked? how do you give transparency to the store<>govt interface? The FBI et al partly ended up in this place because they were caught spying on their own citizens, even now they won't fix that. I'd go as far as to say a US company preventing this snooping in general should have defensible grounds in the constitution. but i'm no lawyer, its just how things would appear to me.

      fourth - bonus question - crypto libraries are open source and readily available. How do you prevent 'other company' from 'other country' from just making a non backdoored product and have other people use it?

      I think it's quite obvious that the issues they are having are related to device encryption, at least for the FBI. This could lead US companies to eventually caving to some sort of escrow when enabling device encryption, but what if a Chinese company does that? Keys stored over there? that'd be popular I'm sure. So prevent non US phone sales and destroy all the old phones and you're fine.

      1. Ken 16 Silver badge
        Trollface

        Obviously every country would need a copy of the key store

        But only so they can execute legally issues warrants.

    6. Graybyrd
      Trollface

      Re: He's right, but no one here will accept it

      Actually, the only thing he's "right" about is to continue holding the line on the FBI's (and LE in general) PM* with demands for FM*. To deviate from toeing the hard line, demanding open access, is to forego law enforcement's habitual self-embellishment and righteous posturing.

      Of course, these days, nothing remains beyond the realm of unthinkable stupidity. Our esteemed Congress currently ranks somewhere between pissants and cockroaches in the American public eye.

      *PM: pissing and moaning *FM: effing magic

    7. BebopWeBop Silver badge
      WTF?

      Re: He's right, but no one here will accept it

      All of the comments here will be along the lines of, encryption cannot be broken unless a backdoor is added which would enable bad guys to also use it. This argument is both true and irrelevant.

      If iI posted something like this I would also post anonymously.

    8. Headley_Grange Silver badge

      Re: He's right, but no one here will accept it

      The OP has a good point. I think the the tech community (that's us) needs to get behind the concept of accessibility and start suggesting potential ways to keep both sides as happy as possible instead of saying "never". The feds will win this one way or another and I'd rather have a solution that's got some creative tech input rather than mandatory back doors. I don't know what solutions might look like - but I'm not a data or crypto expert. Like all the commenters here, I like my privacy, I like encryption and I understand the benefits it brings and the systems that couldn't work without it, but if we continue to just shout "NO" we're going to end up with a crap, insecure, risky-as-fuck system designed by a policeman.

      1. Ledswinger Silver badge

        Re: He's right, but no one here will accept it

        The feds will win this one way or another

        Actually, they probably won't. The encryption genie is out of the bottle. The best the MIB can hope for is to persuade big tech to use weaker or flawed encryption on their systems, but that means nothing because the bad guys won't be using these systems. So the peasants will have their security compromised, corporations will have their security compromised but it won't make one iota of difference to tech savvy criminals. Even if you make use of high grade encryption illegal, then that makes no difference to people who are already intending to break the law. There's plenty of tools already in the public domain, and I would guess the dark web already offers a whole range of very secure tools (and even services) for those who want their communications to go unhindered.

        Arguably if the feds do "win" this round, we have to go through the phase of a crap, insecure, risky-as-fuck system designed by the TLAs, watch the massive fail happen, and then gormless politicans may be forced to accept that proper encryption is necessary, and the MIB will be forced back into their hole. Imagine the consequences of the complete breach of corporate IP for a series of major corporations, that's not going to look so good.

        Now, if you want to aid and abet this huge screwup because you've already admitted defeat, feel free. But don't count me as a supporter of such a foolish enterprise.

        1. John Brown (no body) Silver badge

          Re: He's right, but no one here will accept it

          "but that means nothing because the bad guys won't be using these systems."

          This. The big scary terrorist paedophile they claim they are targeting, if caught, will be facing much, much bigger sentences than anything minor like using "illegal" encryption.

      2. Aitor 1 Silver badge

        Re: He's right, but no one here will accept it

        I'm not an expert but..

        No offense, "but" that is the problem. You either have decent (not even good) security or you dont. And if you are going to allow other people to bypass security, it is bad by design.

        If we say "yes" we would have your scenario. If we say "no" we would also probably end up in the same scenario, but at least we tried.

      3. Alister Silver badge

        Re: He's right, but no one here will accept it

        @Headley_Grange.

        What you appear to be missing is that any change to a new improved law enforcement friendly cryptography will just be ignored or bypassed by criminals and terrorists.

        It would be far better to get that message across to law enforcement and governments, than to try and put in place something which won't work.

        1. Yet Another Anonymous coward Silver badge

          Re: He's right, but no one here will accept it

          What you appear to be missing is that any change to a new improved law enforcement friendly cryptography will just be ignored or bypassed by criminals and terrorists.

          That is only a problem if the measures are intended to stop criminials and terrorists.

          If they are only targeted at ordinary people. Get stopped by a traffic cop - he gets to have a quick riffle through your phone for anything interesting, or you complain to the council - they have a quick check through your internet browsing history to see what they can use to discredit you.

          1. Sir Runcible Spoon Silver badge

            Re: He's right, but no one here will accept it

            "or you complain to the council - they have a quick check through your internet browsing history to see what they can use to discredit you."

            They can already do that with your ICR (unless you are using a VPN)

        2. Headley_Grange Silver badge

          Re: He's right, but no one here will accept it

          Alister - I'm not missing it. I know that crims are likely to keep using encryption and innocents will suffer. The cops don't care - they just want a law to make their life easier.

          I've got a drawer full of small penknives which stay in the house because the cops will treat me just the same as the teenage drug dealer with a zombie killer if they stop and search me. Knife law is a shit law, but the cops love it because they can nick more people and pretend that they are saving lives.

          https://www.telegraph.co.uk/news/uknews/crime/7593039/Disabled-caravanner-given-criminal-record-for-penknife-in-car.html

          Encryption law will be just the same - as someone above says, they'll pull you over for speeding and nick you for stuff on your phone, while ignoring the ransom notes you're getting from the crims who're threatening to send your porn viewing history to your wife and boss. It'll be shit, but the cops will be able to present better arrest figures and continue to exclude cyber crime from their stats. I'm not missing any of this - I expect it to happen.

          I just hope that when we're living in this world of crap that no one looks back and says we could have done it a better way that would have retained some protection and given the cops most of what they want - if only we'd tried to talk sensibly about it instead of shouting everyone down with a religious fervour that would not have made the final cut of "The Life of Brian".

      4. Doctor Syntax Silver badge

        Re: He's right, but no one here will accept it

        "The OP has a good point. I think the the tech community (that's us) needs to get behind the concept of accessibility and start suggesting potential ways to keep both sides as happy as possible"

        Fine. Here's my suggestion.

        He puts out a tender for contract to build this supposed wonderful tech. He makes himself happy because he's Doing Something (politician's syllogism at work here). The winner of the contract is happy. The rest of us are happy because we know that (a) nothing will be delivered because it's not real and (b) it'll be one of the usual suspects who gets the contract so it will look like business as usual when nothing gets delivers.

      5. Jack of Shadows Silver badge
        Thumb Down

        Re: He's right, but no one here will accept it

        I do understand the math and have had my hands inside more than a few encryption systems including NSA gear when they couldn't fix it themselves. Also, due to my nuclear security clearance, that I've held since the tender age of 17, I was "that one guy" who could work on and around any system on a ship or facility. On a personal note, I've been using encryption on my personal systems since 1987. Lastly, I've kept abreast of every facet of information security, also since 1987.

        What that all means is that while I ain't Bruce Schneier, I can come close. Real close as I have been hanging out on his 'blog, and that community, since forever. I know the issues on the software and hardware end. It wouldn't be hard to code up my own. There are more than a few libraries used in crypto, just in case I don't want to roll my own. Since I'm a private citizen, so the business choke hold won't work, I can create an app and give it away. Now, what do the security apparatuses gonna do?

        Hell, creating a key exchange hosted, in several places of course, that don't even respect what the US or other countries/alliances want. There are plenty of places around that are like that. Once set up, properly secure, what the fuck are gonna do? My whole point here is that while you can do something to a company or other organization, getting a handle on a private individual is awfully hard once the systems are in place. I need only point at torrent sites and LEO's whack-a-mole tactic failures as proof of my argument.

      6. DuncanLarge Bronze badge

        Re: He's right, but no one here will accept it

        @Headley_Grange

        Look. Nobody is behaving childish and simply saying "NO". All the clever tech heads are being realistic and telling non tech heads that their FANTASY is IMPOSSIBLE to engineer and no GENIUS exists who can think up such a system.

        They are trying to politley say "No sorry, tech and maths dont work like that so you will just have to accept it". I mean it is just like asking the air industry to design a system that puts parachutes onto all passengers of a plane as it crashes to the earth without any human intervention (as they may be unconcious). Or even more like asking the Physics professors to find a way to avoid gravity being an issue for the crashing plane (only the crashing plane) in the first place. When the professors claim that the universe does not offer a solution, saying its impossible by the maths done on the blackboard, all you guys will not get the message and complain that the scientists are being childish about anti-gravity and are basically guilty of murdering children in crashing planes.

        Stop it. Stop it now please.

    9. chivo243 Silver badge
      Meh

      Re: He's right, but no one here will accept it

      @ Wonder AC

      where only trusted law enforcement could access it!

      When I can trust all law enforcement officials and officers, I might consider this. MIGHT I said...

      I salute your views about "baddies" on the net, but I'm not sure this is the way to address the issue. Paedos and Terrorists have been around since before the web... They would still be around if we had no WWW...

    10. CAPS LOCK Silver badge

      Re: He's right, but no one here will accept it

      I see what you did thar buddah, neatly conflating "takin' down pedos"' with key escrow and whatnot. Lessons from the recent past indicate that's, mostly, not what the access will be used for. In fact one of the uses WILL BE your next door neighbour, who works for The Poh-Lice or tha' Eff Bee Eye and who has taken a dislike to you, because your dog barked at him or your son did sexeh to his teenage daughter, will use access, justified by a tip-off from an anonymous informant, to root though your data, looking for evidence of thought crime. Don't worry though, if you've got nothing to hide you've got nothing to fear...

      1. Sir Runcible Spoon Silver badge
        Flame

        Re: He's right, but no one here will accept it

        Ok, everyone has been far too reasonable to this numpty.

        The reason no one here will accept it is because he *isn't* right, anyone not listening to people who know what they are talking about is arrogant, stupid or malicious or combinations thereof.

        Let me make this quite simple: If someone else has *your* private key, they can make it look like you *did something* you didn't. Who would you trust with that kind of power?

        The only person in the world I'd trust with that power (over me) would be my wife, but I wouldn't trust her not to fuck it up and I certainly wouldn't trust her with that power over everyone else.

        So, Mr Numpty-Trollboy what's it to be: Who do you trust?

    11. Doctor Syntax Silver badge

      Re: He's right, but no one here will accept it

      "One solution would be to mandate that copies of all private keys be kept in escrow where only trusted law enforcement could access it."

      You are, of course right. But you just move the problem to ensuring that only trusted law enforcement could access it and only in appropriate circumstances*. And a few others such as if the product is sold outside the US's jurisdiction how do you ensure that the private keys for those customers don't also go into escrow.

      That, of course, applies to US products. It doesn't do anything about software produced overseas or open sourced; you know, the software that anyone wanting to do anything remotely dodgy would then turn to. That software would be made illegal? Let me repeat what I've said before. You do not inhibit someone intending to break laws by providing them with more laws to break.

      * For avoidance of doubt appropriate circumstances don't include checking up on the neighbours and going on fishing trips. They do, however not just include but require due process of law to obtain a warrant.

    12. JimboSmith Silver badge

      Re: He's right, but no one here will accept it

      The problem is that you can't put the genie back in the bottle once it's out. We're not back in the eighties where if the government/security services can make such demands with ease. When BSB was developing their set top box they had a visit from GCHQ. The spooks were interested in the message functionality of the system where subscribers could be wished Happy Birthday. Originally the system was extremely secure and GCHQ were concerned that they would be unable to read the messages. It could be used for passing information to terrorists. Back then the main users of encryption were governments and most people didn't use it on a daily basis. Then you look at the furore when PGP was leaked on to the net. They targeted the developer for violating the Arms Control Act despite the fact he (always claimed he) didn't put it on the net. Contrast that with today where for modern life we rely on encryption for a vast array of things. We also have open source software and all it takes is for someone to write a program or app that uses unbreakable encryption and you're back to square one.

      Then we come to the issue of building something to defeat the encryption. Now even if that's possible it's got some serious risks attached. So assuming this "thing" is built if the plans or the code leaks then that's a threat to everyone using encryption. Things leak either through deliberate actions or stupidity and once this gets out everything needs to be updated. We use encryption for everything from electronic payments to securing personal data. Data protection laws are being beefed up all the time and I hope that all my data is being kept safe by the companies I have entrusted it to. I will be less likely to believe that if there's anything that can break strong encryption.

      As to it being used sensibly you only have to look at the Regulation of Investigatory Powers Act 2000 and how that's been abused.

    13. Anonymous Coward
      Anonymous Coward

      Re: He's right, but no one here will accept it

      That sounds reasonable, IF any government could be trusted to safeguard PII from unauthorized access. But that simply isn't the case. Even the OPM was hacked, exposing the personal details of millions of Americans holding security clearances. I was one of them. If you've never gone through the process of applying for a security clearance, let me just say it's unbelievably comprehensive and deeply personal in nature.

      There is absolutely no reason to trust the US (or any) government to preserve crypto keys securely if they can't protect the personnel entrusted with its own secrets.

      Anon for obvious reasons.

      1. Jack of Shadows Silver badge

        Re: He's right, but no one here will accept it

        #metoo

        Deeply personal as they went back to which nursery I was kept in at Balboa Naval Hospital. My Mom, also with a security clearance*, had that information. I think the reason for wanting that sort of information is to make sure I wasn't swapped at birth. You can't make this shit up.

        * Everyone in my family, including my brother-in-law, has secret to TS/SAP/SAR security clearances. We can't discuss anything about our work currently, or in the past, with each other. We tell a lot of funny stories but nothing beyond that.

    14. Eddy Ito Silver badge

      Re: He's right, but no one here will accept it

      Could we trust LE to not abuse the system?

      No. Even if you have some contrived access that requires multiple people to get in, it will be abused. This isn't something like launching missiles where consequences are extreme and nearly universal it's more a matter of "come on, Jenny, I just want to see what my ex said about me and hey, you can check on your kids to make sure they aren't hanging with the wrong crowd online. It's a win-win and nobody else needs to know."

      Do I need to add that multiple incidents of LE abusing the existing systems for either personal gain or retribution happens all the time. Then there's things like civil asset forfeiture where they're just going to drain your accounts. There's also COINTELPRO, LOVEINT, & SEXINT. Even if it's only one incident per year at every agency it's a lot then add in all the subterfuge we can expect the CIA and their likes to perform adding the evidence they need to blackmail their mark into doing who knows what.

      So, no, LE can absolutely not be trusted because in the end LEOs are just people who are no different from anyone else and have all the same weaknesses as you & I. The ostrich is the one who thinks that any such system can work because they are ignoring their own human failings and everyone else's.

    15. DuncanLarge Bronze badge

      Re: He's right, but no one here will accept it

      Are you THAT guy who only uses a single "a" for his password?

      I mean if we have nothing to hide why dont we all just agree use the letter "a". It solves the problem because only the law abiding law enforcers will gain access. A warrant grants them to use the standard password of "a" to access any device.

      Criminals will be easily detected as they wont use the letter "a". Oh god, they might use "b"!

      Password resets will be a thing of the past.

      Law abiding citizens would never access any other device or account even though their possibly cheating spouse or homosexually curious child in a homophobic family uses the same password. No sir, that isnt cricket.

      In this future where we all use highly secure encryption, but all using the same password to prevent law abiding people from accessing the contents (as they have to wrestle with their conscience when they enter the standard global password "SGP" (TM)) we will have these same FBI bods demanding that the tech industry create a way to prevent unauthorised persons a.k.a the non-law abiding people (homphobic parents perhaps) from accessing devices or acounts that are not theirs.

      The tech industry will claim "it be impossible as to create such a system will involve everyone using different passwords!". The FBI etc will scoff at the tech industry saying they dont know their shit and are not having a "grown up" discussion about the fantasy that the FBI director dreampt up in the shower after viewing a high level visio diagram of how password validation works.

      The tech industry will claim that to keep using the SGP new tech needs to be developed to read the mind of the person accessing the account to detect if they are a bad actor or not, but such tech is nigh on impossible. The FBI will again say the tech industry is acting in a childish manner, because the FBI director saw mind reading on a TV show called Medium so it has to be possible.

      Reminds me of Demolition Man where the law enforcers, well society in general, were so out of touch with humanity that the mere idea of someone actually commitiing a crime, like a Murder-death-kill was impossible to imagine.

      Fancy changing your password?

  3. Anonymous Coward
    Anonymous Coward

    "...law enforcement’s own lawful need to access data be taken just as seriously.”

    Option 1: No. Maintain the impossibility. Print boilerplate "Sorry" memos to respond to warrants. Go for lunch.

    Option 2: Invent new magic that answers all needs. Spend the rest of your life responding to warrants, copying out endless files, drafting legal letters, following orders, paying lawyers. And missing lunch after lunch.

    Solution: FBI needs to bring money to the table. Warrants should be generous Purchase Orders. Maybe they'll be taken as an opportunity instead of an expensive distraction. No wonder they've been engineered out.

    1. Anonymous Coward
      Anonymous Coward

      Re: "...law enforcement’s own lawful need to access data be taken just as seriously.”

      Serious question but do you understand why we have warrants in the first place?

      Imagine a world without warrants, any member of law enforcement who you may have annoyed or they just don't like the look of you could go on a fishing trip to see if they can find anything to pin on you just for fun. A government could go looking for people that don't agree with their view. They can't do that now because there is a legal process of getting a judge to agree that there is suspicion a crime has been committed and you need to perform a search to gather evidence and confirm this.

      These checks and balances are there for a reason, a world without checks and balances will become a totalitarian state, don't agree with the government, there's a re-education centre for that.

      They may clog up the system and take time with lots of paperwork but that's the price you pay for living in an almost "free" world.

      1. Anonymous Coward
        Anonymous Coward

        Re: "...law enforcement’s own lawful need to access data be taken just as seriously.”

        "They can't do that now because there is a legal process of getting a judge to agree that there is suspicion a crime has been committed and you need to perform a search to gather evidence and confirm this."

        They can do that now - and have been doing that for some time. Some judges appear to rubber-stamp such applications. Other judges are more considered - but are given misleading "evidence" to sway them to issue the warrant. No one seems to go to jail for having done that.

        Checks and balances depend on people in the system upholding both the letter and principle of the law. When a government starts to denigrate and replace members of the judicial processes because they won't allow political interference - then the slippery slope is already present.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019