back to article Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be …

Bronze badge
Go

Re: What's an encryption product (in this context)?

The problem there is that you are working on community software and the community will review it, question your "weird code" then dismiss you from the project. You are coming from the angle that a "secret CIA/FBI coding operative" is going to be more clever than any single person already well versed in their own codebase. It most likely will not happen at that level, much easier at the hosting side, but then the community will notice your "additives" and kick you down the road. You could hijack the downloads with your "special package" for a time, I suspect. but not long.

To expand to the comments in general; WHY ARE YOU WAITING SO LONG?! People, people, people! Ed Snowden gave up the info several years ago; the NSA/CIA/FBI spies on ALL data routed through the US and world. Every single entity that gives more than two shits about real, honest, Internet, and general computing, security should have been working 24/7 to get out this trap laid down by those above mentioned Acronyms. It's been three whole years and you're still taking about "if" and "someday" "we'll get a fucking clue and divorce any products hosted in a known spy zone"; the USA and all connected networks therein. There should have been a Euro-version of every major web site online by now, so that I, and a US Citizen, can get out of the fucking trap too! God fucking dammit, get your shit together and get this working already!!1! Your personal data in a US cloud, or routed through a US access/peering point, or on a major US crap site (twitter, farcebook, Goopal, etc) is not personal anymore. There are plenty of good projects not hosted here that can be leveraged to make a stand and build a nice Internet zone that will not allow snooping or other decryptions. Come ON!

Three years...

4
0
Silver badge
Meh

Really?

"they'll be out of luck because non-American solutions are simply "theoretical.""

As many have said about open source stuff above +

Email

Protonmail

Phones

Most Chinese and South Korean manufacturers

Networking Kit

Huawei

Intel Chipery

ARM

5
0

Re: Really?

OX App Suite is another option, it's available for free and can be hosted on any Linux box, provides the same kind of functionality as Microsoft Exchange and their HQ is in Germany

2
1
Anonymous Coward

Re: Really?

Protonmail

AFAIK, Protonmail has US involvement.

0
2
Anonymous Coward

Re: Really?

"AFAIK, Protonmail has US involvement"

Is that because of the MIT collaboration, or the fact that Andy Yen, Proton Tech's registered CEO, is a US passport holder? Why would that be a problem?

1
0
Anonymous Coward

Re: Really?

Is that because of the MIT collaboration, or the fact that Andy Yen, Proton Tech's registered CEO, is a US passport holder?

Both, actually.

Why would that be a problem?

It's called leverage. Especially post Snowden we received reports of quite a number of reports of US sysops of multinationals being asked to "have a chat" when they were about to enter data centres abroad. On examination, ProtonMail is further exposed to that by having a branch office in the US.

There are various ways in which "collaboration" can be organised, the simplest one being the assistance with anti-terrorism - let's not forget that there are bad people out there.

The good news (and just about the best move they could have made in this context) is that their code is open source. There's still a gap there but it lessens the exposure to subversion as it becomes too easily visible that something isn't right. So, from a security perspective it's done well.

0
1
Anonymous Coward

*** The word he missed is "now." ***

Exactly. Since US relaxed encryption export rules, nobody really cared about not using US made encryption product - but the same product often used algorithms developed *outside* the US. AES was developed by two Belgians.

And back then, the situation was quite different, and there was no Snowden. Then US were able to upset even long-time allies, because of their bulimic STASI-like information gathering handled by greedy gnomes.

So what will happen?

1) US will have to develop their own backdoored cryptography. Bright minds abroad, instead of helping, will look at how to exploit that backdoors, while still developing useful cryptography.

2) Company outside the US will switch to cryptography without US backdoors

3) US-based companies will have legal/commercial issues outside US. "Privacy shield"? Good luck with that.

4) A new commercial market for non US companies opens.

5) Brennan will become the next Trump, blaming those "evil foreigners" for US economy issues.

14
0
Anonymous Coward

You know that canard about history ...

Suggest this guy googles "Enigma" and "German belief it could not be broken".

Actually, IIRC even the Nazis weren't so far up their own arses they believed their encryption was unbreakable. They assumed it was, and their compensating control was daily key changes.

5
0
Anonymous Coward

Does this guy...

Does this guy think terrorists go out and buy Cisco or Fortinet VPN gear for their corporate interconnectivity needs?

11
0
Anonymous Coward

Re: Does this guy...

I wouldn't be surprised to learn that terrorist networks are better configured than most corporate networks. Terrorists tend to give a shit about their cause and however misguided, seem to put their hearts and minds into it. Corporate IT types on the other hand, at least where I work, do as little as possible and give few shits about the company they work for.

0
0
Anonymous Coward

Even if you trusted the US Intelligence agencies, you'd need to trust all the agencies they trust, plus the inevitable fact that it would be broken into by less desirable governments within months and criminals soon after. Not to mention competitors.

3
0
Silver badge
Boffin

Has anyone told Ross Anderson?

I'm sure he'd be very interested to know that there are no encryption experts outside the USA.

When they issue those backdoored encryption products he'll probably set breaking them as an exercise for his students. It might take them perhaps a couple of weeks?

6
0

Hardware

Brennan is not completely wrong.

It's all very well having the option of using different software vendors, but whose processor and associated chipset will you run the software on? Both Intel and AMD current x86 chipsets are backdoored, and the embedded ARM processors in peripheral devices such as network cards, cellphone modems, and disk drives, if not already doing so, can also be running subverted code.

Open hardware projects, where you can demonstrate no real-estate on the chip is dedicated to back-dooring, and you can show you are running non-backdoored code, have almost no backing. Very few people take the requirement seriously. If you want to be paranoid, you can also posit there are vested interests in making sure such projects fail.

Lets say you run some non-USA originated encryption code on your PC. The key is in memory. But the network interface has a processor that has full DMA, and can quite happily run an instance of another O/S while pushing packets merrily on their way. You can see where this is going. And this is NOT theoretical. Compromised hard disk firmware is also out there in the wild. SSDs have pretty powerful processors in place to do wear levelling etc. They too are compromised.

For the most part, the security and intelligence agencies don't care that you can run OpenBSD and PGP and whatever independent software you like: they already have full access to the compromised hardware you have to run it on, because you cannot now buy non-compromised general purpose PC hardware. Separate encryption devices, usually used for encrypting point-to-point communications are different.

8
2
Anonymous Coward

Re: Hardware

Then Brennan should be more worried about how much of that hardware is manufactured in China...

BTW: adding hardware-based full snooping capabilities has a cost. While it can be done for "valuable targets", I can't see US companies doing it full scale in their products and pay the costs just because CIA likes it.

3
0
Gold badge

Re: Hardware

"Both Intel and AMD current x86 chipsets are backdoored"

Let's assume that is true. Does it matter? If the chips continue to give the right answers to numerical problems, they can still be used to break your encryption, and they can still be used offline to encrypt stuff without you ever knowing. (Yes, you don't *have* to be connected to the internet to perform arithmetic.) IOW, that back-door opens out onto a brick wall built by your enemy.

Back-dooring a chip to the extent that it gives all the right answers *except* when fed problems that you don't want your enemies solving sounds like it will take more transistors than Intel have ever manufactured -- and I don't mean on a single die.

2
2

Re: Hardware - cost

I agree it has a cost. But it has been done.

Read this (very) recent BoingBoing article:

https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html

The point being that the Intel Management Engine and the AMD equivalent have legitimate commercial uses in remote management of servers and desktops. It is convenient to be able to send a Wake-on-LAN packet to wake up a desktop at night, apply patches, do a hardware inventory etc. But the very same system can be used to subvert the PC. As has been pointed out, Intel are very cagey about the Management Engine, firmware is cryptographically signed, and the processor it runs on is (a) separate to the x86 CPU, but on the same chip and (b) has full memory access without the x86 chip knowing about it.

So it is not as if there is an extra development cost for the hardware now. It has been done. 'All' that is needed is the modified firmware that does what the intelligence community wants.

I do not think for one minute that the NSA is bugging every modern PC on the planet. I'm not that stupid. But with this, they have the capability to choose to exfiltrate information from any one of pretty much all modern PCs that get connected to the Internet. Yours probably has not been targeted. Mine probably hasn't. But key PCs of interest almost certainly have.

Feel free to dismiss me as a wild-eyed loon. But please do read the articles I link to, and have a think about the technical issues around this. Ask, "Is it possible?". And ask "If it is possible, would the NSA do this?". The intelligence budget the USA have is not small.

The technology of hardware backdoors is fascinating. How about dopant level backdoors:

http://www.extremetech.com/extreme/166580-researchers-find-new-ultra-low-level-method-of-hacking-cpus-and-theres-no-way-to-detect-it

http://thehackernews.com/2013/09/Undetectable-hardware-Trojans.html

"Despite these changes, the modified Trojan RNG passes not only the Built-In-Self-Test (BIST) but also generates random numbers that pass the NIST test suite for random numbers.”

The US military and intelligence community do worry about this sort of thing, which is why they have 'Trusted Foundries'

https://www.nsa.gov/business/programs/tapo.shtml

The list of trusted suppliers is publicly available if you follow a couple of links from the above.

"A key part of the DoD Trusted Foundry program is that it uniquely provides the US Government with guaranteed access to leading edge trusted microelectronics services for the typically low volume needs of the US Government. DMEA and NSA co-fund the Trusted Foundry program to facilitate this. The Trusted Access Program Office (TAPO) facilitates and administers the contracts and agreements with industry to provide US Government users with:

Leading edge foundry services including multi-project wafer runs, dedicated prototypes, and production in both high- and low-volume models"

A library of standard IP blocks

Limited packaging and test services"

4
1
Bronze badge

Can anyone help jog my memory?

I seem to remember that a rather popular encryption tool from the 90's being developed by a US company/person/team but the algorithms for the encryption itself being written in Finland or Sweden or somewhere, specifically to get around needing a license to export a US product containing "strong encryption" by making sure it wasn't a "US product". There was some media hysteria about this, and the CIA were particularly annoyed.

If I'm right remembering this, it kinda blows this chap's rather weak argument out of its already quite shallow water.

Can anyone remember the specifics of what I'm blathering about? :-)

2
0
Anonymous Coward

Re: Can anyone help jog my memory?

There were US-origin products that included stubs for RSA/DES. Non-US customers were supposed to link in rsalib, then hosted on a Finnish server. Sorry, but the names are lost to me.

There are a lot of non-US companies that sell cryptio chips and boxes (Infineon, for example). The sticky point is whether they have a US presence that can be held hostage.

3
0
Bronze badge

Re: Can anyone help jog my memory?

Aha, thanks Anon :-)

Yes, that sounds about right.

I find it hard to understand how that was >20 years ago, yet we're still having this global debate about encryption.

4
0
Bronze badge
Holmes

Re: Can anyone help jog my memory?

Quite fresh commentary around here. Not pondered -and should- is that of resistance to change.

First, a huge cultural 'building' trying to keep things being done according to 'cold war' customs. Any change at this area having tremendous adaptive costs.

Second, bringing those mechanisms to a more civilian ground -from mil|intel to civilian- will represent opening to competence, even in price.

The mistake here is that INTERNET Technology [and encryption tech] is no more Strategic or Complex, in any way, and creating artificial scarcity will end by-siding the same Industry [that is whining].

1
0
Silver badge

Re: Can anyone help jog my memory?... @ Olius

I find it hard to understand how that was >20 years ago, yet we're still having this global debate about encryption. ... Olius

That's because it's politically charged, Olius, and all about mass remote power and virtualised control of natives Earth species, which is defaulted in the crashing flash supply and spending of fiat paper/currency. Knowing what's being planned for the future allows one to prepare attacks/defences against it, but that does involve one in talking around hot subjects rather than answering clearly and truthfully questions posed to one about one's efforts in it. Slippery tongued politicians thinking their replies are super clever whenever nothing is answered and all is deflected tell you everything you need to know about anything you ask them?

All secrets surely hide thought advantageous unpleasantnesses which tell a real different tale of existence from the stories spun for realities fed to the masses. And such surely indicates and proves that life on Earth is a virtual reality which is presently being extremely badly programmed to server corrupted drivers.

Time for a change, methinks. What think ye? Or do you doubt and believe things are not so simple and therefore will be just as a paying spectator to Greater IntelAIgent Games Play with no input provided for future consideration and inclusion? That is your fate in such a scenario/virtual reality/future existence.

2
1
Bronze badge

Re: Can anyone help jog my memory?... @ Olius

Indeed it is all of that.

"Time for a change, methinks. What think ye? Or do you doubt and believe things are not so simple ..."

I'm a techie - so I believe anything is straightfoward, and it takes great effort on top of a good dose of politics and paranoia to make the world appear to be so complex :-)

2
0
Silver badge

Re: Can anyone help jog my memory?... @ Olius

:-) And then there were at least two, and their powers were squared. Keep watching these Registering spaces, Olius ...... Things aint what they used to be, for future builders are transparently internetworking secrets and solutions over invisible, intangible webs of intriguing innovation and invasive invention/immaculate conception with perfect formations.

In some sad and bad and rad and mad intellectually challenged minds and corrupt perverse systems will that equate and be treated as Cyber Terrorism and Virtual Warmongering ....... and such rantings will identify the lead fool which be a blunt tool.

1
0
Silver badge

What is he actually saying

We need to look at what he is actually saying before we get all excited. Consider the following.

The US spying agencies, including the internal ones, want to be able to have backdoors in anything that they look at.

The US political establishment likes that idea.

The US tech industry says that idea is a no no.

The US tech industry actively sticks it to the man.

Now we have a guy the really really wants to be able to look at everyone's communication so he comes up with an idea.

If no one else can do the encryption as well as the US then the US tech industry does not have to worry about losing sales if the put in the required backdoors because no one else can do encryption like they can.

What he is saying is what he hopes the tech industry and people will believe and thus approve the introduction of backdoors or watered down encryption.

3
0
Anonymous Coward

Re: What is he actually saying

It's all very nice but the maths still don't add up. Anyone who deliberately weakens encryption will negate their encryption, if not immediately, then sometime soon.

To me this sounds more like an elaborate re-hash of the "there must be some way to do it" school of thought. Now it is being trotted out by a guy whose business is to keep secrets. I suspect he is trying to keep the more rabid Alzheimer sufferers in Congress happy (a certain California senator comes to mind) until either he or they can retire on their government pensions.

So sad that the informed reasoning of the few can be so easily sidetracked by the uninformed reasoning of the many.

If American companies do attempt to impose global (HW or SW) back doors on the world, then the stampede to produce alternatives to American products will be deafening. This is precisely why it won't happen, grand-standing politicians aside. Brennan clearly knows this but can't say so. His is a smoke blowing exercise because economic suicide is not the answer.

5
0

Re: What is he actually saying

"If American companies do attempt to impose global (HW or SW) back doors on the world, then the stampede to produce alternatives to American products will be deafening. "

It has already been done, and there is no stampede. Yet.

Look up Joanna Rutkowska and her publicly available talks.

http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

AMD have an equivalent technology (PSP) to Intel's IME.

Compromised hard-drive firmware: http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/

and

https://www.wired.com/2015/02/nsa-firmware-hacking/

Compromised network interface firmware: http://www.theregister.co.uk/2010/11/23/network_card_rootkit/

Compromised USB firmware: https://www.engadget.com/2014/10/02/badusb-released-github/

Compromised SD cards: http://www.bunniestudios.com/blog/?p=3554

Compromised SSD firmware: https://downloadcenter.intel.com/download/18363

If Intel can offer firmware upgrades, then you can treat SSDs just like hard disk, above.

I can't be bothered to find the link, but Graphics cards also run firmware that can be reconfigured to surveil the main computer.

Firewire interfaces are great - older versions allow unrestricted remote DMA to the main processor

http://security.stackexchange.com/questions/49097/protecting-against-firewire-dma-vulnerabilities-in-linuxmemory.

https://www.jwz.org/blog/2013/01/bypass-full-disk-encryption-and-passwords-on-any-powered-on-computer-via-firewire/

More general information on hardware backdoors:

http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/

Fun, isn't it?

0
2
Bronze badge
Headmaster

Re: What is he actually saying

Not to forget that in ancient times NetCards used to generate 'additional' traffic...

0
0
Anonymous Coward

Does everyone here have bad memories.

Or are they too young to remember Al Gores Clipper Chip?

http://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-chip.html

Way back in 1994

4
0
Anonymous Coward

Re: Does everyone here have bad memories.

Not sure if he wants key-escrow or something easier.

2
0

Counter Intel Agency

Him and hilldog are sucking each others dicks.

2
0
Anonymous Coward

Their Own President Doesn't Use US Encryption!

He uses Canadian made.... and we're very proud of that!

3
0
Silver badge

Re: Their Own President Doesn't Use US Encryption!

Sadly if seems he's now on a Samsung...

2
0
Anonymous Coward

To my knowledge, all of this spying on the American public has stopped maybe one terrorist incident. The real purpose of all of this spying on the people is to locate dissidents and those who oppose the government's stand on issues

5
1
Silver badge
Facepalm

Is this man a cretin?

I'm an American, but I can't even begin to imagine this guy's attitude. Is he a total cretin? Does he really think the rest of the world are cretins?

If this guy is in charge of our SECURITY, and he thinks the rest of the world can't even cobble together working encryption, I'm really afraid for the US. This reminds me of some of the bollocks spouted by the worst of the pukka-sahib types at the beginning of WW II who couldn't even imagine the Japanese posing any actual threat. They didn't do too well, either, as I recall. With guys like this in charge of our security, the U.S. will likely be conquered any day now.

6
0
Bronze badge

The CIA has changed (will change)?

When I read that I recalled Tom Lehrer's "MLF Song". Specifically:

"We taught them a lesson in 1918, and they've hardly bothered us since then"

I won't say "Once a thief, always a thief", but when hiring an armored car driver, or even a valet-parking attendant, the applicant with a long record of thievery is probably not the best choice.

4
0
Silver badge
Windows

Re: The CIA has changed (will change)?

Upvote for the reference to TL.

Personally think that we need to force Weird Al to redo all his stuff. Its almost all still relevant. And that fits with Hollywood's current mandate.

0
0
Bronze badge

What it means to me is that whether foreigners have high-grade encryption or not is uninteresting to them. It's a "theoretical" capability that may be true; it may not be true; it doesn't really matter.

It's their own citizens they want to listen in on. It's their own citizens they're trying to exert control over.

4
0
Bronze badge
Windows

"they'll be out of luck because non-American solutions are simply "theoretical.""

With all due respect, It ¡s PR spin. US Senate has educated men & women. Surely they would prefer an honest assessment. [Maybe that They're looking at the wrong side?].

Director John Brennan doesn't have a problem. [He is at another frame]. Maybe that's the reason of so short answer.

Software Industry could consider -among many other- applying strong 2-pass encryption & get hold of anything required by law to get hold of, even if up to now locally stored.

Hardware Industry has to get rid of [actual] dangerous back-doors, diligently walking toward a safer, stronger Global Village. [And to prevent Western Technology to be slowly and progressively by-sided. Which plausibly is the reason of the hearing].

1
0
Bronze badge
Childcatcher

Last but not least...

Strong One Pass Encryption, if well technologically not a feat, shouldn't be worth the consideration of Civilian Law Frames. Leave it to the Pros.

0
0

encryption technologies now moreinternally developed

There are many aspects of John Brennan's testimony, and the technical background to encryption that need to clarified in more detail to know the veracity of his claims, since I am aware of world class encryption technology not developed in USA or owned/controlled by US entity, and there are dominant Operating Systems (OS) and Networking software - not from Microsoft or US companies that included capability for extremely strong encryption for data transmission and storage.

Unfortunately in 2016, the technology environment for security, especially regarding encryption has substantially more internationally development and innovation base, so there very little "fact" than can be attributed to Mr. Brennan's wishful thinking.

1
0
x 7
Silver badge

stupid argument

we all know all American kit is designed and built in China nowadays, or made using Chinese parts......

0
0
Silver badge
Angel

Amen, Brother!

"Requiring companies to build backdoors in their products to weaken strong encryption will put the personal safety of Americans at risk at a dangerous time and – I want to make this clear – I will fight such a policy with everything I have."

Although that was said by Senator Wyden, I'll sign on to that, too.

1
0
Silver badge

The CIA's Budget

...may be in line for a big increase. After all, if nobody outside the U.S. knows how to encrypt anything, obviously they can shut down the NSA, and give the money they're wasting on it to the CIA.

0
0
Facepalm

So much for the CIA's tech savvy

I have a hashmark I've been posting for a couple years now. Every year it becomes more factual and urgent: #MyStupidGovernment

Here we have more of the same.

I use encryption NOT controlled by the US government or any company. I use it every day. Big surprise. Sheesh. ;-P

2
0
Bronze badge

Bring back the sealed envelope.

I have a copy of The Codebreakers by David Kahn, and. partly though the timing of original publication, it sets up the myth of super-competent US cryptography. They had talked about breaking the Japanese codes and ciphers. The Ultra secret had not yet been revealed. But it mostly deals with earlier generations of cryptography, stopping with the development of teleprinter-based systems that read a key from a punch-tape.

One thing is apparent. If the skilled hands could be applied (and paid for), by the 18th Century anything in the mail could be tracelessly read. But the process was so expensive that for most people a sealed envelope was all the security they needed.

And then the telegraph came along, and just ordinary commercial communications started using codes. The codes deterred casual reading by a telegrapher but also replaced long words and phrases by fairly short code groups. And they reduced language problems: London or Londres, it was the same code group.

Everything has changed in the last twenty or so years. The internet has destroyed the economic protection of the sealed envelope. As Edward Snowden has revealed, the intelligence agencies are indiscriminately reading everything, because they can, and smothering themselves with irrelevant data.

For most of us, good encryption is a tool: what we're really looking for is the security of the sealed envelope, something that costs enough to bypass that the intelligence agencies have to think about just what their targets might be.

It's very apparent that thinking is optional in the modern CIA.

1
0

So let them have their cake

Their arses will be soon after handed to them on a plate, no?

No better lesson than life.

0
0

What a fucking retarded moron of epic fuckwittery he is indeed a cockwomble. I am truly amazed how someone could reach his position and have such insane thoughts.

0
0
Silver badge

Thales

Brennan seems to have missed them. Because they aren't based in the US and are definitely not theoretical.

0
0

Remember when the US tried this before?

'Merica band the export of anything above 48bit encryption back in the 90s.

Which was odd because 128bit encryption was already from Europe :/

0
0
Bronze badge

Well, with a misinformed CIA leader like that, as a non-USA citizen, I can sleep much better at night.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017