back to article Why does the NSA's boss care so much about backdoors when he can just steal all our encryption keys?

NSA director Admiral Mike Rogers has said it is vital Uncle Sam's crimefighters snoop on people – and that this should be possible even if citizens use strong encryption. The spymaster reckons Americans should secure their communications against all eavesdroppers – except, of course, those working for the police, FBI and the …

  1. John Smith 19 Gold badge
    Unhappy

    "sounds kind of shady"

    Because it is.

    1. Anonymous Coward
      Anonymous Coward

      Re: "sounds kind of shady"

      wot, me shady?

    2. Anonymous Coward
      Anonymous Coward

      Re: "sounds kind of shady"

      Indeed it is. The more recent revelations of "classic" spy successes of the NSA, etc to steal keys and compromise crypto are resulting in people's memory starting to fade.

      Snowden original revelations were the use of BIG DATA analysis on METADATA by the three letters. People keep forgetting about that one. When you can figure out what going just by analysing the social graph and who talks to whom your need to break crypto is quite low. So as long as the No Such Agency (and its bretheren worldwide) are collecting metadata (as they are) and running it through a big data cruncher they do not need a wholesale encryption backdoor.

  2. Marketing Hack Silver badge
    Thumb Down

    Why is this guy allowed into a cyberSECURITY conference at all??

    While we're letting the NSA to give us their opinions on IT security, why not allow someone from Anonymous, or Lulzsec, or that Shanghai-based PLA operation chat as well?

    If we want to talk about SECURITY, then bring in the people who are actually working to improve cybersecurity and protect systems and data. If we want to talk about hacking or compromising security standards, THEN I would bring in the NSA to give us their point of view.

    Its like inviting a fox to the poultry-judging contest!!

    1. PleebSmash
      Trollface

      Re: Why is this guy allowed into a cyberSECURITY conference at all??

      Its like inviting a fox to the poultry-judging contest!!

      You have to admit they have good taste.

      1. Mark 85 Silver badge
        Trollface

        Re: Why is this guy allowed into a cyberSECURITY conference at all??

        Only because the poultry tastes good.

    2. Adam 1 Silver badge

      Re: Why is this guy allowed into a cyberSECURITY conference at all??

      Meh. It all tastes like chicken to me.

      1. AbelSoul
        Trollface

        Re: Meh. It all tastes like chicken to me.

        All of my life

        I've been lickin'

        Your cyberSEC

        'Cause it tastes like chicken

        Oh boy...

        1. Marketing Hack Silver badge
          Unhappy

          Re: Meh. It all tastes like chicken to me.

          Yes, Admiral Rodgers thinks the data on your systems is finger lickin' good.

    3. Nick Kew Silver badge
      Holmes

      Re: Why is this guy allowed into a cyberSECURITY conference at all??

      Surely for the same reason as one might take an interest in a blackhat like Mitnick. Know your enemy!

  3. JustWondering
    Thumb Down

    Sure

    Nothing to see here. Move along now!

  4. as2003

    "We fully comply with the law"

    Both the NSA and GCHQ keep saying "we fully comply with the law".

    I suppose this stonewalling is supposed to placate and/or reassure us, but to me, all this says is either they are lying, or the law is horribly broken. Both of which are deeply troubling scenarios.

    1. MrT

      Re: "We fully comply with the law"

      "Look into my eyes, look into my eyes, the eyes, the eyes, not around the eyes, don't look around my eyes, look into my eyes ... you're under. We have not been doing anything illegal. Whenever you hear the phrase 'we fully comply with the law', even if we don't specify what we mean by 'the law', you are to ignore any misgivings or concerns and accept us as completely trustworthy in every way. Trust us. Trust us. Three, two, one ... you're back in the room."

      1. Looper
        Flame

        Re: "We fully comply with the law"

        Come on! Own up you yellow bellied coward.

        Who is the Cupid Stunt downvoting the first and second posters' perfectly valid points?

    2. Roj Blake Silver badge

      Re: "We fully comply with the law"

      The Soviet Union's gulags were also completely legal.

      1. SteveG

        Re: "We fully comply with the law"

        Much like the tax dodgers fully comply with the law.

    3. I am not spartacus

      Re: "We fully comply with the law"

      ...or the law is horribly broken.

      I can't say that I fully agree with that. What I think is most likely is:

      "We've got a room full of experts, and we've found a loophole in the law, or maybe a surprising use of technology, or even of the English language, and, provided that we are very careful with the exact words that we use, we can give you the impression that we are fully in compliance with the intent and the letter of the law, while only actually complying with one of the above. Or maybe even with something our legal eagles tell us is strictly allowable, but with which no one else agrees. Whatevs."

      Of course, you might argue that, in practice, that is the same as 'horribly broken', but we have to be quite careful with wording here.

  5. Spaceman Spiff

    Insult to idiots.

    If I were to call Rogers an idiot, that would insult idiots everywhere. If ANYONE can break into encrypted communications, then it is NOT secure, and everyone can that wants to. Tell this a*hole to first put all of his communications in plain text online for all of us to read. If he is willing to do that, then maybe we'll bare our asses to his probing ministries.

    1. Mark 85 Silver badge

      Re: Insult to idiots.

      It's very easy to call him and his ilk idiots. However, I think the truth is, they are not idiots but a lot smarter than we give them credit for. Maybe not in ways we'd think of. But in doing the bidding of the government (and thus ensuring they stay employed) takes a different kind of smarts. In some ways (many actually), these folks are like the denizens of the board room. They know their craft very well. Whether it's the exploitation of their own greed or the exploitation of their power... they're good at it or they would be where they are.

      Do some reading on Sun Tzu along with Machiavelli and Sun Yat Sen (for starters) and you'll get an appreciation (or a deep dose of fear) about these guys... both governmental and boardroom. They may not have read them, but they practice an awful lot of what they preached.

      1. Eddy Ito Silver badge

        Re: Insult to idiots.

        If only it weren't so difficult to differentiate a useful idiot from a corporate quisling. Come to think of it, I'm not sure there's a need to make a distinction.

      2. Swarthy Silver badge

        Re: Insult to idiots.

        I agree with Mark. The word you are looking for is not "idiot", it is "Jackass". Or perhaps "Rat Bastard", or "Power-hungry fuck-wad".

        Calling him an idiot is attributing to idiocy that which, at this point, can only be malice.

  6. Duffy Moon

    I'm a little confused.

    I thought the whole point about the right to bear arms etc. was to do with US citizens having the power to overthrow a hypothetical corrupt government.

    Surely, it follows that the same citizens should be allowed private communications, free from the prying eyes of the aforementioned hypothetical corrupt government in order to plan their revolution?

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: I'm a little confused.

      To follow that up, then the argument that encryption technology is equivalent to weapons would seem to imply that Americans have a right to it under the Constitution. To take the analogy a bit further, while it is fair to say that rights have limits, stipulating that any encryption must have a government-accessible backdoor is akin to requiring gun owners to only use guns that can be taken away by the government (and essentially anyone else) at any time.

      1. Eddy Ito Silver badge

        Re: I'm a little confused.

        Well there was that whole US government tizzy a while back regarding >40 bit cryptography being considered munitions until some guy named Phil wrote it out and it became free speech. It seems encryption technology falls doubly under the protection of the US Constitution.

    2. Anonymous Coward
      Anonymous Coward

      Re: I'm a little confused.

      what do you mean; 'hypothetical' ?

  7. Anonymous Coward
    Anonymous Coward

    Is he serious?

    Rogers quibbled with the term "backdoor," saying that it sounded "kind of shady."

    I'm reminded of the one about rearranging deck chairs on the Titanic. Surely this is the kind of thing you 'quibble' about if you're far more concerned with making sure the PR doesn't make your agency's already lousy image worse, rather than the evidently more serious topic of whether your self serving proposed measures are going to completely bork everyone's security.

    Anyone who was unsure if this bloke is an idiot should be clear enough now.

  8. Ole Juul

    Not invented here

    He insisted that the right legal framework could be put in place

    Unfortunately legal frameworks don't seem to work when it comes to the NSA. They prefer their own in-house solutions.

  9. Sebastian A

    Excellent logic

    "It should be legal to do it, because we're gonna do it anyway, but that way you can't complain."

  10. Mephistro Silver badge
    Devil

    Next week's news:

    "Following Admiral Mike Rogers suggestions that the NSA would order backdoors installed in web browsers, Norwegian company Opera Software's share prices rose a 200%. "

    Yep. He is an idiot.

    1. Charles 9 Silver badge
      Devil

      Re: Next week's news:

      Nope. They actually went after the WebKit engine (which Opera is now based on...not to mention Chrome and others) first.

      1. Mephistro Silver badge

        Re: Next week's news:

        "They actually went after the WebKit engine"

        Two points:

        a) - "Citation needed".

        b) - WebKit is distributed under BSD and GNU and its source code is available for review by anybody. Not saying it's impossible to compromise it, just that it's orders of magnitude more difficult than compromising proprietary software, and any vulnerabilities in the engine have a far bigger chance of being discovered & dealt with by the developer community.

        1. Charles 9 Silver badge

          Re: Next week's news:

          Two counterpoints:

          a) If you note my icon, I was playing Devil's Advocate. Playing along with the hypothetical scenario.

          b) As recent open-source snafus have shown, open-source is no panacea. And as Stuxnet has noted, not everyone at the TLA agencies are stupid (it's not everyday someone can design a malware that can jump an air gap in a high-security setting). If someone were really clever, they can hide the malware code in plain sight, perhaps by (1) breaking the whole works down into a gestalt of tine little pieces scattered all over the code and (2) disguising each piece as an innocuous if not serious feature.

          1. Mephistro Silver badge
            Linux

            Re: Next week's news:

            Your first counterpoint may be true, but I find your use of the Little Devil's icon a little bit too minoritary.

            Your second counterpoint does nothing to prove or disprove my second point. I said already that "open-source is no panacea" though with different words. The methods you describe to corrupt open source are much more difficult (i.e. more expensive) than simply slapping some NSL on, say, Google or Microsoft, ordering them to add a backdoor in their -more or less- closed source products, and also imply bigger risks.

            And before you say it, yes, I know they could bribe/blackmail/fool/waterboard some member of Opera Software's staff to surreptitiously include the backdoor in their product, but by doing that they'd be running a serious risk of exposure and of being arrested by the Norwegian Police or the EU institutions. This would be bad for NSA's business, wouldn't it?

  11. beep54
    Coat

    What a scary (looking) man.

    Are you certain that that is not a picture of some obscure Bond villain?

    1. Trevor_Pott Gold badge

      Re: What a scary (looking) man.

      I think he looks like a Harkonnen, personally.

      1. John Smith 19 Gold badge
        Unhappy

        Re: What a scary (looking) man.

        "I think he looks like a Harkonnen, personally."

        It's that malevolent gleam in his eye that says "All your phone encryption and IP addresses belong to me"

      2. Zolko

        Re: What a scary (looking) man.

        Baron Harkonnen was so fat he needed - actually, he will need, it's SciFi - suspensors to move around. While this man looks quite skinny. More like Nefud then, but that one was - will be, ouch, confusing - younger.

        1. Trevor_Pott Gold badge

          Re: What a scary (looking) man.

          Yes, but the baron had newphews, and this one reminds me of Feyd-Rautha Harkonnen.

          1. MrT

            Re: What a scary (looking) man.

            Gah! Now have "Every breath you take" playing in my head...

            "Every breath you take and every move you make

            Every bond you break, every step you take, I'll be watching you

            Every single day and every word you say

            Every game you play, every night you stay, I'll be watching you"

            etc...

  12. Anonymous Coward
    Anonymous Coward

    It's like this guys

    We either tell you what we are up to and do it.

    OR

    We don't tell you what we are up to, and do it anyway.

    Feel free to pick an option.

  13. dan1980

    To have a backdoor - any backdoor - is to have a weak spot.

    End of story.

    Whatever assurances are given, whatever 'frameworks' are constructed and whatever oversight is in place, these apply only to 'legitimate' access. Even with the very best intentions and practices*, you can't promise that no one else will ever be able to find and utilise the artificial weak spot that has been created.

    Perhaps there is a leak somewhere. Perhaps, given these backdoors must be conducted with industry help (generally), the information gets out after a targeted corporate hack. After all, the NSA are more than aware that with the right application of funds, know-how, technology and social engineering, you can hack pretty much any corporate entity.

    Encryption is either secure or it isn't. Fuck your legal frameworks and fuck your Commies and witches scare tactics - if it has a backdoor, it is not secure.

    If he would at least just come out and say that I would have some respect because he can't possibly not understand it. They are making the decision that it is worth weakening security for every citizen of their country (and indeed many others) to help them accomplish their goals. So just bloody well say so - say straight that these methods reduce the security of the public and open them up to potential hacking and theft but that the NSA believes that that is an acceptable price for the people to pay for the secure he is asserting they provide.

    * - In some bizarro world . . .

    1. Swarthy Silver badge

      So the quote morphs into something like "Those who give up privacysecurity to gain security deserve neither security nor security"?

      ...Sounds Legit.

      1. Anonymous Coward
        Anonymous Coward

        But since perfect security is impossible AND just ONE slip means game over, it looks like a no-win proposition.

  14. T. F. M. Reader Silver badge

    I'd say the post scriptum answer to the headline's question is quite incomplete. NSA want backdoors that will allow them to break into our computer and see if there is anything of interest there that has never been sent over the network. Decrypting your comms is just one part of the job.

  15. moiety

    The spymaster reckons Americans should secure their communications against all eavesdroppers – except, of course, those working for the police, FBI and the NSA (to counter terrorism or something). Experts warn any backdoors allowing this to happen will be exploited by criminals.

    Exactly. A system is either secure or it isn't. You can't make it selectively secure even if you wanted to because sooner or later the "bad guys" will get the keys to the door. And I'm being massively generous there by not adding police, FBI, NSA, alpabet alphabet to the "bad guy" list.

    1. Steven Roper

      And that's even assuming that the NSA of today doesn't eventually morph into the NSDAP of tomorrow.

      1. Anonymous Coward
        Anonymous Coward

        I think you mean Stasi, mate.

        But otherwise I agree with you.

  16. Allan George Dyer Silver badge
    Black Helicopters

    "backdoor," sounds "kind of shady"?

    Some more accurate alternatives:

    "gaping security hole"

    "thoughtpolice access node"

    "tyranny enabler"

    Shady is far too light a colour for this.

  17. This post has been deleted by its author

  18. Gray
    Windows

    Seems obvious to me ...

    if you want security, don't put it on the internet.

    And thinkin' on how they're goin' after air-gapped boxes,

    maybe you shouldn't put it on your fuk'n computer, neither!

    1. Afernie
      FAIL

      Re: Seems obvious to me ...

      "if you want security, don't put it on the internet."

      Yes, perhaps we should all just stop doing business in the 21st Century. That's a solution. A shit solution, but a solution.

      And thinkin' on how they're goin' after air-gapped boxes,

      maybe you shouldn't put it on your fuk'n computer, neither!"

      Are you going to write your deep, dissenting thoughts on some paper then? And maybe put it in a vault? That should stymie those nasty spooks.

  19. Anonymous Coward
    Anonymous Coward

    My apologies.

    I find myself at the point where I am obliged to apologize for the misbehaviour of my government. We did not and do not need an NSA. I am sorry that it has spied on you, but do realize that is spies on is own citizenry as well. I hope to see it abolished, but with the current crop of politicians, there is very little chance of that happening inside of a decade.

    1. dogged

      Re: My apologies.

      I echo the above sentiment with a minor alteration so that it regards GCHQ.

  20. PapaD

    Is this another attempt to destroy US corporations that provide online services.

    How soon after all US made browsers have 'backdoors' before we get an immense rise in the use of non-US made browsers.

    These guys are idiots - people care about their own privacy, even whilst advocating the moronic belief that 'if you've got nothing to hide......' to imply that they don't mind other people having their privacy breached.

    So, another way to destroy American online business.

    1. Anonymous Coward
      Anonymous Coward

      Is this another attempt to destroy US corporations that provide ...

      I don't think so. It is worse, it is an attempt to turn the Internet into a distrusted medium. The watchword of the current crop of governments all around the world is "control"; specifically control of all those who live within their borders. They know that (contrary to current edicayshun in skoolz) some people actually think, and that some of those thinking people distrust the propaganda pumped out through the "usual channels". Amongst other stuff, available on the internet is the information that counters the propaganda.

      Therefore ... (but then you, dear reader, are capable of thinking that bit through for yourself.)

  21. Eponymous Cowherd

    Of Geese and Ganders

    Alex Stamos' point is particularly relevant. If the US can demand that all encryption used within it's borders contains a "back door", so can any other nation.

  22. Primus Secundus Tertius Silver badge

    We have RIPA

    Who needs a backdoor when the authorities can demand the password on pain of imprisonment?

    This happened in the UK a year or two back. An Islamist who had 'forgotten' his password realised he was facing prison, and then 'remembered' it. Too late though: the offence was committed when he refused the original demand, and to jail he went.

    1. Eponymous Cowherd
      Facepalm

      Re: We have RIPA

      They can only demand a password if they know who to demand it from.

      1. Charles 9 Silver badge

        Re: We have RIPA

        Oh? They can't just demand it from EVERY suspect?

  23. toxicdragon

    "NSA director Admiral Mike Rogers has said it is vital Uncle Sam's crimefighters snoop on people"

    Fuck. Right. Off.

    1. Anonymous Coward
      Anonymous Coward

      And if they reply with "Fuck. Right. Back. We have ways of making you spill the beans..."?

  24. toxicdragon

    Then I honestly think at that point some form of action will be taken, who by I don't know but when it gets to the jackboots at dawn aspect then something will happen.

  25. John Smith 19 Gold badge
    Unhappy

    Note that once it's know that the backdoor *exists*

    Various groups will never stop looking for their access protocols and how to access it.

    The point is it's guaranteed to be there.

    How does this not end badly?

    1. Looper
      Devil

      Re: Note that once it's know that the backdoor *exists*

      They can backdoor all they like.

      Remember this:

      1. The code is effectively all open source, and perfect for any amopunt of forks.

      2. The smartest are not those working for the three lettered organisations.

      3. The online world will migrate away from the five eyes domains of control.

      4. Some suitable neutral territory will see the gap in the market and fill it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Note that once it's know that the backdoor *exists*

        "3. The online world will migrate away from the five eyes domains of control.

        4. Some suitable neutral territory will see the gap in the market and fill it."

        It's these last two that will be tricky. Try to migrate away from the five eyes and they'll just follow you. Try to find a neutral territory and you'll probably find it won't be neutral for long.

  26. Anonymous Coward
    Anonymous Coward

    And when the criminals figure out the key?

    No, no, no. If there is a backdoor for "police", then the criminals will kill themselves trying to figure out how to get in it. And *when* they do, not if, NO ONE WILL KNOW for days/weeks/years while the bad guys steal logins, passwords, identities, credit card numbers, bank/retirement accounts, tax returns, etc etc etc.

    How does this guy have this position and not understand this? Or is it just a matter of making his personal fiefdom bigger?

    I'm all for finding/prosecuting terrorists and other criminals, but defeating security for everyone in pursuit of that goal is absolutely NOT the answer.

    1. Anonymous Coward
      Anonymous Coward

      Re: And when the criminals figure out the key?

      then the criminals will kill themselves trying to figure out how to get in it

      Oh, I already figured that out - you use blackmail or bribery.

      Especially easy at some small, rural Law Enfarcement agency.

  27. Speltier

    Why?

    You have to ask yourself why Rogers bothers. No one at the conference is going to buy the story about the need to have backdoors to catch whoever-- the problem is that they can't catch anyone publicly now despite the deplorable state of Internet security. A cover story is needed for those remailer keys/SIM keys/TOR keys/pickyourfavecryptohardwarekeys stolen long ago... I have it! There is a backdoor for security purposes that we used and here is the evidence needed for conviction!

    Yes, indeed, a framework is needed to provide a cover story about how we got the information without actually saying how we got the information; it came from the same place, just not from the so called backdoor. But it could have, and you can't tell it didn't now can you?

    It works even better when, say, China installs backdoors everywhere (because the Americans are doing it)... only the Chinese backdoors are real and guess what? The NSA rubber hoses broke the Chinese back doors down before the code even properly compiled! The American back doors don't even have to work to put a torpedo in Chinese security... the NSA/GCHQ will gladly help all comers properly implement a back door.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019