How doublethink actually became a thing!
Keep your customers secrets or else.
Give us your customers secrets or else.
In the wake of the FBI's failed fight against Apple, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) have introduced a draft bill that would effectively ban strong crypto. The bill would require tech and communications companies to allow law enforcement with a court order to decrypt their customers' data. Last week a …
I think the US should put this bill forward for a vote immediately.
That way, anyone who votes in its' favour will have shown themselves to be unfit for office - right down to the point where they shouldn't be allowed to make the tea.
Sack anyone who votes for it and ban them from ever having any more authority than over their own bladders.
Feinstein, while a democrat has always sided with law enforcement since her time as Mayor of San Francisco. The article notes this is not her first bill she has "written" to support of the NSA and FBI. I am speculating here, it won't be her last.
FYI: The senator has been in her current office going on 24+ years. Nobody has the money to take her seat. The last election, she didn't even campaign.
She's one of the senators from California so she's elected by the whole state. She's not up for reelection this year, its Boxer's turn (and she's retiring).
We do have to get ignorant legislators out of government but its an uphill struggle against the hordes, there's so many of them. What Fienstein hasn't figured out is why DES got changed out for AES. It wasn't just that DES got old and tired, it was because the Cold Warriors wanted to exercise so much control over technology that critical technology like encryption standards had to originate "anywhere but in the USA".
I've personally witnessed just how much damage these people have done to our technology industries over many decades. Since the industry has grown rapidly its easy to overlook the losses but as things flatten out you will notice how many of our key technologies have been hollowed out by overzealous and underinformed legislators.
The Californians who have repeatedly elected Feinstein to the Senate are generally unaware that she is one of the most totalitarian-minded members of Congress. She is a ringleader of the War on Drugs, and an opponent of internet privacy. When she was Mayor of San Francisco in the 1980s she vetoed legislation that would have extended to gay city employees in domestic partnerships the health insurance benefits that were available to heterosexual employees.
Hopefully this latest totalitarian move will finish Feinstein's political career.
They angry up the blood every time I read them.
Not from the U.S. but in a country that tends to follow soon after on crap like this.
I'll repeat the only point I have on the issue,
The government can lead by example here and make sure they are running the same busted "security" on all their data so the people can have backdoor access to it for freedom of information requests.
They want to protect the people from the terrorists? They can start by protecting them from their own government.
...and they have! The OPM hacks dropped the US government's pants to the tune of personnel records on 22 million employees, including security classifications.
Now if that isn't busted security, I don't know what is.
Maybe it's like penis envy -- Feinstein, Burr, et al are insanely jealous of people smart enough to do good encryption.
Or perhaps it's simpler: Feinstein, Burr, et al are insane.
Leave it at that.
>>"Or perhaps it's simpler: Feinstein, Burr, et al are insane."
Simpler than that. They're interests just don't align with the publics. Nor has a farmer's interests ever truly aligned with the chickens. They might both want to keep the fox out, but the farmer still wants to keep the chickens in.
I can't decide if this is well-meaning but just astoundingly ignorant; or if it's a genuinely evil attempt to further fuck over people's liberty in a (going to be unsuccessful) power grab.
It does highlight a frequently-occurring flaw in the American psyche, though, and that is forgetting that there's a 'rest of the world' out there. Because there is, this cannot possibly work.
If this bill went through, the immediate cost would be in -at minimum- billions and the cost over time would be truly colossal. Nobody in their right mind would use a bank that automatically rendered them more liable to scams; or encryption software that is deliberately flawed.
In the unlikely event of this bill passing, my new hobby is to send one-time-pad encrypted email attachments with dodgy names*** to US Senators.
***CP_vol_7.zip (With the CP standing for Cat Pictures, or possibly Chincillas, but don't tell anyone because it's not as funny if the reveal isn't in the highest court you can find with extensive press coverage).
If you want to send an encrypted message - and still have plausible deniability - do the following.
1) Encrypt the message with a one time pad (simple XOR encryption - still unbreakable if each byte of the message is encoded by a unique byte of the pad and the pad is never reused)
2) Create an innocuous message of the same length
3) Create a fake "one time pad" as the XOR of the innocuous message and the encrypted message from (1)
If forced to decrypt the message - provide the fake "one time pad" generated in stage 3 which converts the encrypted message into the innocuous message from stage 2.
"but wouldn't that make your "evil message" (now being used as the one-time-pad and containing structured data) easier to decrypt?"
I don't see why it should. If I've understood correctly the fake pad is just to convert something you know (the encrypted message) into something else you know (the fake unencrypted message).
The original pad will will decrypt the original encrypted message to the real one. All the fakery stuff only relates to the faked message so should reveal nothing about the real pad or message.
I'm not an expert, so was asking for information. (I was completely wrong about the evil message being the one-time pad, as that function is served by the new one-time pad that you have whipped up for yourself...my mistake...not enough coffee).
Your encrypted message contains both the decoy message and the evil message. My question is that if you decode the decoy message, does not that give some clues (either by changes at conversion time or by what's left) that might make it more vulnerable to finding out that there's another message in there? Or worse - to decoding it? The evil message is structured so might it not be possible to detect that something is there?
Ah, I think I see your disconnect here.
In reality, the encrypted message does not 'contain' the decoy message as such. You are creating a fake translation matrix that you apply to your encrypted message to make it look like the decoy message when it's processed.
Does that help?
Actually, thinking about it, couldn't this process be used to fake evidence if someone refuses to reveal their passwords? It might be limited to creating incriminating evidence rather then magically conjuring up actual useful data (which is still hidden by the encryption) - but who is going to argue that the prosecution has 'incorrectly' decrypted the file? The only way to prove that their information was fake would be to produce the *real* key, and hence reveal the real data.
Thanks, I think it will help after I've looked some more stuff up. Clearly I'm hard-of-thinking today.
The new one-time pad by the prosecution would have to have a different hash than your original (OK, second) decoy pad, wouldn't it? You might be able to prove that the files have been interfered with. Mind you, if someone's clever enough to think of tampering with one-time pads; it's feasible that they'll have the knowhow (if possibly not the opportunity) to interfere with the forensic report of the original storage medium.
So actually this technique is not only for deniability; but can also be used as a protection measure; as it takes you from being completely stuffed to a word-against-word situation...and if you whip out your decoy pad and it decrypts to an innocuous message then you'll end up looking more credible to a jury, I think.
Here's an attempt to clear up any remaining confusion:
A one time pad is random data (at least) as long as the original message.
If we look at the original suggestion, step 3 could be put off until the demand arrives. One could, without knowing the original, decrypt the message to anything. Therefore it doesn't affect the security of the original message.
I've thought about this before, in a rather similar context. In the UK, could this approach be used to fend off a RIPA section 49 notice?
I think it's worded that you're required to make the information intelligible, which this approach does, assuming a carefully chosen plaintext. Might be handy when they're demanding you decrypt a file you don't actually have a key for.
"My question is that if you decode the decoy message, does not that give some clues (either by changes at conversion time or by what's left) that might make it more vulnerable to finding out that there's another message in there? Or worse - to decoding it? "
Any OTP encrypted message contains ALL messages of the same length (or shorter) - you just need the appropriate OTP to get to it.
All that the "innocuous OTP" proves is that someone has combined the 'crypt data' with 'innocuous message' to get an 'innocuous OTP'.
If you find the 'evil OTP' then you reveal the 'evil message' - but you need to demonstrate that that OTP was used on this message - since you now have two apparently valid OTP instances, and only one is genuine.
No - the trick is the "one-time" pad is held at the sender and receiver's position and for each message a layer of the pad is removed - thus each message encoding schema is random and observed bits from a transmission cannot be used as a guide on a subsequent message. This betters the scheme for Enigma - which transmitted a large volume of messages each day - and you had to decrypt during the day to be able to read something at night. This requires discipline to avoid reuse of the pad.
The only way to crack this unbreakable system, first documented by Frank Miller in 1882 for Telegraph systems is if the one-time pads are not truly random or if someone re-uses a prior pad as in the Verona case. This is why pseudo-random number generators are not usable for securing systems.
"Any OTP encrypted message contains ALL messages of the same length (or shorter)"
That did it. Got a neighbour who's doing renovations; which does not sit well with being nocturnal.
Actually,, this technique does handily solve my main problem with the UK version of encryption legislation...decrypt it or go to prison. In my work, I end up with a vast stack of other people's passwords; so I could end up in the position of not decrypting (and fulfilling my responsibilities as a data controller) and going to prison; or decrypting and making myself liable for all sorts of shit under various Data Protection Acts, in various countries.
...so I could decrypt and leave the passwords scrambled; which would also have a handy built-in canary for law enforcement misusing the data.
"Good sense might prevail in the Land of the FreeTM, but don't bet on it." With America's Native Criminal Class (Mark Twain) which is best at subtracting from the sum total of human knowledge (Czar Reed of Maine) I figure the final bill will be much worse than the current drafts.
The problem with this bill is that it will impact commerce. Tech isn't just about the tech companies anymore but everyone else who will be impacted by that tech. It's like that bit from the last DrWho special where he plugged Hyroflax into all of the big banks.
Nothing gets protected like money.
This dimwit is threatening the security of money. Never mind the midgets of Silicon Valley.
They are going to make it so it is impossible to get at the data under any circumstances. Obviously I haven't read the full text, but what I have seen doesn't seem to require that they perform the impossible. So if presented with an iPhone 5c they might be forced to create a hacked OS to help the FBI break in, but if presented with an iPhone running iOS 10 that includes the changes that make it impossible to Apple to help, the FBI will get the court order and Apple will say "what you are asking is impossible".
If the government could compel impossible things they should just have a court order that compels Apple to hand over a list of every active terrorist in the world and where they are located. That would save a lot of hassle trying to decrypt phones and doing police work if you assume you can force someone to pull a rabbit out of a hat.
Ah.. the list of impossible things that some CongressCritters think can be done.... This is right up there at the top. What's next.. ordering an FTL drive? Ordering NASA to find "heaven"?
Good on Wyden and I hope enough in Congress listen to him as seems to be one of the few who have a grasp of the problem. As for the two bozos.... a pox on them. Better yet, may all their files and emails along with anyone who voted for them be exposed because... ya' know, weak encryption.
I swear it's a race to the bottom between the US and just about everyone else. I'm wondering if May will try to top this or maybe France?
The problem is the passcodes. Proper security requires high-entropy but no-one is going to do that every time they want to unlock their phone. Hence the ability to brute-force it is wanted.
The other option is to have a high-entropy passcode just for software upgrades which don't destroy the on-chip data, but a rarely used password is going to be forgotten or shortened.
Realistically, if a terrorist is going out to die, he's now going to destroy his phone first, regardless of what any phone manufacturer does.
But this was never about terrorism, was it? This is about the State asserting its right to Total Information Awareness. That's mostly to protect against another Snowden, in my opinion. We can't have the serfs knowing what's really going on.
Passcodes - i.e. 4 digits PINs are definitely a problem, but you do not have to use them. iOS supports using passwords. You don't need too much entropy before brute force becomes utterly unwieldly - this isn't like password cracking where can try a rainbow attack using a dictionary of billions of pre-encrypted passwords.
If your password was a single lowercase dictionary word you'd be vulnerable, but if you simply added a couple digits or punctuation marks to it, you'd have enough entropy to be safe as the solution space would too large for a dictionary attack to be practical given the limitations of being able to enter them (even if you bypassed the delays for wrong passwords and the ten try limit)
If the data on the terrorists phone was encrypted, there wouldn't be anything that Apple could have done to help the FBI. Damn media outlets don't understand the difference between an encrypted file and a password protected device.
If a "terrorist" wanted to keep data secure, they'd use a third party encryption program if Apple's built in encryption was compromised or thought to be.
On its face, the draft law requires in Section 3a that a company that provides a device or encryption system "shall" perform certain actions under specified circumstances. How they provide for that (Section 3b) is up to them; the government cannot require a specific implementation (similar to the fact that they did not require a specific implementation in the recent California case). The imperative "shall" does not, on its face, allow for a "covered entity" such as Apple, for example, to evade this by implementing a security system in their product that they cannot, in fact, circumvent; the law, if enacted, will impose a requirement
The draft does not provide any information about the consequences for a "covered entity" that either will not or cannot comply. I can imagine a fine, possibly quite large, for covered entities that refuse and possibly injunctions shutting down sales of non-compliant products which the covered entity has designed so that it cannot bypass the product security. That would be a sad outcome indeed.
The proposed law still is pretty rough, and does not cover things, such as fraud, money laundering, and other financial crimes that seem fairly obvious. There seems no very good reason, for example, to single out any particular type of crime for this treatment; it ought to be enough for a US or District Attorney to be able to convince a judge to issue a search warrant based on probable cause. (I expect that other types of court order, if included in an enacted version, would be thrown out on the basis of Riley v California, which found a warrant necessary for search of a cell phone, even incident to an arrest).
Apple would not be "refusing" to comply, they would be unable to comply. It would be no different than the FBI trying to get Apple to break into a phone that had been damaged by fire, and Apple telling them "it has been destroyed too badly".
The law says the covered entity 'shall' provide certain things, but does not specify that they must design their products to be capable of providing those things. That's a whole different law, and Apple will already be at that point before this law can ever pass - congress would never pass something so controversial during an election year, and by the time there is a lame duck session in November Apple will have already changed iOS 10 so they cannot comply.
The question might well be whether Apple would be able to sell such equipment in the US. The draft law appears to require that they bypass, or help the government to bypass, security that they provide or have provided on their behalf by another party, given a constitutionally valid warrant or other court order, and maybe a lawful court order for assistance under the proposed act, to do so. One obvious solution to the "cannot bypass" claim would be a "cannot sell" injunction applicable to such equipment in the US.
I am not arguing that this would be good policy, or would not cause great uproar and discontent. However, it is not obviously inconsistent with anything in the Constitution. Moreover, if implemented subject to the same controls that Apple applies to iOS, it would not, in fact, pose any threat that does not now exist to users against whom the government does not obtain authority to breach privacy.
The draft act has numerous problems, but "cannot bypass my built in security" may not be the most serious of them.
> They are going to make it so it is impossible to get at the data under any circumstances. ... if presented with an iPhone running iOS 10 that includes the changes that make it impossible to Apple to help, the FBI will get the court order and Apple will say "what you are asking is impossible".
And that's where this law kicks in, such a phone would be illegal - it would be illegal for Apple to make it (or import it), illegal to sell it, and if Apple ever turned round and said "impossible" then that's a complete admission that they broke this new law banning unbreakable crypto.
In fact, their current models would be illegal under this law - and that's the problem.
"Anything" with crypto where TPTB can't be given the decrypted data on demand is basically illegal. So Apple must water down their protection to render it insecure - and so must anyone else making or importing anything in the US.
As pointed out, this would render the USA "out of bounds" for pretty much anything technology related. The current "discussions" regarding Privacy Shield would be moot - it would be illegal to provide proper security of any data held in the US even if the government completely backed down and accepted the principle of privacy.
What would happen is that a good chunk of US technology business would be very quickly offshored. There'd be (sticking with Apple for a moment) a "US iPhone" and a "rest of world" iPhone - the RoW version would have security, the US one wouldn't, and the security software would have to be developed outside of the US. A bit like certain encryption tools had to be developed outside the US to avoid their "encryption is a weapon of mass destruction" laws.
Apple, Microsoft, IBM, Cisco, Juniper, and a long long list of US tech companies would very soon be deciding that the rest of the world was a more important market than the domestic US one !
"In fact, their current models would be illegal under this law - and that's the problem."
Then the problem lies with Congress. The Constitution specifically forbids retroactive laws (Article I, Section 9). If an item exists legally, it cannot be made illegal after the fact.
I have seen nothing in the text of the proposed law that makes it illegal to make, sell or import any sort of device based on government access. Only that tech companies have to help the government access them, but it is silent on what happens if the tech company is UNABLE to help.
There are a few other countries where law enforcement officials would be happy to be able to access data stored on smartphones (France, Belgium, and the UK come to mind rather quickly). It seems possible that these companies find few large markets in which to sell equipment that is immune to government authorized search.
Upvoted anyhow for clarity of analysis, although the bill, if enacted, is certain to differ from what we see now in draft.
I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate.
Which would put a stop to most high-value technological development.
Think about it. Boeing and Airbus would know exactly what the other company is developing. The 787 came out before the A350 in part because of industrial espionage by Boeing; with no secure encryption available, this kind of thing would not be a single occurrence but a constant one. So both companies would stop doing any high-risk development out of fear that they invest the billions into R&D only for the other company to file the patents first. You may replace "Airbus" and "Boeing" with the names of any other high-tech duopoly you like, there are quite a few. Think space booster development and defense contractors.
The same goes for scientific progress. In the higher academic circles, he who publishes first gets the Nobel Prize, not necessarily he who did the actual work. So work would get slowed significantly, because top-notch scientists would be unable to use electronic media for communication for their work any longer, lest another team grab the laurels of years of work they didn't do themselves. It has happened before, many times, just so far through negligence letting papers lying around and not by default decreed by law.
Those are only the two most obvious considerations, but I somehow doubt the congresspeople (and the many other legislators the world over demanding encryption be banned outright!) ever thought things through even this far.
"I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate."
That's not a problem in the minds of the bill's authors. The vendor just has to provide encryption that criminals can't break but they, the vendors, can. How they do that is the vendors' problem: "Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design ... to be adopted by any covered entity."
It's almost like they want to wipe out the US high tech sector...
... but life amd some exposure to politics on the local level has taught me that human supidity knows no bounds. It's either that, or they are North Korean sleeper agents. In any case, at least it would lower the rents in the SF area.
"I wonder whether these congresspeople ever think their ideas through to the end. If they insist on weakened encryption, this encryption will not only be broken by law enforcement, but by criminals ranging from individual to corporate."
No. They think the keys well be safe in the hands of law enforcement, won't be abused, and won't be cracked independently by hackers or other governments.
After all, they're the good guys, right?
They really are that incredibly stupid and ignorant.
The proposed act, like the court order in the Farook iPhone case, does not require that the government have any keys at all, or even be able to use whatever a vendor devises to comply with the act. It requires that the vendor decrypt or assist the government to do so.
They do think these things through. Most anti-crime legislature in the US these days is geared toward non-criminals. Criminalizing constitutionally held rights all in the name of safety. Criminals don't give a rats ass about the law, that's why they are criminals... The senators know this. The goal is to remove power of the populace to protect themselves from, and hold accountable the very elected officials that are supposed to be working for the people, not for themselves. Sadly, it is probably horribly and irreversibly corrupted. As a US citizen it sickens me to no end.
> "No entity or individual is above the law," said Feinstein
So obviously, the architects of the 2008 financial meltdown are mostly behind bars? The people responsible for fabricating evidence of WMDs in Iraq, and taking half of the western world to war; they had their comeuppance didn't they? And when the CIA realised they'd accidentally provided self-incriminating documents to a Senate Committee, then hacked the senate computers to remove said evidence, they were brought swift justice after Dianne Feinstein herself brought it to light?
Interestingly, the use of encryption in https is not to hide anything, merely to prove that it really is you.
I'm sure it is well understood in these forums that a back-door would not only blow open secrets, it would make it impossible to trust anything. However, I see no wording in this bill about making it possible to impersonate others (perhaps, for the purposes of emptying their bank accounts).
Perhaps the best response to this bill is "Please publish your online banking details.". The idiots will wonder what you are talking about and deny that it is relevant, but if it becomes the stock response to all such requests, perhaps the more curious idiots (like, the ones voting in November) might make further enquiries and enlighten themselves.
'Perhaps the best response to this bill is "Please publish your online banking details.". The idiots will wonder what you are talking about and deny that it is relevant'
And they'd be right. Because apart from being able to decrypt on demand for law officers the vendor would be required to protect the data from everyone else. The fact that these requirements are mutually impossible is beside the point as far as the authors are concerned.
"Interestingly, the use of encryption in https is not to hide anything, merely to prove that it really is you"
I agree that there are two uses for encryption keys and that one of those is to digitally sign data to prove it was written by you, but I'm not sure you understand https as it isn't implemented like that.
The certificate exchange and verification process is to create an encryption key for the data flow between you and the web server. Anyone else looking at that data stream wouldn't know what it contained unless they had the key.
Unless I've totally misunderstood your point :/
Let's blow past all the ethical reasons why this is ridiculous and even past the reasons why weakening encryption is dangerous.
Instead, let's just focus on the practical, logistical implications for the existing technology companies who would be covered by this.
There are thousands of pieces of existing software, currently running on all manner of hardware, that would need to become compliant with this legislation. All that software would need to be re-written and re-deployed.
That's not quick and it's not free. So, while companies may be compensated (by the tax payer) for the effort requiured to hand over the data for each request, who pays for them to re-write their software? To delay product launches? Arranging for updating of existing devices? User communication? Support?
And that's before we talk about interoperability and communication between hetergenous systems - something that's sort of important in the modern, connected world.
How can you have software from different vendors across different hardware communicating without standards? And what standards can exist when each vendor is charged with coming up with their own solution?
So yes, the privacy and security issues are HUGE but even at the simplest level, this legislation is insane.
You are allowed now to keep whatever secrets you wish by default. The government (either federal or state) can get authorization from a judge to access those secrets by obtaining a warrant based on "probable cause, supported by Oath or affirmation." That is included in the Constitution's fourth amendment. The proposed law may be unworkable and it may be bad policy, but nothing in it affects legal rights of citizens or of non-citizens legally present in the US.
It's more absurd than that. The politicotards don't get the fact that encryption is just maths, and it's piss easy to roll your own.
So they want to try to ban something (or, at least, render ineffective) something that anyone can make for themselves. An act that that will also have little effect on the safety of American ( or any other ) citizens.
Yet fail to do anything to control guns, which most people are incapable of making themselves and which kill over 10,000 Americans every year.
This bill will never become law and they know it. It is really meant to force every rich tech company to open their wallets, not their encryption. This bill will have tech running so scared they they will pour mountains of cash through their lobbyists into congress critters' pockets. Congress, on its part, will equivocate, right up to the final vote, squeezing every last penny they can out of the Googles, Microsofts, Facebooks, etc. of America, before finally, at the last moment, allowing themselves to be convinced that this is a bad bill, then claiming they felt that all along. Everybody will then breathe a deep sigh of relief, and Congress will stash all that windfall cash.
I agree. We're at the point where tech companies are globalised. They don't need government anymore and they chose where to pay tax and how much. Tech companies also command more respect, authority and credibility amongst the population as compared to goverment institutions and politicians. The recent support for Apple (vs FBI) is evidence of that.
The old way of politics where the Military & Industrial complex pours money into lobbyists and polticians is over.
The ban on encryption is a last ditch attempt at showing tech companies who's boss.(or who wants to stay boss).
In recent years technology has had a bigger(positive) impact on my life than politics. It is almost as if politicians are intentionally boring people to death, so they can get on unhindered, with whatever it is they do.
I find the efforts of Elon Musk more inspirational than any politician in the last few decades.
This bill ensures that there can never be a safe harbour for EU data on any US server.
When this bill passes, the US ceases to be a part of the internet - no one will allow any of their data to ever reside on the US. I suspect many US citizens will insist their data go offshore as well.
We will have Data Havens popping up in small countries around the world - they will allow strong encryption and deny all access to the data. Data Havens will soon have a value beyond that of Tax Havens. Small islands will have to install nuclear reactors to power the server farms.
This may also mean owning an enigma machine will be illegal.
Science fiction writers are going to have a field day with this.
"shall be compensated for such costs as are reasonably necessary"
I see an opportunity...
1. Build popular app with strong encryption
2. Wait for USA Gov. to demand decryption
3. Ask for $$$ to buy f**ing big supercomputer...
4. "No, we don't have an answer yet, call again in 10 billion years..."
"and which have been directly incurred"
Damn, past tense, it's like they were anticipating this...
"No man's life, liberty, or property are safe while the legislature is in session." Mark Twain
Never were truer words spoken. Particularly in this case. I think we should setup legislation in a country that guarantees the availability of strong encryption and ensures that there are no backdoors. If we can couple that with low company taxes I am sure that a lot of high tech companies will want to setup there.
I fired off a Nasty-Gram to my senator, Feinstein. I avoided profanity. It wasn't easy.
that's where ANYONE can send a Nasty-Gram. It helps if you live in Cali-fornicate-you, but ANYONE can say whatever they want.
It also helps if you give REAL contact information.
I'm sure there's a SIMILAR contact form for the other senator, the 'Establishment' RINO.
Kudos to you for doing the one thing that is really necessary in this case : showing your politician that his aides and yes-men are out of touch with his political base.
Because nothing sends a politician scurrying the other way like the perspective of losing votes. Remember Minister Hacker ? "You're not asking me to make a courageous decision, are you ?"
Make sure that hack knows the decision is courageous.
Her. Dianne. https://en.m.wikipedia.org/wiki/Dianne_Feinstein
Not that I expect everybody in the world to know our politicians. The US citizenry are notorious in our own ignorance of global politics. Or culture. Or language. Or geography. I... May be slightly less parochial than most, but I'm guilty of it as well.
Providing technical assistance by delivering such information or data - concurrently with its transmission would require the OS used to encrypt a communication to provide a live feed, if requested.
Telemetry, telemetry, telemetry - now we know what Windows 10 is for.
Uncanny, yes. Microsoft seem to have had a good idea of where the wind was blowing. Or are they blowing themselves?
Doesn't say much for Windows 10, mind, if its best chance of taking over from Windows 7 lies in it already being compliant with a nut-job bit of lawmaking.
As much as I think this is stupid and damaging I think I can see where this is going. They will probably enforce the local storage of keys and the unlocking of devices on the manufacturer that way the encryption is intact until you have physical or remote access to said device.
Having said that the stupid part is that they really think they could force someone like tencent to adhere to these rules and if they don't then how exactly would they stop people using foreign software? The only thing this will achieve is the severe hobbling of the US tech industry. Who in their right mind would use a cloud service that the US government could access at will?
Anyone who has seen this will recognise the recent UK newspaper articles which said that the terrorist scum didn't rely on encryption, they used burner phones. How exactly will this bill help with that...?
I'll allow that these two are not evil (though this is exactly the way that the 1984 brigade are creepingly gaining control over the populace) but that leaves me only with the alternative - they're stupid and/or ill-informed.
How dare you bring reality to the debate ! You informed anarchist, you !
This is not about particular occurences, this is about furthering the domination of Government over The People by using handwaving, strawman arguments and religiously chanting the magic password (ie terrism).
You're ruining everything they're fighting for !
"Live free or Die"
I think Rincewind put it best. Once you're dead, it's over. At least when you're alive you can change things.
"He who would trade liberty for some temporary security, deserves neither liberty nor security"
They've been found to be mutually exclusive and polarizing. You can EITHER have liberty (in anarchy) OR security (in autocracy); problem is, there's no happy medium between them because anything in between is unstable, naturally tending to drift toward one end or the other. So third options are ephemeral at best.
"All providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders."
And for the none americans living in America?
Law enforcement should focus on non encrypted crime first. The Panama Papers have shown that tax evaders and money launderers have been doing just fine for the past 40+ years without encryption and most countries have done nothing about it.
Would be great if we saw law enforcement holding these people accountable, instead of wasting energy on this "war on encryption" media campaign.
This law would only apply to US companies or overseas firms with offices here
If TTIP comes in before Burr-Feinstein, does that mean that an EU company offering end-to-end encryption services in the US could sue the US government for compensation by severely restricting the service it can offer? How is 'office' defined? A shell company constituted in Delaware, or would a rented mailbox in DC do?
A covered entity that receives a court order from a government as described in paragraph (1) and furnishes technical assistance under subparagraph (B) of such paragraph pursuant to such order shall be compensated for such costs as are reasonably necessary and which have been directly incurred in providing such technical assistance or such data in an intelligible format.
So maybe the Feds eventually approach the company with a court order and say they need one of its customers' messages in an intelligible form. If the Feds want the plaintext some time before the heat death of the Universe, the company rents a truly huge amount of compute power and sets it to brute-force cracking. How long would it take before the government budget for such recompense is drained?
"So maybe the Feds eventually approach the company with a court order and say they need one of its customers' messages in an intelligible form. If the Feds want the plaintext some time before the heat death of the Universe, the company rents a truly huge amount of compute power and sets it to brute-force cracking. How long would it take before the government budget for such recompense is drained?"
Probably not much at all if they're keeping a Black Project working quantum computer under the datacenter in Utah.
Serve the suspect with a court order requiring they unlock their stuff. Why exactly should the police be able to reach-around the judicial protections? Why should they be able to go to the device makers instead of the usual court ordered searches directed at the suspect?
It's called "Compliance with Court Orders Act", it's actually "Compliance with any potential FUTURE court order act".
Because they have to backdoor everyones hardware *today* to allow for any future court or police requests for that data *tomorrow*.
Do they have probable cause to suspect *everyone* today for crimes they might commit tomorrow?
On the contrary, they have a privacy right today, and a presumption of innocence (certainly of crimes they haven't yet been accused of), so why is their hardware backdoored and spied on if they're innocent? Feinstein?
There are a couple of likely outcomes.
One is that the mutual incompatibility of the requirements would become its downfall in court. A company builds the encryption its customers require. Some investigator attempts to invoke the decryption requirement. The company goes to court with any number of expert witnesses to state that the requirements of the law are mutually impossible. Based on they argue that they've complied with one and must then be excused of complying with the other. There'd be scope for pouring on a certain amount of ridicule such as comparing the bill with attempting to outlaw gravity.
The other is that the US loses its IT industry.
Bills like this are introduced in a vacuum of what the people actually want.
The news media will not cover it because they're too busy following what Donald Trump said yesterday.
If and when people actually hear the news, they won't understand it. The bill will have a cute title like, The American People Protection Act Against Terrorism or some other meaningless "sounds good" nomenclature.
I'm actually almost hoping that this bill pases.
The initial result will be no noticeable change.
The long-term result will be the exit of all high-tech industries from the USA, to the ruination of that country and the benefit of anywhere else that does not blindly follow the USA over the cliff.
Sadly that's more likely to be a Pacific atoll state than the UK!
1- Right to privacy isn't absolute.
2- The government has the responsibility of keeping the general public safe
3- There are ways to allow bypassing encryption and still keeping things relatively secure... or do you really think you currently need to 'approve' updates to your operating system?
4- It's more likely you and the general public will benefit from a bypass than have it used against you... unless you're a criminal.
For instance... it's more likely you will have your identity stolen, credit debt increased, bank account wiped out, etc... and the only evidence linking the criminal to these acts against you are on an encrypted hard drive.
If law enforcement cannot get access to it, the criminal will never be charged and your money, credit rating, etc. will be lost forever. Which also means any decent paying job requiring a background investigation will be out of reach because of a poor credit rating and all the other electronic mayhem the criminal did.
What about a possible POS breach where criminals got access to your credit card numbers among other things. Investigators can't investigate what happened because the banks and commercial store involved refuse to allow access to their encrypted information.
...I wonder, will you be in favor of a law enforcement bypass then? Of course you would. Just imagine your whole world turned upside down, and tomorrow you have no car, no place to live and no money. With your electronic reputation in the dumps, you also have no future or prospects for employment, loans, etc.
Good luck with that.
"For instance... it's more likely you will have your identity stolen, credit debt increased, bank account wiped out, etc... and the only evidence linking the criminal to these acts against you are on an encrypted hard drive."
More than likely such a savvy criminal will live outside US jurisdiction, meaning he's out of reach anyway. Even if he could be apprahended, he'd likely have no evidence at all because at the hint that the door's being busted in, he activated a self-destruct mechanism whereby the volume key on the drive is wiped or physically melted with thermite. Either way, the evidence goes up in smoke and the law has no case and no way to create one. All his data is now just useless random data that NO one can decrypt, not even him.
"What about a possible POS breach where criminals got access to your credit card numbers among other things. Investigators can't investigate what happened because the banks and commercial store involved refuse to allow access to their encrypted information."
Again, nine times out of ten, the crook is operating from another country: likely one that's antagonistic to the West like Russia or China and maybe even with their tacit consent and covert support. Three words: you can't win.
About the only way you can avoid this is to liquidate all your assets and go live by yourself in the Alaskan wilderness or somewhere in complete isolation. Otherwise, you just have to live with the risk and realize that when it comes, it's "Game Over, Better Luck Next Life," and there's no way around it. Either live with it or drive yourself crazy trying to flatten the sphere.
A bill to make both pi and e equal to 3.0. This will be known as the "Making Scientific Calculations Simpler Act." Every bit as well-thought out as her encryption bill (or any of her many other Great Ideas), this will foster scientific innovation by making math much simpler for scientists and others. It will catapult the USA into a real leadership position in the scientific world.
Future projects include assisting work on conquering space by getting Congress to repeal the law of gravity.
Most of the bunch are just grabbing their actual catch and yelling each other. CONGRATULATIONS to Dianne and Richard. Also is quite clear that Industry doesn't want to acknowledge what Senate is clearly asking. Also is quite clear that only Actor? being kidded into not acting is Consumer.
No tech barrier. Common, there is intelligent People around here. Theoretic formalism for this kind of problems where established since the time of Mainframes.
IT People here is not being kidded with this pseudo-theoretical limit. But silence allow the Consumer to be kidded.
In fact, IT People here should be fighting the fight for a breathing space of true personal encrypted privacy, within some of the memory space(s).
Security should be concerned with communications only, and leave our private wanders and ramblings to ourselves.
Personal_address-space>Comm-Provider_address-space>Law-Enforcement_address-space. With a line of Formal Request Back to the Individual. The better this scheme -of any other- works, the less Intelligence Community has to meddle in everybody business.
English King? No man should lack guarantors.
On empowering clients|users, the bestowing Entity becomes guarantor.
Government is not asking the weakening of anything.
Government Is asking those -no questions asked- empowering Companies to effect guaranties on their protégées, when Lawfully requested so.
Again, this is not a Tech Issue. As simple as dividing that so called One Pass by two. And declaring themselves 'Me in the Middle'.
It seems to me the only change to make this a reasonable (not necessarily good, but reasonable) law is insert "if possible", at the end of the requirement for companies to turn over data. Since it does contain the provision that no particular design can be required or prohibited , in practice all it really means is "If you leave the door open, let us use it". As currently written, all a company would have to do to "comply" with this law, while still offering strong end-to-end encryption is say "Alright, 'appropriate technical assistance' coming right up. We're going to build the world's biggest super computer farm to crack this key for you... but you're paying, right?"
It seems to me the only change to make this a reasonable (not necessarily good, but reasonable) law is insert "if possible", at the end of the requirement for companies to turn over data.
The change required to make it reasonable involves a pint of diesel and a blowtorch...
Petrol, not diesel
Diesel, not petrol.
Diesel actually doesn't set light with a torch
This video disagrees with you. That's the first one I found - having done similar myself, I knew there was bound to be one.
Petrol has a tendency to conflagrate and burn your face off. Diesel, with its much higher ignition temperature and lower volatility, is somewhat safer in such situations..
Unfortunately, most americans have become fat, lazy, and obsessed with Kim K's ass. It is sad to see what the popular zombies have become. Look at the jokes running for president. Scammer, criminal, and idiots. The US wants to control the population and look how they love to pump our local water supplies with sodium fluoride which is known to cause problems with neural development...
New Godwin's Law. Let's call it 'Charles' law'?
Anyone requiring cites from 'Reputable' (ie, ones that I agree with) 'Peer-Reviewed' (in other words, old chum's networks) journals from 'multiple countries' (so that I can claim that you haven't cited enough) is:
1 - wrong
2 - unable to admit this
3 - frantically trying to force the original poster to do his own checking work for him
4 - never going to agree with any cite that's given, making the whole exercise pointless...
Then I propose Godwin's Law for Godwin's Law.
1. If you don't believe there's such a useful thing as "reputation," then you don't trust anyone. By definition, you're paranoid.
2. If you don't trust peer review (which includes rivals who would love to shoot down the competition), then you don't trust anyone. By definition, you're paranoid.
3. If you don't place your stock in other countries and their laws which will differ from country and country and may indeed see each other as rivals or even enemies, you believe there is a global conspiracy. Meaning you don't trust anyone. By definition, you're paranoid.
If you aren't willing to back up the claims you make, you're either making a baseless claim or you don't think backing up the claim is possible because the moment you make it everyone will oppose you because you. And if you're that paranoid, why haven't you abandoned the Internet at this point, gone to the mountains, and hidden in your lead bunker waiting for Judgment day?
All security related companies be it hardware or software will HAVE to relocate all offices out of the USA.
the USA will loose out on Billions of tax revenue and will be NO safer for it in fact they will be less safe as local security will be back doored and bad apples WILL get in (as well as the Govt decide yourself which is worse)
FEINSTEIN is actually acting in a treasonous manner. BURR is actually acting in a treasonous manner. Together they are threatening the privacy of all Americans, killing American ingenuity and creativity, and generally acting like imbeciles who don't know they have their heads up their own ____.
And... these "predatory third world control freaks" are killing American business while shipping jobs overseas. In the spirit of SANDERS & TRUMP, firing the entire legislative body save for very few, will put America on the path to being Great again.
Cryptography was on the united states munitions list as late as 1992, with all of the export restrictions that came along with it. United states citizens have "...the right to bear arms...". so I would have thought that American citizens have the right to any type of encryption they can afford?!
Paris because; once you've made a tool of yourself as publically as these two senators have, its difficult to be taken seriously...
lol! First we get life in prison for shipping stron encryption overseas (as if the people outside the u.s. are so stupid as to not conceive their own) Now these primo azzajoles want to give us life in prison for using strong encryption.
WOW. Privacy rules as long as you don't mind getting permission to schedule your high level business meetings from the likes of imbeciles like Feinstein (the censor master) and Burr (i hear the guy is 100% complete eejit).
On one hand health care providers are told to keep patient data secure, and then if the encryption to do that is banned, they'll start to get sued for not being properly HIPAA compliant. If encryption is backed off on JUST mobile devices, then Doctors will have to go back to paper instead of tablets...
Not to mention the fact that putting our encryption LOWER than the rest of the planet makes every bit of our infrastructure vulnerable to terrorist cyberattack or state sponsored cyberattack. Might as well revert all our power and water plants back to full manual control and pull all the computers out... How stupid are US politicians? (yeah, bunch of clueless OLD lawyers, nvm)
It's already know that US spy agencies have plied their trade snooping on the oversight committees that are meant to keep them on a leash. I wonder if the SENATOR has stopped to think that giving the keys to the henhouse to the foxes might be a really bad idea. The US black agencies are already completely out of control. More and more, police departments in the US are out of control and are gearing up with surplus military equipment. I live in a small town that has a Humvee and an APC at the police department. At the very least, it looks bad.
I think its the other one -- Senator Boxer -- that's retiring this year so we're stuck with Feinstein for another couple of years. Both need to be pensioned off (they'll probably find a good berth in a lobbying company or similar). Boxers replacement may well be Kamela Harris who, if her track record is anything to go by, is just Feinstein Jr. Time for some fresh blood (and preferably not Republican fresh blood, with one or two notable exceptions they're total nutcases).
This draft is so broadly worded that it may apply to things such as ATM's, credit card and POS terminals. A judge may even interpret the law to include modern cars. Let's all imagine the evil money we could make by disabling or causing cars to crash on a major interchange during rush hour if large sums of money aren't deposited to a certain overseas bank account. The beauty is that once the back door is found for the cars, we could run the ransom routine all over the world many times before the car models that have been compromised could be updated. Even that wouldn't help since the method to break into the vehicles would be known and the next hack gets easier since we'd know what to look for and where.
Compromising security is wrong on a fundamental level. If the US mandates it, Britain, France and the rest of the EU will shortly follow (or the US will impose sanctions just like they do with the reporting of US citizens that have bank accounts with overseas banks. If they don't report the accounts, they get taxed on US transactions.) At least China and North Korea will love it. It will make espionage much easier for them.
You are forgetting an even scarier outcome ........
After the unlovely events you describe come to pass, a cowered and whipped populace will soon be eager for even more restrictive legislation. Instead of a golden age through technology (where the benefits can be shared and used by all), the existing kleptocracy will simply use it to keep everyone beaten down as they grab more and more power.
Lovely legacy to leave for our children,.... isn't it?
Why these fear mongerors continue to be allowed oxygen is beyond me.
yeah, except the thieving coniving predatory persons in the ruling group that illegal steal our privacy and sell it to who knows who - and then allow wallstreet thieves to crash the economy and pay what? pay a small percent of their take!
oh they hypocrisy... The law for decades threatened americans with treasonous punishment for shipping encryption overseas. Now the dummies like censormaster Feinstein (BDS UCB) who also want to limit freedom of expression and speech, want to punish us for using strong encryption - you know, like the kind they actually have overseas.
i love the part that says "All providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders."
THIS IS NOTHING SHORT OF A TRAP AND A SHAM OF A TRAP AT THAT.
Could mean just that or perhaps that I am taking a bomb to bomb the queen.
There was similar with ww2 giving the information about dday to the french... all that is needed is both sides to know what you really mean. Terrorists are not as thick as the rule makers but the rule makers have big egos and never admit how stupid they are
But then you have the issue of First Contact. How do you pass the code to the other side without it being intercepted? Indeed, how can Alice know Bob is really Bob and not Mallory or in this case Gene if they've never met before and there's always the chance Trent's been doubled? Not to mention custom codes like this tend to have a limited vocabulary, much like good stego. You can only convey so much information, and it's hard to "wing it" and convey an arbitrary change of plans without giving yourself away.
Biting the hand that feeds IT © 1998–2019