US government pushing again on encryption bypass Just a few weeks after the US government effectively conceded defeat in its efforts to force tech companies to introduce backdoors into their software, the issue is being pulled back onto the table. Both FBI director James Comey and deputy CTO Ed Felten have reopened discussions: Comey stating that tech companies like Apple …
> ... public concern over both has led for calls to limit the degree of privacy afforded all users of mobile phones.
I don't see any evidence that "public concern" has anything to do with it.
All these calls are coming from government agencies and the media are jumping all over it to beat the politicians with it on both sides of the debate.
I don't think the average Joe or Jemima gives a shit.
I think they're hard at work to drum up some "public concern" in this manner to hide the fact that there is actual public concern about the fact that the last few batches of perpetrators were already well known to the various services and agencies out there, yet no prevention took place.
I can well imagine they urgently need a distraction, but I fear it may not work, certainly not with the whole backdoor crypto idea. That concept is only considered still alive by the utterly clueless.
They had flagged various pieces of information about these people before, but hadn't put it together because they have flagged so much information about so many people it is impossible to correlate it all or follow up on it all.
The spy services think "if you just give us access to more stuff, we can prevent incidents" but this demonstrates there is already too much data. They aren't able to drink water fast enough to keep up with a garden hose, so their solution is to replace it with a fire hose.
"prevent incidents"
It's not about preventing incidents, although I'm sure many involved think it is. It's about spotting patterns after the fact to create future lists of suspects that can be rounded up as they meet certain criteria that the security services/government of the day deem undesirable. Today it's anyone supporting an Islamic State in the Middle East, tomorrow it's a desire for a republic, the day after it's journalists criticising the government.
" ... the day after it's journalists criticising the government"
This is already happening:
Suicidal terrorists are pretty much impossible to stop. Far worse than people being killed is catching the government with its pants down. Journalists and people like Mitnick and Snowden are the real targets. People who embarrass the government. Finding those people with end to end encryption in place is hard and leaves a huge paper trail of warrants.
"They had flagged various pieces of information about these people before, but hadn't put it together"
They have zero interest in "putting everything together" - I mean I'm sure they'd love it to have pre-digested pre-crime warnings but as things are they don't even try; they're not interested in drinking from the garden hose, what they want instead is no faucet to exist that they can't open instantly any time they feel like it...
AC - Exactly right. Either the cell is so small as to be very difficult to find and monitor or they are relatively well known. The San Bernardino tragedy was planned and executed by a husband and wife team probably with some help from his family. The only way they would caught the attention of and get the donut-eaters to move would be someone to make a credible enough report. Otherwise the planning was done in person.
Well, it's pretty simple to implement - the Government publishes its public key and whenever you create a symmetric key for bulk data encryption, you have to encrypt it with Big Brother's public key and include it in your network comms or data BLOB.
Pretty sure that a law would force enough banks and big orgs to implement it. So your cloud data would "not get stored correctly" and your webbrowser would "not experience good network connectivity" if you tried to bypass it.
Encryption in general maybe not - a fully encrypted phone is virtually impossible with the manufacturers cooperation.
The guys at XDAdevs might - just might - be able to maintain android encryption in the face of google dropping it but that's hardly going to help the average joe or iPhone owners.
The guys at XDAdevs might - just might - be able to maintain android encryption
This is not the encryption you are looking for and not the encryption he is trying to discuss this time.
This time it is Blackberry, Telegram and the like - end-to-end encrypted services. That is something he can actually negotiate with the valley not to offer. The issue however is, that if the valley does not offer it, someone else will. The valley also cannot do a hell of a lot about weakening it either.
iMessage is encrypted end to end, as is WhatsApp. So these big companies are offering this stuff, not just Blackberry and whatever the heck Telegram is.
If they passed a law that prevented this sort of thing it would be offered via apps from somewhere outside the US. The only question is whether Apple, Google and Facebook would relocate their headquarters so as to continue being the ones offering these apps instead of letting someone else eat their lunch. I hope they would - it would serve morons like Comey right!
"If they passed a law that prevented this sort of thing it would be offered via apps from somewhere outside the US."
That boat's sailed already. Telegram is from Germany and the owners are Russian, I think, so even if Germany joined in the idiocy they'd just move on somewhere else.
Unless Telegram was designed by the NSA to use subtly flawed encryption and the Russian ownership is just a front to ensnare the terrorists! If it isn't, the CIA should plant rumors to that effect so the terrorists never know for sure what's safe to use.
Encryption is hard to get right, even mega companies who can afford best in field experts like Google and Apple don't get things exactly right every time. What chance does the loner or tiny company creating the apps the terrorists might use? Maybe the spooks just want to create enough bluster to scare terrorists off iMessage and WhatsApp "just in case" the government is forcing secret back doors on them, knowing that odds are good whatever terrorists end up landing on will be have multiple flaws they can work with. The ones that don't they can FUD out of use by starting rumors it is a CIA front.
Encryption is hard to get right, even mega companies who can afford best in field experts like Google and Apple don't get things exactly right every time.
There are various open source libraries which provide encryption. You must make correct use of them, and you rely on them being implemented correctly, they generally make it simple to get "right" (for some value of "right").
If the library is compromised, you are screwed, although this doesn't happen often as is generally fixed quickly (many eyes and all that). Also, if you use it incorrectly (https://xkcd.com/1286/) you have problems. So you obviously need some clue as to what you are doing, but the job is made at least an order of magnitude easier...
They can't keep themselves away from this.
Despite the complete lack of evidence that encryption was used in this attack-de-jour
Despite the fact you don't find a needle in a haystack by getting in more haystacks.
When you keep hearing this same refrain when the logic says it's b**llocks you know it's not something outside the people asking.
It's something inside their heads.
It's something inside their heads.
Bingo. It's the belief, common to all politicians and spy agencies, that anything that happens that they're not able to snoop represents a threat. It's the Total Information Awareness concept (remember that?), writ large. Why, if we can only see and intercept absolutely everything, then we can stop all crime/terror/radicalism/wrongthinking!
Fundamentally, they don't trust people. The assumption is that people, left to their own devices, will do bad stuff.
And so they continue with their pervasive snooping. At the risk of sounding like a tinfoil hatter - treasure the privacy of your own thoughts, while you can.
The assumption is that people, left to their own devices, will do bad stuff.
Bad people make Bad Assumptions - reason is: I cannot read thoughts so if I want to guess* what the other person is up to, I am really thinking "What would I do with this?", so, if one happens to be a thieving, lying, authoritarian piece of shit - which would drone your one's mother for the life insurance - Of Course Everyone Else is up to the same Shit - If we don't get them first!
It's a mirror; politicians and security people think they see us, but they only see a reflection of themselves!
*) The other way is to observe what the other person in fact does - hypothesis based on evidence and stuff, how old.
@John Smith 19
Right! Have an upvote. Except instead of "It's something inside their heads," I'd say "It's something missing from inside their heads." Like intelligence enough to understand anything about encryption.
The media and politicians are talking out their collective asses.
This comes from the usual "DO SOMETHING!" attitude when something bad happens. Everyone screams at the government to "DO SOMETHING" to fix it. But nobody in or out of government actually knows HOW to fix all the problems. Hence all this "crypto backdoor" and other crap in government. They do it because, to those without understanding of the issues, which means 90+% of the population, it gives the appearance that they are actually DOING SOMETHING to fix the world's problems. That's why you hear the same, tired crap over and over in the same pointless debates that occur every time something bad happens.
"Outlaw this! Mandate that! And then everything will be set right in 3 easy steps! Right?
Bollocks!
There's also the alternative, everyone is screaming "DO SOMETHING!" at the government so the government, knowing they can't actually do much which will show results quickly, turns to an easy scape goat to pin the blame on. "We can't do anything if they encrypt things! It's their fault really!" etc
For the more Management-oriented, you could even think of it as a SMART (Specific Measurable Achievable Realistic Timely) solution, i.e. the holy grail of targets.
We, the technical community, should agree to adapt our products to suit a solution they provide, within one month of it being found to meet criteria we will set.
To start with:
* It must be possible to decrypt the data in a timely fashion (i.e. without brute-forcing it) at a properly warranted request of a Government agency.
* End-to-end encryption must remain possible
* It can be proven that it is impossible to copy or otherwise disseminate the data once decrypted
* Warrants can be proven to be legal in both the localities where they were created and where they are effected
* Warrants applied to the data can be audited
* Data outwith the warrant should be utterly impossible to decrypt without obtaining a further warrant
* Foreign governments should be able to decrypt the data with a common warrant structure.
* The breadth and rate of warrants should be limited for a certain dataset to prevent the government simply warranting all of it everywhere and decrypting the lot
* It must be possible to highlight when data has been decrypted/viewed and what data was encrypted/viewed
* All of the above must be part of the encryption algorithm itself; these controls cannot be baked into an application, they have to be part of the mathematical theorem that forms the basis of the encryption algorithm, and any removal of these safeguards should change the output so that there can be no other method of decryption
* It must not bias towards one country or region
* It must not rely on stored (or even known) keys
* It must not work any slower than current algorithms
* It must be implemented so that if it is ever broken the people pushing for it at the moment (individuals as well as agencies) are imprisoned and/or face execution (depending on jurisdictional maximum sentences).
* Research efforts towards this must be funded lavishly
And some representatives of the tech industry should be held to this in a court of law. And shortly after unicorn/pig hybrids fly over a frozen Hell the security services figure out how to meet these criteria and we can start worrying about how to implement it.
Now we see why it is being talked about. Some big government contractor like MITRE or Raytheon will get a huge contract to develop this solution, and after multiple extensions and huge cost overruns they'll say "it can't be done". But not before the sponsoring legislators retire from Congress and get cushy board jobs paying $500K for 10 hours of work a month.
(original AC) Yep, absolutely. 100% correct. Get the government to keep chucking money at Crypto, get them to keep pushing for this utterly unattainable Holy Grail. Someone mentioned nuclear launch codes below- this (and banking data etc) should be the grade of information we could distribute freely with this encryption, happy that the government(s) can decrypt it but no-one else can by the time they're done
That way, we have Raytheon, Lockheed, Boeing, a bunch of universities, and many others- all of them pushing to continue the hunt. To make the 'perfect' crypto. And much like warfare, they'll keep it going and going and going, constantly allllllllllllmost managing the perfect crypto- enough to warrant keeping the research funded but not enough to end the project and their funding.
And of course every nation should push for it, so those companies get paid multiple times for the same work.
When someone does end funding, they'll have half the world's defence industry declaring that government 'terrorist sympathisers', and then the funding will restart. So the Governments of the world are seen as doing something AND gets the support of the technical community for doing The Right Thing, we get stacks of lobbyists on our side for once helping to ensure we never have to do anything because the contractors will never actually produce a product.
In the meantime, it goes without saying that we continue using the strongest crypto possible so as to protect our personal and corporate data from terrorists, paedophiles and other undesirables.
Warrants? Legal speak it all you want. It still boils down to either they encryption is secure or it's insecure. If it's insecure, I don't want it.
Backdoored or weak encryption is useless in the real world. It leave everyone open to Identity Theft, Band Fraud, and CC Fraud. And that's at a minimum. Those threats are more prevalent than a terrorist attack. Take out the miscreants who engage in this activity and when there's no more of this happening, we'll re-think encryption.
You're proposals sound like they came out of Feinstein's mouth. "Pass a law and no one will every break it. Use a warrant and only we can get the information." Bullshit. Look into the tech and the maths of encryption.
Indiana showed the way to sort this a long time ago, but chickened out. If the mathematics makes it impossible to do what you want, just pass a law changing the mathematics. If you make Pi equal to three, the equations get much simpler.
Can someone suggest this to the Republicans? I'm sure at least some of their presidential candidates will be eager to endorse it.
OK so its ALL about Encryption nothing about the fact that Guns in the USA are easier to find than a Bus load of radicalised Jihaddis in Raqqah.
I would agree to a backdoor to the data when.
1) the government can be trusted. (any country who will have access to the data)
2) the number of Guns in the USA is less than the number of guns in Shetland.
3) someone tells us who shot JFK.
I'm well aware of the relevance of the Second Amendment to encryption and to the core issue of trust in governments. I believe that Jefferson and others would readily agree. Their is also being secure in one's papers and effects which definitely has extreme relevance though and Comey and Company haven't addressed.
Which nation's warrants applied to which devices where Mr. Comey?
Probably hopes no other nation, save perhaps 5-Eyes will demand, and receive, such access.
I like to think it would not be practical to legislate into being some kind of 'private key register', and require CAs to obtain both public and private keys to issue certs, and manufacturers to lodge their software signers for safekeeping, records, or whatever makes it sound nice.
This is totally non-tech but would need to be applied globally to work. It could see some unlikely bed partners. I'm not sure if I should be worried.
So all criminal and terrorist organisations, and all "rogue" states will immediately try to get hold of that register.
Once any of them do, every related encryption is broken, forever and ever, past and future.
It would be the literal end of the Internet and mobile telephony.
And they will definitely get hold of it eventually. Some of these are people who would be willing to torture a keyholder to death in order to get access to this type of register.
That is why it is a fundamentally stupid idea.
For all it's faults, that little clause in the TPP allowing foreign companies to sue the government for passing laws which impacts their bottom line looks like it might actually be useful in this case.
Blackberry, being Canadian, could be the first off the block with their sueball if this goes ahead. The perhaps Apple and Google's Irish tax havens could follow suit, once the appropriate paperwork shuffle to make them the acting Glabal HQ of said companies gets pushed through.
Maybe the same folks that brought you WMD, PBSuccess in Guatemala overthrew the democratically elected leader of Guatemala Jacob Arbenz and installed right wing military dictators , overthrew Goulart in Brazil and installed General Branco in Chile and even trained his death squads, smuggled Klaus Barbie out of Europe, armed Saddam Hussein...
And that's just the short list.
I think we should give the NSA FBI and everybody who wants it the backdoors they can't live without. BUT we also pay All FBI/NSA etc staff digitally and publish their bank accounts details, Pension account details, phone numbers etc. After all they are still secure right? no one who is from the dark side is going to find those back doors so their money will be safe right?
It's sad and terrifying that there are 4 mass shootings every day in the USA . That's every bloody day. And the FBI wants to read text messages. No word on addressing the fact that the latest shooters had assault weapons and thousands of rounds of ammo.
The scary thing isn't how poorly elements of the US government understand technology. The scary thing is that this could really happen. You would imagine that they couldn't legislate holes in encryption and that they can't legislate on stuff that happens outside of the US but you'd be wrong. Look at the Foreign Corrupt Practices Act, look at the ongoing efforts to extract data from Irish datacentres without Irish judicial review.
Spending $1Trilllion on your millitary earns you the ability (not the right but who cares about that) to tell international law and common sense to take a running jump.
You can easily imagine a law which says that no US company can offer end-to-end encryption without at backdoor, on pain of massive fines and criminal liability for the bosses. It's not difficult to imagine them exending that to any company which does business in the US (defined as having a website reachable from there), enforced by either fining the hell out of any subsidiary of that foreign company in the US or by fining any financial institution which deals with the troublemaker and has an office in the US or by fining any CSP which connects to the troublemaker.
Sure GPG will still exist but you can go after the keyservers and you can require email relays to pass the NSA the metadata of any encrypted email. Basically you can make it bloody awkward to use (and it's hard enough already). That doesn't eliminate encryption entirely but it narrows your haystack down from 1 Billion Whatsapp users to 100k crypto nerds, 1k civil liberties campaigners and 2 terrorists.
Be sure to tune in next week when government demands a court order for mind reading. Its so inconvenient to Government's Good Works for God to have encrypted the human brain so that thoughts are beyond the access of a court order. Clearly Google and Apple could/should fix this oversight!
Many incriminating documents are on paper and can easily be destroyed with a crosscut shredder. Actually it would be better to ban paper. Or require all records on stone tablets.
I used to buy flash paper for magic tricks but the bookies used it for keeping track of their bets and dropped a cigarette into the pile of slips when raided. Poof! goes the evidence so now you have to make it yourself or pay a lot.
(Icon of flash paper.)
Why don't they just admit they really don't know what to do?
Subverting or banning encryption will do nothing - the "good guys" will be more at risk while the "bad guys" will find another way. It backfired thus far, producing damage to the US in numerous well-publicized ways, and will continue to backfire if pressed.
Rather than keep speaking the same trash and trying to push a "solution" they really know won't work, why not work together with industry leaders to come up with a better one?
Yes, it's really disappointing to see Felten - an important IT security researcher who's done great work tearing apart stupidly insecure voting machines, among other things - supporting this bullshit.
Though I do agree that there's an important conversation to be had here. It goes like this:
Spooks and other surveillance-monkeys: "Hey, let us undermine your encryption. It's for Your Own Good."
Citizens: "No."
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
