Flogging a Dead Horse?
Or just a throwaway speech tailored to his audience?
The deputy US Attorney General said he wants legislators to force technology companies to decrypt people's private conversations. Rod Rosenstein on Wednesday told a crowd of over 600 police officers that software developers should be required by law to unscrambled end-to-end encrypted chatter on demand – and if the engineers …
Probably they're going to try again to get public support for it now that Trump is president. He was on record as against Apple during their battle with the FBI so they'll have his support. The problem is that the public is still at best split on this issue - and Trump's low popularity isn't going to help him win any converts beyond his base.
Fortunately congress can't get anything done, and the stuff they MUST get done will take priority over arguing about stuff like this, so we don't have to worry about any laws of the type of Rosenstein wants happening.
You're probably right that Trump won't see it as a cause worth his time, but that won't stop the FBI from trying once again to mandate encryption backdoors. They've been pushing this in one form or another since Clipper back in the 90s, even though the genie has been out of the bottle so long he has grandkids.
@Big John
Trump has a big ego and only big causes will energize him, such as Immigration, Taxes, Health Care and the like.
HELLO!!!
Terrorists!
Wasn't it his first Executive Order to persecute Muslims as all his followers consider them a terrorist risk that needs controlled and monitored?
if you flog it enough, it becomes *UNDEAD*
http://tvtropes.org/pmwiki/pmwiki.php/Main/UndeadHorseTrope
Anyway, Rosenstein's "audience" is more like "the D.C. Establishment" as he's one of THEM...
Don't these numbskulls understand that if you FORCE A BACK DOOR like that, you render the encryption WORTHLESS©®¶™? And then EVERYBODY will download some foreign entity's encryption, and/or use PGP, and/or use an algorithm OF THEIR OWN DESIGN [me], which would render this worthless argument into complete irrelevance.
Or, like 'gun control', if it's not "hitting the target by aiming properly" it's making sure that law abiding citizens cannot DEFEND THEMSELVES [because ONLY the criminals will have them].
So if we ONLY want terrorists and criminals to be the ones with proper encryption, then going THAT DIRECTION will ENSURE IT.
It's funny; US conservatives often deride gun control by saying "criminals don't obey laws, so if we ban guns then only criminals will have them."
The same logic applies to banning (or back-dooring) encryption. The sheeple will use the security-neutered comms to send cat pics to mom, and ISIS / the mafia / etc. will use something like PGP.
TLAs will gain access to mountains of "where you at" messages, pictures of food, and other useless data. Meanwhile, the thugs will continue their thuggy business unabated...with the added benefit of not getting their bank accounts hacked, because now they're the only ones who have secure comms.
I'm sure they already do, with well managed
I doubt it. Too many of them are incompetent dumbasses
It's funny; US conservatives often deride gun control by saying "criminals don't obey laws, so if we ban guns then only criminals will have them."
The same logic applies to banning (or back-dooring) encryption. The sheeple will use the security-neutered comms to send cat pics to mom, and ISIS / the mafia / etc. will use something like PGP
But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' and allows TLAs to concentrate resources on looking out for opsec fuckups or meta-data so ISIS will need to cut over to using lame-o encryption on their seecrit comms steggoed into cat videos
Video for cats -->
"But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' "
But if it's "properly encrypted" then it's not going to help...Disguising sources on the internet is easy via TOR / VPN / Proxy etc etc.
"
But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest'
"
Not if the properly encrypted messages are sent over a connection that has compromised encryption. In that case the FBI et al will have to decrypt all the weakly-encrypted traffic in order to find out who is using "proper" encryption, which is not practical.
"then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' "
That argument doesn't quite work. You can detect well-encrypted message bodies by measuring their degree of randomness (and then checking that they aren't simply well-compressed, which also makes them look random). But detecting by looking at the ciphertext that they've been encrypted with a back door is a completely different, i.e. impossible, problem. So in practice they will have to pick a message for analysis based on its metadata or on the sender or receiver's profile, and only then will they find out whether it has a back door. Of course, if it's suspect based on metadata, it may become a bit more suspect if there's no back door, but that doesn't have evidentiary value. Not that actual evidence seems to mean a lot to these spooks.
Oops, better be AC for this one... although I wonder whether that helps... who's that knocking at the door?
"But detecting by looking at the ciphertext that they've been encrypted with a back door is a completely different, i.e. impossible, problem."
I don't believe it is. If you can identify the application / traffic type then presumably you could test it against a known backdoor key and see if the output makes sense / is non random. Or even testing it against a whole suite of keys wouldn't be hard baring in mind the CPU power these guys have leverage.
You could also make "authorised" backdoored encrypted traffic in some way distinctive. After all if you are forcing a backdoor then presumably you can force whatever else you want as part of the package.
Then the use case here is if you know it's encrypted in a "non authorised manner" and the source or destination is something that you have / can compromise then with a bit of extra effort you can still go take a look what is inside it. We already know the security services had exploits for most OS, VPNs, network hardware, etc, etc for many years. And worked by compromising and exploiting internal networks to get access for things they couldn't otherwise crack. I would imagine that they have already replaced all the exploits that were previously stolen and released with new ones.
I wouldn't be surprised if they have exploits in things like imessage, WhatsApp, etc. etc too. They are not going to admit it if they do. In that case they can potentially monitor you just by sending a message or even a packet....
And don't forget there are known security flaws in many of these apps anyway that a well resourced adversary could attack. For instance https://www.scmagazineuk.com/ss7-vulnerability-defeats-whatsapp-encryption-researchers-claim/article/530945/ and http://bgr.com/2017/01/13/whatsapp-encryption-broken-key-generated-nsa-oh-no/
"TLAs will gain access to mountains of "where you at" messages, pictures of food, and other useless data."
Google, Whatsapp, Facebook et al all leverage that 'useless' data to generate cash. Presumably the TLAs & gov can and will do exactly the same - much like our allegedly confidential NHS records here in the UK.
My money's on maths
"The laws of mathematics are very commendable but the only laws that applies in Australia is the law of Australia."
Good quality encryption is already in the public domain (eg OpenPGP ) and any attempt to insert a backdoor is very unlikely to succeed when the source is publicly available.
For people who REALLY want to keep information secret - it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file then use ccrypt to encrypt the Zip file then use OpenPGP to encrypt the output from ccrypt.). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.
That level of pain is normal here, and yes I'm serious. I've been tasered and that didn't work out so well for the cops. Hardest part was pulling out the hooks. The shock did nothing. They decided that talking me out of one of my rambles was better idea.
The real problem for law enforcement is that it's only companies that they have a real bit of leverage on. I'm now a private citizen and unless they figure out some way of banning encryption entirely, there are probably close to a myriad of ways we citizens can short-circuit their monitoring. Save for the point to point metadata, and some of that can be scrambled too, the content is a mystery.
They've been told and told that only by leveraging the end-point (hacking the devices on each end) will they be able to gain access to the content. And that's dead on*. Anything else is a pipe dream and as I recall, AG Sessions has a thing about people that smoke drugs.
* - In the military I worked professionally in a dozen fields of engineering, half that in analysis (including intelligence), had a nuclear security clearance, and used to fix NSA gear when it broke and the cryppies couldn't fix it. [Real easy to troubleshoot if you know what should be looking for in-circuit.] Also a computer scientist, statistician, econometrician and a bunch of other applied math stuff. The point of this footnote is that there isn't a damn thing in the world preventing me from literally encrypting the world+dog, should I choose to do so. The hardest part is killing side-channel attacks. And then, share the results. Short of locking me up forever which will have to be solitary since there's stuff they don't want me to talk about. Ever. And I'm far from the only one with these distinct libertarian/anti-authoritarian impulses.
Those dumbkopff at teh upepr levels of NSA/GCHQ/MI5/MI6/CSE/CSIS, etc can't do toodle SQUAT
when I can write an OPEN SOURCE text and video messaging app that works on MULTIPLE OSes
and web browsers which can encrypt data to and from almost ANY application!
I can design and code Triple AES-256, Elliptic Curve and Quantum Computing Shor's
resistant encryption algorithms EVERYWHERE in almost ANY application!
And of course I will GIVE IT AWAY COMPLETELY FREE AND OPEN SOURCE !!!
and there is NOTHING they can do about it! BECAUSE...I'm ONE of those people
who simply IGNORESTHE LAW if I find it to be stooopid and/or outrageously illegal
and/or immoral! I JUST IGNORE IT AND SEND MY SOFTWARE OUT ANYWAYS!
NOT A THING THEY CAN DO ABOUT IT AS I keep dead hand switches active
EVERYWHERE in the world!
"or people who REALLY want to keep information secret - it is possible to use multiple encryption programs in series "
That's why I double encrypt everything with ROT-13 when I want to make sure it stays secret. ;-)
Dave
P.S. I'm waiting for an intelligent genius to develop an encryption routine which, when the data is decrypted with one key, produces the secret text, but, when decrypted with an alternate key, produces a grocery list.
"
P.S. I'm waiting for an intelligent genius to develop an encryption routine which, when the data is decrypted with one key, produces the secret text, but, when decrypted with an alternate key, produces a grocery list.
"
It's been done.
Search "TrueCrypt" (or VeraCrypt") and "hidden container"
There are deniable encryption systems that come close, but they have strong usage constraints that make them not super practical for day to day use. Generally they let you selectively decrypt portions of the data without revealing how many portions are still encrypted. This only helps you if the cops aren't sure what you have, of course -- if they have other evidence you have a specific piece of info, they can just keep you in jail on contempt charges until you cough up the passphrase for it.
> it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file then use ccrypt to encrypt the Zip file then use OpenPGP to encrypt the output from ccrypt.). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.
Also your idea whilst stopping attacks on specific ciphers does bit assist when said TLA compromises your RNG.
A new bill was just introduced into Congress to repeal the law of gravity. "After all," stated a congressional spokesperson, "it's a LAW, so Congress has the power to repeal it, at least in the U.S. With gravity under our control, it will be much more economical to explore space since the rockets won't need as much fuel to take off. We're also looking into making both pi and e equal to 3.0 to simplify mathematics for our children and bring up STEM scores."
Privacy is a constitutional right, just not an explicitly listed one. It underlies decisions like Rowe vs. Wade that tend to piss a lot of people off when they discover the government can't compel behaviors they don't like.
While making it an explicit right wouldn't change much legally, it would sure do a lot for the whiners that want the government to run our lives.
" It underlies decisions like Rowe vs. Wade that tend to piss a lot of people off when they discover the government can't compel behaviors they don't like."
unless it's the OBAKA-CARE INDIVIDUAL MANDATE (according to the Supreme Court, anyway)
/me still waiting for THAT @#$%-ing thing to GO THE @#$% AWAY and I will _CONTINUE_ to _VIOLATE_ that "law" until it does... because it's a "hardship"
A situation the British can only dream of.
UK police forces have been doing this for a decade, despite no apparent formal request to set it up in the first place, and absolutely no government or local authority oversight.
The police in the UK have been told holding mug shots and DNA info on ordinary citizens is illegal and they should destory what they have and not collect any more. Guess what they're doing? Exactly as they dam well please and we don't have an one with the nerve to hold the police to account for breaking the law.
According to the law, usage of the backdoor would be only permitted by law enforcement. Also to guarantee the well known concept of "security by obscurity", backdoored software would be classified as "munitions" and made illegal to export to other countries. Practically, usage and specific knowledge of backdoors would be limited only to cases vital to national security and not made available to local agencies to access people's phones without securing warrants- ok, yeah I can't keep going.
> backdoored software would be classified as "munitions" and made illegal to export to other countries
Encryption software or any encryption device is already classified as munition in the US, and it has been so for a very long time, at least since WWII.
Currently, any encryption algorithm using a key, or key pair, wider than 1024 bits falls under ITAR, and is considered munition. It cannot be exported to any country without prior permission from the US Department Of Commerce - Bureau of Industry and Security.
Just because an encryption algorithm is open source - that is, the source code is publicly available, it does not mean that the software is not subject to EAR export restrictions.
This is a relaxation of the rules that have existed since WWII. Before 1997, any encryption software or device was considered munition, regardless of key length.
"Currently, any encryption algorithm using a key, or key pair, wider than 1024 bits falls under ITAR, and is considered munition. It cannot be exported to any country without prior permission from the US Department Of Commerce - Bureau of Industry and Security."
I'm sorry, but after reviewing your link, I'm just not able to confirm your assertion. It seems to even directly contradict it:
"There is no "unexportable" level of encryption under license exception ENC. Most encryption products can be exported to most destinations under license exception ENC, once the exporter has complied with applicable reporting and classification requirements."
> I'm just not able to confirm your assertion. It seems to even directly contradict
Nope it does not contradict any of it:
Federal Register - BIS EAR - Encryption Export Control Regulations.
There are plenty of details about key length restrictions for export control.
You quoted the relevant sentence yourself:
Most encryption products can be exported to most destinations under license exception ENC, once the exporter has complied with applicable reporting and classification requirements
If you really want to learn about US crypto export control details, you need to spend a lot of time reading the Federal Register, because these regulations are spread around many documents.
>This is a relaxation of the rules that have existed since WWII. Before 1997, any encryption software or device was considered munition, regardless of key length.
Which is why no one outside of the US used DES and instead purchased encryption software typically developed in Israel. Also the open source community quickly got wise and ensured relevant projects were led by non-US nationals and hosted by non-US providers on servers physically located outside the US.
It's not his permission you have to worry about, but his fingers, to be sure he never had a hand, overt or covert, in the design such that you can be certain he didn't insert a backdoor. After all, consider the data center in Utah. What's to say it isn't secretly concealing a black-project quantum computer?
backdoored software would be classified as "munitions" and made illegal to export to other countries.
Of course, The US has no qualms about selling munitions to friendly countries and allies, Like say, Their old allies in the Middle East: Iran, Iraq, and the Taliban.
Sure came in handy later when we were fighting in the Middle East with... Iran, Iraq, and the Taliban? Uh, wait, hold on...
1st. Can they even enforce this when the devices ship from China and I am sure it would not be hard to move the systems that compile the code off shore thus the product is never exported.
2nd. I'll use this the second the USA confirms that all government agencies including the military use the same encryption for all their communications!
I think they could enforce it if they wanted to badly enough. We already know the NSA intercepts and backdoors routers being shipped to some countries. The amount of manpower required to do it in the other direction for cell phones would be steep, though. It would probably be easier to slip a backdoor in at the source, without the manufacturers knowledge.
Would this actually happen? Probably not, not for feasibility reasons, but for political ones. The NSA and the other three-letter agencies are rivals and they don't like to share. They're especially not keen on having their methods revealed in court, which tends to deter them from participating in criminal cases.
"I think they could enforce it if they wanted to badly enough. We already know the NSA intercepts and backdoors routers being shipped to some countries."
You're still thinking in the US box. There's a whole lot of other countries out here. Some of them have quite nice climates where CxOs will be happy to live, quite amenable financial regimes and others have cheap manufacturing locations. OK, the NSA can make those intercepts when the goods are being shipped to one country - the US but the rest of us won't worry.
Do it the old fashion way, shut up, figure it out and don't tell anyone you can get in. Why are there so many idiots in positions of power.
Of course it is possible some of them have figured it out and then they let the idiots provide a smoke screen to make it look like they can't get in, but now I am starting to assume what you see is not what you get and that is usually wrong.
After a terrorist attack, obtaining stored electronic information is an effective and necessary law enforcement technique.
Yeah, who needs a crime to start investigations? Just start suspecting everyone!
Fortunately, the US Supreme Court would almost certain to slap down anything like this and the DoJ know it. So, it's the usual kind of posturing.
.. so let's ensure that the not-so-esteemed deputy AG is stripped of all crypto. He should not be able to set a password other than "1234" and "password", and must be mandated to access his bank only online.
If he objects, well, he's only exposed to the natural consequences of what he proposes so why the protests?
Bloody idiot.
The Reg readership doesn't need to have it explained why Rosenstein is talking complete drivel, but you do have to wonder why politicians, political appointees and even moderately smart guys like the late not-much-lamented Comey simply *will not* understand that the backdoors idea cannot work, will have no effect on the Black Hats it's supposed to be targeting and will render everyone less safe. Even the kind of intellectual pond life infesting DC are surely capable of understanding that π is not 3.000. It will never be 3.000. No amount of political gobshittery from a mouth-on-a-stick will make it become 3.000. The laws of math trump those of men and that's all there is to it.
Then again, perhaps I overestimate them. Maybe their stupidity should be diverted into a more harmless route: leveraged, in a word, rather than us simply banging our foreheads in frustration.
So someone please tell these nincompoops that the problem is prime numbers. Get Trump to twat something presidential like "Primes unamerikan. Helping nookoolar tursts. Bad!" Congress obviously must set itself to pass a law to make it easier to perform prime factorisation on large numbers. It's scandalous that this has been overlooked for so long. Give them a mountain of paper and as many pencils as they like (there's always some attrition, as Representatives in particular keep sticking them in their ears and noses) and leave them to secure the nation and make America great again. Should keep them from causing trouble elsewhere for years at least.
"but you do have to wonder why politicians, political appointees and even moderately smart guys like the late not-much-lamented Comey simply *will not* understand that the backdoors idea cannot work, will have no effect on the Black Hats it's supposed to be targeting and will render everyone less safe"
The answer is very simple: They don't actually care about security and locking up bad guys, they just want access to all your data 24x7. Given that the motivation is clearly not security, and the folks talking this shite are pole climbers by definition, I believe we can safely conclude that they want this stuff because it will give them a massive edge over the proles in terms of insider trading, blackmail, extortion and evading justice. I am not even sure why they are trying to justify this crap to the television cameras, it's not as if the voters have a choice in the matter.
IANAL but I have a question:... if they demand your password, and you give it to them, and it still doesn't work (perhaps, just perhaps, they are using the wrong program to decrypt it....), are you obliged to tell them?
And how do they prove you gave them the wrong password then?
Or do they require you to do the decrypting?
Isn't that where the whole "self incriminating" thing kicks in?
All your secrets are belong to us.
In the US that question is so far up in the air, in my understanding.
On the one hand there have been rulings that held that police can compel you to unlock your phone with a fingerprint, but can't compel you to give your PIN.
On the other hand, there's currently a guy who's been held in prison for two years on contempt of court charges, because he won't give the password to unlock an encrypted drive that's believed to contain child porn.
I say we let them have their backdoors. But like any good technology, first it must be proven to work. So before the law forces world+dog to use it, first anyone who voted for, signed a dotted line, supported, etc. the backdoor is required to be a part of the Proof of Concept phase wherein all of their phones, bank accounts, emails, etc. are now all replaced with backdoored equivalents. Anyone else who wants to support this can also opt-in to this trial. And this trial must occur for no less than six months prior to forcing it upon everyone else. And there is no opting out or cancelling. You supported it, then are locked in to the trial to the end.
I figure just one week of that and random and sundry hackers of the world will have pwned them to hell and back and generally stolen all their money, pillaged their identity, ruined their lives, and badmouthed their dog enough to prove even to people as mentally deficient as these idiots just why exactly mandatory backdoored encryption is such a bad idea. LOL The remaining five months and three weeks or so is just me laughing endlessly.
Same old crap. Hopefully it fizzles again once people, who know wtf they're talking about, school these misguided legislators how futile this kind of legislation would be.
Goes something like:
1) Pass laws in US requiting back-doors to encryption
2) Users\Companies stop using those products\protocols and opt for some foreign-made product that does not adhere to US laws
3) US tech loses market share.
Also, can't make a law that will compel people to use back-doored tech
Sure you can. Just require the use of it if you want lucrative government (some run in the BEEELIONS) contracts, many of which can be make-or-break-ers for companies. Think about it. ALL states set their alcohol minimum ages to 21 (IN SPITE of the age being determined by the states in the years following the 21st Amendment) because setting any lower means no federal highway funds for you (BY LAW). Same tactic.
"Just require the use of it if you want lucrative government (some run in the BEEELIONS) contracts, many of which can be make-or-break-ers for companies."
No problem. The US has a rump tech industry that sells to the US govt The rest of the world uses non-US products from firms that either left the US or started elsewhere in the first place. If that leaves the US floundering with its downsized tech industry why should the rest of us care?