1234
For Donald's phone have they tried 1234 to get in ? There again maybe he can't count that high so maybe try 1212.
FBI Director Christopher Wray has picked up where he left off last year with a new call for backdoors in encryption exclusively for law enforcement. Speaking at the International Conference on Cyber Security in New York today, Wray complained that in the past year the Feds have seized 7,775 devices that they can't unlock and …
"That's the stupidest combination I ever heard in my life! It's the sort of thing an idiot would use on his luggage." - Dark Helmet
<later>
"That reminds me, I must change the combination on my luggage." - President Skroob
Hail Skroob! (and still a better alternative to the incumbent).
FTFY.
The rhetoric is always about protecting Joe Public from the menace of terrorists/drugdealers/moneylaunderers/paedophiles but the real agenda is always
"Give me six lines from an honest man and I'll find something with which to hang him."
Being able to do warrantless trawls through all the data the NSA has slurped has been real good for the FBI but it's a bit unfocused.
Data fetishism. It's not a sane policy. It's a personality disorder
they want to permanently compromise the privacy of around 200,000,000 of their fellow citizens
They've already done that through mass data collection of data in transit - and most of their fellow citizens seem fine with that. They want to build on that precedent while they (think they) can.
Has anyone tried to tell them that it's their own fault and that they were warned (by the very community that is so well represented here on El Reg).
If you break the public's trust and slurp all the data you can, expect people to get pissed off and take up measures to counteract it. It's human nature - or are they going to legislate against that next?
To get at those 8000 devices they want to permanently compromise the privacy of around 200,000,000 of their fellow citizens. Yeah right.
There's more people in the world than that.
Although I suppose over time the rest of the world would just move to non US backdoored encryption systems.
Good job all those terrorists people are so worried about aren't foreign.
If you haven't been paying attention, there is this thing called the official records Act. That is to say all work products and communication by Federal Employees must be retained and readable.
In the CFPA (I think that's the acronym) there's a group calling themselves Dumbledoor's ?sp? Army. Where they have downloaded encryption apps and what not. (You can find out more by googling.)
Those individuals should be terminated because by law everything they do should be review-able.
As to this... tell them to punt. They put a backdoor in... a year or two later, someone pilfers the NSA/CIA and poof, those hacks are out.
Not to mention with all of the news of the level of corruption within the DoJ and FBI... fuggitabout it.
Considering how little regard law enforcement and the executive branch (all branches) actually have for the fourth amendment hard to have much sympathy. Any backdoor would get abused in the name of the War On (insert flavor the times) even if requiring a warrant initially.
"And when criminals also figure out the back door"
that's always the only SANE conclusion anyone can come up with.
Not only that, but THE CRIMINALS will ALWAYS have their:
a) illegal encryption
b) illegal servers
c) illegal weapons
d) illegal whatever
because they, by definition, do NOT obey the laws that regular people are forced to live under.
Back door effect on fightingcrime: ***Z E R O ***
Back door effect on personal security: *** H U G E ***
say buh-bye to intarweb commerce if a back door evar becomes mandatory. That's like a universal skeleton key to every lock.
The 4th amendment explicitly allows the executive branch to help itself to your papers and effects, provided it gets the assent of the judicial branch first. We're not talking here about J Edgar'ing up internet traffic, we're talking about unlocking devices that have been physically seized by the Feds, but are locked down in such a way that they cannot reasonably exercise their constitutional rights.
Call me a heretic, but I don't see quite what the fuss is about. A backdoor that requires intrusive physical access to the hardware - would not compromise your constitutional rights.
So, what if a bad guy steals your phone? He's got physical access too.
Then that bad guy has (potential) access to your stuff, obviously. How is that different from him stealing your wallet?
The point is that in that scenario, you know your phone has been stolen, and from that point you should assume the clock is ticking, and it's only a matter of time before everything on it is available to whoever has it. You should take countermeasures. No different from cancelling your credit cards when you lose your wallet.
Not a heretic just completely missing the point of compromising encryption.
No, I understand that. But for a long time, every security advisor would have told you "when the enemy has physical access to your hardware, and unlimited time in which to operate - it's over. There is no defence from that position." As I see it, that's an inherent limitation in digital encryption, it's one I've always taken for granted.
Mind you, I also assume that if the NSA really wants to read the contents of my phone or hard drive, they can. Which is why I don't keep my plans for world domination on either of them. That's just common sense, IMO.
So...your position is that we should just trust the government to do what's right and legal?
No, my position is that the feds have a difficult job to do, and you should assume they will use every means to make it easier. That includes legal, technical and political means. If you don't give ground and meet them at some point, then they will press for more and more intrusive tools and rights, and they will get them, because politicians will see - correctly or not - that you are the ones who are being unreasonable.
If you don't give them an inch, they will take a mile.
"So, what if a bad guy steals your phone? He's got physical access too."
What happens if a bad guy steals your phone and the police collar him a little later and now they have your phone?
Let's say you are 17 (of any gender) and have some intimate photos of your 16yo girlfriend on the phone that you have encrypted so your mates or parents don't find them. Ever thought about a career as a registered sex offender?
Not a heretic just completely missing the point of compromising encryption. It’s all or nothing, there’s no intermediate point that will actually work to both allow entry to kaw enforcement whilst keeping out the crooks, that’s the whole point being made by the experts here and elsewhere.
The 4th amendment explicitly allows the executive branch to help itself to your papers and effects
Sure, but another amendment means that people cannot be compelled to provide passwords.
It's a side-show: want to catch crooks then do normal police work and following the money is a good way to start.
...We're not talking here about J Edgar'ing up internet traffic...
No, that's already being done by another agency...
https://en.wikipedia.org/wiki/Room_641A
Call me a heretic, but I don't see quite what the fuss is about. A backdoor that requires intrusive physical access to the hardware - would not compromise your constitutional rights.
So...your position is that we should just trust the government to do what's right and legal?
Yeah. That hasn't worked out so well in the past, has it?
I want a bullet that only hurts bad guys.
And that's the problem with this. Somebody will reverse engineer it or the police will leak the Sekret Key* or probably both. Insecure is insecure is insecure no matter HOW many people you trust with the key to your house.
Or to abuse another analogy, having slightly compromised encryption is like being slightly pregnant.
*It only takes ONE LEAK. There are MILLIONS OF POLICE. Do you trust all of them? And that's just the police.
Reverse engineer the secret key? Nah, nobody will have to do that. All they'll have to do is file a FOIA request and the DOJ will likely hand them the key. It will be redacted of course but done wrong, like this:
... Hush, don't tell anyone,the secret keyis "password12345"
veti wrote:
"
Call me a heretic, but I don't see quite what the fuss is about. A backdoor that requires intrusive physical access to the hardware - would not compromise your constitutional rights.
"
Not a heretic, you're someone just asking what is impossible to keep secure. This isn't just because of mathematics and the current state of the art, it's really because of human beings.
Anything like this would be broken in a few years or even matter of months IMHO. Even if it was cryptographically secure, for example a big RSA key, the public half being distributed to be contained in all encryption software, intended to save RSA encrypted packets (of encryption user encryption keys) with the public key, and the private counterpart known only to whatever government authority, some kind person (or perhaps one bribed with enough money / had his family threatened etc.) would surely leak that private component sooner or later. Then the scheme is completely useless.
Just like todays 1080 HDCP video content protection scheme now completely broken, which might as well not be there at all.
The master key was leaked, reversed, or got out somehow.
It would be EASY to implement something like a big RSA key in theory, at least for the foreseeable future. But it relies on human beings to keep it secure which would NEVER happen, or could never be trusted. Also such keys would be subject to the biggest attack in history I'm sure.
If any government wants such a scheme they should develop it, and first prove beyond all doubt to the world that it really is completely secure beyond question, Even if every bit of information was leaked out somehow. But if they could access the data, then so could someone else.
There lies the impossibility of it. I am sure if it wasn't and there was a way everyone, save for the bad guys would be in full support.
Any ideas ?
Remember they couldn't even secure their own systems with basic methods, and instead blamed people like Gary McKinnon for exposing that incompetency. Would anyone really trust them to be the gatekeeper for the whole country ? They shouldn't blame others such as the designers of crypto systems for something they clearly cannot do themselves.
The whole crypto community including the most eminent of mathematicians have told them it is not possible. They should perhaps think about believing them, at least for now.
Crypto Security is about information. Something you have (which then contains the required information), or something you know. In that case your brain contains the needed information. As secure as it gets with a properly designed system, at least for now.
"Call me a heretic, but I don't see quite what the fuss is about. A backdoor that requires intrusive physical access to the hardware - would not compromise your constitutional rights."
Let's say you are being detained by the police because you match the description of somebody that just assaulted somebody in the area. You are handcuffed, you pockets are emptied and you are sat in the police car or on the curb. Now the police have physical access to your phone since they are highly unlikely to let you hang on to it while they try to determine if you are the person they are looking for. Maybe they want to plug your phone into a little device they have that copies and decrypts the contents "just to verify that you are who you say your are".
Physical access to desktop computer or a server is much more difficult than a mobile device that, by it's very nature, is small and moves around a lot. Phones are also easily stolen since people set them on tables when they are sat down for lunch or a pint and look away since it's sooooo unstylish to have a belt pouch to put it in when wearing tight trousers. As a side note, I find it interesting that women that are on the top heavy side will sometimes store their phone front and center. Physical access to phones is not hard. I could write a crime novel with ways of grabbing phones of targets in all sorts of ways.
Veti, the assumed fiction of the US Constitution does't have a "they" (government). The government is "of the people, by the people, for the people". There is nothing in that concept that hands "rights" to FBI.
The lazy bastards need to go back to investigations 101 and get away from trolling for all of their evidence on electronic devices. I can only see data on an electronic device as absolutely required for Thought crimes. Every other sort of crimes has a transfer of wealth or a physical aspect to it.
There is no such thing as a perfect justice system and the founding fathers of the US understood that and built a framework that puts the onus on the government to develop a case against somebody that can hold up in court and has to done within a structure of rules. The other way around is someplace like Mexico where they have a national legal theory that boils down to "guilty until proven innocent". I feel it's better to error in favor of the citizen. A criminal isn't very likely to change their ways and is going to make a mistake that provides plenty of evidence against them.
It would be so easy to scoop people off of the street in any major city that look like gang members, go through their phone and all of their stuff and have a case against them. While I'm all for stuffing hard core gang bangers in the slammer, I'd be very frightened to live in a state where anybody can be grabbed off of the street and have their lives examined in detail because of how they look or dress. It could also mean that one could be subject to "review" for living in a particular neighborhood or being out past a certain time of night without a pass.
to the Sherrifs department of Podunk County
And every other country you want to sell phones in.
If Apple give an unlock code to the FBI then the Eu will want it to protect themselves from their terrorists. And then Israel, Turkey, Russia, China, India, Pakistan ....
So how does the FBI feel about Trump's phone being officially backdoored by Putin ?
They wallow in their own manure so long that they can't smell the difference between fact and fiction, thus their faces don't change.
The question is - How did they approach such crimes before electronic devices? Surely if they could solve them then, using the same detective work they could solve them now. They don't NEED anything on those devices. In fact, they would rather NOT have access so that they can use that as an excuse.
If they can't make a case without access to the device, then they don't have a case to make.
They don't worry about old-fashioned physical crime. We live in a brave new world and have to deal with thoughtcrime. OK, try again, we live in 1984 and ... no, that's not right either.
Laugh if you like, but when they try to ferret out potential terrorists they are looking for thoughcrime. Should you stop crime before it happens? Should you lock up bad people before they do bad things? The consensus seems to move towards a yes. China serves as an example that prosperity and progress are possible despite intrusive government. Most of us feel safe that our democratic societies won't turn on us, so it's OK if they first go for the terrorists. Orwell lived in a time closer to the nazi and communist regimes and saw freedom fighters instead of terrorists -- some things are in the eye of the beholder. I expect our western societies to become less freedom-focused unless/until people see negative consequences (i.e., Things That Go Wrong as they did in the first half of 20th century).
"If they can't make a case without access to the device, then they don't have a case to make."
In fact, the hoped-for backdoor is a just-in-case tool. That the increasingly-dubious FBI have k000 encrypted devices means they have k000 devices the contents of which are completely unknown to them and which, therefore, are devices only potentially -- but not demonstrably -- relevant to any current investigation. I think it's a good idea to maintain the status quo, however frustrating it might be to TPTB. They'll have to work smarter; there's nothing for a bigger truncheon in the budget for liberty.
"In fact, the hoped-for backdoor is a just-in-case tool. That the increasingly-dubious FBI have k000 encrypted devices means they have k000 devices the contents of which are completely unknown to them and which, therefore, are devices only potentially -- but not demonstrably -- relevant to any current investigation. I think it's a good idea to maintain the status quo, however frustrating it might be to TPTB. They'll have to work smarter; there's nothing for a bigger truncheon in the budget for liberty."
So, the FBI needs to be absolutely sure if the cat is dead or alive, then?
This post has been deleted by its author
"if enough campaign contributors want a backdoor the US politicians will give the FBI a backdoor."
Then open source developers from outside the USA [and perhaps a bunch from WITHIN, using anonymizing networks] would write their own encryption stuff that prevents back-dooring, and now you have "dark net" encryption being used WITHOUT a back door, but only by those with the tech savvy to do so.
In addition, the banking industry and privacy advocates would form an unholy alliance to put a stop to it via a continuous stream of lawsuits.
Consider the history of the DeCSS library for DVD players. That's a good, recent example of what would happen with encryption technology. There will be PLENTY of script-kiddie-friendly utilities available on the dark web. And NONE for the rest of us.
I know politicians are complete idiots but even THEY could realize the obvious in this situation. Just compare it to Marijuana and half of them would "get it".
Would someone please tell me why we keep putting Directors in the FBI that don't understand the most simple concept of encryption? I know that they are just the glorified Chief of Police, but it's not like encryption is a new thing. The fact that a subset of society now has access to it, hasn't changed the fundamental way crypto works. Are we going to have to wait for a snowflake to get old enough to be FBI Director before this asinine subject keeps getting brought up?
I tell you what Director Wray, dump all your agency funds into a working D-Wave QC and you won't have to ask us, you'll be able to crack whatever you want (like the neato 1337 haxxor script-kiddies you wish you were).
I'm so sick of making fun of this subject.
"And at what point does possession of a one-time-pad - or something which could be construed to be used as a one-time-pad - become an offence?"
Or a book, since book ciphers are pretty hard to break. (For those who don't understand, read Le Carré's A Perfect Spy. You will thank me.)
Fahrenheit 451 ftw, FBI!
Well it's not like the embassies of most countries would not contain diplomatic courier delivered one time pads up the kazoo in their safes even today.
And tbh any criminal organization could do an xor DDV-25 encryption with the "salt" being just the byte where to start from. (DDV-25 is of course debbie does vegas 25 year anniversary official dvd from which the bytes are just pulled). More secure would be copies of someones vacation dvd, or whatever self-made never published video content that is not available online or elsewhere, and cannot really be claimed to be an offense to be in possession of. Like a phone directory.
Of course that's not *real* encryption and easy to subvert in various ways, however in the end one time pads tattooed on someones head and the hair grown back (ancient) etc cannot really be prevented. And the more serious folks are about their data, the more serious the protection. This would probably go for criminals as well I would guess.
So this is indeed, just the usual blowing in the wind up the wrong tree.
They're just hoping that the average American doesn't understand so they can move ahead with getting their back door installed.
And how are they gonna put a backdoor in FSF encryption solutions ? If they do, someone will simply fork ...
Listen, Mr Hoover Jr, you cannot get a backdoor, sorry ... ask your NSA buddies, they have access to Intel ME et al, so access to RAM and Ethernet, they can decrypt on-the-fly ... they certainly have the bitlocker key as well, stashed away with a gazillion other data on some storage cluster ... No, you can ask as much as you want, you CANNOT get a backdoor.
It not just you in America, we have the same in the UK.
HM Govt continually want backdoors in encryption.
Neither realise that:
a) You can't just do that and keep its integrity.
b) HTTPS to Amazon and your bank's website is also encryption, so cybercrime will explode if that's broken.
c) The general public don't trust the Govt's ability to keep anything secret.
d) The general public don't trust the Govt not to abuse such access.
If you could crack whatever you wanted wouldn't you put out a load of FUD (not not as in the Scottish one missus) claiming how awful it was that you couldn't crack all these crypto phones - would give your targets a false sense of security. I'm sure the FBI has got something for its money.
"Would someone please tell me why we keep putting Directors in the FBI that don't understand the most simple concept of encryption"
A _LOT_ of people over at the FBI, CIA, etc. are OBAKA HOLDOVERS. I think THAT guy is, too.
Now, if Jeff Sessions were making a big push for encryption back doors, I'd be a LOT more concerned. According to the EFF, from a 1 year old article, Jeff Sessions supports them. And the EFF alleges Trump does to, but I don't think that's the case - Trump doesn't speak in black/white ideas, he often voices his inner monologue and people over-react to it.
However, we have not heard ANYTHING since then, to my knowledge, until this one FBI deputy director made some noise, prompting the article.
Keep in mind that Trump is pro-gun and the arguments for strong encryption [protecting your bank accounts and private information] and gun ownership [protecting lives and property] are very much the SAME. Logic concludes that BOTH legal gun ownership AND legal strong encryption [without back doors] are necessary for individuals to be able to protect themselves from crime, AND from potentially oppressive governments. This is the intent of the 2nd ammendment, regardless of how anybody FEELS about it - it's about self defense against oppressive government as well as criminals.
That being said, I don't think Sessions is going to call for encryption back doors. I think he understands the political SUICIDE of doing so. And, I doubt Trump would EVER sign such legislation, for the same reasons. We the people will, of course, keep our eyes on things, because gummints really can NOT be trusted.
Oh, and thanks in advance for the expected downvotes, the usual penalty for stating the truth without the "pretty please with sugar on top" i.e. "no lubrication required"
Because that's what it feels like. Comey talked arrant shit about backdoors despite a virtually endless queue of experts, including the NSA, explaining it simply cannot be done in the way the Feds envisage. Now Wray is doing the same thing, despite being told the exact same thing by the same people. I cannot believe the FBi doesn't have a few high-end crypto people of its own, who must shake their heads in despair every time the Boss gets on its hind legs and talks the same stupid crap.
Why do they do this? I appreciate that the math of modern encryption systems is a bit beyond the average FBI head's ability to make change, but surely to heaven they have at least enough nous to ask the experts? And having heard the unanimous answer ("No! It just cannot work, at all, ever!") they would accept the advice, and move on to battles they *can* win.
I simply do not understand why they are so mule-headedly stubborn. It isn't just stupidity. It's something more than that. What makes a senior FBI guy—or a politician like our own hopeless imbecile Theresa May—keep saying "I want the world to be flat" despite being told again and again and again that it just. Is. Not. Possible. Why??
They do know the facts about encryption. It's just that they oppose ANY encryption in the hands of the public and always have. Unfortunately for them the public crypto thing got rolling while they were jerking off somewhere, and now that horse has left the stable forever. Sucks to be them.
They know exactly what they are doing. They understand completely that a universal encryption backdoor is not acceptable. But they will keep on pushing this in public until, at some point, they will give us the options of 1) Be a good citizen, don't use encryption; 2) Use an FBI approved encryption method (with a backdoor); 3) Use any other encryption method (you're automatically a person of interest). If they make the penalties for option 3 scary enough, then the sheeple will choose 1 or 2. Their concession to device vendors who don't want to be forced into only 1 or 2, will be that when you first initialise your new shiny you will get the three options:
1) Don't encrypt this device (not recommended)
2) Use FBI approved secure encryption (default)
3) Use non-approved encryption (this can lead to seizure of your device by security officials and severe criminal penalties if the encryption key is withheld)
Even if true, there's some major problem with attempting to do it.
1) As a civil control/police state measure, it's unstable. You'll need a very low number of dissenters (people who just ignore and encrypt anyway) to topple it. Some of those have legitimate interest, like journalists or business people. The latter (to protect intellectual property) will lobby hard to keep sentences less harsh.
2) As a policing measure, you're still not better off to catch AND PROSECUTE the people you want. High level criminals just shrug it off. Mid-level, if clever, will adapt to other methods. You'll only catch the stupid and low-level street thugs, which is ineffective.
3) As mentioned, one does NOT NEED technology to use unbreakable communication. Book cyphers and one-time pads are some methods. Using innocent, sensible phrases that mean something else entirely are others, and are already in use.
"Using innocent, sensible phrases that mean something else entirely"
That's OLD SCHOOL! Key words and tricky phrases spoken over radio in the clear is one way that the French Underground communicated with the UK back in WW2 during the occupation.
Or, from the movie 'Hackers' - "It's where I put that thing that one time" (or something like that). Like anyone but an informed insider would know what it means.
There must be a new, all-you-eat, donut shop opening up and they can not miss out. Solving any crime takes a leg work, talking to people, reviewing what evidence you have, etc. Probably the most important bits of evidence from a phone are location and traffic logs. The traffic logs will give them a reason to go play 20-questions someone. But that means giving up your seat in the donut queue.
Well, its not like we have seen the cyber capabilities of the IC weaponized against an administration/party's political enemies, and the government has been so so careful and restrained in their use of things like FISA warrants and upstream collection so that Americans constitutional rights are protected, so I am sure this would work out well for the people.
Plus, the Russians would have so much easier access to hack our elections! My math makes this a Win-Win-Win.
To copy someone I modded up on slashdot -
A generous reading would agree that good encryption IS a public safety issue - we're all safer as a result of having it without backdoors for anyone, including thieves in blue, who are known to lose keys and abuse every power given them as well as some they weren't given - repeatedly and since their very beginnings.
They lost our faith deservedly and should have to earn it back.
If they protected us at all, much less against those others we'd use encryption to be safe from, maybe we'd consider it. But as they remain one of the main threats to our safety and welfare, while taking our money in both taxes and civil asset forfeiture, I do't think we should give them any faith at all.
This feels like a water torture attack (um, yet another abuse they're guilty of). If we just give in, they'll shut up about it (they say) - like a spoiled child - and like that child, will just figure out something else to whine about anyway.
Did they notice that if they get backdoors to encryption, that online finance (including bank to bank) will not work anymore, and we'll step WAY back? Oh, in that case my understanding is that they have complete compromise of the plaintext via intimidation and things like FATCA already.
My guess as to the purposes of such a ruse:
It absolves the FBI of responsibility for various bad and scary things; some specific, some artfully vague - terrorist attacks, organised crime, cybercrime, etc.
It stokes the fear of these bad things and justifies current (and future) surveillance programmes and whatever other increased powers they think they may be able to get (suspension of habeas corpus, detention without trial, etc, etc, i.e. whatever is coming in the next national security bill).
It can be used as a distraction from things which they would rather the public does not notice.
And, as they will never get the proposed backdoor and crypto is not going away, they can use this little ruse at any time for the foreseeable future.
When I fly somewhere I like to put a lock on my suitcase. The lock must be TSA approved, which means they (and almost anyone else) can open it. Consequently it makes no sense to put anything of value in there.
This is what the FBI wants with your device. If it comes to pass, people will adapt, which means not keeping anything private on the device, and finding another way to do things. My device has a password, but there is nothing in there to protect, I just do it to make life harder for the crooks (and whoever) if it is stolen.
I hate what they're doing to citizen's rights in the name of terrorism, but the horses are all gone now and most people don't care.
"If it comes to pass, people will adapt, which means not keeping anything private on the device"
They will adapt, but they're more likely to adapt by installing crypto the wasn't supplied by the manufacturer of the phone. Strong crypto is readily available everywhere, for every platform. You can't put that genie back in the bottle.
Locks on your luggage do not need to be TSA approved. If the TSA decides to open your bag and it doesn't have a TSA lock on it, they will cut the lock open.
Meanwhile in Europe, there is no equivalent because opening someone's luggage without them present is illegal in almost all cases. So you get the passenger connected to the bag, inform them that their bag is being inspected and would you open it please so we don't have to destroy the lock?
Make sure your travel gear is at the very least tamper evident. Good locks, no zippers so that any attempt to open the bag and put something in it will leave clear evidence for you to point to, should customs intercept your bag before you get it and take it to customs yourself because it's been tampered with.
I put a cable tie on my hold luggage with a pair of nail cutters (so I can open it) in an externally accessible pocket.
Stops light fingered baggage handler from taking a dip, plus makes it very obvious when I collect my luggage if someone has been inside, and that I should check then and there if anything is missing.
Replacement cable tie for the return journey is kept in my hand luggage or coat pocket.
Then Apple and Google modify iOS and Android to include the new FBI backdoor. None of those Chinese Android phones use Google's version, they wouldn't include the FBI backdoor. Guess which phones will be preferred by terrorists the world over?
What would be next, make it illegal to use a phone that doesn't have the backdoor (making criminals of everyone with an older Android that isn't updated to a newer version that includes the backdoor) Suicide bombers are well known for being afraid of committing major crimes like using the wrong phone.
This is a battle that not only should the FBI not fight, but one they can't win even if they get everything they want.
This is what happens when people watch too many shows like Silicon Valley. Up against a seemingly impossible task, some malnourished programmer in a Palo Alto basement gets a convenient flash of insight and what do you know: with just a little ingenuity and some off-the-wall thinking, now the impossible is easy! This Wray character is already designing the front of the box.
You mean the same FBI that has interfered in the smooth transition of power and a select few have decided they know better than the American Electorate? Why wouldn't we trust them with a universal back door. It's not like they've abused their power and wiretapped candidates and elected officials just because they didn't like them.
Oh.
"backdoors in encryption exclusively for law enforcement."
Will this be securely held within US law enforcement? So every other country in the world will be expected to let the US read all their private data at whim?
Or will it be shared with law enforcement in other countries - so that they can then read US private data?
Or shared only with the Five Eyes countries, assuming that they won't read US data (ha!) - but that still expects other countries to let the US read all their data.
Or do they seriously expect that they can make all US citizens (including criminals) use their broken encryption while the rest of the world uses secure encryption that the US can't break? But change to broken encryption when they travel to the US?
There's also the possibility that other countries will mandate phones sold in their territories not include backdoors because of security concerns, which would create the opposite of the old problem where high grade crypto was considered munitions grade and export of it was tightly restricted.
Instead, high grade crypto will remain the norm in the rest of the world while US crypto is crippled.
"Instead, high grade crypto will remain the norm in the rest of the world while US crypto is crippled."
Nope. The US trade delegation will require adopting the US policy of backdoors or products from that country will not be allowed to be shipped to the US. Foreign banks have to disclose any accounts held by US persons (a much more vague term) to be reported to the Internal Revenue Service or that bank is excluded from accessing US banking systems and cannot exchange US currency. That's lead to countries making it a universal policy since small banks might just find that catering to US depositors, that don't want the IRS to know about some money, might be a good business move.
Russia could just tell the US to go and get rooted, but China would be in a tough position.
Or shared only with the Five Eyes countries, assuming that they won't read US data (ha!) - but that still expects other countries to let the US read all their data.
Until it comes to the UK, then it's all 'yes, beggin' your pardon, Sir, I'll bend over more and spread 'im guv'nor. Can I have scraps from the table again, please SIr?'
Of course, in the imagination of Anonymous Coward, those poor people in Al-Qaeda are the real victims.
Are you really that hard of reading? I very much doubt anyone believes 'Al-Qaeda' are innocent victims, the bombing of innocent victims does lead to support of terrorist organisations that are planning attacks on the people who made those victims.
Action - reaction - geddit?
Yeah, I'm sure law enforcement would never abuse such a back door for parallel prosecution or to circumvent a warrant. *eye roll* Our Government and law enforcement already have too much power that rages unchecked, despite the promise of usually nonexistent oversight.
Just recently they published secret NSA programs, one of which specifically targeted Americans. http://www.zdnet.com/article/ragtime-program-appear-in-nsa-leaked-files/ Where is the oversight? Congress, so really no oversight.
Fahrenheit 451
So if Fire Fighters can Fight Fire or Fight <u>with</u> Flame Thrower, are Freedom Fighters fighting Freedom or fighting <u>with</u> Freedom.
<u>with</u> is an ambiguous construct at best, if you see any monkeys, I can probably either yell defiance or tell them where the best fruit is....
That was nothing to do with browsers, it was encryption in general, and the idiocy went right back to the origins of modern encryption in the 1980s. Netscape only hit the tail end of that era, in which most cryptographic advances avoided the US for obvious reasons.
That is, most, but not all. And it seems the #1 hero of the resistance back then has fled his country more recently (damn, where was El Reg when that story broke)?
I think the US still has one thing going for it: people who really care about privacy and are prepared to get off their backsides and do something about it, and a court process that gets so bogged down that all sides reach a settlement. Like DJB last time around.
Perhaps this story is an echo for our times of Zimmermann's original release of PGP?
Your wrote: "What Wray wants is a secure form of encryption that contains a flaw that only law enforcement can find and exploit. Trouble is, scumbags will no doubt find and leverage it, too".
You missed out the word "other".
Should have written "...Trouble is, OTHER scumbags will no doubt..."
"Being unable to access those devices is a major public safety issue and impacts our investigations across the board," he said. "This problem will require a thoughtful and sensible approach. We have people devoted to working with stakeholders to find a way forward. We need the private sector’s help."
It's a major public safety issue that you can't snoop on millions of people around the world you mean.
Why would anyone trust any government organisation or for that matter any organisation to have a back door into their devices and not abuse the power.
...actual mobile device security is so bad that, given some effort, you could probably break it.
I mean look at areas where manufacturers actually care about "security": Games Consoles. Despite those using sophisticated measures to prevent you from using them yourself, they regularly get broken.
Just look at any of the papers or talks about console hacking:
https://media.ccc.de/search/?q=console+hacking
There is little reason to believe that smartphones have better "security".
If Meltdown and Spectre are not designed in backdoors, then I don't know what it is. These are just the 2 we know about. How many others could there be? They are only asking for weakened encryption because they don't want people to figure out how they really get inside a system.
I'm just waiting for Trump to be 'persuaded' to pass a bill saying 'Only Nationally Approved encryption may be used on all civilian electronic devices. Ameri-lock® will be the standard encryption system in the US to be used on all smartphone - and other lockable devices capable of storing data. Other forms of encryption are now deemed illegal, and will result in harsh penalties to users and hardware developers if found using them.
i have to enter a passcode to update my phone while retaining the data. Even if Wray gets his backdoor, it won't help him unlock those devices.
That ship has sailed!!!!
Wray probably wants an FBI encryption mode where the central key is rotated every few months, or every device has a unique key registered with the FBI, obviously requiring periodic check in so the FBI know where the device is.
Are we forgetting that TB made sure us in the UK cannot have privacy? We have to give up our encryption keys to the authorities if they ask, and we can just about have a lawyer with us if we demand and demand and demand it. It's all very well criticizing the FBI, but the UK is already there. We have no rights, we are merely cogs in the machine to keep those in power in power.
You are quite correct in that here in the UK we are Royally screwed.
However, since we lack the means to challenge things there, we can all do our bit to support our US colleagues who at least have a few bricks left in their wall to defend in the hope that it will trickle down to us poor sods.
Everyone is quick to point at abuses and indiscriminate data collection such as they were implemented in programs like PRISM.
But lets try to draw an analogy from the data that can not be recovered by a law enforcement officer, which is needed to build a case against a criminal, and the physical world we live in. Suppose we get invaded by predator like creatures from space, who can make them selves invisible to us like predator from the Schwarzenegger movie.
If they would use this to break into houses and steal things, we all would look at law enforcement to solve this. Now somebody harmed us, important data to prove his guilt is encrypted on a digital device. Without the technology to recover data, criminals thus remain invisible like predator, remaining unpunished.
In a safe world, there is a trade off between privacy and ability to recover digital tracks by law enforcement.
"In a safe world, there is a trade off between privacy and ability to recover digital tracks by law enforcement." -- naive
No trade off is possible. That is what anyone with a clue keeps trying to explain: the only settings are "effectively broken crypto" and "satisfactory crypto." These are binary states - there is no spectrum between the two where you can decide where to place your "trade off" --- you can only choose one or the other.
In total agreement with you ,
Technically. Unfortunately giving the said FBI / NSA / CIA / Police A backdoor key to access everything int he bad guys phone / computer / anything digital , at some point it WILL be stolen , even TOP SECRET information gets stolen , you think a MASTER GOLDEN KEY will not be high on the list of things to steal , people will KILL to get one no price will be to high , as it will give anyone with it, ABSOLUTE POWER , Including the asshole that broke into your home stole things from you abused your wife and kids. Only now he wont have to break into your home to do it he will be able to do it from anywhere in the world with a myriad of devices.
If you don't believe me , look at wikileaks , the fappening ,level 7 leaks (NSA hacking tools), hell just look on pastbin.com you will find tons of leaked stuff , just put leak 2017 as a search term you will find tons of stuff , It is happening on a daily basis people find ways to steal what was thought was highly secure data ,
and this was without a all master key , this was just human error . Even facebook had a stupid idea of how to stop Revenge porn , their Idea ? send them your personal pictures so they can have a look and then scan for them online in facebook , because nobody at facebook will go bad will they, a huge stash of everyones personal pictures , how long will it be before some miscreant steals the entire lot then ransoms them against release of said pictures ? Facebook / FBI will be so sorry for the breach and will summerly drop whoever allowed it to happen , but the damage will be done , I can't image the NSA or CIA will even say sorry but hey .
you analogy is a little faulty
lets take the 3 aspects your talking about
1. law enforcement
2. the people
3. the aliens
1. law enforcement - you assuming your invisible aliens aren't in the room temptering with the equipment doing the decrypt and changing the results and that all involved are honest and truth worthy.
2. the people - if the good honest citizens had information that would help would surely provide there decryption keys and provide that information. that none have decided to throw there lot in with the aliens,
3. the aliens if the encrypted data is on the aliens encrypt device they aren't going to provide the details to get that information you would have to steal it (oh no stealing is bad) or rely on an alien throwing his lot in with the humans
lets go back to reality we still have law enforcement the people and but instead of aliens we have negative actors (a catch all for terrorist, crims ,and other bad people) problem is that negative actors are a subset of the people not an external force as with the alien example.
1. law enforcement - encrypted phones can have information that's vital to stopping negative actors.
2. the people - ok i'll willingly decrypt my phone for you
3. negative actors - er no i'll use those this different encryption software that you can't decrypt.
again still no useful information is gained from the majority sharing there data
now again you have to assume that all of 1. are good and above rebuke and can secure there own systems, and that they don't have any of 3. inside that system. and that all of 2. trust 1. to always act in there best interest
As encryption is now a public technology and managed to escape to the world mostly during the 90's (thanks Mr Zimmerman) the only way they could get around this is to centralise the data.
They (FBI etc) would need us all to move away from devices that have significant local storage, instead relying on centralised storage (even centralised processing power) which could be cloud based or another network service. Then the comms to these handsets would still be as secure, but there will be some kind of escrow on keys used to protect the data where it actually is stored (the cloud service).
This would essentially be like a Chromebook phone. Or even better (and what I'm really thinking of) the Hand Terminals as used by the characters in The Expanse: https://www.forbes.com/sites/kevinmurnane/2017/03/08/science-and-tech-in-syfys-the-expanse-it-may-look-like-a-cell-phone-but-its-a-hand-terminal/#5284f52d752d
That is the only way I can see anyone getting around this. We encrypt the data on our devices because each device that stores it is vulnerable to attack or theft. If the data however was not on the device at all then you wouldnt care about decrypting it. You just need to go to the service provider.
The downside is that the data is now a BIG target on the internet and cracking open that golden egg lets anyone get to all the gooey goodness inside.
The Hand Terminals in the Expanse excite me as they are likley cheap throwaway devices that let you connect to any local network with your own cusomised view of that network and its functions.
But thanks to Snowden proving my suspisions, I like many will prefer to lock my data up on an expensive power hungry non-throway physically vulnerable device. The 3 leter agencies had their free ride and abused it.
But what about in 25 years time? Or 40? Will the generations that follow be drawn to amazing and cheap hand terminals that seem to just work? Will they look back at our smartphones, laughing at how they had gigabytes of flash memory to store data locally just like many laugh at floppy discs today?
Btw I love floppy discs and are annoyed by people laughing at cool retro tech ;-)
The better tactic is to not use a public cloud storage provider and instead set up your own storage system somewhere that adds yet another layer of encryption. If The Man® catches on and raids your home to steal your computer, they may not figure out that the data is on an NAS stuffed up in the attic or another hard to find cavity so you are protected by ignorance. They don't know that they have to look for that NAS and are left thinking that what they want is on the desktop they grabbed. Be really clever and build the NAS next to the compressor in the fridge. There won't be any tell-tale connections to the mains that don't make sense and if you have one of the new internet connected fridges, the dog won't bark about a wi-fi connection coming from there. Just name your NAS as the make and model of the fridge and disable the wi-fi on the fridge itself and the touch screen so it just appears to be busted.
Be creative. Law enforcement has a hard time hiring clever people with tech backgrounds since they can't pay what the private sector can for good people.
russia managed to steal the US election by planting their [feckless, idiotic manchild] agent into the election cycle and subsequently win. this is despite the seemingly endless chain of bumbling clowns that pridefully boasted the info to all and sundry, well before the election.
if the FBI couldn't do anything about that, wtf do they need to break encryption for?
it seems the problem isn't the tech. or indeed the absence of useful data. its the political will to engage with the existing tech, using the existing policy framework and with the existing data-sets.
never give-in to the data fetishist. they'll always claim the problem is absence of data. when in reality, they simply want more control. for themselves.
Not being able to get into 8,000 devices is sometimes a good thing. Society has had its secrets for thousands of years and society is not about to give up everything to a snooping government who only wants to play pocket pool with your money. John Birchers (also known at alt right wingers), beware! The further right you go the further left you are in the end.
"The FBI would soon be complaining people have access to information on their devices and want the backdoors closed!!"
I'm sure that there will be non-backdoor versions of equipment that are for government sales only. The laugher will be when somebody needs to replace a bad piece of kit and gets a commercial model from the local computer supply store and roots the entire FBI or NSA.
This post has been deleted by its author