
SoylentNews is people

posted by takyon on Monday April 13 2015, @10:15PM
from the both-doored dept.

The Washington Post reports that Adm. Michael S. Rogers is continuing to advocate for weakened encryption as the White House explores a number of possible schemes, as illustrated by this infographic.

For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?

Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, suggested Adm. Michael S. Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it?

"I don't want a back door," Rogers, the director of the nation's top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. "I want a front door. And I want the front door to have multiple locks. Big locks."

[...] The split-key approach is just one of the options being studied by the White House as senior policy officials weigh the needs of companies and consumers as well as law enforcement — and try to determine how imminent the latter's problem is. With input from the FBI, intelligence community and the departments of Justice, State, Commerce and Homeland Security, they are assessing regulatory and legislative approaches, among others.

The White House is also considering options that avoid having the company or a third party hold a key. One possibility, for example, might have a judge direct a company to set up a mirror account so that law enforcement conducting a criminal investigation is able to read text messages shortly after they have been sent. For encrypted photos, the judge might order the company to back up the suspect's data to a company server when the phone is on and the data is unencrypted. Technologists say there are still issues with these approaches, and companies probably would resist them.

Google, Apple, and others have been pretty badly burned by the NSA's crimes, so it's probably safe to say Mike Rogers should file that idea under Norfolk & Way.
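As an added illustration (not code from the Post's reporting, from the NSA, or from any vendor proposal), here is the arithmetic behind a "split-key" scheme of the kind Rogers describes: Shamir secret sharing over a prime field, where any k of n custodians can rebuild the key and any k-1 of them learn nothing about it. The 16-byte "master unlock key", the five custodians and the threshold of three are constructed for the example; the proposal as reported names none of these.

```python
"""Threshold ("split-key") escrow demo: Shamir secret sharing over a prime field.

Added example, not code from the article or from any government or vendor
scheme. Field, custodian count and threshold are assumptions for illustration.
"""
import secrets
from typing import Callable, List, Tuple

# Field prime. 2**255 - 19 is prime (the Curve25519 field); a 128-bit key fits below it.
P = 2**255 - 19

Share = Tuple[int, int]  # (x, f(x)); x is a small non-zero custodian index


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... (mod P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, threshold: int, n_shares: int,
                 rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n_shares pieces; any `threshold` of them rebuild it."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    # f(0) is the secret; the other threshold-1 coefficients are uniformly random,
    # so any threshold-1 points are consistent with every possible secret.
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the supplied shares.

    With fewer than `threshold` shares this still returns a value, but the
    wrong one (a uniformly random field element). Nothing here tells the
    caller that; a real system must confirm the key by a MAC or by decrypting.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % P
            den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse of den
    return total


def key_to_int(key: bytes) -> int:
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


def demo(threshold: int = 3, n_shares: int = 5) -> dict:
    """Constructed scenario: a 128-bit master unlock key split among five custodians."""
    master_key = secrets.token_bytes(16)          # constructed sample key
    shares = split_secret(key_to_int(master_key), threshold, n_shares)
    quorum = shares[:threshold]                   # e.g. three agencies together
    short = shares[:threshold - 1]                # two custodians colluding
    rebuilt = int_to_key(recover_secret(quorum), 16)
    partial = recover_secret(short)
    return {
        "key": master_key,
        "quorum_ok": rebuilt == master_key,
        "partial_leaks_key": partial == key_to_int(master_key),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the quote does not. First, "multiple locks" is a statement about who may assemble the key, not about the key itself: `recover_secret` hands its caller the complete master key, and from that moment every device protected by it is open to whoever holds that process's memory, its logs, or its backups. Second, a sub-threshold coalition gets a value back, not an error; the scheme's security rests on that value being uniformly random, so any deployment needs a separate check (a MAC over the key, or a successful decryption) before it trusts a reconstruction.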

  • (Score: 3, Informative) by JNCF (4317) on Tuesday April 14 2015, @01:26AM (#170140)

    Citation needed.

    Wikipedia's summary of current encryption export laws in the US [wikipedia.org] (I just fixed a broken citation link to a government document with relevant information, so please don't tell me that Wikipedia isn't a good enough source).

    There are still restrictions on what cryptography you can export from the US. Not as many as there used to be, but still some on the books. I don't know enough about OpenBSD's encryption tools to say that they definitely include software that is still illegal to export from the US, but given that there is encryption software that is still illegal to export from the US, and that OpenBSD won't allow US programmers to contribute to their cryptography, I don't see what other conclusion can be drawn. Your suggestion that they are scared of three-letter-agencies doesn't make sense to me; three-letter-agencies obviously have agents living in foreign countries, and cryptography isn't the only part of the system vulnerable to back-doors.

  • (Score: 2) by frojack (1554) on Tuesday April 14 2015, @04:21AM (#170212)

    Nope. Only military encryption, and only embedded in devices. Open source is not restricted.

    Source code, they just want to see it, probably to make sure it's not theirs. And even that is not for approval, they just want a heads up.
    I went looking for the BIS page that addresses the specifics and it's a 404. They pulled the page, because it's not illegal.

    And OpenBSD is not illegal to export from the US. In fact Canadian export regs are virtually identical to US export when it comes to Encryption.
    One subsidiary of Intel was fined, but not for selling OpenBSD, but rather selling embedded OpenBSD in security products to banned countries:

    In April 2012, Wind River Systems voluntarily disclosed to BIS that between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List.

    http://www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/ [theregister.co.uk]

    So again, overhyping of events.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by JNCF (4317) on Wednesday April 15 2015, @03:05PM (#170990)

      My previous link indicates that there are still mass market applications that are restricted, not just military, and your link actually seems to support this. Note that not all of the recipients were governments. It seems like they were selling devices for general security purposes and got fined $750,000 for exporting to the wrong countries (none of which have general sanctions against them). The BIS wanted them to apply for a license, not simply give them a notification. Do you see how this could deter OpenBSD from accepting cryptography-related code from the US? It's possible that it wouldn't even be strictly illegal, but that OpenBSD is trying to make sure that they stay away from complicated US regulations that could potentially make them in violation of US law. I still think a legal explanation for OpenBSD's refusal to accept US cryptography makes the most sense, but if you have some reason to think they have an unrelated motive I'm all ears. I can't find an official OpenBSD site that directly claims the ban on American cryptographers is due to legality, but this newsletter [cuug.ab.ca] from the Calgary Unix Users Group seems to indicate that this is the case:

      -One of the major reasons that OpenBSD is able to be more secure is that it can use cryptography freely. The project is hosted in Canada by Theo, so it is permitted to export free, non-United-States cryptography software to the world at large. Some of the software includes KERBEROS IV, and IPSEC, all written by 12 non-American programmers from around the world. (At one point, Theo started counting off some of the team: "Four Canadians, 6 Swedes, 3 Germans, 2 Argentineans, and a Greek..." Me, I seem to recall a Milton Berle joke that starts where these people all walk into a bar.)

      But that was from 1998. Perhaps OpenBSD is working off of an understanding of outdated American laws? The OpenBSD page on cryptography links to a summary of Canadian cryptographic export laws that includes a section [www.efc.ca] on exporting cryptography of American origin, but it seems potentially outdated as well. It's possible that the specifics are outdated, but the general case of cryptography coming from the US having extra strings attached is not.

      Again, if you have good reason to believe that OpenBSD's refusal to accept American cryptography is not related to American export laws I'd love to see it.