SoylentNews is people

posted by on Wednesday January 25 2017, @11:22AM
from the ROT-13-is-too-secure dept.

Like other politicians and government officials, President Trump's nominee for the position of Attorney General, Jeff Sessions, wants to have it both ways when it comes to encryption:

At his confirmation hearing, Sessions was largely non-committal. But in his written responses to questions posed by Sen. Patrick Leahy, however, he took a much clearer position:

Question: Do you agree with NSA Director Rogers, Secretary of Defense Carter, and other national security experts that strong encryption helps protect this country from cyberattack and is beneficial to the American people's digital security?

Response: Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

Despite Sessions' "on the one hand, on the other" phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It's simply not feasible for encryption to serve what Sessions concedes are its "many valuable and important purposes" and still be "overcome" when the government wants access to plaintext. As we saw last year with Sens. Burr and Feinstein's draft Compliance with Court Orders Act, the only way to give the government this kind of access is to break the Internet and outlaw industry best practices, and even then it would only reach the minority of encryption products made in the USA.

Related: Presidential Candidates' Tech Stances: Not Great


  • (Score: 2) by TheRaven on Thursday January 26 2017, @09:54AM

    by TheRaven (270) on Thursday January 26 2017, @09:54AM (#458862)

    The only way to tell if encrypted traffic is government-approved encrypted traffic is to decrypt a large enough sample that you can tell. Even then, there are cryptosystems that give two different real-seeming plaintexts depending on the key that you use, so it probably wouldn't be too hard to put together something that produced a plausible-looking stream of words for the NSA but the real message for the intended recipient. It wouldn't stand up to human inspection, but by the time that they've focused on you as a target then you're past the point where having them know that you're using encryption is a problem.

    Even then, you're ignoring how effective modern steganography is. For example, linguistic steganography works by taking a known passage and permuting typos and punctuation to encode a message. You can take, for example, the GN?? troll, and post minor variations of it on Slashdot. Each one encodes a message, but unless you know the meaning of the permutations you have no way of distinguishing it from various mechanisms for trying to get past spam filters. Or you can take a generic spam and send it to a million people, including the intended recipient. Traffic analysis won't help the adversary identify the recipient because, in both cases, it goes to a load of people who aren't the intended recipient, and they all ignore it as spam. If you're serious about evading the government, this is quite easy to do, so all this kind of law would do is make legitimate financial transactions less secure.

    Amusingly, the original version of this post did not redact GN?? and so triggered the spam filter here.

    --
    sudo mod me up