SoylentNews is people
SoylentNews
from the Mister-Potato-Head!-Mister-Potato-Head!-Back-doors-are-not-secrets! dept.
Senators Diane Feinstein (D-CA) and Chuck Grassley (R-IA) are preparing legislation that would regulate encryption and potentially mandate "backdoors." The Senate Judiciary Committee has been meeting with tech lobbyists and at least three researchers to come up with a "secure way" to allow only law enforcement to access encrypted information:
US lawmakers are yet again trying to force backdoors into tech products, allowing Uncle Sam, and anyone else with the necessary skills, to rifle through people's private encrypted information. Two years after her effort to introduce new legislation died, Senator Dianne Feinstein (D-CA) is again spearheading an effort to make it possible for law enforcement to access any information sent or stored electronically. Such a backdoor could be exploited by skilled miscreants to also read people's files and communications, crypto-experts continue to warn.
Tech lobbyists this month met the Senate Judiciary Committee to discuss the proposed legislation – a sign that politicians have changed tactics since trying, and failing, to force through new laws back in 2016. New York District Attorney and backdoor advocate Cyrus Vance (D-NY) also briefed the same committee late last month about why he felt new legislation was necessary. Vance has been arguing for fresh anti-encryption laws for several years, even producing a 42-page report back in November 2015 that walked through how the inability to trawl through people's personal communications was making his job harder.
Tech lobbyists and Congressional staffers have been leaking details of the meetings to, among others, Politico and the New York Times.
From the NYT article:
A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches. They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.
[...] The researchers, Mr. Ozzie said, recognized that "this issue is not going away," and were trying to foster "constructive dialogue" rather than declaring that no solution is possible.
Also at The Hill.
Previously: New Paper on The Risks of "Responsible Encryption"
Report On Device Encryption Suggests A Few Ways Forward For Law Enforcement
Senator Wyden Calls on Digital Rights Activists to Block Legislative Efforts to Weaken Encryption
(Score: 1) by pTamok on Wednesday April 11 2018, @10:36AM (8 children)
I can see a strong argument on National Security grounds for the USA placing back-doors in hardware and software it controls by both hard- and soft- power.
Obviously, the same arguments apply to any other independent state.
Assuming the USA gets its wish, then there will be a very strong incentive for states not aligned with the USA's national interests to use hardware and software that is guaranteed, as far as is practicable, to be free of the USA-influenced back-doors.
However...what if the USA makes the back-door technology openly available to everyone? In other words, it is not hidden, but simply made available to the authorities of each state? Say, for example, every commercially available cpu has a secure enclave that runs only software signed by an authority. Each state gets one or several (root) signing keys. You then mandate for every ISP in that state that a device has to have a licence in order to be able to route packets on the Internet. This is enforced at link initiation, and the licence certificate is stored in the secure enclave. No licence certificate, no network access, and operation of an unlicensed network is made a criminal act. Private networks will require a proxy-server that can relay licence checks and authorisations. Such Media Access Control authentication is already standardized - IEEE 802.1X-2010 . If you look at the Blu-ray AACS and BD+ schemes, you can see that having a trusted (virtual) machine in each cpu allows for fine-grained control over access and security.
An 'in full sight' back-door scheme is very easy to achieve with existing technology. If you travel to another country you have two options: (1) if your equipment is compatible with the host-country's network, you obtain an additional licence; or (2) if your equipment is not compatible with the host-country's network, you get no network access.
I regard such a scheme as pretty much inevitable.
This does not give authorities access to all encrypted information: but what it does do is give authorities privileged access to any cpu attached to a known network. A trusted enclave could easily be primed to look for encryption keys in its host system. So rather than looking for a magical encryption scheme with a law-enforcement-only back-door, build a back-door that gives access to everything on its host. Easier. And more useful. Pretty much all the ingredients are available now.
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @12:35PM
It's about time to get serious when it comes to fighting the Crypto Wars. Stockpile "secure" hardware for use with the dark web before it is all gone. Run compromised performance hardware only offline and maybe in a Faraday cage. Flout the law daily and en masse. Donate to the EFF and hope that we can get these laws nullified by the courts. And for when shit hits the fan, why not collect some assault weapons and ammo?
(Score: 2, Interesting) by Anonymous Coward on Wednesday April 11 2018, @01:20PM
It's because of people like you that the world is shit.
You see a problem, and your brain is capable enough to provide a solution.
Well, you're solving a problem for evil people.
(Score: 2) by Wootery on Wednesday April 11 2018, @02:08PM (3 children)
You seem to be ignoring the indirect consequences of making other people's devices work for you, rather than for them: they stop buying from you, and start buying from your competitors. We've already seen US-based cloud vendors take a hit for the US's spying practices.
(Score: 1) by pTamok on Wednesday April 11 2018, @06:02PM (1 child)
Actually, no, I'm not.
1) Try buying a commercially available PC or Server CPU that doesn't have ME, PSP or TrustZone in it. You'll find it is not easy. I am aware of niche items, like the Talos workstation.
2) You may have missed the 'what if?' point I made, which was that if the USA opened up ME/PSP/TrustZone, and made the technology open to all governments, there would be a strong incentive for it to be used. It would not take much - many campaigners are trying to get Intel and AMD to open up the Secure Enclaves so that FLOSS firmware could be loaded. The other edge to that sword is that opening up the technology allows any government to impose its own requirements about running government signed firmware.
If you make back-doors available to everyone, then you can make cosy agreements with other governments about which back-doors are mutually transparent to each other. If you impose a requirement that government sanctioned code/certificates must be present in the secure enclave, or you can't legally use the Internet, then you close off options of buying cpus from elsewhere.
It would be frighteningly easy to implement. Telecommunications carriers already install a lot of monitoring equipment for governments that the general population is not aware of, so the process is not novel. Specialists are aware of things like 'Legal Intercept Modules' that are installed in certain equipment used by carriers, and things like Room 641A [wikipedia.org] are well known in the (rather small) information security community. Knowledge of such things is 'out there', but it certainly is not mainstream, even after Snowden.
(Score: 2) by darkfeline on Friday April 13 2018, @07:13PM
That's because ME (and related) is a feature for the user. Enterprises use it to control their hardware. They literally pay extra money for this feature (or at least, for the feature to be enabled. A CPU model might support ME in hardware, but only the more expensive variants will have it enabled).
If, somehow, non-ME CPUs start becoming a desirable feature for a large proportion of purchasers, then there will be commercially available PCs that don't have. So far, that is not the case (no, SN does not comprise a large proportion of purchasers).
Join the SDF Public Access UNIX System today!
(Score: 2, Insightful) by Anonymous Coward on Wednesday April 11 2018, @06:19PM
at&t got caught splitting the internet feed in san fransisco for the @#$%^ NSA and the vast majority of people won't even switch their phone carriers.
(Score: 3, Interesting) by All Your Lawn Are Belong To Us on Wednesday April 11 2018, @05:33PM
And then next week the Five Eyes sign a cooperative agreement that allows the foreign agency to go after targets in its own country using its own perfectly legitimate targeting rules and share that information back again. Thus allowing circumvention of constitutional protections of the privacy of said data.
That's quite aside from that if you look at the AACS scheme, for example, you can find that the trusted (virtual) machine in each cpu also allows for hacking to compromise the privacy of the system. As already occurred with AACS. Hence any compromise to encryption being functionally equivalent to no encryption in terms of ultimate trust.
Though yes, I think such a scheme is ultimately inevitable and the Internet shall die and be silently replaced by Consumernet while still being called the Internet. The only hope is to perfect samisdat technology and technique before then.
This sig for rent.
(Score: 2) by archfeld on Wednesday April 11 2018, @07:19PM
That sounds vaguely like the DVD encryption scheme the motion picture industry introduced and that watched get pwned in record time by a group of part time hackers. For every additional key you issue the chances of one get loose goes up exponentially. How much effort went into DeCSS and who long did it take before it was commonly available in free tools for every flavor of OS ?
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge