
posted by martyb on Sunday September 01 2019, @07:43AM
from the Seckret-Codez dept.

Bruce Schneier has written a short piece over at Lawfare in response to ongoing calls to weaken encryption. Unlike during the Cold War, there is no longer a distinction between consumer-grade encryption and military encryption, because customized encryption is both more expensive and less secure: it is unique, non-standard, and untested.

In his keynote address at the International Conference on Cybersecurity, Attorney General William Barr argued that companies should weaken encryption systems to gain access to consumer devices for criminal investigations. Barr repeated a common fallacy about a difference between military-grade encryption and consumer encryption: "After all, we are not talking about protecting the nation's nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications."

The thing is, that distinction between military and consumer products largely doesn't exist. All of those "consumer products" Barr wants access to are used by government officials—heads of state, legislators, judges, military commanders and everyone else—worldwide. They're used by election officials, police at all levels, nuclear power plant operators, CEOs and human rights activists. They're critical to national security as well as personal security.

Earlier on SN:
U.S. Attorney General William Barr Demands Backdoored Encryption (2019)
FBI: End-to-End Encryption Problem "Infects" Law Enforcement and Intelligence Community (2019)
The Crypto Warrior--Why Politicians Want a ‘Back Door’ into Your Devices—and Why it Will Never Work (2016)

  • (Score: 3, Interesting) by JoeMerchant on Sunday September 01 2019, @12:16PM (2 children)

    by JoeMerchant (3937) on Sunday September 01 2019, @12:16PM (#888443)

    vendors build backdoors into their products

    While this is often true for general system access, it is often done "against policy" and not the kind of thing the higher ups in legal or management would have knowledge of. It is less common to build in a backdoor to decrypt a specifically secured folder or message.

    If you want to be an unassailable ivory tower of present-day security, choose one of the well-tested algorithms and use that. You're good, until you're not, and then you're scrambling to update with the rest of the world.

    If you want to slip unnoticed through broad trawling nets set by state actors, you're better off with a reasonably well-thought-out home-grown steganography system. Sure, once you're in the spotlight they can capture your endpoint programs and eventually guess the keys, but you're going to have to be a valuable target to merit that kind of effort, and 99.9% of us are not that valuable.

    If you want to be truly secure: layer combinations of the best trusted, tested, academically vetted algorithms and your own homegrown, as-quirky-as-possible algorithms, wrapped in a steganographic outer shell, or two. For the love of secrets: protect your keys.

    Most importantly, don't act like a freak in the first place. If you paint a "hack me" sign on your forehead and make anybody with power the slightest bit nervous, or make yourself a valuable political token for any side of the power game, you're asking for personal experience with the $5 wrench. https://xkcd.com/538/ [xkcd.com]

  • (Score: 1, Interesting) by Anonymous Coward on Sunday September 01 2019, @11:25PM

    by Anonymous Coward on Sunday September 01 2019, @11:25PM (#888645)

    Can confirm, worked at a startup building routers. (Real ones, not home routers, unless you have a high-five or low-six-figure home network budget.) We didn't backdoor it. We would have had zero tolerance. We would have fired, ostracised, etc. an employee who did such a thing, and our buyers were mostly national-tier carriers/ISPs who would have immediately terminated orders if a backdoor had been revealed. We were trustworthy in part because we were working out of a relatively neutral country without agencies able to coerce us into including backdoors. Our codebase wasn't siloed and we could review any code we wanted, so while it's possible a peon or an exec slipped something in, the personal risk would have been so high that I doubt it, unless we had a nation-state's spy implanted among us. But at that point they could have just poisoned our chip supply, for those we didn't design ourselves.

    tl;dr: upstart hardware companies will avoid backdooring. Maybe at bigger companies who are more engaged with local governments, like Cisco or Huawei.

  • (Score: 0) by Anonymous Coward on Sunday September 01 2019, @11:27PM

    by Anonymous Coward on Sunday September 01 2019, @11:27PM (#888647)

    Sorry I neglected to specify: hardware companies who sell to plural entities with military might are unlikely to willingly backdoor their product.

    All bets are off when it's consumers receiving. Consumers won't jail your CEO on a stopover flight. :)