SoylentNews is people
SoylentNews
The Washington Post reports that Adm. Michael S. Rogers is continuing to advocate for weakened encryption as the White House explores a number of possible schemes, as illustrated by this infographic.
For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?
Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, suggested Adm. Michael S. Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it?
"I don't want a back door," Rogers, the director of the nation's top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. "I want a front door. And I want the front door to have multiple locks. Big locks."
[...] The split-key approach is just one of the options being studied by the White House as senior policy officials weigh the needs of companies and consumers as well as law enforcement — and try to determine how imminent the latter's problem is. With input from the FBI, intelligence community and the departments of Justice, State, Commerce and Homeland Security, they are assessing regulatory and legislative approaches, among others.
The White House is also considering options that avoid having the company or a third party hold a key. One possibility, for example, might have a judge direct a company to set up a mirror account so that law enforcement conducting a criminal investigation is able to read text messages shortly after they have been sent. For encrypted photos, the judge might order the company to back up the suspect's data to a company server when the phone is on and the data is unencrypted. Technologists say there are still issues with these approaches, and companies probably would resist them.
Google, Apple, and others have been pretty badly burned by the NSA's crimes, so it's probably safe to say Mike Rogers should file that idea under Norfolk & Way.
(Score: 5, Insightful) by Mr Big in the Pants on Monday April 13 2015, @10:47PM
This is an unenforceable law outside of mainstream services. So all "you the people" (whatever the fuck that ever meant) have to do is use something not officially sanctioned by the government spooks like Tor et al.
It has not worked in China where they have even more control and no constitution and it wont work in the US.
Personally I see this as a GOOD THING. The more they act like abusive authoritarian dictators they are, the more it will give incentive to "you the people" to wake up and take this shit seriously.
I see this as *far better* than the last few decades where they have just done all this and nobody has known or cared and their respective countries have just continued spiralling towards police and/or surveillance states without mainstream commentary.
And this is not just a US thing.
China/Russia/North Korea/Saudi etc have always been this fucked up and are just upgrading their tech as it becomes available.
Australia, USA and the UK are examples I am aware of that have also been making MASSIVE leaps towards this goal in the last decade and it has been accelerating rapidly. There are many others.
But the problem is NOT with them. It is with "we the people" constantly voting in sociopaths to run our countries as if there are no alternatives in the millions of citizens out there.
(Score: 4, Interesting) by JNCF on Monday April 13 2015, @11:14PM
This is an unenforceable law outside of mainstream services. So all "you the people" (whatever the fuck that ever meant) have to do is use something not officially sanctioned by the government spooks like Tor et al.
I wouldn't say "unenforceable." We're talking about OpenBSD becoming contraband in the US (US citizens are already legally barred from contributing to the project's encryption due to export laws). They might not be able to stop everything, but if they catch you with encrypted data that they don't have a key to they might throw you in a concrete box with rapists. That would certainly have a chilling effect, the way it does with the War on Drugs. This is perhaps the most terrifying law I've seen discussed by the federal government in my lifetime. The War on Code, already well under-way in China Germany, now marches towards America.
We should amend the Constitution to make it clear that the First Amendment applies to any collection of 1s and 0s, intelligible or not.
(Score: 2) by frojack on Monday April 13 2015, @11:51PM
(US citizens are already legally barred from contributing to the project's encryption due to export laws)
Citation needed. As far as I can determine all such restrictions ended in 2000.
Not saying OpenBSD might be wise to be very selective about accepting US contributors,
No, you are mistaken. I've always had this sig.
(Score: 2) by kaszz on Tuesday April 14 2015, @12:06AM
In what way would US contributors be worse than anyone else?
(Score: 3, Insightful) by c0lo on Tuesday April 14 2015, @12:27AM
Influence and jurisdiction of FBI [cnet.com] and NSA [cryptome.org], I guess. Sorry, folks, not your (direct?) fault.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @01:05AM
As in spying on their source code?
It is open, how is that relevant?
As in arresting the coders contributing? Apart from the terrible PR OS projects are VERY tolerant of this and continue regardless. In fact you will probably be overwhelmed with non-US recruits wanting to sign up to help out.
You have too much faith in your authoritarian masters, my friend. The more they tighten their grip, the more it will slip through their fingers.
(Score: 3, Informative) by c0lo on Tuesday April 14 2015, @01:13AM
As in weakening their code in non-obvious ways.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by c0lo on Tuesday April 14 2015, @01:43AM
While the matter with slipping is true, what the quoted aphorism won't tell you is the state of those slipping through the fingers; most of them will be in the form of a bloody pulp.
If you like it better (may be so, if I'm correctly interpreting your "I see this as a GOOD THING"), good luck when your turn comes.
(BTW: I have no masters... yet; certainly, if it can be helped, I don't intend to get some)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @06:41AM
Feel free to be happy and comforted by a ever worsening status quo.
It sounds like you are reasoning based on fear more than anything else. Not point arguing with that.
(Score: 0) by Anonymous Coward on Tuesday April 14 2015, @11:10AM
And you sound like the glorious leader who's morals reduce to "If you want to make an omelet, you gotta break some eggs" - with the unspoken "as long as they are not mine".
(Score: 3, Funny) by TheRaven on Tuesday April 14 2015, @09:37AM
It is open, how is that relevant?
If you have a mechanism that allows malicious and non-malicious code to be trivially distinguished, then I know some VCs that would be very interested in throwing money at you (just to give you something to do for the couple of years before you claim your Turing Award).
sudo mod me up
(Score: 2) by kaszz on Tuesday April 14 2015, @01:07AM
That's not so much a legal liability as the ability to do the "$1 wrench breach".
(Score: 2) by c0lo on Tuesday April 14 2015, @01:34AM
The "$1 wrench breach" is included in the "influence" part.
The jurisdiction is not related with the legal liability of the "breached contributor", but with the possibility of acronym agencies to gag them afterwards. Those NSL [wikipedia.org]s? They are an as nasty tool as the $1 wrench.
...
(BTW: last time I checked, that wrench used to be 5 times [xkcd.com] more expensive.
Is the price drop a sign that the NSA's wrench volume purchases started to play significantly in US economy?)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by kaszz on Tuesday April 14 2015, @11:55AM
How would these organizations get to an individual using NSL etc if the person are physically outside of the jurisdiction?
Yeah, perhaps some organizations have a volume discount .... ;-)
(the price is 12$ with free shipping I saw now)
(Score: 3, Informative) by frojack on Tuesday April 14 2015, @12:55AM
http://www.pcworld.com/article/2454380/overreliance-on-the-nsa-led-to-weak-crypto-standard-nist-advisers-find.html [pcworld.com]
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by anubi on Tuesday April 14 2015, @11:01AM
They already have it.
Its been in every Windows distribution since WIN95OSR2. [google.com]
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Informative) by JNCF on Tuesday April 14 2015, @01:26AM
Citation needed.
Wikipedia's summary of current encryption export laws in the US [wikipedia.org] (I just fixed a broken citation link to a government document with relevant information, so please don't tell me that Wikipedia isn't a good enough source).
There are still restrictions on what cryptography you can export from the US. Not as many as there used to be, but still some on the books. I don't know enough about OpenBSD's encryption tools to say that they definitely include software that is still illegal to export from the US, but given that there is encryption software that is still illegal to export from the US, and that OpenBSD won't allow US programmers to contribute to their cryptography, I don't see what other conclusion can be drawn. Your suggestion that they are scared of three-letter-agencies doesn't make sense to me; three-letter-agencies obviously have agents living in foreign countries, and cryptography isn't the only part of the system vulnerable to back-doors.
(Score: 2) by frojack on Tuesday April 14 2015, @04:21AM
Nope. Only military encryption, and only embedded in devices. Opensource is not restricted.
Source code, they just want to see it, probably to make sure its not theirs. And even that is not for approval, they just want a heads up.
I went looking for the BIS page that addresses the specifics and its a 404. They pulled the page, because its not illegal.
And OpenBSD is not illegal to export from the US. In fact Canadian export regs are vertically identical to US export when it comes to Encryption.
One subsidy of Intel was fined, but not for selling Openbsd, but rather selling embedded OpenBSD in security products to banned countries:
In April 2012, Wind River Systems voluntarily disclosed to BIS that between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List.
http://www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/ [theregister.co.uk]
So again, overhyping of events.
No, you are mistaken. I've always had this sig.
(Score: 2) by JNCF on Wednesday April 15 2015, @03:05PM
My previous link indicates that there are still mass market applications that are restricted, not just military, and your link actually seems to support this. Note that not all of the recipients were governments. It seems like they were selling devices for general security purposes and got fined $750,000 for exporting to the wrong countries (none of which have general sanctions against them). The BIS wanted them to apply for a license, not simply give them a notification. Do you see how this could deter OpenBSD from accepting cryptography-related-code from the US? It's possible that it wouldn't even be strictly illegal, but that OpenBSD is trying to make sure that they stay away from complicated US regulations that could potentially make them in violation of US law. I still think a legal explanation for OpenBSD's refusal to accept US cryptography makes the most sense, but if you have some reason to think they have an unrelated motive I'm all ears. I can't find an official OpenBSD site that directly claims the ban on American cryptographers is due to legality, but this newsletter [cuug.ab.ca] from the Calgary Unix Users Group seems to indicate that this is the case:
-One of the major reasons that OpenBSD is able to be more secure is that it can use cryptography freely. The project is hosted in Canada by Theo, so it is permitted to export free, non-United-States cryptography software to the world at large. Some of the software includes KERBEROS IV, and IPSEC, all written by 12 non-American programmers from around the world. (At one point, Theo started counting off some of the team: "Four Canadians, 6 Swedes, 3 Germans, 2 Argentineans, and a Greek..." Me, I seem to recall a Milton Berle joke that starts where these people all walk into a bar.)
But that was from 1998. Perhaps OpenBSD is working off of an understanding of outdated American laws? The OpenBSD page on cryptography links to a summary of Canadian cryptographic export laws that includes a section [www.efc.ca] on exporting cryptography of American origin, but it seems potentially outdated as well. It's possible that the specifics are outdated, but the general case of cryptography coming from the US having extra strings attached is not.
Again, if you have good reason to believe that OpenBSD's refusal to accept American cryptography is not related to American export laws I'd love to see it.
(Score: 0) by Anonymous Coward on Tuesday April 14 2015, @03:29AM
It did. I looked this up in 2010 when someone I worked with insisted on stripping all the crypto code out of a hosted repository based on this misunderstanding. I couldn't convince him this was stupid, and he's still doing it as far as I know.
You are maybe supposed to notify the BIS although I've never heard of anyone getting in trouble for not doing this: https://www.bis.doc.gov/index.php/policy-guidance/encryption/registration [doc.gov]
(Score: 2) by gnuman on Tuesday April 14 2015, @10:41PM
Citation needed. As far as I can determine all such restrictions ended in 2000.
If you write crypto code, even if open source, you have to register it with US government.
http://www.cryptolaw.org/cls2.htm [cryptolaw.org]
On 7 January 2011, a minor amendment was made to the EAR (Federal Register Vol. 76, No. 5, p. 1059). Publicly available mass-market encryption object code software (with symmetric key length exceeding 64 bits), and publicly available encryption object code of which the corresponding source code falls under License Exception TSU (i.e., when the source code is publicly available), are no longer subject to the EAR. The amendment includes some minor specific revisions.
Export case law
In August 2001, two men were arrested and accused of attempting to illegally export encryption devices to China (news report).
In February 2002, the Commerce Department fined a San Diego firm $95,000 for illegally exporting 128-bit encryption software to South Korea (news report).
http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status [wikipedia.org]
Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494). In addition, other items require a one-time review by or notification to BIS prior to export to most countries.[9] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[10] Export regulations have been relaxed from pre-1996 standards, but are still complex.[9] Other countries, notably those participating in the Wassenaar Arrangement,[11] have similar restrictions.[12
(Score: 2) by kaszz on Monday April 13 2015, @11:53PM
This war on code what is the outline of that? And is Germany really that bad?
What hinders any US resident from contributing to that project as long as they don't store anything locally?
(Score: 2) by JNCF on Tuesday April 14 2015, @12:34AM
This war on code what is the outline of that? And is Germany really that bad?
Germany has outlawed "hacker tools," which are defined vaguely. At least one security researcher has already had his door kicked down by law enforcement.
What hinders any US resident from contributing to that project as long as they don't store anything locally?
Export laws, [wikipedia.org] as previously stated.
(Score: 2) by frojack on Tuesday April 14 2015, @01:00AM
You should maybe read your own links.
For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required. They don't have to even approve it, but they still want an heads up. However a "contributor" to OpenBSD wouldn't even be the one making it publicly available. OpenBSD would be.
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by JNCF on Tuesday April 14 2015, @01:57AM
For some things you only need to notify them (which seems like a pretty complicated process), but that isn't the case with everything. From the Wikipedia page we're discussing:
Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494).
Check out this document, [doc.gov] which is the Wiki citation ([9]) I mentioned in response to your other post. An excerpt:
License Requirement Note:
When a person performs or provides technical assistance that incorporates, or otherwise draws upon, “technology” that was either obtained in the United States or is of US-origin, then a release of the “technology” takes place. Such technical Commerce Control List assistance, when rendered with the intent to aid in the “development” or “production” of encryption commodities or software that would be controlled for “EI” reasons under ECCN 5A002 or 5D002, may require authorization under the EAR even if the underlying encryption algorithm to be implemented is from the public domain or is not of U.S. origin.
Once again, I don't actually know enough about OpenBSD's encryption tools to say with 100% certainty that they fall under the umbrella of encryption software that is still illegal to export from the US, but there definitely is such software. If you continue to deny that my links contain say what they say I'm simply not going to reply to you anymore. You're allowed your own opinions, but not your own facts.
(Score: 2) by kaszz on Tuesday April 14 2015, @01:10AM
Is there any other countries that has outlawed "hacker tools" ?
Oh and those export laws seems quite ridiculous. But the pain they result in is still real.
(Score: 0) by Anonymous Coward on Tuesday April 14 2015, @01:11AM
"Germany has outlawed "hacker tools," which are defined vaguely. At least one security researcher has already had his door kicked down by law enforcement."
Why didn't he shoot them when they kicked in his door and burn any survivors alive while filming it?
(Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @12:57AM
Well I beg to differ.
The US is NOT the be all and end all of all things computing. And the world is much larger place with its own data centers don't ya know.
Oh, let me guess, next you will be telling me the US will create a "great firewall" to stop it all? I refer you to my original post...
And Europe is looking like the last (super power) hope for civilization - or at least a civilization worthy of the term. (no, I don't live there...)
I would be all for such projects being exported to better countries. Or even being, say, open sourced...as in the source of their effort can come from anywhere...oh wait...they are already like that.
(Score: 4, Insightful) by c0lo on Monday April 13 2015, @11:26PM
Incorrigible optimist, aren't you?
Do you think dictatorships and other oppressive regimes were "spontaneously generated" or "given by an act of God"?
They took hold gradually, with a revolution (act of force under whatever name) towards at the end of it: the people weren't watching, didn't understand or they were powerless to do something even when they were watching/understanding.
My point? Watch out what you wish for, there's always possible for the things to go worse. There is a point of no return, after which the populace can do and will do nothing to stop an oppressive regime taking hold.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Insightful) by kaszz on Monday April 13 2015, @11:59PM
Complacent people is the problem.
(Score: 2) by c0lo on Tuesday April 14 2015, @12:13AM
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 1, Offtopic) by Mr Big in the Pants on Tuesday April 14 2015, @01:01AM
False opinions are like false money, struck first of all by guilty men and thereafter circulated by honest people who perpetuate the crime without knowing what they are doing
Joseph-Marie, Les soirées de Saint-Pétersbourg, Ch. I
Also just as relevant and part of the problem? :)
(Score: 0) by Anonymous Coward on Tuesday April 14 2015, @01:16AM
You wish.
(Score: 0, Insightful) by Anonymous Coward on Tuesday April 14 2015, @05:02AM
The problem, like always, is racism. Racism is what created the drug laws, which have single-handedly shredded the constitution and eroded the US into a police state. Racism also has half of congress committing treason and sedition solely because the president isn't a WASP. [wikipedia.org] Racism is why at least half of the country is all for oppressive, unjust laws, because they're currently only being used exclusively on non-whites or other demonized people like drug users.
(Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @12:52AM
You could not be more wrong about my opinions or history.
I am a realist, not an optimist. An optimist or pessimist skews reality to align to their beliefs. While nobody can avoid a good skewing (haw haw) some of us at least try to avoid it as much as we are able. The worst trait of most optimists is how PROUD they are of it.
Many of the major dictators (including the worst) became thus through "popular" appointment and had mass appeal - at least were it counted. (or at least by using popular sentiment) It was not till AFTER the big "evil reveal" that they were "hated".
Like George Bush 2 for example. Won by popular vote, worst approval rating by the end.
(Score: 0) by Anonymous Coward on Tuesday April 14 2015, @01:09AM
Intel Active Management Technology (also called VT and vpro) says otherwise.
VNC server on chip.
Don't know what the AMD and ARM versions are called.
(Score: 2) by K_benzoate on Tuesday April 14 2015, @03:18AM
But the problem is NOT with them. It is with "we the people" constantly voting in sociopaths to run our countries as if there are no alternatives in the millions of citizens out there.
Here's why those millions of good people are unelectable. [youtube.com] Now add the NSA on top of that, actively trying to dig up dirt on any would-be reformers.
Climate change is real and primarily caused by human activity.
(Score: 3, Insightful) by Mr Big in the Pants on Tuesday April 14 2015, @06:44AM
You are now forming a circular argument of sorts.
I am saying the current selection process is deeply flawed and needs to change by voters changing how and why they vote.
You are saying they are unelectable due to the current way people vote.
This is all nonesense. I don't pretend to have a *workable* solution, but the solution is not that hard - people stop acting like cattle.
(Score: 2) by K_benzoate on Tuesday April 14 2015, @07:13PM
So any possible solution would require Americans, in large numbers, to stop being petty, puerile, puritanical, spiteful, gossipy, moralizing, busybodies? I don't think that'll work. You don't get cattle to improve their situation by forcing them to become something else, you figure out how to heard them away from danger.
Climate change is real and primarily caused by human activity.