
posted by takyon on Monday April 13 2015, @10:15PM
from the both-doored dept.

The Washington Post reports that Adm. Michael S. Rogers is continuing to advocate for weakened encryption as the White House explores a number of possible schemes, as illustrated by this infographic.

For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?

Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, suggested Adm. Michael S. Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it?

"I don't want a back door," Rogers, the director of the nation's top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. "I want a front door. And I want the front door to have multiple locks. Big locks."

[...] The split-key approach is just one of the options being studied by the White House as senior policy officials weigh the needs of companies and consumers as well as law enforcement — and try to determine how imminent the latter's problem is. With input from the FBI, intelligence community and the departments of Justice, State, Commerce and Homeland Security, they are assessing regulatory and legislative approaches, among others.

The White House is also considering options that avoid having the company or a third party hold a key. One possibility, for example, might have a judge direct a company to set up a mirror account so that law enforcement conducting a criminal investigation is able to read text messages shortly after they have been sent. For encrypted photos, the judge might order the company to back up the suspect's data to a company server when the phone is on and the data is unencrypted. Technologists say there are still issues with these approaches, and companies probably would resist them.

Google, Apple, and others have been pretty badly burned by the NSA's crimes, so it's probably safe to say Mike Rogers should file that idea under Norfolk & Way.

  • (Score: 4, Interesting) by JNCF on Monday April 13 2015, @11:14PM

    by JNCF (4317) on Monday April 13 2015, @11:14PM (#170067) Journal

    This is an unenforceable law outside of mainstream services. So all "you the people" (whatever the fuck that ever meant) have to do is use something not officially sanctioned by the government spooks like Tor et al.

    I wouldn't say "unenforceable." We're talking about OpenBSD becoming contraband in the US (US citizens are already legally barred from contributing to the project's encryption due to export laws). They might not be able to stop everything, but if they catch you with encrypted data that they don't have a key to they might throw you in a concrete box with rapists. That would certainly have a chilling effect, the way it does with the War on Drugs. This is perhaps the most terrifying law I've seen discussed by the federal government in my lifetime. The War on Code, already well underway in China and Germany, now marches towards America.

    We should amend the Constitution to make it clear that the First Amendment applies to any collection of 1s and 0s, intelligible or not.

  • (Score: 2) by frojack on Monday April 13 2015, @11:51PM

    by frojack (1554) on Monday April 13 2015, @11:51PM (#170085) Journal

    (US citizens are already legally barred from contributing to the project's encryption due to export laws)

    Citation needed. As far as I can determine all such restrictions ended in 2000.

    Not saying OpenBSD might be wise to be very selective about accepting US contributors,

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by kaszz on Tuesday April 14 2015, @12:06AM

      by kaszz (4211) on Tuesday April 14 2015, @12:06AM (#170093) Journal

      In what way would US contributors be worse than anyone else?

      • (Score: 3, Insightful) by c0lo on Tuesday April 14 2015, @12:27AM

        by c0lo (156) Subscriber Badge on Tuesday April 14 2015, @12:27AM (#170099) Journal

        In what way would US contributors be worse than anyone else?

        Influence and jurisdiction of FBI [cnet.com] and NSA [cryptome.org], I guess. Sorry, folks, not your (direct?) fault.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @01:05AM

          by Mr Big in the Pants (4956) on Tuesday April 14 2015, @01:05AM (#170126)

          As in spying on their source code?

          It is open, how is that relevant?

          As in arresting the coders contributing? Apart from the terrible PR OS projects are VERY tolerant of this and continue regardless. In fact you will probably be overwhelmed with non-US recruits wanting to sign up to help out.

          You have too much faith in your authoritarian masters, my friend. The more they tighten their grip, the more it will slip through their fingers.

          • (Score: 3, Informative) by c0lo on Tuesday April 14 2015, @01:13AM

            by c0lo (156) Subscriber Badge on Tuesday April 14 2015, @01:13AM (#170134) Journal

            As in arresting the coders contributing?

            As in weakening their code in non-obvious ways.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by c0lo on Tuesday April 14 2015, @01:43AM

            by c0lo (156) Subscriber Badge on Tuesday April 14 2015, @01:43AM (#170147) Journal

            You have too much faith in your authoritarian masters, my friend. The more they tighten their grip, the more it will slip through their fingers.

            While the matter with slipping is true, what the quoted aphorism won't tell you is the state of those slipping through the fingers; most of them will be in the form of a bloody pulp.
            If you like it better (may be so, if I'm correctly interpreting your "I see this as a GOOD THING"), good luck when your turn comes.

            (BTW: I have no masters... yet; certainly, if it can be helped, I don't intend to get some)

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @06:41AM

              by Mr Big in the Pants (4956) on Tuesday April 14 2015, @06:41AM (#170245)

              Feel free to be happy and comforted by an ever-worsening status quo.

              It sounds like you are reasoning based on fear more than anything else. No point arguing with that.

              • (Score: 0) by Anonymous Coward on Tuesday April 14 2015, @11:10AM

                by Anonymous Coward on Tuesday April 14 2015, @11:10AM (#170327)

                It sounds like you are reasoning based on fear more than anything else.

                And you sound like the glorious leader whose morals reduce to "If you want to make an omelet, you gotta break some eggs" - with the unspoken "as long as they are not mine".

          • (Score: 3, Funny) by TheRaven on Tuesday April 14 2015, @09:37AM

            by TheRaven (270) on Tuesday April 14 2015, @09:37AM (#170299) Journal

            It is open, how is that relevant?

            If you have a mechanism that allows malicious and non-malicious code to be trivially distinguished, then I know some VCs that would be very interested in throwing money at you (just to give you something to do for the couple of years before you claim your Turing Award).

            --
            sudo mod me up
        • (Score: 2) by kaszz on Tuesday April 14 2015, @01:07AM

          by kaszz (4211) on Tuesday April 14 2015, @01:07AM (#170129) Journal

          That's not so much a legal liability as the ability to do the "$1 wrench breach".

          • (Score: 2) by c0lo on Tuesday April 14 2015, @01:34AM

            by c0lo (156) Subscriber Badge on Tuesday April 14 2015, @01:34AM (#170145) Journal

            The "$1 wrench breach" is included in the "influence" part.
            The jurisdiction is not related to the legal liability of the "breached contributor", but to the possibility of acronym agencies gagging them afterwards. Those NSL [wikipedia.org]s? They are as nasty a tool as the $1 wrench.

            ...

            (BTW: last time I checked, that wrench used to be 5 times [xkcd.com] more expensive.
            Is the price drop a sign that the NSA's wrench volume purchases started to play significantly in US economy?)

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 2) by kaszz on Tuesday April 14 2015, @11:55AM

              by kaszz (4211) on Tuesday April 14 2015, @11:55AM (#170341) Journal

              How would these organizations get to an individual using NSLs etc. if the person is physically outside of the jurisdiction?

              Yeah, perhaps some organizations have a volume discount .... ;-)
              (the price is $12 with free shipping, I saw now)

      • (Score: 3, Informative) by frojack on Tuesday April 14 2015, @12:55AM

        by frojack (1554) on Tuesday April 14 2015, @12:55AM (#170118) Journal
    • (Score: 3, Informative) by JNCF on Tuesday April 14 2015, @01:26AM

      by JNCF (4317) on Tuesday April 14 2015, @01:26AM (#170140) Journal

      Citation needed.

      Wikipedia's summary of current encryption export laws in the US [wikipedia.org] (I just fixed a broken citation link to a government document with relevant information, so please don't tell me that Wikipedia isn't a good enough source).

      There are still restrictions on what cryptography you can export from the US. Not as many as there used to be, but still some on the books. I don't know enough about OpenBSD's encryption tools to say that they definitely include software that is still illegal to export from the US, but given that there is encryption software that is still illegal to export from the US, and that OpenBSD won't allow US programmers to contribute to their cryptography, I don't see what other conclusion can be drawn. Your suggestion that they are scared of three-letter-agencies doesn't make sense to me; three-letter-agencies obviously have agents living in foreign countries, and cryptography isn't the only part of the system vulnerable to back-doors.

      • (Score: 2) by frojack on Tuesday April 14 2015, @04:21AM

        by frojack (1554) on Tuesday April 14 2015, @04:21AM (#170212) Journal

        Nope. Only military encryption, and only embedded in devices. Open source is not restricted.

        Source code, they just want to see it, probably to make sure it's not theirs. And even that is not for approval, they just want a heads up.
        I went looking for the BIS page that addresses the specifics and it's a 404. They pulled the page, because it's not illegal.

        And OpenBSD is not illegal to export from the US. In fact Canadian export regs are virtually identical to US export when it comes to encryption.
        One subsidiary of Intel was fined, but not for selling OpenBSD, but rather for selling embedded OpenBSD in security products to banned countries:

        In April 2012, Wind River Systems voluntarily disclosed to BIS that between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List.

        http://www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/ [theregister.co.uk]

        So again, overhyping of events.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by JNCF on Wednesday April 15 2015, @03:05PM

          by JNCF (4317) on Wednesday April 15 2015, @03:05PM (#170990) Journal

          My previous link indicates that there are still mass market applications that are restricted, not just military, and your link actually seems to support this. Note that not all of the recipients were governments. It seems like they were selling devices for general security purposes and got fined $750,000 for exporting to the wrong countries (none of which have general sanctions against them). The BIS wanted them to apply for a license, not simply give them a notification. Do you see how this could deter OpenBSD from accepting cryptography-related code from the US? It's possible that it wouldn't even be strictly illegal, but that OpenBSD is trying to make sure that they stay away from complicated US regulations that could potentially put them in violation of US law. I still think a legal explanation for OpenBSD's refusal to accept US cryptography makes the most sense, but if you have some reason to think they have an unrelated motive I'm all ears. I can't find an official OpenBSD site that directly claims the ban on American cryptographers is due to legality, but this newsletter [cuug.ab.ca] from the Calgary Unix Users Group seems to indicate that this is the case:

          -One of the major reasons that OpenBSD is able to be more secure is that it can use cryptography freely. The project is hosted in Canada by Theo, so it is permitted to export free, non-United-States cryptography software to the world at large. Some of the software includes KERBEROS IV, and IPSEC, all written by 12 non-American programmers from around the world. (At one point, Theo started counting off some of the team: "Four Canadians, 6 Swedes, 3 Germans, 2 Argentineans, and a Greek..." Me, I seem to recall a Milton Berle joke that starts where these people all walk into a bar.)

          But that was from 1998. Perhaps OpenBSD is working off of an understanding of outdated American laws? The OpenBSD page on cryptography links to a summary of Canadian cryptographic export laws that includes a section [www.efc.ca] on exporting cryptography of American origin, but it seems potentially outdated as well. It's possible that the specifics are outdated, but the general case of cryptography coming from the US having extra strings attached is not.

          Again, if you have good reason to believe that OpenBSD's refusal to accept American cryptography is not related to American export laws I'd love to see it.

    • (Score: 0) by Anonymous Coward on Tuesday April 14 2015, @03:29AM

      by Anonymous Coward on Tuesday April 14 2015, @03:29AM (#170189)

      It did. I looked this up in 2010 when someone I worked with insisted on stripping all the crypto code out of a hosted repository based on this misunderstanding. I couldn't convince him this was stupid, and he's still doing it as far as I know.

      You are maybe supposed to notify the BIS although I've never heard of anyone getting in trouble for not doing this: https://www.bis.doc.gov/index.php/policy-guidance/encryption/registration [doc.gov]

    • (Score: 2) by gnuman on Tuesday April 14 2015, @10:41PM

      by gnuman (5013) on Tuesday April 14 2015, @10:41PM (#170604)

      Citation needed. As far as I can determine all such restrictions ended in 2000.

      If you write crypto code, even if open source, you have to register it with US government.

      http://www.cryptolaw.org/cls2.htm [cryptolaw.org]

      On 7 January 2011, a minor amendment was made to the EAR (Federal Register Vol. 76, No. 5, p. 1059). Publicly available mass-market encryption object code software (with symmetric key length exceeding 64 bits), and publicly available encryption object code of which the corresponding source code falls under License Exception TSU (i.e., when the source code is publicly available), are no longer subject to the EAR. The amendment includes some minor specific revisions.

      Export case law

              In August 2001, two men were arrested and accused of attempting to illegally export encryption devices to China (news report).
              In February 2002, the Commerce Department fined a San Diego firm $95,000 for illegally exporting 128-bit encryption software to South Korea (news report).

      http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status [wikipedia.org]

      Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494). In addition, other items require a one-time review by or notification to BIS prior to export to most countries.[9] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[10] Export regulations have been relaxed from pre-1996 standards, but are still complex.[9] Other countries, notably those participating in the Wassenaar Arrangement,[11] have similar restrictions.[12]

  • (Score: 2) by kaszz on Monday April 13 2015, @11:53PM

    by kaszz (4211) on Monday April 13 2015, @11:53PM (#170088) Journal

    This war on code, what is the outline of that? And is Germany really that bad?
    What hinders any US resident from contributing to that project as long as they don't store anything locally?

    • (Score: 2) by JNCF on Tuesday April 14 2015, @12:34AM

      by JNCF (4317) on Tuesday April 14 2015, @12:34AM (#170103) Journal

      This war on code, what is the outline of that? And is Germany really that bad?

      Germany has outlawed "hacker tools," which are defined vaguely. At least one security researcher has already had his door kicked down by law enforcement.

      What hinders any US resident from contributing to that project as long as they don't store anything locally?

      Export laws, [wikipedia.org] as previously stated.

      • (Score: 2) by frojack on Tuesday April 14 2015, @01:00AM

        by frojack (1554) on Tuesday April 14 2015, @01:00AM (#170121) Journal

        You should maybe read your own links.

          For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.

        They don't have to even approve it, but they still want a heads up. However a "contributor" to OpenBSD wouldn't even be the one making it publicly available. OpenBSD would be.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 3, Informative) by JNCF on Tuesday April 14 2015, @01:57AM

          by JNCF (4317) on Tuesday April 14 2015, @01:57AM (#170151) Journal

          For some things you only need to notify them (which seems like a pretty complicated process), but that isn't the case with everything. From the Wikipedia page we're discussing:

          Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494).

          Check out this document, [doc.gov] which is the Wiki citation ([9]) I mentioned in response to your other post. An excerpt:

          License Requirement Note:
          When a person performs or provides technical assistance that incorporates, or otherwise draws upon, “technology” that was either obtained in the United States or is of US-origin, then a release of the “technology” takes place. Such technical Commerce Control List assistance, when rendered with the intent to aid in the “development” or “production” of encryption commodities or software that would be controlled for “EI” reasons under ECCN 5A002 or 5D002, may require authorization under the EAR even if the underlying encryption algorithm to be implemented is from the public domain or is not of U.S. origin.

          Once again, I don't actually know enough about OpenBSD's encryption tools to say with 100% certainty that they fall under the umbrella of encryption software that is still illegal to export from the US, but there definitely is such software. If you continue to deny that my links say what they say I'm simply not going to reply to you anymore. You're allowed your own opinions, but not your own facts.

      • (Score: 2) by kaszz on Tuesday April 14 2015, @01:10AM

        by kaszz (4211) on Tuesday April 14 2015, @01:10AM (#170131) Journal

        Are there any other countries that have outlawed "hacker tools"?

        Oh, and those export laws seem quite ridiculous. But the pain they result in is still real.

      • (Score: 0) by Anonymous Coward on Tuesday April 14 2015, @01:11AM

        by Anonymous Coward on Tuesday April 14 2015, @01:11AM (#170132)

        "Germany has outlawed "hacker tools," which are defined vaguely. At least one security researcher has already had his door kicked down by law enforcement."

        Why didn't he shoot them when they kicked in his door and burn any survivors alive while filming it?

  • (Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @12:57AM

    by Mr Big in the Pants (4956) on Tuesday April 14 2015, @12:57AM (#170120)

    Well I beg to differ.

    The US is NOT the be all and end all of all things computing. And the world is a much larger place with its own data centers, don't ya know.

    Oh, let me guess, next you will be telling me the US will create a "great firewall" to stop it all? I refer you to my original post...

    And Europe is looking like the last (super power) hope for civilization - or at least a civilization worthy of the term. (no, I don't live there...)

    I would be all for such projects being exported to better countries. Or even being, say, open sourced...as in the source of their effort can come from anywhere...oh wait...they are already like that.