SoylentNews is people
SoylentNews
The Washington Post reports that Adm. Michael S. Rogers is continuing to advocate for weakened encryption as the White House explores a number of possible schemes, as illustrated by this infographic.
For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?
Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, suggested Adm. Michael S. Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it?
"I don't want a back door," Rogers, the director of the nation's top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. "I want a front door. And I want the front door to have multiple locks. Big locks."
[...] The split-key approach is just one of the options being studied by the White House as senior policy officials weigh the needs of companies and consumers as well as law enforcement — and try to determine how imminent the latter's problem is. With input from the FBI, intelligence community and the departments of Justice, State, Commerce and Homeland Security, they are assessing regulatory and legislative approaches, among others.
The White House is also considering options that avoid having the company or a third party hold a key. One possibility, for example, might have a judge direct a company to set up a mirror account so that law enforcement conducting a criminal investigation is able to read text messages shortly after they have been sent. For encrypted photos, the judge might order the company to back up the suspect's data to a company server when the phone is on and the data is unencrypted. Technologists say there are still issues with these approaches, and companies probably would resist them.
Google, Apple, and others have been pretty badly burned by the NSA's crimes, so it's probably safe to say Mike Rogers should file that idea under Norfolk & Way.
(Score: 2) by frojack on Monday April 13 2015, @11:51PM
(US citizens are already legally barred from contributing to the project's encryption due to export laws)
Citation needed. As far as I can determine all such restrictions ended in 2000.
Not saying OpenBSD might be wise to be very selective about accepting US contributors,
No, you are mistaken. I've always had this sig.
(Score: 2) by kaszz on Tuesday April 14 2015, @12:06AM
In what way would US contributors be worse than anyone else?
(Score: 3, Insightful) by c0lo on Tuesday April 14 2015, @12:27AM
Influence and jurisdiction of FBI [cnet.com] and NSA [cryptome.org], I guess. Sorry, folks, not your (direct?) fault.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @01:05AM
As in spying on their source code?
It is open, how is that relevant?
As in arresting the coders contributing? Apart from the terrible PR OS projects are VERY tolerant of this and continue regardless. In fact you will probably be overwhelmed with non-US recruits wanting to sign up to help out.
You have too much faith in your authoritarian masters, my friend. The more they tighten their grip, the more it will slip through their fingers.
(Score: 3, Informative) by c0lo on Tuesday April 14 2015, @01:13AM
As in weakening their code in non-obvious ways.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by c0lo on Tuesday April 14 2015, @01:43AM
While the matter with slipping is true, what the quoted aphorism won't tell you is the state of those slipping through the fingers; most of them will be in the form of a bloody pulp.
If you like it better (may be so, if I'm correctly interpreting your "I see this as a GOOD THING"), good luck when your turn comes.
(BTW: I have no masters... yet; certainly, if it can be helped, I don't intend to get some)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @06:41AM
Feel free to be happy and comforted by a ever worsening status quo.
It sounds like you are reasoning based on fear more than anything else. Not point arguing with that.
(Score: 0) by Anonymous Coward on Tuesday April 14 2015, @11:10AM
And you sound like the glorious leader who's morals reduce to "If you want to make an omelet, you gotta break some eggs" - with the unspoken "as long as they are not mine".
(Score: 3, Funny) by TheRaven on Tuesday April 14 2015, @09:37AM
It is open, how is that relevant?
If you have a mechanism that allows malicious and non-malicious code to be trivially distinguished, then I know some VCs that would be very interested in throwing money at you (just to give you something to do for the couple of years before you claim your Turing Award).
sudo mod me up
(Score: 2) by kaszz on Tuesday April 14 2015, @01:07AM
That's not so much a legal liability as the ability to do the "$1 wrench breach".
(Score: 2) by c0lo on Tuesday April 14 2015, @01:34AM
The "$1 wrench breach" is included in the "influence" part.
The jurisdiction is not related with the legal liability of the "breached contributor", but with the possibility of acronym agencies to gag them afterwards. Those NSL [wikipedia.org]s? They are an as nasty tool as the $1 wrench.
...
(BTW: last time I checked, that wrench used to be 5 times [xkcd.com] more expensive.
Is the price drop a sign that the NSA's wrench volume purchases started to play significantly in US economy?)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by kaszz on Tuesday April 14 2015, @11:55AM
How would these organizations get to an individual using NSL etc if the person are physically outside of the jurisdiction?
Yeah, perhaps some organizations have a volume discount .... ;-)
(the price is 12$ with free shipping I saw now)
(Score: 3, Informative) by frojack on Tuesday April 14 2015, @12:55AM
http://www.pcworld.com/article/2454380/overreliance-on-the-nsa-led-to-weak-crypto-standard-nist-advisers-find.html [pcworld.com]
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by anubi on Tuesday April 14 2015, @11:01AM
They already have it.
Its been in every Windows distribution since WIN95OSR2. [google.com]
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Informative) by JNCF on Tuesday April 14 2015, @01:26AM
Citation needed.
Wikipedia's summary of current encryption export laws in the US [wikipedia.org] (I just fixed a broken citation link to a government document with relevant information, so please don't tell me that Wikipedia isn't a good enough source).
There are still restrictions on what cryptography you can export from the US. Not as many as there used to be, but still some on the books. I don't know enough about OpenBSD's encryption tools to say that they definitely include software that is still illegal to export from the US, but given that there is encryption software that is still illegal to export from the US, and that OpenBSD won't allow US programmers to contribute to their cryptography, I don't see what other conclusion can be drawn. Your suggestion that they are scared of three-letter-agencies doesn't make sense to me; three-letter-agencies obviously have agents living in foreign countries, and cryptography isn't the only part of the system vulnerable to back-doors.
(Score: 2) by frojack on Tuesday April 14 2015, @04:21AM
Nope. Only military encryption, and only embedded in devices. Opensource is not restricted.
Source code, they just want to see it, probably to make sure its not theirs. And even that is not for approval, they just want a heads up.
I went looking for the BIS page that addresses the specifics and its a 404. They pulled the page, because its not illegal.
And OpenBSD is not illegal to export from the US. In fact Canadian export regs are vertically identical to US export when it comes to Encryption.
One subsidy of Intel was fined, but not for selling Openbsd, but rather selling embedded OpenBSD in security products to banned countries:
In April 2012, Wind River Systems voluntarily disclosed to BIS that between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List.
http://www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/ [theregister.co.uk]
So again, overhyping of events.
No, you are mistaken. I've always had this sig.
(Score: 2) by JNCF on Wednesday April 15 2015, @03:05PM
My previous link indicates that there are still mass market applications that are restricted, not just military, and your link actually seems to support this. Note that not all of the recipients were governments. It seems like they were selling devices for general security purposes and got fined $750,000 for exporting to the wrong countries (none of which have general sanctions against them). The BIS wanted them to apply for a license, not simply give them a notification. Do you see how this could deter OpenBSD from accepting cryptography-related-code from the US? It's possible that it wouldn't even be strictly illegal, but that OpenBSD is trying to make sure that they stay away from complicated US regulations that could potentially make them in violation of US law. I still think a legal explanation for OpenBSD's refusal to accept US cryptography makes the most sense, but if you have some reason to think they have an unrelated motive I'm all ears. I can't find an official OpenBSD site that directly claims the ban on American cryptographers is due to legality, but this newsletter [cuug.ab.ca] from the Calgary Unix Users Group seems to indicate that this is the case:
-One of the major reasons that OpenBSD is able to be more secure is that it can use cryptography freely. The project is hosted in Canada by Theo, so it is permitted to export free, non-United-States cryptography software to the world at large. Some of the software includes KERBEROS IV, and IPSEC, all written by 12 non-American programmers from around the world. (At one point, Theo started counting off some of the team: "Four Canadians, 6 Swedes, 3 Germans, 2 Argentineans, and a Greek..." Me, I seem to recall a Milton Berle joke that starts where these people all walk into a bar.)
But that was from 1998. Perhaps OpenBSD is working off of an understanding of outdated American laws? The OpenBSD page on cryptography links to a summary of Canadian cryptographic export laws that includes a section [www.efc.ca] on exporting cryptography of American origin, but it seems potentially outdated as well. It's possible that the specifics are outdated, but the general case of cryptography coming from the US having extra strings attached is not.
Again, if you have good reason to believe that OpenBSD's refusal to accept American cryptography is not related to American export laws I'd love to see it.
(Score: 0) by Anonymous Coward on Tuesday April 14 2015, @03:29AM
It did. I looked this up in 2010 when someone I worked with insisted on stripping all the crypto code out of a hosted repository based on this misunderstanding. I couldn't convince him this was stupid, and he's still doing it as far as I know.
You are maybe supposed to notify the BIS although I've never heard of anyone getting in trouble for not doing this: https://www.bis.doc.gov/index.php/policy-guidance/encryption/registration [doc.gov]
(Score: 2) by gnuman on Tuesday April 14 2015, @10:41PM
Citation needed. As far as I can determine all such restrictions ended in 2000.
If you write crypto code, even if open source, you have to register it with US government.
http://www.cryptolaw.org/cls2.htm [cryptolaw.org]
On 7 January 2011, a minor amendment was made to the EAR (Federal Register Vol. 76, No. 5, p. 1059). Publicly available mass-market encryption object code software (with symmetric key length exceeding 64 bits), and publicly available encryption object code of which the corresponding source code falls under License Exception TSU (i.e., when the source code is publicly available), are no longer subject to the EAR. The amendment includes some minor specific revisions.
Export case law
In August 2001, two men were arrested and accused of attempting to illegally export encryption devices to China (news report).
In February 2002, the Commerce Department fined a San Diego firm $95,000 for illegally exporting 128-bit encryption software to South Korea (news report).
http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status [wikipedia.org]
Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494). In addition, other items require a one-time review by or notification to BIS prior to export to most countries.[9] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[10] Export regulations have been relaxed from pre-1996 standards, but are still complex.[9] Other countries, notably those participating in the Wassenaar Arrangement,[11] have similar restrictions.[12