Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Sunday July 05 2015, @04:00AM   Printer-friendly
from the plain-text-is-good-enough dept.

The FBI and other LEOs often complain about the risk to preventing and protecting against crime posed by the use of encryption on the internet. Recently, there have been several senior figures stating quite categorically that encryption will enable criminals to operate with impunity, completely defeating the efforts of those 'trying to protect us'.

In fact, next Wednesday, both the Senate Intelligence Commitee and the Senate Judiciary Committee are hosting "hearings" for [FBI Director James] Comey, about the issue of "going dark" due to encryption.

[...] So it's rather interesting that before all that, the US Courts had released their own data on all wiretaps from 2014, in which it appears that encryption was almost never an issue at all, and in the vast majority of cases when law enforcement encountered encryption, it was able to get around it. Oh, and the number of wiretaps where encryption was even encountered has been going down rather than up:

The number of state wiretaps in which encryption was encountered decreased from 41 in 2013 to 22 in 2014. In two of these wiretaps, officials were unable to decipher the plain text of the messages. Three federal wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.

Obviously, if more communications are encrypted by default, it's true that the numbers here would likely rise. But the idea that there's some massive problem that requires destroying the safety of much of the internet, seems more than a bit far-fetched.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: -1, Flamebait) by Anonymous Coward on Sunday July 05 2015, @04:12AM

    by Anonymous Coward on Sunday July 05 2015, @04:12AM (#205193)

    You don't need encryption to ask the Internet what to do if your jaw gets tired while you're giving a blowjob. Everybody already knows whose cock you're sucking. Grow a bigger mouth or find a boyfriend with a smaller cock. You just haven't found the right guy yet, dude.

  • (Score: 4, Interesting) by frojack on Sunday July 05 2015, @05:09AM

    by frojack (1554) on Sunday July 05 2015, @05:09AM (#205197) Journal

    I suspect the TLAs are worried more by the future, with projects like "Lets Encrypt" and the fact that people are slowly finding and fixing all the holes in VPNs, and SSL/TLS. They are worried abut the inclusion of encrypted email by default that several companies are suggesting, Mozilla, Facebook, etc. The want to nip it in the bud. They don't want client side encryption in phones without a back door.

    I think they can see a ground swell of encryption if all those things get come to pass.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 5, Insightful) by Nerdfest on Sunday July 05 2015, @05:22AM

      by Nerdfest (80) on Sunday July 05 2015, @05:22AM (#205198)

      The funny part is that for the most part they've brought it upon themselves too. If they'd been obeying the law and getting warrants for intercepts as opposed to scooping up everything things would have happily continued as they always had.

      • (Score: 5, Insightful) by K_benzoate on Sunday July 05 2015, @06:02AM

        by K_benzoate (5036) on Sunday July 05 2015, @06:02AM (#205205)

        They're essentially whining that their illegal surveillance is no longer as effective as it used to be. The most irritating part is the incredulity with which they react when they're told they never should have had those capabilities in the first place, and indeed only got away with it for so long because of lack of real oversight and secrecy (the later thankfully shattered by Snowden).

        --
        Climate change is real and primarily caused by human activity.
    • (Score: 1, Interesting) by Anonymous Coward on Sunday July 05 2015, @09:52AM

      by Anonymous Coward on Sunday July 05 2015, @09:52AM (#205244)

      Their focus is on the citizens. All of us. They feel it's their inalienable right to harvest as much data from as many people as possible. This allows for all sorts of parallel construction chicanery.

      Not willing to spy on your neighbors? We can tie you to a crime 1,000 miles away with enough circumstantial evidence - and your lack of evidence that you didn't do it - even though you are innocent. And if you don't get convicted your reputation will be shot, you'll lose your job, you'll be broke from the legal fees and we have complete immunity. So help us nail your neighbor.

      • (Score: 0) by Anonymous Coward on Sunday July 05 2015, @10:29AM

        by Anonymous Coward on Sunday July 05 2015, @10:29AM (#205248)
        Child porn seems to be one of the easiest - when confronted with your own HDDs suddenly full of child porn you know you're screwed even if you never put any of it there. Who is going to believe you? They'll say the usual "I can't believe it" and be "disgusted with you". I bet many of your so-called friends will be at the front of the mob racing to stick their pitchforks into you.

        Of course they might not be able to use that method too often or the masses might start getting suspicious. That said I'm sure you can convince the masses that it's very prevalent or something like that.

        What you need to do is make sure all your HDDs are fully encrypted - so that they need to wipe stuff to put the porn on it- and recreating the entire HDD (software, emails, browser history, etc) to make it look like you've been using it is going to be a lot more work. So at least make them work a lot to hang you.

        But how many will do that? Full disk encryption is a lot less convenient - plus a lot more fragile in the face of drive and other errors.
        • (Score: 1, Interesting) by Anonymous Coward on Sunday July 05 2015, @07:04PM

          by Anonymous Coward on Sunday July 05 2015, @07:04PM (#205348)

          Full disk encryption doesn't have to be inconvenient. It's the default for Apple now. The problem comes with whether or not the FDE routines are backdoored.

    • (Score: 1, Touché) by Anonymous Coward on Sunday July 05 2015, @02:43PM

      by Anonymous Coward on Sunday July 05 2015, @02:43PM (#205289)

      It is amazing that they were able to catch anyone before there was an internet.

  • (Score: 2) by frojack on Sunday July 05 2015, @05:23AM

    by frojack (1554) on Sunday July 05 2015, @05:23AM (#205199) Journal

    Are they talking about grabbing a full take on someone's internet feed? On someone's VPN, or skype session?
    A great deal of that is encrypted, and if the claim they didn't encounter any encryption then those can't be what they are talking about. (Unless they scoff at such encryption, and dismiss it out of hand).

    If it is a traditional wiretap on a land line, why would they expect encryption?

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 4, Interesting) by Anonymous Coward on Sunday July 05 2015, @06:07AM

      by Anonymous Coward on Sunday July 05 2015, @06:07AM (#205206)

      If you read the summary, they're talking about messages in some text format: probably emails, SMS, or chat.

      The part that should worry you again:

      Encryption was also reported for five federal wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the communications in four of the five intercepts.

      They can decrypt 80% of the encrypted stuff they encounter. Think about that for a second. We don't know what kind of encryption they're breaking--maybe it's not tough, but it's not ROT-13. Are they breaking PGP mail? OTR instant messages? Are they getting decryption keys from Blackberry to read texts?

      Also, did they just fail to report analysis done in previous years, or are they keeping this data around for several years?

      • (Score: 2) by Nerdfest on Sunday July 05 2015, @01:04PM

        by Nerdfest (80) on Sunday July 05 2015, @01:04PM (#205274)

        I'd guess SSL or services where the companies holding the keys are on American soil and can be given NSLs. I doubt they can break encryption where the keys are only shared between the message sender and receiver, but as usual, I could be wrong.

  • (Score: 2, Interesting) by anubi on Sunday July 05 2015, @06:29AM

    by anubi (2828) on Sunday July 05 2015, @06:29AM (#205212) Journal

    Looks to me like about the last thing one would want to do is start spewing encrypted streams if one was trying to lay low and not arouse attention. All the TLA's probably have back doors to all the "approved" encryption techniques anyway, and all you have done is illuminate yourself as a generator of such stuff.

    Once you are on the radar, everyone you contact is on it too.

    Internet AIDS, if you will...

    The real art is in communicating right out in the open without anyone even suspecting. Stuff like steganography. Use common public protocols, and hide your rubies in what looks like the cat litter pail. Roll your own encryption so you do not leave identifiable signatures of prior art. Use one-time pads of digitized interstation FM hiss if you are really paranoid about your stuff getting out. Hide it in custom porn or lulzcat videos, common stuff but no other copies exist to which the contents can be compared - or "pirated" redigitizations of copyright infringments... everyone else who downloads it is quite unaware of what's in the noise and sees only the movie. The fact many people downloaded the thing gives the cats a lot of mice to chase. Who cares if they have a copy of your stego'd in dirty little secret? Its useless and even its very existence is not detectable without the pad.

    I get the idea this fear of encryption is overdone. I feel encryption is only of use if the existence of the communication is already known. Stuff such as above-the-board financial transactions and other business communication. Sure, TLA may use their backdoor, but should they misuse their privilege, problems will start showing up, get traced back to them, and they will have some explaining to do.

    For the real covert stuff, the cat is out of the bag if its discovered that a communication even took place.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by MichaelDavidCrawford on Sunday July 05 2015, @06:47AM

      Modify the encryption algorithm in some innocuos way then dont tell anyone what you did.

      For example AES has multiple rounds. Add one or two more.

      Destroy the source code.

      To have any hope of decryption they will need your binary. While they could conceivably find it there are ways to hide it that would make it quite difficult for others to find. For example your crypto could be a photoshop plugin, unless you edit a certain specific image.

      --
      Yes I Have No Bananas. [gofundme.com]
    • (Score: 4, Interesting) by frojack on Sunday July 05 2015, @08:32AM

      by frojack (1554) on Sunday July 05 2015, @08:32AM (#205226) Journal

      The problem with not using encryption so as to avoid suspicion is that then becomes the standard by which every one is judged. By knuckling under you condemn us all.

      In short, you've chosen to become a useful idiot for them.

      They can do a full take on just about anyone's and everyone's data stream. You can't hide in plain sight and expect that to work.

      Why has Soylentnews.org decided on https only when everyone can pull up the pages? Because it forces them to break the encryption just to be sure it is what they think it is. Less resources to dedicate to digging into your personal life.

      Encrypt it all and let God sort it out.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1, Informative) by Anonymous Coward on Sunday July 05 2015, @08:46AM

        by Anonymous Coward on Sunday July 05 2015, @08:46AM (#205232)

        While I agree with the encrypt everything approach, actually, any site with a login should be HTTPS-only (at least for logged in users) to protect against the Firesheep [wikipedia.org] attack.

      • (Score: 4, Insightful) by _NSAKEY on Sunday July 05 2015, @08:40PM

        by _NSAKEY (16) on Sunday July 05 2015, @08:40PM (#205366)

        That, and they can't inject exploits into the packet stream in transit like they did with YouTube back before it went https-only.

    • (Score: 0) by Anonymous Coward on Sunday July 05 2015, @10:46AM

      by Anonymous Coward on Sunday July 05 2015, @10:46AM (#205250)

      Looks to me like about the last thing one would want to do is start spewing encrypted streams if one was trying to lay low and not arouse attention.

      You did notice the s in https in the url for soylent right? Encrypted traffic is commonplace. Most people don't even realize how frequently they use it.

    • (Score: 0) by Anonymous Coward on Monday July 06 2015, @06:11AM

      by Anonymous Coward on Monday July 06 2015, @06:11AM (#205501)
      Rolling your own encryption is dangerous. Even the best people make mistakes that leave them wide open, and good cryptography is very hard to get right.
    • (Score: 2) by Yog-Yogguth on Wednesday July 29 2015, @09:21PM

      by Yog-Yogguth (1862) Subscriber Badge on Wednesday July 29 2015, @09:21PM (#215613) Journal

      Not to discourage you and not saying you're wrong (your conclusions are spot on in my opinon) exept one thing (and sorry if you've heard this before, not meaning to be a bore): you don't need to use encryption to get “internet AIDS”, I guarantee you that you already have it.

      You don't need to read anything, you don't need to load a page after the fact, or (if by e-mail) the mail never needs to be delivered to your spam box or even sent; it's enough that it was somewhere where it was accessed (either in transit or on a corrupted node including any endpoints) and that it somehow involved or referenced you or has some kind of association with you.

      You have never done anything at all, never mind whether it would be good or bad. It still doesn't matter.

      Now then (if you read this) what precisely do you think my signature is? It is (purportedly) text strings the XKeyscore [wikipedia.org] system looks for in any and all MIME [wikipedia.org] content (or S/MIME [wikipedia.org] for that matter) the massive surveillance and manipulation system gets access to (not just e-mails but html pages, any html page bulk text like this comment is MIME, the details are in the given Wikipedia link). According to the snippets of leaked XKeyscore ruleset/configuration it flags anyone/thing associated with hits matching these strings as an extremist. Maybe they've changed that now or maybe they haven't, and who knows what else the ruleset looks for, it could be anything.

      This is why there are millions of ordinary boring people on various lists already. Like you and me.

      Not enough to get you into trouble on its own, enough to prove a point about where we are right now.

      If this wasn't enough the system (i.e. not just XKeyscore but all of it) simply doesn't care if you have “internet AIDS”: it takes everything it can get and tries to get what it can not yet get. You are facing pretty much every government on the planet, every single “secret” service no matter if they're allies or not, exponential technological improvement, billions and billions of yearly expenditure, and some of the “smartest”/most capable people who have ever lived who nevertheless are for most part unable to realize where this thing “ends”.

      It's hard to explain the horrors of this without sounding insane, even more so to people who aren't particularly interested or who can't overcome their innate disbelief or who simply don't understand the details. I'm no good at it. This is something that can be improved.

      Another thing one can do is to speak ones mind openly.

      Maybe the above is stupid, but I try not to do anything too stupid, deciding on my own terms as each should do for themselves.

      --
      Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
      • (Score: 1) by anubi on Thursday July 30 2015, @02:10AM

        by anubi (2828) on Thursday July 30 2015, @02:10AM (#215700) Journal

        Thanks for the post. You and I think a lot alike.

        I am convinced of exactly what you pointed out - we are all on a list - just like at credit reporting agencies. With the numbers beside our name indicating correlation of our perceived allegiance to different memes.

        Like you say, I feel one thing I can do is openly speak my mind. And I do. Here. Probably too much.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 0) by Anonymous Coward on Sunday July 05 2015, @10:07AM

    by Anonymous Coward on Sunday July 05 2015, @10:07AM (#205246)

    I am not even worried about them. I am worried about them making me vulnerable to other, less official, "adversaries". By that I mean scammers and schemers. It is a really disgraceful situation right now. I hope they clean up their act.

  • (Score: 1, Touché) by mcgrew on Sunday July 05 2015, @12:20PM

    by mcgrew (701) <publish@mcgrewbooks.com> on Sunday July 05 2015, @12:20PM (#205268) Homepage Journal

    The FBI and other LEOs

    I'm a nerd, and as such, LEO means low Earth orbit. The proper three letters for police officers for you kids too lazy to type it out is COP, as in "The FBI and other cops." For the non-lazy, "The FBI and other police agencies".

    Sorry, but seeing LEO for "cop" on a nerd site rankles. I can see the confusion when you report on the first police officer in orbit. "The LEO reached LEO at 4:20..."

    --
    mcgrewbooks.com mcgrew.info nooze.org
    • (Score: 0) by Anonymous Coward on Monday July 06 2015, @03:01PM

      by Anonymous Coward on Monday July 06 2015, @03:01PM (#205650)

      LOW earth orbit? At 4:20? Talk about doing it wrong, man.