from the it-will-happen-when-we-are-not-looking dept.
The Intercept reports on an email obtained by The Washington Post: Top [Intelligence] Lawyer Says Terror Attack Would Help Push for Anti-Encryption Legislation:
The intelligence community's top lawyer, Robert S. Litt, told colleagues in an August email obtained by the Washington Post that Congressional support for anti-encryption legislation "could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement." So he advised "keeping our options open for such a situation."
[...] A senior official granted anonymity by the Post acknowledged that the law enforcement argument is "just not carrying the day." He told the Post reporters: "People are still not persuaded this is a problem. People think we have not made the case. We do not have the perfect example where you have the dead child or a terrorist act to point to, and that's what people seem to claim you have to have."
On Tuesday, Amy Hess, a top FBI official, told reporters that the bureau has "done a really bad job collecting empirical data" on the encryption problem. FBI Director James Comey has attempted to provide examples of how law enforcement is "going dark," but none have checked out. Only Manhattan District Attorney Cyrus Vance has been able to provide an example of encrypted technology maybe blocking one possible lead in a murder investigation.
Litt was commenting on a draft options paper from the National Security Council that includes three proposals for the Obama Administration: oppose compulsory backdoor legislation and come out in favor of encryption, defer any decisions until after an open consultation, or do nothing. No option calling for backdoors was included.
In other news, the EFF has issued its first certificate as part of the Let's Encrypt initiative. Microsoft researchers have published a paper and code (MIT license) for FourQ, a new and faster elliptic curve cryptography implementation. Cryptome's John Young has announced that some of his public PGP keys have been compromised.
Related:
June 7: FBI Official: "Build Technological Solutions to Prevent Encryption Above All Else"
July 30: Ex-Intelligence Officials Support Encryption in Editorial
September 10: Justice Department Considered Suing Apple Over iMessage Encryption
Related Stories
Another day, another U.S. law enforcement official calling for regulation and weakening of encryption. This time, Michael Steinbach, assistant director in the FBI's Counterterrorism Division, has told Congress that Internet communication services are helping ISIS/ISIL and other terrorist groups as they are now "Going Dark," and the FBI needs a "front door":
As far as the FBI is concerned, private companies must "build technological solutions to prevent encryption above all else," the Washington Post reports Steinbach as saying. That's a pretty sharp reverse ferret from the FBI, which four years ago was recommending encryption as a basic security measure. But Steinbach said evildoers are hiding behind US-made technology to mask their actions.
Steinbach told the committee that encrypted communications were the bane of the agency's efforts to keep the American public safe from terror. But the FBI wasn't insisting on back door access to encryption; rather, it wants companies to work directly with law enforcement where necessary. "Privacy above all other things, including safety and freedom from terrorism, is not where we want to go," Steinbach said. "We're not looking at going through a back door or being nefarious."
Instead the FBI wants a front door; a system to allow it to break encryption created by US companies. Understandably, US tech firms aren't that keen on the idea, since "we have borked encryption" isn't much of a selling point.
Three former intelligence and defense officials have published an op-ed in The Washington Post supporting encryption and rejecting the Department of Justice and FBI Director Comey's campaign to weaken encryption using backdoors or key escrow:
Mike McConnell is a former director of the National Security Agency and director of national intelligence. Michael Chertoff is a former homeland security secretary and is executive chairman of the Chertoff Group, a security and risk management advisory firm with clients in the technology sector. William Lynn is a former deputy defense secretary and is chief executive of Finmeccanica North America and DRS Technologies.
More than three years ago, as former national security officials, we penned an op-ed [paywall] to raise awareness among the public, the business community and Congress of the serious threat to the nation's well being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation.
[...] Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.
TechDirt speculated that the Washington Post "unpublished" the editorial, but the Post reuploaded the story, saying that a "production error" had caused it to be posted prematurely.
At the Aspen Security Forum in Colorado, Homeland Security Secretary Jeh Johnson recently went off the "Going Dark" script:
FBI Director James Comey, who opened the annual Aspen conference on Wednesday night, warned that his agency is "going dark" because of the use of unbreakable end-to-end encryption. It's an argument Comey has been making for months now. Johnson's comments were a reminder that authorities can see plenty.
"We have developed good capabilities to detect plotting, to detect efforts to do something bad in our homeland," he said. He then added that he wasn't disputing Comey's conclusion. "Um, we do have the problem of going dark that Jim talked about last night, very definitely."
This summer, the Justice Department obtained a court order in a case involving guns and drugs and demanded that Apple turn over iMessages sent between suspects in the case. Apple's response was that it couldn't comply – the encryption prevented it from being able to read the messages, so turning the data over to law enforcement would be useless.
Now, some senior Justice Department and FBI officials are calling for Apple to be taken to court over the issue, reports The New York Times. Earlier this year, FBI director James Comey argued that tech companies who serve lots of message traffic, such as Apple, Google, and WhatsApp, should build in master keys to bypass end-to-end encryption.
The flaws, which were apparently missed in an earlier independent audit of the TrueCrypt source code, could allow attackers to obtain elevated privileges on a system if they have access to a limited user account.
The original authors of TrueCrypt, who have remained anonymous, abruptly shut down the project in May 2014 warning that "it may contain unfixed security issues" and advised users to switch to BitLocker, Microsoft's full-disk encryption feature that's available in certain versions of Windows.
At that time a crowd-funded effort was already underway to perform a professional security audit of TrueCrypt's source code and its cryptography implementations. The first phase, which analyzed the TrueCrypt driver and other critical parts of the code, had already been completed when TrueCrypt was discontinued. The auditors found no high-severity issues or evidence of intentional backdoors in the program.
It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered
Top law enforcement officials and Silicon Valley leaders, including Apple CEO Tim Cook, met on Friday to discuss topics related to support for terrorism on social media, as well as encryption:
Media were not invited to the Silicon Valley meeting. NPR talked with spokespeople from several companies who were attending, and got a copy of the email invite. It's a powerhouse list: White House Chief of Staff Denis McDonough, Attorney General Loretta Lynch, FBI Director James Comey and National Intelligence Director James Clapper.
Apple CEO Tim Cook was there. Google, Facebook, Twitter and Yahoo were among the other companies that confirmed attendance.
The word "encryption" is mentioned in the invite. But companies who'd be very relevant to that conversation, like Cisco, were not invited. White House spokesman Josh Earnest said encryption was likely to come up at the meeting, but he described it as a "thornier" issue.
[...] A spokesperson from one company at the meeting, who didn't want to be identified because of the sensitivity of the issues involved, said it's almost as if the administration wants a Madison Avenue ad campaign, only coming from tech geeks. Another criticized the event as a "bait and switch." Companies were told, more or less: "Hey, the government wants to brainstorm with the very best engineers about how technology can help fight terrorism," the second source said. It was similar in tone to the White House's call for tech support after the massive failure of Healthcare.gov.
But as the planning for Friday's meeting evolved, so did the tone. And in the 11th hour, companies fought to bring their lawyers, because it's clearly not just a technical conversation.
[More After the Break]
(Score: 0) by Anonymous Coward on Friday September 18 2015, @05:02AM
This message is encrypted! in transit.. Strong encryption is great! for nothing.
(Score: 0) by Anonymous Coward on Friday September 18 2015, @05:12AM
It forces the NSA to store the data in the hopes that it may eventually be decrypted.
I guess in this case they can decrypt it in seconds by visiting the website, but they do not know that until they check.
(Score: 0) by Anonymous Coward on Friday September 18 2015, @08:13AM
Also, assume you write something, but then in preview you decide that you'd rather not post it. With encrypted transmission the NSA can only ever see your non-posted message in encrypted form (unless they have a backdoor to SN).
(Score: 0) by Anonymous Coward on Friday September 18 2015, @08:33PM
The government has absolutely no constitutional authority to restrict cryptography. Not that that will stop them. Not that our courts will necessarily stop them, either, since many judges seem to be extremely authoritarian and treacherous.
(Score: 4, Funny) by Anonymous Coward on Friday September 18 2015, @05:07AM
will not be posted by me. All you xkcd lovers are autofellating mouthfuckers. FUCK YOU.
(Score: 0) by Anonymous Coward on Friday September 18 2015, @05:54AM
I think I found it:
Legal Hacks [xkcd.com]
The one from a couple of days ago seems strangely relevant too:
Squirrelphone [xkcd.com]
(Score: 0) by Anonymous Coward on Friday September 18 2015, @06:16AM
Ooops, sorry about the clear-text links:
Legal Hacks [xkcd.com]
Squirrelphone [xkcd.com]
(Score: 2) by tangomargarine on Friday September 18 2015, @08:37PM
Why should I care whether my connection to XKCD is encrypted?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Anal Pumpernickel on Friday September 18 2015, @08:42PM
The more mundane things are encrypted, the more cover will be provided for activities that are more private in nature. We need to encrypt as much 'useless' stuff as possible.
(Score: 2) by Justin Case on Saturday September 19 2015, @11:43AM
So that you get the actual XKCD content and not injected ads and malware.
(Score: 2) by tangomargarine on Sunday September 20 2015, @09:35PM
Is that a common problem with XKCD?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Justin Case on Sunday September 20 2015, @09:53PM
Yes, if in your part of the world XKCD is something that's delivered via the Internet.
Perhaps you haven't been paying attention. ISPs are injecting ads. China is injecting malware. Who knows what other asshats are corrupting things. They don't care what page you're viewing, they just want control of your machine and/or eyeballs.
(Score: 2) by tangomargarine on Sunday September 20 2015, @10:04PM
I'm already running NoScript and AdBlock, so whatever.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Justin Case on Sunday September 20 2015, @10:25PM
Good for you. No, seriously. Now if we can get a few hundred million people to do the same, we wouldn't need https everywhere. Well, not as much.
(Score: 0) by Anonymous Coward on Friday September 18 2015, @06:02AM
Motherfuckers? [xkcd.com]
No, Fuck Grapefruit. [xkcd.com]
Obligatory [xkcd.com]
(Score: 2) by Bot on Friday September 18 2015, @08:11AM
> autofellating mouthfuckers. FUCK YOU
I'm sure there is a relevant XKCD for this.
Account abandoned.
(Score: 0) by Anonymous Coward on Saturday September 19 2015, @12:59AM
Don't start with the damned ">" quoting bullshit. Leave it to that one lazy AC. The blockquote tag is right there under every comment submission. Really why bother going to a nerdy news site if you can't or don't know how to use html?
(Score: 5, Insightful) by Whoever on Friday September 18 2015, @05:11AM
It must be great to work high-up in Intelligence. If they fail (terror attack takes place) they get more resources, more money, more everything. What's not to like about a job like that?
(Score: 2) by davester666 on Friday September 18 2015, @05:35AM
Whatever the next 'attacks' are, you can bet that every time, they will say that encryption likely prevented them from stopping the 'attack' from happening.
(Score: 0) by Anonymous Coward on Friday September 18 2015, @06:11AM
Whats not to like about a job in an intelligence agency?
Politics.
This is yet another government job with no deliverables. All theater.
Best to study Machiavelli to survive in this country club.
Engineering will only get you into trouble.
I would stay as far away from those folks as I can if I were you.
(Score: 4, Insightful) by Bot on Friday September 18 2015, @08:32AM
How is a terrorist attack even failure? Terrorist attacks always help the powerful ones already in charge, and they did so before terrorism was even a word, see French revolution terror, Vlad the impaler, and a score of tyrants and kings before then. They almost never help the terrorists' official agenda (unless the terrorist's agenda coincides with powerful ones' interests).
The only way to fight terrorism and wars is to make it illegal to profit from that.
You make one cent from selling arms*? High treason against humanity.
You award special powers because of a terrorist act? you are de facto accomplice, if not the mastermind behind it.
*) one little problem with that is that the world's most lethal weapon is called the financial system, and we kind of all support it by using money.
About encryption, this seems more about muscle flexing, the PC I am sending this stuff from has one official backdoor stack (no surprise from a company called "intel"...) and who knows how many hardware ones.
Account abandoned.
(Score: 2) by Anal Pumpernickel on Friday September 18 2015, @08:36PM
What's not to like about a job like that?
I imagine it's not a very good job for people who aren't treacherous freedom-hating scumbags who want to shred the constitution.
(Score: 5, Insightful) by stormwyrm on Friday September 18 2015, @05:24AM
Even if you have a dead child or a terrorist act to point to, I don't think weakening encryption is worth it. We use strong encryption to secure our financial transactions and protect our privacy. A dead child is a terrible thing, but is that really more terrible than the destruction of the foundation of modern electronic commerce? Law enforcement officials are deluding themselves if they believe that the back doors they want will be used by them and only them and only in legitimate situations. Eventually criminals and foreign governments will have the master keys for these back doors too, and then where will we be? And even if they removed the avenues of encrypted communication criminals and terrorists would just use encryption apps available outside the United States that don't have the mandated back doors or stop using electronic communication altogether, and just do things the old-fashioned way.
We are still seeing the after-effects of Crypto War I with things like the FREAK and Logjam attacks on TLS. Hopefully when this Crypto War II ends we won't wind up in worse shape.
Numquam ponenda est pluralitas sine necessitate.
(Score: 2, Insightful) by Anonymous Coward on Friday September 18 2015, @08:00AM
The whole problem is that modern law enforcement are lazy and want their work done by computer. They don't want to go and investigate. They want to know when you're being naughty so they can come in and get a conviction, and some medal from the President for being awesome.
(Score: 3, Touché) by TheGratefulNet on Friday September 18 2015, @03:09PM
and get a conviction, and some medal from the President for being awesome.
for that, I think that building a clock is a better way to do that.
"It is now safe to switch off your computer."
(Score: 4, Interesting) by jmorris on Friday September 18 2015, @05:46AM
They might could have imposed crypto regs back in the Clinton days when nobody had experienced the benefits and you couldn't even post PGP on an open ftp site. The genie isn't just out of the bottle now, the sucker is everywhere and nobody even remembers where the darned bottle even is anymore.
They will try to make Apple and Google stop encrypting phones or give law enforcement a backdoor. Even that is probably a year or two late to get done. Apple is a single point of failure, enough political pressure could make them fold if getting them on board would solve the problem. The Android side is far too complicated since it isn't just a matter of leaning on Google. You would need every handset maker to not only get on board but reverse the trend toward unlocking bootloaders and they would have to end all alt roms. It would also mean ending the Nexus line and creating an entirely rethought way to allow developers to exist. None of that is likely. More important it isn't likely to be something they can mandate in the next year or two and with every year it becomes harder.
They have succeeded for longer than anyone thought though. For example, email is still mostly open. All it would take (especially ten years ago when standalone MUAs were still a thing) is one open source mail client to generate a public key pair during initial setup, publish the public key to multiple key servers by default and attack the key to all outbound mail. Collect the keys from inbound email on first observation, verify it from the public keyservers, etc. and then default to encrypting all mail to that person by default. The widespread attacked keys would have encouraged most other mail clients to quickly add support. Yes zero, even open source ones, even ones based outside the US, added such an obvious feature. Somebody was responsible for quietly enforcing that.
They would have even keep most the web snoopable by keeping most https traffic restricted to finance and ecommerce until the Snowden fiasco unleased a frenzy to encrypt everything.
(Score: 2) by Hyperturtle on Saturday September 19 2015, @12:27AM
What? In the Clinton days? Were you there?
I still have my "Big Brother Inside" t-shirt, it looks like the Intel Logo and refers to the Clipper Chip.
I was talking about this very thing today -- they are more likely to get it passed today than back then.
Because there were less ignorant people involved to pass such decisions back then. My mom didn't care about computers then. Now she worries that we might not be safe from the islamofacists or whatever they are called, because they have "gone dark" by sending paper notes on trained birds or bats or something, and so we need strong cryptothings to defeat them. god bless america!
(Score: 2) by Justin Case on Saturday September 19 2015, @12:00PM
All it would take (especially ten years ago when standalone MUAs were still a thing) is one open source mail client to generate a public key pair during initial setup
[quote name="Average User"]What is this "mail" of which you speak? I use Outlook. I must use Outlook. Outlook === my life.[/quote]
(Score: 1, Redundant) by frojack on Friday September 18 2015, @06:39AM
Congressional support for anti-encryption legislation "could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement." So he advised "keeping our options open for such a situation."
Ok, watch for some useful idiot plant a bomb, (don't worry nobody will be hurt, and only federal property will be damaged), followed by news video of the terrorist wannabe being rounded up with some encrypted laptop and some encrypted email, heroically decrypted days after the event by a crash effort of some three letter agency.
No, you are mistaken. I've always had this sig.
(Score: 3, Insightful) by bradley13 on Friday September 18 2015, @07:08AM
No one hurt? I wouldn't put it past them to send their "useful idiot" to blow up a child care center, or something else really horrible. Set it up so that some sort of encryption was involved, and won't that provide motivation. At the higher levels, too many of these people are sociopaths (look at the torture scandals). I wouldn't put anything past them.
Everyone is somebody else's weirdo.
(Score: 0) by Anonymous Coward on Friday September 18 2015, @03:31PM
https://en.wikipedia.org/wiki/Russian_apartment_bombings [wikipedia.org]
I'm sorry, you were saying...?
(Score: 2) by shortscreen on Friday September 18 2015, @05:45PM
That's one. Here are fifty-five more.
http://www.washingtonsblog.com/2015/09/remember-your-country-admits-to-false-flag-terror.html [washingtonsblog.com]
(Score: 3, Insightful) by VortexCortex on Friday September 18 2015, @06:39AM
~RSc68K6qucor9OuA8A1uNp3OI_eyxbD7TWhulBeRVWOgl2GXMLtyyV6v1mINjtBMjp3Hrfk
hyaNySwjz5JTWwJkAb5HfJ7lzHeYyl42XtYPxPU1YukLDnqaMSS1rDy6Y50sQ4Y3ClNNlf0L
fY_D9CqNbxqZo5f5H.CNKGFS5veEDqmy0NE0uY2WhOBM_iiHp9dk7XpneqzKBSxIBinq8_jZ
OVw
You can take our freedom, you can outlaw our secrets, just remember there isn't a single computer system on this planet that doesn't have zero day exploits -- and I have several for each. What's good for the goose is good for the gander.
(Score: 0) by Anonymous Coward on Friday September 18 2015, @08:04AM
I should get you to come into my workplace. So far this year, they've stolen about $5000 from their part-time workers and awarded it to the owner, a multimillionaire who's too poor to pay you for all the hours you work.
(Score: 2) by Phoenix666 on Friday September 18 2015, @10:42AM
So...you work for a Congressman?
Washington DC delenda est.
(Score: 2) by Gravis on Friday September 18 2015, @11:24AM
there isn't a single computer system on this planet that doesn't have zero day exploits
so... they've hidden them in orbit? I KNEW IT!
(Score: 2) by jmorris on Friday September 18 2015, @09:03PM
No, remember the recent story about an exploit that would work on the Mars rover? Nothing is safe. Nothing.
(Score: 2) by wonkey_monkey on Friday September 18 2015, @10:58PM
~RSc68K6qucor9OuA8A1uNp3OI_eyxbD7TWhulBeRVWOgl2GXMLtyyV6v1mINjtBMjp3Hrfk
hyaNySwjz5JTWwJkAb5HfJ7lzHeYyl42XtYPxPU1YukLDnqaMSS1rDy6Y50sQ4Y3ClNNlf0L
fY_D9CqNbxqZo5f5H.CNKGFS5veEDqmy0NE0uY2WhOBM_iiHp9dk7XpneqzKBSxIBinq8_jZ
OVw
How dare you! My mother is a saint!
systemd is Roko's Basilisk
(Score: 2) by darkfeline on Friday September 18 2015, @11:26PM
>We do not have the perfect example where you have the dead child or a terrorist act to point to
They aren't even trying to hide the fact that they're looking for a "Think of the children!" or "War on terrorism!" excuse for this.
Join the SDF Public Access UNIX System today!
(Score: 1) by unzombied on Friday September 18 2015, @11:54PM
There may not be a perfect example to make encryption against the law, but this is a perfect example of confirmation bias [wikipedia.org] and the cherry picking fallacy [wikipedia.org]. The "people" just want hammers to hammer things, knives to cut things, and private communications to be private. Even though each of those things can be (rarely) used in horrible ways.
(Score: 0) by Anonymous Coward on Saturday September 19 2015, @02:52AM
A senior official granted anonymity... "...We do not have the perfect example where you have the dead child..."
Is this official volunteering their child? A small sacrifice to win his ideological battle.
These people are disgusting.
(Score: 2) by Justin Case on Saturday September 19 2015, @12:03PM
If he really really cares, I think the "perfect example" would be for him to volunteer one of his mother's children.
(Score: 0) by Anonymous Coward on Saturday September 19 2015, @11:32PM
microsoft. Cryptography. rotfl. Thank you for good laugh, i'd go with DJB.