Stories
Slash Boxes
Comments

SoylentNews is people

posted by on Wednesday January 25 2017, @11:22AM   Printer-friendly
from the ROT-13-is-too-secure dept.

Like other politicians and government officials, President Trump's nominee for the position of Attorney General, Jeff Sessions, wants to have it both ways when it comes to encryption:

At his confirmation hearing, Sessions was largely non-committal. But in his written responses to questions posed by Sen. Patrick Leahy, however, he took a much clearer position:

Question: Do you agree with NSA Director Rogers, Secretary of Defense Carter, and other national security experts that strong encryption helps protect this country from cyberattack and is beneficial to the American people's' digital security?

Response: Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

Despite Sessions' "on the one hand, on the other" phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It's simply not feasible for encryption to serve what Sessions concedes are its "many valuable and important purposes" and still be "overcome" when the government wants access to plaintext. As we saw last year with Sens. Burr and Feinstein's draft Compliance with Court Orders Act, the only way to give the government this kind of access is to break the Internet and outlaw industry best practices, and even then it would only reach the minority of encryption products made in the USA.

Related: Presidential Candidates' Tech Stances: Not Great


Original Submission

Related Stories

FBI Official: "Build Technological Solutions to Prevent Encryption Above All Else" 55 comments

Another day, another U.S. law enforcement official calling for regulation and weakening of encryption. This time, Michael Steinbach, assistant director in the FBI's Counterterrorism Division, has told Congress that Internet communication services are helping ISIS/ISIL and other terrorist groups as they are now "Going Dark," and the FBI needs a "front door":

As far as the FBI is concerned, private companies must "build technological solutions to prevent encryption above all else," the Washington Post reports Steinbach as saying. That's a pretty sharp reverse ferret from the FBI, which four years ago was recommending encryption as a basic security measure. But Steinbach said evildoers are hiding behind US-made technology to mask their actions.

Steinbach told the committee that encrypted communications were the bane of the agency's efforts to keep the American public safe from terror. But the FBI wasn't insisting on back door access to encryption; rather, it wants companies to work directly with law enforcement where necessary. "Privacy above all other things, including safety and freedom from terrorism, is not where we want to go," Steinbach said. "We're not looking at going through a back door or being nefarious."

Instead the FBI wants a front door; a system to allow it to break encryption created by US companies. Understandably, US tech firms aren't that keen on the idea, since "we have borked encryption" isn't much of a selling point.

Presidential Candidates' Tech Stances: Not Great 100 comments

How do the candidates for the presidency of the US do on technical issues?
Two companies (Tusk Ventures and Engine) on startups, government and policies evaluated the candidates on
- privacy & security
- intellecutal property
- education, talent and workforce
- broadband access and infrastructure

Report: site.
Blog post: here

Overall conclusion:
Clinton B+
Sanders B
Cruz D
Kasich D+
Rubio C+
Trump F

There's little explanation on the methodology though. Seems to be "This candidate has said something on this once/twice/often" - not the forefront of academic rigor.

Nevertheless: I am (somewhat) curious about this. So my questions to SoylentNews:
- How would you grade the candidates on the above issues?
- What are your reasons for those grades?


[There is some background on the categories and the thinking behind the scores in their 2016 Candidate Report Card (pdf). Do note that part of the scoring in the "education, talent and workforce" category is based on: "High-skilled Immigration Reform: Does the candidate support expanding opportunities for global technical talent and entrepreneurs to work in U.S.?" -Ed.]

Original Submission

How the US Anti-Encryption Bill Will Kill Our Privacy/Security 67 comments

El Reg :

Analysis In the wake of the FBI's failed fight against Apple, Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) have introduced a draft bill that would effectively ban strong crypto.

The bill would require tech and communications companies to allow law enforcement with a court order to decrypt their customers' data. Last week a draft copy of the bill, dubbed the Compliance with Court Orders Act of 2016, was leaked, but the new version is even worse than the discussion draft.

In the draft version, court orders could only be issued for a crime resulting in death or serious bodily harm, terrorism and espionage, crimes against minors, serious violent felonies or Federal drug crimes. In the final version, those caveats are gone, so any court order will allow the police to access the data they want.

The bill would apply to "device manufacturers, software manufacturers, electronic communication services, remote communication services, providers of wire or electronic communication services, providers of remote communication services, or any person who provides a product or method to facilitate a communication or to process or store data." That's a pretty wide net.

"No entity or individual is above the law," said Feinstein. "The bill we have drafted would simply provide that, if a court of law issues an order to render technical assistance or provide decrypted data, the company or individual would be required to do so.

"Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."

Idiots, I tell you, they're a pair of idiots.


Original Submission #1
Original Submission #2

U.S. Attorney General Jeff Sessions Will Rescind the Cole Memo 112 comments

U.S. Attorney General Jeff Sessions will reportedly rescind the Cole Memo (DoJ), effectively ending the moratorium on enforcing cannabis prohibition in states where it has been legalized:

Attorney General Jeff Sessions will roll back an Obama-era policy that gave states leeway to allow marijuana for recreational purposes.

Two sources with knowledge of the decision confirmed to The Hill that Sessions will rescind the so-called Cole memo, which ordered U.S. attorneys in states where marijuana has been legalized to deprioritize prosecution of marijuana-related cases.

The Associated Press first reported the decision.

Sessions, a vocal critic of marijuana legalization, has hinted for months that he would move to crack down on the growing cannabis market.

Republican Senator Cory Gardner says he will hold up the confirmation process for DoJ nominees:

Sen. Cory Gardner (R-Colo.) threatened on Thursday to start holding up the confirmation process for White House Justice Department nominees unless Attorney General Jeff Sessions reverses a decision to roll back a policy allowing legalized recreational use of marijuana in some states.

Gardner said in a series of tweets that Sessions had told him before he was confirmed by the Senate that he would not change an Obama-era policy that discouraged federal prosecutors from pursuing marijuana-related offenses in states where the substance had been legalized. Colorado is one of those states.

[...] The Justice Department's reversal of the Cole memo on Thursday came three days after California's new law allowing recreational marijuana use went into effect.

Other politicians have reacted strongly to the news.

Previously: New Attorney General Claims Legal Weed Drives Violent Crime; Statistics be Damned
4/20: The Third Time's Not the Charm
Jeff Sessions Reboots the Drug War
According to Gallup, American Support for Cannabis Legalization is at an All-Time High
Opioid Commission Drops the Ball, Demonizes Cannabis
Recreational Cannabis Goes on Sale in California

Related: Attorney General Nominee Jeff Sessions Backs Crypto Backdoors


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by anubi on Wednesday January 25 2017, @12:27PM

    by anubi (2828) Subscriber Badge on Wednesday January 25 2017, @12:27PM (#458460)

    Sounds like the same argument DVD_CCA thought when creating DVD movie encryption. Anyone remember how that one turned out?

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 3, Interesting) by TheRaven on Wednesday January 25 2017, @01:13PM

      by TheRaven (270) on Wednesday January 25 2017, @01:13PM (#458465) Journal

      It's not quite the same. The problem with encryption for DRM is that encryption assumes two cooperating parties and one or more adversaries, but in DRM one of the cooperating parties is also the adversary. They have to be in the state of both having the key (to access the content) and not having the key (for the DRM to be secure). The only way that this can be made to work is if the user doesn't control their own playback device and is not able / allowed to reverse engineer it.

      With encryption, if you want the government to be able to break it, then you must either make it weak enough that government-owned computers can break it (difficult to do if you don't also want to be able to let other people break it, especially for something that has a lifetime of years) or you have to use a more complicated cryptosystem where there are two decryption keys, one used by the intended recipient and one held by the company. Or you can make the system insecure, but not the crypto by allowing remote logins that can access the plaintext, again secured by a key held by the author of the software.

      The first problem with all of these approaches is that they rely on the organisation that controls the master key being able to store it securely in such a way that no one is able to infiltrate the company and exfiltrate the key, externally compromise the systems that store the key, or simply work out what the key is based on flaws in the crypto implementation.

      The other flaw with this approach is that it assumes that all communication systems come from big companies and are black boxes. Even with traditional mail, there's nothing that you can do to stop two people exchanging a one-time pad in person and then sending completely secure letters to each other through the post. With encryption systems, there are thousands of off-the-shelf open source solutions and even books that contain source code listings for implementing algorithms that, with a sensible key length, are well beyond the ability of any government agency to crack. Gun advocates like to claim that if guns are outlawed then only outlaws will have guns. The analogy would be equivalent for encryption, if there were gun stalls on every street that would hand out free guns to anyone who walked past and most businesses depended on armed guards.

      --
      sudo mod me up
      • (Score: 3, Interesting) by Grishnakh on Wednesday January 25 2017, @05:34PM

        by Grishnakh (2831) on Wednesday January 25 2017, @05:34PM (#458546)

        Well one thing I think you're missing is that, just like with DRM where reverse-engineering can be simply banned, with mandated backdoored encryption, the use of unapproved encryption can be banned. Sure, you can say that "only criminals" will use it, but with ubiquitous surveillance, it wouldn't be that hard for the government to monitor communications and make sure they're using one of the approved encryption services. It wouldn't be perfect; someone could of course resort to steganography or something and send people big JPEGs with short, simple messages hidden in them, or the like, but if you want to exchange serious amounts of data, it's going to be hard to hide that from the enforcers using automated systems.

        • (Score: 2) by MostCynical on Wednesday January 25 2017, @10:38PM

          by MostCynical (2589) on Wednesday January 25 2017, @10:38PM (#458690)

          USB drives, SD cards, or something custom-built, hidden in a toy (something with electronics), sent by mail.

          --
          (Score: tau, Irrational)
        • (Score: 2) by TheRaven on Thursday January 26 2017, @09:54AM

          by TheRaven (270) on Thursday January 26 2017, @09:54AM (#458862) Journal

          The only way to tell if encrypted traffic is government-approved encrypted traffic is to decrypt a large enough sample that you can tell. Even then, there are cryptosystems that give two different real-seeming plaintexts depending on the key that you use, so it probably wouldn't be too hard to put together something that produced a plausible looking stream of words for the NSA but the real message for the intended recipient. It wouldn't stand up to human inspection, but by the time that they've focused on you as a target then you're past the point where having them know that you're using encryption is a problem.

          Even then, you're ignoring how effective modern steganography is. For example, linguistic steganography works by taking a known passage and permuting typos and punctuation to encode a message. You can take, for example, the GN?? troll, and post minor variations of it on Slashdot. Each one encodes a message, but unless you know the meaning of the permutations you have no way of distinguishing it from various mechanisms for trying to get past spam filters. Or you can take a generic spam and send it to a million people, including the intended recipient. Traffic analysis won't help the adversary identify the recipient because, in both cases, it goes to a load of people who aren't the intended recipient, and they all ignore it as spam. If you're serious about evading the government, this is quite easy to do, so all this kind of law would do is make legitimate financial transactions less secure.

          Amusingly, the original version of this post did not redact GN?? and so triggered the spam filter here.

          --
          sudo mod me up
    • (Score: 5, Insightful) by Thexalon on Wednesday January 25 2017, @01:28PM

      by Thexalon (636) Subscriber Badge on Wednesday January 25 2017, @01:28PM (#458469) Homepage

      Or, more to the point, it basically adds up to "anything the (supposed) Good Guys can use, the Bad Guys can use too". It's just like how if you keep a key to your house under the potted plant in your backyard, a burglar can look there too, find the key, and get right in.

      --
      If you act on pie in the sky, you're likely to get pie in the face.
      • (Score: 5, Insightful) by Anal Pumpernickel on Wednesday January 25 2017, @01:50PM

        by Anal Pumpernickel (776) on Wednesday January 25 2017, @01:50PM (#458477)

        We shouldn't assume those working for the government are necessarily good guys, either. There are often bad people working for the government (especially intelligence agencies and the like) and sometimes there is even an systemic effort to suppress certain groups of people (such as journalists, activists, whistleblowers, etc.). Given all the atrocities the US government has committed, it would be foolish to think of it as a good guy that can be trusted with our secrets.

        But even if I assume that the government can be trusted and that they can provide adequate security now and in the future, surrendering everyone's liberties in exchange for security is a cowardly act. If one person wants to make the personal decision to surrender their ability to use strong encryption, then fine, but leave me out of it.

        • (Score: 2) by Thexalon on Wednesday January 25 2017, @02:12PM

          by Thexalon (636) Subscriber Badge on Wednesday January 25 2017, @02:12PM (#458485) Homepage

          That's why I said "(supposed) Good Guys". You obviously leave that out when talking to Sessions and people who think like him, because authoritarians think only in terms of "we're the Good Guys, everyone else is the Bad Guys".

          --
          If you act on pie in the sky, you're likely to get pie in the face.
          • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @04:35PM

            by Anonymous Coward on Wednesday January 25 2017, @04:35PM (#458521)

            It is quite funny. Obama and his team built the current system up over what they inherited, and that was OK. Obama's people also called for backdoors, and that was OK by most of the left as well. But a few days after the new team takes over, and the system they inherited is now ultimate evil, and folks on the new team saying the same things as the old team are cause for panic (and buying copies of 1984).

            • (Score: 5, Informative) by Anal Pumpernickel on Wednesday January 25 2017, @04:44PM

              by Anal Pumpernickel (776) on Wednesday January 25 2017, @04:44PM (#458524)

              That's strange, because I seem to recall countless criticisms of Obama and his cohorts over the issue of the surveillance state. There was certainly a lot of discussion about it on this website. Partisan hacks are nothing new and exist on both sides, so what are you even referring to?

              • (Score: 1, Touché) by Anonymous Coward on Wednesday January 25 2017, @05:14PM

                by Anonymous Coward on Wednesday January 25 2017, @05:14PM (#458537)

                But but libruls are evil!

                I'll bet this whole thing is fake news spread by libruls! Trump is going to make sure we have fantastic encryption! The best encryption!

                Trump! Trump! Trump!

              • (Score: 2) by DeathMonkey on Wednesday January 25 2017, @06:16PM

                by DeathMonkey (1380) on Wednesday January 25 2017, @06:16PM (#458563) Journal

                Obama Won’t Seek Access to Encrypted User Data [nytimes.com]

                The Obama administration has backed down in its bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices, concluding that it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit.

                The fact that they actually made the right call helps...

                • (Score: 0) by Anonymous Coward on Thursday January 26 2017, @12:58AM

                  by Anonymous Coward on Thursday January 26 2017, @12:58AM (#458758)

                  They are all pro-surveillance.

                  This should not in any way be a partisan issue, it is US (the people) versus THEM (the politicians and their authoritarian backers of various stripes and creeds.)

                  We need to remind them who is in charge and stop acting like livestock for them to do as they please.

                  And people need to stop whining about liberals or conservatives and allowing them to divide us over the stupid parts of each side's ideology, rather than uniting over the common pieces neither side SUPPOSEDLY wants infringed.

            • (Score: 3, Insightful) by Thexalon on Wednesday January 25 2017, @05:08PM

              by Thexalon (636) Subscriber Badge on Wednesday January 25 2017, @05:08PM (#458534) Homepage

              I've been consistently critical of the surveillance state, regardless of who's in charge of it. And I'm certainly not alone in that.

              I agree that partisan hackery exists, on all sides, but there is such a thing as ideological consistency. Basically, scratch somebody who works specifically in politics (whether professionally or not), and you'll find a lot of partisan hacks. Go for anybody else, and you'll find that while they often favor one party over another, they're much less partisan hacks.

              --
              If you act on pie in the sky, you're likely to get pie in the face.
      • (Score: 2) by LoRdTAW on Wednesday January 25 2017, @01:54PM

        by LoRdTAW (3755) Subscriber Badge on Wednesday January 25 2017, @01:54PM (#458480) Journal

        It's just like how if you keep a key to your house under the potted plant in your backyard, a burglar can look there too, find the key, and get right in.

        I'd say it's more akin to allowing johnny law to have a skeleton key to every lock "just in case". Once that key is discovered and copied, it's all over and there is no going back. A free for all will ensue.

        • (Score: 3, Informative) by darnkitten on Wednesday January 25 2017, @05:41PM

          by darnkitten (1912) on Wednesday January 25 2017, @05:41PM (#458549)

          I'd say it's more akin to allowing johnny law to have a skeleton key to every lock "just in case".

          Already have 'em... [knoxbox.com]

          They're intended for fire departments, but...

          • (Score: 2) by urza9814 on Friday January 27 2017, @12:53AM

            by urza9814 (3954) Subscriber Badge on Friday January 27 2017, @12:53AM (#459227) Journal

            I'd say it's more akin to allowing johnny law to have a skeleton key to every lock "just in case".

            Already have 'em...

            They're intended for fire departments, but...

            1) They're not on every lock. They're on apartments and office buildings which voluntarily decided to grant that access. I have no problem with the government having a program where I can voluntarily submit my encryption key. I wouldn't, but they're free to provide a drop box for 'em.

            2) It's not a single master key, it's a different key for every local fire department. Much less risk. But of course, you can't really do that with crypto as it isn't tied to a physical location.

            3) I believe most building codes specify that your front door has to be weak enough that the fire department can break it down. In the commercial buildings where these things are installed, the doors are often glass. So if they didn't have these keys they'd just use "brute force" and break through the door, which would probably be *faster* than using the key anyway. So unlike crypto keys, physical keys don't actually offer much protection to begin with.

            4) Those boxes should be installed so they trip the building alarms when opened. In a fire, it doesn't matter, because the alarm is already going off. If you open one to try to break in when there ISN'T a fire, you're going to have the whole damn building coming towards you wondering what the hell is going on.

        • (Score: 2) by tibman on Wednesday January 25 2017, @07:00PM

          by tibman (134) Subscriber Badge on Wednesday January 25 2017, @07:00PM (#458593)

          Here, you can 3d print TSA master keys: https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys [github.com]

          --
          SN won't survive on lurkers alone. Write comments.
    • (Score: 3, Funny) by DannyB on Wednesday January 25 2017, @05:45PM

      by DannyB (5839) on Wednesday January 25 2017, @05:45PM (#458552)

      Protip: You keep the encryption key secret by wearing the t-shirt inside out. That's how.

    • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @10:11PM

      by Anonymous Coward on Wednesday January 25 2017, @10:11PM (#458677)

      Cover it with a white sheet. [independent.co.uk]

  • (Score: 3, Insightful) by The Mighty Buzzard on Wednesday January 25 2017, @01:23PM

    He can suck it. I'll stick to OSS solutions where most of that crew would kick you right he fuck off the team, and tell the entire world why, if you even thought about backdooring the crypto.

    --
    We've got #BieberFever [soylentnews.org]!
    • (Score: 4, Insightful) by fadrian on Wednesday January 25 2017, @01:46PM

      by fadrian (3194) on Wednesday January 25 2017, @01:46PM (#458473) Homepage

      After the new Congress passes a law stating that all encryption will have a back door, I doubt many developers on the team would continue under the threat of prosecution. Then the grunts will come in and add in an insecure back door.

      You can't fight stupid when the law says you have to be that way.

      Sessions is a disaster in a lot of other ways too, such as voting rights and marijuana legalization...

      --
      That is all.
      • (Score: 4, Insightful) by jcross on Wednesday January 25 2017, @01:54PM

        by jcross (4009) Subscriber Badge on Wednesday January 25 2017, @01:54PM (#458479)

        You mean any *American* developers would quit the team. As long as there's somewhere in the world safe from this bullshit, I expect we'll have options. Also, good luck trying to force backdoors on the likes of Apple and Google. At some point it would start to look anti-business, which is anti-jobs-in-usa, and then I expect the administration might temper their stance.

        • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @02:19PM

          by Anonymous Coward on Wednesday January 25 2017, @02:19PM (#458487)

          Uncle Sam has extradition treaties with many of his underlings... I mean... ALLIES, and he probably will find a very good excuse to arrest one of these non-American developers when she (all the best programmers are transgender, of course) comes to the US to attend a conference on Feminism in Cryptography.

          Yes. I dislike everyone.

          • (Score: 4, Insightful) by Grishnakh on Wednesday January 25 2017, @06:08PM

            by Grishnakh (2831) on Wednesday January 25 2017, @06:08PM (#458560)

            That won't happen. Such people are already not coming to America, after the infamous debacle with Sklyarov. With Trump/Sessions in power, everyone's going to stay away.

        • (Score: 3, Insightful) by TheGratefulNet on Wednesday January 25 2017, @03:14PM

          by TheGratefulNet (659) on Wednesday January 25 2017, @03:14PM (#458504)

          indians who where not born here have ALWAYS been happy to do the government's dirty work. they'll happily do it and for low wages, too.

          many american citizens (the R variety, mostly, since that is the party with the authority boot-licking attitude) will also happily work against their own best interests; but foreigners are even 'better' since they don't have the full understanding of what made america great, way back when we started.

          our principles are not theirs; they come from another culture and they could really care less if we bottom-out and become a hellhole. their country already is, for that matter, and they are doing nothing to really fix their own country, either, truth be told.

          so, you can find willing pigs to do the bigging piggies' bidding. shame but its true and everyone knows it.

          look at the googlers and yahoos and such. those people work for companies that also sell us all out. and they convince themselves that they are not doing the man's dirty work. cog dissonance at its best.

          --
          "It is now safe to switch off your computer."
        • (Score: 2) by nitehawk214 on Wednesday January 25 2017, @06:39PM

          by nitehawk214 (1304) on Wednesday January 25 2017, @06:39PM (#458578)

          I used to set up FreeSWAN tunnels for my work back in the late 90s. The project rules were such that no American was allowed to contribute due to the laughable "weaponized encryption" laws back then. No restrictions on usage, though.

          I think those laws were repealed or scaled back some years ago.

          --
          "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
          • (Score: 0) by Anonymous Coward on Thursday January 26 2017, @01:09AM

            by Anonymous Coward on Thursday January 26 2017, @01:09AM (#458765)

            Canada is one of the few 'green' nations in the chart on
            http://infogalactic.com/info/Restrictions_on_the_import_of_cryptography [infogalactic.com]
            (or wikipedia if you prefer, but fsck supporting Wales and his financially motivated 'non-profit')
            along with Ghana and a few other places you wouldn't think of as freedom loving utopias and paragons of democracy :)

            In fact most of the 'free world' looks decidedly unfree based on the restrictions noted in that chart.

        • (Score: 0) by Anonymous Coward on Thursday January 26 2017, @06:58AM

          by Anonymous Coward on Thursday January 26 2017, @06:58AM (#458840)

          Yep, this is an american fire drill here, as opposed to a chinese one.
          I run FreeBSD and am not at all concerned with any of the spying these assholes are capable of.
          As long as we have a free people on the planet somewhere, uninfected uncompromised code will always be.

          Or course those running M$ windoz are already compromised with backdoors and an OS that spies on you and rats you out everytime you switch the thing on.
          I imagine M$ compliance will satisfy these critters and leave them to quandary OSS and something they can't touch, meddle with or control.
          And this is priceless!

  • (Score: 3, Insightful) by Anonymous Coward on Wednesday January 25 2017, @01:35PM

    by Anonymous Coward on Wednesday January 25 2017, @01:35PM (#458471)

    "overcome encryption under lawful authority"

    That could be the front door.
    Get a warrant and force the bad guy to provide the key.
    Hmmm, there's that pesky 5th amendment.

    I guess it's back to the back door.
    Which brings up the old question of how do you make a backdoor that can only be used by the good guys when they have permission.
    You can't.

    What's really sad is that the in the Congressional hearing, nobody called him in it.
    Is that because there is no understanding of the technical issues, or they feel security should trump liberty, or probably both?

  • (Score: -1, Spam) by Anonymous Coward on Wednesday January 25 2017, @01:48PM

    by Anonymous Coward on Wednesday January 25 2017, @01:48PM (#458474)

    Trump! Trump! Trump!

  • (Score: 4, Insightful) by LoRdTAW on Wednesday January 25 2017, @01:50PM

    by LoRdTAW (3755) Subscriber Badge on Wednesday January 25 2017, @01:50PM (#458476) Journal

    Encryption with a back door isn't encryption.

  • (Score: 5, Insightful) by meustrus on Wednesday January 25 2017, @02:09PM

    by meustrus (4961) <meustrusNO@SPAMgmail.com> on Wednesday January 25 2017, @02:09PM (#458483)

    The fundamental problem with treating digital encryption like physical locks - which would lead to law enforcement having the right to break in - is the same as the fundamental problem facing everything digital: scale. The police can, with a lot of time, expense, and visibility, break any safe. But there is no way for the police to break encryption with a lot of time, expense, and visibility. There is only a way for the police to break encryption quickly, cheaply, and invisibly.

    That's just how computers work. Encryption, which must be designed to keep information safe wherever it is copied, must accomplish a task that is impossible to achieve in physical space to be useful. And achieving that task - being difficult to break into even if when it is on high-end hostile computer systems - necessarily prevents the police from gaining access.

    That brings us to the problem of scale. Because breaking any encryption means breaking lots of encryption quickly, cheaply, and invisibly, there is no effective way to limit the backdoor to one lock at a time. It will be used at scale to break into lots of things really quickly. It's like the police want to be able to break into a safe from brand X, but in order to do it, they are going to be able to break into every safe from brand X at the same time. Not only that, but any enterprising criminals who found out how the cops did it would be able to do the same thing. The only thing keeping jewel thieves out of every safe is that breaking into them requires time, can be noisy, and must be done behind physical security. Hackers have all the time they need and can make all the noise they want because they can break through security, make a very portable copy of the information, and run off with it to break in on their own time.

    Unfortunately this fundamental difference between the physical and digital worlds is not something that the average person understands. We live in the physical world. Only the math and software nerds understand the implications of the digital world. And there has been very little effort to explain the fundamental differences in such simple terms.

    We are likely to see this problem keep coming up every time our politicians represent the understanding of the population at large rather than the understanding of the elite. Much as I dislike this administration and assert that the do not represent the majority of the population, politically speaking they must represent the majority understanding on most issues. It's a simple matter of their messaging - Republicans are only willing to accept declarations from the elite when they sound like common sense, whereas Democrats are willing to accept declarations that appear to come from experts even when they conflict with common sense. And in this case, the reality definitely conflicts with common sense, because common sense is based on the physical world.

    I don't expect Democrats to fix this problem. Obama made it worse. Law enforcement experts tend to override cryptography experts when it comes to law enforcement, so relying on expert opinion simply isn't a viable strategy. Our only hope is to make Republican voters - and right-leaning movements all over the world - understand intuitively how the digital world works. Because ultimately, if they understood what encryption backdoors meant, they would oppose it as government overreach.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative.
    • (Score: 2) by Non Sequor on Wednesday January 25 2017, @04:00PM

      by Non Sequor (1005) Subscriber Badge on Wednesday January 25 2017, @04:00PM (#458513) Journal

      I'm going to play devil's advocate here.

      Let's say you have a cryptographic system where there is an algorithm that uses a publicly available constant in the process. This algorithm would be framed so that a private constant can be used to reduce the complexity of cracking a key to something that could be accomplished with a very large supercomputer. Maybe new constants are published at regular intervals to reduce issues with leaks of the private constant and maybe encryption users could regularly decrypt and re-encrypt using the newer constant to prevent older encrypted data from becoming less secure over time.

      Now suppose that use of this scheme was mandated, enforced by a fine, with exemptions for encryption used for health records, sales transactions, and messages under attorney-client privilege. Messages and personal data are under the mandate, but personal encryption users would be subject to at most a fine for violating the mandate and not subject to criminal prosecution. Service providers offering encrypted storage or messaging, on the other hand, likely would not be able to risk the fine.

      This is probably what the middle ground looks like. A pure backdoor system where the authorities can access any encrypted information at any time is a straw man of what the other side wants. They may actually even say they want it, but when you come down to it, they're mistaken on what they want, because they'll definitely want data security for certain pragmatic purposes and they'll grudgingly concede certain explicit civil rights uses such as attorney-client privilege if pressed hard enough.

      If a serious middle ground proposal in this vein is aired, they will get the major tech companies on board and they will cut out the legs from under the traditional encryption advocates. Of course, that doesn't mean the middle ground proposal will actually work, since there are a lot of other devils in the details. A sloppy execution results in it falling apart, and there is plenty of attack surface in this kind of framework. But the point is that eventually the conversation may change so that rather than arguing from a fundamental position, you're arguing about expected pragmatic outcomes of a particular plan. That's going to be a much different animal.

      --
      Write your congressman. Tell him he sucks.
      • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @04:52PM

        by Anonymous Coward on Wednesday January 25 2017, @04:52PM (#458526)

        That sounds exactly like: https://en.wikipedia.org/wiki/Dual_EC_DRBG [wikipedia.org] in that the whole security of the thing depends on two constants being independent. The security of the whole thing goes out the window if there is a valid solution to (Backdoor EC multiplication Secret1) = Secret2. True, solving that inverse operation is hard, but not impossible. And once someone gets it, the whole thing is insecure in that you can predict the random output.

      • (Score: 2) by meustrus on Thursday January 26 2017, @03:42PM

        by meustrus (4961) <meustrusNO@SPAMgmail.com> on Thursday January 26 2017, @03:42PM (#458962)

        Now suppose that use of this scheme was mandated, enforced by a fine, with exemptions for encryption used for health records, sales transactions, and messages under attorney-client privilege. Messages and personal data are under the mandate, but personal encryption users would be subject to at most a fine for violating the mandate and not subject to criminal prosecution. Service providers offering encrypted storage or messaging, on the other hand, likely would not be able to risk the fine.

        That is indeed a middle ground. It's also completely unworkable because of whom it targets: service providers like Facebook or Apple. These service providers are the people with lobbying power. They don't want to succumb to this surveillance because of two reasons: 1) it incurs unnecessary expenses on their part (which is the same reason all industries resist regulation of any kind), and 2) it will make their users angry, possibly angry enough to leave the platform. And ultimately, while conservatives should be concerned about reason #1, security buffs are very concerned about #2.

        It comes down to the exact same problem as digital piracy. Right now Facebook is like Napster: operating outside the rules (in this case the unwritten rules or else they'd have met the same fate). When Napster was shut down, users who left the platform didn't stop pirating. They moved to a decentralized platform that was harder to crack down on. Similarly, if Facebook were required to build in backdoors, users would leave in favor of a decentralized platform. This would similarly make it harder to enforce the rules, and much like the difference between DRM-based legal stores and torrents, the legitimate customers would end up with a product that is inferior to what the terrorists get. And the terrorists still win.

        In short, if you make encryption illegal, then only terrorists will have encryption.

        Which is how we get to where we currently are: the NSA gets secret powers because if they got what they needed by law, everyone would know what they are doing and the bad actors would work to prevent it. The NSA probably doesn't want Facebook to have legally required backdoors because that would actually make their existing tools - which rely on people using Facebook without really thinking about their security - less effective.

        What the NSA should really want is specifically to target individual users, not services. The realistic fear is that terrorists will create a real encrypted platform outside of US control. They wouldn't even need to solve hard decentralization problems to keep the platform safe from air strikes; they could use the already-available decentralization solution that the Pirate Bay uses to avoid being shut down everywhere: keep lots of mirrors. Your "devil's advocate" scheme will do nothing to help combat this situation and may even help bring it about.

        --
        If there isn't at least one reference or primary source, it's not +1 Informative.
      • (Score: 2) by urza9814 on Friday January 27 2017, @01:22AM

        by urza9814 (3954) Subscriber Badge on Friday January 27 2017, @01:22AM (#459244) Journal

        Let's say you have a cryptographic system where there is an algorithm that uses a publicly available constant in the process. This algorithm would be framed so that a private constant can be used to reduce the complexity of cracking a key to something that could be accomplished with a very large supercomputer. Maybe new constants are published at regular intervals to reduce issues with leaks of the private constant and maybe encryption users could regularly decrypt and re-encrypt using the newer constant to prevent older encrypted data from becoming less secure over time.

        You've already got a problem. You can't re-encrypt to make the data more secure, because someone may already have a copy of the data that used the old encryption keys. Or you might just forget to re-encrypt an old copy that's sitting on your backup server. You can't assume that the criminal is only trying to break into live data. They'll take the data and sit on it for a few months or even years, and until they crack it, you may not even know it's been stolen (and even then you still might not know). In fact, *they already do this*. Thankfully, most encryption schemes are designed to last quite a few years, and hopefully the data they protect is useless by the time they can be cracked...but yeah, that's another scheme that just makes things easier for the criminals.

        Any encryption scheme designed to be broken is, well, broken.

    • (Score: 2) by Hyperturtle on Wednesday January 25 2017, @04:29PM

      by Hyperturtle (2824) Subscriber Badge on Wednesday January 25 2017, @04:29PM (#458519)

      I hope you are right that this can be done, that this can be effectively communicated, and that people are willing to try to understand.

      There is a reason that many tech companies are made up of individuals that are not on the fringes of the political spectrum. A lot of that has to do with the view of what change is and what it represents.

      Certainly, change is a constant. It would seem that some people will go to great lengths to avoid change, though, and willful ignorance (I am not saying stupidity--I am saying the refusal to accept something and carrying on as normal) is an unfortunate response by people that don't have a good alternative to the change.

      Often it makes things worse, like policies that are not in the best interests of those resisting change, made more easily implemented because of a refusal to understand the issues and a desire for nothing to happen. The problem is that changes are more easily introduced and implemented when the populace is ignorant--willful or otherwise.

      IT is an excellent arena where we can safely conclude that the populace is ignorant of the difficulties and concerns surrounding many concepts within it-- privacy, security -- and the merger of both, encryption-- but we can also conclude that the populace knows how to respond to fear. Consider one-issue voters. They are often compelled to vote out of fear that their one issue will no longer be decided in their favor.

      It is easier to tap into an emotion than it is to relate to an "expert", even worse when they are described as egghead geeks that are so far removed that they don't understand the 'realities'.

      I am hoping for the best, but expect that Big Brother Inside (the clipper chip, if you recall--something President Clinton proposed back during his presidency) will see its modern equivalent make a resurgence. This may result in a mandate... and the support will be drummed up because of various threats described that have only one solution to maintain your safety--complete surrender of privacy in the digital realm in the name of security, because terrorist pedophiles want to take your rights while praying in a different religion as they compete for outsourcing contracts to replace your jobs.

       

  • (Score: 4, Insightful) by mendax on Wednesday January 25 2017, @07:31PM

    by mendax (2840) on Wednesday January 25 2017, @07:31PM (#458607)

    This is what idiots like Jeff Sessions and his ilk do not understand: You can have strong encryption without backdoors or you can have NO encryption. There can be no in between. There can be no half measures. With regard to strong, nearly unbreakable encryption, the cat is out of the bag and no amount of regulation will put it back. Law enforcement is going to have to accept this fact. If backdoors are mandated, there will be some entrepreneur outside the United States who will provide the means for encryption without a backdoor. And, of course, everyone here knows that a backdoor is just an invitation for the black hats to break in and steal personal information.

    I'm sure that government would like to opt for NO encryption, but that is impossible because it is a vital part of the American economic system now. E-commerce and banking is impossible without strong encryption.

    There is also another argument against backdoors. At one time there was a proposal that in order to use strong encryption one had to register one's private key with the federal government. That's all well and good except that because the cat is out of the bag regarding public key encryption, such a regulation will mean that only the bad guys will have unmonitored communications.

    In short, backdoors simply will not work and it's about time these idiots figure this out.

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
  • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @07:43PM

    by Anonymous Coward on Wednesday January 25 2017, @07:43PM (#458615)

    how about a real physical key?
    if lawful authority has the physical encrypted device in hand then they can really unlock it with a real key and then remove the
    chips that are storing the data (and get around the encryption)?

    this would be "okay" if the real key were securely stored, difficult to copy and would leave a paper trail if removed (and used)
    from the real physical storage box .. somewhere.

    but ofc this "solution" isn't what is wanted. what IS wanted is the means to willy-nilly spy over great distances thru a
    in-place network (internet) by any 'lil whim ... and you don't have to worry because you're a good law abiding person that has nothing to hide ...

  • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @07:50PM

    by Anonymous Coward on Wednesday January 25 2017, @07:50PM (#458621)

    User Al want's to setup an encrypted session to user Bob.
    The Govt agent George want's the ability to look into the session give permission from Judge Judy.
    To support this somebody we trust, Kim, sets up a set of Key servers.

    Kim creates a set of PKI key pairs and publishes the public keys K1..Kn.
    These keys are grouped into separate key servers so that each private key is only known of a few servers.

    Bob makes a PKI key pair and publishes the public key to Al.

    Al chooses a random session key and sends it to Bob using Bob's PKI.
    Al also includes an encrypted version of the session key encrypted with his choice of a subset of K1 through Kn.
    Al and Bob can talk using the session and George can watch the encrypted traffic.

    George gets permission to see the decrypted traffic from Judy.
    Judy tells servers K1 through Kn that this is ok.
    George looks at the key subset Al used to encrypt his access key and asks the proper Keyservers to decrypt the session key.
    The Key servers do this,but keep a good audit trail that George did this for this specific session.

    George can now see the traffic the Judy authorized and there is a good audit trail to make sure that this is all that happened.

    Good news:
    No new algorithm are required. The encryption algorithm is as good as it was before the backdoor was installed.

    Bad news:
    Only good guys and lazy or dumb bad guys can be expected to provide the access key.
    If some bad guy manages to get the private keys from the key servers, he can see all the traffic for the whole system.

    Moral, even with an algorithmically robust backdoor, the operations problems of keeping such powerful keys are overwhelming.
    It's wiser not to make such keys in the first place.

  • (Score: 0, Offtopic) by Anonymous Coward on Wednesday January 25 2017, @07:51PM

    by Anonymous Coward on Wednesday January 25 2017, @07:51PM (#458622)

    I know y'all may think this blindingly obvious, but the real lead here is: Candidate who wants to make America "GREAT" "again" ends up putting together a team that is advocating exactly the same totalitarian shit as before.

    Kind of like how the candidate who would give us "HOPE AND CHANGE" ended up putting together a team that advocated exactly the same totalitarian shit as before. Kind of like how the candidate who was going to be The Decider... granted he gave us two new fronts to fight combat engagements on (that still aren't settled,) but his team even before September 11 advocated exactly the same totalitarian shit as before. Then you had the Slick one whose wife just lost the election. He gave us prurient sexual escapades and did manage to balance the budget and take credit for a normal economic upturn (and his veep claims credit for Teh Internets.) He had a staff who advocated the same totalitarian shit as before - see for example Tomahawk missiles against the Taliban. Before him you had the Daddy of The Decider, who lasted only one term in office because his team gave us the same totalitarian shit as before (despite taking back Kuwait.) Then you had the B-list Actor who was excellent at oratory but was clueless enough to have a staff who started giving us the same shit as we have now - who were actually continuing the same shit as Nixon and Ford did. His predecessor, Jimmy Carter, was genuinely new and different because we were sick of Ford/Nixon.... And Carter is still today regarded by many as a wonderful humanitarian and diplomat but who in his single term was one of the WORST Presidents the United States ever had.

    So. What's your real theme here, and why the fuck would anyone not expect that Mr. Make America Great Again would have anything but a staff who would give us the same totalitarian shit that's been shoveled down our throats since before McCarthyism?

    You young idiots... get the picture yet? I hope so. Because then you'll have genuinely learned something new that those of us who were stupid enough to vote for Reagan, Bush, Clinton, Bush, and Obama didn't learn when we were young and stupid.

    Thanks for reading.

  • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @11:55PM

    by Anonymous Coward on Wednesday January 25 2017, @11:55PM (#458735)

    Big Brother is watching. They are pushing double-speak as "alternate facts". Reminds me of that Doctor Who quote posted on i09:

    “You know, the very powerful and the very stupid have one thing in common,” the Doctor said. “They don’t alter their views to fit the facts. They alter the facts to fit their views.”

    The United States is becoming scarier by the day.

    --
    Why is Donald Trump hiding his tax returns?