from the Mister-Potato-Head!-Mister-Potato-Head!-Back-doors-are-not-secrets! dept.
Senators Diane Feinstein (D-CA) and Chuck Grassley (R-IA) are preparing legislation that would regulate encryption and potentially mandate "backdoors." The Senate Judiciary Committee has been meeting with tech lobbyists and at least three researchers to come up with a "secure way" to allow only law enforcement to access encrypted information:
US lawmakers are yet again trying to force backdoors into tech products, allowing Uncle Sam, and anyone else with the necessary skills, to rifle through people's private encrypted information. Two years after her effort to introduce new legislation died, Senator Dianne Feinstein (D-CA) is again spearheading an effort to make it possible for law enforcement to access any information sent or stored electronically. Such a backdoor could be exploited by skilled miscreants to also read people's files and communications, crypto-experts continue to warn.
Tech lobbyists this month met the Senate Judiciary Committee to discuss the proposed legislation – a sign that politicians have changed tactics since trying, and failing, to force through new laws back in 2016. New York District Attorney and backdoor advocate Cyrus Vance (D-NY) also briefed the same committee late last month about why he felt new legislation was necessary. Vance has been arguing for fresh anti-encryption laws for several years, even producing a 42-page report back in November 2015 that walked through how the inability to trawl through people's personal communications was making his job harder.
Tech lobbyists and Congressional staffers have been leaking details of the meetings to, among others, Politico and the New York Times.
From the NYT article:
A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches. They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.
[...] The researchers, Mr. Ozzie said, recognized that "this issue is not going away," and were trying to foster "constructive dialogue" rather than declaring that no solution is possible.
Also at The Hill.
Previously: New Paper on The Risks of "Responsible Encryption"
Report On Device Encryption Suggests A Few Ways Forward For Law Enforcement
Senator Wyden Calls on Digital Rights Activists to Block Legislative Efforts to Weaken Encryption
Related Stories
Senator Ron Wyden spoke to RightsCon about the Crypto Wars following the FBI dropping its case against Apple:
Senator Ron Wyden (D-OR) has put out a call to arms to digital rights activists, asking them to join in a SOPA-style effort to defeat upcoming efforts to weaken encryption. In a wide-ranging speech that covered J Edgar Hoover, Miranda Rights, the Founding Fathers and the Amazon Echo, the Oregon Senator warned that despite the recent decision by the FBI to drop its case against Apple, "as sure as night follows day," the issue is going to return and it will be necessary to fight legislative efforts to reduce the effectiveness of encryption.
"I will block any plan that would weaken strong encryption," he told the RightsCon conference in San Francisco. "The expected legislation will be a lose-lose for all of us: less security and less liberty." He also railed against the notion that the current debate over technology and encryption was a privacy versus security debate, arguing that it is more "security versus more security." Instead, Wyden said, he wanted to refocus the debate, and called for "a new compact for security and liberty in the digital age."
Also at Reuters, The Guardian, The Hill.
Here is the speech Wyden gave at RightsCon.
Riana Pfefferkorn, a Cryptography Fellow at the Center for Internet and Society at Stanford Law School, has published a whitepaper on the risks of so-called "responsible encryption". This refers to inclusion of a mechanism for exceptional access by law enforcement to the cleartext content of encrypted messages. It also goes by the names "back door", "key escrow", and "golden key".
Federal law enforcement officials in the United States have recently renewed their periodic demands for legislation to regulate encryption. While they offer few technical specifics, their general proposal—that vendors must retain the ability to decrypt for law enforcement the devices they manufacture or communications their services transmit—presents intractable problems that would-be regulators must not ignore.
However, with all that said, a lot more is said than done. Some others would make the case that active participation is needed in the democratic process by people knowledgeable in use of actual ICT. As RMS has many times pointed out much to the chagrin of more than a few geeks, "geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone." Again, participation is needed rather than ceding the whole process, and thus its outcome, to the loonies.
Source : New Paper on The Risks of "Responsible Encryption"
Related:
EFF : New National Academy of Sciences Report on Encryption Asks the Wrong Questions
Great, Now There's "Responsible Encryption"
Techdirt covers a new paper published by the US National Academies of Science, Engineering, and Medicine regarding the general access that the FBI and DOJ want to encrypted communications.
Another paper has been released, adding to the current encryption discussion. The FBI and DOJ want access to the contents of locked devices. They call encryption that can be bypassed by law enforcement "responsible encryption." It isn't. A recent paper by cryptograpghy expert Riana Pfefferkorn explained in detail how irresponsible these suggestions for broken or weakened encryption are.
This new paper [PDF] was put together by the National Academies of Science, Engineering, and Medicine. (h/t Lawfare) It covers a lot of ground others have and rehashes the history of encryption, along with many of the pro/con arguments. That said, it's still worth reading. It raises some good questions and spends a great deal of time discussing the multitude of options law enforcement has available, but which are ignored by FBI officials when discussing the backdoors/key escrow/weakened encryption they'd rather have.
The paper's suggestions have not been rigorously investigated by those with domain expertise, yet.
Source : Report On Device Encryption Suggests A Few Ways Forward For Law Enforcement
Despite cries of "responsible encryption", numerous law enforcement agencies are cracking into iPhones using a box called "GrayKey". Even the latest iPhones may be affected:
FBI Director Christopher Wray recently said that law enforcement agencies are "increasingly unable to access" evidence stored on encrypted devices. Wray is not telling the whole truth.
Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests.
[...] "It demonstrates that even state and local police do have access to this data in many situations," Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, told Motherboard in a Twitter message. "This seems to contradict what the FBI is saying about their inability to access these phones."
As part of the investigation, Motherboard found:
- Regional police forces, such as the Maryland State Police and Indiana State Police, are procuring a technology called 'GrayKey' which can break into iPhones, including the iPhone X running the latest operating system iOS 11.
- Local police forces, including Miami-Dade County Police, have also indicated that they may have bought the equipment.
- Other forces, including the Indianapolis Metropolitan Police Department, have seemingly not bought GrayKey, but have received quotations from the company selling the technology, called Grayshift.
- Emails show the Secret Service is planning to buy at least half a dozen GrayKey boxes to unlock iPhones.
- The State Department has already bought the technology, and the Drug Enforcement Administration is interested in doing so.
See also: FBI Refuses to Say Whether It Bought iPhone Unlocking Tech 'GrayKey'
Also at Engadget and AppleInsider.
Related: U.S. Legislators Trying to Weaken Encryption Yet Again
(Score: 3, Insightful) by milsorgen on Wednesday April 11 2018, @04:31AM (5 children)
But there is no way around this, there is no solution that the government wants and preserves encryption. They are going to toy with us and then find some "solution" that will leave the public and business in a terrible position while the government gets all that it wants.
On the Oregon Coast, born and raised, On the beach is where I spent most of my days...
(Score: 1, Interesting) by Anonymous Coward on Wednesday April 11 2018, @05:16AM (3 children)
All this while meanwhile DC is flooded with rogue stingrays [arstechnica.com] thanks to the deliberately weak cell phone standards which simply cannot be found and stopped (nevermind the ones it'd be illegal to stop because they're on sovereign soil in foreign embassies).
Maybe these people will learn when the GRU starts using some of the data harvested from these sorts of devices to blackmail them. Surely Senator Feinstein has said things over a phone she'd rather not appear on the front of the NYT, after all.
(Score: 3, Funny) by maxwell demon on Wednesday April 11 2018, @05:39AM (2 children)
I don't think it is that hard to find the cell phone standards. Stopping them may indeed be hard, though. ;-)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @11:25AM (1 child)
[Citation needed]
(Score: 2) by Fluffeh on Thursday April 12 2018, @01:43AM
Oh hai.
Here's the link to 5G standards [ieee.org]. You can find similar for all the other ones too. All the phones that can connect to it, will do so via these standards.
*sips coffee*
(Score: 5, Insightful) by driverless on Wednesday April 11 2018, @05:34AM
Ah, Ray Ozzie, the guy who gave us the wonder that is Lotus Notes, and then backdoored the crypto in it despite there being no law requiring it.
Actually I'm not sure whether having him involved will be such a bad thing, if his solution is at the same level of quality and usability as Notes then it'll be dead in the water as soon as it launches.
(Score: 3, Insightful) by Whoever on Wednesday April 11 2018, @04:40AM (2 children)
The sooner we can get rid of that Fakecrat (Feinstein) the better!
(Score: 2, Interesting) by Anonymous Coward on Wednesday April 11 2018, @08:03AM
Getting the mayor position after that assassination and all, she took a previously liberal position and make it 'Democrat-Conservative'.
While the parties distract us with their 'social reform bills' and us vs them, all the laws that REALLY count, they seem to be collectively on the same page about and colluding against the constituents to enact.
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @06:26PM
if you think either of these parties are legitimate you are a retard.
(Score: 1, Interesting) by Anonymous Coward on Wednesday April 11 2018, @04:52AM
Looks like wintel is firmly on board.
(Score: -1, Troll) by Anonymous Coward on Wednesday April 11 2018, @05:04AM (2 children)
Senator Dianne Feinstein [wikipedia.org]
A Khazar Jewess wanting to put backdoors into products used by humans is to be expected. These Khazars never stop. Expose them and let the world see who they are.
(Score: 4, Funny) by The Mighty Buzzard on Wednesday April 11 2018, @10:39AM (1 child)
#FakeJews
My rights don't end where your fear begins.
(Score: 2) by Azuma Hazuki on Wednesday April 11 2018, @07:41PM
Strictly speaking, the Khazars *are* fake Jews. The real ones are the Sephardim, who get treated like shit in ways that only someone who is both Jewish *and* Middle-Eastern can.
I am "that girl" your mother warned you about...
(Score: 2) by bzipitidoo on Wednesday April 11 2018, @05:07AM (1 child)
Because darkness makes it easier for criminals to hide, we must install more illumination! Streetlights aren't enough. We need a giant space mirror positioned over the night side of the earth. Then the sun will never set on the American Empire!
(Score: 1, Insightful) by Anonymous Coward on Wednesday April 11 2018, @05:33AM
Outlaw crime! Outlaw criminals! Outlaw criminality!
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @05:11AM
56bit 3DES ought to be enough for anyone. Anything stronger would be sufficient grounds for criminal investigation, like gun ownership. After all, only criminals break the law and need protection against the law.
:)
(Score: 2) by archfeld on Wednesday April 11 2018, @05:42AM (7 children)
As a part time Californian I would like to apologize to the rest of the US for the existence of Senator Diane Frankenstein. Sadly she is from the area I call home for part of the year :(. As much as I love living in the SF Bay Area, she taints everything that is cool about Northern California with a stain that may never wash away.
Diane Frankenstein, Willie Brown, Gov. Moonbeam Brown, maybe there is something to the notion of too much pot causing retardation, or maybe we as voters were just too high to notice what we inflicting on the rest of the US. I think I'll go and vape a bowl and think on that...
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 3, Insightful) by TheGratefulNet on Wednesday April 11 2018, @02:21PM (4 children)
she's NO hippy. in fact, she's a repuplican in D clothing.
nothing about her strikes me as D-based.
no D person I know respects her, either.
no idea how she manages to stay in office, but no one likes her that I know of.
"It is now safe to switch off your computer."
(Score: 2) by archfeld on Wednesday April 11 2018, @07:13PM (3 children)
No PERSON I know respects her. My dad is a staunch 'republican', a retired Police officer and general conservative of epic proportions and he calls her names I can't repeat here. His animosity towards Feinstein is exceeded only by his disdain of Nancy Pelosi, and the grand wizard of waste Moonbeam Jerry Brown. Those are one of the few points to which we agree politically.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 2, Funny) by DeVilla on Thursday April 12 2018, @02:27AM (2 children)
Damn
(Score: 2) by archfeld on Thursday April 12 2018, @04:33AM (1 child)
He often uses the terms Shitsock, Colon Kisser, The Taint Fairy, the Placenta Princess. I am amazed sometimes at what comes out of the 76 year old guys mouth. He was a cop and prison guard for a long career and I guess they must have had colorful discussions on the old cell block. He was to my memory much cleaner of grammar when I was growing up, but now I am living with him and my mother part time since he had a pace maker inserted and he is a lot more 'liberal' in his language, but always very creative. He can swear up a paragraph and never repeat himself :)
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 1) by DeVilla on Thursday April 12 2018, @05:08AM
Sounds a little like a fellow I knew when he got out of the military. He didn't even really need to use profanity (though he had no problem doing so), yet he could paint a picture that would leave you trying to poke out your mind's eye.
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @11:29PM (1 child)
Dianne. The name is Dianne Frankenstein. Not Diane.
(Score: 2) by archfeld on Thursday April 12 2018, @12:55AM
How about Emiel Goldman ?
https://duckduckgo.com/?q=dianne+feinstein&t=hb&ia=news [duckduckgo.com]
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @06:23AM
This woman can't walk out the door in the morning without violating the Constitution yet again.
There is ample evidence at this point.
(Score: 1, Insightful) by Anonymous Coward on Wednesday April 11 2018, @06:47AM (3 children)
The solution is to tell the authorities, fuck you, we don't need your stinking dialogue! and to built the best encryption we can with or without their approval. I mean, really, why is anybody seeking their permission?
(Score: 2, Touché) by Anonymous Coward on Wednesday April 11 2018, @12:34PM
I'm okay with constructive dialogue if it's PGP encrypted.
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @06:12PM
the vast majority of companies and people in this country are slaves and whores. they will do anything not to rock the boat so they can get their 30 pieces of silver. just look at how they suck up and play cop for the IRS.
(Score: 0) by Anonymous Coward on Thursday April 12 2018, @04:32PM
Give the Senators a reply in the language they understand:
vade et caca in pilleum et ipse traheatur super aures tuas
(Score: 2, Troll) by realDonaldTrump on Wednesday April 11 2018, @06:49AM
They had Responsible Encryption in France. And it worked very well. For many years they had one of the greatest Countries. Then they repealed it. And now they're having so many HORRIBLE attacks. They had Charlie Hebdo. They had Bataclan. They had Nice -- believe me, it wasn't nice. And they had the Carcassonne & Trèbes attack.
(Score: 2, Interesting) by Anonymous Coward on Wednesday April 11 2018, @09:10AM
Hell, I wouldn't even be too bothered then: it'd be fucking hilarious when they shot their own leg off.
(Score: 1) by pTamok on Wednesday April 11 2018, @10:36AM (8 children)
I can see a strong argument on National Security grounds for the USA placing back-doors in hardware and software it controls by both hard- and soft- power.
Obviously, the same arguments apply to any other independent state.
Assuming the USA gets its wish, then there will be a very strong incentive for states not aligned with the USA's national interests to use hardware and software that is guaranteed, as far as is practicable, to be free of the USA-influenced back-doors.
However...what if the USA makes the back-door technology openly available to everyone? In other words, it is not hidden, but simply made available to the authorities of each state? Say, for example, every commercially available cpu has a secure enclave that runs only software signed by an authority. Each state gets one or several (root) signing keys. You then mandate for every ISP in that state that a device has to have a licence in order to be able to route packets on the Internet. This is enforced at link initiation, and the licence certificate is stored in the secure enclave. No licence certificate, no network access, and operation of an unlicensed network is made a criminal act. Private networks will require a proxy-server that can relay licence checks and authorisations. Such Media Access Control authentication is already standardized - IEEE 802.1X-2010 . If you look at the Blu-ray AACS and BD+ schemes, you can see that having a trusted (virtual) machine in each cpu allows for fine-grained control over access and security.
An 'in full sight' back-door scheme is very easy to achieve with existing technology. If you travel to another country you have two options: (1) if your equipment is compatible with the host-country's network, you obtain an additional licence; or (2) if your equipment is not compatible with the host-country's network, you get no network access.
I regard such a scheme as pretty much inevitable.
This does not give authorities access to all encrypted information: but what it does do is give authorities privileged access to any cpu attached to a known network. A trusted enclave could easily be primed to look for encryption keys in its host system. So rather than looking for a magical encryption scheme with a law-enforcement-only back-door, build a back-door that gives access to everything on its host. Easier. And more useful. Pretty much all the ingredients are available now.
(Score: 0) by Anonymous Coward on Wednesday April 11 2018, @12:35PM
It's about time to get serious when it comes to fighting the Crypto Wars. Stockpile "secure" hardware for use with the dark web before it is all gone. Run compromised performance hardware only offline and maybe in a Faraday cage. Flout the law daily and en masse. Donate to the EFF and hope that we can get these laws nullified by the courts. And for when shit hits the fan, why not collect some assault weapons and ammo?
(Score: 2, Interesting) by Anonymous Coward on Wednesday April 11 2018, @01:20PM
It's because of people like you that the world is shit.
You see a problem, and your brain is capable enough to provide a solution.
Well, you're solving a problem for evil people.
(Score: 2) by Wootery on Wednesday April 11 2018, @02:08PM (3 children)
You seem to be ignoring the indirect consequences of making other people's devices work for you, rather than for them: they stop buying from you, and start buying from your competitors. We've already seen US-based cloud vendors take a hit for the US's spying practices.
(Score: 1) by pTamok on Wednesday April 11 2018, @06:02PM (1 child)
Actually, no, I'm not.
1) Try buying a commercially available PC or Server CPU that doesn't have ME, PSP or TrustZone in it. You'll find it is not easy. I am aware of niche items, like the Talos workstation.
2) You may have missed the 'what if?' point I made, which was that if the USA opened up ME/PSP/TrustZone, and made the technology open to all governments, there would be a strong incentive for it to be used. It would not take much - many campaigners are trying to get Intel and AMD to open up the Secure Enclaves so that FLOSS firmware could be loaded. The other edge to that sword is that opening up the technology allows any government to impose its own requirements about running government signed firmware.
If you make back-doors available to everyone, then you can make cosy agreements with other governments about which back-doors are mutually transparent to each other. If you impose a requirement that government sanctioned code/certificates must be present in the secure enclave, or you can't legally use the Internet, then you close off options of buying cpus from elsewhere.
It would be frighteningly easy to implement. Telecommunications carriers already install a lot of monitoring equipment for governments that the general population is not aware of, so the process is not novel. Specialists are aware of things like 'Legal Intercept Modules' that are installed in certain equipment used by carriers, and things like Room 641A [wikipedia.org] are well known in the (rather small) information security community. Knowledge of such things is 'out there', but it certainly is not mainstream, even after Snowden.
(Score: 2) by darkfeline on Friday April 13 2018, @07:13PM
That's because ME (and related) is a feature for the user. Enterprises use it to control their hardware. They literally pay extra money for this feature (or at least, for the feature to be enabled. A CPU model might support ME in hardware, but only the more expensive variants will have it enabled).
If, somehow, non-ME CPUs start becoming a desirable feature for a large proportion of purchasers, then there will be commercially available PCs that don't have. So far, that is not the case (no, SN does not comprise a large proportion of purchasers).
Join the SDF Public Access UNIX System today!
(Score: 2, Insightful) by Anonymous Coward on Wednesday April 11 2018, @06:19PM
at&t got caught splitting the internet feed in san fransisco for the @#$%^ NSA and the vast majority of people won't even switch their phone carriers.
(Score: 3, Interesting) by All Your Lawn Are Belong To Us on Wednesday April 11 2018, @05:33PM
And then next week the Five Eyes sign a cooperative agreement that allows the foreign agency to go after targets in its own country using its own perfectly legitimate targeting rules and share that information back again. Thus allowing circumvention of constitutional protections of the privacy of said data.
That's quite aside from that if you look at the AACS scheme, for example, you can find that the trusted (virtual) machine in each cpu also allows for hacking to compromise the privacy of the system. As already occurred with AACS. Hence any compromise to encryption being functionally equivalent to no encryption in terms of ultimate trust.
Though yes, I think such a scheme is ultimately inevitable and the Internet shall die and be silently replaced by Consumernet while still being called the Internet. The only hope is to perfect samisdat technology and technique before then.
This sig for rent.
(Score: 2) by archfeld on Wednesday April 11 2018, @07:19PM
That sounds vaguely like the DVD encryption scheme the motion picture industry introduced and that watched get pwned in record time by a group of part time hackers. For every additional key you issue the chances of one get loose goes up exponentially. How much effort went into DeCSS and who long did it take before it was commonly available in free tools for every flavor of OS ?
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge