SoylentNews is people

posted by martyb on Sunday December 15 2019, @06:15PM
from the task-the-NSA-with-making-it dept.

Senate Judiciary Committee Interrogates Apple, Facebook About Crypto

In a hearing of the Senate Judiciary Committee yesterday, while their counterparts in the House were busy with articles of impeachment, senators questioned New York District Attorney Cyrus Vance, University of Texas Professor Matt Tait, and experts from Apple and Facebook over the issue of gaining legal access to data in encrypted devices and messages. And committee chairman Sen. Lindsey Graham (R-S.C.) warned the representatives of the tech companies, "You're gonna find a way to do this or we're going to do it for you."

The hearing, entitled "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy," was very heavy on the public safety with a few passing words about privacy. Graham said that he appreciated "the fact that people cannot hack into my phone, listen to my phone calls, follow the messages, the texts that I receive. I think all of us want devices that protect our privacy." However, he said, "no American should want a device that is a safe haven for criminality," citing "encrypted apps that child molesters use" as an example.

"When they get a warrant or court order, I want the government to be able to look and find all relevant information," Graham declared. "In American law there is no place that's immune from inquiry if criminality is involved... I'm not about to create a safe haven for criminals where they can plan their misdeeds and store information in a place that law enforcement can never access it."



Related Stories

U.S. EARN IT Act Could Discourage Adoption of End-to-End Encryption 40 comments

Proposed US law is "Trojan horse" to stop online encryption, critics say:

Two Republicans and two Democrats in the US Senate have proposed a law that aims to combat sexual exploitation of children online, but critics of the bill call it a "Trojan horse" that could harm Americans' security by reducing access to encryption. The EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act "would create incentives for companies to 'earn' liability protection for violations of laws related to online child sexual abuse material," an announcement by the bill's supporters said today.

Under current law, Section 230 of the Communications Decency Act provides website operators broad legal immunity for hosting third-party content. A 2018 law known as FOSTA-SESTA chipped away at that immunity for content related to prostitution and sex trafficking, and the EARN IT Act would further weaken immunity for website operators who fail to take certain to-be-determined measures to find and remove child sexual-abuse material.

In a related development today, US Attorney General William Barr gave a speech calling for an analysis of how Section 230 affects "incentives for platforms to address [child sexual exploitation] crimes and the availability of civil remedies to the victims."

[...] Stewart Baker, who was formerly assistant secretary for policy at the Department of Homeland Security and general counsel at the National Security Agency, wrote in a blog post that "there is nothing radical" about the bill. "The risk of liability isn't likely to kill encryption or end Internet security," Baker wrote. But Baker acknowledged that the bill will likely make the decision to offer encryption a more difficult one for tech companies.

Related:
U.S. Congress Passes SESTA/FOSTA Law
DoJ Lets Cops Know SESTA/FOSTA Is For Shutting Down Websites, Not Busting Sex Traffickers
Crypto Wars: US AG William Barr and UK Home Secretary Priti Patel Shake Fists at Facebook
Senate Judiciary Committee Interrogates Apple, Facebook about Crypto



  • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @06:24PM (8 children)

    by Anonymous Coward on Sunday December 15 2019, @06:24PM (#932434)

    One of the things that was said was grabbing encryption keys stored in a way that is accessible if you have physical, hardware, disassemble-the-phone access.

    This obviously doesn't apply to Facebook/whatsapp - things that are entirely software - but what about the hardware phone? Isn't it plausible to have a special pin on Apple's encryption chip that can be used to read out the internal secret key and decrypt the data?

    Drawbacks are theft of phone, and you have to destroy the phone to get access to the data. You dump the data, read the private key, and decrypt.

    Whereas shared secrets have their obvious drawback, what is the argument against such physical key exposure? The only one that I can think of is if a determined attacker has a good deal of money and resources to disassemble the phone, read a key, and decrypt the data - and they're willing to steal a phone to get to it. Probably not going to affect government officials as much, but this might apply to wealthy business leaders.

    • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @06:34PM (1 child)

      by Anonymous Coward on Sunday December 15 2019, @06:34PM (#932436)

      If there is a way to get to your special "decrypt" pin by taking the phone apart...it won't be long before some clever hackers work out how to get to that pin without ruining the phone. Maybe a tiny hole is drilled in just the right spot? Or some other clever way.

      • (Score: 2) by Freeman on Monday December 16 2019, @06:13PM

        by Freeman (732) on Monday December 16 2019, @06:13PM (#932939) Journal

        If you've lost physical access to your device, you've lost half the battle or more.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 1, Insightful) by Anonymous Coward on Sunday December 15 2019, @06:37PM (2 children)

      by Anonymous Coward on Sunday December 15 2019, @06:37PM (#932437)

      Lindsey Graham was "surprised" that the FBI abused the FISA courts to start a farcical investigation of Trump, apparently he will also be "surprised" when they abuse this.

      • (Score: -1, Offtopic) by Anonymous Coward on Sunday December 15 2019, @06:56PM (1 child)

        by Anonymous Coward on Sunday December 15 2019, @06:56PM (#932445)

        One would think US citizens would applaud efforts to root out treasonous corruption, yet here we are. #SAD #LowPatriotism

        • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @07:24PM

          by Anonymous Coward on Sunday December 15 2019, @07:24PM (#932455)

          Even Adam Schiff is publicly admitting it now:

          "I’m certainly willing to admit that the inspector general found serious abuses of FISA that I was unaware of."

          https://dailycaller.com/2019/12/15/adam-schiff-dodges-fisa-abuse/ [dailycaller.com]

          This guy is like years behind anyone who has been paying attention.

    • (Score: 2) by sjames on Sunday December 15 2019, @06:45PM

      by sjames (2882) on Sunday December 15 2019, @06:45PM (#932443) Journal

      Bad guy steals your phone, wrecks it getting the secret key, hoovers your bank account and offers not to share embarrassing but perfectly legal secrets with your contact list for only $2000 in bitcoin...

    • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @07:20PM (1 child)

      by Anonymous Coward on Sunday December 15 2019, @07:20PM (#932454)

      are you talking about a pin on a sticker inside the phone or stored in some super secure closed source firmware piece of shit chip? b/c i think either would be vulnerable eventually without opening up the phone or in the latter case even having physical access.

      • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @09:18PM

        by Anonymous Coward on Sunday December 15 2019, @09:18PM (#932476)

        He's talking about a physical electrical connector on a microchip on the phone's circuit boards.
        A pin, not a PIN.

  • (Score: 1, Informative) by Anonymous Coward on Sunday December 15 2019, @06:38PM (3 children)

    by Anonymous Coward on Sunday December 15 2019, @06:38PM (#932438)

    No need to, Senator, it's already been done and you can't undo it. Now get back to your afternoon nap.

    • (Score: 4, Insightful) by evilcam on Monday December 16 2019, @03:14AM (2 children)

      by evilcam (3239) Subscriber Badge on Monday December 16 2019, @03:14AM (#932665)

      A couple of other quotes from Lindsey Graham recently, on the impending impeachment trial:

      "This thing will come to the Senate, and it will die quickly, and I will do everything I can to make it die quickly"

      "I am trying to give a pretty clear signal I have made up my mind. I'm not trying to pretend to be a fair juror here"

      You sound really committed to stopping criminals, Senator...

      • (Score: 3, Insightful) by DeathMonkey on Monday December 16 2019, @06:49PM

        by DeathMonkey (1380) on Monday December 16 2019, @06:49PM (#932953) Journal

        Vs 1999 Lindsey Graham:

        “You don’t even have to be convicted of a crime to lose your job in this constitutional republic if this body determines that your conduct as a public official is clearly out of bounds in your role. Impeachment is not about punishment. Impeachment is about cleansing the office. Impeachment is about restoring honor and integrity to the office.”

        What changed Mr. Graham?

      • (Score: 3, Informative) by DeathMonkey on Monday December 16 2019, @08:39PM

        by DeathMonkey (1380) on Monday December 16 2019, @08:39PM (#933000) Journal

        An even better one!

        “I have a duty far greater than just getting to the next election. Members of the Senate have said, ‘I understand everything there is about this case, and I won’t vote to impeach the president.’ Please allow the facts to do the talking…. Don’t decide the case before the case’s end.” - Sen. Lindsey Graham, 1998

  • (Score: 5, Insightful) by barbara hudson on Sunday December 15 2019, @07:08PM (5 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday December 15 2019, @07:08PM (#932450) Journal

    "no American should want a device that is a safe haven for criminality,"

    So encrypt everything. It's not like being in law enforcement or the government is any sort of guarantee of honesty.

    Go back to doing investigations the way real detectives do it - by getting off their asses and investigating. Getting informants to flip. Stop wasting your time watching doorbell videos - they obviously don't stop even casual thieves.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 3, Insightful) by Runaway1956 on Sunday December 15 2019, @10:25PM (2 children)

      by Runaway1956 (2926) Subscriber Badge on Sunday December 15 2019, @10:25PM (#932504) Journal

      Good post - right up until you fucked up by relying on informants. Maybe informants are alright, but they can't be "anonymous sources". When you hear that term, you know the cops are lying.

      • (Score: 2) by barbara hudson on Monday December 16 2019, @01:24AM (1 child)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday December 16 2019, @01:24AM (#932593) Journal
        Informants who don't lead others to flip need to testify in court themselves. So not just "an anonymous source." Informants who don't testify don't get to provide evidence in court.
        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by Runaway1956 on Monday December 16 2019, @01:44AM

          by Runaway1956 (2926) Subscriber Badge on Monday December 16 2019, @01:44AM (#932611) Journal

          That's a helluva lot better. Even so, relying on criminals turning on each other often leads to false convictions. IMO, "informant" is a slur. Cops use them all the time for less than admirable reasons.

    • (Score: 4, Informative) by FatPhil on Monday December 16 2019, @01:44AM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday December 16 2019, @01:44AM (#932610) Homepage
      My response to the same quote would have been:

      "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. ..."
      Every American who wants their device to be a safe haven for themselves should want a device that's a safe haven for scoundrels. The device cannot divine your intentions, it has to be equally secure for all.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by DannyB on Monday December 16 2019, @04:30PM

      by DannyB (5839) Subscriber Badge on Monday December 16 2019, @04:30PM (#932892) Journal

      Go back to doing investigations the way real detectives do it - by getting off their asses and investigating. Getting informants to flip. Stop wasting your time watching doorbell videos - they obviously don't stop even casual thieves.

      This is highly incompatible with inspecting donuts. And investigating which ones are the most bestest.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 1, Insightful) by Anonymous Coward on Sunday December 15 2019, @07:33PM (6 children)

    by Anonymous Coward on Sunday December 15 2019, @07:33PM (#932456)
    5th Amendment gives me the right not to hand over my data to the government. You will pry that right from my cold, dead hands, covered in government officials blood who I murdered, as well as residues from the explosives I used to attack the local police.
    • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @07:40PM

      by Anonymous Coward on Sunday December 15 2019, @07:40PM (#932458)

      And embedded with the plastic rotors of the drone they used to deliver a bomb to you.

    • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @09:13PM

      by Anonymous Coward on Sunday December 15 2019, @09:13PM (#932473)

      Yeah, that cruiser that just rolled by your window.

      That wasn't an accident.

    • (Score: 2) by Runaway1956 on Sunday December 15 2019, @10:35PM (3 children)

      by Runaway1956 (2926) Subscriber Badge on Sunday December 15 2019, @10:35PM (#932507) Journal

      "Murdered" is both a harsh word, and an inaccurate one. Self defense has never been called murder in US courts. Fascist and communist courts with agendas are happy to call self defense murder, but not US courts. No true Scotsman/American wants to poke through your most personal possessions.

      • (Score: 2, Informative) by fustakrakich on Monday December 16 2019, @12:01AM (2 children)

        by fustakrakich (6150) on Monday December 16 2019, @12:01AM (#932549) Journal

        Self defense has never been called murder in US courts.

        Untrue. There's no such thing as self defense against a cop, or any other government authority.

        --
        La politica e i criminali sono la stessa cosa..
  • (Score: 3, Informative) by BsAtHome on Sunday December 15 2019, @07:48PM (3 children)

    by BsAtHome (889) on Sunday December 15 2019, @07:48PM (#932460)

    So, if you are not allowed to communicate in private using your private electronic devices, then you can always use paper and pencil. Plenty of good crypto available for plain old paper. A good compromise may be to write encrypted communication on paper and then send an image of it in plain text. -- Hey, I simply sent an image! And the image was not encrypted. Why are you complaining? --

    However, you should avoid lemon juice. Its encrypting capabilities have been compromised.

    • (Score: 1) by pTamok on Monday December 16 2019, @12:09AM

      by pTamok (3042) on Monday December 16 2019, @12:09AM (#932553)

      This is, in fact, a workable way of sending messages that cannot be deciphered in transit - especially if you use a one-time-pad method.

      Note that it is still possible for those intercepting messages to determine the sender and recipient - part of the message's metadata, which can be just as important as the content. There are ways of obfuscating both.

      Criminals will work this out just as you have done, which leads to the question of why the government wants to make it difficult for people to encrypt things, when it doesn't stop criminals from sending secret messages.

    • (Score: 2) by Mojibake Tengu on Monday December 16 2019, @01:23AM

      by Mojibake Tengu (8598) on Monday December 16 2019, @01:23AM (#932591) Journal

      One guy already did one good enough for manual computing.
      It is elsiefour with 3D printable tokens:
      https://gitea.blesmrt.net/exa/ls47 [blesmrt.net]
      It is surprisingly quite strong, and suitable for postapocalyptic world without any electricity, if you can craft tokens from wood.
      No electronic backdoors guaranteed.

      --
      Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 3, Funny) by DannyB on Monday December 16 2019, @04:36PM

      by DannyB (5839) Subscriber Badge on Monday December 16 2019, @04:36PM (#932894) Journal

      You could still use digital. We just need government mandated ROT17.

      "The government selected ROT17 because two applications of it will not revert the ciphertext back to plain text.", the senator explained.

      "...and furthermore", the senator added, "we chose ROT17 because 17 is a prime number unlike 13."

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @09:11PM

    by Anonymous Coward on Sunday December 15 2019, @09:11PM (#932471)

    Except apparently when it comes to congress. Which is why the attorney general restricted investigative authority of congress to only the executive level of the FBI. (FBI undercover guidelines section C.2.a)

    Hows about these apples. First stop taking campaign money from international consortiums and start being a government of the United States again. Then we'll start explaining your fucktard demands for jurisdictional authority to you.

    Sincerely,
    The United States I.T. Sector.

  • (Score: 2) by jasassin on Sunday December 15 2019, @09:21PM

    by jasassin (3566) <jasassin@gmail.com> on Sunday December 15 2019, @09:21PM (#932478) Homepage Journal

    I was trying out the PMKID wireless hacking for WPA2 encryption on WiFi routers. I got a few PMKIDs from some CenturyLink routers around here and emailed them to a friend of mine with an Nvidia RTX 2080 video card to brute force the passwords with hashcat64. I emailed him a command line to run the brute force attack with 8 digits/characters. It took his video card 6 minutes and 20 seconds to complete the hashes. There were no passwords so I did some googling about CenturyLink routers and squinted to see an image of the default router setup on one. Lo and behold, the CenturyLink routers by default have 14 digit/character passwords. So I emailed him the new command line to increase the brute force to 14 characters/digits, and the ETA for hash completion jumped from 6 minutes and 20 seconds to over 400 years. Have fun hacking that.

    The moral of this story is use long passwords.

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
  • (Score: 2) by Gaaark on Sunday December 15 2019, @09:32PM (2 children)

    by Gaaark (41) on Sunday December 15 2019, @09:32PM (#932482) Journal

    Zuckerberg apologized and said he'd never never NEVER do it again and smiled his creepy smile.

    The Senators said, "No problem...you can go."

    Guess what Apple said?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2) by Runaway1956 on Sunday December 15 2019, @10:28PM

      by Runaway1956 (2926) Subscriber Badge on Sunday December 15 2019, @10:28PM (#932505) Journal

      Steve Jobs didn't say anything, he just smiled his ghostly smile from the grave.

    • (Score: 2) by DannyB on Monday December 16 2019, @04:40PM

      by DannyB (5839) Subscriber Badge on Monday December 16 2019, @04:40PM (#932896) Journal

      Apple said: "We will never again do it either. At least not without raising the price first."

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @10:46PM (4 children)

    by Anonymous Coward on Sunday December 15 2019, @10:46PM (#932513)

    "You're gonna find a way to do this or we're going to do it for you."

    If Congress can figure out a way to crack AES 256 Encryption with a strong random password then they deserve a Nobel Prize. I'd love to see them try. If the top scientists, the world's smartest, can't do it then what makes Congress think they can (politicians are not exactly known for being very intelligent).

    • (Score: 0) by Anonymous Coward on Sunday December 15 2019, @11:28PM (3 children)

      by Anonymous Coward on Sunday December 15 2019, @11:28PM (#932534)

      When they say they will do it for you, they mean they will make it a law instead of being self regulated. Like all encrypted traffic must also be decrypted with the government master private key, here is the public key for you to use.

      • (Score: 1) by pTamok on Monday December 16 2019, @12:25AM (2 children)

        by pTamok (3042) on Monday December 16 2019, @12:25AM (#932559)

        I predict a rise in the number of hobbyists who sporadically send a few kilobytes of random numbers to their friends, carefully encrypted with the government's required encryption.

        • (Score: 0) by Anonymous Coward on Monday December 16 2019, @02:36AM (1 child)

          by Anonymous Coward on Monday December 16 2019, @02:36AM (#932650)

          I know what they mean.

          As you mention, Apple can have the device encrypt a user key with an Apple public key and store the encrypted key on the device so that they can decrypt it at request. Of course if the private key ever got into the wrong hands or ever made it out on the Internet (or ever got cracked) then anyone can decrypt it.

          • (Score: 0) by Anonymous Coward on Monday December 16 2019, @07:30AM

            by Anonymous Coward on Monday December 16 2019, @07:30AM (#932728)

            Perhaps a better solution would be for the judiciary branch to have its own public/private key pair. An Apple device can encrypt the user password with Apple's public key and then encrypt that encrypted password with the judiciary branch's public key and store the encrypted password on the device. Then law enforcement would need to get a warrant from the judicial branch and they would need both Apple and the judicial branch to cooperate in the decryption of the key since each party has one of the needed private keys. This would make it more difficult for the government to secretly decrypt keys without anyone knowing since Apple will be informed and can inform the public. It would also make it impossible for Apple to secretly decrypt the keys solo since the judiciary branch also needs to be involved being they have one of the required private keys as well.

            Of course this begs the question, should device manufacturers be involved in the process at all since this really involves law enforcement?

            Perhaps law enforcement can have a public private key pair and the judiciary branch can have another public private key pair. This way neither branch can independently decrypt the password, both branches would have to cooperate. Of course this begs the question if we can trust the two branches not to secretly work together to decrypt the devices without our knowledge and conduct mass surveillance (well, presumably, they would need physical access to the device first?). In the case of the user password being encrypted by the manufacturer public key and then by the judiciary branch's public key it would be hard for the government to coerce every manufacturer into not telling the public about secretive inquiries.
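
The escrow schemes discussed in the two comments above (a device key wrapped under a manufacturer's public key, then wrapped again under a court's public key), sketched as an added example that is not from any commenter or from Apple. The party names, the use of RSA-OAEP and the 2048/3072-bit key sizes are assumptions chosen for illustration; the outer key has to be the larger one because it must carry the whole inner ciphertext.

```javascript
// Added illustration of nested ("two-party") key escrow using Node's built-in crypto.
// Party names, key sizes and function names are assumptions, not any vendor's design.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each escrow party holds its own RSA key pair.
function makeParty(modulusLength) {
  return crypto.generateKeyPairSync('rsa', { modulusLength });
}

function wrap(publicKey, data) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, data);
}

function unwrap(privateKey, blob) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob);
}

// Device side: only the two PUBLIC keys are needed to create the escrow blob.
function escrowDeviceKey(deviceKey, manufacturerPub, courtPub) {
  const inner = wrap(manufacturerPub, deviceKey); // 256 bytes under a 2048-bit key
  return wrap(courtPub, inner);                   // 384 bytes under a 3072-bit key
}

// Recovery: the court removes the outer layer, the manufacturer the inner one.
function recoverDeviceKey(blob, courtPriv, manufacturerPriv) {
  return unwrap(manufacturerPriv, unwrap(courtPriv, blob));
}

// Returns null instead of throwing when a private key cannot open the blob.
function tryUnwrap(privateKey, blob) {
  try {
    return unwrap(privateKey, blob);
  } catch {
    return null;
  }
}

function demo() {
  const manufacturer = makeParty(2048);
  const court = makeParty(3072);
  const deviceKey = crypto.randomBytes(32); // constructed sample device key

  const blob = escrowDeviceKey(deviceKey, manufacturer.publicKey, court.publicKey);
  const recovered = recoverDeviceKey(blob, court.privateKey, manufacturer.privateKey);

  // Each party acting alone on the stored blob:
  const manufacturerAlone = tryUnwrap(manufacturer.privateKey, blob);
  const courtAlone = tryUnwrap(court.privateKey, blob);

  return {
    blobBytes: blob.length,
    bothParties: recovered.equals(deviceKey),
    // The manufacturer's key cannot open the outer layer at all.
    manufacturerAlone: manufacturerAlone !== null && manufacturerAlone.equals(deviceKey),
    // The court peels one layer and is left with ciphertext, not the device key.
    courtAloneGetsKey: courtAlone !== null && courtAlone.equals(deviceKey),
    courtAloneBytes: courtAlone === null ? 0 : courtAlone.length,
  };
}

console.log(demo());
```

The split holds only while the two private keys stay separate: anyone who obtains both, or a copy of the inner ciphertext plus the manufacturer's key, recovers every escrowed device key, which is the single-point-of-failure concern raised in the thread.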

  • (Score: 2, Touché) by fustakrakich on Sunday December 15 2019, @11:55PM (1 child)

    by fustakrakich (6150) on Sunday December 15 2019, @11:55PM (#932546) Journal

    Leave Apple and "big tech" out of it. We just develop our own protocols and encryption and ignore the people that say we can't. That's it, nothing else to be said or done.

    --
    La politica e i criminali sono la stessa cosa..
    • (Score: 3, Insightful) by Anonymous Coward on Monday December 16 2019, @02:00AM

      by Anonymous Coward on Monday December 16 2019, @02:00AM (#932628)

      The encryption and applications that use it already exist.

      These right-wing authoritarians are talking about making using those encryption applications/methods, illegal. A fun read is how the author of PGP got around US encryption export restrictions by printing the source code in a special OCR font, and publishing with a note that it would be illegal to scan, OCR, ... all the steps needed to build. We may see this sort of thing again, only, now, it will be the free world trying to smuggle non-backdoored encryption, and other information, into the US*.

      Can't have the plebs able to plan their uprising against the rich parasite class. So, they must outlaw technology that prevents the rich parasites, and their sycophants being able to "listen in".

      * When will we admit that the US is turning into a police state?

  • (Score: 1, Insightful) by Anonymous Coward on Monday December 16 2019, @05:52AM

    by Anonymous Coward on Monday December 16 2019, @05:52AM (#932704)

    And so, are they also going to make burning letters written with pen and paper illegal, because that technique can be used to plan misdeeds where law enforcement can never access it?

  • (Score: 3, Funny) by Dr Spin on Monday December 16 2019, @07:55AM

    by Dr Spin (5239) on Monday December 16 2019, @07:55AM (#932735)

    Are they going to be surprised when the rest of the world decides the only way to be safe is to buy Huawei?

    --
    Warning: Opening your mouth may invalidate your brain!