SoylentNews is people
SoylentNews
Like other politicians and government officials, President Trump's nominee for the position of Attorney General, Jeff Sessions, wants to have it both ways when it comes to encryption:
At his confirmation hearing, Sessions was largely non-committal. But in his written responses to questions posed by Sen. Patrick Leahy, however, he took a much clearer position:
Question: Do you agree with NSA Director Rogers, Secretary of Defense Carter, and other national security experts that strong encryption helps protect this country from cyberattack and is beneficial to the American people's' digital security?
Response: Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.
Despite Sessions' "on the one hand, on the other" phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It's simply not feasible for encryption to serve what Sessions concedes are its "many valuable and important purposes" and still be "overcome" when the government wants access to plaintext. As we saw last year with Sens. Burr and Feinstein's draft Compliance with Court Orders Act, the only way to give the government this kind of access is to break the Internet and outlaw industry best practices, and even then it would only reach the minority of encryption products made in the USA.
Related: Presidential Candidates' Tech Stances: Not Great
(Score: 2, Insightful) by anubi on Wednesday January 25 2017, @12:27PM
Sounds like the same argument DVD_CCA thought when creating DVD movie encryption. Anyone remember how that one turned out?
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 3, Interesting) by TheRaven on Wednesday January 25 2017, @01:13PM
It's not quite the same. The problem with encryption for DRM is that encryption assumes two cooperating parties and one or more adversaries, but in DRM one of the cooperating parties is also the adversary. They have to be in the state of both having the key (to access the content) and not having the key (for the DRM to be secure). The only way that this can be made to work is if the user doesn't control their own playback device and is not able / allowed to reverse engineer it.
With encryption, if you want the government to be able to break it, then you must either make it weak enough that government-owned computers can break it (difficult to do if you don't also want to be able to let other people break it, especially for something that has a lifetime of years) or you have to use a more complicated cryptosystem where there are two decryption keys, one used by the intended recipient and one held by the company. Or you can make the system insecure, but not the crypto by allowing remote logins that can access the plaintext, again secured by a key held by the author of the software.
The first problem with all of these approaches is that they rely on the organisation that controls the master key being able to store it securely in such a way that no one is able to infiltrate the company and exfiltrate the key, externally compromise the systems that store the key, or simply work out what the key is based on flaws in the crypto implementation.
The other flaw with this approach is that it assumes that all communication systems come from big companies and are black boxes. Even with traditional mail, there's nothing that you can do to stop two people exchanging a one-time pad in person and then sending completely secure letters to each other through the post. With encryption systems, there are thousands of off-the-shelf open source solutions and even books that contain source code listings for implementing algorithms that, with a sensible key length, are well beyond the ability of any government agency to crack. Gun advocates like to claim that if guns are outlawed then only outlaws will have guns. The analogy would be equivalent for encryption, if there were gun stalls on every street that would hand out free guns to anyone who walked past and most businesses depended on armed guards.
sudo mod me up
(Score: 3, Interesting) by Grishnakh on Wednesday January 25 2017, @05:34PM
Well one thing I think you're missing is that, just like with DRM where reverse-engineering can be simply banned, with mandated backdoored encryption, the use of unapproved encryption can be banned. Sure, you can say that "only criminals" will use it, but with ubiquitous surveillance, it wouldn't be that hard for the government to monitor communications and make sure they're using one of the approved encryption services. It wouldn't be perfect; someone could of course resort to steganography or something and send people big JPEGs with short, simple messages hidden in them, or the like, but if you want to exchange serious amounts of data, it's going to be hard to hide that from the enforcers using automated systems.
(Score: 2) by MostCynical on Wednesday January 25 2017, @10:38PM
USB drives, SD cards, or something custom-built, hidden in a toy (something with electronics), sent by mail.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by TheRaven on Thursday January 26 2017, @09:54AM
The only way to tell if encrypted traffic is government-approved encrypted traffic is to decrypt a large enough sample that you can tell. Even then, there are cryptosystems that give two different real-seeming plaintexts depending on the key that you use, so it probably wouldn't be too hard to put together something that produced a plausible looking stream of words for the NSA but the real message for the intended recipient. It wouldn't stand up to human inspection, but by the time that they've focused on you as a target then you're past the point where having them know that you're using encryption is a problem.
Even then, you're ignoring how effective modern steganography is. For example, linguistic steganography works by taking a known passage and permuting typos and punctuation to encode a message. You can take, for example, the GN?? troll, and post minor variations of it on Slashdot. Each one encodes a message, but unless you know the meaning of the permutations you have no way of distinguishing it from various mechanisms for trying to get past spam filters. Or you can take a generic spam and send it to a million people, including the intended recipient. Traffic analysis won't help the adversary identify the recipient because, in both cases, it goes to a load of people who aren't the intended recipient, and they all ignore it as spam. If you're serious about evading the government, this is quite easy to do, so all this kind of law would do is make legitimate financial transactions less secure.
Amusingly, the original version of this post did not redact GN?? and so triggered the spam filter here.
sudo mod me up
(Score: 5, Insightful) by Thexalon on Wednesday January 25 2017, @01:28PM
Or, more to the point, it basically adds up to "anything the (supposed) Good Guys can use, the Bad Guys can use too". It's just like how if you keep a key to your house under the potted plant in your backyard, a burglar can look there too, find the key, and get right in.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 5, Insightful) by Anal Pumpernickel on Wednesday January 25 2017, @01:50PM
We shouldn't assume those working for the government are necessarily good guys, either. There are often bad people working for the government (especially intelligence agencies and the like) and sometimes there is even an systemic effort to suppress certain groups of people (such as journalists, activists, whistleblowers, etc.). Given all the atrocities the US government has committed, it would be foolish to think of it as a good guy that can be trusted with our secrets.
But even if I assume that the government can be trusted and that they can provide adequate security now and in the future, surrendering everyone's liberties in exchange for security is a cowardly act. If one person wants to make the personal decision to surrender their ability to use strong encryption, then fine, but leave me out of it.
(Score: 2) by Thexalon on Wednesday January 25 2017, @02:12PM
That's why I said "(supposed) Good Guys". You obviously leave that out when talking to Sessions and people who think like him, because authoritarians think only in terms of "we're the Good Guys, everyone else is the Bad Guys".
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @04:35PM
It is quite funny. Obama and his team built the current system up over what they inherited, and that was OK. Obama's people also called for backdoors, and that was OK by most of the left as well. But a few days after the new team takes over, and the system they inherited is now ultimate evil, and folks on the new team saying the same things as the old team are cause for panic (and buying copies of 1984).
(Score: 5, Informative) by Anal Pumpernickel on Wednesday January 25 2017, @04:44PM
That's strange, because I seem to recall countless criticisms of Obama and his cohorts over the issue of the surveillance state. There was certainly a lot of discussion about it on this website. Partisan hacks are nothing new and exist on both sides, so what are you even referring to?
(Score: 1, Touché) by Anonymous Coward on Wednesday January 25 2017, @05:14PM
But but libruls are evil!
I'll bet this whole thing is fake news spread by libruls! Trump is going to make sure we have fantastic encryption! The best encryption!
Trump! Trump! Trump!
(Score: 2) by DeathMonkey on Wednesday January 25 2017, @06:16PM
Obama Won’t Seek Access to Encrypted User Data [nytimes.com]
The Obama administration has backed down in its bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices, concluding that it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit.
The fact that they actually made the right call helps...
(Score: 0) by Anonymous Coward on Thursday January 26 2017, @12:58AM
They are all pro-surveillance.
This should not in any way be a partisan issue, it is US (the people) versus THEM (the politicians and their authoritarian backers of various stripes and creeds.)
We need to remind them who is in charge and stop acting like livestock for them to do as they please.
And people need to stop whining about liberals or conservatives and allowing them to divide us over the stupid parts of each side's ideology, rather than uniting over the common pieces neither side SUPPOSEDLY wants infringed.
(Score: 3, Insightful) by Thexalon on Wednesday January 25 2017, @05:08PM
I've been consistently critical of the surveillance state, regardless of who's in charge of it. And I'm certainly not alone in that.
I agree that partisan hackery exists, on all sides, but there is such a thing as ideological consistency. Basically, scratch somebody who works specifically in politics (whether professionally or not), and you'll find a lot of partisan hacks. Go for anybody else, and you'll find that while they often favor one party over another, they're much less partisan hacks.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by LoRdTAW on Wednesday January 25 2017, @01:54PM
I'd say it's more akin to allowing johnny law to have a skeleton key to every lock "just in case". Once that key is discovered and copied, it's all over and there is no going back. A free for all will ensue.
(Score: 3, Informative) by darnkitten on Wednesday January 25 2017, @05:41PM
Already have 'em... [knoxbox.com]
They're intended for fire departments, but...
(Score: 2) by urza9814 on Friday January 27 2017, @12:53AM
1) They're not on every lock. They're on apartments and office buildings which voluntarily decided to grant that access. I have no problem with the government having a program where I can voluntarily submit my encryption key. I wouldn't, but they're free to provide a drop box for 'em.
2) It's not a single master key, it's a different key for every local fire department. Much less risk. But of course, you can't really do that with crypto as it isn't tied to a physical location.
3) I believe most building codes specify that your front door has to be weak enough that the fire department can break it down. In the commercial buildings where these things are installed, the doors are often glass. So if they didn't have these keys they'd just use "brute force" and break through the door, which would probably be *faster* than using the key anyway. So unlike crypto keys, physical keys don't actually offer much protection to begin with.
4) Those boxes should be installed so they trip the building alarms when opened. In a fire, it doesn't matter, because the alarm is already going off. If you open one to try to break in when there ISN'T a fire, you're going to have the whole damn building coming towards you wondering what the hell is going on.
(Score: 2) by tibman on Wednesday January 25 2017, @07:00PM
Here, you can 3d print TSA master keys: https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys [github.com]
SN won't survive on lurkers alone. Write comments.
(Score: 3, Funny) by DannyB on Wednesday January 25 2017, @05:45PM
Protip: You keep the encryption key secret by wearing the t-shirt inside out. That's how.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @10:11PM
Cover it with a white sheet. [independent.co.uk]
(Score: 3, Insightful) by The Mighty Buzzard on Wednesday January 25 2017, @01:23PM
He can suck it. I'll stick to OSS solutions where most of that crew would kick you right he fuck off the team, and tell the entire world why, if you even thought about backdooring the crypto.
My rights don't end where your fear begins.
(Score: 4, Insightful) by fadrian on Wednesday January 25 2017, @01:46PM
After the new Congress passes a law stating that all encryption will have a back door, I doubt many developers on the team would continue under the threat of prosecution. Then the grunts will come in and add in an insecure back door.
You can't fight stupid when the law says you have to be that way.
Sessions is a disaster in a lot of other ways too, such as voting rights and marijuana legalization...
That is all.
(Score: 4, Insightful) by jcross on Wednesday January 25 2017, @01:54PM
You mean any *American* developers would quit the team. As long as there's somewhere in the world safe from this bullshit, I expect we'll have options. Also, good luck trying to force backdoors on the likes of Apple and Google. At some point it would start to look anti-business, which is anti-jobs-in-usa, and then I expect the administration might temper their stance.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @02:19PM
Uncle Sam has extradition treaties with many of his underlings... I mean... ALLIES, and he probably will find a very good excuse to arrest one of these non-American developers when she (all the best programmers are transgender, of course) comes to the US to attend a conference on Feminism in Cryptography.
Yes. I dislike everyone.
(Score: 4, Insightful) by Grishnakh on Wednesday January 25 2017, @06:08PM
That won't happen. Such people are already not coming to America, after the infamous debacle with Sklyarov. With Trump/Sessions in power, everyone's going to stay away.
(Score: 3, Insightful) by TheGratefulNet on Wednesday January 25 2017, @03:14PM
indians who where not born here have ALWAYS been happy to do the government's dirty work. they'll happily do it and for low wages, too.
many american citizens (the R variety, mostly, since that is the party with the authority boot-licking attitude) will also happily work against their own best interests; but foreigners are even 'better' since they don't have the full understanding of what made america great, way back when we started.
our principles are not theirs; they come from another culture and they could really care less if we bottom-out and become a hellhole. their country already is, for that matter, and they are doing nothing to really fix their own country, either, truth be told.
so, you can find willing pigs to do the bigging piggies' bidding. shame but its true and everyone knows it.
look at the googlers and yahoos and such. those people work for companies that also sell us all out. and they convince themselves that they are not doing the man's dirty work. cog dissonance at its best.
"It is now safe to switch off your computer."
(Score: 2) by nitehawk214 on Wednesday January 25 2017, @06:39PM
I used to set up FreeSWAN tunnels for my work back in the late 90s. The project rules were such that no American was allowed to contribute due to the laughable "weaponized encryption" laws back then. No restrictions on usage, though.
I think those laws were repealed or scaled back some years ago.
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 0) by Anonymous Coward on Thursday January 26 2017, @01:09AM
Canada is one of the few 'green' nations in the chart on
http://infogalactic.com/info/Restrictions_on_the_import_of_cryptography [infogalactic.com]
(or wikipedia if you prefer, but fsck supporting Wales and his financially motivated 'non-profit')
along with Ghana and a few other places you wouldn't think of as freedom loving utopias and paragons of democracy :)
In fact most of the 'free world' looks decidedly unfree based on the restrictions noted in that chart.
(Score: 0) by Anonymous Coward on Thursday January 26 2017, @06:58AM
Yep, this is an american fire drill here, as opposed to a chinese one.
I run FreeBSD and am not at all concerned with any of the spying these assholes are capable of.
As long as we have a free people on the planet somewhere, uninfected uncompromised code will always be.
Or course those running M$ windoz are already compromised with backdoors and an OS that spies on you and rats you out everytime you switch the thing on.
I imagine M$ compliance will satisfy these critters and leave them to quandary OSS and something they can't touch, meddle with or control.
And this is priceless!
(Score: 3, Insightful) by Anonymous Coward on Wednesday January 25 2017, @01:35PM
"overcome encryption under lawful authority"
That could be the front door.
Get a warrant and force the bad guy to provide the key.
Hmmm, there's that pesky 5th amendment.
I guess it's back to the back door.
Which brings up the old question of how do you make a backdoor that can only be used by the good guys when they have permission.
You can't.
What's really sad is that the in the Congressional hearing, nobody called him in it.
Is that because there is no understanding of the technical issues, or they feel security should trump liberty, or probably both?
(Score: -1, Spam) by Anonymous Coward on Wednesday January 25 2017, @01:48PM
Trump! Trump! Trump!
(Score: 2) by Gaaark on Wednesday January 25 2017, @05:16PM
Let's make backdoors beautiful again.
https://unintentionalgoatse.wordpress.com/2010/12/31/pee-wee-herman-goatse/ [wordpress.com]
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 4, Insightful) by LoRdTAW on Wednesday January 25 2017, @01:50PM
Encryption with a back door isn't encryption.
(Score: 5, Insightful) by meustrus on Wednesday January 25 2017, @02:09PM
The fundamental problem with treating digital encryption like physical locks - which would lead to law enforcement having the right to break in - is the same as the fundamental problem facing everything digital: scale. The police can, with a lot of time, expense, and visibility, break any safe. But there is no way for the police to break encryption with a lot of time, expense, and visibility. There is only a way for the police to break encryption quickly, cheaply, and invisibly.
That's just how computers work. Encryption, which must be designed to keep information safe wherever it is copied, must accomplish a task that is impossible to achieve in physical space to be useful. And achieving that task - being difficult to break into even if when it is on high-end hostile computer systems - necessarily prevents the police from gaining access.
That brings us to the problem of scale. Because breaking any encryption means breaking lots of encryption quickly, cheaply, and invisibly, there is no effective way to limit the backdoor to one lock at a time. It will be used at scale to break into lots of things really quickly. It's like the police want to be able to break into a safe from brand X, but in order to do it, they are going to be able to break into every safe from brand X at the same time. Not only that, but any enterprising criminals who found out how the cops did it would be able to do the same thing. The only thing keeping jewel thieves out of every safe is that breaking into them requires time, can be noisy, and must be done behind physical security. Hackers have all the time they need and can make all the noise they want because they can break through security, make a very portable copy of the information, and run off with it to break in on their own time.
Unfortunately this fundamental difference between the physical and digital worlds is not something that the average person understands. We live in the physical world. Only the math and software nerds understand the implications of the digital world. And there has been very little effort to explain the fundamental differences in such simple terms.
We are likely to see this problem keep coming up every time our politicians represent the understanding of the population at large rather than the understanding of the elite. Much as I dislike this administration and assert that the do not represent the majority of the population, politically speaking they must represent the majority understanding on most issues. It's a simple matter of their messaging - Republicans are only willing to accept declarations from the elite when they sound like common sense, whereas Democrats are willing to accept declarations that appear to come from experts even when they conflict with common sense. And in this case, the reality definitely conflicts with common sense, because common sense is based on the physical world.
I don't expect Democrats to fix this problem. Obama made it worse. Law enforcement experts tend to override cryptography experts when it comes to law enforcement, so relying on expert opinion simply isn't a viable strategy. Our only hope is to make Republican voters - and right-leaning movements all over the world - understand intuitively how the digital world works. Because ultimately, if they understood what encryption backdoors meant, they would oppose it as government overreach.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by Non Sequor on Wednesday January 25 2017, @04:00PM
I'm going to play devil's advocate here.
Let's say you have a cryptographic system where there is an algorithm that uses a publicly available constant in the process. This algorithm would be framed so that a private constant can be used to reduce the complexity of cracking a key to something that could be accomplished with a very large supercomputer. Maybe new constants are published at regular intervals to reduce issues with leaks of the private constant and maybe encryption users could regularly decrypt and re-encrypt using the newer constant to prevent older encrypted data from becoming less secure over time.
Now suppose that use of this scheme was mandated, enforced by a fine, with exemptions for encryption used for health records, sales transactions, and messages under attorney-client privilege. Messages and personal data are under the mandate, but personal encryption users would be subject to at most a fine for violating the mandate and not subject to criminal prosecution. Service providers offering encrypted storage or messaging, on the other hand, likely would not be able to risk the fine.
This is probably what the middle ground looks like. A pure backdoor system where the authorities can access any encrypted information at any time is a straw man of what the other side wants. They may actually even say they want it, but when you come down to it, they're mistaken on what they want, because they'll definitely want data security for certain pragmatic purposes and they'll grudgingly concede certain explicit civil rights uses such as attorney-client privilege if pressed hard enough.
If a serious middle ground proposal in this vein is aired, they will get the major tech companies on board and they will cut out the legs from under the traditional encryption advocates. Of course, that doesn't mean the middle ground proposal will actually work, since there are a lot of other devils in the details. A sloppy execution results in it falling apart, and there is plenty of attack surface in this kind of framework. But the point is that eventually the conversation may change so that rather than arguing from a fundamental position, you're arguing about expected pragmatic outcomes of a particular plan. That's going to be a much different animal.
Write your congressman. Tell him he sucks.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @04:52PM
That sounds exactly like: https://en.wikipedia.org/wiki/Dual_EC_DRBG [wikipedia.org] in that the whole security of the thing depends on two constants being independent. The security of the whole thing goes out the window if there is a valid solution to (Backdoor EC multiplication Secret1) = Secret2. True, solving that inverse operation is hard, but not impossible. And once someone gets it, the whole thing is insecure in that you can predict the random output.
(Score: 2) by meustrus on Thursday January 26 2017, @03:42PM
That is indeed a middle ground. It's also completely unworkable because of whom it targets: service providers like Facebook or Apple. These service providers are the people with lobbying power. They don't want to succumb to this surveillance because of two reasons: 1) it incurs unnecessary expenses on their part (which is the same reason all industries resist regulation of any kind), and 2) it will make their users angry, possibly angry enough to leave the platform. And ultimately, while conservatives should be concerned about reason #1, security buffs are very concerned about #2.
It comes down to the exact same problem as digital piracy. Right now Facebook is like Napster: operating outside the rules (in this case the unwritten rules or else they'd have met the same fate). When Napster was shut down, users who left the platform didn't stop pirating. They moved to a decentralized platform that was harder to crack down on. Similarly, if Facebook were required to build in backdoors, users would leave in favor of a decentralized platform. This would similarly make it harder to enforce the rules, and much like the difference between DRM-based legal stores and torrents, the legitimate customers would end up with a product that is inferior to what the terrorists get. And the terrorists still win.
In short, if you make encryption illegal, then only terrorists will have encryption.
Which is how we get to where we currently are: the NSA gets secret powers because if they got what they needed by law, everyone would know what they are doing and the bad actors would work to prevent it. The NSA probably doesn't want Facebook to have legally required backdoors because that would actually make their existing tools - which rely on people using Facebook without really thinking about their security - less effective.
What the NSA should really want is specifically to target individual users, not services. The realistic fear is that terrorists will create a real encrypted platform outside of US control. They wouldn't even need to solve hard decentralization problems to keep the platform safe from air strikes; they could use the already-available decentralization solution that the Pirate Bay uses to avoid being shut down everywhere: keep lots of mirrors. Your "devil's advocate" scheme will do nothing to help combat this situation and may even help bring it about.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by urza9814 on Friday January 27 2017, @01:22AM
You've already got a problem. You can't re-encrypt to make the data more secure, because someone may already have a copy of the data that used the old encryption keys. Or you might just forget to re-encrypt an old copy that's sitting on your backup server. You can't assume that the criminal is only trying to break into live data. They'll take the data and sit on it for a few months or even years, and until they crack it, you may not even know it's been stolen (and even then you still might not know). In fact, *they already do this*. Thankfully, most encryption schemes are designed to last quite a few years, and hopefully the data they protect is useless by the time they can be cracked...but yeah, that's another scheme that just makes things easier for the criminals.
Any encryption scheme designed to be broken is, well, broken.
(Score: 2) by Hyperturtle on Wednesday January 25 2017, @04:29PM
I hope you are right that this can be done, that this can be effectively communicated, and that people are willing to try to understand.
There is a reason that many tech companies are made up of individuals that are not on the fringes of the political spectrum. A lot of that has to do with the view of what change is and what it represents.
Certainly, change is a constant. It would seem that some people will go to great lengths to avoid change, though, and willful ignorance (I am not saying stupidity--I am saying the refusal to accept something and carrying on as normal) is an unfortunate response by people that don't have a good alternative to the change.
Often it makes things worse, like policies that are not in the best interests of those resisting change, made more easily implemented because of a refusal to understand the issues and a desire for nothing to happen. The problem is that changes are more easily introduced and implemented when the populace is ignorant--willful or otherwise.
IT is an excellent arena where we can safely conclude that the populace is ignorant of the difficulties and concerns surrounding many concepts within it-- privacy, security -- and the merger of both, encryption-- but we can also conclude that the populace knows how to respond to fear. Consider one-issue voters. They are often compelled to vote out of fear that their one issue will no longer be decided in their favor.
It is easier to tap into an emotion than it is to relate to an "expert", even worse when they are described as egghead geeks that are so far removed that they don't understand the 'realities'.
I am hoping for the best, but expect that Big Brother Inside (the clipper chip, if you recall--something President Clinton proposed back during his presidency) will see its modern equivalent make a resurgence. This may result in a mandate... and the support will be drummed up because of various threats described that have only one solution to maintain your safety--complete surrender of privacy in the digital realm in the name of security, because terrorist pedophiles want to take your rights while praying in a different religion as they compete for outsourcing contracts to replace your jobs.
(Score: 4, Insightful) by mendax on Wednesday January 25 2017, @07:31PM
This is what idiots like Jeff Sessions and his ilk do not understand: You can have strong encryption without backdoors or you can have NO encryption. There can be no in between. There can be no half measures. With regard to strong, nearly unbreakable encryption, the cat is out of the bag and no amount of regulation will put it back. Law enforcement is going to have to accept this fact. If backdoors are mandated, there will be some entrepreneur outside the United States who will provide the means for encryption without a backdoor. And, of course, everyone here knows that a backdoor is just an invitation for the black hats to break in and steal personal information.
I'm sure that government would like to opt for NO encryption, but that is impossible because it is a vital part of the American economic system now. E-commerce and banking is impossible without strong encryption.
There is also another argument against backdoors. At one time there was a proposal that in order to use strong encryption one had to register one's private key with the federal government. That's all well and good except that because the cat is out of the bag regarding public key encryption, such a regulation will mean that only the bad guys will have unmonitored communications.
In short, backdoors simply will not work and it's about time these idiots figure this out.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @07:43PM
how about a real physical key?
if lawful authority has the physical encrypted device in hand then they can really unlock it with a real key and then remove the
chips that are storing the data (and get around the encryption)?
this would be "okay" if the real key were securely stored, difficult to copy and would leave a paper trail if removed (and used)
from the real physical storage box .. somewhere.
but ofc this "solution" isn't what is wanted. what IS wanted is the means to willy-nilly spy over great distances thru a
in-place network (internet) by any 'lil whim ... and you don't have to worry because you're a good law abiding person that has nothing to hide ...
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @07:50PM
User Al want's to setup an encrypted session to user Bob.
The Govt agent George want's the ability to look into the session give permission from Judge Judy.
To support this somebody we trust, Kim, sets up a set of Key servers.
Kim creates a set of PKI key pairs and publishes the public keys K1..Kn.
These keys are grouped into separate key servers so that each private key is only known of a few servers.
Bob makes a PKI key pair and publishes the public key to Al.
Al chooses a random session key and sends it to Bob using Bob's PKI.
Al also includes an encrypted version of the session key encrypted with his choice of a subset of K1 through Kn.
Al and Bob can talk using the session and George can watch the encrypted traffic.
George gets permission to see the decrypted traffic from Judy.
Judy tells servers K1 through Kn that this is ok.
George looks at the key subset Al used to encrypt his access key and asks the proper Keyservers to decrypt the session key.
The Key servers do this,but keep a good audit trail that George did this for this specific session.
George can now see the traffic the Judy authorized and there is a good audit trail to make sure that this is all that happened.
Good news:
No new algorithm are required. The encryption algorithm is as good as it was before the backdoor was installed.
Bad news:
Only good guys and lazy or dumb bad guys can be expected to provide the access key.
If some bad guy manages to get the private keys from the key servers, he can see all the traffic for the whole system.
Moral, even with an algorithmically robust backdoor, the operations problems of keeping such powerful keys are overwhelming.
It's wiser not to make such keys in the first place.
(Score: 0, Offtopic) by Anonymous Coward on Wednesday January 25 2017, @07:51PM
I know y'all may think this blindingly obvious, but the real lead here is: Candidate who wants to make America "GREAT" "again" ends up putting together a team that is advocating exactly the same totalitarian shit as before.
Kind of like how the candidate who would give us "HOPE AND CHANGE" ended up putting together a team that advocated exactly the same totalitarian shit as before. Kind of like how the candidate who was going to be The Decider... granted he gave us two new fronts to fight combat engagements on (that still aren't settled,) but his team even before September 11 advocated exactly the same totalitarian shit as before. Then you had the Slick one whose wife just lost the election. He gave us prurient sexual escapades and did manage to balance the budget and take credit for a normal economic upturn (and his veep claims credit for Teh Internets.) He had a staff who advocated the same totalitarian shit as before - see for example Tomahawk missiles against the Taliban. Before him you had the Daddy of The Decider, who lasted only one term in office because his team gave us the same totalitarian shit as before (despite taking back Kuwait.) Then you had the B-list Actor who was excellent at oratory but was clueless enough to have a staff who started giving us the same shit as we have now - who were actually continuing the same shit as Nixon and Ford did. His predecessor, Jimmy Carter, was genuinely new and different because we were sick of Ford/Nixon.... And Carter is still today regarded by many as a wonderful humanitarian and diplomat but who in his single term was one of the WORST Presidents the United States ever had.
So. What's your real theme here, and why the fuck would anyone not expect that Mr. Make America Great Again would have anything but a staff who would give us the same totalitarian shit that's been shoveled down our throats since before McCarthyism?
You young idiots... get the picture yet? I hope so. Because then you'll have genuinely learned something new that those of us who were stupid enough to vote for Reagan, Bush, Clinton, Bush, and Obama didn't learn when we were young and stupid.
Thanks for reading.
(Score: 2) by takyon on Wednesday January 25 2017, @10:25PM
Yeah, I think I'm going to continue submitting updates on the Crypto Wars, regardless if it is the same shit that has been going on for 2+ decades.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @11:55PM
Big Brother is watching. They are pushing double-speak as "alternate facts". Reminds me of that Doctor Who quote posted on i09:
The United States is becoming scarier by the day.
--
Why is Donald Trump hiding his tax returns?