Deputy AG Rosenstein calls for law to require encryption backdoors

Silver badge

Flogging a Dead Horse?

Or just a throwaway speech tailored to his audience?

27
0
Silver badge

Re: Flogging a Dead Horse?

Probably they're going to try again to get public support for it now that Trump is president. He was on record as against Apple during their battle with the FBI so they'll have his support. The problem is that the public is still at best split on this issue - and Trump's low popularity isn't going to help him win any converts beyond his base.

Fortunately Congress can't get anything done, and the stuff they MUST get done will take priority over arguing about stuff like this, so we don't have to worry about any laws of the type Rosenstein wants happening.

18
0
Silver badge

Re: Flogging a Dead Horse?

I doubt Trump will spend much energy on the little stuff, that's more Obama's style. Trump has a big ego and only big causes will energize him, such as Immigration, Taxes, Health Care and the like.

2
0
Silver badge
Devil

Re: Flogging a Dead Horse?

if you flog it enough, it becomes *UNDEAD*

http://tvtropes.org/pmwiki/pmwiki.php/Main/UndeadHorseTrope

Anyway, Rosenstein's "audience" is more like "the D.C. Establishment" as he's one of THEM...

Don't these numbskulls understand that if you FORCE A BACK DOOR like that, you render the encryption WORTHLESS©®¶™? And then EVERYBODY will download some foreign entity's encryption, and/or use PGP, and/or use an algorithm OF THEIR OWN DESIGN [me], which would render this worthless argument into complete irrelevance.

Or, like 'gun control', if it's not "hitting the target by aiming properly" it's making sure that law abiding citizens cannot DEFEND THEMSELVES [because ONLY the criminals will have them].

So if we ONLY want terrorists and criminals to be the ones with proper encryption, then going THAT DIRECTION will ENSURE IT.

14
10
Silver badge

Re: Flogging a Dead Horse?

You're probably right that Trump won't see it as a cause worth his time, but that won't stop the FBI from trying once again to mandate encryption backdoors. They've been pushing this in one form or another since Clipper back in the 90s, even though the genie has been out of the bottle so long he has grandkids.

9
0
Gold badge
Coat

"if you FORCE A BACK DOOR like that, you render the encryption WORTHLESS"

No, in a word. They don't.

I'm not sure what the correct collective noun is for when people like this get together and one of them gives a speech like this.

A "lynch mob" of Aholes, perhaps?

4
1
Silver badge

Re: Flogging a Dead Horse?

Yup, send in the throwaway moral panic to go with it. Still no sign of the NSA/GCHQ paper accompanying it for peer review to tell us how it's safe to do it. Probably because the NSA/GCHQ don't think it's actually possible either..

5
0
Silver badge

Re: "if you FORCE A BACK DOOR like that, you render the encryption WORTHLESS"

"A "lynch mob" of Aholes, perhaps?"

How about..

A clusterfuck of dingbats.

7
0
Silver badge

Re: Flogging a Dead Horse?

@Big John

Trump has a big ego and only big causes will energize him, such as Immigration, Taxes, Health Care and the like.

HELLO!!!

Terrorists!

Wasn't it his first Executive Order to persecute Muslims, as all his followers consider them a terrorist risk that needs to be controlled and monitored?

1
1
Anonymous Coward

Re: Flogging a Dead Horse?

"Don't these numbskulls understand that if you FORCE A BACK DOOR "

Random use of CAPS always reminds me of the Sun, Mirror, etc. i.e. content that is for those with a very low IQ...

2
0
Anonymous Coward

Re: Flogging a Dead Horse?

In the words of Sandor Clegane....stupid c*nt.

0
0

If they succeed then US software will be at a disadvantage elsewhere in the world.

Anything known to Apple, Microsoft, Facebook etc is automatically known to the US government is not a good advertising line.

23
0
Silver badge

It's funny; US conservatives often deride gun control by saying "criminals don't obey laws, so if we ban guns then only criminals will have them."

The same logic applies to banning (or back-dooring) encryption. The sheeple will use the security-neutered comms to send cat pics to mom, and ISIS / the mafia / etc. will use something like PGP.

TLAs will gain access to mountains of "where you at" messages, pictures of food, and other useless data. Meanwhile, the thugs will continue their thuggy business unabated...with the added benefit of not getting their bank accounts hacked, because now they're the only ones who have secure comms.

42
0
Silver badge

"... ISIS / the mafia / etc. will use something like PGP."

I'm sure they already do, with well managed key distribution and a bullet in the head for anyone who does anything that threatens their security.

6
0
Silver badge
Linux

call to arms

It's funny; US conservatives often deride gun control by saying "criminals don't obey laws, so if we ban guns then only criminals will have them."

The same logic applies to banning (or back-dooring) encryption. The sheeple will use the security-neutered comms to send cat pics to mom, and ISIS / the mafia / etc. will use something like PGP

But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' and allows TLAs to concentrate resources on looking out for opsec fuckups or meta-data, so ISIS will need to cut over to using lame-o encryption on their seecrit comms steggoed into cat videos.

Video for cats -->

1
2
Silver badge
Paris Hilton

Re: call to arms

"But unless enough "sheeple" also use proper encryption"

Take a look at the top of your browser, right now. See that bit that starts 'https://' ?

If you need any more clues - I refer you to the right dishonourable Paris Hilton, T.A.R.T. ->>

1
0
Roo
Silver badge
Windows

"TLAs will gain access to mountains of "where you at" messages, pictures of food, and other useless data."

Google, Whatsapp, Facebook et al all leverage that 'useless' data to generate cash. Presumably the TLAs & gov can and will do exactly the same - much like our allegedly confidential NHS records here in the UK.

1
0
Silver badge

I'm sure they already do, with well managed

I doubt it. Too many of them are incompetent dumbasses

1
0
Anonymous Coward

Re: call to arms

"But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' "

But if it's "properly encrypted" then it's not going to help...Disguising sources on the internet is easy via TOR / VPN / Proxy etc etc.

1
0
Silver badge

Re: call to arms

"But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest'"

Not if the properly encrypted messages are sent over a connection that has compromised encryption. In that case the FBI et al will have to decrypt all the weakly-encrypted traffic in order to find out who is using "proper" encryption, which is not practical.

2
0
Silver badge

"Anything known to Apple, Microsoft, Facebook etc is automatically known to the US government is not a good advertising line."

It's a very good line for vendors not in that list.

3
0
Anonymous Coward

Re: call to arms

"then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' "

That argument doesn't quite work. You can detect well-encrypted message bodies by measuring their degree of randomness (and then checking that they aren't simply well-compressed, which also makes them look random). But detecting by looking at the ciphertext that they've been encrypted with a back door is a completely different, i.e. impossible, problem. So in practice they will have to pick a message for analysis based on its metadata or on the sender or receiver's profile, and only then will they find out whether it has a back door. Of course, if it's suspect based on metadata, it may become a bit more suspect if there's no back door, but that doesn't have evidentiary value. Not that actual evidence seems to mean a lot to these spooks.

Oops, better be AC for this one... although I wonder whether that helps... who's that knocking at the door?

0
0
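The randomness test the commenter describes, as an added example that is not from the thread: it estimates per-byte Shannon entropy over constructed samples (pseudo-English prose, the same prose deflated, and a seeded PRNG stream standing in for ciphertext), screens high-entropy data for known compressed-container headers, and is deliberately unable to say anything about which cipher, backdoored or not, produced the rest. The vocabulary, threshold and magic-byte list are illustrative assumptions.

```python
import math
import random
import zlib
from collections import Counter

# Constructed sample inputs (not from the thread): pseudo-English prose, the
# same prose deflated, and a seeded PRNG stream standing in for ciphertext.
_WORDS = ["the", "cat", "sat", "on", "a", "mat", "and", "watched", "birds",
          "while", "rain", "fell", "over", "quiet", "streets", "nearby"]
_rng = random.Random(2017)
PLAINTEXT = " ".join(_rng.choice(_WORDS) for _ in range(20000)).encode()
COMPRESSED = zlib.compress(PLAINTEXT, 9)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))

# Magic prefixes of a few common compressed formats (illustrative, not exhaustive).
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"\x78\x01": "zlib",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
}


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte; 8.0 is the ceiling for a uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_format(data: bytes):
    """Name of a recognised compressed container, or None."""
    for magic, name in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Coarse triage: 'structured', 'compressed:<fmt>' or 'high-entropy'.

    'high-entropy' means encrypted, or compressed in an unrecognised format.
    Nothing here can tell a backdoored cipher's output from any other cipher's:
    both look uniformly random to this test, which is the commenter's point.
    """
    if shannon_entropy(data) < threshold:
        return "structured"
    fmt = compression_format(data)
    return f"compressed:{fmt}" if fmt else "high-entropy"
```

Short inputs bias the estimate downwards (a 60-byte blob can never score above about 5.9 bits), so in practice the test is only meaningful over a few kilobytes or more.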
Silver badge

Re: call to arms

"But detecting by looking at the ciphertext that they've been encrypted with a back door is a completely different, i.e. impossible, problem."

I don't believe it is. If you can identify the application / traffic type then presumably you could test it against a known backdoor key and see if the output makes sense / is non-random. Or even testing it against a whole suite of keys wouldn't be hard, bearing in mind the CPU power these guys have to leverage.

You could also make "authorised" backdoored encrypted traffic in some way distinctive. After all if you are forcing a backdoor then presumably you can force whatever else you want as part of the package.

Then the use case here is if you know it's encrypted in a "non authorised manner" and the source or destination is something that you have / can compromise then with a bit of extra effort you can still go take a look what is inside it. We already know the security services had exploits for most OS, VPNs, network hardware, etc, etc for many years. And worked by compromising and exploiting internal networks to get access for things they couldn't otherwise crack. I would imagine that they have already replaced all the exploits that were previously stolen and released with new ones.

I wouldn't be surprised if they have exploits in things like imessage, WhatsApp, etc. etc too. They are not going to admit it if they do. In that case they can potentially monitor you just by sending a message or even a packet....

And don't forget there are known security flaws in many of these apps anyway that a well resourced adversary could attack. For instance https://www.scmagazineuk.com/ss7-vulnerability-defeats-whatsapp-encryption-researchers-claim/article/530945/ and http://bgr.com/2017/01/13/whatsapp-encryption-broken-key-generated-nsa-oh-no/

0
0
Silver badge

irresistible force vs

immovable object.

My money's on maths (the latter protagonist here).

Somehow, paradoxical problems like that are really interesting, aren't they?

7
0
Silver badge

Re: irresistible force vs

My money's on maths

"The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

-- Malcolm Turnbull

6
0

Impossible

Good quality encryption is already in the public domain (eg OpenPGP ) and any attempt to insert a backdoor is very unlikely to succeed when the source is publicly available.

For people who REALLY want to keep information secret - it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file, then use ccrypt to encrypt the Zip file, then use OpenPGP to encrypt the output from ccrypt). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.

10
0
Silver badge

Re: Impossible

Except by the simple method of keeping you in prison indefinitely until you reveal the keys and holding you upside down in a tank of water with electrodes on your bits until you remember

22
0
Silver badge
Holmes

Re: Impossible

That level of pain is normal here, and yes I'm serious. I've been tasered and that didn't work out so well for the cops. Hardest part was pulling out the hooks. The shock did nothing. They decided that talking me out of one of my rambles was better idea.

The real problem for law enforcement is that it's only companies that they have a real bit of leverage on. I'm now a private citizen and unless they figure out some way of banning encryption entirely, there are probably close to a myriad of ways we citizens can short-circuit their monitoring. Save for the point to point metadata, and some of that can be scrambled too, the content is a mystery.

They've been told and told that only by leveraging the end-point (hacking the devices on each end) will they be able to gain access to the content. And that's dead on*. Anything else is a pipe dream and as I recall, AG Sessions has a thing about people that smoke drugs.

* - In the military I worked professionally in a dozen fields of engineering, half that in analysis (including intelligence), had a nuclear security clearance, and used to fix NSA gear when it broke and the cryppies couldn't fix it. [Real easy to troubleshoot if you know what you should be looking for in-circuit.] Also a computer scientist, statistician, econometrician and a bunch of other applied math stuff. The point of this footnote is that there isn't a damn thing in the world preventing me from literally encrypting the world+dog, should I choose to do so. The hardest part is killing side-channel attacks. And then, share the results. Short of locking me up forever, which will have to be solitary since there's stuff they don't want me to talk about. Ever. And I'm far from the only one with these distinct libertarian/anti-authoritarian impulses.

16
2
Silver badge

Re: Impossible

Done properly there is no way

Of course there is a way. There is a very well known side channel attack - you download the key by attaching two electrodes to the testicles and applying short pulses of 5 kV.

3
3
Silver badge

Re: Impossible

keeping you in prison indefinitely until you reveal the keys and holding you upside down in a tank of water with electrodes on your bits until you remember

PTSD interferes with my memory recall. As does being pissed off at someone trampling over my rights.

7
0
Silver badge

Re: Impossible

holding you upside down in a tank of water with electrodes on your bits until you remember

Or the (much cheaper) rubber cosh and big burly types option.

1
0
Silver badge

Re: Impossible

you download the key by attaching two electrodes to the testicles

Will only work on ~51% of the population..

5
0
Coat

Re: Impossible

"For people who REALLY want to keep information secret - it is possible to use multiple encryption programs in series"

That's why I double encrypt everything with ROT-13 when I want to make sure it stays secret. ;-)

Dave

P.S. I'm waiting for an intelligent genius to develop an encryption routine which, when the data is decrypted with one key, produces the secret text, but, when decrypted with an alternate key, produces a grocery list.

2
0
Silver badge

Re: Impossible

"P.S. I'm waiting for an intelligent genius to develop an encryption routine which, when the data is decrypted with one key, produces the secret text, but, when decrypted with an alternate key, produces a grocery list."

It's been done.

Search "TrueCrypt" (or "VeraCrypt") and "hidden container"

4
0
Orv
Bronze badge

Re: Impossible

There are deniable encryption systems that come close, but they have strong usage constraints that make them not super practical for day to day use. Generally they let you selectively decrypt portions of the data without revealing how many portions are still encrypted. This only helps you if the cops aren't sure what you have, of course -- if they have other evidence you have a specific piece of info, they can just keep you in jail on contempt charges until you cough up the passphrase for it.

1
0
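The two-key "grocery list" routine Dave asks for, and the usage constraints Orv mentions, as an added toy example that is not from the thread and is not how TrueCrypt/VeraCrypt hidden containers work: a one-time pad encrypts the real message, and the decoy key is derived afterwards so the same ciphertext also "decrypts" to the decoy. The messages, padding scheme and helper names are constructed assumptions.

```python
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    # Both inputs are padded to equal length before this is called.
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deniable(secret: bytes, decoy: bytes):
    """Return (ciphertext, real_key, decoy_key) for a deniable one-time pad.

    The ciphertext is the secret XORed with a fresh random pad. The decoy key
    is then chosen as ciphertext XOR decoy, so handing it over yields the
    grocery list instead. Constraints that make this impractical day to day:
    the decoy must be fixed before encryption, each key is as long as the
    message, and both keys must be stored somewhere the examiner cannot find.
    """
    n = max(len(secret), len(decoy))
    secret, decoy = secret.ljust(n, b" "), decoy.ljust(n, b" ")
    real_key = secrets.token_bytes(n)          # genuine one-time pad
    ciphertext = _xor(secret, real_key)
    decoy_key = _xor(ciphertext, decoy)        # the "grocery list" key
    return ciphertext, real_key, decoy_key


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Recover whichever plaintext the supplied key was built for."""
    return _xor(ciphertext, key).rstrip(b" ")


if __name__ == "__main__":
    # Constructed sample messages.
    c, k_real, k_decoy = encrypt_deniable(b"quarterly figures are due on Friday",
                                          b"eggs, milk, bread, coffee")
    print(decrypt(c, k_real))
    print(decrypt(c, k_decoy))
```

The trick only works because a one-time pad key is as long as the message and can be chosen freely; a real cipher with a short key offers no such second key, which is why practical systems fall back on hidden volumes and the constraints Orv describes.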
Silver badge

Re: Impossible

> it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file then use ccrypt to encrypt the Zip file then use OpenPGP to encrypt the output from ccrypt.). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.

Obligatory

Also your idea, whilst stopping attacks on specific ciphers, does not assist when said TLA compromises your RNG.

0
0

Re: Impossible

Those Dummkopfs at the upper levels of NSA/GCHQ/MI5/MI6/CSE/CSIS, etc. can't do toodle SQUAT when I can write an OPEN SOURCE text and video messaging app that works on MULTIPLE OSes and web browsers which can encrypt data to and from almost ANY application!

I can design and code Triple AES-256, Elliptic Curve and Quantum Computing Shor's resistant encryption algorithms EVERYWHERE in almost ANY application!

And of course I will GIVE IT AWAY COMPLETELY FREE AND OPEN SOURCE !!!

and there is NOTHING they can do about it! BECAUSE...I'm ONE of those people who simply IGNORES THE LAW if I find it to be stooopid and/or outrageously illegal and/or immoral! I JUST IGNORE IT AND SEND MY SOFTWARE OUT ANYWAYS!

NOT A THING THEY CAN DO ABOUT IT AS I keep dead hand switches active EVERYWHERE in the world!

0
3
Silver badge

Re: Impossible

I hope you don't litter your coding remarks with that many capital letters :)

0
0
Silver badge
Facepalm

And in other news...

A new bill was just introduced into Congress to repeal the law of gravity. "After all," stated a congressional spokesperson, "it's a LAW, so Congress has the power to repeal it, at least in the U.S. With gravity under our control, it will be much more economical to explore space since the rockets won't need as much fuel to take off. We're also looking into making both pi and e equal to 3.0 to simplify mathematics for our children and bring up STEM scores."

50
0

Re: And in other news...

I regret to have to say that there are almost certainly US congresscritters that would go along with all three of those.

27
0
Silver badge

Shyster Stupidity

Given the average shyster over here has problems with basic arithmetic, I am not surprised at the near Congresscritter level of stupidity here.

7
2
Anonymous Coward

Maybe it's time America updated its constitution to make privacy a right, with retribution for anyone who proposes to take it away. Little by little they empower the enforcers and disempower the people. Where is the line? Isn't this surrendering our freedom to terrorism?

14
0
Anonymous Coward

Privacy is a constitutional right, just not an explicitly listed one. It underlies decisions like Roe v. Wade that tend to piss a lot of people off when they discover the government can't compel behaviors they don't like.

While making it an explicit right wouldn't change much legally, it would sure do a lot for the whiners that want the government to run our lives.

12
0
Silver badge
Pirate

"It underlies decisions like Roe v. Wade that tend to piss a lot of people off when they discover the government can't compel behaviors they don't like."

unless it's the OBAKA-CARE INDIVIDUAL MANDATE (according to the Supreme Court, anyway)

/me still waiting for THAT @#$%-ing thing to GO THE @#$% AWAY and I will _CONTINUE_ to _VIOLATE_ that "law" until it does... because it's a "hardship"

2
30
Silver badge

On the bright side today, the California Supreme Court shut down retention of automatic license plate recording data. Have to wait for the full judgement to see how effective it will be against private firms, not just law enforcement. The LAPD ain't happy. Good.

12
0
Gold badge
Gimp

"the California Supreme Court shut down retention of automatic license plate recording data."

A situation the British can only dream of.

UK police forces have been doing this for a decade, despite no apparent formal request to set it up in the first place, and absolutely no government or local authority oversight.

12
0
Silver badge
Big Brother

Re: "the California Supreme Court shut down retention of automatic license plate recording data."

The police in the UK have been told holding mug shots and DNA info on ordinary citizens is illegal and they should destroy what they have and not collect any more. Guess what they're doing? Exactly as they damn well please, and we don't have anyone with the nerve to hold the police to account for breaking the law.

12
0
Devil

An unbreakable backdoor would be nice

And as we are on it. Could we also outlaw general relativity? Why should we limit ourselves to the speed of light?

18
0
Silver badge

Re: An unbreakable backdoor would be nice

According to the law, usage of the backdoor would be only permitted by law enforcement. Also, to guarantee the well known concept of "security by obscurity", backdoored software would be classified as "munitions" and made illegal to export to other countries. Practically, usage and specific knowledge of backdoors would be limited only to cases vital to national security and not made available to local agencies to access people's phones without securing warrants - ok, yeah, I can't keep going.

11
0
ST
Silver badge
Angel

Re: An unbreakable backdoor would be nice

> backdoored software would be classified as "munitions" and made illegal to export to other countries

Encryption software or any encryption device is already classified as munition in the US, and it has been so for a very long time, at least since WWII.

Currently, any encryption algorithm using a key, or key pair, wider than 1024 bits falls under ITAR, and is considered munition. It cannot be exported to any country without prior permission from the US Department Of Commerce - Bureau of Industry and Security.

Just because an encryption algorithm is open source - that is, the source code is publicly available, it does not mean that the software is not subject to EAR export restrictions.

This is a relaxation of the rules that have existed since WWII. Before 1997, any encryption software or device was considered munition, regardless of key length.

4
2
