Deputy AG Rosenstein calls for law to require encryption backdoors

The deputy US Attorney General said he wants legislators to force technology companies to decrypt people's private conversations. Rod Rosenstein on Wednesday told a crowd of over 600 police officers that software developers should be required by law to unscramble end-to-end encrypted chatter on demand – and if the engineers …


  1. Youngone Silver badge

    Flogging a Dead Horse?

    Or just a throwaway speech tailored to his audience?

    1. Anonymous Coward

      Re: Flogging a Dead Horse?

      Probably they're going to try again to get public support for it now that Trump is president. He was on record as against Apple during their battle with the FBI so they'll have his support. The problem is that the public is still at best split on this issue - and Trump's low popularity isn't going to help him win any converts beyond his base.

      Fortunately Congress can't get anything done, and the stuff they MUST get done will take priority over arguing about stuff like this, so we don't have to worry about any laws of the type Rosenstein wants happening.

      1. Anonymous Coward

        Re: Flogging a Dead Horse?

        I doubt Trump will spend much energy on the little stuff, that's more Obama's style. Trump has a big ego and only big causes will energize him, such as Immigration, Taxes, Health Care and the like.

        1. Anonymous Coward

          Re: Flogging a Dead Horse?

          You're probably right that Trump won't see it as a cause worth his time, but that won't stop the FBI from trying once again to mandate encryption backdoors. They've been pushing this in one form or another since Clipper back in the 90s, even though the genie has been out of the bottle so long he has grandkids.

        2. Velv

          Re: Flogging a Dead Horse?

          @Big John

          Trump has a big ego and only big causes will energize him, such as Immigration, Taxes, Health Care and the like.

          HELLO!!!

          Terrorists!

          Wasn't it his first Executive Order to persecute Muslims, as all his followers consider them a terrorist risk that needs to be controlled and monitored?

    2. bombastic bob Silver badge
      Devil

      Re: Flogging a Dead Horse?

      if you flog it enough, it becomes *UNDEAD*

      http://tvtropes.org/pmwiki/pmwiki.php/Main/UndeadHorseTrope

      Anyway, Rosenstein's "audience" is more like "the D.C. Establishment" as he's one of THEM...

      Don't these numbskulls understand that if you FORCE A BACK DOOR like that, you render the encryption WORTHLESS©®¶™? And then EVERYBODY will download some foreign entity's encryption, and/or use PGP, and/or use an algorithm OF THEIR OWN DESIGN [me], which would render this worthless argument into complete irrelevance.

      Or, like 'gun control', if it's not "hitting the target by aiming properly" it's making sure that law abiding citizens cannot DEFEND THEMSELVES [because ONLY the criminals will have them].

      So if we ONLY want terrorists and criminals to be the ones with proper encryption, then going THAT DIRECTION will ENSURE IT.

      1. John Smith 19 Gold badge
        Coat

        "if you FORCE A BACK DOOR like that, you render the encryption WORTHLESS"

        No, in a word. They don't.

        I'm not sure what the correct collective noun is for when people like this get together and one of them gives a speech like this.

        A "lynch mob" of Aholes, perhaps?

        1. Sir Runcible Spoon

          Re: "if you FORCE A BACK DOOR like that, you render the encryption WORTHLESS"

          "A "lynch mob" of Aholes, perhaps?"

          How about..

          A clusterfuck of dingbats.

      2. Anonymous Coward

        Re: Flogging a Dead Horse?

        "Don't these numbskulls understand that if you FORCE A BACK DOOR "

        Random use of CAPS always reminds me of the Sun, Mirror, etc. i.e. content that is for those with a very low IQ...

    3. streaky

      Re: Flogging a Dead Horse?

      Yup, send in the throwaway moral panic to go with it. Still no sign of the NSA/GCHQ paper accompanying it for peer review to tell us how it's safe to do it. Probably because the NSA/GCHQ don't think it's actually possible either..

    4. Anonymous Coward

      Re: Flogging a Dead Horse?

      In the words of Sandor Clegane....stupid c*nt.

  2. Scoular

    If they succeed then US software will be at a disadvantage elsewhere in the world.

    "Anything known to Apple, Microsoft, Facebook etc is automatically known to the US government" is not a good advertising line.

    1. fidodogbreath

      It's funny; US conservatives often deride gun control by saying "criminals don't obey laws, so if we ban guns then only criminals will have them."

      The same logic applies to banning (or back-dooring) encryption. The sheeple will use the security-neutered comms to send cat pics to mom, and ISIS / the mafia / etc. will use something like PGP.

      TLAs will gain access to mountains of "where you at" messages, pictures of food, and other useless data. Meanwhile, the thugs will continue their thuggy business unabated...with the added benefit of not getting their bank accounts hacked, because now they're the only ones who have secure comms.

      1. frank ly

        "... ISIS / the mafia / etc. will use something like PGP."

        I'm sure they already do, with well managed key distribution and a bullet in the head for anyone who does anything that threatens their security.

        1. Bronek Kozicki

          I'm sure they already do, with well managed

          I doubt it. Too many of them are incompetent dumbasses

      2. 's water music
        Linux

        call to arms

        It's funny; US conservatives often deride gun control by saying "criminals don't obey laws, so if we ban guns then only criminals will have them."

        The same logic applies to banning (or back-dooring) encryption. The sheeple will use the security-neutered comms to send cat pics to mom, and ISIS / the mafia / etc. will use something like PGP

        But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' and allows TLAs to concentrate resources on looking out for opsec fuckups or meta-data so ISIS will need to cut over to using lame-o encryption on their seecrit comms steggoed into cat videos

        Video for cats -->

        1. Sir Runcible Spoon
          Paris Hilton

          Re: call to arms

          "But unless enough "sheeple" also use proper encryption"

          Take a look at the top of your browser, right now. See that bit that starts 'https://' ?

          If you need any more clues - I refer you to the right dishonourable Paris Hilton, T.A.R.T. ->>

        2. Anonymous Coward

          Re: call to arms

          "But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' "

          But if it's "properly encrypted" then it's not going to help... Disguising sources on the internet is easy via TOR / VPN / Proxy etc etc.

        3. Cynic_999

          Re: call to arms

          "But unless enough "sheeple" also use proper encryption, then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest'"

          Not if the properly encrypted messages are sent over a connection that has compromised encryption. In that case the FBI et al will have to decrypt all the weakly-encrypted traffic in order to find out who is using "proper" encryption, which is not practical.

        4. Anonymous Coward

          Re: call to arms

          "then 'properly encrypted' becomes a sufficiently valuable property for identifying 'traffic of interest' "

          That argument doesn't quite work. You can detect well-encrypted message bodies by measuring their degree of randomness (and then checking that they aren't simply well-compressed, which also makes them look random). But detecting by looking at the ciphertext that they've been encrypted with a back door is a completely different, i.e. impossible, problem. So in practice they will have to pick a message for analysis based on its metadata or on the sender or receiver's profile, and only then will they find out whether it has a back door. Of course, if it's suspect based on metadata, it may become a bit more suspect if there's no back door, but that doesn't have evidentiary value. Not that actual evidence seems to mean a lot to these spooks.

          Oops, better be AC for this one... although I wonder whether that helps... who's that knocking at the door?

          1. TheVogon

            Re: call to arms

            "But detecting by looking at the ciphertext that they've been encrypted with a back door is a completely different, i.e. impossible, problem."

            I don't believe it is. If you can identify the application / traffic type then presumably you could test it against a known backdoor key and see if the output makes sense / is non-random. Or even testing it against a whole suite of keys wouldn't be hard, bearing in mind the CPU power these guys can leverage.

            You could also make "authorised" backdoored encrypted traffic in some way distinctive. After all if you are forcing a backdoor then presumably you can force whatever else you want as part of the package.

            Then the use case here is if you know it's encrypted in a "non authorised manner" and the source or destination is something that you have / can compromise then with a bit of extra effort you can still go take a look what is inside it. We already know the security services had exploits for most OS, VPNs, network hardware, etc, etc for many years. And worked by compromising and exploiting internal networks to get access for things they couldn't otherwise crack. I would imagine that they have already replaced all the exploits that were previously stolen and released with new ones.

            I wouldn't be surprised if they have exploits in things like iMessage, WhatsApp, etc. etc. too. They are not going to admit it if they do. In that case they can potentially monitor you just by sending a message or even a packet....

            And don't forget there are known security flaws in many of these apps anyway that a well resourced adversary could attack. For instance https://www.scmagazineuk.com/ss7-vulnerability-defeats-whatsapp-encryption-researchers-claim/article/530945/ and http://bgr.com/2017/01/13/whatsapp-encryption-broken-key-generated-nsa-oh-no/
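The randomness test the AC describes above, and TheVogon's point about testing ciphertext against a key, as an added, constructed Python example (not code from any commenter): it measures byte entropy, sets aside bodies that are merely compressed by their container headers, and shows that two ciphertexts of the same message under different keys are statistically indistinguishable, so byte statistics alone cannot tell which key, backdoored or otherwise, produced them. The sample text, the seeded random bytes and the SHA-256 counter-mode XOR stand-in for a cipher are all constructed for the demo.

```python
"""Entropy-based classification of message bodies (constructed demo)."""
import hashlib
import math
import random
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random bytes approach 8.0

# Leading bytes of common compression containers (constructed list, not exhaustive).
COMPRESSED_MAGIC = (
    b"\x1f\x8b",                                         # gzip
    b"PK\x03\x04",                                       # zip
    b"BZh",                                              # bzip2
    b"\xfd7zXZ\x00",                                     # xz
    b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda",  # zlib, by level
)


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_compressed(data: bytes) -> bool:
    """Header check: short compressed blobs can land on either side of the
    entropy threshold, so they are recognised by container magic instead."""
    return any(data.startswith(magic) for magic in COMPRESSED_MAGIC)


def classify(body: bytes) -> str:
    """Return 'compressed', 'high-entropy' or 'plaintext' for a message body."""
    if looks_compressed(body):
        return "compressed"
    if shannon_entropy(body) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "plaintext"


def toy_keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with SHA-256 in counter mode: a stand-in for a real cipher, demo only."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], keystream))
    return bytes(out)


# Constructed sample bodies.
ENGLISH = (b"The deputy attorney general asked Congress to require vendors to "
           b"decrypt end-to-end encrypted chats on demand. ") * 40
COMPRESSED = zlib.compress(ENGLISH)
_rng = random.Random(2017)  # seeded so the demo is repeatable
RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))


def demo() -> dict:
    """Label each sample body; compare the same message under two keys."""
    c1 = toy_keystream_encrypt(ENGLISH, b"key-one")
    c2 = toy_keystream_encrypt(ENGLISH, b"key-two")
    return {
        "plaintext": classify(ENGLISH),
        "compressed": classify(COMPRESSED),
        "random": classify(RANDOM),
        "cipher_key_one": classify(c1),
        "cipher_key_two": classify(c2),
        # Both ciphertexts look the same statistically: nothing here reveals the key.
        "entropy_gap": abs(shannon_entropy(c1) - shannon_entropy(c2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```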

      3. Roo
        Windows

        "TLAs will gain access to mountains of "where you at" messages, pictures of food, and other useless data."

        Google, Whatsapp, Facebook et al all leverage that 'useless' data to generate cash. Presumably the TLAs & gov can and will do exactly the same - much like our allegedly confidential NHS records here in the UK.

    2. Doctor Syntax Silver badge

      "Anything known to Apple, Microsoft, Facebook etc is automatically known to the US government is not a good advertising line."

      It's a very good line for vendors not in that list.

  3. Frumious Bandersnatch

    irresistible force vs immovable object.

    My money's on maths (the latter protagonist here).

    Somehow, contradictions like that make for really interesting problems, don't they?

    1. fidodogbreath

      Re: irresistible force vs

      My money's on maths

      "The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia."

      -- Malcolm Turnbull

  4. Duncan Macdonald

    Impossible

    Good quality encryption is already in the public domain (e.g. OpenPGP) and any attempt to insert a backdoor is very unlikely to succeed when the source is publicly available.

    For people who REALLY want to keep information secret - it is possible to use multiple encryption programs in series (e.g. use 7-Zip to create a password protected Zip file, then use ccrypt to encrypt the Zip file, then use OpenPGP to encrypt the output from ccrypt). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.

    1. Yet Another Anonymous coward Silver badge

      Re: Impossible

      Except by the simple method of keeping you in prison indefinitely until you reveal the keys and holding you upside down in a tank of water with electrodes on your bits until you remember

      1. Anonymous Coward
        Holmes

        Re: Impossible

        That level of pain is normal here, and yes I'm serious. I've been tasered and that didn't work out so well for the cops. Hardest part was pulling out the hooks. The shock did nothing. They decided that talking me out of one of my rambles was a better idea.

        The real problem for law enforcement is that it's only companies that they have a real bit of leverage on. I'm now a private citizen and unless they figure out some way of banning encryption entirely, there are probably close to a myriad of ways we citizens can short-circuit their monitoring. Save for the point to point metadata, and some of that can be scrambled too, the content is a mystery.

        They've been told and told that only by leveraging the end-point (hacking the devices on each end) will they be able to gain access to the content. And that's dead on*. Anything else is a pipe dream and as I recall, AG Sessions has a thing about people that smoke drugs.

        * - In the military I worked professionally in a dozen fields of engineering, half that in analysis (including intelligence), had a nuclear security clearance, and used to fix NSA gear when it broke and the cryppies couldn't fix it. [Real easy to troubleshoot if you know what you should be looking for in-circuit.] Also a computer scientist, statistician, econometrician and a bunch of other applied math stuff. The point of this footnote is that there isn't a damn thing in the world preventing me from literally encrypting the world+dog, should I choose to do so. The hardest part is killing side-channel attacks. And then, share the results. Short of locking me up forever which will have to be solitary since there's stuff they don't want me to talk about. Ever. And I'm far from the only one with these distinct libertarian/anti-authoritarian impulses.

        1. StargateSg7

          Re: Impossible

          Those Dummkopfs at the upper levels of NSA/GCHQ/MI5/MI6/CSE/CSIS, etc. can't do toodle SQUAT when I can write an OPEN SOURCE text and video messaging app that works on MULTIPLE OSes and web browsers which can encrypt data to and from almost ANY application!

          I can design and code Triple AES-256, Elliptic Curve and Quantum Computing Shor's resistant encryption algorithms EVERYWHERE in almost ANY application!

          And of course I will GIVE IT AWAY COMPLETELY FREE AND OPEN SOURCE !!! and there is NOTHING they can do about it! BECAUSE...I'm ONE of those people who simply IGNORES THE LAW if I find it to be stooopid and/or outrageously illegal and/or immoral! I JUST IGNORE IT AND SEND MY SOFTWARE OUT ANYWAYS!

          NOT A THING THEY CAN DO ABOUT IT AS I keep dead hand switches active EVERYWHERE in the world!

          1. Sir Runcible Spoon

            Re: Impossible

            I hope you don't litter your coding remarks with that many capital letters :)

      2. Sir Runcible Spoon

        Re: Impossible

        keeping you in prison indefinitely until you reveal the keys and holding you upside down in a tank of water with electrodes on your bits until you remember

        PTSD interferes with my memory recall. As does being pissed off at someone trampling over my rights.

      3. CrazyOldCatMan Silver badge

        Re: Impossible

        holding you upside down in a tank of water with electrodes on your bits until you remember

        Or the (much cheaper) rubber cosh and big burly types option.

    2. Voland's right hand Silver badge

      Re: Impossible

      Done properly there is no way

      Of course there is a way. There is a very well known side channel attack - you download the key by attaching two electrodes to the testicles and applying short pulses of 5 kV.

      1. CrazyOldCatMan Silver badge

        Re: Impossible

        you download the key by attaching two electrodes to the testicles

        Will only work on ~51% of the population..

    3. Dave 32
      Coat

      Re: Impossible

      "or people who REALLY want to keep information secret - it is possible to use multiple encryption programs in series "

      That's why I double encrypt everything with ROT-13 when I want to make sure it stays secret. ;-)

      Dave

      P.S. I'm waiting for an intelligent genius to develop an encryption routine which, when the data is decrypted with one key, produces the secret text, but, when decrypted with an alternate key, produces a grocery list.

      1. Cynic_999

        Re: Impossible

        "

        P.S. I'm waiting for an intelligent genius to develop an encryption routine which, when the data is decrypted with one key, produces the secret text, but, when decrypted with an alternate key, produces a grocery list.

        "

        It's been done.

        Search "TrueCrypt" (or "VeraCrypt") and "hidden container"

      2. Orv Silver badge

        Re: Impossible

        There are deniable encryption systems that come close, but they have strong usage constraints that make them not super practical for day to day use. Generally they let you selectively decrypt portions of the data without revealing how many portions are still encrypted. This only helps you if the cops aren't sure what you have, of course -- if they have other evidence you have a specific piece of info, they can just keep you in jail on contempt charges until you cough up the passphrase for it.

    4. Adam 1

      Re: Impossible

      > it is possible to use multiple encryption programs in series (e.g. use 7-Zip to create a password protected Zip file, then use ccrypt to encrypt the Zip file, then use OpenPGP to encrypt the output from ccrypt). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.

      Obligatory

      Also your idea, whilst stopping attacks on specific ciphers, doesn't assist when said TLA compromises your RNG.

  5. ma1010
    Facepalm

    And in other news...

    A new bill was just introduced into Congress to repeal the law of gravity. "After all," stated a congressional spokesperson, "it's a LAW, so Congress has the power to repeal it, at least in the U.S. With gravity under our control, it will be much more economical to explore space since the rockets won't need as much fuel to take off. We're also looking into making both pi and e equal to 3.0 to simplify mathematics for our children and bring up STEM scores."

    1. Old Used Programmer

      Re: And in other news...

      I regret to have to say that there are almost certainly US congresscritters that would go along with all three of those.

  6. a_yank_lurker

    Shyster Stupidity

    Given the average shyster over here has problems with basic arithmetic I am not surprised at the near Congresscritter level of stupidity here.

  7. Anonymous Coward

    Maybe it's time America updated its constitution to make privacy a right with retribution for anyone who proposes to take it away. Little by little they empower the enforcers and disempower the people. Where is the line? Isn't this surrendering our freedom to terrorism?

    1. Anonymous Coward

      Privacy is a constitutional right, just not an explicitly listed one. It underlies decisions like Roe v. Wade that tend to piss a lot of people off when they discover the government can't compel behaviors they don't like.

      While making it an explicit right wouldn't change much legally, it would sure do a lot for the whiners that want the government to run our lives.

      1. bombastic bob Silver badge
        Pirate

        "It underlies decisions like Roe v. Wade that tend to piss a lot of people off when they discover the government can't compel behaviors they don't like."

        unless it's the OBAKA-CARE INDIVIDUAL MANDATE (according to the Supreme Court, anyway)

        /me still waiting for THAT @#$%-ing thing to GO THE @#$% AWAY and I will _CONTINUE_ to _VIOLATE_ that "law" until it does... because it's a "hardship"

    2. Anonymous Coward

      On the bright side today, the California Supreme Court shut down retention of automatic license plate recording data. Have to wait for the full judgement to see how effective it will be against private firms, not just law enforcement. The LAPD ain't happy. Good.

      1. John Smith 19 Gold badge
        Gimp

        "the California Supreme Court shut down retention of automatic license plate recording data."

        A situation the British can only dream of.

        UK police forces have been doing this for a decade, despite no apparent formal request to set it up in the first place, and absolutely no government or local authority oversight.

        1. James 51
          Big Brother

          Re: "the California Supreme Court shut down retention of automatic license plate recording data."

          The police in the UK have been told holding mug shots and DNA info on ordinary citizens is illegal and they should destroy what they have and not collect any more. Guess what they're doing? Exactly as they damn well please, and we don't have anyone with the nerve to hold the police to account for breaking the law.

  8. Chairo
    Devil

    An unbreakable backdoor would be nice

    And as we are on it. Could we also outlaw general relativity? Why should we limit ourselves to the speed of light?

    1. DNTP

      Re: An unbreakable backdoor would be nice

      According to the law, usage of the backdoor would be only permitted by law enforcement. Also to guarantee the well known concept of "security by obscurity", backdoored software would be classified as "munitions" and made illegal to export to other countries. Practically, usage and specific knowledge of backdoors would be limited only to cases vital to national security and not made available to local agencies to access people's phones without securing warrants - ok, yeah I can't keep going.

      1. Anonymous Coward
        Angel

        Re: An unbreakable backdoor would be nice

        > backdoored software would be classified as "munitions" and made illegal to export to other countries

        Encryption software or any encryption device is already classified as a munition in the US, and it has been so for a very long time, at least since WWII.

        Currently, any encryption algorithm using a key, or key pair, wider than 1024 bits falls under ITAR, and is considered a munition. It cannot be exported to any country without prior permission from the US Department of Commerce - Bureau of Industry and Security.

        Just because an encryption algorithm is open source - that is, the source code is publicly available, it does not mean that the software is not subject to EAR export restrictions.

        This is a relaxation of the rules that have existed since WWII. Before 1997, any encryption software or device was considered a munition, regardless of key length.
