Crypto-gurus: Which idiots told the FBI that Feds-only backdoors in encryption are possible?

Four cryptography experts have backed a US Senator's campaign to force the FBI to explain how exactly a Feds-only backdoor can be added to strong and secure encryption. The four are: Stanford professor Martin Hellman, of Diffie-Hellman fame and who helped invent the foundations of today's crypto systems; Columbia professor and …


  1. Anonymous Coward

    Is this one of those invisible girl friend from Canada kind of deals?

    1. DNTP

      Invisible GF from Canada

      She's totally real I swear and I'm the only one with access to her backdoor.

    2. Rattus Rattus

      Her name is Alberta, she lives in Vancouver!

    3. John Smith 19 Gold badge
      Coat

      Is this one of those invisible girl friend from Canada kind of deals?

      Good question.

      It's a very smart political move. Either they think this with no basis in reality other than "We wants it," or someone actually told them they could have this and they have to name the scam artist "researcher(s)*" in question.

      *Lagos University perhaps?

      1. Michael H.F. Wilkinson Silver badge
        Coat

        Re: Is this one of those invisible girl friend from Canada kind of deals?

        If your Lagos theory is correct one would assume the backdoor key is 419, because nobody would guess that

        Sorry, couldn't resist

  2. Aqua Marina

    Anyone want to make a lot of money?

    Approaching this from a business perspective. Our lords and masters have decreed that something must be done. They will not listen to those with suitable knowledge, so the only thing left to do is to give them something, anything and make a bloody f*ckton of money while doing it. Very soon someone else will have this idea and will make a f*ckton of money from it. Probably someone like BAE or Lockheed Martin. The final results do not matter. The fact that someone up high can tick a box that says “it is done” is sufficient. Start a company, sell magic thinking. Close down after a few years and retire to somewhere warm and cheap.

    So, are you going to complain that what is being asked for is impossible, or are you going to follow the American dream and profit from it?

    1. Wensleydale Cheese
      Joke

      Re: Anyone want to make a lot of money?

      "Approaching this from a business perspective. Our lords and masters have decreed that something must be done. "

      Much the same idea occurred to me when reading about AI detection of terrist videos. They got 600K, we could certainly aim higher than that.

      With sufficient funds, we could subcontract the job to GCHQ and let them get into systems using more conventional, but tried and tested methods, such as social engineering.

      1. Tom 64
        Pint

        Re: Anyone want to make a lot of money?

        It's leave your conscience at home day! Let's take a shitton of public funds and line our pockets!

        1. Doctor Syntax Silver badge

          Re: Anyone want to make a lot of money?

          "Let's take a shitton of public funds and line our pockets!"

          No chance, we'd have to leave it to the professionals at eating public funds. In the UK that would be the likes of Crapita.

      2. Doctor Syntax Silver badge

        Re: Anyone want to make a lot of money?

        "With sufficient funds, we could subcontract the job to GCHQ and let them get into systems using more conventional, but tried and tested methods, such as social engineering."

        That wouldn't work because it's not what the numpties in government want. It's something they have already. What they want is something new and magical that doesn't take any effort to apply. GCHQ know as well as anyone what a load of bollocks that is.

        The answer, as ever, lies with Sir Humphrey's explanations to Hacker that seeing money being spent means that everyone's happy because something's being seen to be done. So, just let out a contract to develop this magic with GCHQ, maybe in conjunction with some independent experts, being the arbiters of whether it works without any risks.

        That way, with some utterly rudderless guidance from themselves, HMG can persuade themselves that they're setting out to achieve this goal and maybe keep quiet about it - and even quieter about the ultimate failure. For good measure perhaps IDS can be put in charge; he has just the right track record for it.

    2. Vector

      @ Aqua Marina Re: Anyone want to make a lot of money?

      Yeah, I'd think twice about that little scheme. What's most likely to happen is someone will do just as you suggest, the system will get hacked just like everyone with any knowledge of the subject expects and that f*ckton of money and much more will be poured into the endless drain of lawsuits that result.

      1. Adam 1

        Re: @ Aqua Marina Anyone want to make a lot of money?

        @Vector, you are looking at this wrong. The investment opportunities are boundless, once you realise that it's the law firms' shares that you should be shoveling your hard earned into.

        1. Vector

          Re: @ Aqua Marina Anyone want to make a lot of money?

          Ah! Lawyers! Now there's a plan. They always end up with the money anyway, don't they?

          1. Gotno iShit Wantno iShit

            Re: @ Aqua Marina Anyone want to make a lot of money?

            Money isn't what I'm thinking when I have lawyers + shovels in mind.

    3. Anonymous Coward

      Re: Anyone want to make a lot of money?

      Simple solution. All passwords are sent to a government approved location when creating your account along with all other details. Therefore you know your password and the government also knows it. No mathematical problems with this.

      How do I claim my money? Also, can I be indemnified against any claims if someone manages to hack the computer with everybody's account details?

      1. tfewster
        Facepalm

        @AC Re: Simple solution

        Key escrow is fine in principle, but it's not really escrow if your government is using it to read all emails for "dodgy" content. Don't worry about hacking; every government and agency will want access to the database, so it will be leaked anyway.

        A slightly more elegant solution would be for one "trusted" agency under each government to be able to issue keys and use a "secure" local database to decrypt its citizens' emails and forward the contents if "appropriate".

        Using an unapproved key will lose you your email rights. But it's not all bad news - TXT & 1337 speak and spammers' random-word techniques will be detected as secondary encryption, and the perpetrators removed from society.

        1. JohnFen

          Re: @AC Simple solution

          "Key escrow is fine in principle"

          Not really. Key escrow is only fine if the keepers of the keys are incorruptible and their security is perfect. Otherwise, it's nothing but a disaster in waiting.

      2. Trump rulz

        Re: Anyone want to make a lot of money?

        > All passwords are sent to a government approved location when creating your account along with all other details.

        Great! My SAP/SAR (above Top Secret) security clearance, an ID thief's wet dream, along with all other clearances was leaked by a hack of the US Office of Personnel Management. (Google OPM hack.) This is one-stop-shopping for hackers.

    4. phuzz Silver badge
      Devil

      Re: Anyone want to make a lot of money?

      Ok, so what we really do is tell the government that we can do the work, and that we'll need £££££ (and every six months say it's tricky and could we have more £££ please).

      Then we create a demo system that does whatever they want.

      Then we take the rest of the money and set up a bolt hole a long way away, and then run away with the cash.

      That way no impossible 'secure backdoors' need to be made, and we get loads of money.

      It's the perfect plan, all we need is a name for our company...

    5. BebopWeBop

      Re: Anyone want to make a lot of money?

      retire to somewhere warm and cheap no extradition treaty, warm and cheap beer

      TFTFY

    6. JohnFen

      Re: Anyone want to make a lot of money?

      True. If I didn't have a sense of ethics, I'd be a billionaire by now.

  3. martinusher Silver badge

    Straightforward Enough

    All this article is telling you is that when the money wants something there's always going to be a ready supply of toadies who are prepared to tell them 'yes'. Especially if, like encryption, it's going to be someone else's problem to deliver. You don't need to be a heavyweight mathematician to know that there is no such thing as a backdoor to an encryption algorithm; any attempt to put one in is just going to be an elaborate bypass mechanism, one that's bound to be found sooner or later.

    1. Adrian 4

      Re: Straightforward Enough

      When faced with loads of money and an unfeasible job, the trick is to get in the channel. You don't want a contract to provide the encrypted software : you want a contract to organise, advertise and filter the hopeful applicants.

      And make sure the contract deliverables are exactly those things : not an actual working application.

      1. cantankerous swineherd

        Re: Straightforward Enough

        don't dig for gold, sell shovels.

      2. Doctor Syntax Silver badge

        Re: Straightforward Enough

        "And make sure the contract deliverables are exactly those things : not an actual working application."

        You're too pessimistic. I'm sure we can all think of big projects which consume money without producing anything that remotely resembles a working application. A work in progress is just fine.

    2. Eponymous Cowherd

      Re: Straightforward Enough

      Pretty much hit the nail on the head.

      Had that sort of thing happen so very many times. Over-eager sales twonk promises a customer a "feature" to get the sale. "Can you add the ability to do X?" says the customer, "Sure, no problem" says the sales twonk. "Sold!!" says the customer.

      "Oh by the way", says the sales twonk in his briefing to the developers, "I've told them we can do X. That's OK, isn't it? Not too difficult to do?"

      "No it fucking isn't OK" I say. "That's next to impossible to deliver for the price you quoted."

      "Just fucking do it. OK" says the boss.

      So we do it. It doesn't really work properly. The project is massively over budget and late. The customer is pissed off and I'm in the shit with the boss.

      But the fucking sales wanker got his fucking commission, so that's OK.

  4. Anonymous Coward

    Unbreakable encryption with secure backdoors?

    Oh, you mean like TSA baggage locks?

    1. Adam 1

      Re: Unbreakable encryption with secure backdoors?

      Kind of. Except obviously the encrypted backdoor would require the threat actor to be present whereas the TSA baggage locks can be remotely exploited from another continent.

      1. Michael H.F. Wilkinson Silver badge

        Re: Unbreakable encryption with secure backdoors?

        Even if it could be made to work (which it cannot), what is going to stop terrorists from using a one-time-pad (or some simpler, highly secure cryptography) to create high entropy messages, embed these in some video of a cat using standard steganography and sending these through what is now no longer a secure channel?

        1. eldakka
          Black Helicopters

          Re: Unbreakable encryption with secure backdoors?

          > what is going to stop terrorists from using a one-time-pad (or some simpler, highly secure cryptography) to create high entropy messages,

          I think your mistake here is that you are assuming they want it to fight terrorists and other high-level bad actors.

          They already have spy agencies with satellites, entire data centres dedicated to cracking, local HUMINT resources, spies, strike teams, cyber-espionage networks (i.e. physically placing exploits into hardware of high-level targets while in transit from the manufacturers, Cisco routers, etc.), execution squads and 100's of billions of dollars to spend on those.

          No, they want it to mass-monitor their own citizens.

  5. Alistair
    Windows

    FBI to @cryptoboffins

    Our sources cannot be identified in order to protect their identities.............................................................................................................................................................

    (from massive ridicule by people that actually know what they're talking about).

    1. Adrian 4

      Re: FBI to @cryptoboffins

      If the sources are 'experts', then presumably they can develop the required magic encryption.

      And if they're not, what is their justification for expressing an opinion ?

    2. John Gamble
      Boffin

      Re: FBI to @cryptoboffins

      Yeah, that caught my attention too.

      "The FBI is also unlikely to release the names of those it has been consulting over fears that they would be ridiculed and come under pressure from their peers not to work on such an approach."

      The third possibility is that the experts the FBI is citing would be appalled to find out that they've been misquoted for this purpose, and would repudiate FBI leadership immediately.

      I'm reminded of Mnuchin's economist survey (not a misquote, but similarly embarrassing).

      1. Anonymous Coward

        Re: FBI to @cryptoboffins

        37 of 37 economists surveyed are all wrong, as usual. Just like the FBI's crypto experts. Enough is enough already. Real change is happening and none of these jokers can stop it.

  6. Anonymous Coward
    Meh

    Exceptional access

    The other problem with Exceptional Access Mechanisms is that they will swiftly become Routine Access Mechanisms for snooping on political activists, sales and R&D divisions of foreign companies and the general population.

  7. Mark 85
    Facepalm

    And so it goes....

    This will keep going until one of several things happens...

    1) Wyden is no longer in the picture.

    2) The governments (all of them who want this) toss a lot of money down the food chain/contractor toilet and get no results.

    3) The agencies and politicians who push this get a clue.

    4) Hell freezes over.

    If 1) happens possibly someone else who has a clue is waiting in the wings to replace him.

    Given what the governments want, 2) is possible.

    3) Not happening.

    4) is the most likely....

    1. Velv
      Coat

      Re: And so it goes....

      “4) is the most likely....”

      Not likely when you align with the other GOP policies on Climate Change

    2. Doctor Syntax Silver badge

      Re: And so it goes....

      I'm in favour of 2). There's nothing remarkable about govt. IT projects that fail to deliver. The politicians continue to believe that they're going to succeed and it keeps them happy because they're Doing Something. The sooner they head off in that direction the better. They'll stop bleating, someone will get dosh that would inevitably be spent on something worthless and the rest of us would get a break from this endless whining. I might even consider coming out of retirement to work on it; I'm not a cryptographer but I could fail at it as successfully and expensively as someone who is.

    3. bombastic bob Silver badge
      Mushroom

      Re: And so it goes....

      This will keep going until one of several things happens indefinitely

      (fixed it for ya)

      politicians see an opportunity with every disaster, like "let no disaster go unexploited"

      article: "those in favor of backdoors are just treading water until something happens that causes a shift in public opinion"

      pretty much what I said, I think. You see it with GUN CONTROL all of the time. Let some wack-job criminal psychopath go off and shoot up a high school, and the GUN CONTROL arguments start within 15 minutes.

      Similarly, you'll see the SAME THING with back doors on ALL encryption.

      What's next, EVERY LOCK must have a MASTER KEY that ONLY the gummint can use? Ha ha ha ha, that's so funny [but it's the SAME DAMN THING that "they" want for encryption].

      And it's not about the money, so much as the POWER and CONTROL. When "they" have the power, and "they" have the control, the money just shows up. Yeah, right about now, ALL of this is SO! BLATANTLY! OBVIOUS! to *ANYONE* watching current events...

      what THEY want:

      a) permanent power/influence to control OUR lives

      b) take money from one group so they can favor another

      c) buy influence with money given to them by lobbyists and friends

      d) engage in nepotism and favoritism of various kinds

      e) "It's good to be the king"

      f) scare people into giving them even MORE power, whenever possible.

      In the Star Wars saga, Jar Jar Binks was manipulated into recommending that temporary powers be given to the chancellor to win the Clone War. With this extra power, he later became EMPEROR [and ultimately revealed his TRUE agenda by dissolving the senate, becoming an evil dictator].

      This is SO much like real life, isn't it? THIS is what those elitist politicians want, for themselves and their friends. Yeah, "drain the swamp".

    4. apveening Silver badge

      Re: And so it goes....

      4) Already happened, the Nordic mythology is correct in that aspect. The idea of hell as a hot place comes from ancient desert dwellers who couldn't think of something worse (lack of imagination).

  8. FozzyBear
    Black Helicopters

    I think the big story here is that a Politician, a Politician seems to be listening to actual experts and is making reasoned arguments on this topic.

    Sure, he's most likely playing his own games here, but still.

    1. Pascal Monett Silver badge
      Trollface

      A million politicians, a million typewriters, and we have found the copy that is actually interesting for defending public interest.

      1. jelabarre59

        A million politicians, a million typewriters, and we have found the copy that is actually interesting for defending public interest.

        ...on this particular issue. He's likely useless for everything else.

    2. Adam 1

      A broken clock shows the correct time twice* a day.

      *Unless it happens to be stopped between two regional dependent early morning hours on a particular Spring morning in which case it is only once.

      1. Michael Wojcik Silver badge

        A broken clock shows the correct time twice* a day.

        Gah. I can take this from hoi polloi, but on a technical site, people should know better. Clocks have many failure modes.

        A stopped clock is right twice a day - assuming a conventional analog 12-hour clock.

        If both hands fall off the spindle and lie flat at the bottom of the crystal, the clock is broken, but it will not show the correct time at any time of day. If both hands are pointing exactly to any number other than 12, it will not show the correct time (because the hour hand only points to the hour on the hour). If the hands are spinning wildly, it may show the correct time any number of times in a day. And so forth.

        Right, that's my Pedantry of the Week entry for this one.

    3. Palpy

      Wyden seems like a pretty straight guy.

      He's represented Oregon since 1981 in the House, and then since 1996 in the Senate.

      I think it's a mistake to tar all politicians with the same dirty brush. Wyden has the luxury of very strong backing in his district, so he doesn't have to prostitute himself to get re-elected. And of course one reason he has strong support is that he has a reasoned and substantive approach to the job of a legislator, and his constituency notices.

      All that said, I don't think the fight against backdoored encryption will be successful for very much longer.

      1. JohnFen

        Re: Wyden seems like a pretty straight guy.

        "I don't think the fight against backdoored encryption will be successful for very much longer."

        It technically can't succeed, though. All that can be done is to force the default crypto included in devices to be backdoored. It is impossible to stop people from using the strong crypto that already exists in the world.

      2. bombastic bob Silver badge
        Devil

        Re: Wyden seems like a pretty straight guy.

        "All that said, I don't think the fight against backdoored encryption will be successful for very much longer."

        That war has already been lost.

        a) PGP

        b) IDEA

        c) OpenSSL

        etc.

        The genie is out of the bottle, Pandora's box is open and you're NOT going to stuff ANY of this back in. Anybody who's decent at math could invent a new encryption method, some stronger and some weaker than others, and the concept of a block cipher or stream cipher is pretty well known. [I even invented one myself, and published in prose how to make it work, as a protest against U.S. encryption export laws back in the 90's, until the laws were changed, but I never took the page down - it's still there].

        Even bitcoin is a form of encryption with the block chain. Imagine invalidating all crypto-currencies because they now require a back-doorable block chain. Is _THAT_ part of "their" agenda?

        And like it is with guns: make them illegal, and ONLY criminals will have them. So it would also be with non-back-doored encryption. Make it illegal, and ONLY criminals will use it!

        Also, ask S. Korea how well it worked to require a specific type of encryption for ALL online banking transactions (aka SEED)...

        https://www.theregister.co.uk/2015/04/02/south_korea_to_deport_microsoft_activex/

    4. dan1980

      @FozzyBear (and others)

      There are many politicians - all around the world - who are reasonable, intelligent, public-minded, and genuinely dedicated to governing for the people.

      The problem is that the way politics as a whole works ensures that these worthy few rarely reach positions where they have much real power and never in concentrations high enough to make any tangible difference.

    5. bombastic bob Silver badge
      Devil

      "a Politician seems to be listening to actual experts"

      On the surface, this is how things appear. Since the politician is a Democrat, I have to wonder what that agenda is. If it's civil liberties, I'll give him a slow clap for being right. If it's some further agenda down the road, I'll keep my eyes wide open...

      "He's most likely playing his own games here"

      ack
