Back to MD5, et. al.
OK, so instead of a "backdoor," they'll just mandate that outdated cryptography algorithms be used. Hey, it was good enough for 1991, right?
US President Donald Trump's pick for his Attorney General and head of the FBI will have security specialists nervous, since both believe breaking encryption is a good idea. Senator Jefferson Beauregard "Jeff" Sessions III (R‑AL) is Trump's pick for the top legal job in the US. In congressional testimony, he outed himself as a …
That would be one way to lose I suppose.
The other way to lose is the way they've already tried. Legislate to make it illegal to export this sort of tech, then watch as the rest of the world shows that they know how to do maths too.
It was called the encryption wars, and the US Government lost then gave up fighting.
Some people have short memories though.
Ah the encryption war days.. 40bit unless you were a bank and you could get 56bit and back then UK companies did good trade in encryption alternatives not hamstrung by US law.
They don't just want to be able to break the encryption its about doing it as easily as possible. There is a reason the NSA has some of the largest computer complexes in the USA.
Security is also not just around crypto strength but key management, how many folks use the same password for multiple sites.
"Security is also not just around crypto strength but key management, how many folks use the same password for multiple sites."
Or fundamentally the implementation - choose and manage the right crypto, undertake decent key management and you're in a good place. Not necessarily a perfect place for the paranoid but laziness typically leads to a poor implementation which undermines all the goodness the mathematicians did in the firstplace.
keep in mind that "it was decided" back THEN that stupid regulations regarding encryption were not only bad for business, they left people at risk for various forms of theft. _AND_ they open the doors for FOREIGN COMPETITION.
you can't "make America great again" while hobbling its ability to compete. sanity should soon take over any possible hype, FUD, or over-reaction with respect to encryption, on BOTH sides of the argument.
And EVERYONE knows that a gummint-mandated skeleton key won't cut it, either. There are too many good "foreign alternatives" already, the source files for various forms of encryption are already out there, and mandating back doors would just motivate the open source community to provide 'non-US alternatives" faster than any legislation would pass in Con-Grab.
I doubt we have ANYTHING to worry about. WATCH OUT FOR, certainly. Hold their feet to the fire over it, ABSOLUTELY.
Besides, backdoors to encryption is just lazy police work. Tell them to get WARRANTS and do it the 'old school' way.
I think you're right that we don't have anything to worry about. So that's good.
I'm not sure I see your point on old school warrants though. In the San Bernardino iPhone case they had done it the old fashioned way and they did have a court ruling, but it didn't help them. Unless you mean that you want backdoors which can only be used with a warrant.
That can't be repeated often enough: FBI wants to catch criminals, or at least they want to be seen doing stuff, so they want to break encryption. NSA on the other hand has the job to look out for national security, from both sides. It should be obvious that weak encryption makes it easier for the good guys to go after the bad guys, but also makes it easier for the bad guys to go after the good guys (whoever you think "good" and "bad" guys are). And the NSA has concluded again and again, that overall weak encryption is worse for the good guys.
(The NSA doesn't care about privacy, so when they say weak encryption is overall bad, it means it's overall bad even if you ignore any privacy problems. When you count in privacy, weak encryption is even worse).
I'll second the no worries. I don't believe anyone is considering any kind of return to known broken methods. Anyone who believes that there is "unbreakable encryption" is being deceived. They want to try to prevent their own boffins from leaking vulnerabilities that they discover. They want to leave the next heartbleed-like vulnerability undiscovered for as long as possible. So, in other words, the same thing every government (including those in the EU) is already doing.
Just business as usual. The quality of the encryption is, and will always be, the responsibility of those using it.
The problem is, the good encryption is already out there, so the bad guys will continue to use it and he "good guys" will be forced to use breakable encryption that can be exploited by bad guys.
If you are already breaking the law, what is another law on the way? Just use unbreakable encryption, at worst you'll be done for using that, if they can't prove anything else.
Fact is, anyone with a bit of maths and a 1980's copy of "The Art of Computer Programming" can create an unbreakable implementation of the RSA algorithms. It won't be fast (you need a bit more maths to make it fast), but it's good enough to send text messages that are unbreakable.
If you want to export anything outside the US and europe, you already need to have outdated technology.
Even openssl is considered export controlled despite it being easily available. Put it in your product and you are limited where you can sell it. This despite the ability for a 12 year old kid being able to set it up and use it on a raspberry pi.
At some point politicians will understand that encryption is just maths at work and trying to restrict it is self defeating
"At some point politicians will understand that encryption is just maths at work and trying to restrict it is self defeating"
That is wishful thinking. :)
These folks have never at any point in their lives had to understand encryption to get what they want. Why would they start learning now when barking orders has worked so very well for them all their entitled lives ?
As a European (even though some want to take that brand away from me) I have no issue with the restrictive EU Gun laws especially those in the UK.
At the age of 45 I have never or known anyone personally to have been threatened, injured or killed with a firearm.
I'm more than happy for that to continue.
Like the folks in the US will ever lift their fat arses and AR-15s off the sofa to 'rise up' and take back what's theirs.
Yeah they talk the talk...
it will be like the restrictive gun ownership laws in most European countries. Bad guys and bad governments will have boat loads of them, working people will have to be nice like sheep, hoping nothing bad happens to them.
Yeah. Like US gun owners stopped the "Patriot" act from being passed and enforced. Like they prevented Shrub from attacking Iraq. Like they prevented Ruby Ridge and Waco. Like they stopped government torturers. Like they blocked the path to the White House for TV stars with fascist tendencies.
Hopefully, it was just a bad analogy.
Â(M°^D\Éò%~GÞTmù|®ÓC~Z~IõtÅ-~]¼`@ y´¡H~_^R-Ý6sRØj~]Ð4~åfuôE~@ÜHjÂQÎ1Uõ%S»ÖX~G¢D¨^R5³â^[W^M2mÎÐ~Hîk²| %|Ù^^S«^Dy~MH~]Åõ`·õ*~UäSm#r²èF«ÜÍ"Ã)~[øR@´&~J±¡D~U^LvÚCeRùh~NÂ-yîTu^RNuéOyµ^K_Îí~^^@àSw^]X~Pæð©^QzÎÎò~Jû7bÖ^_~R?²æ^X|è^\P°°BÒ6¢Ò÷^·û%B~R*²^[sb~R*~[Ü^Tk¿.| µ6i~[×>~[®#|É-Þ@ ~F k~VÑé~C| ]¾^PK2ÝE{a^VXÅí©ü0^RÃ^[P~Bîðª^\w~M @W
1f~B^Es»^U~VîÒzå^WH´õsà>~\Îócvý&~UäIº${¹~^÷~^ÎÁqÅ4~Rù^M~H»$~I®íHP^A~@~U. ~U^Fc~VÊ6~DåQu^OAuâ:x°^T^PÍ.£7Z¼$ ~Jöð£^\~BÒ^Sò«^EéfÐ^S~R^FeÁé!~E¤É*°°tÕ:M×^D`Êý&~P~PT²(~A©ßF¤âÁ]| ^Dsò^M~TÁ×i®ïC¤^O^?~U^]a¦ _~LÌâ\åN½&^L2~_^Z6~Wö^Y~@5~Z,SÀ^Z ~P÷D`^U~àÀB¦ 2uË^_~N»^UoÅ zè"Q¶ùoÛõ| Å^Dm»üá~OÑNÆÕ~C¡ÞL~WË^Mgp!~[ù^M~I¿'~E»õC~^^T-åBr¢^Fi~NÔî2| @º S{æD|a^YbÏA~Z»à^T| * ~Jõð¡^Y~HÜÀ5©ÿ=jÅ^Q~L¹^Uµï)|ì^NSn°tÕ6¡~@^@XÊò0~PÑLm(r£çI~_Ý^Z"±.~QµP~R»$^?·âNP {ë2s¦^@]~JÕ1~Bó^M·^R^@sÙBna^V_~@<«ò2UÆ#NAç>£^_~NÝ^T;¦^Dõ!×^^~Dògmì^S~NÜ^^Mbñuá=~\Òûkϵá~YØE»Õ{¥Õ<©Ü^BtÉà¡^D^M~Tº^\6¯öT¤^Hrç.n~Uü^V~XÇâ~áa¾^\Nsãö|¦^EeÒ6©^FàSÅ^Z ~Dô9^V~CÎ^Lò| ^D?fÕ$~IôVÁé!~Eé×^Cb~Z
I dunno about encryption, it looks to me like another ordinary day on the wrong end of a V.22 1200bits/second dialin modem session. Y'know, in the days of interactive end user computing provided by online multi user access to shared external services. Cloud V1.0, if you like.
Those weren't the days.
"{ë2s¦^@]~JÕ1~Bó^M·^R^@sÙBna^V_~@<«ò2UÆ#NAç>£^_~NÝ^T;¦^Dõ!×^^~Dògmì^S~NÜ^^Mbñuá=~\Òûkϵá~YØE»Õ{¥Õ<©Ü^BtÉà¡^D^M~Tº^\6¯öT¤^Hrç.n~Uü^V~XÇâ~áa¾^\Nsãö|¦^EeÒ6©^FàSÅ^Z ~Dô9^V~CÎ^Lò| ^D?fÕ$~IôVÁé!~Eé×^Cb~Z"
I don't know you well enough to do that to you I'm afraid. But I'm open minded. Let's just take it easy, go on a few dates first.
This post has been deleted by its author
Quite. The net is world-wide. And why should governments and people outside the US use software that they know the US government can break?
It's magical thinking - we want something that works in this impossible way so we demand that you make it for us. We've passed a law, so you've got to do it!
Trump only cares about the US. He went on record in his inauguration speech say he's only going to take Americans into account in what he does. If he was told it would cut Apple's overseas sales by 75% forcing the inclusion of an FBI backdoor but legally barring them from putting in a backdoor for any other country, he wouldn't think its a problem. In his mind it would be worth it because he believes it would make us safer.
I hope if such a law is passed that Apple moves its HQ out of the US to escape the reach of Trump's laws. I'll happily pay the 'tariff' that Trump would no doubt place on iPhone imports if they did that, and I'd love to watch all his whiny 3am tweets after it was announced.
"When everyone from the local mayor to the president has email and a cellphone that can be remotely hacked from Russia/China/Craggy Island - I'm looking forward to reading the daily wikileaks"
Not going to happen if the UK snoopers charter is anything to go by. Everyone in the world (or at least in the U.S.) will have to use backdoor encryption with one select group given an exemption - anyone in public office in the US of A who will have totally leak proof encryption.
That is basically what they have done with the snoopers charter. Everything has to be tracked for everybody everywhere in the UK, except those in government linked roles because of course they would never do anything to harm the country or it's citizens - honest guv, would I lie to you. How about a new watch, genuine Rolex it is, got is from a friend after it fell off a lorry. Special deal today only - don't worry about the Made in China sticker, that's only to reduce the import tax.
Just like the anti-pornography bills doing the rounds in the US and the UK - they are essentially attempting to legislate an end result, rather than a process.
Why am I reminded of this?
Tell Comey yes, he can have his backdoor - on one condition.
If anyone outside of the FBI ever demonstrates that they can decrypt any of these backdoored encryption techniques, Comey and all his successors will be immediately executed for treason.
No waiting in Death Row, and no defence possible at trial. Instant death.
Such a demo would prove he or a successor must have leaked his key and personally made the bank accounts of all Amercians insecure.
Comey, do you bet your life on nobody ever finding that extra key? Eg by torturing one of your staff?
Because that's what this suggestion does. It bets the data security of your entire nation on your personal ability to make sure the backdoor key is never found.
>There is already a physical version of the encryption backdoor. The TSA theft facilitation locks on all luggage.
This would be a good way of explaining this to voters.
Your house, car, and your daughter's dorm room at college are going to have locks which every cop, TSA, fire, paramedic, DEA, IRS, FCC, MMB agents have a key for.
Do you feel safer ?
and hi-res images of the TSA backdoor key were published, meaning that anyone can get in . . .
do you feel even safer?
similar to the FBI/NSA bulk personal dataset super profiled databases of our overcollected private stuff - where it is presumed the crims/vlad have third-party access to it all . . . or have crims/vlad stopped paying & perverting (several/hundreds of) the million squirrels with secret access . . . sigh
How about this - the government gets a different encryption protocol (they'd want that anyway, the security services aren't _that_ stupid). However, this also has a backdoor, and the skeleton key is given to the press. I'll bet the government skeleton key leaks first....
A few years ago India blocked access to Github for a few days over the site hosting encryption code, it's reported that Syrian developers had released an app that was written using open source encryption for fighters in that country to securely communicate.
The horse has already bolted and all backdooring will do is make the US less secure and its tech companies less competitive.
"The horse has already bolted and all backdooring will do is make the US less secure and its tech companies less competitive."
That sounds like the Trash Administrations Primary Goal; "get back at anyone and everything from California that opposed them! Starting with those nasty computer companies! Excuse me while I draft a threatening electronic letter to a colleague using my PowerBook laptop contraption."
I must remember to send the local FBI office a bag of dogshit labeled "Terrorist Treats. Do NOT sample!" for their anniversary. If they're as stupid as the FIB agents in GTA V, they will bite before checking. Then I will steal their FIB sedan and joyride it until the wheels fall off! HAHA! Hacking people is easy!
"Soon, the only way to have secure email in the US will be to run your own server."
like Mrs. Clinton? (I couldn't resist, heh)
Seriously, though, PGP has been around for long enough. If we don't want to get sniffed, we can just PGP every e-mail from this day forward. So post your public key "wherever", and tell everyone to encrypt all mail sent to you using that key. Simple, really.
/me already has my own mail server, muahahahah!
Seriously, though, PGP has been around for long enough. If we don't want to get sniffed, we can just PGP every e-mail from this day forward. So post your public key "wherever", and tell everyone to encrypt all mail sent to you using that key. Simple, really.
There are aspects to PGP that don't make it a good tool for security, especially not when taking in data from informants. Read the book "Hut 6" by Gordon Welchman and you'll know what PGPs' problem has been from day 1: meta-data.
There are aspects to PGP that don't make it a good tool for security, especially not when taking in data from informants. Read the book "Hut 6" by Gordon Welchman and you'll know what PGPs' problem has been from day 1: meta-data.
That depends what you mean by "security" though.
If security involves protecting content and/or verifying source, then it does that very well. The actual contents of a message and it's integrity can be encrypted and signed. This is what De-mail sought to do - allow people to send legal documents electronically.
By contrast if you want anonymity, then that's a related - but distinct - kettle of fish.
The needs of someone wanting to leak evidence of war crimes to Wikileaks (securely and anonymously connect to Wikileaks and then run like hell) are different to those of a business wanting to protect trade secrets and/or create an audit trail of correspondence.
In the former case, PGP is a terrible idea (in fact in the former case, e-mail full stop is a terrible idea. E-Mail is a fundamentally leaky system and you're better off with TOR or a Signal-like P2P solution). But in the latter case, it has a lot of potential.
You can't anonymously verify the integrity of a message (unless you have already established an out-of-band comms channel).
You most certainly can [verify the integrity of a message]. That's what PGP signatures are for.
Making such verification routine would cut down on a lot of fraud, ransomware etc. Email protocols ought to be moved onto something which incorporates PGP for this reason. There may even be some additional advantages....
"Managing email securely is something that has to be amortised over a number of people"
over a number of *trustworthy* people, surely?
Which given that the authorities have proved themselves untrustworthy in public, and that Big Business is definitely untrustworthy, and that the dark corners of the authorities have shown themselves to be untrustworthy in private e.g. they're perfectly happy to break the law (e.g. undercover agents in perfectly legal organisations) it kinda sorta leads back to DIY. Which is indeed a bit awkward, if it takes lots of effort.
A ha! I have found the terrists! This website and indeed this very page use encryption, so all of you are the terrists! I shall now be forced to report you to the terrist authority.
...But, now that I've posted this here, that means I'm a terrist too. And when the terrist authority comes to look for evidence, they'll use encryption to verify the authentication of the page as well, so they too must be terrists... </sarcasm>
Within five minutes of being born we're pretty much all criminals, do we really want to extend that to calling us all terrorists?
There's a bit of a lack of comprehension of how the Internet actually works.
Without strong encryption, the internet would become as secure as a chaotic market market in a bazaar somewhere with everything just sitting there in easy reach of shop lifters.
It's effectively like removing the walls from your house.
Fundamentally, the problem is the political debate is about as IT savvy as a bunch of 60-70 year old guys having a drunken bar conversation about it. They're totally clueless but highly opinionated and think they can solve everything.
"It's effectively like removing the walls from your house."
Not at all; you're overreacting.
It's like giving a key to all the locks in your house to every member of the FBI, DEA, NSA, CIA and they might loan it to the Sheriff's Department, the State Police or the County Dog Catcher.
And if the lock maker sells in Russia or China they might give a copy to the FSB and the FSS
What could go wrong?
Hey!! Less of the bashing 60-70 year old guys! (Guess who's just had a significant birthday...)
The problem is not their age, it is that they are wilfully thick, stupid politicians(*) pandering to the lowest electoral denominator.
(*) Other types of politician are available, but are becoming difficult to find in this post-truth, post-science, post-expert age.
"The problem is not their age, it is that they are wilfully thick, stupid politicians(*) pandering to the lowest electoral denominator."
There is no evidence to indicate that the lowest electoral denominator gives a flying fig about encryption. There is more evidence to indicate these clowns just want a competitive advantage over the proles baked into law.
Oh, how quaint.
How many millenials use emails these days? don't they all use Social Media for everything?
I guess the Feebs etc need to realise that 2020 is not that far away.
Oh wait. 2020? Oh yes, when the USA is formally declared a 3rd world country and Trump gets thrown out of office.
Perhaps they are going to keep their heads down and wait for him to go away.
"We're going to remove regulation. Regulation is killing industry, killing business. Sad"
What he gives with one hand he takes away with another. You can make it law, but that doesn't mean companies will comply.
You can fine those that don't comply, but at some point the cost of doing business in the US outweighs the profits, and the tech giants will relocate to a less regulated jurisdiction.
Simple. You just announce that the tech companies won't relocate. Problem solved.
The same way the UK government decided that the banks won't relocate due to Brexit. The trivial detail that they are now jamming the exits is irrelevant. Announcements by ministers obviously outweigh reality.
"Coming from a law enforcement background, I believe this is a more serious issue than Tim Cook understands,"
Love this part. Not a single ounce of contempt, here.
See, dude is from lawe inforchment, so obviously has a clue about cryptography, and how Grace and Eve do/don't need any gov. authorization to share any backdoor, when, even in the IT filed, few people have ...
What a douchebag ...
Think of it as a reward for his help in getting Trump elected with those timely Hatch Act violations-I-mean press conferences. The primary qualification for an administration position is obviously personal loyalty above all, and competence is a distant runner-up.
Anon for obvious reasons.
All you tech fanbois in the US who were so happy to stump for this tangerine tantrum because you were not smart enough to recognize a fascist when he speaks are in for a jolly good rogering. You richly deserve what is about to happen to you. The rest of us, intelligent Americans and the whole world, do not. So congratulations assholes.
Who dislikes ineffective, business-hobbling regulations defeats Trump the terrorist fighter.
There's some hope, but I think his fear of all things Islamic is going to win out.
So, get ready to buy your encryption solutions from non-U.S. vendors.
Trump doesn't hate ineffective, business-hobbling regulations. He hates any regulation that prevents him or his friends from making a quick buck. Any regulation that helps them do so, is a good one though.
Once there is a encryption algorithm backdoor (as exists with AES), a computer challenge to hack the algorithm to determine the methods used would be offered and that backdoor entry will be known to everyone. What will happen, in my view, to circumvent that problem is that there will be pre-encryption of information perfomed on a second system and that data is walked across to a physically separate separate system before it hits the storage and transmission software.
Computers are now fast enough to encrypt voice before it hits the packetizing software. Your conversation could be monitored, but that's it. The voice message can be encrypted live before leaving the computer.
Of course, the government would want access to your hardware. But what if the encryption was done by a service out of reach of the government?
As well. One could use a random interspersal of several algorithms to do encryption, where for example, some group of bytes are encrypted with one algorithm, and the other group with another. It could be the same algorithm, but with different encryption keys.
Treat encryption like a mamal being pregnant. Its either yes, or no --secure or backdoored.
You can't have security if the government wants to have access to your hardware and transmissions.