Congress Considers Mandatory Crypto Backdoors

disappear writes: "Wired news reports that Congress is considering restrictions on crypto software in the wake of the terrorist attack. 'Nuff said." This will be the next battle -- especially in the wake of this week's tragedies, and the the allegations that the prime suspect Osama Bin Laden is a heavy crypto user. The battle of privacy and safety is going to begin in earnest now.

People will hand it over

[purduephotog]

without much fight. All the right words will be said for fear and fright

And if you fight against it you will probably lose... unfortunately. Maybe in a year. Or two. But the mood of the American people is quite frightening- cold rage.

Besides- who says the government CAN"T break them already? It probably just takes a bit more effort...

Re:People will hand it over

[Erasmus+Darwin]

"Besides- who says the government CAN"T break them already?"

The fact that they're passing legislation to add mandatory backdoors is a pretty big clue that they probably can't break some crypto already. A known backdoor significantly decreases confidence in a crypto-system and will cause the bad guys to be more vague and/or use the uncrackable but less convenient "one time pad".

Re:People will hand it over

[csbruce]

I think that the U.S. government will have a very difficult time convincing the terrorists that they should be using the government-crackable encryption rather than the easily available hard-to-crack kind. I guess the U.S. is determined not to be a relevant player in cryptography research or commerce.

Well...

[Scoria]

I'm sure some open-source (and even minor corporations) would never agree to this.

Especially those not in the US.

I think I speak for slashdot when I say

[Mdog]

Those who give up essential liberties for temporary safety deserve neither liberty nor safety. - Benjamin Franklin

Re:Mixed feelings

[napir]

Crypto algorithms are well-documented and not difficult to implement. Circumventing backdoors would be as simple as writing your own software, or use an older version of open source software such as GPG that doesn't support government-known backdoors. Sure, it'd be illegal in the U.S., but is that going to stop terrorists? All this will do is make it difficult for law-abiding corporations and individuals to keep data secure.

I don't think so.

[stuccoguy]

Make it illegal to have crypto with no back doors and all law abiding crypto users will use back-door laden crypto and their law abiding messages will be an open book to law enforcement agencies.

Criminals, on the other hand, will continue to use widely available crypto packages with no back door and will still be able to transmit messages without threat of law enforcement decrypting them.

Re:I don't think so.

[Zagadka]

With carnivore, the government sees all traffic. They see crypto they can't break, they trace it with help from the ISP, they pay someone a not-so-friendly visit.

But encrypted data can be hidden in non-encrypted data, in ways that make it virtually impossible to detect, using steganography. So the criminals could send photos to eachother, or even have a web-cam feed with data steganographically encoded into the frames.

Take a look at OutGuess, for example. You might also find this article to be interesting, particularly the part with the photos of the Statue of Liberty.

Re:I don't think so.

[denshi]

The whole "terrorists of the future" techno-fear bunk completely misses the lessons given over the last few days. Let me repeat:

A small band of essentially unarmed men captured 4 airplanes by playing to passengers & pilots fears. They then drove these planes into tall buildings, killing several thousand. Their total cost was rudimentary flight training, plane tickets (did they buy in advance?), and room & board while planning. They brought no advanced weapons, hacked no computer systems. Once again, it has been shown that the unaided human mind is the most dangerous weapon in the known universe.

There was, save the existence of airplanes, no technology whatsoever in Tuesday's attacks. Just victims' fear and the terrorists' willingness to die. These are social problems, and all the techno-fear 'solutions' that have been bandered about over the last few days both here and in the mainstream media, are completely ineffective to affect these social problems.

How does changing our crypto laws fix that?? Take as an example bin Laden, which the investigation is leaning towards. Where is the ambiguity there? In 1996 he issued a fatwah declaring war on the United States. How could we assume that that was nothing; that something like this wouldn't eventually happen? There are so many ways to infiltrate these groups, there are existing ways to harass their activities both within the US and without. How does attacking the civil liberties of US citizens to use technology freely aid the capture of a group whose men can perform such audacities without the aid of technology??

Re:I don't think so.

[The+Pim]

Take a look at OutGuess, for example.

And you might look at Stegdetect, by the author of OutGuess. He claims to detect many other popular steganography techniques. The feds throw stegdetect onto carnivore, and you can expect using steganography to earn you one of those unpleasant visits.

Steganography is a long, long way from offering the practical security of encryption. Is it really possible to create a system that is undetectable even if the algorithm is public? Nobody's sure yet. Do the bad guys have the means to create their own effective algorithms and keep them secret? Questionable. Can they use a stego system correctly on a wide scale? Unlikely at present, since there is no popular, easy (for non-technical users) software, nor is there the widespread understanding of how to use stego that there is about crypto (these things do matter when it comes to the successful implementation of any security scheme).

The point is, the government can (by imposing on everyone's liberty) effectively stop criminals from communicating privately. Therefore, we need to come up with a better argument than "it won't work", in order to prevent it.

Re:I don't think so.

[The+Pim]

If someone wants to hide information, they will, period.

The history of cryptography has shown that the seemingly simple goal of transmitting hidden information is actually really, really hard. The suggestion that if the government outlaws the well known digital privacy schemes, people will come up with others just as good, is naive. It's the same reasoning that says that secret encryption algorithms should be more secure than public algorithms. It grossly underestimates the techniques available to detect and break poorly designed systems.

If the author of OutGuess can detect most steganography, I would not feel at all secure using your "hide the encrypted message in an executable" trick.

Re:I don't think so.

[MarkusQ]

Please stop convincing yourself it can't work. It can work, and pretending otherwise will only make it more likely.

The people who are pretending are the ones that claim it can work. Crypto, as an arms race, is over. Given sufficient computational power on both sides, there is a guaranteed win for the encryptor.

Claiming otherwise is like claiming the second player can force a win in Naughts-and-Crosses (aka Tick-Tack-Toe). It simply isn't true. The effort to hide information grows O(log2(N)) for parameters N for which the effort to find the information can not be bounded by a polynomial. In English: as the game gets more complex, it gets harder to encrypt at a much slower rate than it gets harder to decrypt.

At some point (say, now) encryption has such a lead that it isn't even possible to say what contains encrypted data and what doesn't. Even the fact of encryption becomes hidden. From that point on, the decryptor is left with social tools (infiltration, hoping the bad guy slips up, etc.). Technology (and legislation about technology) can't help.

-- MarkusQ

Re:I don't think so.

[quintessent]

There was, save the existence of airplanes, no technology whatsoever in Tuesday's attacks.

How do you coordinate those efforts without communication technology? The government frustrated similar terrorist efforts on more than one occasion (including New Year's Eve) by being able to intercept and decrypt their communications. So, yes, if you forget that the point of encryption is being able to communicate, then you might have some kind of point. But communication is needed. How do you say, you get on this flight, watch out for this, the president is likely going to be here, oh wait, this flight was delayed or canceled, reschedule this thing a week later, wait, they seem to suspect us, call everything off until two months from now. How do people in remote locations give each other the kind of encouragement and coordination necessary to hijack four planes at once for suicide missions, if there isn't communications technology? The media has reported that steganography has become a central part of Bin Laden's "terrorist training camps." Authorities believe that terrorists have been using images on porn and other sites to hide encrypted messages. A better question to ask is:
Does curbing encryption work in spite of the steganographic techniques they have been using? But the technology issue can't just be tossed aside. It is key to the actions of modern terrorists.

Re:I don't think so.

[driftingwalrus]

If I where to send an e-mail that something like this:

Hi George, how's the family? We're doing great over here, Lisa just gave birth to a baby boy, 6 lbs. We're planning on visiting New York September 12th, and hope we can see before heading home. Will you be in the area? Maybe we can get together for lunch.

Would you know that the sender was REALLY telling the reader to set off a fire bomb(baby boy), approx. 6lbs in weight charge, September 12th at ? Or how about a numbers station?

They quote numbers indicating page and word number in a certain book. m Like fourth word on the third page. The receiver then looks it up and reconstructs the message. This, my friend, is steganography. I honestly don't see how a computer could pick this stuff out.

This will do little good.

[ThePurpleBuffalo]

Realistically, since the threat originates abroad, you would need to make all countries of the world follow this law. Also keep in mind that terrorists don't usually follow laws. Thirdly, home grown crypto is easy because Applied Cryptography (great book) costs $40.

Huh

Like the concept could possibly work. Why dont you just forbid terrorists from using oxygen? About as practical, and 100% effective.

How far down the slippery slope will we go?

[Ghoser777]

Sure, they want backdoors into email encryption now, and it seems harmless, but what will they want next? Why not have every home in America bugged; that way we can know when a burgaler is going to commit a crime. Cameras everywhere, low crime. Of course, the price will be the right of privacy.

And when your behaviors are available freely for government inspection, it's much easier for them to supress behaviors they do not approve of (cause they know when it happens, unlike now when it can be hidden behind closed doors). You know, meetings about how to reform government.

Of course the government will tell you that they'll use these backdoors only when they need to, national security type things. That's what the Dean at my old high school said, and then we caught him watching the monitors repeatedly for the fun of it.

Oh yeah, not that the government has to actually be watching for you to be good now. Think how different your ations would be if you thought that the government might be watching at all times. This is pure, hardcore social control. It's like a gaurd tower in a jail. If there are clear windows, you can always tell when you are watched and when you are not. If the windows are dark, then you never know if you are being watched, so you act as if you are always being watched.

They might as well run a wire into our head.

F-bacher

Re:How far down the slippery slope will we go?

[kin_korn_karn]

that's right. here's what you do to keep it from happening:

Go to wal-mart. go to that counter in the back with all the funny-looking thin things sticking up. there's a cash register back there and a cabinet, against a wall, that has these wood and metal things in it that you've probably seen. They're guns. Now that you're back at this weird counter in wal-mart, buy a gun (if you're 21 and otherwise legal to buy one). You'll want a 12 gauge shotgun, and a box or two of #4 rounds, 2 3/4 inch (standard) size.

Now, take it out to the country. Load it. fire it. nobody will notice right now. get used to firing it. shotguns kick hard, but they kill fast and you don't have to aim very well with them.

Why did you do this?

See, when you can own guns, you have power over the government. They even wrote it into the law of the land, the Constitution, to ensure that the american people could have guns for cases just like this one that this thread describes. And once it gets to Orwellian levels, where the government is truly oppressing you and denying you your rights as an American citizen, you can pick up your gun and fight for your rights, like James Madison and Thomas Jefferson knew we would have to.

You're probably sitting there thinking, "what a crackpot." Hey, it's your freedom, I plan to keep mine.

Best reply

[Todd+Knarr]

I think the best reply one can give to the politicians who want to impose this is:
"And Osama Bin Laden is going to throw away his foreign-developed, non-backdoored encryption software and buy US-made backdoored encryption software exactly why?"

Re:Heavy crypto user?

[gad_zuki!]

He's a millionare that runs a sophisticated terrorist network consisting of cells all over the world.

Yes, Dorothy, there are computers in the third world.

gladly giving away our civil liberties?

[solipsists]

"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759. "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." -- 4th Ammendment to the U.S. Constitution "[...]and every time we allow the government to grow in power at the expense of the people, we put ourselves in jeopardy of losing the ability to free ourselves of them if it goes too far." -- Thomas Jefferson (quotes taken from matthew rothenberg's 7/11/2000 article on the fbi's carnivore: http://www.zdnet.com/zdnn/stories/comment/0,5859,2 601960,00.html )

Re:don't forget Rivest's "Winnowing and Chaffing"

[scrytch]

> Back in 1998 Rivest wrote Chaffing and Winnowing: Confidentiality without Encryption [mit.edu].

Massively informative. But the intent to maintain privacy is still there, and let's not kid ourselves, that's what they really want to eliminate. It'll be just as illegal as any crypto to use this. They may as well just make it mandatory to put the NSA on the cc: line.

Re:Mixed feelings

[ttyRazor]

I think the point that some on TV have made that there is a significant lack of "human' intelligence (i.e. spies) is a lot more important than the lack of electronic surveillance and crackable crypto. I believe our intelligence agencies have become too preoccupied with their toys, and have forgotten that the most relevant communications occur in person.

On top of that, they already have the tools, and putting mandatory backdoors on future products is not going to affect existing software. What would they do to them for using unauthorized software? arrest them?

If this even gets close to being implemented, we need some sort of pledge from the intelligence community, backed by strict legislation, that any such system can ONLY be used or the purpose of national security and anti-terrorism, and any use beyond that would be strictly prohibited, and any other information obtained shouldn't leave the place it was intercepted from.

Just my 2 cents, right now I do not feel any of us really is in any position to make a real judgement about this. Keep that in mind when forming some opinion that you would be unwilling to comprimise, as a few of us here often do.

Climbing the bodies of innocents as a soapbox.

[Nonesuch]

Using this sort of tragedy to advance a political career or a particularly opressive agenda is disgusting, but is also standard procedure for many politicians, American or otherwise.

After every mass murder with the least connection to firearms, some politician proposes extreme restrictions on civilian ownership, without regard for whether it would have prevented the particular incident in question. One of the first bills proposed after the OKC bombing was new gun control laws.

After every crime where the offender ever even saw a computer, let alone had an AOL account, some congressman will propose new 'Internet Crime' laws restricting freedom online.

The only saving grace is these rash proposals seldom become law.

Re:Mixed feelings

[Sniser]

Exactly. Makes you wonder if the folks in congress haven't thought of something utterly obvious like this? Makes you wonder if it's about terrorism at all.

"Of course it's about terrorism and defending liberty and democracy", you say. "It's fucking heartless to think this is some plot to handcuff us. Come on, thousands of innocent people DIED in the WTC, we've got to DO something, QUICK!"

Right now, I'm not worried about terrorism at all.


"This year will go down in history. For the first time, a civilized nation has full gun registration. Our streets will be safer, our police more efficient, and the world will follow our lead into the future."

Adolf Hitler, 1935



You see, even IF there was complete security, this isn't a good thing, as long as the govermnent isn't really democratic (look it up, there IS no democracy on planet earth... it's representative democracies, which is an oxymoron). Because your safety always depends on the govermnent not to screw you over.

So I'm asking you, do you feel lucky?

Americans and Europeans (me being german, and for me being the answer a "no", and a very resounding one after the things I heard our politicians say in the last 2 days), do you trust your governments completely, blindly, and does that "no time for criticism now, we have to stand together as the civilized nations of the free world, we'll do what we have to do (and we'll tell you what that is when it's already underway)" help to increase that trust?

On this very subject (link)

[Brian+Stretch]

Appropriate commentary here, dated yesterday:

The main source of our strength is our freedom and open society. The United States already has the most powerful military in the world. We don't need the symbolic jaw, jaw, jaw of more laws, but the will to use our existing war power.

Paul Weyrich, head of the Free Congress Foundation, aptly wrote: "The truth is that if we further emasculate our Constitution the terrorists will have achieved the greatest victory imaginable. Their triumph won't just be the thousands of people they killed, the triumph will be if they see our democratic institutions crumble. If President Bush can navigate a responsible course where we make an appropriate response to those who have perpetrated these unspeakable crimes while at the same time protecting our essential freedoms in the process he will end up being the greatest President of the modern age."

Another essay from yesterday, "Freedom First", is also a worthy read.

Re:Mixed feelings

[Evro]

This is the same argument that crypto supporters have been using all along. Corporations were complaining that they had to compete with foreign companies' products that had much stronger encryption while they were limited to 40/56/whatever-bit encryption for exported products. The argument appears to have fallen on deaf ears for the last 10-20 years. I don't see why now it would be any different.

And good luck to the government getting people to dump all their current SSL/SSH software in favor of this new awesome backdoored version. Especially with products like OpenSSH which will remain downloadable from any number of sites for quite a while.

Do this and the terrorists win

[SurfsUp]

Here in Germany (I'm a Canadian by the way) privacy is a constitutionally guaranteed right. Too bad it isn't in the U.S.

In the U.S. it's more and more like a favor the state gives to some people, some of the time, depending on how benevolent somebody feels that day. So bow to the demands of the spooks, make backdoors mandatory, give people long jail terms for circumventing them, and the terrorists win. They win bigger than they ever imagined by making life worse for ordinary U.S. citizens.

In the name of pride we have to win this without cheating. Cheating means using the same tactics as the bad guy. No murdering civilians. No spying on our own people. No cameras in the bedrooms.

Make cryptography a crime and only criminals will have cryptography.

Re:We've defeated suicide terrorists before

[Tsian]

As for the terrorists being considered martyrs by their people, well as far as I'm concerned, we will obliterate the very people that would consider these terrorists martyrs

Yes... lets kill those damn civillians. That'll teach them never to mess with the United "We are Freedom" States of America. Let's take away their choice to have beliefs, because their beliefs are WRONG! Hell, why don't we just run jumbo jets into their embassies... or would that bear too striking a resemblance to the attack itself?

If you want to kill civillians then you are no better then the terrorists... so does that mean we should kill you too?

Re:OT: get a new quote

[BadDoggie]

The problem is that almost everyone gets the quote wrong and I've only ever once seen it properly attributed. It was not Jefferson or Franklin or Einstein or any of the other dozen names I've seen attached to it. The earliest reference to such a quote was from Ludwig Thoma. Franklin never even stole it for Poor Richard's Almanac (that anyone can definitively show).

The sad fact is that we will indeed lose freedom, not for security, but for the perception of security. All kinds of measures will be taken, laws enacted, procedures implemented. Getting on a plane will be a nightmare, but while everyone will be at least inconvenienced, no real prevention will occur.

People want action - they want something done. It doesn't matter if it helps or not. The perception is that anything is better than nothing. I had to go to Bethesda Naval Base today. Only one entrance was open, you had to show ID, another guard had a mirror-onna-stick to look under the cars, another guy was walking around with a shotgun. Looks good, seems secure. Except...

Except a shotgun is only useful within 50 yards at best, the mirror is useless because no one is hanging onto the undercarriage of a car (and you put explosives on the floorboards and in the trunk, not under the car), and although they demanded an ID from me as a passenger, they didn't actually look at it carefully, much less check it with NCIC.

So how much freedom are you (or realistically, is your mother or neighbour) willing to give up?

woof.

Sorry, it doesn't work that way

[MattW]

All they'd have to do is hide no-backdoor encrypted messages within backdoor-encrypted messages, and it would be undetected unless Carnivore automatically decrypted all messages, which conflicts with what the lawmakers are saying -- "only under the oversight of a court".

Re:People will hand it over - crypto's already out

[IntlHarvester]

God. I just read Levy's Crypto about a month ago, and I thought this was *over*.

The reason this was *over* in the past is because the FBI is blissfully unaware that strong crypto is standard operating procedure for US corporations, and is only used by nefarious bad guys.

We're talking about outlawing every copy of products like Windows 2000 and Lotus Notes, every router that implements VPN, and so on. The impact on US business would be horrendous. And the big money finance folks would just ignore the order.

Traditionally, the crypto issue has been framed as a rights issue with the cypherpunks against the feds. This neglects the significant commercial impact.

The Price of Liberty is Eternal Vigilance....

[billstewart]

"The price of freedom is eternal vigilance" means us watching the government - not the other way around. Sometimes they get out of hand, and need to be reminded, like Senator Gregg, R-NH, whose speech started this discussion. We spent the whole Clinton Administration beating up on the NSA and the export bureaucrats and doing EFF lawsuits and anti-Clipper petitions and building DES-crackers to get the Feds to acknowledge that neither the First, Fourth, and Fifth Amendments nor the economics of computer technology were on their side, and generally it was the Democrats supporting the anti-civil-rights side (not too surprising) and the Republicans playing good guys (unusual, but it happened to align with business interests and oppose the administration.) Now that the Republicans are in control of the Presidency, we're seeing them start to switch sides (not too surprising, unfortunately, and there was always a split between the more pro-business Republicans who were mostly pro-crypto and the more social-conservative pro-police ones who were against it.)

For another perspective on eternal vigilance, David Brin's book The Transparent Society talks about the issues of ubiquitous cheap video cameras combined with cheap communications and computing. The recent face-recognition uses at Florida sports stadiums and the cheap X10 cameras with the annoying pop-up web ads are only the beginning.

Maybe, lets hear what Jefferson had to say

[nichughes]

"The criminal attempts of private individuals to decide for their country the question of peace or war, by commencing active and unauthorized hostilities, should be promptly and efficaciously suppressed."

and

"That individuals should undertake to wage private war, independently of the authority of their country, cannot be permitted in a well-ordered society. Its tendency to produce aggression on the laws and rights of other nations, and to endanger the peace of our own is so obvious, that I doubt not [Congress] will adopt measures for restraining it effectually in future."

The idea was always there that congress might have to restrict the freedoms of those living within the republic to protect the common good, especially where individuals were trying to provoke the unimaginable horrors of war. Sure you can have a long debate on exactly where to draw the line, you can disagree with where they are currently suggesting the line be drawn, but lets not pretend its quite as simplistic as your one quote implied.

If you disagree with what they propose then demonstrate alternatives or show why their proposal is worse than the threat faced by the USA. There are good arguments to be made, there are quite probably better ways of dealing with the threat but if all you do is run out old quotes then you are doing what Franklin said;

Any fool can criticize, condemn and complain and most fools do.

--

Nic (expecting to be moderated to -1000 but figures it needed to be said anyway)

Defending Freedom by reducing it...

[lverrall]

It looks like the first casualty of this "War" on anti-freedom anti-democracy Terrorists is to remove personal Freedom through monitoring and, potentially, usurp the democratic process of what can be monitored by and by who.

Carnivore was in at ISPs on Wednesday and will be into Tier 1's by now. Remeber to intercept 'net traffic you have to look at ALL the packets. To trap "encrypted" data whatever that may be you have to read 'em. Imagine the power to open ALL snail mail and read it to check if it's suspicious...

There's a distinct danger that this kind of monitoring will be installed, relatively unchecked, with Civil Rights groups unable to mount a credible defence due to the devastating nature of the terrorist attacks. This will happen not just in the US but easily in the UK, France and Australia who have similar laws or technology in place.

And once it's in, you can bet it won't come out again. Think 5 years down the line...