Slashdot Mirror
Congress Considers Mandatory Crypto Backdoors
disappear writes: "Wired news reports that Congress is considering restrictions on crypto software in the wake of the terrorist attack. 'Nuff said." This will be the next battle -- especially in the wake of this week's tragedies, and the the allegations that the prime suspect Osama Bin Laden is a heavy crypto user. The battle of privacy and safety is going to begin in earnest now.
This is what I am afraid of! :(
:(
Please read my essay and if you like it pass it on to people. We can't let this happen. I have been saying this since day one. Please please think about this
The Price of Freedom
Jeremy
Carnivore is one thing, but a backdoor to all crypto is yet another. Financial transactions from private organizations are routinely encrypted for obvious reasons. Are we to trust government employees with all financial transactions merely because we elect them? I think not.
We cannot allow the government a "skeleton key" to all crypto if only for the reason that it can then be compromised by others for whom access was not intended. Urge your congresscritter just to say "no".
Are they nuts? This guy lives isolated in mountain camps. I doubt he's even a heavy electicity user.
His sympathizers, on the other hand...
From what I've heard, Osama Bin Laden doesn't use cryptography so much as he avoids using electronic communications at all. He has even (gasp) been reported to meet with his underlings *physically*, as in "lets all go into the same room and talk face-to-face".
Cryptography wouldn't really help terrorists much anyway, because electronic surveillance can still pick up who is talking to whom; the real problem is when people avoid electronic communications, because then you can't do anything without spies on the ground.
Tarsnap: Online backups for the truly paranoid
Back in 1998 Rivest wrote Chaffing and Winnowing: Confidentiality without Encryption.
The thing is that, if we'd all been using PGP for all of our email for the past five or ten years, it would be much, much harder to catch a terrorist using the system. You can do traffic analysis so much more easily when only a few percent of messages are encrypted.
So if they do ban crypto without back doors, the non-back-doored messages stick out and can them be ferried off to the NSA to be analysed with much less effort.
It's hard to argue with this, you know? I've personally stopped encoding my messages for the moment so as not to soak Echelon bandwidth - and I'm only half joking. We may have worse enemies to worry about right now than our goverment.
I think "Live free or die" is pretty good. Along with "Don't tread on me," and "the best we can hope for the people is that they are armed."
The revolutionaries who founded the United States of America are chock full of good quotes on freedom and defending freedom.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
For example, I worked for a major semiconductor and radio communications corporation. We encrypted all private circuits to all remote offices, in the US and abroad, except that in France we had to provide the keys to the French government.
End Result?
The French intelligence agencies would hand over to major french businesses the 'competitive intelligence' collected from foreign corporations operations in france, allowing them to underbid competitors, etc.
There are several well-documented cases of government abuse of this information. In France the level of distrust got so bad that they eventually relaxed this policy due to foreign based companies withdrawing their business.
I do not deploy Linux. Ever.
For those who don't know "... steganography, is the practice of embedding secret messages in other messages --
in a way that prevents an observer from learning that anything unusual is taking place. Encryption, by contrast, relies on ciphers or codes to scramble a message." (quoted from the wired article).
Its a good article. Seeing steganographyin (more obvious) use is kinda weird. Check out some of the results of this google search. Read a few of the first hits and see what you notice.
Phil
I'm surprised it took this long for this to get reported. It was obvious from the start that this coordinated terrorist action would be used as justification to restrict cryptography. As expected, the knee-jerk reaction has come, creating another threat for informed people to worry about. Unfortunately though, in the current situation, all kinds of restrictive laws can be passed without any serious opposition in Congress in the name of defense.
So why is this such a problem? After all, the necessary decryption tools would only be made available under specific, government-controlled conditions. The problem comes in a few forms. First of all, the government needs to be treated as a trusted party in all of our communications. Regardless of the regulations, a corrupt government or certain corrupt individuals could bypass these regulations, resulting in a digital Big Brother. Even on a small scale, this is completely unacceptable. The worst case is that the people's right "peaceably to assemble, and to petition the Government for a redress of grievances" could be restricted by identifying and silencing anyone who tries to organize a coordinated protest and fears such a response to public expression of government opposition.
The more important problem here is that, like "access control mechanisms," these measures will not stop the intended targets. The first step would have to be a ban on non-compliant encrypted transmissions in addition to a ban on the distribution of hardware and/or software that can be used to produce such transmissions. Even if it were possible to filter out all non-compliant encrypted traffic (this process alone is scary), this can only work for encryption at the bit level (and even then only if non-compliant encrypted data wrapped in compliant encryption can be detected and rejected). A simple word substitution code could bypass this, and a more elaborate system (think industrial strength word level encryption) could be very secure and impossible to detect. Considering that only criminals would be developing and using such "illegal" encryption, a law against it will not act as a deterrent. The criminals will still have encryption, law-abiding citizens will have no privacy, and the government will continue to pass increasingly restrictive laws of this nature. In other words, nothing good can come from this.
I thought you only had to be 21 to buy handguns, but rifles and shotguns are legal for 18+ year olds to own...
Either way, I agree completely. If this law, or anything remotely similar to it are passed, then the terrorists will truly have won.
Aside from that, has anyone seen the changes to security the FAA is making. Incredibly stupid if you ask me. What is so difficult about putting a reinforced steel bulkhead in between passengers and the cockpit. Or put a small room in between passenger compartments and the cockpit with a couple armed air marshalls in it. It really doesn't seem like the government thinks very much any more, does it?
Shit adds up at the bottom...
`I think the best reply one can give to the politicians who want to impose this is: "And Osama Bin Laden is going to throw away his foreign-developed, non-backdoored encryption software and buy US-made backdoored encryption software exactly why?'"
I don't.
The objective here isn't to stop the guy. They could've if they'd wanted to. About a week before the attack the U.S. Postal Service stopped delivering air mail to the region. They knew something we didn't, and opted not to stop it. And I think I know why.
We hear a lot about terrorism against the U.S.. We don't usually hear the other side's complaints. Obviously they don't think of it as terrorism, they think of it as some sort of a protest. I wonder what they're protesting, and why. If our government did something unjust to them, I wouldn't trust our media to tell us about it. But as a tiny little group of malcontents going up against the U.S., about their only recourse is an attack like this. Given that the U.S. government knew about it beforehand, they didn't bargain to prevent it for one of two reasons. Either the price was considered too high, or the U.S. government thought that an attack like this would end up working in their favor. They've been looking for an excuse to nullify cryptography for years now. Anybody remember the Clipper chip? The legislation keeps being defeated, because people are siding with the need for privacy. Now they've been able to demonstrate a supposed need for the U.S. government to know everything that's being said anywhere in the country. Perhaps they think it will sway the common consensus in favor of their legislation.
Galling, isn't it. More impressive (from a logistical standpoint) than crippling a nation with a store-bought knife and their own planes, is the prospect of prying your way into a nation's cryptography with someone else's store-bought knife, someone else's plane, and a bunch of lives you don't care about because you think of them as "your citizens", in the same usage as "your house" and "your car". Oh, and a temporary economic setback which you mitigate by printing more baseless currency. Clever.
I think it's interesting to note how our government (the CIA no less!) through voice of america is promoting encryption and anonymous web browsing in china. It's quite a contradiction. Would we want to share our backdoors with china so they could monitor terrorist activitys within the PRC? http://dailynews.yahoo.com/h/ap/20010830/tc/voa_ch ina_1.html
I suspect that this is going to happen if we want it to or not. However, it's possible that, at this stage in the game, the groundrules can be changed.
What if we accepted this, and started thinking of what conditions would make this acceptable to the community at large? If you were crafting a bill with the goal of allowing governments to be able to read encrypted traffic, what restrictions would you have, and how would you implement it?
Personally, I know that the US government (or any other) can have my keys over my dead, cold keyboard. But what about this:
1) "Backdoor" keys are generated on a per-key basis. When I generate a key in PGP (or whatever), it generates a backdoor that indicates which key it's for, and sends it off (see #2).
2) Keys are not held by governments. They are held by not-for-profit 3rd party companies who's job it is to make sure that governmental key requests are legal. The board of said companies are selected by the keyholders (no more ICANNs!!).
3) One company per country. The software will ask which country you are in, and register the key with the registrar for that country.
4) Require the law enforcement agencies to go to an actual judge to get a warrant to get the key. They have to show valid cause. None of this "National Security matter" or FBI Committee.
5) If another country wants the key, they have to approach the local law enforcement for the country that holds the key, who goes to a judge. No out-of-country warrants, and this protects against international spying (Echelon, anyone?).
6) Explicitly ban the FBI or any other agency from monitoring traffic to/from the registrars. No Carnivore allowed. Not allowed to use any keys captured in a wiretap, separate warrant required. No NSA gobbling other nations key traffic.
There's some things that would still need to be worked out, like how to prevent people from registering their keys with, say, Denmark when they are in the US, and how to fund the not-for-profits (Matching funds from the Governments and the software makers? Governments and fees from the encryption user?), but you get the idea.
Thoughts?
-NapalmGod
Backdoor? So, we won't need to use DeCSS anymore?
Gonna be funny to see which side wins, the backdoor proponants or the DMCA advocates.
- SBB
help me i've cloned myself and can't remember which one I am
When all the lawful crypto users are using back-door laden crypto, the criminals and terrorists will walk right through those back doors to wreak more havoc. How does that help anyone?
I don't care if it's 90,000 hectares. That lake was not my doing.
Blocking off the cabin is not an good option. What if the pilot kills the co-pilot and wants to go sucicidal? Apparently today someone tried to get onto a plane with fake pilot identification so this might be a real threat. What if there is a fire, toxic gas or similar? Heck, what if they have to use the bathroom or need to eat or stretch their legs? I really don't think this will ever happen.
Now regarding the other idea...so you put this jail cell in with a couple marshalls. What do you do when terrorists in the back of the plane start slitting the throats of women, children, or babies? You have to leave your cushy little cage to get to them, whoops sorry that's what they wanted. Do you really think the marshalls would be able to resist the temptation to leave the cage as one-by-one the passangers are all slaughtered? Do you think any of them would still have a job after the public got wind of it? It doesn't matter if they were preventing a crash, the public will still say they should have done something. It's a lose-lose situtation.
No, marshalls should be unfettered and undercover. That way, the terrorists need to have a lot more people on the plane to take it over. A trained gunner can easily take out two or three individuals before they have an opportunity to react.
I think personally what we need to develop is an emergency lockout. A panic button that when pressed will lock the plane on autopilot programmed to land at the nearest airport. If that's not technically possible, it should circle the nearest body of water or uninhabited area (using GPS). The only way to override this lockout would be with a code from ground control. This system would be that difficult to implement. It wouldn't be foolproof, but it wouldn't be something two or three men armed with forks would be able to disarm. Worst case scenario is that the plane runs out of fuel and makes a crash landing in the middle of a field. Hopefully with no fuel, people would survive that. As tech improves, it should be possible to land flawlessly.
But anyway, regardless of what changes are made...I don't think they will be necessary. The reason this happened is because no one conceived of the possibility. Everyone did what the law enforcement agencies have always said: be cooperative and don't fight back. But look what happened in PA. People will fight back now. No one is going to let themselves become a flying bomb.
God help any Arabic person who forgets to put down his pencil/fork/toothbrush before standing up in the aisle. He's likely to be tackled and beaten by a panicing mob of passengers.
- JoeShmoe
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Raw data and meaningful statistics should be readily availible. And WE ALL HAVE TO RUN IT ON OUR MACHINES. WE have too or the FBI will hang our rights out to dry.
Internet Revolutionarys - White Hat
Crackers - Black Hat
Enablers through apathy to crackers. Squashed like grape. - Gray Hat.
Think about it, IF WE HAND THEM ALL NON-INVASIVE data they have a much harder case to make when tring to justify collection of INVASIVE DATA and we (freedom lovers) have a much better case to make.
Think about the consequences if noone ever reported gunshots outside their house ever again. That is what is happening right now, and that is why the Government is heading down the path of misery and death at our expense.
I do not know of such a program (or where to get my unencumbered data) If such a project currently exists please me/us to it so I can install it RIGHT NOW!
Novel theory: Modern Man evolved from psychopath
This is a very nice statement of the problem, and of my position as well. I (like everyone) am apalled by recent events, of course, and am prepared to undergo reasonable (i.e. effective) changes in my life and behavior in response. But stupid, feel-good measures (like some of the new airport security rules) make me angry. As stated here so clearly, prohibitions and complicated rules that only affect the law-abiding population just make matters worse -- by ceding those very liberties we cherish.
The other particular problem with cryptography is that the big breakthroughs are nearly always at the theoretical level. So a new, super-secure product with a backdoor can always be replicated without such a backdoor by a sophisticated computer scientist. And there will always be somebody like that available to fix the inconvenience for the bad guys.
The rest of us will pay the price in reduced freedoms. In fifty years, we'll say the same thing we say today about income tax: "It was a temporary measure, just introduced to resolve a particular crisis."
So as far as I'm concerned, I'm pissed at the bad guys, and I am prepared for extreme measures as a result, on the part of my country and myself; but I hate the idea of extreme measures that are really just bullshit P.R. and politics. Leave the science to scientists.
-- Spiny
-- We all have enough strength to endure the misfortunes of other people. La Rochefoucauld
Sure, in the 1700's, people with shotguns might have been a credible threat to the government. But have you noticed that the US government today enjoys the use of such toys as F-16s and nuclear weapons? How will owning a shotgun help defend you against that?
The F16 and the nuke are weapons of mass destruction. For the government to PACIFY the people, they will have to OCCUPY our cities -- not destroy them. And an occupying force is terribly vulnerable to resistance.
In the worst case scenario of a US revolution, the army will be rolling in with tanks and ranks of guys with rifles... and that's the kind of enemy that Joe Average with a Gun can in fact take on.
Look at Chechnya. The Russians had to shell Grozny into a smoking pile of rubble because the Red Army could not deal with rebels with rifles. If it was Moscow that was to be pacified, they probably wouldn't have gone to such extreme measures; the Russians HATE the Chechens.
I do not believe the American armed forces would pull a Grozny on an American city. Remember, the soldiers are our countrymen, and if average people were pissed off enough to take part in a revolution, that's going to include military folks too. They aren't the enemy... they are US.
If some faction within the gov't started NUKING our own cities, I believe that the vast majority of our people, military and civilian, would unite to take the bastards out. And we'd do it too, with our Glocks and hunting rifles and fighting spirit.
Anyway, it comes down to this: if the military tries to suppress or pacify an American revolution, they are vulnerable and I believe ultimately they will lose. If they try to utterly destroy us with nukes... well, ok, my shotgun won't help. But that isn't a revolution we're talking about there... it's genocide. I doubt things would ever come to that. We probably won't be nuking anybody as a result of the WTC attack, and that was a provocation worse than Pearl Harbor... so talk of nuking ourselves is pretty far out there.
Benjamin Franklin didn't have terrorists walking onto airplanes and crashing them into buildings full of tens of thousands of people. I think you can safely say this situation is quite a bit different than anything anyone could have predicted 200 years ago.
As for "mandatory crypto backdoors", I think it's become a common saying that when encryption is outlawed, only outlaws will use encryption. This is a ridiculous time to be making any hot-headed decisions on something like this. Even if the US did make some inane law mandating backdoors in encryption there are plenty of free and completely open strong algorithms out there to use. What stops terrorists from using these other programs NOT made in the US or writing their own code?
This is the kind of thing that happens after every tragedy unfortunately. Emotional people start making emotional cries for immediate changes. After a school shooting people call for a ban on guns. People, shooting another person is already illegal! Banning guns are not going to stop a *criminal* from shooting people. Banning strong encryption is not going to stop criminals or terrorists from using strong encryption! Hijacking airplanes is also a crime but that didn't stop a bunch of whacked fundamentalist motherfuckers from doing it now did it?
What makes every one think that terrorists need off the shelf products? Here is a case of a terrorist group gathering information and training they needed to commit such horrendous acts. Could they not write ther own encryption programming? And how will we/technoguardians be able to handle all the messages in the ether anyway? Every one applauds the shrinking of the world, and enabling the individual to do so many things with his/her Dick Tracy Radio/TV/wristwatch due to technology. Such things as terror attacks orchestrated using this same technology are a certain and now proven biproduct. Kinda like atomic waste, ya know guys? I am neither in favor of becoming a troglodyte, nor sticking our collective heads in the sand, nor a "technology rules cheerleader." If this was a case of lax security (I assume that metal detectors were not used at the gates, else these knives, being metal would have shown up. If the knives were plastic, then a frisking would have been helpful, yes? If there were knives purloined from the kitchenettes aboard the planes... it goes on and on and on) then security must be tightened (well, duh!) in all phases of transportand become an obstacle course for those who desire the downfall of whichever servant of satan/communism/fascism/fur fashion industry/butterflycatchers is to be targetted. Some less thoughtful individuals elsewhere in the threads have suggested that every one must be armed in order for such things to be stopped. My question is: if some yahoo sees a jet overhead and one is armed to the teeth wherever one goes, what will keep said yahoo from shooting down the jet with a rocket launcher (witness: a couple years back when a motocycle group in Norway got a hold of one such device) in the off chance that there is a terrorist aboard and holding a butterknife to the captain's throat, just because the yahoo thinks it might be the case? And then of course we need to have each passenger seat equipped with a lever which will drop napalm on a suspected yahoo, if there is a suspicion of a ground-dwelling yahoo is under the plane. Don't you love the absurdity? What other answer might there be than to have an army state such as Sparta where every citizen is required to serve in the military and become accomplished in hand to hand combat in tight places, or...? What is a "Super Power" to do?
rooooar
Linux vs BSD flamewars aside...
http://www.openbsd.org/images/tshirt-7b.jpg
Any decent programmer can write their own encryption in a matter of minutes. Go look at the CipherSaber home page.
So get out there and write build yourself a saber. Then use it to encrypt a short reply to this article with the key freedom.
Your argument is one I have seen before. But it is fundamentally flawed.
The first thing to consider is the "trust" question. Do people trust their governments? The unavoidable answer is that here in the UK, in the USA and in many other countries, a very significant part of the population very obviously do not fully trust their governments.
Arguments about whether this attitude is well founded aren't relevant. All that counts is the existence of enough such people.
The next thing to consider is the praticalities - can it be made practically dificult for those who distrust their governments to obtain software without backdoors. Even in a "closed source" world this is going to be very dificult or even impossible - too many people already have the tools and the knowledge and it is very easy to spread the information around. In a world where "Open source" software is permitted I reckon it is simply impossible.
So we have a number of people who wish to prevent government snooping - or simply wish to reach the maximum level of security they can achieve. If those people choose to use techniques without backdoors - they can do so.
Can you "persuade" such people not to use encpryption without back doors ?
I don't think you can do it by force. The first problem is detecting them. Such People will simply encrypt their files securely and then encrypt the results again using an "approved" method.
How are you going to tell that people are using "double" encryption ?
Maybe the security services will be allowed to do audits - use their backdoors on randomly selected messages to check that people aren't hiding unapproved encryption ? Do you think that would be publically acceptable ?
What happens when security services encounter a file format they don't understand ? Can they demand that all file formats be explained to them to ensure you're not encrypting data ? Will that be universally publically acceptable ? Is it even practical ?
So if you enfore encryption with back doors all the security services will see is an apparent mass of files encrypted using the approved methods - with no practical, publically acceptable or easy method of picking out the interesting messages or recipients.
>If everyone out there is using nearly unbreakable encryption they simply don't have the resources to sift through everything they want to look at.
... and because of the above they still won't have the resources to sift it.
The only way to tell which of your 100 Million people are using unapproved crypto is to routinely open the "back door" to the privacy of all 100 million - with all the practical and political problems that follows. Even then you aren't much further forward.
What's even worse is that the REAL terrorists will be busy uploading and downloading beautiful, original, high definition photos of huge flower arrangements and landscapes - with the real (heavily encrypted) messages hidden within using stego. So while the security services are busying trying to determine which of their 100 million make it onto the next list and then the next list - they've already eliminated from further study the ones they're after. Use stego correctly and it is near to mathematically undetectable as really makes no difference.
AJB
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin
That pretty much sums it up for me...
/rr
Unfortunately... according to an ex-cia officer interviewed in this article, not only don't they have 10,000, they don't have any. He goes on to explain from an operational point of view the difficulties in infiltrating an organization such as the one that orchestrated the attack against the WTC.
It's an interesting read, and like most things is better than senseless speculation. No offense intended.
AMENDMENT I
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
What part of "Congress shall make no law...abridging the freedom of speech" does Judd Gregg not understand?
About 10 hrs ago, before I went to work (I live in Europe) I wrote what I had just heard on local radio (all the media is still full of the events, of course - the campaigns for next week's elections for probably a new mayor of Hamburg have been interrupted) and submitted it as a /. story, which was
later rejected - I shall now post it as a comment, in case anyone is
interested.
Apparently, CIA may have been warned immediately before the attack. According to german newspaper Hannoversche Neue Presse (article in german - it was already slashdotted this morning, or so I think), an Iranian imprisoned in Hannover, Germany (Langenhagen, near the airport) has been reported to have called CIA officials to warn about the imminent assault. When they heard he was calling from jail, they just hung up. Subsequently, he desperately tried to get a fax through to GWB.
Attempt at correction of a babelfish translation follows.
Seems like someone among the terrorists' own ranks didn't think their plans were a good idea...Seems also that breaking crypto wouldn't have been able to tell them anything they couldn't find out by other means.
Kiwaiti
Member of the Legion Of Microsoft Haters
The article is here.
Babel fish is here.
CNN Spanish edition tends to have much broader worldwide content than CNN in English.
That which does not kill you, postpones the inevitable.