Slashdot Mirror
Congress Considers Mandatory Crypto Backdoors
disappear writes: "Wired news reports that Congress is considering restrictions on crypto software in the wake of the terrorist attack. 'Nuff said." This will be the next battle -- especially in the wake of this week's tragedies, and the the allegations that the prime suspect Osama Bin Laden is a heavy crypto user. The battle of privacy and safety is going to begin in earnest now.
without much fight. All the right words will be said for fear and fright
And if you fight against it you will probably lose... unfortunately. Maybe in a year. Or two. But the mood of the American people is quite frightening- cold rage.
Besides- who says the government CAN"T break them already? It probably just takes a bit more effort...
I'm sure some open-source (and even minor corporations) would never agree to this.
Especially those not in the US.
Do you like German cars?
This is what I am afraid of! :(
:(
Please read my essay and if you like it pass it on to people. We can't let this happen. I have been saying this since day one. Please please think about this
The Price of Freedom
Jeremy
Those who give up essential liberties for temporary safety deserve neither liberty nor safety. - Benjamin Franklin
Slashdot 's editors are dickheads
Crypto algorithms are well-documented and not difficult to implement. Circumventing backdoors would be as simple as writing your own software, or use an older version of open source software such as GPG that doesn't support government-known backdoors. Sure, it'd be illegal in the U.S., but is that going to stop terrorists? All this will do is make it difficult for law-abiding corporations and individuals to keep data secure.
Criminals, on the other hand, will continue to use widely available crypto packages with no back door and will still be able to transmit messages without threat of law enforcement decrypting them.
Realistically, since the threat originates abroad, you would need to make all countries of the world follow this law. Also keep in mind that terrorists don't usually follow laws. Thirdly, home grown crypto is easy because Applied Cryptography (great book) costs $40.
Carnivore is one thing, but a backdoor to all crypto is yet another. Financial transactions from private organizations are routinely encrypted for obvious reasons. Are we to trust government employees with all financial transactions merely because we elect them? I think not.
We cannot allow the government a "skeleton key" to all crypto if only for the reason that it can then be compromised by others for whom access was not intended. Urge your congresscritter just to say "no".
We can rest assured that all terrorists will promptly upgrade their crypto systems to use the backdoored versions. They are a patriotic and considerate bunch after all.
sheesh.
legislators.
Like the concept could possibly work. Why dont you just forbid terrorists from using oxygen? About as practical, and 100% effective.
Are they nuts? This guy lives isolated in mountain camps. I doubt he's even a heavy electicity user.
His sympathizers, on the other hand...
Sure, they want backdoors into email encryption now, and it seems harmless, but what will they want next? Why not have every home in America bugged; that way we can know when a burgaler is going to commit a crime. Cameras everywhere, low crime. Of course, the price will be the right of privacy.
And when your behaviors are available freely for government inspection, it's much easier for them to supress behaviors they do not approve of (cause they know when it happens, unlike now when it can be hidden behind closed doors). You know, meetings about how to reform government.
Of course the government will tell you that they'll use these backdoors only when they need to, national security type things. That's what the Dean at my old high school said, and then we caught him watching the monitors repeatedly for the fun of it.
Oh yeah, not that the government has to actually be watching for you to be good now. Think how different your ations would be if you thought that the government might be watching at all times. This is pure, hardcore social control. It's like a gaurd tower in a jail. If there are clear windows, you can always tell when you are watched and when you are not. If the windows are dark, then you never know if you are being watched, so you act as if you are always being watched.
They might as well run a wire into our head.
F-bacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
From what I've heard, Osama Bin Laden doesn't use cryptography so much as he avoids using electronic communications at all. He has even (gasp) been reported to meet with his underlings *physically*, as in "lets all go into the same room and talk face-to-face".
Cryptography wouldn't really help terrorists much anyway, because electronic surveillance can still pick up who is talking to whom; the real problem is when people avoid electronic communications, because then you can't do anything without spies on the ground.
Tarsnap: Online backups for the truly paranoid
Illustrious Baron Harkonen today decreed that
all citizens will be equiped with remote-controlled
heart-plugs. This will make us all safe, because
only the loving Baron will have the transmitter,
and he will only use it to protect us.
-I like my women like I like my tea: green-
Did you know, you can walk into almost any store and buy a knife WITHOUT ANY BACKGROUND CHECK? They should at least check the buyer for dark hair and skin, the signs of a terrorist.
And I understand that plans to make knives are available on the internet? It used to be, only a skilled craftsman could make one, now any punk in his mom's basement can craft a steel blade capable of hijacking an airplane and crashing it into a building!
I think the best reply one can give to the politicians who want to impose this is:
"And Osama Bin Laden is going to throw away his foreign-developed, non-backdoored encryption software and buy US-made backdoored encryption software exactly why?"
Back in 1998 Rivest wrote Chaffing and Winnowing: Confidentiality without Encryption.
IMHO, this is just one more step towards a police state.
I do not deploy Linux. Ever.
This is base grandstanding by a politician in the wake of tragedy. Saying that it needs international cooperation is tantamount to admitting that it can't be done and setting up to blame the rest of the world when it fails.
The constitution was written by a group of people that had visceral knowledge of what it means to need a revolution, in the bloodiest sense of that word. Our modern laws would be a lot better if they were informed by that same knowledge.
A Call for Open Standards
"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759. "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." -- 4th Ammendment to the U.S. Constitution "[...]and every time we allow the government to grow in power at the expense of the people, we put ourselves in jeopardy of losing the ability to free ourselves of them if it goes too far." -- Thomas Jefferson (quotes taken from matthew rothenberg's 7/11/2000 article on the fbi's carnivore: http://www.zdnet.com/zdnn/stories/comment/0,5859,2 601960,00.html )
I think the point that some on TV have made that there is a significant lack of "human' intelligence (i.e. spies) is a lot more important than the lack of electronic surveillance and crackable crypto. I believe our intelligence agencies have become too preoccupied with their toys, and have forgotten that the most relevant communications occur in person.
On top of that, they already have the tools, and putting mandatory backdoors on future products is not going to affect existing software. What would they do to them for using unauthorized software? arrest them?
If this even gets close to being implemented, we need some sort of pledge from the intelligence community, backed by strict legislation, that any such system can ONLY be used or the purpose of national security and anti-terrorism, and any use beyond that would be strictly prohibited, and any other information obtained shouldn't leave the place it was intercepted from.
Just my 2 cents, right now I do not feel any of us really is in any position to make a real judgement about this. Keep that in mind when forming some opinion that you would be unwilling to comprimise, as a few of us here often do.
After every mass murder with the least connection to firearms, some politician proposes extreme restrictions on civilian ownership, without regard for whether it would have prevented the particular incident in question. One of the first bills proposed after the OKC bombing was new gun control laws.
After every crime where the offender ever even saw a computer, let alone had an AOL account, some congressman will propose new 'Internet Crime' laws restricting freedom online.
The only saving grace is these rash proposals seldom become law.
I do not deploy Linux. Ever.
I think "Live free or die" is pretty good. Along with "Don't tread on me," and "the best we can hope for the people is that they are armed."
The revolutionaries who founded the United States of America are chock full of good quotes on freedom and defending freedom.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
For example, I worked for a major semiconductor and radio communications corporation. We encrypted all private circuits to all remote offices, in the US and abroad, except that in France we had to provide the keys to the French government.
End Result?
The French intelligence agencies would hand over to major french businesses the 'competitive intelligence' collected from foreign corporations operations in france, allowing them to underbid competitors, etc.
There are several well-documented cases of government abuse of this information. In France the level of distrust got so bad that they eventually relaxed this policy due to foreign based companies withdrawing their business.
I do not deploy Linux. Ever.
Exactly. Makes you wonder if the folks in congress haven't thought of something utterly obvious like this? Makes you wonder if it's about terrorism at all.
"Of course it's about terrorism and defending liberty and democracy", you say. "It's fucking heartless to think this is some plot to handcuff us. Come on, thousands of innocent people DIED in the WTC, we've got to DO something, QUICK!"
Right now, I'm not worried about terrorism at all.
"This year will go down in history. For the first time, a civilized nation has full gun registration. Our streets will be safer, our police more efficient, and the world will follow our lead into the future."
Adolf Hitler, 1935
You see, even IF there was complete security, this isn't a good thing, as long as the govermnent isn't really democratic (look it up, there IS no democracy on planet earth... it's representative democracies, which is an oxymoron). Because your safety always depends on the govermnent not to screw you over.
So I'm asking you, do you feel lucky?
Americans and Europeans (me being german, and for me being the answer a "no", and a very resounding one after the things I heard our politicians say in the last 2 days), do you trust your governments completely, blindly, and does that "no time for criticism now, we have to stand together as the civilized nations of the free world, we'll do what we have to do (and we'll tell you what that is when it's already underway)" help to increase that trust?
Appropriate commentary here, dated yesterday:
The main source of our strength is our freedom and open society. The United States already has the most powerful military in the world. We don't need the symbolic jaw, jaw, jaw of more laws, but the will to use our existing war power.
Paul Weyrich, head of the Free Congress Foundation, aptly wrote: "The truth is that if we further emasculate our Constitution the terrorists will have achieved the greatest victory imaginable. Their triumph won't just be the thousands of people they killed, the triumph will be if they see our democratic institutions crumble. If President Bush can navigate a responsible course where we make an appropriate response to those who have perpetrated these unspeakable crimes while at the same time protecting our essential freedoms in the process he will end up being the greatest President of the modern age."
Another essay from yesterday, "Freedom First", is also a worthy read.
This is the same argument that crypto supporters have been using all along. Corporations were complaining that they had to compete with foreign companies' products that had much stronger encryption while they were limited to 40/56/whatever-bit encryption for exported products. The argument appears to have fallen on deaf ears for the last 10-20 years. I don't see why now it would be any different.
And good luck to the government getting people to dump all their current SSL/SSH software in favor of this new awesome backdoored version. Especially with products like OpenSSH which will remain downloadable from any number of sites for quite a while.
rooooar
In the U.S. it's more and more like a favor the state gives to some people, some of the time, depending on how benevolent somebody feels that day. So bow to the demands of the spooks, make backdoors mandatory, give people long jail terms for circumventing them, and the terrorists win. They win bigger than they ever imagined by making life worse for ordinary U.S. citizens.
In the name of pride we have to win this without cheating. Cheating means using the same tactics as the bad guy. No murdering civilians. No spying on our own people. No cameras in the bedrooms.
Make cryptography a crime and only criminals will have cryptography.
Life's a bitch but somebody's gotta do it.
As for the terrorists being considered martyrs by their people, well as far as I'm concerned, we will obliterate the very people that would consider these terrorists martyrs
Yes... lets kill those damn civillians. That'll teach them never to mess with the United "We are Freedom" States of America. Let's take away their choice to have beliefs, because their beliefs are WRONG! Hell, why don't we just run jumbo jets into their embassies... or would that bear too striking a resemblance to the attack itself?
If you want to kill civillians then you are no better then the terrorists... so does that mean we should kill you too?
The sad fact is that we will indeed lose freedom, not for security, but for the perception of security. All kinds of measures will be taken, laws enacted, procedures implemented. Getting on a plane will be a nightmare, but while everyone will be at least inconvenienced, no real prevention will occur.
People want action - they want something done. It doesn't matter if it helps or not. The perception is that anything is better than nothing. I had to go to Bethesda Naval Base today. Only one entrance was open, you had to show ID, another guard had a mirror-onna-stick to look under the cars, another guy was walking around with a shotgun. Looks good, seems secure. Except...
Except a shotgun is only useful within 50 yards at best, the mirror is useless because no one is hanging onto the undercarriage of a car (and you put explosives on the floorboards and in the trunk, not under the car), and although they demanded an ID from me as a passenger, they didn't actually look at it carefully, much less check it with NCIC.
So how much freedom are you (or realistically, is your mother or neighbour) willing to give up?
woof.
As others have already notices Bin Laden did two things, avoid electronic communication, and when he did use crypto, he certainly wouldn't be using back-doored software. So essentially, himself and the other terrorists wouldn't be slowed down, our American civil rights would be violated however.
Alright, now to the non-reduntant part of my post. On Tuesday, Tom Clancy was on CNN in the afternoon. CNN had Tom, because Tom wrote a book about terrorists chrashing a plane into the Capitol building, and killing both houses of Congress, and the President. Well, Tom said that the real problem we had in not seeing this coming is that the CIA employs some 20,000 people, and only about 800 of them are spooks. The only way to fight terrorism effectively is with a large, well-trained intelligence corps. We need at least twice, if not three or four as many spooks out in the field, infiltraiting these terrorist groups, so that we are aware of these plans before they something like Tuesdays events happen.
Cryptography isn't our problem, an incredibly small spy system is.
foxxtrot
-- this
All they'd have to do is hide no-backdoor encrypted messages within backdoor-encrypted messages, and it would be undetected unless Carnivore automatically decrypted all messages, which conflicts with what the lawmakers are saying -- "only under the oversight of a court".
God. I just read Levy's Crypto about a month ago, and I thought this was *over*.
The reason this was *over* in the past is because the FBI is blissfully unaware that strong crypto is standard operating procedure for US corporations, and is only used by nefarious bad guys.
We're talking about outlawing every copy of products like Windows 2000 and Lotus Notes, every router that implements VPN, and so on. The impact on US business would be horrendous. And the big money finance folks would just ignore the order.
Traditionally, the crypto issue has been framed as a rights issue with the cypherpunks against the feds. This neglects the significant commercial impact.
Business. Numbers. Money. People. Computer World.
The French don't trust their citizens and for years banned all encryption (except some businesses, with them having to hand over keys). They may have, as you allege, used the intelligence in an underhand way. However, I think your reason for 'relaxing' their stance on encryption is mistaken, or only part of the reason. Upon discovering all about Echelon, and the extent to which the USA have been gathering intelligence on French business (and allegedly lost billions due to NSA handing key data for US businesses), it brought about the greatest 180 degree turn in crypto politics seen to date. From a complete ban to full support of strong encryption, with the encouragement of open-source software. To think things had steadily been improving since this article 2 years ago. It would be a blow to the memories of those lost if their sacrifice failed to make the world a better place.
Phillip.
Property for sale in Nice, France
For another perspective on eternal vigilance, David Brin's book The Transparent Society talks about the issues of ubiquitous cheap video cameras combined with cheap communications and computing. The recent face-recognition uses at Florida sports stadiums and the cheap X10 cameras with the annoying pop-up web ads are only the beginning.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Benjamin Franklin didn't have terrorists walking onto airplanes and crashing them into buildings full of tens of thousands of people. I think you can safely say this situation is quite a bit different than anything anyone could have predicted 200 years ago.
As for "mandatory crypto backdoors", I think it's become a common saying that when encryption is outlawed, only outlaws will use encryption. This is a ridiculous time to be making any hot-headed decisions on something like this. Even if the US did make some inane law mandating backdoors in encryption there are plenty of free and completely open strong algorithms out there to use. What stops terrorists from using these other programs NOT made in the US or writing their own code?
This is the kind of thing that happens after every tragedy unfortunately. Emotional people start making emotional cries for immediate changes. After a school shooting people call for a ban on guns. People, shooting another person is already illegal! Banning guns are not going to stop a *criminal* from shooting people. Banning strong encryption is not going to stop criminals or terrorists from using strong encryption! Hijacking airplanes is also a crime but that didn't stop a bunch of whacked fundamentalist motherfuckers from doing it now did it?
and
The idea was always there that congress might have to restrict the freedoms of those living within the republic to protect the common good, especially where individuals were trying to provoke the unimaginable horrors of war. Sure you can have a long debate on exactly where to draw the line, you can disagree with where they are currently suggesting the line be drawn, but lets not pretend its quite as simplistic as your one quote implied.
If you disagree with what they propose then demonstrate alternatives or show why their proposal is worse than the threat faced by the USA. There are good arguments to be made, there are quite probably better ways of dealing with the threat but if all you do is run out old quotes then you are doing what Franklin said;
--
Nic (expecting to be moderated to -1000 but figures it needed to be said anyway)
Carnivore was in at ISPs on Wednesday and will be into Tier 1's by now. Remeber to intercept 'net traffic you have to look at ALL the packets. To trap "encrypted" data whatever that may be you have to read 'em. Imagine the power to open ALL snail mail and read it to check if it's suspicious...
There's a distinct danger that this kind of monitoring will be installed, relatively unchecked, with Civil Rights groups unable to mount a credible defence due to the devastating nature of the terrorist attacks. This will happen not just in the US but easily in the UK, France and Australia who have similar laws or technology in place.
And once it's in, you can bet it won't come out again. Think 5 years down the line...
Any decent programmer can write their own encryption in a matter of minutes. Go look at the CipherSaber home page.
So get out there and write build yourself a saber. Then use it to encrypt a short reply to this article with the key freedom.