Slashdot Mirror


Legislating Insecure Encryption

firewort writes: "Sen. Judd Gregg (R-New Hampshire), who called for global backdoors in encryption products in a floor speech last week, is readying legislation. This is another push for backdoors - but it seems that Gregg wants them to be used cautiously, only with permission from a US Supreme court appointed commission, subject to normal search and seizure rules." Representative Goodlatte, who has supported strong encryption before, is one of the few people speaking out against this.

90 of 290 comments

  1. I don't think that is our main concern by tester13 · · Score: 2

    I am not worried about law enforcement reading my email per se. What I'm concerned about is my competitor, enemy, or boss having access to my personal communications.

    Making a deliberate flaw in a scheme makes this more possible as we all know.

  2. I'm glad someone is against it by progbuc · · Score: 2, Insightful

    The problem with these tragedies is that everyone is scared of being for encryption and privacy for fear of being seen as sympathetic to terrorism and not getting re-elected. I'm glad there is at least one senator that can see that this was a horrible tragedy, but that that shouldn't change everyone else's rights.

    --
    Go ahead and waste your life with your inhibitions, just don't ruin other people's lives with your intolerances.
  3. As I've said before... by Zwack · · Score: 5, Informative

    And I will keep on saying it.

    Now is the time to contact your representative, your senators and probably even your local media and tell them exactly how much damage this legislation could do.

    Tell them about encryption used to protect your online banking transactions. Tell them about encryption used to protect company secrets. Tell them that this is bad for trade. Tell them that this is bad for innovation (unless you're Microsoft I guess)... Tell them how you feel about it.

    Don't just sit back and let this go through. If nobody says "this is bad" then it will be passed...

    While telling your congress critters, be polite, spell check before sending. Fax and/or write rather than e-mail. Call them and talk to them. But however you do it, make sure that your voice is heard.

    Zwack.

    p.s. Yes, I've already written to my congress critters.

    --
    -- Under/Overrated is meta-moderation, and therefore is Redundant.
    1. Re:As I've said before... by scoove · · Score: 2

      My letters are written... however, these are extraordinary times and more action is required.

      Most of us are aware that price gouging during a crisis is immoral. Political opportunism and raw power grabs at these times are atrocious.

      But intentional disarming of our businesses, opening our information resources to hostile nations and criminals may be treason.

      We'd hang a soldier that gave secrets to the enemy in wartime. We'd hang a leader who conspired with the enemy to lead our troops into ambush.

      What else is appropriate for a congressperson who aids the enemy through dumbed down encryption and banned secure operating systems - even if their gain is merely political or financial?

      Congresspersons, your nation *will* hold you accountable. Do not jeopardize this nation!

      *scoove*
      Don't tread on me... or my constitution.

    2. Re:As I've said before... by scoove · · Score: 2

      As a "libertarian", I'd argue that your vendor in the example does have the right to charge anything: before, during or after an event.

      Note that I said that the behavior was immoral - not illegal, impractical, unprofitable, etc. A fundamental moral behavior for a trader is to not aggressively exploit your customer. Sure, a good profit is nice, but exploitation and establishing abnormal pricing solely upon your customer's actual or perceived crisis is predatory and unethical.

      Plus, there is a function of mass hysteria that is fed by unethical traders and I'd expect them to have accountability for further inciting fear and panic.

      Disagree?

    3. Re:As I've said before... by IronChef · · Score: 2

      Doesn't every business have a right (as long as they're not a monopoly) to set their prices as they see fit?

      Without getting into ethical arguments, the fact remains that businesses do NOT have that right under the law.

      Getting into the ethical bit: nor should they, IMHO. We need smaller government, yes, but if there are not some controls placed on businesses they'll screw us over. This is a sensible place for gov't regulation. It protects us, and not in that offensive reading-your-email way.

      For example, what if price fixing was legal... Imagine how much gas would cost. (Green freaks, replace "gas" with any other important product manufactured by only a few companies, and keep your "I wish!" statements to yourself.) With such a high barrier to entering that market, there is no practical way for a competitor to jump in and undercut the price-fixing consortium. That is the system with maximum freedom, but it still sucks!

    4. Re:As I've said before... by IronChef · · Score: 2

      And how do you make a distinction between making a profit and abnormal or predatory pricing?

      How do you define obscenity? If I recall, it has a really vague "offends the community" type of legal definition, but things still work out in court.

    5. Re:As I've said before... by crucini · · Score: 2

      But how can it be immoral to raise prices in response to a perceived pinch in supply? Should the vendor keep selling at the low price, thus causing people to rapidly exhaust his supply? They'll line up around the block and fill Jerry cans, rejoicing in the low price. Then the vendor has to close up shop until he can get more gas. Is that what you recommend?

  4. Passing another law by mgkimsal2 · · Score: 2

    Perhaps we should pass a law specifically against crashing airplanes into buildings. As far as I know there isn't a law *specifically* against this, and we all know that *everyone* follows every law all the time. We probably need both a federal statute and numerous state and local ordinances to let would-be terrorists know we're serious.

    1. Re:Passing another law by Ig0r · · Score: 2

      You're only licensing use of the airspace around your building.

      --
      Soma: because a gramme is better than a damn.
    2. Re:Passing another law by Amazing+Quantum+Man · · Score: 2

      I already suggest this. I am suing you for patent infringement...

      (OK, so it's the wrong topic... big deal...)

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    3. Re:Passing another law by mpe · · Score: 2

      Perhaps we should pass a law specifically against crashing airplanes into buildings.

      What happens if someone like the NTSB want to test what happens when aircraft crash into buildings?

    4. Re:Passing another law by IronChef · · Score: 2


      Once the plane is in the air there is too much of an opportunity for abuse. Won't you think of the children?

      What we really need are waiting periods for airline tickets. How could that not work? ;)

  5. What's wrong with this picture? by Perianwyr+Stormcrow · · Score: 2

    Judd Gregg was definitely around in the Senate when the last encryption debate went through, and all the same reasons we bring forth today were found valid and worthy.

    The WTC disaster does not change the validity of a single one of those reasons, namely:

    1) Strong encryption is vitally necessary to any digital communication involving business and finance.

    2) Strong encryption is worthless if backdoors are placed into it- see Matt Blaze's skillful discovery of every single law enforcement key within the Clipper system.

    So, why does this debate continue? My only guess is strong emotions combined with a fundamental misunderstanding of what is being discussed on the part of Mr. Gregg.

    --

    What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey

    1. Re:What's wrong with this picture? by mpe · · Score: 2

      The WTC disaster does not change the validity of a single one of those reasons, namely:
      1) Strong encryption is vitally necessary to any digital communication involving business and finance


      Especially where these communications can be trivially intercepted.
      On the other hand encryption is not a necessity for planning acts of terrorism. A terrorist is more likely to use such low tech methods as face to face communication.

  6. What's the point? by dragons_flight · · Score: 2

    So let me get this right, he wants to create legislation that won't stop bad guys because A) it only affects the US and B) the bad guys wouldn't bother using backdoored software AND he wants to mire it in quasi-judicial controls so that the bureaucracy will make use of the backdoor a rare and slow event (at least for legal government purposes).

    If it wasn't for the fact that any such restrictions impose an extra burden on software/hardware manufacturers and limit the security of encryption, I'd start to think this was nothing but feel good legislation that would never accomplish anything. Sure doesn't seem to be accomplishing anything good.

  7. Goodlatte the crypto idiot savant of VA politics by browser_war_pow · · Score: 2

    On the issue of encryption Goodlatte is usually right on target. He has been vehemently opposed to laws which would limit its accessibility to average Americans. However on other issues he is a total nut in my opinion. He is staunchly pro-DMCA and is proud that he took a part in its creation.

    Yet as a Virginian I'm ashamed that someone from my state played a role in the creation of such an anti-American bill. Give the man kudos for defending crypto in Congress at a time like this, but don't think that he is a freedom-loving politician. He said at my high school (I'm a freshman in college now) that if he had it his way he'd abolish our lottery because there are "better uses" for people's money than a lottery. $1-$5 a week for the hope of striking it big is a bad thing? $1-$5 a week invested in further funding our state's infrastructure is a bad thing? $1-$5 more invested in an education system which is #7 in the nation in passing the AP tests is a bad thing? And finally $1-$5 a week invested in the same education system that has one of the highest passage rates in the nation on some of the most rigorous standardized tests in the nation?

    Now is the time for us to be holding our republican values (and I don't mean the party) more dearly than ever. The purpose of establishing a republic and not a new monarchy for our people was to break the cycle of tyranny. Let's remember what happened to the Roman Republic. By the same token, let's learn from the lessons of the past so the American Republic doesn't go the same way.

  8. Phil Zimmerman feels responsible for 9-11 by Skyshadow · · Score: 2

    Check it out:

    http://www.startribune.com/stories/1576/706443.h tm l

    Basically, Phil feels responsible for helping the terrorists.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Phil Zimmerman feels responsible for 9-11 by ErikTheRed · · Score: 2
      Please at least read the article you're linking to (and get the link straight, while you're at it) before posting something like that.

      In the article, the actual quotes attributed to Zimmerman show that he feels badly about the events, but in no way do they indicate that he feels responsible for them. I think this one sums it up (in regards to some hate mail he received):

      "He raises some points that many people are raising right now, namely that terrorists can use the technology," Zimmermann said. "But it overlooks the strong need for good crypto."

      --

      Help save the critically endangered Blue Iguana
  9. What if this goes international? by eldurbarn · · Score: 2
    What if this sort of idea goes international?



    I can imagine it, now: Mr Terrorist uses the encryption product for which his local government (for example, the Taliban) holds the back door key. The U.S. court sez that it wants to read the mail. The U.S. then sends a nice, polite letter to the Taliban asking for that key...



    When where freezes over?

    --
    -Eldurbarn
  10. Beginning of a US congressional database by Adam+J.+Richter · · Score: 2

    I'd like to see someone create a web database on politicians' voting records on issues relevant within the technical community (ideally with some kind of interface for selecting which issues you care about, and even in which direction). Hopefully, this would help people make more informed decisions, and, just the public knowledge that such a database is being compiled and published might influence legislative decisions a bit.

    Anyhow, here is a small start. I would encourage anyone with additional data to post it right here. I'll try to add it to this list, and perhaps someone more ambitious will be able to browse the follow-ups and start a real web database on this.

    United States Senate:

    CALIFORNIA: Dianne Feinstein, Democrat, Bad
    - Co-sponsored "Combating Terrorism Act of 2001"
    http://www.wired.com/news/politics/0,1283,46852,00.html
    o Elected in 1992 (short term), 1994, 2000, 2006

    MICHIGAN: Carl(?) Levin, Democrat
    + Argued against "Combating Terrorism Act of 2001"

    NEW HAMPSHIRE: Judd Gregg, Republican, Bad
    - Called for crypto key escrow after World Trade Center bombing
    http://www.wired.com/news/politics/0,1283,46816,00.html
    o http://www.senate.gov/~gregg/body_about_judd_gregg.html
    o Elected in 1998, 2004?

    UTAH: Orrin Hatch, Republican, Mixed
    + Suggested mandatory licensing for online music copyrights
    - Co-sponsored "Combating Terrorism Act of 2001"
    http://www.wired.com/news/politics/0,1283,46852,00.html
    o Elected in 1976, 1982, 1988, 1994, 2000?, 2006?

    VERMONT: Patrick Leahy, Democrat, Good
    + Argued against "Combating Terrorism Act of 2001"
    http://www.wired.com/news/politics/0,1283,46852,00.html
    o 1974...1998, 2004?

    United States House of Representatives:
    Bob Goodlatte, Virginia, 6th District, Republican, Good
    + Co-sponsored lifting of encryption controls
    + Speaking out against encryption controls after World Trade
    Center Bombing. http://news.cnet.com/news/0-1005-200-7249721.html

    Zoe Lofgren, California, Democrat, 16th District, Good
    + Co-sponsored lifting of encryption controls

  11. Backdoored encryption is NOT encryption by Lostman · · Score: 4, Informative

    I have posted on this topic quite a few times before, but I must post again.

    I enjoy working with encryption and number theory. I enjoy the theory behind encryption and why it works so successfully.. I will try to explain how it works (to a point) and this is a BIG reason why backdoored encryption can't work.

    For this example: Assume use of RSA encryption

    The way that this encryption works is it finds a function f[x] that is (to a point) one way. (NOTE: impossible [as of yet] to prove that it is a true one way function but the lower limit on finding the function has never been solved.. so for all purposes as of yet it is oneway). That is... f[k] == k' (k' being encrypted version of k). The way this works is that the function f[x] which is known by everyone and the value k' could be known by someone and still not be able to convert k' back to k. This is serious advanced number theory and requires very specialized hard-to-find functions.

    To allow backdoors (that can be used without having a person's program but only the encoded message) is saying that the function f[x] must be modified to the point that there exists a function g[x] (for each SPECIALIZED function f[x] [that is, each person's f[x] is different, but g[x] must decode all of them]) that can decode any function f[x]'s input. Translation: f[k]==k' but g*[k']==k (for any function f[x] specialized). This function g[x] must be found when working out the base of the encryption product and once the function f[x] is worked out so g[x] exists, it stops being a one way function and therefore stops being useful.

    So basically, if this happens, we might as well all just encode our messages with rot13 and it will be the same as using any new "government approved" encryption... because someone somewhere WILL leak the functions g[x], whatever[x] (for each encryption product).

    (For those who are curious, the reason each f[x] is tailored to a specific person is the picking of the keys allows a "trapdoor" as RSA puts it: another part of the function f[x] that is not mandated at production time. Of course, if a g[x] can decrypt the f[x] (no matter specialized) then the trapdoor theory is useless and serves no purpose therefore weakening it to a child's toy)

    And yes, I know I am speaking to the choir here.. the thing is a long time ago I was reading slashdot when someone spoke about encryption and the basics of encryption theory.. it got me interested enough to look at it myself and now I am intrigued by it and am always learning more. My example may have small errors in it.. I hope someone can call me on them if they notice--> it's always best to be factually correct...

    Thanks.

    1. Re:Backdoored encryption is NOT encryption by prizog · · Score: 2

      g[x] is not necessarily obvious given f[x].

      Assuming g[x] is based on some codebreaking technique which the academic community doesn't know but the NSA does. For a time, differential cryptography would have worked. So, DES before the NSA made it more secure could have been used for this.

      Still, the academic community could catch up any time, so this is not a good strategy.

      Other forms of back doors exist - consider PGP ADKs (assuming the implementation weren't broken). They don't reduce the security of the system significantly, but they do provide a backdoor. Of course, this assumes that their use can be mandated, which we all know is impossible.

    2. Re:Backdoored encryption is NOT encryption by scoove · · Score: 2

      Wouldn't it be nice to have a distributed.net victory about now? Crack that RC5-64 code and show folks that a backdoor can be broken by bad guys via brute force?

      Hmm... 57.395% of total keyspace checked. Time to add a few more machines and get cracking! Come on, cows!

      *scoove*

    3. Re:Backdoored encryption is NOT encryption by Lostman · · Score: 2

      That's a very interesting point -- one of which I did not think of at all...

      Of course, since public keys would be different lengths, then the encoded message "public key" that you mentioned would be some length X. Say, we can guess that X will be AT LEAST >= 15-20. So one could safely remove the last 15 characters and replace with A's or what have you, and the decryption of it by the intended recipient will not be affected (b/c the decryption will not be affected at all by the backdoor encryption) but won't allow the government to read it.

      Now this is a way that encryption companies could make their product "compliant" with regulations, while also thumbing their nose at them. Very cute -- thanks for the heads up!

    4. Re:Backdoored encryption is NOT encryption by Lostman · · Score: 2

      What you are saying is that a message would be first encrypted with the recipient's public key. Then you would encrypt the same message with the government's public key. Possibly interleaving the government's encrypted information with the recipient's information such that you couldn't just delete the intended government block. This is what I am assuming you mean.

      The problem I see here, of course, is that this is effectively doubling the size of the message. It is worth noting that companies use encryption to encrypt valuable trade secrets, and doubling the size of data certainly isn't a good thing. Also, if the companies that manufacture the encryption software release (open) their specs as to if there is a fixed interleaving of governmentmsg and recipientmsg then the governmentmsg could be replaced by, say, A's or another interesting message.

      Of course, if this takes hold and the companies release their source, then it would be fairly trivial to just omit the section dealing with creation of a government message in the first place.

      Of course, the government private key will be found out. The problem is that "law abiding citizens" will be using this government key (while the criminals do as I suggested), therefore citizens give up their rights to solve nothing...

    5. Re:Backdoored encryption is NOT encryption by Daffy+Duck · · Score: 2

      No, Lostman. The only thing that is encrypted twice is the symmetric key, not the whole message.

    6. Re:Backdoored encryption is NOT encryption by prizog · · Score: 2

      Um, of course there is such a thing as a shared secret.

      http://www.math.fu-berlin.de/~dohna/ssbib.html

    7. Re:Backdoored encryption is NOT encryption by mpe · · Score: 2

      In order to support a backdoor, all the software has to do is encrypt the random key with the backdoor public key and append it to the header of the message.
      This doesn't require any compromise of the security of the algorithms themselves. In fact, if you send an encrypted message to more than one recipient with the current version of PGP, you're doing exactly the same thing.
      The compromise in security from a backdoor is that *every* message everywhere would be immediately and irrevocably exposed if the backdoor private key is ever discovered. It makes a very tantalizing target.


      One way of doing this which does give some degree of damage limitation is, whenever a PGP keyset is generated, you actually generate 2 keysets. The second private key is encrypted with the public key of spies@evesdroppers.gov and emailed to them. Then every time you send a PGP email it's also encrypted with the spies@evesdroppers.gov public key unique to you...

    8. Re:Backdoored encryption is NOT encryption by Dwonis · · Score: 2
      Which brings about the same problem we had in the first place: when spies@evesdroppers.gov's private key gets leaked (or cracked by a distributed effort), anyone who was recording those key transfers will immediately have access to all messages encrypted with them.

      One of the big things that makes PGP secure is that there is no single point of failure. Any compromise of this compromises the security of PGP.

      The other problem is with Kerberos and IPSEC, how do you plan to send all the keys for those elsewhere. I know I'd fire anyone who copied those keys anywhere.

    9. Re:Backdoored encryption is NOT encryption by Dwonis · · Score: 2

      He didn't say secrets couldn't be shared, he said that by doing so, the information will almost certainly not retain its secrecy.

    10. Re:Backdoored encryption is NOT encryption by prizog · · Score: 2

      Well, he's wrong there, too. And anyway, he said:

      "there's no such thing as a shared secret"

    11. Re:Backdoored encryption is NOT encryption by mpe · · Score: 2

      Which brings about the same problem we had in the first place: when spies@evesdroppers.gov's private key gets leaked (or cracked by a distributed effort), anyone who was recording those key transfers will immediately have access to all messages encrypted with them.

      It's less bad than the initial scenario of only having one "backdoor key". Here someone needs to not only get hold of the "spooks key" (which can be changed frequently anyway) but also intercept enough communications to work out which backdoor key they need.
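
The design debated in this thread (a random session key wrapped under the recipient's public key and wrapped again under one backdoor public key) can be sketched as follows. This is an added example, not code from any poster or from PGP; the textbook RSA over fixed Mersenne primes, the XOR keystream, and all names (`seal`, `open_with`, `ESCROW_PRIV`, the sample messages) are assumptions made for illustration only.

```python
import hashlib
import secrets

KEY_LEN = 16   # bytes in the per-message symmetric session key
E = 65537      # common RSA public exponent


def make_keypair(p, q):
    """Textbook RSA keypair from two primes (toy: no padding, fixed primes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed toy keys, built from Mersenne primes so the block runs offline.
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
ESCROW_PUB, ESCROW_PRIV = make_keypair(2**521 - 1, 2**607 - 1)


def xor_stream(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(pub, key):
    """Encrypt the session key under an RSA public key."""
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)


def unwrap(priv, wrapped):
    """Recover the session key; None if the result cannot be a valid key."""
    n, d = priv
    m = pow(wrapped, d, n)
    return m.to_bytes(KEY_LEN, "big") if m < (1 << (8 * KEY_LEN)) else None


def seal(plaintext, recipient_pub, escrow_pub=ESCROW_PUB):
    """Only the session key is encrypted twice; the body is encrypted once."""
    key = secrets.token_bytes(KEY_LEN)
    return {
        "recipient": wrap(recipient_pub, key),
        "escrow": wrap(escrow_pub, key),
        "body": xor_stream(key, plaintext),
    }


def open_with(msg, slot, priv):
    """Decrypt a message using the wrapped key stored in the given slot."""
    key = unwrap(priv, msg[slot])
    return None if key is None else xor_stream(key, msg["body"])


def demo():
    # Constructed sample messages to two unrelated recipients.
    texts = [b"wire 40,000 to account 7731",
             b"Q3 roadmap draft, do not forward outside the team"]
    msgs = [seal(texts[0], ALICE_PUB), seal(texts[1], BOB_PUB)]
    return {
        # Each recipient key opens only its own traffic...
        "alice_reads_own": open_with(msgs[0], "recipient", ALICE_PRIV) == texts[0],
        "alice_reads_bobs": open_with(msgs[1], "recipient", ALICE_PRIV) == texts[1],
        # ...while the one escrow private key opens every message ever sent.
        "escrow_reads_all": [open_with(m, "escrow", ESCROW_PRIV) for m in msgs] == texts,
    }


if __name__ == "__main__":
    print(demo())
```

The algorithms are untouched, which is the point made above: the exposure comes entirely from one private key that unlocks every recorded message.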

  12. total impractical by Dr.+Awktagon · · Score: 2

    Somebody needs to shine the Flashlight of Reason into the Dark Corner of Stupidity don't you think?

    How can this possibly be enforced? I have books, and files on my computer, describing most common encryption and public key methods. I could almost write an RSA encryption program from memory, and I certainly could write a program to XOR with a LFSR or a one-time pad.

    The dumbed down articles always talk about how "complex" and "sophisticated" encryption is, but it's not really that complex, once you know the formulas. Anyone with high-school math could probably understand many of the algorithms. You could explain a one-time pad in terms of adding and subtracting.

    And what is a legal definition of encryption anyway? If I XOR all my files with a constant byte, or if my ISP or the FBI happens to be looking and they don't recognize the file format and somebody calls the cops, how the hell am I going to explain how it's not encryption? Or will it be like the DMCA, and encryption will be anything they feel like.

    And are they going to somehow take away my SSH that I use almost every day to do work as a sysadmin? I get paid to secure systems, should I tell my clients "This encryption is difficult to crack. Except for the government and anyone else who figures out the back door. Sorry."

    Totally crazy and impractical.

    1. Re:total impractical by crucini · · Score: 2

      From what I've seen, the bill would prohibit the distribution of encryption software that doesn't have the backdoor. This is relatively enforceable. What makes you think the bill outlaws encrypted communications?

      Once again, geeks are treating the government like a computer, and expecting some "edge case" to cause a crash. It won't work that way. The intent of the bill will be clear, and judges will follow that intent. Look at Kaplan/DMCA.

      So, if you send an email in Navajo, that is in no way a violation of the proposed bill. But if you distribute software that encrypts communications into something like Navajo, and you don't use the backdoor, that is in violation of the bill.

      It almost seems like you're deliberately not getting it, in order to attack a strawman. I oppose this bill for the one sound reason: because it is a Fourth Amendment violation.

  13. Re:Security by mangu · · Score: 2
    if they outlaw the export of encryption "devices", device in this case including a description of how a thing works


    If they outlaw a description of something, that would abridge the freedom of speech, or of the press. Can't throw away the First Amendment without another amendment to the Constitution of the USA. Sure, they could outlaw the export of those descriptions, but how could they keep something that is freely published in the USA to leak away?

  14. In other news... by mj6798 · · Score: 2

    Sen. Judd Gregg also reintroduced legislation to make the value of pi equal to 3. "We cannot afford the inefficiencies resulting from the oddball values of pi some fringe academics have dreamed up. Our new wartime economy must be efficient, and to help with this effort, Congress will adopt legislation that will greatly simplify the design of common military hardware like wheels and gears," said Sen. Judd Gregg in a televised statement.

  15. Most lawmakers have NO technical education. by Futurepower(tm) · · Score: 2


    From the story referenced above:

    "That's like telling people to take their house key down to the police station," Goodlatte said. "People are not going to have greater confidence in their security by doing that."

    Good analogy. These things must be made simple, because most lawmakers have no technical education whatsoever. Did I say NONE at all? As in Duhhhh!


    Secret U.S. government agencies control U.S. violence: What Should be the Response to Violence?

    --
    Bush's education improvements were
    1. Re:Most lawmakers have NO technical education. by ecampbel · · Score: 2

      That's a terrible analogy!

      A locked door does not prevent the police from entering a house with a search warrant. There are plenty of physical means for breaking down a door to gain entry into a person's house. A key is not necessary. However, with encrypted data, even if the police receive a warrant, they will have no way of searching through a person's secured data

      I don't understand how people can argue that just because data is stored on a person's computer, it should somehow be impervious to search warrants. Why should encryption necessarily give people more rights than they had a decade ago?

      No one on slashdot has had any problems with the FBI searching through the former residences of the suspects of the WTC attack. However, the slashdot crowd would be up in arms if the FBI somehow was able to search through encrypted data on their computers. What if an encrypted e-mail existed that could conclusively link the hijackers with Osama Bin Laden? That piece of evidence could be enough to convince the Taliban to turn the guy over, and thus, prevent a war. Unfortunately, given the current state of encryption, this piece of evidence could never be decrypted and used.

      If there is a technical means to restore the power of a search warrant, I'm all for it. While it might not stop the truly determined criminal, some crimes probably could be prevented, and as long as it's implemented correctly, no loss of personal freedoms would occur.

      Obviously, there needs to be safeguards protecting law abiding citizens from illegal search and seizure by the government by ensuring that only the intended recipient and those with a warrant can decrypt secure messages. Perhaps, this can never be accomplished, which would mean that this legislation should not be enacted. But if the law required that all encrypted messages be encrypted with both the public key of the recipient and the public key of some government agency, then I think the above goals could be met. While I respect arguments concerning the technical feasibility of such a scheme, I don't respect people who argue that unbreakable encryption should somehow be an inalienable right.

      --

      Sig goes here
    2. Re:Most lawmakers have NO technical education. by crucini · · Score: 2

      OK, so how can we come up with a system that makes searching your communications as hard, noisy, public, and time-consuming as searching your house? The digital era is confronting us with a certain template that keeps repeating: where once there was a balance of power between two parties, now the power wants to slide all to one side or the other.

      In copyright, it used to be possible to copy a book or a record. But it was time consuming, and the result was not as good as the original. However, it was worthwhile if the work was out of print, and the threat of copying prevented many abuses by publishers. With digital technology, it seems we have to choose between a world of unrestricted, cheap, perfect copying, and a world of draconian restrictions and no copying at all.

      Likewise with this issue of search. It doesn't bother me in principle that the government can search my communications - I just don't want it to be so cheap, easy, fast and invisible that it's automated into a huge vacuum-cleaner system. But I see no way to restore the pre-digital balance.

      I think we all know that the need for a search warrant is not meaningful in itself. Some trustworthy technical barrier needs to impede these searches

  16. My letter to congressmen hand-delivered yesterday by dpilot · · Score: 2

    I dismissed privacy concerns as being currently out of fashion. I *wish* that I had done the same for practicality concerns, because we all agree that truly controlling the flow of such information is impossible.

    I emphasized that there are many different crypto channels, and to be effective they'd have to weaken every one of them, because terrorists could simply shift to a different channel if, for instance PGP email were back-doored or weakened.

    Then I explained that any inserted backdoor could be rediscovered within a reasonable time. I wish I had had access to the Clipper references mentioned here. But I was also struggling to keep this on one side of one page, so perhaps it doesn't matter.

    Finally I added that the safety of our financial and network infrastructure depends on some of these alternate crypto channels, and to compromise them would put us at risk. SSH and https: were mentioned examples.

    There, a case based on things other than privacy or practicality.

    --
    The living have better things to do than to continue hating the dead.
  17. Enforcement? by stuccoguy · · Score: 2
    Much has been said over the last week about the government's ability to enforce such a law. One group says that outlaws and terrorists will obviously refuse to use such weak encryption and others respond that law enforcement will then be able to indict them for violation of the back door law.


    This second argument is specious for two reasons.


    First, any law forbidding strong encryption without a back door could be binding on the sender of messages only. The receiver of a message encrypted without a back door could hardly be held legally liable for the action of another. Therefore, if the head of a terrorist organization outside of the US used strong encryption to send messages to terrorists inside the US, no law has been broken. The backdoor law is not extra-territorial and cannot ban someone outside the US from using non-backdoor encryption, and the receiver in the US cannot be held liable simply for receiving such a message.


    Second, the argument assumes that law enforcement can somehow detect whether or not a message is encrypted using a backdoor program or not. The ability for law enforcement to archive messages and search through their contents is truly staggering, but it is not all powerful. It takes many many computer cycles to sift through unencrypted data searching for words or phrases in order to be useful at all. There is no indication that anyone would have the computational power to sift through archived messages to determine if a message is encrypted or not, let alone whether it was encrypted with lawful or unlawful software. Making such a determination on the fly would be absolutely impossible.


    Unless, of course, messages encrypted with compliant software contained flags set at specific bits to alert law enforcement to the presence of lawfully encrypted text. If that was the case, however, terrorists and other non-crypto-law abiding people could simply alter the open source code for their non-compliant crypto package to add the special bits. Law enforcement would still be unable to determine on the fly whether a message was lawfully encrypted or not.

    That leaves them only one alternative. They would have to try to decode all encrypted messages on the fly in order to determine which were lawfully encrypted. That action in and of itself would violate the privacy rights of anyone whose message was decrypted simply to determine if it was lawfully encrypted.


    Furthermore (or more precisely, once again), the ability to capture all messages and attempt to decrypt them on the fly in order to determine which were lawful and which were not is currently a technologically impossible task.

    1. Re:Enforcement? by ecampbel · · Score: 2

      You don't need to proactively prosecute people for breaking the back-door law for it to be effective. Once you've obtained a search warrant for a person, you have access to his or her data. At that point, you can determine if their data has been "legally" encrypted. If it hasn't, you can choose to prosecute them on that charge unless they give you the keys to decrypt the data.

      --

      Sig goes here
    2. Re:Enforcement? by ecampbel · · Score: 2

      If you don't need a warrant to decrypt messages, then this law is crap, and would destroy our basic fourth amendment protection. However, the law seems to only apply to suspected terrorists (no doubt it would be applied to other criminal activity as well):

      Computer software companies would have to install a backdoor for law enforcement agencies to unscramble secret messages on phones, e-mails and other communications used by suspected terrorists, under a proposal by U.S. Sen. Judd Gregg, R-N.H.


      So, if there is enough evidence for someone to be labeled a suspected terrorist, then a search warrant could probably be obtained.

      However, given today's climate, those who speak Arabic, are Muslim and anyone else from a Middle Eastern country will probably be labeled a suspected terrorist. If this means that the government can now monitor all their communications, then the terrorists have done significantly more damage than simply destroying the WTC, they've destroyed some of our most fundamental liberties.

      --

      Sig goes here
    3. Re:Enforcement? by mpe · · Score: 2

      However, given today's climate, those who speak Arabic, are Muslim and anyone else from a Middle Eastern country will probably be labeled a suspected terrorist.

      With the result that any of these who happen to be terrorists probably can operate in the open. Since the authorities can't see the wood for the trees...

  18. What you can do... by Nugget94M · · Score: 2
    Please consider joining or donating to the Electronic Frontier Foundation or at the very least send off the proposed correspondence from their page on this subject.

    Based in San Francisco, EFF is a donor-supported membership organization working to protect our fundamental rights regardless of technology; to educate the press, policymakers and the general public about civil liberties issues related to technology; and to act as a defender of those liberties. Among our various activities, EFF opposes misguided legislation, initiates and defends court cases preserving individuals' rights, launches global public campaigns, introduces leading edge proposals and papers, hosts frequent educational events, engages the press regularly, and publishes a comprehensive archive of digital civil liberties information at one of the most linked-to websites in the world.

    And it needs our support to ensure that it is forever capable of supporting us against legislation that seeks to eliminate our rights and privacies.

  19. Talking Points Against Key Escrow by bwt · · Score: 2

    Here are the talking points against this abomination:

    1. It's a total waste of time unless you have a plan to force the terrorists to use weak encryption.
    2. Centralized key escrow creates a single point of failure for our national cybersecurity infrastructure.
    3. Strong crypto can be defeated and has been defeated in the real world. You use existing wiretap laws to implement keyboard sniffers and the like to grab cleartext.
    4. You have to be prepared to use keyboard sniffers ANYWAY, because the terrorists aren't going to comply with your law.
    5. The bill violates the free speech rights of ordinary citizens and businesses. Conversion from already deployed strong crypto to crippled crypto is an effort comparable to Y2K.
    6. Stop using this as an excuse for the intelligence failure. It's bogus. These terrorists made credit card purchases, airline reservations, flight school training, apartment leases using real names sometimes even on our "watch list".
    7. Are we really willing to punish otherwise law abiding citizens who fail to register their crypto key? Who needs terrorists when the government will destroy your rights for you?
    8. Security cannot be achieved by weakening security. What is security if not the protection of citizens' rights?
    9. The law cannot be enforced, and its violation isn't even detectable. If you find an encrypted message, how will you know it wasn't made before the ban?

    1. Re:Talking Points Against Key Escrow by scoove · · Score: 2

      2. Centralized key escrow creates a single point of failure for our national cybersecurity infrastructure.

      Ack! Thanks for reminding us of this aspect of the problem. Remembering the not-so-former administration and its bumbles, we had:

      - missing hard drives at a national nuclear lab (what ever did happen with that investigation? reno'ized?)

      - lost laptops with national secrets (culprits handslapped)

      - directors putting national secrets on their home peecee

      - presidents letting movie stars' kids play with the nuclear "launch codes" football

      - major spy crisis after major spy crisis

      etc.

      And you want to give these guys the keys??? Might as well let Osama keep them.

      *scoove*

    2. Re:Talking Points Against Key Escrow by mpe · · Score: 2

      Bad guys aren't going to play by the rules and will use encryption anyway.

      More likely they will NOT use encryption anyway. They would only send encrypted email if more than 50% of emails were encrypted...
      Someone really needs to write "Terrorism for Dummies", with the intended readership law enforcement!

  20. You are overlooking something... by s390 · · Score: 2

    which is, specifically, that you're an idiot:

    We all know that encryption is hardly used except by criminals and the paranoid.

    Do you bank online? Have you ever bought anything online? Does your company engage in e-commerce or EDI? Have you ever used Lotus Notes?

    These are strong encryption applications, without any backdoors (yet). How will you feel about government-mandated encryption backdoors when some 31337 HaXoRs strip your bank and credit-card accounts? Are you so naive as to imagine that the government will make you whole? ("Gee, we're not responsible for losses due to criminal activity" say the cops.) Do you think that Judd Greg will recompense your life savings lost to backdoor crypto? You must be a troll, drunk, on crack, or all of the above, to have posted that moronic spineless garbage here. Just shoot yourself, it's painless.

    "Those who would trade liberty for security deserve neither." ... Guess what? Ben Franklin was talking about you, you sniveling little proletarian.

  21. Re:You can't have it both ways. by Daffy+Duck · · Score: 2
    Unbelievable.

    True freedom requires security of those freedoms. To be secure, you might have to give up some of your liberties.


    So what you're saying is that in order to have freedom you must give up some of your liberties. Fascinating semantic distinction.

    As to the rest of your bizarrely illogical rant, may I take a few issues?

    We all know that encryption is hardly used except by criminals and the paranoid.... Personally, I don't use it nor does anyone I know.


    So you don't know anyone who uses it, and the only people who use it are criminals and paranoids. How did you manage that conclusion if you don't know any of them?

    We hire these people to protect us, we pay them taxes, yet you don't want to allow them to do their jobs?


    Forgive me, but does this mean that if I don't pay taxes I am exempt to having my civil liberties taken away? Or was there some checkbox on the 1040 form that read "Yes, I want to be spied on."?

    As others have pointed out, this kind of bullshit proposal only has two ways of succeeding. The first is if we convince all the terrorists to upgrade to backdoored software. Good luck.

    The second is if we convince everyone else to upgrade and hope the terrorists don't hear about it. Then we can construe their use of strong crypto as an admission of guilt. How many seconds of profound thought do you think it will take the next terrorist to figure out to wrap his strongly encrypted messages in a weakly encrypted envelope?

    "Aha," one might say, "but that can still be detected by decrypting the outer layer!" Yes indeed, but only if the government routinely decrypts every message sent anywhere by any means. Perhaps including the U.S. postal service. So in order to preserve our freedom we must all be spied on by means that continuously and actively compromise the privacy of every law-abiding citizen. In exchange we will learn the identities (but not the encrypted messages) of the terrorists. Then we can haul them into court and charge them with having a secret. I'm sure people willing to die a fiery death for their cause are going to tremble at the thought of being jailed for contempt of court. Or will that become a death-penalty offense as well?

  22. Hate to tell you this... by tshak · · Score: 2

    but rumour has it that the NSA can crack 128bit encryption (read: this has NOTHING to do with key size - a 128bit key or a 1024bit key, it's all the same). From a semi-reliable source the NSA has been funding a massive cryptology group to essentially find mathematical weaknesses in many of our popular algorithms. Personally, I don't believe this is true, but it makes me think twice. If this is true, the reason this legislation is coming about is because the NSA doesn't share crap with the FBI, and very little with the CIA, and it's the FBI and the CIA that want it all. Food for thought.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  23. Ante Upped: Oracle National ID System by scoove · · Score: 2

    Just caught a Drudge Report blurb reporting Oracle's Larry Ellison volunteering to contribute to the creation of a national ID database system.

    At the same time, Newt Gingrich blabbed on Fox News that a "secure national ID system" would make air travelers feel much more secure.

    Looks like we're seeing yet another power grab.

    *scoove*

  24. Stop me if you've heard this one before... by Chris+Brewer · · Score: 2

    If you copyright your encrypted communications, then wouldn't having the backdoor mean that it's a circumvention device and therefore illegal under the DMCA?

    --
    Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
  25. Re:would it make more sense... by sconeu · · Score: 2

    wouldn't it make more sense if we just applied current laws and required that, upon presentation of an appropriate warrant, you had to decrypt documents and files that the authorities tell you to decrypt rather than having some third parties do it for you and them?

    That would be nice, except for a little item called The Fifth Amendment to the United States Constitution.

    "No person... shall be compelled in any criminal case to be a witness against himself".

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  26. We need to suffer. by Vegan+Pagan · · Score: 2

    Southerners didn't free slaves until Union troops started invading and killing.

    Many people thought prohibition was a good idea until they tried it.

    Nobody started fixing the US economy until it collapsed in 1929.

    Germany didn't respect its Jews until it killed 6 million of them.

    The US Govt didn't get out of Vietnam until the people threatened a revolution.

    And the US people didn't give the FBI, CIA and airport security the people and resources they needed until the WTC came down.

    You can yell at the public all you want, but until they suffer for their folly, they won't listen. We may just have to suffer the absence of encryption until some terrorist wipes out a few million bank records, or until a few million PC users ignore the law.

  27. Problem is by Tachys · · Score: 2

    You know somebody will probably figure out how to encode two different messages in one message. Decoding with the real key and the government backdoor will each give a different message.

  28. Create a better way of explaining it. by Futurepower(tm) · · Score: 2


    Well then, create a better way of explaining encryption to non-technical people.

    Do I have a right to speak to my woman friend or wife or children in private? If I do, then I have the right to unbreakable encryption.

    There was one EXCELLENT way of fighting Osama bin Laden: Don't support the Taliban or the Saudis, as the U.S. government did for many years. Then they would fight someone else.

    This encryption debate obscures the real issue: The U.S. government must stop being adversarial with the whole world.

    --
    Bush's education improvements were
    1. Re:Create a better way of explaining it. by ecampbel · · Score: 2

      Do I have a right to speak to my woman friend or wife or children in private? If I do, then I have the right to unbreakable encryption.

      You don't have this right if a law enforcement agency has obtained permission to tap your telephone line via a court order. Again, if you use unbreakable encryption, there's no longer a way to accomplish this. If a court order hasn't been obtained, not only is it illegal to listen to your private conversation, anything gained through these means is inadmissible.

      --

      Sig goes here
    2. Re:Create a better way of explaining it. by mpe · · Score: 2

      You don't have this right if a law enforcement agency has obtained permission to tap your telephone line via a court order.

      That simply gives them the right to intercept the communication. Otherwise when a tap was put on they would also need to put on a recorded message obliging people only to use certain languages and avoid slang...

  29. Re:You can't have it both ways. by coolgeek · · Score: 2

    Chances are the terrorists didn't use encrypted email. Why would these obviously intelligent albeit extremely evil perpetrators risk having their messages intercepted and cracked by US spooks? They met face-to-face to formulate their plans, in caves or rooms with blacked-out windows and the stereo blasting. They might have used the 'net to find the more lightly loaded flights, and then again, maybe they just went to the airport and hung around watching the crowds.

    --

    cat /dev/null >sig
  30. Re:Security by coolgeek · · Score: 2

    I think rather than ScriptKiddies, it will be these mythical, supposedly Russian CyberMafia[tm] guys, you know, the ones who hack for dollars by breaking into e-commerce sites and getting card numbers, will probably invest in a beowulf cluster and mount an attack on the cypher to discover the backdoor, whether it's a master key or an algorithm.

    --

    cat /dev/null >sig
  31. Re:Oh Really? by coolgeek · · Score: 2

    Exactly. Steganography is a much more effective tool for facilitating covert communication. That's why spies have been using it for decades, posting personal ads in the paper or signs on a telephone pole, or just a book code.

    --

    cat /dev/null >sig
  32. Re:WTC attack - an absurd Liberal myth by fmaxwell · · Score: 2

    Are all conservatives as nutty as you are?

  33. Re:Alternative by coolgeek · · Score: 2

    Probably if they spent as much money investing in supercomputers as implementing this proposed law, they might be able to approach real-time decryption of messages. They can look to Google for a good example of building an inexpensive supercomputer. They could probably implement a "Private Key Cache" [Patent Pending, BTW] to try on subsequent messages from the same sender before resorting to other methods.

    --

    cat /dev/null >sig
  34. Re:Encryption by coolgeek · · Score: 2

    yeah, and that's what cranking it up to like 11 is for

    --

    cat /dev/null >sig
  35. Obligatory link to eff.org alerts by gad_zuki! · · Score: 2

    The EFF makes a few good points and offers sample letters and links to your rep. and sen. Enjoy.

  36. Re:I am from NH, but what can I do? by gad_zuki! · · Score: 2

    goto www.eff.org for sample letters and info.

  37. Re:You can't have it both ways. by jovlinger · · Score: 2

    To paraphrase Churchill:
    Yes I may be drunk, but you, sir, are an idiot. In the morning I will be sober.

    Giving up liberties for security is a slippery slope. You never achieve security, and find that you have given up all your liberties to achieve very little.

    The name of the game is a clue: terrorism. Those who let themselves be cowed by its spectre are already victims, even if they are not directly hurt by the attack.

  38. It's too damn late! by dido · · Score: 2

    What makes these fools think that bin Laden and organizations like Al-Qaida are going to start using their escrowed encryption programs? The only people who are going to be using this escrowed encryption are your people, your law-abiding citizens. Not even terrorists who enter the US are going to use it, obviously. Most of them may be psychos, but they are not stupid of course. If they were, they would have met their end long ago. In the meantime, someone is going to reverse engineer how you do your key escrow, and then everyone in the world who doesn't have a DMCA-like law can read escrowed encryption traffic after they reverse engineer the new chip that provides it. It may require the resources of a large semiconductor corporation to do the reverse engineering, but once that has been done, end of story.

    Hopefully the NSA will do everything to make sure that your escrowed encryption is as perfect as it can be, but given the Agency's track record, I would be wary. Besides, the civilian research into key recovery systems (mostly from Silvio Micali's research, to whom the government paid $1,000,000 for use of his patents in the old Fortezza/Clipper chip) has been somewhat unpromising, and there are many complex security problems involved. What if someone cracks the escrow agency's database? The keys are going to start circulating among the rest of the world's intelligence agencies and terrorist organizations by then.

    In the meantime your largely ignorant populace is going to start taking active measures to make themselves available for surveillance, in the misguided belief that this will help the security of your nation. It won't, not in any meaningful sense, but makes it far easier for Big Brother to start listening in on everything. Welcome to the American Empire.

    --
    Give me six lines written by the hand of the most honest man, and I will find in them something to hang him.
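The scheme proposed earlier in the thread (every message encrypted to both the recipient's public key and a government key) and the escrow-compromise question raised in the comment above can be seen side by side in a small model. This is an added example, not code from any commenter or from a real escrow product; the toy Diffie-Hellman group, the SHA-256 keystream, and all names (`encrypt_escrowed`, `escrow_slot`, the sample messages) are assumptions chosen so it runs with only the Python standard library.

```python
import hashlib
import hmac
import secrets

# Demo-only group (assumption): Diffie-Hellman modulo the Mersenne prime
# 2**521 - 1. It shows the structure; it is not a parameter choice for real use.
P = 2**521 - 1
G = 3


def keygen():
    """Return (private, public) for the toy ElGamal-style key wrap."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def _keystream(key, nonce, length):
    """SHA-256 in counter mode, standing in for a real stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key, plaintext):
    """Encrypt-then-MAC with separate encryption and MAC subkeys."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def _open(key, blob):
    """Verify the MAC, then decrypt; raise ValueError on a wrong key."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _wrap(session_key, public):
    """Wrap the session key to one public key using an ephemeral DH share."""
    eph_priv, eph_pub = keygen()
    shared = pow(public, eph_priv, P)
    kek = hashlib.sha256(shared.to_bytes(66, "big")).digest()
    return eph_pub, _seal(kek, session_key)


def _unwrap(priv, slot):
    eph_pub, wrapped = slot
    shared = pow(eph_pub, priv, P)
    kek = hashlib.sha256(shared.to_bytes(66, "big")).digest()
    return _open(kek, wrapped)


def encrypt_escrowed(plaintext, recipient_pub, escrow_pub):
    """One random session key per message, wrapped twice: recipient and escrow."""
    session_key = secrets.token_bytes(32)
    return {
        "body": _seal(session_key, plaintext),
        "recipient_slot": _wrap(session_key, recipient_pub),
        "escrow_slot": _wrap(session_key, escrow_pub),
    }


def try_read(message, slot_name, priv):
    """Return the plaintext if priv opens the named slot, else None."""
    try:
        return _open(_unwrap(priv, message[slot_name]), message["body"])
    except ValueError:
        return None


def demo():
    """Compare what one user's key exposes with what the escrow key exposes."""
    alice_priv, alice_pub = keygen()
    _bob_priv, bob_pub = keygen()
    escrow_priv, escrow_pub = keygen()
    # Constructed sample messages.
    to_alice = encrypt_escrowed(b"wire transfer details", alice_pub, escrow_pub)
    to_bob = encrypt_escrowed(b"merger draft", bob_pub, escrow_pub)
    return {
        "alice_reads_own": try_read(to_alice, "recipient_slot", alice_priv),
        "alice_reads_bob": try_read(to_bob, "recipient_slot", alice_priv),
        "escrow_reads": [try_read(m, "escrow_slot", escrow_priv)
                         for m in (to_alice, to_bob)],
    }


if __name__ == "__main__":
    print(demo())
```

A stolen user key opens only that user's messages, while the single escrow private key opens every message ever produced under the scheme, which is why its storage becomes the thing to protect.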
  39. Re:WRONG! WTC attack - an Illuminati conspiracy by Glytch · · Score: 2

    * Sibyl of Prague, an old woman (17th century) "From the east a dragon will come, terrible to look at, because from its 9 times 99 eyes (1999?), mortal rays will be emitted and a poisonous air leaves its mouth".

    She predicted the rise of Godzilla. Cool!

    GODZIRRRRRRAAAAAAA!

  40. Re:Encryption by Glytch · · Score: 2

    I thought Azrael was Gargamel's stupid cat.

  41. Required Key Escrow As Law Enforcement Tool by David+Hume · · Score: 2

    Do you really think that having key escrow will really work!? Do you even realize that the majority of cryptographic software is manufactured outside of the USA, where the USA has no jurisdiction. Do you really think that Afghanistan will stop using the cryptographic software already available?


    Key escrow will work as a law enforcement tool in the following limited, but nonetheless useful, way.

    It cannot actually prevent anyone from using cryptography that does not have a backdoor.

    However, what it will do is allow law enforcement to stop, interrogate, hold and arrest a suspected terrorist on the grounds that the person has a cryptography program on their computer that does not have the approved backdoor. It will give law enforcement something to hold them on. This can be important. Let me make an analogy to the knife situation.

    Prior to the events of 9/11, it was perfectly LEGAL to board an airplane with a knife with a blade up to 4 inches in length. If somebody was found trying to board an airplane, or on an airplane, with such a knife, there was no legal basis to question, much less arrest, them. Indeed, if someone was found with TEN such knives, there was no legal basis to hold them. They just walked away. Hell, you might not be able to keep them off the airplane.

    Now, there is a new regulation banning ALL knives, no matter what the blade length. Will this new regulation prevent any determined person from carrying a knife on board? Given the current state of security, probably not. Unless you ban, or thoroughly search, all hand luggage, and frisk all passengers, no. I'm sure right now I could probably carry an 8 inch (or ten 4 inch) glass, ceramic, or plexi-glass knife (knives) on board and get away with it. So, does that make the law useless?

    No, because, compared to before, if they DO detect my 10 glass, ceramic, or plexi-glass knives with 4 inch blades, they can actually prevent me from boarding the plane, hold me, question me, interrogate me, and arrest me. They can pursue the matter.

    Obviously, the analogy to cryptographic software is far from perfect, but the principle is the same. No, you can't really PREVENT anyone from using such software w/o a backdoor if they really want to. But what it does do is give you a legal basis to stop, interrogate, and, if need be, arrest them.

    Is it worth it? I'll leave it up to others to discuss that issue for now. But one cannot say it would serve absolutely NO purpose.

    1. Re:Required Key Escrow As Law Enforcement Tool by choco · · Score: 4, Insightful

      >However, what it will do is allow law enforcement to stop, interrogate, hold and arrest a suspected terrorist on the grounds that the person has a cryptography program on their computer

      Yet another flawed idea. It may work on the brain dead. But it is easily avoided by everyone else.

      You take someone's computer, anyone's computer. They're likely to have hundreds of thousands or even several million files on it - with thousands or maybe tens of thousands of executables. Somewhere in that lot is an executable which contains the "illegal" encryption and decryption routines. An executable with a misleading name, which also does something entirely legitimate, which may itself be compressed or encrypted.

      You're going to have to scan every file to see if it is executable, or a compressed or encrypted executable. When you find your executable you're going to have to do some very detailed analysis to see if it offers any "forbidden" functions.

      Analysis of a system for unauthorised crypto programs is going to take serious time and serious resources.

      If you have a strong suspect, by the time you've unscrambled what's on their computer the result is pretty academic - it's going to be far too late to assist any ongoing investigation - the trail to the next link will have gone cold.

      If you don't have a strong suspect this is going to be useless as an investigation - you can't use it for screening - ANYONE you care to check is going to take so much time and money before you can eliminate the suspect as to make the technique worthless.

      Even at its absolute best, the proposed restrictions will achieve little more than provide an extra, technical offence to charge the obviously guilty with.

      The test isn't "does it serve ANY purpose" - it is "does it serve any USEFUL purpose" - and the answer is that it doesn't.

      You may think that it is still worth the cost to the rest of us. I don't.

      --
      AJB
  42. Re:Security by sconeu · · Score: 2

    Since the 2600 case has found that programs aren't protected speech

    Do your work in California. The Ninth Circuit has found that code is protected speech (Bernstein v. Reno, I believe), and the particular case involved strong crypto!

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  43. Re:KEY ESCROW IS AGAINST BILL OF RIGHTS by sconeu · · Score: 2

    I doubt they would miss the connection between quartering soldiers and/or quartering escrowed keys

    Congress will just claim the "time of war" exception in the Third Amendment.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  44. I've said it before and I'll say it again... by aiken_d · · Score: 2

    ...you're fighting a losing battle, my friends.

    According to a recent CNN poll, 57% of Americans say they would "willingly allow the government to read their email to help the fight against terrorism". I'd post the link but CNN's search engine sucks. It was on the Wolf Blitzer special report page yesterday, 9/20/2001.

    We live in a democracy: clearly, if people here want to trade freedom for the illusion of security, that's what's going to happen. Especially if big corporations back the same laws, albeit for different reasons.

    Between the people and corporations here in America, nobody really wants privacy. Nevermind little issues like your credit cards selling your purchasing habits; people are ready to live in glass houses and let the government and big business watch every bit of communication with the hope of making an arrest or a sale.

    It's all for our own good, of course, since apparently Americans no longer believe that they are capable of taking care of themselves, and they no longer trust each other, and that massive government and corporate intervention is the only way to right matters.

    It's a psychotic vicious circle: the more we abdicate responsibility, the more we need someone to take care of us, and the worse things get. What a surprise.

    Sorry for the rant. Here's the bottom line: if you truly value freedom and privacy, the US is no longer the country for you. The aging population is tired of that sh*t, and has long since traded in principle for pragmatism. The odds of making a difference by writing letters are roughly the same as those of being suddenly turned into a 200 foot tall statue of the Marx Brothers.

    So, write your letters. Make your calls. But when it really starts coming down, remember that you can vote with your feet: there are plenty of countries out there that are still civilized and that still respect the individual, and until the real exodus starts, almost every country will happily take the best and the brightest from the US, even if they are geeks / libertarians / gays / goths / vegans / anyone else who may not quite fit in to a mainstream police state.

    -b

    PS: don't bother replying with bogus patriotic "if you hate the US, leave" messages. In fact, I love the US, and have done more to demonstrate that than you'll ever know. But love does not necessitate blind jingoism, as some would have it.

    --
    If I wanted a sig I would have filled in that stupid box.
  45. Demonstration of Implementation? by ClarkEvans · · Score: 2

    For one of these congressional hearings, could a knowledgeable person take the crypto bible with them and a portable computer with standard components and "implement" a simple crypto while the session is going on; just to demonstrate that this is common technology. I'm sure that they have some idea that there are N products out there by N companies and that people must buy one of these products; and that these companies can get together (like Microsoft) and force the world to upgrade to the new back-door enabled version. At least, I'm sure this is what Microsoft people are telling the legislature. So... they may not be technical, but they do trust their Microsoft lobbyist; after all, they've constructed the world's best desktop operating system and tools, of course they know what they are talking about.

  46. Re:You can't have it both ways. by mpe · · Score: 2

    So in order to preserve our freedom we must all be spied on by means that continuously and actively compromise the privacy of every law-abiding citizen.

    Welcome to the American Democratic Republic. To help things along Canada should be renamed the American Federal Republic and gear up for taking control of the whole lot by around 2050

  47. Attention: Baltimore Area Residents by randombit · · Score: 2

    I got this email on Friday:

    "Monday 9/24, noon, at the Mattin Center: U.S. Representative Constance Morella (8th District of Maryland) will talk regarding Information Security and Privacy."

    The Mattin Center is the new arts building on the campus of Johns Hopkins University. I'll be showing up and I hope others will as well.
    If you want directions or more info please respond to this post.

  48. Re:My letter to congressmen hand-delivered yesterd by thrig · · Score: 2

    The RISKS of Key Recovery, Key Escrow, and Trusted Third Party Encryption



    Was that the Clipper document you were looking for?

  49. ^ PLEASE MOD THIS UP TO 5 !!! ^ (nt) by Dwonis · · Score: 2

    no text

  50. Re:Contacting your representatives by Danse · · Score: 2

    If such actions became commonplace among average Americans, then reps would probably give it some consideration. As it stands, however, the average American isn't even likely to know who his/her reps are, let alone bother to contribute to any of them.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  51. Phil Zimmermann should get a Nobel Peace Prize. by twitter · · Score: 2

    Well, why not? Crypto, like TNT, has done more good than harm.

    Hiding tools from honest people only assures us that honest people suffer without benefit. Principles of operation will always get out and the bad guys will always use those tools as they see fit. You can't hide crypto and we should all be using it to protect our privacy.

    Here are some more people you can hate, if you still want to point a finger at Zimmermann:

    The Wright brothers, for giving the terrorist a weapon.

    Whittle, for developing the engines that powered that weapon.

    Eiffel, for giving the terrorist a target.

    Diesel, for working out the use of heavier oil fuels that all jet aircraft use.

    Oh yeah, don't forget that hideous man who invented the knife.

    So go on and ban aviation, skyscrapers and knives as well as deadly crypto. The world will not be a better place!

    --

    Friends don't help friends install M$ junk.

  52. Re:Remember Napster? by crucini · · Score: 2

    I think the bill is about distributing encryption software, not sending encrypted bytes. Therefore, your point of vulnerability would be distribution. You couldn't use the web or ftp. You could try gnutella or freenet. But would you trust crypto software of unknown origin? If you write "supercrypto" and I download it from freenet, how do I know it hasn't been backdoored by some third party? Digital signature? What if I have the wrong public key for you?

    If the government can disrupt the normal, overt channels of communication for crypto software and development, they can do huge damage. I'll never feel comfortable with crypto software that hasn't had substantial peer review, and this scheme could prevent that.
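
The question in the comment above (a signature is only as trustworthy as the public key you check it against), as an added example that is not part of the original comment or any project's code. It uses a Lamport one-time signature only so it runs on the Python standard library; the release bytes are constructed and the out-of-band pinned fingerprint is an assumption.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of random secrets; public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret of each pair, selected by the bits of the message digest.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def fingerprint(pk) -> str:
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

def accept_download(release: bytes, sig, pk, pinned_fp: str) -> str:
    # The signature only proves "signed by the holder of pk"; the pin ties pk to the author.
    if not secrets.compare_digest(fingerprint(pk), pinned_fp):
        return "reject: key does not match pinned fingerprint"
    if not verify(pk, release, sig):
        return "reject: bad signature"
    return "accept"

def demo() -> dict:
    author_sk, author_pk = keygen()
    pinned = fingerprint(author_pk)          # assumed obtained out of band
    release = b"supercrypto-1.0 tarball bytes (constructed sample)"
    sig = sign(author_sk, release)
    other_sk, other_pk = keygen()            # third party's own key pair
    modified = release + b" plus third-party changes"
    other_sig = sign(other_sk, modified)
    return {
        "genuine": accept_download(release, sig, author_pk, pinned),
        "modified_old_sig": accept_download(modified, sig, author_pk, pinned),
        "wrong_key_sig_only": verify(other_pk, modified, other_sig),
        "wrong_key_pinned": accept_download(modified, other_sig, other_pk, pinned),
    }
```

The `wrong_key_sig_only` case verifies cleanly, which is the commenter's worry: without a fingerprint obtained through a channel the distributor does not control, a valid signature says nothing about who signed.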

  53. Doors of stables and missing horses by B.D.Mills · · Score: 2

    When I think about what the legislators are trying to do, closing stable doors after the horses have bolted comes immediately to mind. How are they going to persuade terrorists to use this form of encryption?

    --

    The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
  54. The Whole Thing Is Ridiculous by Steve+B · · Score: 2

    For the kind of limited-scope communications involved in a terrorist mission (they've already decided the basic plan face-to-face; they only need to coordinate where and when to strike), they can just develop a small set of code phrases. This can be minimized to just two codes -- one for "go ahead" and one for "scrub the mission and meet to discuss new plans".

    --
    /. If the government wants us to respect the law, it should set a better example.
  55. Re:You can't have it both ways. by einhverfr · · Score: 2

    We all know that encryption is hardly used except by criminals and the paranoid. I am not trying to flame people, but it's the honest truth. Personally, I don't use it nor does anyone I know.

    Hmmm... Ever buy anything online? Ever visit your bank online?

    This is not just an issue of privacy. It is simply a very bad idea. What if the next attack involves publicly stealing a large number of checking account numbers?

    The problem is that Congress would be offering the terrorists a new and very damaging weapon-- breaking into our ecommerce transactions... Say goodbye SSL, perfect forward security, etc...

    --

    LedgerSMB: Open source Accounting/ERP
  56. Re:You can't have it both ways. by einhverfr · · Score: 2

    The second is if we convince everyone else to upgrade and hope the terrorists don't hear about it. Then we can construe their use of strong crypto as an admission of guilt. How many seconds of profound thought do you think it will take the next terrorist to figure out to wrap his strongly encrypted messages in a weakly encrypted envelope?

    Or better yet, using classic steganographic principles, using the encrypted message as a key for encrypting a completely innocuous message. How are you going to break that one? Especially when the key escrow has record of your key (which is the actual encrypted message).

    Of course, the obvious solution here is to outlaw all encryption beyond ROT-13/5 (rotate letters 13 places and digits 5 places). OK. Will you ever buy anything online ever again?

    --

    LedgerSMB: Open source Accounting/ERP
  57. Call to arms by einhverfr · · Score: 2

    I say that if this passes, we should make a strong attempt to break and publish (in plain English) how to get at these backdoors. No schematics, no code, nothing that can't be backed by 1st amendment protection.

    Then we can point out that these keys could be used to break into banks, e-commerce, etc. and urge everyone to stop using these facilities in order to protect against terrorism ;)

    --

    LedgerSMB: Open source Accounting/ERP