News.com: Crypto Doesn't Kill - People Do
McSpew writes: "Bravo to News.com for telling the truth about cryptography. They even cited /.'s coverage of Phil Zimmermann's real views on PGP and its possible role in any terrorist acts." On a per-word basis, this may be the best summary of why calls to ban or restrict encryption technology (as with government key escrow, or constrained key sizes) have little to do with enhancing national or world security.
It's quite a valid observation that terrorists can write their own software. I managed to write an implementation of RSA in about a day from descriptions only, and that included writing my own big integers library.
Nuff said.
All for improving the homeland security, of course.
The problem I see is that most people view something that's encrypted as something more tangible. They want to be able to get their hands on it. They assume simply because people want to hide what a message says, it must be bad/evil. I'd like to be able to keep all my info private.
CIA officials just need to find better ways of snooping on people.
I really hate Dan Patrick.
A good article that could be made better by emphasizing the one-time pad cipher.
The one-time pad is a very easy cipher to explain to lay people. They need no understanding of math, not even arithmetic.
Anybody, anywhere can create a one-time pad by simply flipping a coin or rolling the dice, and use the resulting information to encrypt a message that is impervious to all manners of cryptanalysis, even techniques made possible by the much-feared though yet-to-be-stocked quantum computer.
In other words, you can create an encrypted message without encryption software or even a computer, and yet be assured that the message is unreadable by any computer devisable today or anytime in the future.
There should be no debate here. Military-grade cryptography is available to anyone with a penny in their pocket and a sheet of paper and pencil.
We need to stop wasting time talking about this.
Is this truly the only Earth I can live on?
They could post their encryption concerns to a site http://slashdot.af/index.pl?section=askslashdot for instance. But I don't think the Taliban would let them call the intellectual currency "karma."
Inventor of the LOLbalrog meme.
Reread that article, but swap every occurrence of "crypto" with "guns".
Now you know what all the gun nuts were talking about.
It's already been done with handguns - I figured all guns were next, but looks like crypto is next.
(This coming from a geek trying to put it in a language that many marketers, politicians, economists, etc could understand, who actually dislikes most businesses today.)
The simple fact of the matter is that the latest calls for key escrow/backdoors to encryption, just like the ban on exporting 'strong encryption' during the 90's, will in the end only hurt the US.
"Einstein argued that [...] God is not capricious or arbitrary. No such faith comforts the software engineer." ~ Brooks
What about the priority of preserving through logic and appeals to legitimate and justified self-interest the freedoms terrorists would like to destroy with their intimidation attacks? That one suits me.
Great little piece. The bad news is that most of us all here have already been nodding at this argument furiously for so long, migraines are setting in. What this needs is to be disseminated amongst the sheeple in the same carcinogenic manner as half-assed "Nostradamus Predicted this" emails that have filled my box faster than sircam did.
Crypto Doesn't Kill - People Do
The second amendment of the statue of liberty clearly states: "cool guys shall have the unalienable liberty to wield strong crypto in order to insure against the prospect of a tyrannical state." Or at least I think it does, I am not sure as I have been playing Wolfenstein for the last six days in a row and can't be bothered to check.
When crypto is outlawed, only outlaws will have crypto. You can have my copy of PGP when you pull it from my cold dead fingers!
The FBI has found hand-written order letters in the baggage of terrorists.
Is this PGP?
NO!
So why does the crypto=terrorist meme still continue?
Paradoxically, paper letters are a more secure way to transmit information than the internet...
Long ago when PGP was first announced I had a key generated. I had long since forgotten about using PGP until PZ's /. post.
I have since installed and configured PGP and GNU/GPG software on my home and work machines and am making active use of signing my documents. Not only that, I've helped several others do the same thing.
Also, in my crypto-arsenal is OpenSSH which is a godsend to me since I no longer use telnet or ftp services on any of my computers accessible to the internet.
It's not that I worry about who is listening, or why; I have nothing to hide. I know that if someone is listening, they won't get squat out of my communications.
But it's ok to restrict guns.
Why no restriction on crypto?
On the nerdy side of this, how do you implement the key escrow/backdoors onto crypto sw? The above mentioned (I assume) backdoor in government given executables and hidden algorithm (with weaknesses) just wouldn't be possible.
This leaves few chances like weakening strong algorithms by resetting most of the bits in a key or something similar. Is there any other way to achieve a backdoor?
I feel it would be very near (mathematically) impossible to develop a strong algorithm with some serious weakness (the backdoor), which nobody would find.
Isn't that the root of the problem?
/. readers, how are you going to explain crypto to your normal joes on the street (and those folks in power)?
While crypto makes sense to majority of the
Same idea applies to software. Why do the users of our software need a college degree to use it with ease?
My 2 cents.
The security agencies are already checking through most or a statistically useful percentage of the bytes that flow over the US internet, and are characterising it all. Their actions only make sense if they are doing that.
Anyone using encryption stands out; so they write a file on them.
Where they find encrypted data they can't characterise it any further; so they hit a brick wall. But it's not common right now, so they can make a file. However, if everyone on the internet routinely uses uncrackable encryption they can't build a file on everyone.
On the other hand, if they have key escrow they can blow away the encryption on all the legitimate data and they are left with 'illegal' encryption; except presumably terrorists and other malcontents; a much smaller group that they can write files on.
Of course this 'monitor all the traffic on the internet idea' falls down in several other ways. As an example, suppose somebody creates a Quake III server that has some sort of low bandwidth messaging in it, perhaps the player steps left at carefully timed moments or something; the characterisation by the NSA would be, oh it's just another Quake player, when really it's sending an encrypted message as well. [I just made that Quake idea up - it's called 'steganography' in general, hiding encrypted messages in something else.]
Anyway, that's really what's going on. The security agencies are using the WTC disaster as a chance to get their legislation through whilst the going is good. Of course anyone with any sense can evade it, but not every terrorist has sense.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Yet, 90% of you people here think that it's ok to ban or prohibit people from using guns.
Guns don't kill people.. people kill people. You disgusting group of hypocrites.
My girlfriend is studying AUSLAN, the Australian variant of Sign Language. (for the deaf ...) I wonder if it would be possible to use sign language within a game like CounterStrike or Op Force ... use the squad leader giving no/no go signals to spell out a morse code message :)
Play Simon Says in FPS games for world peace goddammit!
One week ago today, I wrote essentially the same thing to my congress people. Here is my letter in case anyone else would like to send it to their congress critters:
------
Honorable Senator xxxxxx,
I am writing to bring to your attention the pointlessness of Senator Judd Gregg's new legislation mandating backdoors in all cryptographic products. I could make many arguments that discuss our civil liberties and the right to be secure within our papers and possessions, but that argument while true and immensely important, is not even required in this case.
Simply put, with respect to strong cryptographic software, the "cat is out of the bag." The world is already full of good, secure cryptographic products with no backdoors. That is the case now, and was PRIOR to Congress' reduction of ITAR restrictions that kept us from exporting strong cryptographic products.
The world is full of smart people many of whom do not work for the NSA, and do not live within the United States. These people in the civilian cryptographic world are constantly researching and developing new cryptographic techniques, which Senator Gregg's legislation WILL NOT AFFECT. No matter how many laws you pass, NOTHING will keep the BAD GUYS from being able to download this cryptographic software from European and other web sites.
If Europe latches on to Senator Gregg's idea of mandating backdoors in all cryptographic products, then the people who want to use cryptographic products with no backdoors will simply write their own, or copy VERBATIM the computer source code for strong cryptographic software that already exists in many hundreds of published books.
Allow me to quote Bruce Schneier, perhaps the United States' leading civilian cryptographic expert:
"To illustrate the ease with which a cryptosystem can be implemented, I present the full code necessary for establishing a secure cryptographic channel over the internet, called the Diffie-Hellman Key Exchange. Both people communicating do the following:
"1. Get public key (Y, P) of the other person. This is just a pair of large numbers.
"2. Raise Y to the power of X, where X is the private key, modulo P. The result is the secret key.
"Modular arithmetic is taught to fourth-graders under the name 'clock math,' and secret-key cryptosystems are just as easy to memorize and implement as public-key systems. I could teach any twelve-year-old how to reproduce from memory in under fifteen minutes a strong cryptosystem on any Windows machine. Any terrorist is quite capable of doing the same."
This speaks volumes about the current state of cryptographic software in the world today, and the ease with which it can be implemented.
If Senator Gregg's legislation is passed, it will have ZERO effect on the people who DO have things to hide from you, and will only harm the innocent citizens of the United States who wish nothing more than to ensure that their banking records and private email conversations remain truly private.
Regards,
-----
Rich...
Ignore Alien Orders
In terms of keys, I believe 512-bit keys are no longer secure, as someone found all the primes needed to break any 512-bit pub/pri RSA key, and several others. I however can't remember the reference, so don't shoot me if I got something wrong.
I suspect that it's a majority, but I doubt it's anything like 90 percent. Besides computers, a lot of people who read slashdot have other interests, and I've seen enough related comments to know that this occasionally includes guns.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
In the case of PGP you could use an additional public key, which belongs to the secret police.
Any message that's being encrypted will be encrypted with the recipient's AND the escrowed key.
Software that allows messages to be encrypted with only the recipient's key is outlawed then. (and only outlaws have privacy, oh yeah)
What I want to know is do any of these Congressmen realize that maybe, just maybe encryption is used for some legitimate purpose. I don't know, like... e-commerce? Online banking, shopping, etc all rely on good encryption to keep those Congressmen's credit card details safe from crackers. Even a small back door would be cracked wide open in a very short amount of time.
Plus the current encryption technology is scalable. The terrorists could just modify the old software if needed and use it. Outlaw something and only the outlaws will use it! The only thing that will be achieved is the crippling of legitimate stuff, like e-commerce.
But I'm preaching to the choir here. I just hope other News sites follow News.com's lead and not the Washington Post's.
I know this is slightly off topic, but can someone explain to me why you can't decrypt from the public key and the encrypted data? I was taught in maths that any mathematical expression can be modified to find lost values, so if the public key is good enough to be used with the expression to encrypt the data, and if you know the expression and the public key, then why can't you turn the process around? I'm confused :) I'm one of those that takes this stuff just to work :)
Support your right to Encrypt Bears!
Keep honking, I'm encrypting.
Krispy Cream is people
After all, the Feds can install keystroke loggers on your 'puter, or they can call out a van full of TEMPEST equipment. The keystroke loggers require agents to physically enter the premises, which obviously requires a warrant. As for the TEMPEST equipment, no precedent exists AFAIK, but the ruling regarding thermal imaging may be helpful.
Ooh, moderator points! Five more idjits go to Minus One Hell!
Delendae sunt RIAA, MPAA et Windoze
It would be more sensible to assume most terrorists aren't so sophisticated. But, in that case, they wouldn't depend on computers for encryption. They would use code phrases, one-way pads, and many other methods that do not depend on computers.
In the end, the people most affected by encryption limiting laws would be common middle-class citizens in the developed nations, people who do on-line shopping and banking, or who use credit cards for any purchases. Remember, you don't need to do any on-line shopping to be vulnerable if your local shopkeepers keep your credit card numbers in vulnerable computers.
Now there is finally someone who understands the gun issue... Oh wait, this article is about encryption!
I do everything the voices in my head tell me to...
"You can have my copy of PGP when you pull it from my cold dead fingers!"
.sig! (RSA algorithm in 3 lines of perl)
. .) *)$/)
And you can have my PGP passphrase when you pry it from my cold, dead brain.
Don't forget folks, The export-a-crypto-system
#!/bin/perl -sp0777iX+d*lMLa^*lN%0]dsXx++lMlN/dsM0j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((
For more info, see http://www.cypherspace.org/~adam/rsa/
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
One thing I find interesting is that these terrorists could have just as easily used cleartext email to distribute their logistic plans. Couldn't they have just had a predetermined language, and the actual emails would have looked as innocuous as someone writing their friend to meet somewhere?
Let's meet at 7:45 in front of the Arthur Anderson school on the 11th
Translation: You will overtake American Airlines flight 745 on the 11th
That would look totally benign, yet be the actual trigger to the event. No crypto needed!
What is scary about this U.S. government talk of not allowing secure encryption is that it is working so well. Even the intelligent, educated people who comment on Slashdot (Don't joke about this, it's the truth.) are being led completely away from the real issue.
The real issue is that they are trying to get you to accept that you have no right to privacy.
The really important matter is that the U.S. government is trying to get you to accept the principle that it can spy on you. They know they will lose the encryption battle.
Do you ever have the right to privacy? If there is a single case in which you have the right to privacy, then you have the right to encryption, because you need it for that case.
From the article, What should be the Response to Violence? :
"The U.S. government has three separate, very large agencies that function as global secret police: The FBI, the CIA, and the NSA. The first two are authorized to kill other people. These agencies are secret in two senses: Their activities are hidden from the people of the U.S., even though the U.S. is a democracy. They also have secret budgets. These agencies function everywhere in the world, including inside the U.S."
It has somehow been established that U.S. citizens will accept that they cannot be told about either the activities or the budget of the secret "national security" agencies. Clearly, if they did know, and if they had a chance to vote, most citizens of the U.S. would vote against many of the activities. However, U.S. citizens are not allowed to have enough information to make an informed decision about the secret agencies.
Bush's education improvements were
Why don't we petition MTV to have a clay death match between Bruce Schneier (the guy that wrote Applied Cryptography), and John Ashcroft (the evil government guy that wants to take away your rights). I think it would be hilarious, and it would send a msg to Mr. John Ashcroft that he has got to be joking about his stupid law proposal.
Heck, didn't they once do David Koresh (the wacko in Waco), and Janet Reno?
Not to be too off topic, I use ssh, and my old 2.6 pgp everyday... so I would be the first to go to jail on key escrow, or the first to send email to my friends in Germany using keys stronger than 2^8 (more like 2^128 at least)..
It isn't a lie if you believe it.
I haven't been following these topics lately, and maybe I sound redundant, but can anyone tell me how on earth did people get the impression that terrorists used the internet for communication? And even if so, why on earth would they be using our standard protocols instead of their own protocols with 2^1000 0000 bit encryption???
Don't quote me on this.
Crypto is an IDEA. You can ban a real, material item that kills people, you can't ban an IDEA. You may as well ban people's thoughts of killing other people. When you can make a gun out of thin air by sitting in front of a computer coding for a few minutes, then I will agree that you should ban Crypto as well.
Steganography.
Steganography.
Steganography.
Fire anti-lameness filter torpedoes...
We've had cryptography and steganography since back when messages were tattooed on the tops of soldiers' heads and run between camps. The public has been sending secret messages long before it was rendered legal for them to do it, and they will continue long after it is rendered illegal again.
:)
Language has always had two purposes: 1. To aid in communication with those you like, and 2. To hinder communication with those you don't. Otherwise, we would probably all be speaking in the same tongue or dialect. Even if these laws are passed, sending secret messages will always happen, and crypto/stego are too great a tool to be just thrown away by the people.
Use of GIF images to send secret messages is one obvious way to make your message invisible or even undetectable. Encrypting that message against any commercially available CD image would be even more useful. Any attempts to circumvent that encryption would result in extracting a CD image, and that's a DMCA violation.
"Look at me, I invented the stove!" -- Ben Franklin
You write as if a "real, material item that kills people" is necessarily bad. If so, ban cars. Ban alcohol. Especially alcohol since, IMO, it has no redeeming qualities. Crypto and guns are both just tools which can be misused. Naive people who don't want to be shot think giving up guns they don't have will make them safe. Thinking people who don't want to get shot understand that the way to make that not happen is to protect yourself. That false sense of security feels so good people are willing to wrap themselves in it and ignore reality.
I thought it was strange seeing a van from Flowers By Irene, and then another one, parked in the same spot, from Frederico's Best Italian.
(:( I just slaughtered a Simpson's quote. I feel shamed.)
They wouldn't, anyway, because we're a bunch of overweight slobs who can't be inconvenienced to waddle down to the polls.
:P
Sad but true, we don't give a damn. Even when big things (IE, DMCA, Encryption, whatever else) are set down on the line, we just sit on Slashdot and bitch about it.
Voting only works when people vote.
I think this whole tragedy just proves that we need stronger laws against crypto. I think we also need stronger gun control laws now as well after this tragedy to prevent similar attacks from happening in the future. Because we all know that crypto kills people just as much as guns do.
(Before you flame realize that I am being completely sarcastic!)
...the United States military uses encryption every single day to save thousands of lives. How do you think these soldiers in the field talk to each other, relay coordinates, maintain anonymity in foreign lands to stay alive? That's right class, strong encryption!
It's ok to implement backdoors in the publicly available encryption, but oh, this little stuff we use over here in our military is classified, you can't see it, and we can't even tell you we use it.. But here's a 200 page document, all conveniently highlighted in black marker, that explains everything you need to know about it.
All of these politicians and gubbermint officials supporting this type of intrusive "anal exploration" of our freedoms need a brain exam.
dd if=/dev/urandom ibs=256 count=1 | uuencode binladen.msg
is a criminal act? 'uuencode' may not be strong crypto, but it's still crypto...
(Damn! I like that "Gestapo Key" notion!)
If their ONLY purpose was to KILL people.
There are some reports, that I can't confirm, that say that the trigger for the attacks was the assassination of the leader of the Northern Alliance (Taliban opposition). This would make sense as he was killed two days before the attacks by Taliban suicide bombers posing as journalists. The camera exploded! The whole operation could have been planned months in advance with absolutely NO contact between the terrorists, encrypted or otherwise. Once again I can't remember where I read this but I'm pretty sure it was CNN. Anyone else heard anything?
Crypto is not a weapon. It's a form of privacy. Comparing it to weapons is like comparing apples to bmw(s). Weapons are meant for killing, crypto is meant for privacy. There is an ongoing governmental idea that citizens are to blame for everything. How is that so? When people restrict your rights or are trying to at least, that gives a strong message that they don't think you deserve them/will misuse the freedoms. If you talk to a senator that is for restricting crypto, any argument he'll use is that everyone is a potential terrorist and that the gov't (big brother) will need to keep an eye out on that person to make sure they don't do anything wrong. Most people would agree since their automatic response is "well I don't do anything wrong, why should I care?". But the underlying issues are "There goes my privacy". While most people are willing to take steps to prevent what happened at 9/11, they don't know what steps to take. You think by listening to the scapegoating done by congress any progress will get done? This is politics people, it's all based on promises and no follow-through. Though I'm preaching to the choir, this has to be repeated so that it sinks in.
Though most people think that this issue is just like guns, please let me explain why it's not. Guns don't kill people, people kill people. Back to my issue with backdoors in cryptos, if you think the gov't will use this only in terrorist cases, well first think about what is the definition of a terrorist according to the gov't. It's considered to be anyone who's against the gov't, and trust me, there are lots of people. Just look at other times this has happened (backdoor in encryption proggies in other gov'ts) and France is the tell all. It didn't work there due to corruption and it won't work here. Whether the gov't spies on people and puts them in jail for any small infraction or business secrets get sold to the highest bidder, it doesn't make it right. That bundled with the fact that the use of stenography and encryption is overrated in terrorist organizations, you have to wonder if another agenda is behind this, even if the agenda is the advancement in a political career. And if it is, it's a goddamn shame that politicians use disasters like this for their own gain. What happened to illegal searches and seizures? That's been thrown out the door and isn't even a topic. I'm not talking about airport security, but people searching others at malls and whatnot. It's wrong. I want to know who'll be the voice of reason in these troubled times and yell out "We will not let the acts of these cowards to change our lives that we take for granted".
... therefore relative to recent tragedies things are going to be hot for a while. Live with it. At least it's just a portion of your civil liberties that's being sacrificed. Think of your citizen soldiers putting their lives on the line in response to the tragedy in defence of liberty.
... therefore relative to recent tragedies things are going to be hot for a while. Live with it. At least its just a portion of your civil liberties that's being sacrificed. Think of your citizen soldiers putting their lives on the line in response to the tragedy in defence of liberty.
'Buck-up buddy, things are-a chagin. We're not in Kansas anymore!'
- D-4-D3m0cracy!
The most advanced form of communications technology used in these attacks that I've seen released, was a handwritten letter, photocopied and distributed to the terrorists.
Let's demand funding for posting federal marshals at every photocopy machine.
That would help Americans feel safe again.. Yeah.
No discussion of technology's role in the terrorist attacks against New York and Washington is complete without also addressing the destructive role played by Microsoft and the BSA ( http://www.bsa.org ) in holding back third world economies and thereby increasing hatred for the United States.
Third world countries are forced to send dollars they cannot afford to spend to the United States (Microsoft) to gain and maintain admittance to the world economy -- or face punitive action.
If you can't feed your kids because you have no money, and the cash strapped company or agency you work for can't pay you more because they are paying ransom to Bill Gates so that they can continue to communicate and participate with the industrialized world...
Microsoft and the BSA are helping to fan the flames of hatred against us. Perhaps they are not identifiable factors in the latest round of terrorism, but next time?
So if you keep making suspicious remarks like that it won't be long before the black vans arrive in the dead of night to drag you away, and your neighbors pretend to hear nothing when you scream!
:)
That messaging scheme requires that both parties already have prior knowledge of what kind of messages are going to be sent, so they know what to look for. Really it's just a small memorized one time pad. You cannot send completely new messages that way.
No, it wouldn't, because of the way PGP encrypts messages. Public-key crypto is slow, while many private-key algorithms are much faster. So, when encrypting a message, PGP creates a random key, and uses that key to encrypt the plaintext with a conventional, private-key cipher (CAST, IDEA, 3DES, Blowfish, etc.).
Then, once the message is encrypted, PGP encrypts that random key (the "session key") with the recipient('s|s') public key(s), using a public-key cipher like RSA. This allows you to encrypt a message for multiple recipients without needing a separate copy for each recipient (which would be required if the whole message were encrypted with a public-key cipher).
PGP has included a similar feature in its corporate version for some time, calling it the "additional decryption key". The idea is that it would be set by the admin in a site-wide installation, allowing messages to be recovered if one party couldn't remember his passphrase or some such thing.
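The session-key arrangement described in the comment above, as an added example that is not part of the original post and is not PGP's code: the message body is encrypted once, and each recipient (plus an optional additional decryption key) gets only its own wrapped copy of the session key. Textbook RSA on constructed Mersenne primes and a SHA-256 keystream stand in for the real public-key and conventional ciphers; all names are assumptions.

```python
"""Toy model of hybrid encryption with an additional decryption key (ADK).

Illustration only: unpadded textbook RSA and a hash-based keystream are
stand-ins chosen so the example runs with the standard library alone.
"""
import hashlib
import secrets

E = 65537
# Constructed toy primes (Mersenne primes); real keys use large random primes.
P61, P89, P107 = 2**61 - 1, 2**89 - 1, 2**107 - 1
P127, P521, P607 = 2**127 - 1, 2**521 - 1, 2**607 - 1


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for textbook RSA on primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def keystream_xor(key, data):
    """Stand-in conventional cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt(plaintext, recipients, adk=None):
    """Encrypt the body once; wrap the session key once per key holder."""
    session_key = secrets.token_bytes(16)
    body = keystream_xor(session_key, plaintext)
    targets = dict(recipients)
    if adk is not None:
        targets["ADK"] = adk          # the escrow holder is just one more recipient
    k = int.from_bytes(session_key, "big")
    wrapped = {name: pow(k, e, n) for name, (n, e) in targets.items()}
    return {"wrapped_keys": wrapped, "body": body}


def decrypt(message, name, private_key):
    """Unwrap this holder's copy of the session key, then decrypt the body."""
    n, d = private_key
    k = pow(message["wrapped_keys"][name], d, n)
    return keystream_xor(k.to_bytes(16, "big"), message["body"])


def demo():
    alice_pub, alice_priv = make_keypair(P61, P127)
    bob_pub, bob_priv = make_keypair(P89, P107)
    adk_pub, adk_priv = make_keypair(P521, P607)
    text = b"Quarterly numbers attached."          # constructed sample message
    recipients = {"alice": alice_pub, "bob": bob_pub}
    plain = encrypt(text, recipients)
    escrowed = encrypt(text, recipients, adk=adk_pub)
    return {
        "holders_plain": sorted(plain["wrapped_keys"]),
        "holders_escrowed": sorted(escrowed["wrapped_keys"]),
        "body_len_plain": len(plain["body"]),
        "body_len_escrowed": len(escrowed["body"]),
        "bob_reads": decrypt(escrowed, "bob", bob_priv),
        "alice_reads": decrypt(escrowed, "alice", alice_priv),
        "adk_reads": decrypt(escrowed, "ADK", adk_priv),
        "text": text,
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(field, "=", value)
```

The body length is the same with and without the extra key; the only change is one more wrapped session key, and whoever holds that private key reads every message sent under the policy.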
Though I agree with everything you said, the fundamental problem goes a bit deeper than privacy.
The full underlying cause of this is nationalism and the belief that the State is an almost divine entity that will protect you from all ills provided you play by its rules.
History shows that this is a fool's bargain. Any state--and yes, flag-wavers, that includes the US--is *designed* to limit your freedoms for the "greater good". While this works for a great many people indoctrinated to accept the definitions the State provides for "freedom" and "democracy", it is not, nor has it ever been, a complete solution for people in the world, and *much* has been done in the name of the State--like much was done in the name of God before it--that is simply hateful and evil.
Allegiance to the State, a belief that the State is all, that you should be proud to be part of the State, happened in Germany in the 1930s, and it appears to be happening here. Based on some of the troll posts here, you just have to substitute Arab for Jew, and you have the basic plank of the Nazi party flying in full colors.
How does this relate to crypto? It doesn't really at all--that's the point. But, if we're really trying to make a connection, then there's the tenuous observation that crypto is math, and knows no allegiance to State, which has no allegiance to you, meaning that Crypto is like the State in that it is an abstract concept without any feeling or allegiance to anyone or anything. The major difference between Crypto and the State is that the State is established, has full access to social control mechanisms, and panders to people's senses of belonging while Crypto is simply math that individuals can use to keep pieces of themselves from the State and unto themselves.
It is natural that the State--which *fully* seeks the totality of National Socialism, and now has the capacity to make _1984_ look like a Disneyland ride--would seek to abolish the one tool that can put an individual on equal footing with it. It's up to *us* to drop our allegiance to one abstract concept and rally our efforts around the other.
I'll leave it up to you to decide which way the wind appears to be blowing.
"The more corrupt the state, the more numerous the laws."--Tacitus, The Histories
Cryptography doesn't kill, it is merely a useful tool. Steak knives are useful tools too, except in the hands of a rare few.
If a guy gets stabbed in a dark street by a crazed kitchen-knife-wielding person, steak knives would not be outlawed, would they?
Most people (in the US) have been taught to be afraid of math (or any other intellectual pursuit) by our oh-so-wonderful public schools. (Times table drill with flashcards, anyone?) To say "it's nothing but math" is equivalent to saying "you have no hope of understanding it" for most people - especially for all the liberal arts/BA/lawyer types that form our elites.
An esoteric scratched itch:
Homeworld Map Maker Tool
Maybe I don't understand how key-escrow works, but if you build a backdoor key in your encryption system, how long do you think you can keep that key secret? Distributed.net cracked rc5-56 after 250 days in 1997, and if there was a 2nd master key wouldn't they have found it as well? Given the amount of time it takes to develop and distribute a new cryptographic system, it seems insane to consider doing it every other year since your backdoor keys can be retrieved in an exhaustive brute force crack. Instead of keeping the government on top of everything, it would simply stop everyone from using state sponsored encryption algorithms, and plunge the spooks into complete darkness.
Imagine you wanted to send a locked box to somebody, how can they open it? And stop anyone else opening it in transit and not let anyone else see your key to the padlock. Simple, you padlock the box and keep the key. Send the box to the recipient. Your recipient then puts another padlock on the box and sends the box back to you. You remove your padlock and resend the box back. And the recipient removes their padlock. The upshot is: the box has been locked the whole time in transit and nobody has seen your key or the recipient's. Using this concept with a file is simplicity itself. Take a file and multiply each byte by a number only you know. Send the file off to the person you want privacy with. That person then multiplies each byte by a number only they know. They then send it back to you, you then divide each byte by your secret number and resend it, your recipient divides each byte by their secret number, voila file decoded. I fail to see how a back door can be made. Or how such a simple idea can be kept a secret.
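The padlock exchange from the comment above, worked through as an added example that is not part of the original post: with plain multiplication as the lock, the three messages on the wire are enough to recover the file with no key at all. The second half goes beyond the comment and uses modular exponentiation as the lock (Shamir's three-pass protocol), where the same arithmetic no longer cancels. The function names, sample message and the toy modulus 2^127 - 1 are assumptions.

```python
"""Three-pass ("double padlock") exchange: multiplication vs. exponentiation."""
import math
import secrets

P = 2**127 - 1   # constructed toy prime; P - 1 is smooth, so not a safe real-world choice


def three_pass_multiply(message, a, b):
    """The scheme as described: each side multiplies, then divides, every byte."""
    c1 = [m * a for m in message]      # sender -> recipient   (sender's lock)
    c2 = [c * b for c in c1]           # recipient -> sender   (both locks)
    c3 = [c // a for c in c2]          # sender -> recipient   (recipient's lock only)
    received = bytes(c // b for c in c3)
    return received, (c1, c2, c3)


def recover_from_transcript(c1, c2, c3):
    """What the wire traffic alone gives away: (m*a)*(m*b)/(m*a*b) = m.

    A zero byte stays zero in all three passes, so it is recovered directly.
    """
    return bytes(0 if z == 0 else (x * y) // z for x, y, z in zip(c1, c3, c2))


def random_exponent():
    """Pick a secret exponent that has an inverse modulo P - 1."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e


def three_pass_exponent(message):
    """Shamir's three-pass protocol: the lock is m -> m^key mod P."""
    m = int.from_bytes(message, "big")
    if not 0 < m < P:
        raise ValueError("message must encode to an integer in 1..P-1")
    a, b = random_exponent(), random_exponent()
    c1 = pow(m, a, P)                          # sender's lock
    c2 = pow(c1, b, P)                         # both locks
    c3 = pow(c2, pow(a, -1, P - 1), P)         # sender's lock removed: m^b
    received = pow(c3, pow(b, -1, P - 1), P)   # recipient's lock removed: m
    return received.to_bytes(len(message), "big"), (c1, c2, c3)


def quotient_trick_mod_p(c1, c2, c3):
    """The same product/quotient applied mod P yields m^(a+b-ab), not m."""
    return (c1 * c3 * pow(c2, -1, P)) % P


if __name__ == "__main__":
    msg = b"hello, Bob\x00!"                   # constructed sample, includes a zero byte
    got, wire = three_pass_multiply(msg, 7919, 104729)
    print("recipient reads:", got)
    print("observer reads: ", recover_from_transcript(*wire))
    got2, wire2 = three_pass_exponent(b"hello, Bob")
    print("recipient reads:", got2)
    print("observer's trick gives m?",
          quotient_trick_mod_p(*wire2) == int.from_bytes(b"hello, Bob", "big"))
```

With exponentiation an observer is left with a discrete-logarithm problem, and neither variant authenticates the other party, so the exchange still needs protection against someone answering in the recipient's place.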
From the article: "Once surveillance tools receive legitimization, who can guarantee that they'll always be used in enlightened ways by an administration in, oh, how about the year 2084?"
This is a good point. I'm glad someone finally pays attention to what's going on. Each standalone piece of legislation eventually gets combined into something larger when newer legislation is added. Rarely if ever is any legislation removed. The end result is that the government can only increase its power, decreasing that of its people. We can talk all we want about passing laws, like encryption backdoors, national ID cards, etc. The problem is that most people understand how these laws affect their lives now, but they don't extrapolate and try to picture the future. Furthermore...
From the article: "The competitive angle: If U.S. companies are forced to play by these rules, rest assured there are foreign companies aplenty that will get around the Americans' export ban."
... You can't say that the encryption won't be cracked. Where there's a will, there's a way, and the backdoors will eventually be cracked. It's only a matter of time. Crackers (and foreign companies) will continue to use unencumbered encryption, while accessing our communications through the backdoors. The whole scheme sounds great from our law enforcement's point of view, but will actually make us much less secure. Imagine financial, legal and medical information getting into the wrong hands. (Besides, you don't honestly believe the government will use the same weak encryption as we will, do you?)
To make a long story short, as with any technology and knowledge, encryption can be used for good or evil. Chances are, most everything is used mostly for good. We shouldn't punish our entire country because some jerk-off from Wastelandistan may have used encryption.
Doesn't work. As far as I remember the news reports, the tickets were mostly bought a while before the attack, and they were bought over a period of a few days. If there was such a trigger event, it was something else.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
If I understand you correctly and you're saying that crypto isn't common right now, that's not true. Salespeople around the US have been selling Virtual Private Networks (VPNs) to companies for a few years now, and these encrypt all traffic between a company's sites. While there almost certainly is still much more unencrypted traffic on the net than encrypted traffic, encrypted traffic is far too common for the government to be building a file on every instance they encounter.
Many lawyers use encrypted email because of legal precedent which makes email less legally "privileged" than say a phone conversation.
Then there are all the /. nerds using SSH to talk to their servers. Do you think the FBI or NSA has a file on Shoeboy?
Everyday use of encryption is a lot more common than you might imagine.
Except that all you need to do is doubly-encrypt your messages - first with strong crypto, then with government-approved crypto. This can't be detected without going through the legal process of obtaining a key, so widespread scanning for non-approved crypto will only turn up the conscientious objectors and a few really dumb folk. Then again, some people say stupidity should be a crime...
All this backdoor nonsense is simply a ploy to shorten the processing time on the supercomputers to crack it. Save a few billion dollars here and there in computation time.
Couldn't agree more. Get a LIFE people! We have much bigger things to worry about than crypto!!!
If any of you "hacker" types actually cared about other people you would understand what really happened on Sept. 11 and pry yourselves from your monitors and join the real world. There's more to life than spending all of your waking hours in front of a computer!
To really drive the point home about how hard it is to factor these big numbers, check out the prize list for The RSA Factoring Challenge. If anyone doesn't believe that it's difficult, well, there's a total of about $635,000 waiting for the person who can prove that it's not!
People who have never fired a gun are more likely to demonize guns. People who have not beneficially used cryptography are more likely to support restrictions on crypto.
When I was a child, I was trained to fire a .22 rifle. Therefore, I am permanently in the pro-gun camp. I could come up with lots of "reasons" but the real reason is experience. Likewise, most religious people follow the religion in which they were raised.
As for sanity checks, what's the point? Accidental and criminal shooting far outnumber shootings by insane people. It's just that the media gives more play to "loony kills 20" than to "drug dealer shoots another drug dealer, again."
email without encryption == postcard
email with encryption == letter in envelope
banning encryption == banning envelopes
That's the condensed version of the letter I sent to my representative a while back, and would send to my Senators except for the unfortunate fact that I'm in Texas.
73 de N5VB (ex-KD5BIV) AR SK
So you have a backdoor to all encryption: in 2005, Osama Bin Laden II has managed to crack the back door -- but he doesn't tell anybody, because that would undercut public confidence in the cryptosystem. Instead what he does is eavesdrop on 'secure' conversations, and mess up financial transactions for the next year or 3.... until people realize what's going on, and trash the back doors.
At that point, we're back where we started from -- except for the fact that we've had a few years of badly compromised commerce and communications.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Ok, everyone that is using encryption seems to have their panties in a twist over this. My question is, why? Why, just because you decide you want to use encryption, should you be given any more protection than those who don't?
Assuming that the government has an infinite number of monkeys, does the fact that it is encrypted really matter? All encryption is adding is complexity to the equation. In Big O terms, some constant, which can be dropped.
Quite frankly, I can care less whether the government *can* look at what I do, the real question is under what circumstances are they allowed to do so. Let them be able to look at anything they want as long as they have a court order saying that they are allowed to do it. This is a privacy issue that has nothing to do with whether it happens to be encrypted or not.
How is this any different than saying, 'I correspond with my friend in Japanese because most people in the US don't understand it and I feel safer that way. How dare the US government employ Japanese linguists who can understand it.' I really don't care if they can read it, the real question is should they read it. Everything else is just technology, which isn't a good basis to use for reasoning.
Bottom line, do I care that they can decrypt anything that they want? No. Do I care that they want to do so without a court order? You bet I do.
Sure, let's put backdoors on all our encryption so hackers can find out how to get in. Smart move. And you know, if you make a gun not fire when a terrorist holds it, he'll just go get a different gun. Meaning, if you make encryption open for snooping, they'll just employ someone to write an encryption program that isn't open. Hell, how many encryption algorithms are known right now? If they put a back door in the software, that does not affect the algorithm; the algorithm is still secure. What is all this submitting keys to the government crap, what terrorist is going to be so much of a moron to use a key he gave to the government? This is all a bunch of MOO POO!
Try the bombing of Laos and Cambodia to the tune of 2 million deaths by the US during the Vietnam unpleasantness... Attacks against sovereign nations on their own soil. If you feel so strongly about a one hour attack on NY and six thousand dead then I would hope you would feel at least as strongly about your responsibility in millions of deaths around the world in the protection of 'American Interests'.
I suggest you get your priorities straight..
Not knowing much about these things I found a document from somewhere describing the ADK stuff. The problem seems to be all the necessary trouble while encrypting, which doesn't make it a backdoor really. If you "forgot" to use the ADK feature there wouldn't be a "backdoor" anymore..
So, while this was a good idea, it wouldn't work unless the usage of some second key was somehow built-in into the algorithm itself, unavoidably and unknown to the users. The original question still remains open; what kind of backdoors are technically possible in the real world usage that wouldn't be either found out and defeated by hackers or wouldn't render the method too insecure to be used seriously by anyone (clipper, crippled DES and others, whatever..)?
Of course there has always been some speculation about the NSA knowing certain weaknesses in various algorithms, but even if they did, it wouldn't make wide spread usage of yet-to-be-developed future encryption methods "backdoorable"..
Many of the guns=crypto arguments I am reading here have one fatal flaw:
Most people understand they do not have the right to point a gun at a cop or a federal officer. So why would those same people think they have the right to use crypto when the feds have a need to know?
Don't get the wrong idea. I don't like the idea of having my personal data searched without a search warrant. But you need better logic than bastardizing the gun ownership argument.
Same thing applies with cars, planes, trains.
Thing I'm really ticked off about is the title of this article..
On a per-word basis, this may be the best summary of why calls to ban or restrict encryption technology (as with government key escrow, or constrained key sizes) has little to do with enhancing national or world security.
I'm a NRA member, I own a car. Guns and cars can be dangerous things, especially in the hands of the wrong people. The thing I don't like about the quick blurb at the top is.. "restrict encryption technology". Restrictions are in place for our own safety. An all out ban will never happen but we do need ways for law enforcement to go after the bad guys. Government phone taps do not bother me because I know the only reason the .gov would want to tap my phones is if I were doing something bad (drug deals, white slavery, anything).
We all need to start accepting the fact that America is tightening its belt. It's time we all started using the internet responsibly.
--toq
~~moderators note* Posted with my real account because I take responsibility for my opinions, even if they get a -1, unlike anonymous karma whores.
"We are facing an enemy like we've never faced before, we can't see him, we can't bomb him. and[...]"
He's right, and to make every computer-illiterate American feel safe, his administration pointed a "tangible" enemy on which they can "look like they can do something about it".
Too bad they are forgetting that people can now use the net if they want to find out about stuff they don't understand fully. And besides, even if you're flipping burgers, you can understand that there's a shitload of material already available to build a safe encryption mechanism with what's on the net.
Talk about shooting in any directions. I'd feel much safer knowing they've caught the leaders of all the known terrorist groups, and that people increase the immigration security/background check.
--- Metamoderating abusive downgraders since my 300th post.
"At least its just a portion of your civil liberties that's being sacrificed"
Well, there goes another one. And now that we don't have privacy, what about cruel and unusual punishment? That's got to go too. How about freedom of speech? The right to express an opinion that the government is wrong?
Cryptography will soon be doublethink (the Party can use it to keep us secure by not allowing us to be secure). Anything else is Newspeak.
"I think he was truly surprised at how little I cared about how big a market the Mac had" - Linus on Jobs
As far as I can see, *email* encryption really is what the general media and the politicians do think the argument is all about. Because so far only a small fringe minority use encrypted email, the pols think it will hardly be missed; and besides, the obsessive secrecy probably indicates that the users are up to no good anyway.
The idea of *channel* encryption probably doesn't even cross their radar. But 'alienmole' is absolutely right: the most widespread and important use of encryption at the moment is *not* email; it is the use of ssh and friends to secure public channels. And the reason these are so important is obvious -- and probably much easier to explain to the public -- in these days of crackers and virus writers: you really don't want anyone to be able to break into your channel, and interfere with your remotely-controlled telescope or heart operation or hack into your corporate network or whatever.
The case for SSH is much easier to make than the case for PGP, because of its demonstrable real-world importance. If we can move the debate towards channel security, away from email security, it will be much easier to win.
But of course as soon as two people can ssh into the same box and talk to each other, the banning of any other uses of encryption starts to look pretty irrelevant.
Not just write their own, there is a heap of good working encryption stuff, including steganography, available outside the USA for essentially no effort. The effect of outlawing encryption (or legislating key-escrow) will be to leave ``real'' encryption only in the hands of the terrorists and other outlaws.
The gun people have a saying ``If guns are outlawed, only outlaws will have guns.'' They're right, in a general sense, but this catch-cry is a two-edged sword. If guns (or truly secure encryption) is outlawed, ordinary people who must use them for their reasonable daily business will be, by definition, outlaws.
The idea of laws scaring terrorists is unbelievably stupid, thick, dumb, brainless, naive, irresponsible and many other bad things. It reminds me of the locality which has a $500 fine for detonating a nuclear explosive within city limits. If the cost of your terror mission against ``the great satan'' is your own life and the lives of many others what difference is the threat of a fine or jail term - or for that matter even a death sentence - ever going to make to you?
Got time? Spend some of it coding or testing
Yabbut if a properly-encrypted message is indistinguishable from noise, isn't the only way you can tell if "authorized" software has been used is to try to decrypt it?
So the FBI/NSA/DOD/whoever winds up decrypting everybody's messages and reading all of them... "just to make sure that authorized software was used," of course!
Crypto is used by the government and militaries worldwide, as a matter of course, since ages. What's the big fuss about? Corporations also use it to protect confidential data, R&D, competitive bidding for contracts and the like. Maybe some political activists in China or N Korea.. or even terrorists in Pakistan and UK. What's new about these things? Does the NSA even care about Mr Joe Sixpack fooling with encryption?
I have always found the U.S. government's logic behind export restriction of strong encryption to be specious at best (say that five times fast...). To paraphrase: if we prevent all strong crypto originating in the U.S. from leaving its borders, we will therefore prevent strong crypto from existing elsewhere, as the United States maintains a monopoly on mathematics, and no non-U.S. mathematician could possibly be as clever as that.
If you were to browse the bookshelves of an arbitrary math grad student, I'm afraid that you'd find many of the texts' authors are not U.S. citizens. Mathematics knows no political boundaries.
... a governmental act will never stop software development. I'm Brazilian and I've implemented an rfc2440 compliant crypto system with some colleagues. All from scratch. If we could do this, why couldn't anyone??
Well, usually I am, but this was totally true. RSA is quite a simple algorithm really. It's only a few mathematical operations that can be described in a single line in mathematical notation.
I hate to AOL here, but I've always been a supporter of the 2nd (and the wholeness of the rest of them) amendment, as well as encryption, ever since talk of banning it started being tossed around by the clueless in power. They don't realize that they can't ban encryption in Afghanistan or wherever this stuff is going on, and there are plenty of ways (as stated above) to make strong encryption look weak. It's as the old saying goes, updated to fit the times, "if you outlaw encryption, only outlaws will use encryption."
Still, the idea of some sort of trigger is clever. Whatever it may have been, if they used one, it would have meant that there were no phones to tap, no secret encrypted messages to crack, etc. Hell, the last time they talked to one another could have been two years ago while they were still in Afghanistan. Very low tech and very effective. Scary.
The gun people have a saying ``If guns are outlawed, only outlaws will have guns.'' They're right, in a general sense, but this catch-cry is a two-edged sword. If guns (or truly secure encryption) is outlawed, ordinary people who must use them for their reasonable daily business will be, by definition, outlaws.
And if a new Gestapo were ever to go door to door and confiscate all guns, they might as well confiscate all machine shop equipment, too, since gun barrels, parts, etc. can be fabricated at machine shops. You think thousands of computer programmers getting laid off from their dot-bomb jobs slowed the economy? Imagine how fast and hard America's economy would crash if no machine shop work could be done.
If strong encryption were outlawed and the new Gestapo were to tap communications and discover an algorithm they can't break, they won't bother feeding it to a new Colossus to try and crack it, they'll simply kick the door in, and confiscate all computers. But it's too late, the message has been sent. Essentially what they did was to take the machine shop away after it made the guns.
Then the message telling the recipient how to blow up Gestapo headquarters will be sent via one-time pad over shortwave radio (remember "numbers" stations??)
Basic moral to the story, where there's a will, there's a way.
If the US cracks down on crypto what does it mean exactly for the rest of the world? While NSA will remain the leader in crypto, I suppose there will be enough development to cause serious nuisance (to put it no stronger) to the suits at NSA. The question is whether a US/Canada/Israeli restriction on crypto means anything..... I mean you can buy Schneier at Amazon!
Wanted : A Signature.