Slashdot Mirror
News.com: Crypto Doesn't Kill - People Do
McSpew writes: "Bravo to News.com for telling the truth about cryptography. They even cited /.'s coverage of Phil Zimmerman's real views on PGP and its possible role in any terrorist acts." On a per-word basis, this may be the best summary of why calls to ban or restrict encryption technology (as with government key escrow, or constrained key sizes) has little to do with enhancing national or world security.
It's quite a valid observation that terorists can write their own software. I managed to write an implementation of RSA in about a day from descriptions only, and that included writing my own big integers library.
A good article that could be made better by emphasizing the one-time pad cipher.
The one-time pad is a very easy cipher to explain to lay people. They need no understanding of math, not even arithmetic.
Anybody, anywhere can create a one-time pad by simply flipping a coin or rolling the dice, and use the resulting information to encrypt a message that is impervious to all manners of cryptoanalysis, even techniques made possible by the much-feared though yet-to-be-stocked quantum computer.
In other words, you can create a encrypted message without encryption software or even a computer, and yet be assured that the message is unreadable by any computer devisable today or anytime in the future.
There should be no debate here. Military-grade cryptography is available to anyone with a penny in their pocket and a sheet of paper and pencil.
We need to stop wasting time talking about this.
Is this truly the only Earth I can live on?
They could post their encryption concerns to a site http://slashdot.af/index.pl?section=askslashdot for instance. But I don't think the Taliban would let them call the intellectual currency "karma."
Inventor of the LOLbalrog meme.
Re read that article, but swap every occurrence of "crypto" with "guns".
Now you know what all the gun nuts were talking about.
It's already been done wth handguns - I figured all guns were next, but looks like crypto is next.
(This coming from a geek trying to put it in a language that many marketers, politicians, economists, etc could understand, who actually dislikes most businesses today.)
The simple fact of the matter is that the latest calls for key escrow/backdoors to encryption, just like the ban on exporting 'strong encryption' during the 90's, will in the end only hurt the US.
"Einstein argued that [...] God is not capricious or arbitrary. No such faith comforts the software engineer." ~ Brooks
The FBI has found hand-written order letters in the baggages of terrorists.
Is this PGP ?
NO !
So why does the crypto=terrorist meme still continues ?
Paradoxically, paper letters are a more secure way to transmit information than the internet...
The security agencies are already checking through most or a statistical useful percentage of the bytes that flow over the US internet, and are characterising it all. Their actions only make sense if they are doing that.
Anyone using encryption stands out; so they write a file on them.
Where they find encrypted data they can't characterise it any further; so they hit a brick wall. But its not common right now, so they can make a file. However, if everyone on the internet routinely uses uncrackable encryption they can't build a file on everyone.
On the other hand, if they have key escrow they can blow away the encryption on all the legitimate data and they are left with 'illegal' encryption; except presumably terrorists and other malcontents; a much smaller group that they can write files on.
Of course this 'monitor all the traffic on the internet idea' falls down in several other ways. As an example, suppose somebody creates a Quake III server that has some sort of low bandwidth messaging in it perhaps the player steps left at careful timed moments or something, the characterisation by the NSA would be, oh its just another Quake player, when really its sending an encrypted message as well. [I just made that Quake idea up- its called 'steganography' in general, hiding encrypted messages in something else.]
Anyway, that's really what's going on. The security agencies are using the WTC disaster as a chance to get their legislation through whilst the going is good. Of course anyone with any sense can evade it, but not every terrorist has sense.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"One week ago today, I wrote essentially the same thing to my congress people. Here is my letter in case anyone else would like to send it to their congress critters:
------
Honorable Senator xxxxxx,
I am writing to bring to your attention the pointlessness of Senator Judd Gregg's new legislation mandating backdoors in all cryptographic products. I could make many arguments that discuss our civil liberties and the right to be secure within our papers and possessions, but that argument while true and immensely important, is not even required in this case.
Simply put, with respect to strong cryptographic software, the "cat is out of the bag." The world is already full of good, secure cryptographic products with no backdoors. That is the case now, and was PRIOR to Congress' reduction of ITAR restrictions that kept us from exporting strong cryptographic products.
The world is full of smart people many of whom do not work for the NSA, and do not live within the United States. These people in the civilian cryptographic world are constantly researching and developing new cryptographic techniques, which Senator Gregg's legislation WILL NOT AFFECT. No matter how many laws you pass, NOTHING will keep the BAD GUYS from being able to download this cryptographic software from European and other web sites.
If Europe latches on to Senator Gregg's idea of mandating backdoors in all cryptographic products, then the people who want to use cryptographic products with no backdoors will simply write their own, or copy VERBATIM the computer source code for strong cryptographic software that already exists in many hundreds of published books.
Allow me to quote Bruce Schneier, perhaps the United States' leading civilian cryptographic expert:
"To illustrate the ease with which a cryptosystem can be implemented, I present the full code necessary for establishing a secure cryptographic channel over the internet, called the Diffie-Hellman Key Exchange. Both people communicating do the following:
"1. Get public key (Y, P) of the other person. This is just a pair of large numbers.
"2. Raise Y to the power of X, where X is the private key, modulo P. The result is the secret key.
"Modular arithmetic is taught to fourth-graders under the name 'clock math,' and secret-key cryptosystems are just as easy to memorize and implement as public-key systems. I could teach any twelve-year-old how to reproduce from memory in under fifteen minutes a strong cryptosystem on any Windows machine. Any terrorist is quite capable of doing the same."
This speaks volumes about the current state of cryptographic software in the world today, and the ease with which it can be implemented.
If Senator Gregg's legislation is passed, it will have ZERO affect on the people who DO have things to hide from you, and will only harm the innocent citizens of the United States who wish nothing more than to insure that their banking records and private email conversations remain truly private.
Regards,
-----
Rich...
Ignore Alien Orders
224137216
It's 309 digits long! As you can see the numbers are big and get exponentially bigger as the key size increases. The idea with public key encryption is that, while it is quite quick to multiply two numbers this size together, it is very hard to factor the result into the two parts again. It is possible but, for keys > about 56-bit, it is beyond what modern computers are capable of.
Distributed.net is a SETI@home-like project to crack ever larger keys, among other things. Check them out.
Problems like this exist in maths as well as the physical world. One such problem is used in RSA encryption, which can be used in PGP. This problem centers around the belief that it is easy to multiply two very large prime numbers, but given the product it is very difficult to go back to the original primes. I say belief deliberatly since it is possible (albeit extremely unlikely) that there is an easy way to factor large numbers. Most PGP implementations actually use Elgamal rather than RSA, but the principle is similar.
If you are interested in this subject I would strongly recommend you buy/borrow a copy of Applied Cryptography by Bruce Schneier (amazon link). This is the best crypto book available (IMHO) and explains the fundementals of the suject, including the maths behind RSA and ElGamal without requiring any previous knowledge.
Hope this helps.
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/
What is scary about this U.S. government talk of not allowing secure encryption is that it is working so well. Even the intelligent, educated people who comment on Slashdot (Don't joke about this, it's the truth.) are being led completely away from the real issue.
The real issue is that they are trying to get you to accept that you have no right to privacy.
The really important matter is that the U.S. government is trying to get you to accept the principle that it can spy on you. They know they will lose the encryption battle.
Do you ever have the right to privacy? If there is a single case in which you have the right to privacy, then you have the right to encryption, because you need it for that case.
From the article, What should be the Response to Violence? :
"The U.S. government has three separate, very large agencies that function as global secret police: The FBI, the CIA, and the NSA. The first two are authorized to kill other people. These agencies are secret in two senses: Their activities are hidden from the people of the U.S., even though the U.S. is a democracy. They also have secret budgets. These agencies function everywhere in the world, including inside the U.S."
It has somehow been established that U.S. citizens will accept that they cannot be told about either the activities or the budget of the secret "national security" agencies. Clearly, if they did know, and if they had a chance to vote, most citizens of the U.S. would vote against many of the activities. However, U.S. citizens are not allowed to have enough information to make an informed decision about the secret agencies.
Bush's education improvements were
We've had cryptography and steganography since back when messages were tattoed on the tops of soldiers head and run between camps. The public has been sending secret messages long before it was rendered legal for them to do it, and they will continue long after it is rendered illegal again.
:)
Language has always had two purposes: 1. To aid in communication with those you like, and 2. To hinder communication with those you don't. Otherwise, we would probobly all be speaking in the same tongue or dialect. Even if these laws are passed, sending secret messages will always happen, and crypto/stego are too great a tool to be just thrown away by the people.
Use of GIF images to send secret messages is one obvious way to make your message invisible or even undetectable. Encrypting that message against any commercially available CD image would be even more useful. Any attempts to circumvent that encryption would result in extracting a CD image, and that's a DMCA violation.
"Look at me, I invented the stove!" -- Ben Franklin
...the United States military uses encryption every single day to save thousands of lives. How do you think these soldiers in the field talk to each other, relay coordinates, maintain anonymity in foreign lands to stay alive? That's right class, strong encryption!
It's ok to implement backdoors in the publically available encryption, but oh, this little stuff we use over here in our military is classified, you can't see it, and we can't even tell you we use it.. But here's a 200 page document, all conveniently highlighted in black marker, that explains everything you need to know about it.
All of these politicians and gubbermint officials supporting this type of intrusive "anal exploration" of our freedoms needs a brain exam.
(Sheesh! You'd think 11-SEP would have taught people this!)
So if you keep making suspicious remarks like that it won't be long before the black vans arrive in the dead of night to drag you away, and your neighbors pretend to hear nothing when you scream!
:)
Though I agree with everything you said, the fundamental problem goes a bit deeper than privacy.
The full underlying cause of this is nationalism and the belief that the State is an almost divine entity that will protect you from all ills provided you play by its rules.
History shows that this is a fool's bargain. Any state--and yes, flag-wavers, that includes the US--is *designed* to limit your freedoms for the "greater good". While this works for a great many people indoctrinated to accept the definitions the State provides for "freedom" and "democracy", it is not, nor has it ever been, a complete solution for people in the world, and *much* has been done in the name of the State--like much was done in the name of God before it--that is simply hateful and evil.
Allegiance to the State, a belief that the State is all, that you should be proud to be part of the State, happened in Germany in the 1930s, and it appears to be happening here. Based on some of the troll posts here, you just have to substitute Arab for Jew, and you have the basic plank of the Nazi party flying in full colors.
How does this relate to crypto? It doesn't really at all--that's the point. But, if we're really trying to make a connection, then there's the tenuous observation that crypto is math, and knows no allegiance to State, which has no allegiance to you, meaning that Crypto is like the State in that it is an abstract concept without any feeling or allegiance to anyone or anything. The major difference between Crypto and the State is that the State is established, has full access to social control mechanisms, and panders to people's senses of belonging while Crypto is simply math that individuals can use to keep pieces of themselves from the State and unto themselves.
It is natural that the State--which *fully* seeks the totality of National Socialism, and now has the capacity to make _1984_ look like a Disneyland ride--would seek to abolish the one tool that can put an individual on equal footing with it. It's up to *us* to drop our allegiance to one abstract concept and rally our efforts around the other.
I'll leave it up to you to decide which way the wind appears to be blowing.
"The more corrupt the state, the more numerous the laws."--Tacitus, The Histories
If I understand you correctly and you're saying that crypto isn't common right now, that's not true. Salespeople around the US have been selling Virtual Private Networks (VPNs) to companies for a few years now, and these encrypt all traffic between a company's sites. While there almost certainly is still much more unencrypted traffic on the net than encrypted traffic, encrypted traffic is far too common for the government to be building a file on every instance they encounter.
Many lawyers use encrypted email because of legal precedent which makes email less legally "privileged" than say a phone conversation.
Then there are all the /. nerds using SSH to talk to their servers. Do you think the FBI or NSA has a file on Shoeboy?
Everyday use of encryption is a lot more common than you might imagine.
As far as I can see, *email* encryption really is what the general media and the politicians do think the argument is all about. Because so far only a small fringe minority use encrypted email, the pols think it will hardly be missed; and besides, the obsessive secrecy probably indicates that the users are up to no good anyway.
The idea of *channel* encryption probably doesn't even cross their radar. But 'alienmole' is absolutely right: the most widespread and important use of encryption at the moment is *not* email; it is the use of ssh and friends to secure public channels. And the reason these are so important is obvious -- and probably much easier to explain to the public -- in these days of crackers and virus writers: you really don't want anyone to be able to break into your channel, and interfere with your remotely-controlled telescope or heart operation or hack into your corporate network or whatever.
The case for SSH is much easier to make than the case for PGP, because of its demonstrable real-world importance. If we can move the debate towards channel security, away from email security, it will be much easier to win.
But of course as soon as two people can ssh into the same box and talk to each other, the banning of any other uses of encryption starts to look pretty irrelevant.