Slashdot Mirror
Export-level Encryption Proves Insufficient
rossjudson writes: "The Independent is running an article about the shoe bomber terrorist. The interesting bit for Slashdot readers is at the bottom -- apparently the 40-bit encryption in the export version of Windows 2000 was cracked by a set of computers using a brute force method. So let's confront the question: Should the US prohibit the export of high-encryption software? Here is a case where the default values (40 bit) clearly helped recover valuable information from a system." There's another article in New Scientist focusing on the encryption issue.
Yeah because prohibiting the export of this will prevent anyone evil from getting hold of it...
Sig is taking a break!
Advanced Math Textbook +
Computer +
Low-level programming skills =
High Grade Encryption... Anywhere in the world.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
40 bits is nothing, and has been for decades. /chosen/ to be crackable. And in my book, and in the minds of many others, that pretty much disqualifies it from even being called 'crypto'.
That limit was
THL.
Keeping
Should the US prohibit the export of high-encryption software?
Sure, why not? It isn't as if there are any cryptographers in any other countries in the world, is it?
Legislation is pointless, and even damaging in this case. The cryptography playing field is fairly level. That's not inherently a good or a bad thing; just as al-Queda can encrypt their files, they are equally prevented from intercepting sensitive information by the same technology. If legislation restricts crypto, we will find ourselves in a situation in which the FBI can't crack terrorist comms, yet terrorists can intercept commercial data. Airline security information, oilrig blueprints, whatever.
I feel that the only good laws are ones that can be enforced to a reasonable degree. If we had no police officers that gave speeding tickets, then having speed limits would not do any good. I feel that higher level encryption can be had by anyone that wants it. They can just download it from anywhere. The only things that keeps people from illegally downloading it is a little message that says "If you don't live in the US, please download the suckier version." You don't have to be evil just to circumvent the system and get higher level encryption. Anyone can just click the button to download it. Therefore, I don't think this law should be in place as there is no way to enforce it.
This doesn't prove out the fact that we should restrict crypto export to 40 bits... What it proves is that this guy was an idiot for relying on it. We all know that restricting the export of anything like intellectual property is like trying to catch helium molecules with a screen door. Additionally this policy is so arrogant to assume that the US is the only source for this type of technology... OK, ignorant/arrogant, whatever...
No man is an island, but Gary is a city in Indiana.
Export Level encryption proves insufficient.
That's the point.
Don't you think one of the reasons the government would want weak encryption in foriegn (and therefor, possibly adversarial) computers, so it's easier to break into them?
Remember, for the most part, US laws protect US citizens, and are valid only within the confines of the United States. Since we don't really seem to care about how our government gathers information outside our country, It makes sense that the Government would want to make this easy, and one way is through export controls.
Don't like it? You have other options.
And note to Eurotrolls, who might take the chance to cry US-centric, or brute american, or whatever trash you usually spew, don't think for a second your government isn't engaged in every kind of spying it can.
Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
So let me get this straight...
Two journalist are in Afghanistan, one of their laptop is broken, so they deside to buy anther one.
So far, so good, I would probably have tried to repair it and ask for replacement, but then, I am not in Afghanistan.
They buy two computers, another laptop and a desktop. What did they buy the desktop for again?
And they buy it from people who are looting buildings? I always thought journalist to have low ethics anyway...
Instead of re-installing the PC, they decide to look at what is on it. Ok, I can understand that, but they must have spent quite some time looking at those files to determine that they were willing to spend five days to crack some of the encrypted files they found.
In other words, two american journalist pick up a PC (they had no reason to buy), and they happen to find Terrorist secret files on it. Sounds too good to be true. I don't buy it, it's a setup.
And now they use that to attest of the validity of the export restriction on encryption.
If the BSA or RIIA is going after me because I have some illegal stuff on my hard disk, I can just claim that I got my PC second hand, and that all this stuff was left there by the terrorists who had the PC first...
Black holes occur when God divides by zero.
Why do people think that having a law regarding exporting software/code is going to stop ANYONE from using it?
And laws against theft don't stop determined shoplifters, and laws against copyright infringement don't stop determined Napster users, et cetera, et cetera. But that's not the point. The point is to make it (a) difficult and (b) punishable if someone does it, in order to keep it to a minimum.
A better argument would be to point out that there are ways to circumvent the law without breaking it -- by simply creating the software/hardware in another country using the same mathematical principles, for instance. But for the love of Pete, people, stop using "laws can always be broken" as an argument against making laws.
If this guy was informed about cryptography (not necessarily knowledgable, but informed - sort of like having the equivalent of a financial planner for cryptography) he would've used one of a number of bolt on products to really secure his computer. Some of these products are commercial, others are open source. He may have more difficulty getting (and if he's properly informed - less trust in) the higher grade commercial packages but it'd still be doable. Fly to California, go to Fry's and buy it. If he goes for the source code route its just about impossible to police. You can get it anywhere in the world where there's an internet connection or a mail system (CD ROM or a package of floppies through the mail).
Saying that 40 bit encryption is an assistance to the CIA/FBI/NSA is only true if you rely on having stupid terrorists, in this case it was obviously true. Suppose they hired the equivalent of a director of IT though, who would come up with approved solutions. Life would become more difficult for the government. Whether the solutions that are proposed are legal or not doesn't matter. You're planning on blowing up aircraft, knocking down buildings and killing people. You won't even bat an eyelash at breaking encryption laws.
What low grade encryption really helps with is gathering data against ordinary citizens such as the guy who was a bit less than honest about his tax return.
Also, despite this low grade encryption the attack wasn't stopped. It's only after everybodies eyes were on this guy that his computer was examined and found to have low grade encryption.
Chris Kuivenhoven is a thief, beware
I've just read 50 posts saying that limiting export strength encryption won't stop any non-US people from using higher encryption. I agree that this makes perfect sense. It's completely logical.
But everyone seems to conveniently ignore the fact that this group DID rely on the export strength encryption that they had available. They DIDN'T use PGP or any one of the myriad of other options for better encryption. Perhaps the premise that a slashdot reader is familiar with other encryption techniques isn't equivalent to the premise that an Al-Qaida member will be familiar with other encryption techniques.
Any reasonable and complete argument against limiting export strength encryption at least needs to address this fact. One could argue that it is an unusual case, that it won't be repeated, that you don't care if non-US folks have default access to better encryption, etc.
But arguing that it will never stop anyone from using better techniques seems silly when presented with this case of a group using exactly the default abilities that they were given in Win2k.
"Should the US prohibit the export of high-encryption software? Here is a case where the default values (40 bit) clearly helped recover valuable information from a system."
If the US could somehow ensure that we were the only ones who provided encryption, this may be an argument on national security bounds. However, we cannot.
If anything, all of this talk about encryption has provided criminals with the knowledge that we can eventually break in. Even if that were not the case, better encryption is available in any of over a hundred countries, many with little concern for US regulations. I believe 128-bit encryption has been freely available for years, provided by companies outside the US.
We need freely available encryption of every higher levels to stay ahead of our enemies (and some would argue our friends). Consider it only took five days to break the 40-bit encryption. How long would it take someone to brute force his or her way into a financial institution? Banks, trading firms; electronic merchants, etc. are and or should be constantly upgrading their security and encryption levels.
Encryption should be viewed like a car. A car has very powerful, valuable, perhaps even essential uses. Unfortunately, people can use cars to rob, kidnap, and murder. Still, we allow and even encourage access to cars because the benefits far outweigh the problems that periodically occur.
Correct. 40-bit keys have no protective value. Remember the article about IBM's crypto chip being broken? (Somebody please provide the link to /. article, I can't at the moment.) In practice, they broke single DES, 56 bits worth of security in a good block cipher. In brute force.
It took at most 2 days with ~1000 $US worth of gear to find the key. Let's assume that they needed the full 48 hours to get that key broken. Simple math follows:
48 hours is 48*3600 seconds. It takes this much time to brute-force a 56-bit key. 40 bits is 1/(2^16) times the size of that, hence the time to break a 40-bit key with similar equipment is 48*3600/(2^16) seconds. This is no more than about 2.6 seconds.
To underline this as clearly as I can: 40-bit keys provide NO security. They may have provided some, at a time - but definetely not for some time now.
There is no such thing as good luck. There is only misfortune and its occasional absence.
The ability to protect and secure information is vital to the growth of electronic commerce and to the growth of the Internet itself.
You are absolutely right. I'm surprised that sheer profit motive alone hasn't pushed big software corporations and their pals in Congress to permit and even encourage the export of more sophisticated encryption. Using weak encryption makes about as much sense as guarding your premises with flimsy locks and corrugated fences. I'm just as interested in keeping the government out of my business as I am keeping out competitors.
So what if better code-making leads to better code-breaking? You build better bullet-proof glass, and someone comes up with better bullets. (Likewise missile shield: missiles; mousetrap: mouse, etc.) It's progress. It's full employment for developers, programmers and marketers. I think profit motive will trump "patriotism" on this issue.
The only real newsworthy bit I saw in it is that apparently the people who bought the laptop and then decrypted the disk are not govenrment operatives, but "just" people working for the Wall Street Journal. If anything, this says that moderate cryptography knowledge has become routine in corporate America.
When the NSA can uncover my deepest secrets, that's one thing. When a potential employer can decrypt anything protected with twenty year old technology, I don't worry yet, but talk to me again in my mid-40s. I wonder when some of the early posts to alt.anonymous.* will become decipherable.
A truly smart person probably wouldn't belive that terrorist action would accomplish their goals.
I fear that that thought process is what got us into this mess in the first place. We have always assumed that these terrorists were unorganized nutcases running around with bombs attached to themselves.
And then on 9/11 we found out how organized and intelligent they could be and how ignorant we were. The truth is that there are some scarily intelligent people in these terrorist organizations who are using religious ferver to control otherwise sane individuals.
"If ignorant both of your enemy and yourself, you are certain to be in peril." - Sun Tzu. The Art of War
Despite this public knowledge, Al Quaeda has been using weak (MS-supplied) crypto to protect sensitive information... that could be discovered within days. Therefore:
Just my US$0.02...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
What the crypto regulations really do is prevent most people in the USA from adopting it. None of the three-letter agencies want everyone encrypting their E-mail or network traffic by default. That simply wouldn't do -- if everyone did it, how would they know who actually has something to hide? So they make it a pain in the ass for software developers to incorporate it into their software and they make it a pain in the ass for most users (Who don't know to go to international sites where you don't have to fill out a form to download the software) to get it.
The irony is that now they're bitching because the network is so insecure and how a cyber-attack could bring down public utilities and banks and things. Well they're just reaping what they've sown. The network would have tended to cryptographic authentication and tighter security except for the artificial and fundamentally useless restrictions the federal government has put in place.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This is dead-on accurate. The line between "terrorist" and "freedom fighter" is pretty damn thin, probably even non-existant. Mostly, the thing that determines what label applies is which side you are on.
By current standards, the actions of the French Resistance in WWII would be considered "terrorism". However, the partisans of the French Resistance will probably never be refered to as terrorists, because their opponents (the Nazis) are nearly universally recognized as being evil and (more importantly) they were on the winning side
IMHO what seperates the terrorist from a legitimate partisan is that the latter will not intentionally target civilians. The Pentagon was a valid military target by the accepted standards of warfare and international law; the WTC was not. If the 9/11 bombers had taken over the planes on the ground and evacuated the passengers first before making their kamakazi attacks, and if they had restricted themselves to military & government targets, the US would not have the near-universal international support we are currently enjoying for our military efforts in Afghanistan. If you want to be treated as a soldier and not a murderer, you need to play by the accepted rules of warfare. The fact that al-Queda and other terrorist groups fail to understand this basic premise just goes to show how ignorant and delusional they really are.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Soon, Bill will claim that this is a reason why the government should strengthen the Windows monopoly (SSSCA anyone?) rather than break it up. After all, if al-Queda had used a non-Microsoft OS, the FBI might have less evidence against Reid.
So why didn't he go lock himself in the lavatory and light it, instead of trying to do it in his seat?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10