Export-level Encryption Proves Insufficient

rossjudson writes: "The Independent is running an article about the shoe bomber terrorist. The interesting bit for Slashdot readers is at the bottom -- apparently the 40-bit encryption in the export version of Windows 2000 was cracked by a set of computers using a brute force method. So let's confront the question: Should the US prohibit the export of high-encryption software? Here is a case where the default values (40 bit) clearly helped recover valuable information from a system." There's another article in New Scientist focusing on the encryption issue.

Psss, don't tell anyone

[f00zbll]

As the new scientist article stated at the end, "there are other ways." If the government has learned anything from current events is High Tech is useless when dealing with people who only trust those they know. As as the article said, "not using strong encryption just makes it easier" for bad people to exploit businesses.

Considering how much planning and communication had to take place for 9/11 to happen, we only have a video tape and a few files? Sounds like the low tech method works better for keeping things under raps. Is a computer isn't going to commit suicide if the FBI catches it (well I suppose you could boobie trap it). A terrorist on the otherhand can mislead, or commit suicide. The only thing weak encryption does is make businesses more vulnerable to government snooping and crackers. Plus the government can use things like a warrant to get access. Oh I forgot they hate having to ask judges for warrants and answering questions like "do you have sufficient proof or cause?"

French version same - here's why

[BLKMGK]

It used ot be that the French version was horribly cripled. Lotus folks actually compared it to sending mail on a postcard :-)

Anyway, it was done this way becaue th eFrench did NOT want the US Govt. to have an easier time decrypting the documens than did the French Govt. so they required a really poor encryption be used in Notes. Once the US Govt. dropped it's export restricitons the French Govt. lifted this requirement since this placed us all on a "level" playing field. One of the point revisions of R5 brought nearly all of the versions together except the French I THINK. Due to the extreme crippling they had to do the French may have had their own upgrade or have been forced to reissue certs and IDs - I'm fuzzy on this. I believe if you spend some time on the Notes site you'll find your answer.

On a plus note - Lotus has determined that 128 just isn't good enough. They mentioned plans to upgrade the crypto at Lotusphere last year but it probably won't be there till RNext goes gold. If there's one product out there that actually seems to care about security and was WAY ahead of the certificate thing it's Notes. And no, they aren't perfect...

To my surprise, the article is not a troll. ;-)

[Rogerborg]

There I was, foaming at the mouth and ready to launch into a "how can you be so stupid?" diatribe. How can you keep encryption out of the hands of Bad People by denying it to Good People? In general terms, writing laws aimed at criminals is futile, because the criminals (by definition!) won't care about the law and will use whatever technology or methods they want. Nobody would be stupid or lazy or overconfident enough to use the lame default encryption on an export system, surely?

And then I read the article.

The al-Qa'ida machine was indeed running 40 bit encryption. It's hard to credit, but it really does appear that they simply were too stupid or too lazy or overconfident to upgrade the default lame-o-crypt settings. It's astonishing, especially compared to the planning that they put into September 11th, but there it is.

No, I don't think we should try and ban strong encryption. There are plenty of Good People who can make use of it (think Tibet), and any competent and determined Bad People can get it anyway. But these opponents just demonstrated clearly that while they were determined, they were not competent, and that changes my mind, just a litle.

I can see an argument for encouraging developers (Microsoft, MacOS and yes, Linux hackers) to supply 40 bit security by default on all consumer systems. Aunt Jemima doesn't need strong encryption, you and I probably don't need it. I wouldn't want strong encryption to be limited, but honest to god, I'd be flattered if anyone ever thought it was worth breaking even 40 bits worth on anything that I produced. I want the option to upgrade to be there, but I feel no particular need to use it, and here's the kicker: the less we kick up a fuss about it - and just quietly download the strong stuff ourselves without demanding that Aunt Jemina have it by default - the better.

I can't help but think that the more noise we make about the distinctions between low and high encryption, the more likely it is that even stupid, lazy, overconfident terrorists will perk up their ears and ask "Hey! Is this something we should be thinking about? Maybe we should send Achmed out to buy a copy of 'Security For Dummies'." Because they clearly are dummies, and I'm quite happy for them to stay that way, thanks all the same.