Slashdot Mirror


Cyber Security Enhancement Act Passes Senate

XorNand writes "The Cyber Security Enhancement Act (which was attached to the Homeland Security Act) was overwhelmingly approved by the U.S. Senate today. According to the EFF this soon-to-be-law allows "any government entity (federal, state, or local) to request email and voicemail from your ISP or telephone provider without a warrant or probable cause." The passage of the Homeland Security Bill is covered here on CNN.com. Yippee."

10 of 112 comments

  1. neo-email by TheSHAD0W · · Score: 3, Interesting

    Definitely.

    There's been a lot of talk about canning our current email system and going with a semi-p2p replacement. This replacement should include cryptography.

  2. Re:Time to up the size of your gpg keys!!! by cperciva · · Score: 3, Interesting

    I'm sure the parent post is intended in jest, since 16Kbit RSA keys are not subject to any known attack; but if you have enough cpu power to perform rsa operations on longer keys (remember, decryption and signing are O(n^2 log n) operations), there's no reason to accept gpg's limits.

    Writing a fully functioning RSA implementation from scratch is the work of a couple months; if you're really paranoid (which you must be if you want keys longer than 16Kbits) then you should be able to spare a couple months.

  3. So Much for the 4th Amendment by TheWanderingHermit · · Score: 5, Interesting

    ...Or is it unreasonable search and seizure if the material they obtain is not on your property or within your reach and control?

    I swear Bush sounds more and more fascist and like a smooth-talking Hitler every day. "We're in danger. We'll protect you and preserve your freedom. All it will cost is your freedom."

    1. Re:So Much for the 4th Amendment by MacAndrew · · Score: 3, Interesting

      Don't worry, be happy.

      Congress is powerless to change the constitution. That's why it's called a constitution. So the 4th Amendment is safe. One thing Congress can do is raise the bar higher, placing more stringent requirements on law enforcement. It can also decide to provide effective remedies for privacy violations.

      Whether a conversation or piece of property is protected depends on a complicated analysis called "reasonable expectation of privacy." That is, was there an expectation of privacy that was objectively reasonable, as opposed to what you privately desired.

      However, the Supreme Court already trashed the 4th A. over the last couple of decades. It has more holes than cheesecloth, ask any drug defendant.

      The one area where the rules have been fairly strict is wiretap, and the reason for it is a federal statute on point. It would be a shame to see this undermined. American sensitivities to abuse of wiretap were heightened by the Vietnam and Watergate era. But that indignation has faded over the years.

      The tension between liberty and security is perennial.

  4. Re:Time to up the size of your gpg keys!!! by cperciva · · Score: 3, Interesting

    I was including the large integer arithmetic and proven strong prime generation. If you don't need to generate keys, and you already have a large integer arithmetic package, then yes, RSA can be implemented in a few minutes.
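As an added illustration of what "RSA in a few minutes, given a bigint package" looks like (this is example code written for this page, not anything cperciva or GnuPG published): Python's built-in integers are the bigint package, Miller-Rabin supplies the probable primes, and the private-key operation is a single modular exponentiation. The key sizes, the trial count and the timing helper are choices made here, and there is no padding, so this is textbook RSA for illustration only, not something to protect real mail with.

```python
"""Textbook RSA on top of Python's built-in big integers.

Added example, not code from the original thread. Shows how little is
left to write once large-integer arithmetic is free, and gives a rough
feel for how the cost of a private-key operation grows with modulus size.
No padding, so it is illustrative only (textbook RSA is deterministic
and malleable).
"""
import random
import time

_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit forced on)."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int, e: int = 65537):
    """Return ((n, e), (n, d)) with an n of about `bits` bits."""
    while True:
        p = random_prime(bits // 2)
        q = random_prime(bits - bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def decrypt_time(bits: int, trials: int = 20) -> float:
    """Average seconds per private-key operation for a fresh key of `bits` bits."""
    pub, priv = generate_keypair(bits)
    c = encrypt(pub, 12345)
    start = time.perf_counter()
    for _ in range(trials):
        decrypt(priv, c)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    pub, priv = generate_keypair(1024)
    m = int.from_bytes(b"hello, spooks", "big")
    assert decrypt(priv, encrypt(pub, m)) == m
    for bits in (512, 1024, 2048):
        print(f"{bits}-bit key: {decrypt_time(bits) * 1e3:.2f} ms per decryption")
```

The timing loop is where the cost argument in the comment becomes visible: doubling the modulus size roughly quadruples the cost of each multiplication and doubles the number of them, so each step up the list takes several times longer than the one before.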

  5. Re:They were waiting... by Anonymous Coward · · Score: 2, Interesting

    The sort of privacy rollbacks we're seeing have been hotly desired by certain groups for years. They probably already had their ideal statutes written up, ready for a quick edit in the wordprocessor. So it is more accurate to view this sort of legislation not as a kneejerk reaction but as a kneejerk opportunity for a long-simmering reaction.

    That is exactly the case with the USA Patriot Act. It's also why the justice dept used everything in its power to keep it from being circulated to congress before the vote. It was a wish list of everything they had wanted and failed to get at some other point in the past all rolled into one bill.

    I've got a better idea to protect our privacy -- they want to read our mail? Okay. Let's send it to them! Every time you write an email, or receive an email -- BCC it to president@whitehouse.gov, someone @fbi.gov, your congressmen, the secret service, the CIA, TIA, the DEA.

    Get a million people doing that every day and they just might get annoyed with getting what they want. ;-)

  6. Re:Thank God for crypto by Soul-Burn666 · · Score: 3, Interesting

    Is there a possible way to make a message be decrypted in two different ways with two different keys?

    Read: Can I encrypt two messages into one, and with two different keys, one when used reveals MessageA and the other when used reveals MessageB?

    That way, you can encrypt your message and include some spam in the other message, encrypt them both to one file, and give them your "spam" key. Thus, you give up your password to be legal and it doesn't help them with nothing :)

    --
    ^_^
  7. Re:Thank God for crypto by Zocalo · · Score: 3, Interesting
    Is there a possible way to make a message be decrypted in two different ways with two different keys?

    I'm not aware of any actual implementations, but it's certainly possible. All that is required for generation is to GPG the two alternate messages, stick the two bits together in an envelope and transmit. What is required is for the decryption engine to be able to determine which half of the message has been decrypted to the original and silently discarding the other half.

    A fairly obvious way of achieving this is to MD5 checksum the two plain text messages and append that to each message before encryption. Upon decrypting both parts with the available key, only one "plain text" message should match the MD5, and the other could then be safely discarded.

    Of course, law enforcement isn't totally dumb and it's not going to take them long to realise that they need to ask for both keys when confronted with this kind of message. Also, there are probably issues with obstruction of justice by deliberately giving the wrong key to an authorised party. Your legislative system may vary of course...

    --
    UNIX? They're not even circumcised! Savages!
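The two-key envelope sketched in the question and answer above, as an added example (written for this page, not code from either commenter or from GnuPG). To keep it runnable offline, GPG is stood in for by a small SHA-256 counter-mode stream cipher keyed from a passphrase, and the MD5 tag suggested in the comment is replaced by SHA-256 (MD5 is no longer collision resistant). Both halves are padded to the same size and placed in random order so neither length nor position hints at which one is the decoy; the names, sizes and padding scheme are all choices made here.

```python
"""Two-key "deniable" envelope: one file, two passphrases, two messages.

Added example, not code from the original thread. Each half is
encrypted under its own passphrase and carries a hash of its own
plaintext, so the opener tries the supplied passphrase on both halves
and keeps whichever one verifies. The stream cipher here is a toy
stand-in for GPG; do not reuse it for anything real.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32     # sha256 digest appended to each plaintext
NONCE_LEN = 16   # per-half nonce so the two halves never share keystream
LEN = struct.Struct(">I")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: block i = sha256(key || nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _seal(message: bytes, passphrase: str, body_len: int) -> bytes:
    """One half: nonce || E_k(len || message || random pad || sha256(message))."""
    key = hashlib.sha256(passphrase.encode()).digest()
    pad = os.urandom(body_len - len(message))
    plaintext = LEN.pack(len(message)) + message + pad + hashlib.sha256(message).digest()
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def _open(part: bytes, passphrase: str):
    """Decrypt one half; return its message if the tag matches, else None."""
    key = hashlib.sha256(passphrase.encode()).digest()
    nonce, ct = part[:NONCE_LEN], part[NONCE_LEN:]
    pt = _xor(ct, _keystream(key, nonce, len(ct)))
    (msg_len,) = LEN.unpack_from(pt)
    body, tag = pt[LEN.size:-TAG_LEN], pt[-TAG_LEN:]
    if msg_len > len(body):
        return None                      # wrong key: length field is garbage
    message = body[:msg_len]
    if not hmac.compare_digest(hashlib.sha256(message).digest(), tag):
        return None                      # wrong key: tag does not verify
    return message


def build_envelope(real: bytes, real_pass: str, decoy: bytes, decoy_pass: str) -> bytes:
    """Both halves padded to the longer message, emitted in random order."""
    body_len = max(len(real), len(decoy))
    parts = [_seal(real, real_pass, body_len), _seal(decoy, decoy_pass, body_len)]
    if os.urandom(1)[0] & 1:
        parts.reverse()
    return b"".join(parts)


def open_envelope(envelope: bytes, passphrase: str):
    """Try the passphrase on both halves; return the one that verifies, or None."""
    half = len(envelope) // 2
    for part in (envelope[:half], envelope[half:]):
        message = _open(part, passphrase)
        if message is not None:
            return message
    return None


if __name__ == "__main__":
    env = build_envelope(b"meet at the usual place, 9pm", "correct horse",
                         b"Buy cheap watches online now!!!", "spam key")
    print(open_envelope(env, "spam key"))
    print(open_envelope(env, "correct horse"))
    print(open_envelope(env, "not a key"))
```

Note what this does and does not hide. Given either passphrase the right half pops out and the other stays opaque, which is the "hand over the spam key" scenario. But the file is visibly two equal-sized encrypted halves, so anyone who knows the format knows a second key exists, which is exactly Zocalo's point about being asked for both.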
  8. Pundit-surfing by Dannon · · Score: 3, Interesting

    My impulse is, of course, to be greatly concerned about my privacy with this. Not a bad thing, altogether. But I've done some looking around at what other people have to say on the matter.

    On the one hand, I've heard a lot of folks on the radio and read no few columns by smart people saying we need to be paranoid. Rational paranoia's not a bad thing, I think. Just because you're not paranoid doesn't mean they're not out to get you.

    On the other hand, another writer I like to read has pointed out that, as far as political, legal, and material freedoms go, we're a lot more free than we have ever been in history, and the very fact that we have a number of people who are incredibly sensitive to violations of civil liberty means that civil servants have to keep on their toes about it. And the Heritage Foundation has published a memo explaining that DARPA's Total Information Awareness isn't quite what Safire of the NYT said it is, and it's not quite what everyone (rightly) fears.

    Still, I won't budge from my first point. A little rational paranoia is a healthy thing to have. I've been doing my best to be 'safe', and to teach good habits to my not-so-tech-savvy friends. Now that I've got most of my family Back Home using PGP-friendly e-mail clients, I'm going to take some time to show them just how easy it is to use these nigh-impossible-to-forge signatures when I visit for the holidays.

    --
    Good judgment comes from experience.
    Experience comes from bad judgment.
  9. Time To Implement "Project White Noise" by Deagol · · Score: 3, Interesting
    A while back, I was inspired (by the news of yet another anti-privacy law that got passed) to start a project that would fill the ether with encrypted email for the sake of pissing off three-letter agencies who are on witch hunts.

    It was meant to be like the old usenet practice of adding "spook fodder" to the end of posts. Also, like type II anonymous remailers, it was designed to help thwart traffic analysis.

    There'd be a set of scripts (or easy to compile programs) that would sit on a client machine. These scripts would have a list of email recipients (either static, or snarfed periodically from a current source), and it would send out an encrypted "message" to each address according to a set of rules coupled to that address.

    Messages could be sent at random intervals or with a specific frequency.

    The payload could either be encrypted, plaintext, or crypto-grade random garbage.

    The encryption could be symmetric, asymmetric, or even with a throw-away one-time-pad (generated on the fly and then discarded).

    The payload of encrypted messages could be plain text, garbage, or another encrypted message.

    Of course, this could be done with the current anonymous remailers. But I've found the remailers to be already overloaded and unreliable. Because the project's goal is primarily to add noise to existing email traffic, it would lend itself to be served by clients with sporadic connections.

    There's the possibility of propagating real messages in this system, but running SMTP servers on sporadic clients seems like a bad idea (even discounting the potential for abuse by spammers, etc.). I was thinking of a store-and-forward type of system, using P2P networks. The software could be a P2P client. It would queue a "real" message by sharing it out. Other clients would search for a designated string to find these messages and download them (there'd obviously need to be some sanity checking to prevent garbage inputs). Once the originating client knows that the message has been downloaded "x" number of times (some redundancy would be desirable, I would think), it would remove the message from the queue so the recipient doesn't get thousands of copies of the message.

    I know, this idea is really rough around the edges. I had a really nice write-up a while back, but I lost it. The fact that my coding skills don't extend beyond half-page sed/awk/perl/bash scripts (don't laugh, I'm just a sysadmin) hasn't helped in my realization of this idea. :)

    If anyone knows of a project that even remotely comes close to what I have described, please post links!
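An added example of the scheduling side of the "Project White Noise" idea above (written for this page; it is not Deagol's code and not from any existing project). It takes the real messages a client wants to send, mixes them into a stream of dummies at random positions, and emits cells at exponentially distributed intervals, which is the "random intervals" option in the post. It adds one refinement the post does not mention: every cell is padded to one fixed size, because if dummies and real messages differ in length the sizes alone defeat the purpose. Encrypting each cell (GPG, a symmetric key, a throw-away pad) is the sender's next step and is outside this example; the cell size, header format and rate parameter are assumptions made here.

```python
"""Cover-traffic planner in the spirit of "Project White Noise".

Added example, not the poster's code. Produces fixed-size cells, some
carrying a real payload and the rest random filler, scheduled with
Poisson (exponential inter-arrival) spacing so that neither size,
timing nor ordering distinguishes real messages from noise. The caller
encrypts each cell before sending it; that step is not shown here.
"""
import os
import random
import struct
from typing import List, Optional, Tuple

CELL_SIZE = 4096                 # assumed: pick one size and never vary it
HEADER = struct.Struct(">H")     # 2-byte payload length; 0 marks a dummy cell


def make_cell(payload: Optional[bytes], cell_size: int = CELL_SIZE) -> bytes:
    """Fixed-size cell: length || payload || random filler. None -> dummy."""
    body = payload or b""        # an empty real message is indistinguishable from a dummy
    if len(body) > cell_size - HEADER.size:
        raise ValueError("payload too large for one cell")
    filler = os.urandom(cell_size - HEADER.size - len(body))
    return HEADER.pack(len(body)) + body + filler


def unpack_cell(cell: bytes) -> Optional[bytes]:
    """Inverse of make_cell; returns None for a dummy cell."""
    (n,) = HEADER.unpack_from(cell)
    return cell[HEADER.size:HEADER.size + n] if n else None


def plan_sends(real: List[bytes], total: int, rate_per_hour: float,
               rng: random.Random) -> List[Tuple[float, bytes]]:
    """Schedule `total` cells (the real messages plus dummies).

    Returns (seconds to wait before sending this cell, cell). Real messages
    are dropped into random slots of the dummy stream, and every gap is
    drawn from the same exponential distribution, so the send pattern
    looks the same whether or not anything real is in the queue. `rng`
    is injected for reproducibility; use random.SystemRandom() in practice.
    """
    if len(real) > total:
        raise ValueError("more real messages than cells in this batch")
    slots: List[Optional[bytes]] = [None] * total
    for msg, idx in zip(real, rng.sample(range(total), len(real))):
        slots[idx] = msg
    delays = [rng.expovariate(rate_per_hour / 3600.0) for _ in range(total)]
    return [(delay, make_cell(slot)) for delay, slot in zip(delays, slots)]


if __name__ == "__main__":
    plan = plan_sends([b"real message one", b"real message two"],
                      total=12, rate_per_hour=6.0, rng=random.SystemRandom())
    clock = 0.0
    for delay, cell in plan:
        clock += delay
        kind = "real " if unpack_cell(cell) is not None else "dummy"
        print(f"t+{clock:8.1f}s  {kind}  {len(cell)} bytes")
```

Run it a few times: the printout shows twelve identical-length cells at irregular times, and only the local labels reveal which two carry anything. A real deployment would keep the batch size and rate constant from day to day as well, since a client that suddenly sends more is itself a signal.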