Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Jersey Congressman Seeks To Bar NSA Backdoors In Encryption

Posted by timothy on from the that'll-stop-'em-sir dept.

Frosty P writes "Congressman Rush D. Holt, a New Jersey Democrat, has proposed legislation (summary, full text) that would prohibit the agency from installing 'back doors' into encryption, the electronic scrambling that protects e-mail, online transactions and other communications. Representative Holt, a physicist, said Friday that he believed the NSA was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced. 'We pay them to spy,' Mr. Holt said. 'But if in the process they degrade the security of the encryption we all use, it's a net national disservice.'"

13 of 200 comments (clear)

  1. Pointless posturing by Scutter · · Score: 5, Insightful

    A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    1. Re:Pointless posturing by Red+Jesus · · Score: 5, Informative

      Whoa, now. While it's true that the NSA has a history of disregarding the law, it's bad to fall into the trap of believing that there's no point to creating such laws at all.

      What do you want Congressman Holt do? Rip off his shirt and physically attack James Clapper? That's not going to help curtail the powers of the NSA and you know it. Congress creates laws. That's what they're supposed to do. If you think the law is a good idea, then proposing the law isn't "pointless posturing," it's Congress' job.

      It's easy to get so lost in cynicism that you stop believing that forward progress is possible. But it's an ugly fact that many of the NSA's recent activities have had explicit Congressional approval. Revoking that approval is an essential step to fixing the situation, and Congressman Holt should be applauded for attempting to do so.

    2. Re:Pointless posturing by Scutter · · Score: 5, Insightful

      I would like our current laws to be enforced. If the NSA is violating the law, those responsible should be prosecuted. If they aren't enforced, then there is literally no point in creating new laws.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    3. Re:Pointless posturing by Jah-Wren+Ryel · · Score: 5, Insightful

      I would like our current laws to be enforced.

      As John Oliver said on the Daily Show when these stories started to break:

      "Mr. President, no one is saying you broke any laws, we're just saying it's a little bit weird you didn't have to."

      --
      When information is power, privacy is freedom.
    4. Re:Pointless posturing by bondsbw · · Score: 5, Insightful

      Any law that the NSA violates puts them at risk in court, and this could be especially hazardous as political climates change.

      If the law isn't being enforced, that is the direct fault of the the President of the United States. He is in charge of enforcement, especially of executing laws related to national security. Don't weaken the law simply because the President fails to act.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    5. Re:Pointless posturing by istartedi · · Score: 4, Insightful

      I would like our current laws to be enforced

      And... Enforcement is the job of the Executive Branch, not Congress. Lots O' luck.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    6. Re:Pointless posturing by swillden · · Score: 5, Informative

      A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*

      Your cynicism has run away with your sense.

      The NSA has clearly been breaking the law, but they've been doing it through a series of rationalizations, and they've just been edging over the line, not just ignoring the law completely. Specifically, they have redefined the word "collection" to mean "reading", which allows them to hoover up all the information they can get access to and then only later have to decide what they can legally look at and what they can't. And, of course, once they have the data, mistakes are inevitably made or in some cases they may even decide flat out that there is sufficient justification to ignore the law "in this case". And of course there has been no law at all against installing back doors, just a tension with the other mission of the NSA, which is to ensure the security of US signals. Again, some rationalization can allow them to get past that.

      That's the kind of thing that it's very easy for good people who feel like they're working for the higher good to do. They can easily tell themselves that they're following the law except in isolated cases where it really, really matters because they have really, really good reasons.

      A law like this would be different, because backdooring systems must be done well in advance of any specific case where the backdoor would be used, making it extraordinarily difficult to rationalize it... and also making violations abundantly clear. To really make certain, the law should apply severe criminal penalties to anyone who knew about and didn't report the violation.

      I would like to see the law also require them to quietly go about closing all of the backdoors/weaknesses they've already put in place.

      Another change to the law that I think would be very useful is to explicitly clarify the definition of "collect". Granted that it's impossible in many cases not to collect a little extra data alongside the stuff that you're really trying to grab, but that could be addressed by specifying data retention limits in the law. Perhaps they should only have 24 hours to evaluate the origin/destination of captured data, and then be required by law to discard anything that they can't substantiate as being lawful for them to collect. Another suggestion I've heard would allow the NSA to capture everything they want, but would require them to immediately escrow all of it with a court or other agency, from whom they could request the pieces they can show they should have access to. That court or agency would, of course, have as its primary job to ensure the NSA doesn't cross the lines.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Locks? by QuantumLeaper · · Score: 5, Insightful

    If the NSA can get through a Backdoor, how do you know if a competitor or enemy is not getting in though the same backdoor?

    1. Re:Locks? by Anonymous Coward · · Score: 4, Interesting

      You can also use the same sort of mathematics that makes DH, ECDH, RSA and ECDSA possible to design secure-looking moduli or curves (in the case of ECDH and ECDSA) that are secure as long as you don't know the parameters used to generate the curve. It's basically DSA/DH but with three factors instead of the usual two.

      Both parties know the curve (it's a published standard), and one party (the guy with the private key) has both factors of the configuration parameter, the other party knows only the composite of the two secret factors (the public key). Now the exchanged nonce can be obtained by either the party with the private key or the party with the curve factors (the NSA).

      It is speculated that some published curves for ECDSA, have been designed in such a way that some aspect of their generation that is only known to the NSA allows elliptic curve solutions to be rapidly reduced. It is at least well known by cryptographers that certain curves are insecure in any usage, and that other curves might be designed to be trivially reduced only with some knowledge of the parameters used to generate them. What is not known is whether designing curves in such a manner doesn't also make them weak to other yet-to-be-discovered reduction methods.

      Interesting tidbit: there is no theory of security* for either ECDSA, RSA or DH, faith in all of these public key cryptographies rests solely on the lack of a theory of insecurity for them and the belief that if it were easy to create a theory of insecurity, someone would have published one by now (and some partial reductions of RSA have been published, prompting the necessity of using larger RSA keys than previously thought necessary)

      * For commonly used symmetric block ciphers, theories of security exist, that is there is good mathematical reason to believe they are secure and not merely presumption.

    2. Re:Locks? by Teancum · · Score: 4, Interesting

      The NSA is interested in people using encryption /it/ can break but others cannot. This helps maintain its monopoly on secrets, which is the source of its power (that it may also be useful in protecting American businesses and interests from foreign penetration is a bonus). Therefore it will point you towards stronger tools if it can, so its advice is not totally without merit.

      The kinds of people that publish non-classified papers about encryption by the NSA also know damn well that there are other very smart people around the world who do not work for the NSA, the U.S. federal government, or even give a damn about America.

      Seriously, where do you come up with this crap?

      Yes, if you see something published by the NSA, perhaps take it with a grain of salt and do your own kind of analysis. Learn a bit about mathematics first and understand not just that they have pontificated about some sort of algorithm but understand why they came to those conclusions. If not yourself, then at least find somebody who you can trust.

      There are secure encryption methods that are being used, and there is a good reason why the NSA wants to be assisting with the larger cryptographic community in developing secure forms of communication. Don't get into this kind of conspiracy theory bullshit and claim that they have some kind of mystical powers that simply don't exist. The NSA doesn't have any sort of monopoly over the concept, and of course neither did the Germans with the Enigma machine. In fact, it would have helped the Germans in World War II to have at least discussed their design with a few mathematicians prior to spending so much effort building the device rather than being so damn clever that some of the design ideas actually backfired and made it easier to crack that encryption method.... not that the guys at Bletchley Park complained if German engineers made their job easier.

      NSA agents aren't gods. They are good at what they do because they are professionals who do encryption on a full time basis and have received advanced training in mathematics. It is sufficient training that some of those people could teach mathematics as a professor at almost any university in the world, yet they choose to use their efforts to understand encryption in regards to the country they serve. That doesn't make them sinister, just patriots... patriots that know there are people just like them in other countries around the world.

      Besides, all encryption, from any point in history, has always been an issue of how much effort must be applied in order to break the code, not the question as to if the message can be read at all. If you need the services of a server farm covering a hundred acres working for a month in order to crack a message, you've done your job. The NSA isn't going to be applying that kind of brute force decryption effort on love letters between you and your girlfriend.

  3. 100 points for effort by Anonymous Coward · · Score: 5, Insightful

    but if you're worrying about the reputation of US companies, you're too late.

    1. Re:100 points for effort by Anonymous Coward · · Score: 5, Insightful

      Yesterday's news marks the very first day for what will become a very bad time for American closed source security products. It would almost have been better for them if Snowden had been able to leak the actually collaborating and subverted companies names rather than just the generalization "all major ones" - because as it stands now, big or small, they are all equally guilty and will suffer the democratic process their customers voting with their feet/wallets abandoning their backdoored closed source products. They all gave guarantee's of being secure before and the PR departments are working overtime to try and maintain the illusion, but it is a hopeless battle now... trust once lost is veery hard to recuperate.

      but if you're worrying about the reputation of US companies, you're too late.

      Especially when there is an army of politicians - all ONE of them AFAIK - calling this out.

  4. Re:This is a stupid idea. by Jah-Wren+Ryel · · Score: 5, Interesting

    but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S.Military.

    So the NSA did not screw with Dual_EC_DRBG in the NIST standard? Or is it just that any hardware which implements Dual_EC_DRBG is going to be rejected without explanation when it is submitted for FIPS 140 certification?

    --
    When information is power, privacy is freedom.