Slashdot Mirror
U.S. Gov't Grapples With Clash Between Privacy, Security
schwit1 writes:
WaPo: "For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee U.S. government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?"
NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:
"The odds of passing a new law appear slim, given a divided Congress and the increased attention to privacy in the aftermath of leaks by former NSA contractor Edward Snowden. There are bills pending to ban government back doors into communications devices. So far, there is no legislation proposed by the government or lawmakers to require Internet and tech firms to make their services and devices wiretap-ready."
NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:
"The odds of passing a new law appear slim, given a divided Congress and the increased attention to privacy in the aftermath of leaks by former NSA contractor Edward Snowden. There are bills pending to ban government back doors into communications devices. So far, there is no legislation proposed by the government or lawmakers to require Internet and tech firms to make their services and devices wiretap-ready."
So what's the acceptable limit?
Should they be allowed to watch you urinate?
Should they be allowed to watch you defecate?
Is it okay if they do this with a device that has an "Internet of Things" sticker on it?
, but divide the key into pieces so that no one person or agency alone could decide to use it.
Exactly how do they intend to split a key; by piling layers of encryption atop each other or by splitting the RSA public key modulo's factors into multiple authorities?
Given the option of piling layers of encryption on top of each other, it would seem that private keys would need to be divulged to create this encrypted comm. system
Introducing my super clever hack:
Wait till the key is needed.
Write the key down.
Use it whenever we want from then on, but make sure we tell everyone we're not.
An example of how to do cryptographically secure secret sharing:
Shamir's secret sharing.
There are other secret sharing schemes there, follow the link to the main article.
They will just do it anyway. It doesn't matter. Most people prefer to feel secure, they don't care how it's done.
“He’s not deformed, he’s just drunk!”
NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:
Sure. I totally believe that you're going to do that. I mean, it's not like you scum have a history of blatantly lying to the American people and doing the complete opposite of what you say you will, right?
How about no. Just fuck off and stop invading my privacy. You have absolutely no right there, whether you split that responsibility with other criminal--I mean, government-- organizations or not (not that I believe you'd even do that much).
That was easy.
The problem here is that uncrackable-without-the-secret crypto poses a problem for the "give us everything!" police investigators... these are the guys who want warrentless wiretaps and other gifts from the tech industry.
There's no master key that can solve all crypto... what they really want is a password that causes the device to give up its locks.
One should also remember that government employees with privileged access are people, and people can misuse the access they have.
We should recognize that the Fourth Amendment of the US Constitution was created to prevent this exact scenario. Law abiding people encrypt sensitive information to protect it from misuse by criminals, but the information can be misused by ANYONE with access.
Dividing a backdoor key between multiple parties simply creates a requirement that all parties agree to access the information before it can be accessed. It doesn't guarantee that the access will be lawful.
So... what makes the NSA think that anyone could actually keep these ultimate "keys to the kingdom" secret? I mean, just about everything else of theirs that was secret has leaked out thanks to a single contractor. Can you imagine how valuable these keys are, and how much money could be made by selling them? Hell, the US couldn't even keep our nuclear weapon plans under wraps.
And what's awesome about this scheme is that once the secret is out, every single smartphone in the US is compromised all at once. Whee!
Irony: Agile development has too much intertia to be abandoned now.
The idea could work. Meet the seven people who hold the keys to worldwide internet security http://www.theguardian.com/tec...
No matter how many US agencies you distribute the key over, one thing is absolute certain: If you require US companies to make any and all contents on mobile devices available to US government (and, considering who owns it, US corporations), absolutely NO non-US company could sensibly buy anything anymore from a US tech company.
Hell, the chance to not be spied on would be bigger if you bought Chinese crap!
Quite seriously, why should anyone trust a country that has a worse record when it comes to industrial spying than China?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
----Benjamin Franklin, Historical Review of Pennsylvania, 1759
Lets say that congress passes a law requiring all phone / tablet makers implement an encryption backdoor (key sharing or whatever - technical details aside for now).
First, would this pass constitutional muster? You're compelling companies not to implement encryption unless the gov't has a way in. Seems like some sort of 1st Amendment issue to me but I'm not lawyery enough to have a valid opinion.
Second, how would this work with open source projects? Cyanogenmod, for example. Same constitutional questions as above, but with the added problem of how do you enforce the law against an open source project? Do you declare git repos containing non-compliant Android forks to be illegal?
Does this only apply to cellphones which are regulated telecommunications devices? Or would it also apply to tablets, which are really personal computing devices? And if it applies to tablets, would it apply to other personal computing devices such as laptops and desktop PCs? And if so, does it only apply to encryption software sold with the device, or also to third-party supplied encryption software? And if it does apply to 3rd party software, does it only apply to commercial software, or free open source software as well? Are there 1st Amendment issues involved in regulating the distribution of free software, and if so do they apply only to compiled machine code, or to source code as well? The devil is in the details and I'm not really sure where dividing lines would be drawn.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
They can have a back door to my phone - as soon as they give me the key to all THEIR systems (up to and including the President and IRS etc) so that when WE have the right to data, they can't say "we lost it". What? Its only fair - they watch me, I watch them
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
Jesus people....When a Democrat is in office, you whacked kid liberal lefty use kinder or "conflicted" words. When Bush was in, these same people were calling him the Devil. We laugh at you.
For normal people, we recognize the right to privacy so there is no clash. The title is misleading. The Republicans don't recognize the average person as human thus they believe we have no rights. They strongly believe in the Constitution, but don't think it applies to the average person.
There's no clash. The law is perfectly clear on that subject. Only the government is choosing to ignore it.
Seven puppies were harmed during the making of this post.
Dr. Petrov: [Ramius has taken the Political officers Missile key and kept it] Sir! The reason for having two keys is so that no one man may...
Captain Ramius: May what, Doctor?
Dr. Petrov: Arm the missiles Captain.
Captain Ramius: Mmm, thank you for your concern Doctor
Have gnu, will travel.
Offer someone an extreme choice, "Here's a car for only $60,000!" and they'll be more likely to accept a more moderate choice (Here's a car for $30,000!) because it's better by contrast, not objectively. Today we're reading, "should the government get to read everything, everywhere?" and your answer is obviously "fuck no". But that immediate answer isn't the point.
Later you'll be presented with, "Should the government get extra-legal access to some things?" and because of this framing you'll be more likely to say "yes".
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
"We know you're worried about the implications of all the snooping we're doing.
But trust us, we're grappliing with the consequences.
No, we're not about to stop. Nor are we even going to attempt to slow the growth of our snooping.
But we are grappling with it.
Trust us."
In what manner was the US government concerned with privacy?
After 9-11, we were supposed to just stop being Americans and give up the whole idea of what our founding fathers wanted.
Be a coward, and given them all the power they want, and see where that will get you.
https://www.youtube.com/c/BrendaEM
Dividing the key makes sure a single individual cannot have access. But since all individual workers obey to their employer, it does not prevent any NSA access.
This is just a measure against rogue NSA employee access, not against NSA access.
For normal people, we recognize the right to privacy so there is no clash. The title is misleading. The Republicans don't recognize the average person as human thus they believe we have no rights. They strongly believe in the Constitution, but don't think it applies to the average person.
Can we say "Diane Feinstein?" The disease is not specific to one political party or the other. The disease is specific to those those love power over everything else.
"NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it."
That has to be the most laugh-out-loud tactic I've heard in awhile, yet also really clever as it could easily fool someone trying to be reasonable yet isn't informed as to the NSA (and even FBIs) tactics and capabilities.
Yes, you split your key into say 3 pieces. Company holds a piece of what becomes basically a password, as does the FBI and NSA. If the FISA court says OK to a request, the company/FBI/NSA give each other the pieces. There are a few problems:
1. The NSA/others now just have to make it a serious goal to get those pieces via other means out of the FBI/CIA and corporate servers without telling anyone and they've got all the access all the time.
2. If brute-forcing, you've drastically dropped the strength of the key.
3. Stuff I'm not smart enough to think about.
I swear they throw this stuff at low-information websites & voters to see what sticks, and it's sad how much of it does.
I think most people fear a SWAT team coming in and shooting them in their own homes, than jihadist terrorists.
NSA has not measurably made anyone more secure since they started this big brother program. You assume it works, but collecting more noise does not make the signal stronger.
This idea of 'secure' you have, indicates a nice trust of the perfect nature of your leaders (i.e. the NSA), but those of us in foreign countries know where that leads to.
Really, swap NSA for KGB and you've got the situation you're creating. A case where the spooks will slowly ensure that all the partner countries are further and further right wing and in a feedback loop those will ensure the US goes to a military extreme dictatorship.
Consider the state of 5 eyes countries now, can you seriously tell me the info the US has on those political systems isn't used to twist them more US military centric? Because its visible for all to see what they've been doing. New parties (UKIP in the UK for example), face leak after leak of their most embarrassing secrets, and when phone calls from 3 years ago before the person was even a UKIP candidate are leaked, you ask yourself who records and indexes and stores that data, if its not the spooks?
When they want to pass a law to legalize adding a backdoor, it means they already added the backdoor and want to make it legal.
See the 2007 tapping of US telephone exchanges, they made a law to legalize and give immunity to the telecoms companies it when it was exposed. Obviously you don't want to announce it if possible, so you only pass a law when forced to.
PRISM showed they already plugin in to major corporations data.
All those 'Cloud Cameras', that send the video up to the website.... All the phone calls you make, the messaging services,.... all feeding General Collect-it-all's giant datacenters. All with US corporate complicity.
But she is a DINO so everything she does is the fault of the Republicans.
If a backdoor key exists, then the company that created it must by law give it to any lawful government authority that requests it. For example, if a company does business in Saudi Arabia, and a backdoor key exists, they may be compelled under Saudi law to give that key to the Saudi's. If a company does business in Russia, they may be compelled by the Russian government to give them the key. That's the nature of a backdoor. You can't just give it to only one entity. And let's not forget about Gemalto. They have cellphone encryption keys for the SIM cards they produced, which were held on their servers so that law enforcement agencies could obtain backdoor access to cellular communications via the legal process. However, the NSA broke into their servers and stole all of their secret keys, and then used them to mass decrypt cellular traffic. That's a real example of key escrow in action, and it completely failed to protect anyone.
"but divide the key into pieces so that no one person or agency alone could decide to use it."
We've already seen cases where the FBI will back local/state law enforcement in hiding information about Stingray. The other agencies would happily scratch each others back to share these keys, so there's no real effective "wall" between agencies that makes this acceptable.
Sorry, but if you create a system with a security compromising flaw in it, even a well hidden, obfuscated, extremely well guarded flaw, someone aside from the "intended" users of said compromise are going to use it to break in.
The government's "need to know" does NOT trump my right to privacy. And if there's a real problem with that, they'd better be overtly bringing soldiers in to try to make me comply.
Chas - The one, the only.
THANK GOD!!!
U.S. Gov't Grapples With Clash Between Privacy, Security.
Are you kidding me? Our government has and will spy on us. We no longer live in the old USA.
Why this kinda thing is even floated must be for the young who don't know better. I know for a fact it was going on via satellite (phone calls and more than meta data) since I was in A school in 1988. Only back then, key words flagged the targets because of computer speed. These days, game over for privacy
The only thing they're "grappling" with is how to continue unlimited spying while convincing you they're respecting your privacy.
./.
Allready here.
Like a vnc server pulling from the frame buffer OS independent?
Remember the BS in the 90's? Skipjack? Pushed by Janet Reno IIRC.
It was shit then, and it's even stinkier now...
And you war-obsessed, money-blinded, overly-religious conservatives are saying what, exactly, about the current president? That he's some kind of angel of sunlight? No. You guys are currently calling him the worst president ever, claiming he's gonna make himself dictator (despite the 22nd Amendment to the US Constitution), comparing his administration to ... well let's not Godwin this. Notice I did NOT single out any current or past US political party.
Here's a newsflash: since before this country was founded, the person currently holding the highest office in most any country has been called every nasty name or epithet in [the then current version of] the book by his or her opposition, while that person's supporters of course use "softer" words when criticizing him or her, with variances of course depending on the country.
And yeah, I meant every word of that opening sentence. Why? Because I am a moderate, and would like to think I can see *both* sides of the current political climate, and conservatives today are just as bad as they were 50, 100, 200 years ago. The noises you make are the same, only the reasons and target of that noise have changed.
How's the phrase go? "Reality leans liberal" or something like that? Maybe it does, but only if you compare it to "conservative" as the terms are measured in the US. Compare it to the rest of the civilized world, and reality is (and should be) a lot closer to center/moderate.
Steering this back on topic, that means we keep our privacy, security, strong encryption without ANYONE else holding the keys but us), and so on, and the government goes and dunks its collective heads in the toilet. They don't need our data to make us any safer, and we don't need to BE any "safer" anyway.
Anything the US Congress decides to do legally to force security gaps is going to end up in economic disaster. It's already happening with sales of Cisco and other networking gear manufacturers products taking huge hits abroad or even outright bans for certain contracts. And Silent Circle moved it's corporate headquarters to Switzerland just to be able to give the finger to any secret orders. Last time they tried this it was called the clipper chip. Failed miserably. How about instead of sanctioning privacy violations, you make sure your actions follow the moral high ground and aren't dubious. Then people will trust you enough to make exceptions.
In the twisted world of espionage logic, it's guilty until proven innocent. Or at least innocent, but eventually you'll be guilty of something therefore we will watch you now. Just like the statistics, just with a little less perceived fear.
It is in the interest of anybody to help in providing the best possible encryption because "Whatever govs can do, crooks will do better". It not only helps the industry or privacy. It also protects itself as it is likely that such mandatory back doors will be technically outdated and hacked quickly after put in place. Weak Encryption has decided the fate of Mary Queen, the deciphering of the Zimmerman telegram a hundred ago played a role in the outcome of WWI and weaknesses in the use of the enigma cryptology was important in WW2. Since then, technology has exploded and become more important everywhere. Any government proposing to weaken its own communication infrastructure by mandatory crippling their own industries will be in a disadvantage. The dream is of course that high up, secure systems are going to be used. As they will not have been well tested, they are likely to be hacked even faster than a device for the masses with a backdoor which has withstood standard attacks and gone through peer review by hackers. And if some really sweet military grade encryption will remain to be safe, it will be a goldmine for a company selling devices with such additions abroad.
However, the NSA broke into their servers and stole all of their secret keys, and then used them to mass decrypt cellular traffic. That's a real example of key escrow in action, and it completely failed to protect anyone.
The reason not to have a back door key. Even if the key was divided up a copy of all parts would soon be gathered.
Well this does show the encryption does at least slow them down or they wouldn't want a backdoor.
If I write a letter to my U.S. Congressman / Senator will that actually help?
I believe the FBI uses probable cause warrants for the vast majority of their cases; I even seem to recall an NYT article outlining the places where they'd screwed up -- they certainly existed, and were far larger than they should have been... but it was nothing like "all the time." As for "to oppress and enslave" and "stupid people", a) there is definitely stuff going on that I'm uncomfortable with, but b) the people making it happen are folks just like you: egomaniacs who are always sure they're right. It's clear you're smart. It's also clear you're stupid. These two statements are not mutually exclusive.