Slashdot Mirror
Why Crypto Backdoors Wouldn't Work
An anonymous reader writes: Your devices should come with a government backdoor. That's according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.
Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."
Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."
I seem to recall that we went through this in the mid to late 90s, where the government insisted any use of strong cryptography should as a matter of law, have a backdoor for the government. Then suddenly they dropped it, and all of us paying attention knew they got their way by some other means. Now post-Snowden, I guess we know what that was, and they're back to beating this horse all over again.
The answer should be no, with absolutely no further discussion.
Snowden insisted the journalists remove the battery from their phones and put the phones in the fridge.
That pretty much tells you how useful 'encryption' on Android would be against back doors. None, if you can't protect your speech near the phone you can't protect the password.
Police and government have promoted remote-controlled kill switches on cars for the last 20 years. Although it exists via General Motors OnStar, it's not practical. That will change with vehicle-assisted driving and driver-less cars.
The government already has access via hand-held battering rams and 14 tonne, wheeled wrecking-balls (AKA assault vehicles). Big money and brute force doesn't work on encryption, unless they turn it into rubber-hose decryption (Oblig. XKCD). But the three-letter agencies can't do that 200 times a day, so they want a cheap, simple solution that labels the common people as criminals without rights.
...has the fact a program simply won't work deterred the Government from attempting it anyways?
Seems to me, everytime they talk about this kind of thing, it does exactly what I want. Raise crypto awareness. Keep trying guberment. The more you preach for backdoors, the more people you make aware of the usefulness of crypto. Streisand effect anyone?
Making strong crypto illegal would only affect those in the US's jurisdiction. It would not affect the most desirable targets (outside US jurisdiction) and would have a chilling effect on demand for US technology products.
And the even simpler argument. I'm not a U.S. Citizen. Why would I be happy the U.S. Has the ability to backdoor my app?
But warrants are [whining voice]SOOOO HAAARD. You have to show probable cause and all that stuff. It's too much work.[/whining voice]
Plus, [overly paranoid voice]in the time it takes to get a warrant, a criminal could enact another 9-11 or could destroy the evidence that they were planning that.[/overly paranoid voice].
Those are the reasons why law enforcement needs access to stuff without a warrant. The whiny, paranoid reasons why.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Making strong crypto illegal would only affect those in the US's jurisdiction. It would not affect the most desirable targets (outside US jurisdiction) and would have a chilling effect on demand for US technology products.
Theres already a chilling effect on demand for US technology products.
I'd like to see a company in a privacy-respecting nation such as Netherlands to release some decent network hardware...
In the free world the media isn't government run; the government is media run.
It's just not technically feasible if there is any respect for liberty...
*Ah, there's the rub, isn't it?*
“He’s not deformed, he’s just drunk!”
8) People will only buy tech made outside of America, costing America jobs and draining away expertise.
And this is where you get off track. The whole point is to backdoor enough of the system that there's a means to collect 90% of the information from 99% of people. There is no presumption for a "technically feasible" way to collect 100% of the necessary information from 100% of the people. If there were--and presuming we had a just system in place to use the information--, then we'd have a way to catch all criminals who planned terrorist attacks, or really anything, with an Android phone. Instead, at best the hope is to get large bits and pieces that narrow down the list of who to monitor and monitor as best as one can in as many ways as one can (since not everything is done with smart phones, anyways).
Honestly, the whole point is precisely that pervasive surveillance is key. It's not that any sort of surveillance must be 100% effective. Because that's a useless definition of the word "work".