US Tech Giants Ask Obama Not To Compromise Encryption
An anonymous reader writes: Two industry bodies which represent Microsoft, Apple, Facebook, IBM, and others, have written to President Obama urging that the U.S. government not seek to legislate "official back doors" into encryption techniques. The Software and Information Industry Association and the Information Technology Industry Council sent the "strongly worded" letter on Monday, saying, "Consumer trust in digital products and services is an essential component enabling continued economic growth of the online marketplace. Accordingly, we urge you not to pursue any policy or proposal that would require or encourage companies to weaken these technologies, including the weakening of encryption or creating encryption 'work-arounds.'" The letter is the latest salvo in a public battle for secure communications, one that has reached the public eye in a way that few security stories do.
After the last renewal of the Patriot Act, wouldn't it just be easiest for the US government to name each of these companies an "ISP" so they'd be compelled to collect information on their (unencrypted) servers?
They actually mean "Consumer trust in _closed-source_ digital products and services is an essential component enabling continued economic growth..."
The article lists five representative companies, but the summary omits the second one of the five for some reason.
U.S. American tech company immigrants are coming, with their educations and disposable incomes.
Why do we need encryption rules in the TPP?
A key priority for the U.S. semiconductor industry regarding the Trans-Pacific Partnership (TPP) Agreement currently under negotiation has been to introduce rules to prevent restrictions on the import and use of commercial encryption technologies.
You can bet VPN and other technologies are on the plate too.
If you Google "encryption and TPP" you will find a link to the PDF without having to fill anything out.
http://go.semiconductors.org/w...
"If any question why we died, Tell them because our fathers lied."
I think if they can't manage to convince politicians how dangerous their plans are, there will be some TV adverts that tell the lay person in an easy to understand way what is going on and what the risks are.
If the same message is brought to people in adverts by Apple, Google, Microsoft, Facebook, Amazon, eBay, and they all tell you that the politicians want to mess up your life, that would get people's attention. Not just on Slashdot.
No matter how well intentioned the government may be in requesting a crypto back door, all it does is open up a hole for potential criminals and state actors to steal information from individuals and corporations alike. Unless the government was somehow able to indemnify and protect all parties involved, there should be no back doors. End of story.
Obama will take your money, and he'll do what the security agencies want.
Just out of curiosity, what would a weakly worded reaction look like?
Wow, these idiots actually think that they will be the only ones with access to these back doors? They'd be hacked in minutes, and every secret that every American company had would be in the hands of the Chinese, Russians, and independent hackers.
These idiot authoritarians need to be taught that their idiocy KILLS American business. But then, I guess they don't care. They think they can just print their way to prosperity.
Because Patriot Act, and because the children, and the security, and soccer moms, and God Bless America.
People will clamor for more controls, more restrictions, because they've been trained now (since the 30s) that government produces wealth while business creates oppression.
Most of the recently proposed crypto algorithms aren't American. The cat is out of the bag - crypto is an academic subject now, and everyone's participating.
Religion is what happens when nature strikes and groupthink goes wrong.
A government that does this:
http://www.theguardian.com/wor...
is simply no longer interested in the rule of law other than to further their handler's interests.
So, request away! Ask for a pony while you're at it.
Please do not read this sig. Thank you.
Not backdoored, just vulnerable. That happens as science progresses. That 1024 bit key that was secure a few years ago, is not secure today. What is good enough moves each year, but people and companies do not.
Modern app appers use Windows 10, which apps apps that app other apps so they don't need encryption!
Encryption is only needed for luddite programs like Windows 7, which aren't capable of apping apps!
Apps!
Weak encryption is effectively the same as no encryption. Encryption has no value unless it cannot be broken. You cannot make encryption only weak for the "good" guys. It simply doesn't work that way and wishing will not make it otherwise. Any government official that argues in favor of weak encryption is either ignorant of how encryption works or is corrupt/self-serving and just wants their job to be easier without regard to the consequences.
Yes I am fully aware that "bad" guys having access to strong encryption presents certain challenges. However weakening your own encryption so the government can spy on the populace will not EVER solve that problem.
Systems are being hacked at the moment en masse, without "weak" encryption.
I do not understand how people do not see the danger of back doors and encryption that can be broken at will.....
If our government can do it, so can other hostile governments and 3rd party players (mob, hackers, terrorists) with the correct information.
http://www.itic.org/dotAsset/58fbf8de-cd86-47a0-a114-43a55776d2e6.pdf
There's the letter. I had to search for the bit Reuters quoted to find it, which is a fucking shame.
What else are these companies going to say? Public statements and actions like this are meaningless.
In the marketplace of encryption, all it takes is one covertly compromised new algorithm that beats the competition for commercial use. The compromise itself must be computationally hard to detect, and there are approaches to that. Bottom line, however, is that I don't see how anything industry says could have the slightest bearing on whether this asymmetry is pursued.
Those who sleep together reap together.
What is this, the Third Reich?
Not vulnerable, specifically engineered to ensure that the technological gap between groups like the NSA and academic research is enough to allow the NSA to break, but no one else to spot it.
That is a backdoor.
Are you saying that backdoor'ed encryption is a mathematical impossibility, or that it won't work in practice because the backdoor key will eventually leak due to hacking, rogue employees, etc?
When the US creates a backdoor in its security software, the world will laugh! We will hunt you down, break into Apple and Microsoft, download all master copies of OSX and Windows, make it open source, improve security, and say bye bye!
Thanks for all you've given us in the past century. We can do without you now.
Are you saying that backdoor'ed encryption is a mathematical impossibility, or that it won't work in practice because the backdoor key will eventually leak due to hacking, rogue employees, etc?
It is almost certainly a practical impossibility and I'm confident it is a mathematical impossibility too. A key is either possible to crack in a reasonable amount of time or it isn't. There is no middle ground. You can hand a key to whomever you like but if you create the backdoor by weakening the encryption then it is weak for everyone who would be interested in cracking said encryption. If the NSA can figure it out, so can others. Furthermore, each additional party you hand a key to creates another vector for attack which is the practical problem. Even if the encryption were somehow secure we know from experience that keeping the systems that store the keys secure presents some security challenges that we are in no danger of solving.
Dollars are much more effective
In the end, companies will do what's in their best interest regardless of who thinks they can control it.
I've been in the IT game long enough to remember the Clipper Chip debacle, Phil Zimmermann, and a host of other stupid ideas governments have tried to foist on the private sector.
What with open source software being open and the world being smaller than it was 20 years ago, the chances of government control are slim. Someone can simply move offshore and take care of business. The US Government is already the cause of so much money being lost to the US economy. Obama did say he wanted to "fundamentally transform" America. He's done that, and in ways that are not so good. We have less freedoms than we did 20 years ago. Things have become so politically correct. Everything and everyone is under a microscope now.
And I hate to say this but if they legislate bullshit like that... Move all your businesses overseas.
On another note it will save them the hassle and expense of bullshitting about there being no American Tech workers while they shuttle H1Bs in by the boatload and use American Tech workers to train their own replacements.
They are just making this hubbub to throw people off. They have key loggers and ways to view your screens that can not be detected with normal means. Using some other form of network that is hard to spot. Don your tin foil hats cause they can read brain waves too. Who really knows? With all the things I have read on USB and viruses being able to bridge air gaps; I don't know, it could very well be as advanced as I am making fun of. Mosquito sized drones and all.
when I was a kid, this is the sort of thing I would expect to hear of the USSR... now it's here...
it seems to me that if they force backdoors or weak security, wouldn't that hurt most US-based IT security vendors?... wouldn't that force any that wanted to sell internationally to relocate outside the US?
what is the point of any encryption at all if there is a backdoor built in, or it's weak to begin with....
"You cannot make encryption only weak for the "good" guys. It simply doesn't work that way and wishing will not make it otherwise"
The broken elliptic-curve random generator actually had such a feature: it was likely that the NSA has a secret key that could be used to recover the internal state of the random generator. However, recovering this secret key was impossible for all practical purposes.
For encryption, one could demand that encrypted data includes a header that contains the key to decrypt the data, that key being encrypted using a public key provided by the "good guys". Voila, the good guys can decrypt your data and the bad guys cannot.
Avantslash: low-bandwidth mobile slashdot.
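The escrow-header scheme proposed in the comment above, as an added example that is not part of the original thread: each message carries its session key wrapped once for the recipient and once for a single escrow public key, so the escrow private key alone opens every user's traffic. The RSA here is a toy (textbook, unpadded, Mersenne primes) and the keystream is a stand-in for a real cipher; all names (`seal`, `unseal`, `escrow_header`) and messages are hypothetical and constructed.

```python
import hashlib
import secrets

# Toy textbook RSA over Mersenne primes with no padding: illustration only, NOT secure.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

def kdf(x):
    return hashlib.sha256(str(x).encode()).digest()  # session secret -> cipher key

def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (stand-in for a real cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(plaintext, recipient_pub, escrow_pub):
    """Encrypt once; wrap the session secret for the recipient AND the escrow holder."""
    k = secrets.randbits(128)
    return {
        "recipient_wrap": pow(k, recipient_pub[1], recipient_pub[0]),
        "escrow_header": pow(k, escrow_pub[1], escrow_pub[0]),
        "body": keystream_xor(kdf(k), plaintext),
    }

def unseal(msg, field, priv):
    """Unwrap the session secret from the named field and decrypt the body."""
    n, d = priv
    return keystream_xor(kdf(pow(msg[field], d, n)), msg["body"])

# Constructed key pairs: two unrelated users and one escrow authority.
alice_pub, alice_priv = keygen(2**61 - 1, 2**89 - 1)
bob_pub, bob_priv = keygen(2**521 - 1, 2**607 - 1)
escrow_pub, escrow_priv = keygen(2**107 - 1, 2**127 - 1)

def demo():
    m1 = seal(b"alice: payroll file", alice_pub, escrow_pub)
    m2 = seal(b"bob: merger terms", bob_pub, escrow_pub)
    return {
        "alice_reads_own": unseal(m1, "recipient_wrap", alice_priv),
        "alice_reads_bobs": unseal(m2, "recipient_wrap", alice_priv),  # wrong key: garbage
        "escrow_reads": [unseal(m, "escrow_header", escrow_priv) for m in (m1, m2)],
    }

if __name__ == "__main__":
    print(demo())
```

The user keys stay independent of one another, but the escrow private key is a single value whose disclosure exposes every message ever sealed under it, and rotating it afterwards does nothing for ciphertext already stored.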
Key = MD4(WHOLE_INTERNET) *SHA1(WHOLE_INTERNET);
CypherTXT = xor(Key,KlearTXT);
console_write("Your'e Welcome")
works great for full-disk or email
Free as in bier but send pizza instead.
Thank You.
I am pretty paranoid about this stuff usually and I know there have been similar measures in the UK already but there is absolutely no way this would survive or even make it to a law in the US. The encryption falls under free speech and it would devastate US tech companies overseas.
Anyone else catch the nonsensical bomb-threat at the White House yesterday?
I was passing a TV set to CNN and that was the focus. I've not seen much about it otherwise.
But they evacuated the Press Room once or twice.
Eventually somebody stood at a podium to opine about how we all need to address this issue of Encryption because it hinders their ability to catch the bad guys when the bad guys "misuse" encryption.
I was incredibly offended at the very idea. It's so stupid - you either use it or you don't. Using encryption to keep the feds from looking over your shoulder and reading your communications is not "misuse". It's the entire purpose and absolutely correctly used as such. And in the context of the US, it would seem we have the 1st, 4th and 5th amendments to consider.
Not only was I disgusted at this moment of sheer propaganda, I found myself very inclined to believe the entire thing was completely staged.
The gap you speak of is a myth. Your belief that the NSA has superior intelligence and skills is nothing but blind faith in a bullshit myth. In order to work for the NSA you have to be stupid enough to work for the NSA. Everybody seems to miss that fact for some reason.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
The U.S. Government has already coerced many encryption developers to weaken their encryption. This to me seems like these big companies are trying to garner some consumer favor and seem like good responsible corporate citizens. But most realize they aren't.
In both cases all it would take would be for that sensitive info to leak out *one time* and the whole scheme is blown worldwide for everyone. And don't say you'll just change the super secret government private key. It'll only be good for two weeks or so at a time, and all encrypted everything everywhere would have to be re-encrypted with brand new keys every time there was a leak (because, you know, you're including your private key in every stored encrypted file).
Have they forgotten that we had multiple people over the years trying to sell/give away nuclear weapons secrets from the very beginning of the program?
And I bet for every person that would sell nuclear weapons secrets, you could find a thousand that would sell backdoor encryption keys.
How can they possibly imagine that no one could be found to divulge the backdoor for a few million dollars?
For one thing, certain Wall Street firms would have the backdoor keys within days, if not hours.
And if money didn't work, those firms aren't at all afraid to use their ex-FIS/GRU employees to do whatever it takes.
... who noticed that the summary says "secure communications", not secure devices or secure storage? Maybe their lawyers are thinking the right to be secure in their papers and persons would cover that, but the government doesn't seem to think that way.
The NSA might not have superior intelligence and skills, but it does have superior resources. Logjam is a good example here. They could exploit a known weakness while it was still assumed nobody had the capacity to break it.
Weak encryption is effectively the same as no encryption
I disagree. Weak encryption is significantly worse because it is misleading. At least with no encryption you know that your information is unprotected. With weak encryption you run the risk of being misled into believing that your information is protected when, in fact, it is trivially accessible.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Reminds me of a movie called: Wag the dog.