Slashdot Mirror


The Rise of the New Crypto War

blottsie writes: For more than 20 years, the U.S. government has been waging a war on encryption, with the security and privacy of all Americans at stake. Despite repeated warnings from security experts, the FBI and other agencies continue to push tech companies to add "backdoors" to their encryption. The government's efforts, which have angered tech companies and researchers, are part of a long-running campaign to pry into every secure system—no matter what the consequences. This article takes readers from the first Crypto War of the early 1990s to the present-day political battle to keep everyone who uses the Internet safe.

19 of 91 comments

  1. Justify the Budget, Keep Peasants In Fear by WillAffleckUW · · Score: 4, Insightful

    1984 was right, it was just 20 years early, and this is the script they are working off of.

    Look, we all know where the terrorists are and who is spreading it, and how to track and follow them. Encryption is no more a threat than a candy bar behind a locked glass case in a supermarket too high for kids to reach is.

    The reason they defeat the spies is the spies are too stupid, and ignore the real threats due to the massive overkill of non-relevant data and metadata that obfuscates the actual threats.

    They already have access to your phones and already subvert them for target cases, so it's just more justification for insane stuff we don't need.

    --
    -- Tigger warning: This post may contain tiggers! --
  2. Re:"...keep everyone who uses the Internet safe." by Rasperin · · Score: 2

    Did the Fourth Amendment rights ever get worked out in relation to them hacking into computer systems (or wouldn't this law be in direct violation?)?

    I ask in earnest to see if these things were ever challenged in the past.

    --
    WTF Slashdot, why do I have to login 50 times to post?
  3. "Saving Lives" is their claimed priority... by ameline · · Score: 4, Insightful

    If that were actually true that saving lives or keeping people safe were their true priority, they could be vastly more effective by spending their money on reducing the highway traffic fatality rate. Over 30,000 people die on the roads of America every year. Reduce that by 10% and you'll save the equivalent of a 9/11 attack *every* year.

    Of course safety and saving lives is not their primary purpose -- it's entrenching their power structures. The ability to pry into everyone's communications and files is (in their opinion) essential to that.

    --
    Ian Ameline
    1. Re:"Saving Lives" is their claimed priority... by ArcadeMan · · Score: 3, Insightful

      The same kind of numbers could be used against tobacco, alcohol, food with excessive amounts of fat/sodium/etc. Except there's money to be made with those, so the number of deaths doesn't matter.

    2. Re:"Saving Lives" is their claimed priority... by Anonymous Coward · · Score: 5, Insightful

      Want to know how to spend money to save lives? Stop bashing the younger generations and give them some career path.

      What I feared most, a brain drain, is already happening. Americans [1] are bailing to Latin American countries because they can't find any jobs, and student loan debt guarantees a shitty credit record for life. So, it is either live like a mendicant, commit suicide, or move to a country that wants intelligent people that will better themselves.

      We have an entire segment of disaffected people. What happens when there finally is no hope? Look at Egypt and the Arab Spring. Occupy may be dead, but those people are still there. All and all, it would be a lot cheaper to fund something like the WPA and give meaningful labor than to pay for what it would take to handle a constant, protracted insurgency.

      As for security, demanding backdoors is retarded (yes, the "R" word.) After Snowden sold out the NSA, this drove a wedge between the US and close allies. Security companies that get harassed in the US can easily set up shop in other nations, with that country's intelligence department calling the shots [2].

      Further demands on backdoors in security are just masterful foot-shooting. If this keeps being pressured, I'm sure most companies have moved their security coding offshore, or even spawned separate companies that are not under the US flag. Then, the only thing that can be done is bar secure crypto from being imported or used, which can be easily done with a stroke of a pen.

      [1]: Technically residents of the United States of America, but Americans is a phrase used here.

      [2]: Want to do business in China? Some firm over there has to own 51% of any venture on their soil.

    3. Re:"Saving Lives" is their claimed priority... by ameline · · Score: 2

      I didn't say it wasn't getting better (mainly through better safety features and better design in cars), but that spending money on the security state is an incredibly inefficient way to make people safer and save lives. Doing almost anything *other* than just lighting the money on fire (you know -- sending a message :-) would likely be a more effective way to make people safer.

      --
      Ian Ameline
    4. Re:"Saving Lives" is their claimed priority... by ameline · · Score: 2

      I'm Canadian -- I can't vote in American elections.

      I can and do vote here in Canada, and in our upcoming election we have an option (NDP) who have promised to repeal the horribly flawed bill C51 (https://en.wikipedia.org/wiki/Anti-terrorism_Act,_2015). I encourage all like-minded Canadians to get out and vote this fall.

      --
      Ian Ameline
  4. Re:Knowledge is a weapon by ArcadeMan · · Score: 3, Funny

    I use ROT26. So far, all my communications have gone unnoticed.

  5. Re:Knowledge is a weapon by weilawei · · Score: 2

    I'm sorry, could you say that again?

  6. Re:Knowledge is a weapon by ArcadeMan · · Score: 3, Funny

    Whoops, I'm sorry. I used ROT26 twice in my previous post.

  7. crypto war 3.0 you mean? by Kishin · · Score: 2

    I keep saying we should call it the Third Crypto Wars because NSA + GCHQ already won the Second. They did that in a secret war on all systems and cryptography with aid from post-9/11 legislation. The Snowden leaks attest to what they accomplished. Most crypto out there doesn't deliver on its claims because they backdoored, weakened, or bypassed (endpoints) it. Now, from a position of dominance, NSA and FBI are launching a Third War on Crypto which is a mixture of public (see article) and secret (try to see TPP). This is an attempt to automatically achieve what they currently work hard for. We're not going to stand a chance of winning this third round if we don't acknowledge they already won the second. And did it without hardly anyone noticing pre-Snowden. That's how bad our current position is and why we need to fight that much harder for strong security across the whole stack.

    Note: I've only seen a few strong constructions ever posted on Slashdot or most other IT news sites. *Those* kinds of things don't get popular. NSA etc love that. It's why the majority doesn't stand a chance whether using proprietary or FOSS. Rare exceptions to that.

    Nick P

    1. Re:crypto war 3.0 you mean? by linuxrocks123 · · Score: 2

      Bullshit. One of the most interesting things to come out of the Snowden revelations was the discovery that the NSA doesn't have any secret ways into properly done crypto -- Schneier even noted as much in his interview with Snowden.

      You're right that most people's communications aren't encrypted -- that's an artifact of people trusting large corporations like Google and Apple with their data. But dm-crypt and loop-AES on Linux have been safe for a long time, and, though I wouldn't personally trust BitLocker and Apple's equivalent, I've seen no concrete evidence they're backdoored, either. And then there's TrueCrypt and its successors, which are brilliant pieces of work. TrueCrypt has even been audited and found solid.

      This is the second crypto war. The government lost the first with Clipper and Skipjack, but the low priority most people put on security and the general low level of intelligence of criminals meant that they didn't often run into problems, despite their loss. Most people accept the defaults on software, and encryption isn't the default.

      Now, Google and Apple are announcing that they will make encryption the default on their phones. This is the cause for the government's alarm: encryption by default would be very inconvenient for them. They've always known this, which is why they fought the first crypto war. They lost, and encryption slowly but surely became more and more prevalent. Now it promises to be Android+iOS-level prevalent. They don't want that, for obvious reasons. This is their last stand. And they will lose, for the same reason they lost the first crypto war: encryption is a fait accompli.

      Unfortunately, they have a point. Not being able to read legitimate criminals' communications will likely make the police's job harder. We have a system of privacy protections that attempts to strike a balance between privacy and law enforcement, and encryption tilts the scale all the way in favor of privacy and against law enforcement. There's nothing anyone can really do to fix that; it's just how the world works now. But it's worth acknowledging that there is a problem here, even though we don't have a solution to the issue, and even though the FBI's proposed solution is completely insane.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    2. Re:crypto war 3.0 you mean? by AHuxley · · Score: 2

      Re "revelations was the discovery that the NSA doesn't have any secret ways into properly done crypto "
      The NSA and GCHQ have enough hold over emerging academics, crypto, open source and crypto history to shape any useful standards.
      Before Snowden the idea was that someone or something to do with academics, open source, political scandal, private sector legal leadership, private sector risk, the press or very smart people or antivirus protection teams would notice "something" about weak international crypto standards and the computer press globally would ensure a rapid international exposure and correction.
      Nothing was noticed in the banking and telco networks of the 1960's, 70's? into the home computers of the 1980s, the emerging social and security standards, beyond 2000... company and university experts and their endless funding and grants.
      The UK enjoyed plain text decryption in pre ww2 Europe and into the 1950's. The US expected the same on any emerging networks.
      NATO nations and any country with links to the West got expert help to secure their systems and new networks. Totally secure along the network. Reverting to plain text in realtime for the NSA and GCHQ every upgrade and decade.
      Re "This is the cause for the government's alarm: encryption by default would be very inconvenient for them."
      The hardware and low level text input will always revert to plain text to be displayed or entered by the user. Law enforcement will always have access to that if the device is to be sold in the US or UK. The user can run any application they want and developer can compile, sell any application they like on top but the voice and text at its most readable level always reverts to a form that is wiretap friendly as sold within the device by design as sold.
      Compile, design, encrypt, it's the hardware and OS that will always be ready to report back when needed every time a cell or other network connection is made.
      re "There's nothing anyone can really do to fix that"
      The Soviet Union fixed the issue by using one time pads in the 1950's for a short time but had to give up as it had so much data to move globally. Once upgraded entire networks were again fully open to the NSA and GCHQ at all levels over decades.
      France had all its diplomatic traffic intercepted by the US and UK in the 1950's. Hardware fixes in the 1960's helped but then the amazing upgrade offers from the GCHQ in the early 1970's opened most interesting French networks to the US and UK again.
      re "The government lost the first with Clipper" The US and UK had hardware, networks and software standards as shipped. A generation was distracted from understanding the lower layers of popular OS or networks standard as shipped by ideas that an extra 'special' chip was needed.
      The sale and use of home computer or cell phone at a low cost was all that was needed.
      re "There's nothing anyone can really do to fix that" The world is slowly understanding that decades of weak networks and junk crypto standards are not just open to 5 eye nations. Smart people, dual citizens and other trusted nations with other regional goals all now know of the same methods and ideas and have been enjoying the same access.
      Companies and people with good emerging products and ideas need anonymity and privacy so they can bring a product to market. Having competing nations read deals, grants and support requests is going to result in loss to established competing brands.
      The fix is for nations and their own brands to get their internal anonymity and privacy back. More back doors in every computer and networks open as shipped is not going to help with that.
      The crypto war was lost in the 1920's with telephone networks and embassy networks. No emerging network was ever out of reach again.

      --
      Domestic spying is now "Benign Information Gathering"
  8. Back door man by PopeRatzo · · Score: 5, Insightful

    If the recent Hacker Team story has taught us, there is no such thing as a "secure back door". Just when you think you're cleverly safe creeping in a back door, there's someone else peering up your back door.

    --
    You are welcome on my lawn.
    1. Re:Back door man by srmalloy · · Score: 3, Insightful

      And the OPM breach has shown us even more clearly the consequences of failing to use the strongest encryption, security tools, and IA policies available. Using encryption technology that's designed to be bypassed at need, with that 'need' determined by anyone other than the owner of the data, is the electronic equivalent of hiding a spare key under the welcome mat and believing that your home is still secure when it's locked up.

  9. Core problem: backdoor = all messages in plaintext by MtnDeusExMachina · · Score: 2

    The article is quite good, and later on it points out that any back door leads to all of the bad guys having just as much or more access to communications as the government or law enforcement have. Comey, FBI, etc. are wishing for visibility into communications, but are not technical enough to realize that they are actually asking for there to be no encryption at all, since the presence of the backdoor renders the communication useless for sensitive information. Another topic that isn't addressed is protecting the public from misuse of the backdoor by government. The existence of pervasive surveillance eventually will lead to the creation of two classes of citizens: The first class "good" ones with law enforcement access to all communications, and the second class, who do not have such access to back doors.

  10. Re:Knowledge is a weapon by fnj · · Score: 2

    I used ROT520 twice for much extra security.

  11. Re: "...keep everyone who uses the Internet safe." by Rasperin · · Score: 2

    My opinions of the ACA notwithstanding, what do you call 17 U.S. 518 (1819) and 118 U.S. 394 (1886)?

    I used Wikipedia for easy access, but I provide the reference numbers if you like to look them up. And these aren't the only cases, (note one is 1819 so don't even begin to say this wasn't established in the early years of the US). The SCOTUS job _IS_ to interpret the law, actually it's not just limited to the SCOTUS but the judicial branch interprets, lower courts are forced to take a higher courts interpretation though.

    --
    WTF Slashdot, why do I have to login 50 times to post?
  12. Re:"...keep everyone who uses the Internet safe." by The+Real+Dr+John · · Score: 2

    It will only keep happening as long as people don't complain. Whenever enough people complain enough, things change.

    --
    A brain is a terrible thing to waste... Mind? That's debatable.