Questioning the Dispute Over Key Escrow
Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
Client-side end-to-end encryption using perfect forward secrecy is the only thing we can "trust" now, sadly. Key escrow? Who gives a crap? Our government has destroyed all reasonable expectation of trust or privacy, and it's not like private corporations can't be compelled to cooperate. The problem is, it's not really feasible to vet source code for the vast majority of people, even for open source projects, since it's a highly specialized skill set. And how do we ensure that an update doesn't come along specifically to open up an exploit or a back door? Essentially, we're now in a position of trying to decide which projects we can trust with our privacy.
I used to snicker at people who thought like this, maybe throwing in a "tinfoil hat" joke here and there. Damn... it's not quite at the level of CIA-implanted brain bugs, or thought-controlling water additives, but the government is getting damn creepy with its mass surveillance.
Irony: Agile development has too much inertia to be abandoned now.
Going long on whoever the hell makes aluminum foil...
Help save the critically endangered Blue Iguana
Aren't you glad you voted for Obama? Such change he brought.
Wow! Another story on Slashdot about the evil Government and the NSA. How predictable. You guys need to get a new narrative. This plot line is getting old.
If the data or encryption key is out of your possession, you must assume it is public. If you want to secure your data, it must be encrypted before it leaves your computer. And if you want to trust your computer, you can't use a proprietary OS.
Most people don't need that level of security... some convenience is worth the likely loss of privacy (to a point). I'm not going to worry about getting my cousin to use PGP in order to email about our family reunion. But if you are concerned about privacy, you have either already eliminated cloud services from your daily workflow or you are an idiot.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
... former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow...
So....what's his financial angle this time?
He was the one who pawned the Full Body X-Ray machines that were eventually pushed onto prisons.
I would really like to get a job where I can do what he did and does. How does one get those?
Oh yeah, know the right people which is always the case.
So they can buy a fucking clue? No, there will be no "escrow"; the administration you represent has continued a policy of spying on our communications. Therefore any suggestions, changes, or stupid fucking ideas that would compromise my data's security are off the table. Now, as the former VP would say, go fuck yourself!
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Why would criminals conform with laws that require them to use back-doored crypto, when they can deploy the real thing through their organizations, and leave the back-doored crap to the honest citizens? Criminals don't conform with laws (by definition!) and so they will use whatever crypto they see fit.
Understatement of the century!
“He’s not deformed, he’s just drunk!”
When we are called on to secure our effects, our failure will be recognized as our fault.
Didn't turn on encryption? Too bad, pay up.
Didn't set a strong password? Too bad, pay up.
Didn't patch? Too bad, pay up.
When the US backdoors every encryption system in the world and we're all systematically defrauded of everything we've ever worked for they're going to point the finger at us for at least one of these three things, and possibly more. It's going to be our fault we got hacked, despite the fact they're throwing billions at the idea of making us all hackable. What's more we can't prove it because of the veil of secrecy.
If they screw up then the world, its people, and all its banking systems and local governments are going to be on the hook. When they screw up we won't know about it. This is immoral, but no less than I'd expect for the most arrogant government in the world today.
Zero-days are not "back doors".
Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.
Major US tech companies can NOT fight the full might of the US government. They are beholden to all those laws, secret or otherwise.
That means one of two things is true. Either (1) those companies are no longer located or have any corporate assets or personnel in the United States, or (2) they are complicit in the NSA's spying. This holds true of all the major US tech companies. Apple, Facebook, Google, Cisco, whoever.
It's fairly clear which of those is true, no?
Besides perjuring himself in testimony to the congress, he's responsible for billions of counts of felony wiretaps against innocent people. That motherfucker belongs behind bars, not shooting his mouth off about how we should all make it easier for fascist scumbags to wipe their asses with the constitution.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Doesn't the NSA have a patent on Key Escrow? At the very least they should provide it royalty free to everyone... I want to get one free thing out of this whole mess.
Don't trust the government? How about the people who work for the government?
It is irrelevant whether or not you trust the government to do the right thing when you know that corporations and government agencies are riddled with foreign spies. Furthermore, can anyone guarantee that, out of all the people who have access to escrow, not a single one would want a slice of the trillion-dollar pie that China has in cash, or that no one will say No! to the kind of cash that a Wall Street investment firm can bring to the table?
Let's ask Jonathan Pollard how much we can trust the people who work for these agencies not to sell the keys kept in escrow.
Think how much easier it is to target people if you have a system designed for the purpose. Exploits are most useful if they aren't used all the time. Every time they are used, you risk detection. Once the exploit is detected by enough "bad guys", you are put in the odd position of knowing that you are complicit in weakening the "good guys" security too and exposing them to risk from the "bad guys". By having a standard mechanism for truly legal requests, you can save the other *expensive* exploits for the cases without warrants - extending their useful life. My guess
A conspiracy is when two or more people get together (conspire) to take advantage of one or more people. Conspiracies are the norm, not the exception.
Conspiracy Theorist, as a phrase, was ironically (for you) deliberately created by the CIA as a means of discrediting people who had ideas about how they might be fucking us.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
This. Yes, absolutely. Google knew everything about PRISM except possibly its classified name, thus their straight-faced "we had not heard nor did we know about PRISM". Ditto every other Silicon Valley company. Do you think Intel got to where it is while defying the US Government's request for backdoors into their products? Or do you think the government did not request a backdoor?
There are legitimate threats out there, people. Unreadable communications can be a real threat to national security; think ENIGMA and Turing. It's just a fact. But bad people have 1000 other ways to disguise their communications, including all the variations on one-time pads. At least with crypto you have a chance of getting the key, or finding a flaw in the crypto, or getting access to the pre-encryption message-creating event or the post-encryption message-reading event.
With other secret-sharing schemes, what information is buried in the open is known only to the sharers. Is that really a more tractable problem to solve? I can think of a lot of ways to nominate portions of information junk as being significant. Woodward communicated with Deep Throat by putting a flowerpot with a red flag onto his balcony. Think of all the bits of information flying around, both public (Twitter) and private. Think of how the problem compounds when IoT comes online. There are enough IPv6 addresses to give every grain of sand on earth 1000 unique IP addresses. Do the math. Each of these communicating to any other at will, sending messages. Yeah.
Want to know where the real threat is coming from? It's coming from Silicon Valley VCs and companies they are funding. Just as none of these types, from the engineers to the investors ever really thought through what would happen if they made protocols and machines which were inherently (unfixably) insecure and then continued to not think about it, even as it became clear society was going to be critically depending on these protocols and machines, so 100,000 fold with IoT.
It's a headlong rush into chaos and oblivion driven by the most greedy, shortsighted and willfully ignorant members of our community. If you say "hey, maybe we shouldn't 'democratize' synthetic biology without thinking through the implications and how it could be used to deconstruct society and civilization," then you're a Big Government commie. Under the cover of spittingly stupid quips like "well, any technology can be used for good or evil, I can kill you with a hatpin!" we are creating technology that will give one person the power to take down whole cities, whole geographically or genetically defined populations, civilization itself.
And if you think no one would do that because of some variant of nuclear MAD then you really are a fucking idiot with no knowledge of history, people or the real world.