Questioning the Dispute Over Key Escrow

Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?

Solution: Don't Trust Anyone (within reason)

[Dutch+Gun]

Client-side end-to-end encryption using perfect forward secrecy is the only thing we can "trust" now, sadly. Key escrow? Who gives a crap? Our government has destroyed all reasonable expectation of trust or privacy, and it's not like private corporations can't be compelled to cooperate. The problem is, it's not really feasible to vet source code for the vast majority of people, even for open source projects, since it's a highly specialized skill set. And how do we ensure that an update doesn't come along specifically to open up an exploit or a back door? Essentially, we're now in a position of trying to decide which projects we can trust with our privacy.

I used to snicker at people who thought like this, maybe throwing in a "tinfoil hat" joke here and there. Damn... it's not quite at the level of CIA implanted brain bugs, or thought-controlling water additives, but the government is getting damn creepy with it's mass surveillance.

Re:Solution: Don't Trust Anyone (within reason)

[flink]

It doesn't matter if what you are using is exploitable or not. If a state agency is targeting you specifically, you are screwed no matter what. They will probably find a way to collect the information you want. However, using end-to-end encryption with well vetted tools will keep your communications out of these global dragnets the NSA and it's ilk have been running.

You're not going to stop them from hacking your computer if they want to get in, but frankly you're not important enough, but it is worthwhile to keep your data from being swept up incidentally.

The central pro-escrow argument is idiotic.

[Kaz+Kylheku]

Why would criminals conform with laws that require them to use back-doored crypto, when they can deploy the real thing through their organizations, and leave the back-doored crap to the honest citizens? Criminals don't conform with laws (by definition!) and so they will use whatever crypto they see fit.

Zero-days are not "back doors".

[tlambert]

Zero-days are not "back doors".

Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.

Re:How predictable

[jcr]

Go fuck yourself, you fascist cunt.

-jcr