Obama Administration Explored Ways To Bypass Smartphone Encryption
An anonymous reader writes: According to a story at The Washington Post, an Obama Administration working group considered four backdoors that tech companies could adopt to allow the government to break encrypted communications stored on phones of suspected terrorists or criminals. The group concluded that the solutions were "technically feasible," but the group feared blowback. "Any proposed solution almost certainly would quickly become a focal point for attacks. Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce 'backdoors' or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation," said the unclassified memo. You can read the draft paper on technical options here.
Vote Starlight Glimmer for President in 2016! As the equalist candidate, Starlight invites all of America to experience true friendship for the very first time! Starlight believes in an America where people don't flaunt their special talents because they have no special talents to flaunt.
Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce 'backdoors' or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation
No sh*t, Sherlock
They must be making him do this like they did with the ACA.
The Republicans have really destroyed this country with the ACA
and Operation Bullrun weren't give-aways before now?
The preceding post was not a Slashvertisement.
..and at that point it's useless. By all means, try to break it; if you can then that means it needs to be improved.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Then they have managed to do it. Would have done it for free myself, but that is why I will never get a fat government contract, I'm too charitable. I don't even like taking money to tell people not to shit in their own water.
Saying it's Obama's Administration that did it is just as honest as saying it's Bush's Administration that allowed "enhanced interrogation" and detention facilities - it sure as hell didn't stop (or probably even start) with Bush, just like how breaking encryption sure as hell didn't begin with Obama. The problem is with the entire system, not just one political sports team or another.
would almost certainly be perceived as proposals to introduce 'backdoors'
Yes, that is exactly the definition of a backdoor: a way to bypass the owner's security measures. Any suggestion that it isn't would mean that the government is the owner of the device, not you or me.
"First they came for the slanderers and i said nothing."
Unfortunately he was thinking of one-way glass with the ability to look into our affairs.
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
government-proposed technical approaches would almost certainly be perceived as proposals to introduce 'backdoors' or vulnerabilities in technology products and services
You think?
So what's the endgame of all this spying? Is it to turn America into a totalitarian police state? Doesn't the current elite already own the entire country and the government? Or is this just a pseudo coup d'etat where the government will be dissolved and there will be someone from the NSA that will become dictator of America?
What? The motherfucker who betrayed every last one of us when he signed an extension to the PATRIOT act, which he knows full well is unconstitutional, is allowing the criminal class to try to defeat encryption? Say it ain't so!
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Maybe if they spent more time actually making the world a better place, they wouldn't have to worry so much about finding out what the "baddies" are up to.
Transceivers are often hooked directly into sensors such as microphones, and run very complex proprietary firmware that is given undue privileged access to the rest of the system's resources.
Furthermore, for nearly 15 years, Intel has been quietly introducing an entire, higher-priority computing system within your consumer laptops and desktops and probably now your tablets and smartphones: This is known as the Intel Management Engine, specifically the Intel Active Management Technology. If your computer's Intel sticker lists "vPro", then you've probably got it!
It's frightening stuff.
These systems involve their own little processors, memory, storage, network interfaces, and proprietary operating systems; as long as the machine is plugged into a power source and wired network—even if the user thinks that it's switched "off"—that little computer within "your" computer can be contacted and used to access the rest of the machine, including your storage drives (hard disks, SSDs, etc.), RAM, main CPU, GPU, etc. It has higher priority than "your" system, can take control of the display and keyboard/mouse/touchpad input so that Intel's AMT can provide VNC access from the moment the main system's boot process begins. It can do all of this while your system is running, including reading your private encryption keys from your RAM or twiddling bits on your hard disk.
Any attempt to remove or alter the proprietary software and hardware that composes the AMT can be made to and likely will be made to brick your system or make it otherwise unusable.
Well, gee, I don't know how we'd get the idea that proposals to introduce 'backdoors' might actually be proposals to introduce 'backdoors'. You can't investigate how to introduce 'backdoors' and not expect people to perceive this is what you're doing.
It's a backdoor. A weakness. And it sure as hell will get attacked to exploit. You can't put in the skeleton-keys to the kingdom and not expect everybody to attack that. That includes people that government keeps telling us are trying (and succeeding) to break into our stuff.
And then everything is vulnerable.
Of course now that they've publicly acknowledged they want to, they'll just move on to either doing it anyway in public, or just doing it so it's not public. This is the trial balloon saying "we're going to be doing this no matter what".
But, I fear all governments will keep this shit up. Even the ones who claim to want smaller, leaner government are on board with this stuff.
Lost at C:>. Found at C.
"Any proposed solution almost certainly would quickly become a focal point for attacks."
Glad someone realized that!
So what will happen is this: The US Government will mandate all phones be PRISM compliant, or at the least have the master encryption key to the data. Apple, and perhaps Google if I recall, took an engineering route to make it physically impossible to respond to an FBI request. Primarily because Apple doesn't want the liability, and secondly it costs money to staff an entire department of warm bodies to fulfill said requests.
Now comes the fun part. China is basically mandating that the top Silicon Valley CEOs fly to China and agree working with the government at backdoor access to all user accounts and data with regards to its own citizens. The US, as does EU and Australia want something similar. At some point, there will be a treaty among all major nations to mandate a Government API written into all software and cloud based services. This way, each Government can plug right into the application layer and pull data upon request.
Welcome to a period of darkness!!!!!
Life is not for the lazy.
Hope you fucking Democraps love sucking more turds out of Barry's asshole.
Oh, and Republicans? You're part of the problem too.
I paid good money for that water; I'll shit in it if I want to.
That's why I had indoor plumbing installed.
One of the example solutions in the document is to force the device provider to update the device with a malicious update that decrypts the device. Talk about a way to encourage people to allow the device update to run! They even acknowledge this. It's quite humorous, people should read it. The paper discusses how even if a solution is implemented device owners could simply layer their own encryption on and make all data inaccessible. So if that's the case, exactly what is the point in the paper or the working group? They acknowledge right at the start that whatever you propose could easily be defeated by the consumer simply encrypting things themselves. So if the entire thing is technologically unfeasible why on earth would you even study it?
The one thing I haven't seen covered in the paper at all is that IF the US were to implement these requirements that all business involved in encryption would simply move off shore and destroy a thriving US business ecosystem. The paper's assumption is that any US developed protocol would then be exported world wide. This is profoundly illogical on many fronts. There would be numerous countries that would simply not participate in some US encryption compromising ring.
The smart ones just inject a trojan / malware into the software that controls the keyboard. The most bad ass crypto ever invented instantly falls to a keylogger that snags your passphrase.
It's easier AND they can honestly say there aren't any backdoors in the crypto itself. . .
Law enforcement officials have rejected the “backdoor” terminology. “We aren’t seeking a backdoor approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law,” FBI chief James B. Comey said at the Brookings Institution in October.
There is no front door.
Man these people are dumb.
Twenty years ago very few people had a cell phone and the world got along just fine. Now most people carry a device that knows your exact location, has a microphone, a camera and is largely not under your control. It's literally a spying device. Yes, it's a spying device that has useful applications for the user as well but, is it worth it to completely give up your privacy so you can play Fruit Ninja while you sit in a waiting room? This is not the first story on this subject and it will not be the last. If the vast majority of the population is carrying a device that can easily and thoroughly be spied on, the government *will not stop* until it has access to that device whenever it "needs" it.
"Those who would give up privacy for mindless entertainment deserve neither" -- somenickname
As someone said "If you give the good guys a key, there is nothing stopping the bad guys from stealing the key"
Basically the only good government option that's even fair is when there is consent. If someone is arrested, and the person agrees to unlock their devices/accounts to prove their innocence, then this has to be at the consent of the person who wishes to be found innocent. If someone knows they are guilty, then they should enter a duress password that tells the device to secure-wipe. That way the government will not ask people to unlock devices by force.
If the government needs proof of wrongdoing, they should be going after the soft data collection, the call records, text messages, ISP accounts, credit card data, etc, and present that to the person defending their guilty/innocent position.
What the hell is a DINO anyway? I keep reading it as an abbreviation for dinosaur, but capitalised for emphasis. That aside, don't you think the "blame republicans" troll is getting tired and boring yet? It was funny a couple of times, but now it's just irritating.
It is not an insult to dinosaurs, who ruled the earth for 150+ million years.
Democrat In Name Only. Counterpart to RINO.
see the No True Scotsman argument for details.
Democrat In Name Only
It's a rip on RINO - Republican In Name Only
How's that hope and change working for you? What a great president America elected.
Ah, cool. Thanks for the clarification. I'd probably have more of a clue about this if I lived/worked in the US.
For purposes of making policy, we should absolutely assume that if the government can get in, so can the bad guys. (Ignoring the fact that sometimes the government IS the bad guys).
Having said that, it's an interesting intellectual exercise to consider that's not NECESSARILY true. For example, each year the encryption could be increased with a longer key, such that at any given time it costs about $1 million in computer time to decrypt a phone. The government could easily spend a million, or ten million, to decrypt Bin Laden's laptop, but nobody is going to spend a million or ten million to decrypt yours or mine.
I'm not suggesting that's actually a good idea in terms of policy, just an interesting puzzle to think about.
Also, years ago we thought it was impossible for you and I, who have never met before, to publicly post messages to each other in such a way that nobody else could decrypt them - without ever talking privately to share an encryption key. Now, we use Diffie-Hellman every day to do exactly that, as part of https. We thought it was impossible to share a secret on a public forum (or network) without everyone else on the forum being able to read the secret, but we were wrong. Diffie and Hellman invented a way. Theoretically, it's entirely possible to invent something that allows access only to authorized individuals, with a public audit trail. We haven't invented it yet. Block chains like Bitcoin uses suggest that encryption can be tied to a publicly accessible log, so we know whose data they decrypted, or at least how many they did.
"Unclassified memo."
What is the real story?
years ago we thought it was impossible for you and I, who have never met before, to publicly post messages to each other in such a way that nobody else could decrypt them - without ever talking privately to share an encryption key. Now, we use Diffie-Hellman every day to do exactly that, as part of https.
We are talking privately - through Mozilla, or Microsoft, or Apple, or Google. That's why your browser has a big old list of certificates.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Now, we use Diffie-Hellman every day to do exactly that, as part of https. We thought it was impossible to share a secret on a public forum (or network) without everyone else on the forum being able to read the secret, but we were wrong. Diffie and Hellman invented a way.
Just thought I'd mention Ralph Merkle, the guy gets nowhere near fair credit for having co-invented public key cryptography. In fact, Hellman argues we should talk about Diffie-Hellman-Merkle key exchange.
And there were some guys at GCHQ who independently did pretty much the same. But I credit them less because it was all kept secret and they work for, you know, evil.
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
I really don't care what the fuck Obama is, all I care is that the PEOPLE will *NOT* be victimized again!
I haven't the time to RTFA yet, so I haven't the slightest idea what the '4 backdoors' are, but anyway ... I think the most important thing we must do is to find ways to defeat whatever fucking backdoor (or backdoors) that they might use on us
Any and all suggestions will be very gratefully appreciated !
Muchas Gracias, Señor Edward Snowden !
... them moslems have been whacking mayhems to all the non-moslems ever since that motherfucking pedophile proclaimed himself to be a 'profart
Especially when his own gets penetrated.
No trusted root certificate is required in order to have a secret, encrypted conversation over a public medium. We could post secret messages to each other using Diffie-Hellman right here on Slashdot.
Root certificates are for authentication- knowing my real name rather than just my Slashdot userid raymorris.
It suggests actions/approaches that could be taken towards the collection of data. I'd like to see the unclassified memo, the one that says they're going to proceed without regards to this memo.
The Obama Administration considered a fifth option and chose it. Technology companies were forced to implement this universal back door secretly.
Hell, what's the difference? They both have a goal of destroying freedom, liberty. Flood the country with illegal aliens that benefit both parties. Democrats get em here for votes and free stuff, Republicans want em here to destroy the labor force, reduce labor cost for the cheap labor. In the end, we stopped having a representative republic over a century ago (17th amendment). It's just taken a while to completely destroy it. It's more of a post constitution "politburo" now. About the only thing left would be removing the 22nd amendment and allowing someone to be elected for life.
Newegg lists a Core i7-4471 as being about $320.
They list the Xeon E3-1241v3 (comparable speed as the above chip, but has vPro and every other feature) for $278.
You wanna explain this "BIG bucks" thing, again? You save money by buying vPro stuff, at least on the mid-range (single-processor as opposed to SMP) processors. I'm not even sure why people would build an i7 system, unless they're either overclocking or afraid of the Xeon's "features."
And there never has been at any point in human history. Sure you need a warrant to exercise a capability to spy--but there's absolutely nothing illegal about creating an apparatus that enables the spying.
I think you are confusing what is wrong with what is illegal. Not everything that you consider to be wrong is illegal.
And you are the exact reason why the country is falling apart. When confronted with "Obama did ______" that you don't like, you still blame only the Republicans. And don't get me wrong, the (R) do the exact same thing. It is almost like you have said (D) cannot do any wrong, and any wrong they do is because the (R) did it first.
The cognitive dissonance here is not surprising, but I am still amazed by it.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
There were no big racial protests in the 30s, I guess that means that everyone was super happy. Also, the 1890s were even quieter, and the 1840s quieter still.
A wise robot once said, "I think you're confusing peace with quiet". The racial divide isn't created by rabble rousers, it's exposed by them.
Let's shut down the military, police force, FBI, CIA, and NSA and use that money instead to shower the world with rose petals.
You can't rely on ANY off the shelf encryption, and ignore Snowden. You need to use an open source encryption, where the author is not known. Open source can be examined and compiled yourself; and the government can't retaliate against the author if they don't know who it is.
It's reasons like this that nobody in their right mind likes Obama. He is constantly working on ways to attack the freedoms that made our country great. This is an attack on communications, as a way for government to get even MORE CONTROL of the people.
I constantly hear people on the street talk about how they are tired of government over reach, and many of them are calling for military response against government. I personally don't want to see that happen in my country, but the politicians are creating the situation themselves, and they have no excuses.
The people should not be afraid of their government; the government should be afraid of its people.
Technology companies have made it pretty clear that they will not allow any such technology into their communication products, no matter how solid the tech is. They'll lose the trust of consumers, lose sales, and profits.
Apple and Google in particular have been at the forefront of fighting such propositions, they won't just give in without a fight, including court battles to SCOTUS.
The biggest tragedy of the government's boneheaded approach to tech spying is that it has managed to convince an entire generation of losers that each and every one of them is a high-value government target. You aren't. Nobody gives a fuck about your insignificant little life. You don't matter. At all. Nobody is reading your emails; not because they can't, because your emails are fucking boring. Nobody is listening to your phone calls, because nobody needs to get up to date on your theories about Jon Snow. You are NOT important. At all.
It's actually possible in a very low-tech way, assuming you trust Apple. Have each device send its current encryption key over an encrypted channel to a computer at Apple. Have that computer immediately encrypt that data with a public key, print the resulting encrypted key out on paper, along with a date stamp, then dispose of the electronic copy of the data. Whenever the paper tray fills up, an employee could lock it in a lock box, and place that lock box in a vault.
Upon receipt of a subpoena, an encrypted device image, and a processing fee of $10,000 per incident, Apple could look up the date and time when the device was last activated in their activation database and send some poor intern down to the vault to bring back the right lock box. This would narrow it down to a few thousand possible sheets of paper. Apple could manually type in each encryption key, send it to someone in a separate locked-down facility in another country where the private key is stored, and get back the decrypted key, which they would then test against the encrypted data, destroy if incorrect, and eventually send back a decrypted copy of the disk image.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Whether a governmental backdoor is good idea or not should not be determined on the "good" uses the government would use it for. It should be determined on the "bad" uses (abuses) the government *could* use it for, along with the risk of it being cracked and abused by third parties.
"Grab them by the pussy" -- President of the United States of America
The use of paper and manually doing work in your scenario reminds me of how guns can be tracked to people, but not vice versa, in Texas and other states without registration.
Given the serial number of a gun found at a crime scene, the cops can ask the manufacturer which wholesaler they sold the gun to. They then ask the wholesaler which store they sold it to. They then ask the store which individual they sold it to. So they can answer the question "who bought this gun?", but can't answer "does raymorris own a gun?"
Without authentication, how do you know it's *me* doing the DH negotiation on the other end? That's the root of trust problem that certificates (and webs of trust) try to solve (and don't do a very good job of).
To have a truly reliable system, we need something that "squares Zooko's triangle": https://en.wikipedia.org/wiki/...
There is promise in newer systems that use Bitcoin-like blockchains (like Namecoin).
Um, no, your "intellectual" exercise isn't all that interesting. What you suggest is a typical sophomoric exercise and focuses only on details that it "solves" while ignoring the entirety of the problem. In particular you are overlooking the *obvious* fact that if they have a key that can be used to backdoor then anyone who can obtain a copy of the key can use the backdoor.
In other words, you can handwave all you want about "unbreakable" keys and it doesn't matter.
For a more interesting intellectual exercise consider that the US government has apparently decided to co-locate all collected intelligence in the Utah facility (satellite, intercepted Internet, SIGINT, whatever). Now, does that make a nice, juicy target for China? Russia? Israel? (All three of those actively spy on the US, not counting additional players.)
During the cold war a Soviet embassy was constructed in Canada. The Canadians asked British intelligence for assistance. Plans were acquired, analyzed, and the location of equipment deduced. Then data acquisition was built into the building. To be fair, the Soviets played the Canadians and British -- the compromised locations were then not utilized.
But where do you think the storage media for the Utah facility originated from? The controller cards for the media? There is no conceivable way that such a facility could avoid Chinese and Korean parts. Methods of jumping air gaps have been demonstrated, some of which only require control over chips.
Now, how comfortable are you -- given the high level of motivation *any* self-respecting intelligence agency would have in penetrating the facility -- that such data facilities will be the sole purview of US intelligence? Is it even plausible that *any* back door that was going to be built in to devices manufactured in China would not be known to and exploitable by the Chinese? How about them simply building in their own back doors?
But if he was a Republican, the entire media head would explode!
Let me state one more time, as a policy matter we should assume that anything that allows the good guys in can also allow the bad guys in. That's a foundational assumption and why I don't install a control panel like CPanel on my servers.
As a mathematical puzzle, it's interesting to note that's an assumption. It's not NECESSARILY true.
Here's a very rough draft of one approach, just for fun. At the end I'll show how it can be made more secure by combining it with other approaches.
Consider, it is possible using RAID6-like techniques to split up a chunk of data into different places such that in order to recover the whole, you have to acquire 6 pieces out of 8. (Ie your data is still there even if two drives fail, but you must have at least 6 drives). With XOR across the drives, if you have fewer than the required number of drives, you can learn NOTHING about the data other than its maximum size. That's trivially provable. So we have a system in which to retrieve the key, you must possess n of the m masks, and fewer than n masks does you no good at all.
If those m masks are held by m different people, you have to get masks from n of them in order to reconstruct the key. You can choose m and n. So maybe you decide you want 435 masks, and 400 of those can be combined to compute the key. You send each mask to a different person, so reconstructing your key requires that 420 of those people cooperate (or 420 of them get hacked). This is known and time-tested, it's just RAID reworded.
So IF you can find 435 people such that you can trust that SOME of them would refuse to cooperate with an illegal and unjust action, you have a mathematically sound method to store your secrets. Your key can only be revealed if 420 of the people you trusted collude - and probably if there were something untoward going on, at least one of them would snitch, revealing the plot. (Modulo physical-world concerns like having all of the mask-holders share a trojaned model of hard drive).
Now we just need to pick 435 people such that they won't all agree to do the same crime together, without anyone spilling the beans. Members of the house of representatives are elected every two years and they RARELY all agree on anything. So some might say that if all the reps agree that a certain phone should be decrypted, it's probably okay to do so. You can probably come up with better ways to pick people who can be slightly trusted. Again, you don't have to trust any one of them, you only have to trust that if they ALL agree, it can be decrypted.
We might note here that if the entire US House is out to get you, you're fucked anyway.
Now we can combine that with other techniques for better security. Perhaps you don't make a key available this way, only the first 1024 bits of a 2048-bit key. So if all members of the house agree, they can give the DOJ PART of your key. With the first half of the key, the DOJ only has to use a million computers for 24 hours to break the second half. I suspect that wouldn't be abused too often.
Again, I wouldn't want to actually implement this. The US government has been really bad at implementing anything. It's an interesting puzzle to think about how to improve upon the general idea I laid out above, though.
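The n-of-m property described in the comment above, shown as an added example that is not part of the original post: it swaps in Shamir's secret sharing (polynomial interpolation over a prime field) for the RAID6/XOR wording, using the post's "6 pieces out of 8" as parameters. The field prime, function names and sample secret are assumptions chosen for illustration.

```python
# Added illustration (not the commenter's code): Shamir's n-of-m secret sharing.
import secrets

PRIME = 2**127 - 1  # Mersenne prime; the secret must be smaller than this field


def split(secret, threshold, shares):
    """Return `shares` points on a random polynomial of degree threshold-1
    whose constant term f(0) is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 <= threshold <= shares < PRIME:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, shares + 1)]


def interpolate(points, x):
    """Evaluate at `x` the unique polynomial of degree < len(points)
    passing through `points` (Lagrange interpolation mod PRIME)."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover(points):
    """Reconstruct the secret: the polynomial's value at x = 0."""
    return interpolate(points, 0)


def completing_share(partial, candidate_secret, x):
    """Given threshold-1 shares and ANY candidate secret, compute the share
    at index `x` that would make that candidate the reconstructed value.
    Such a share always exists, which is why threshold-1 holders learn
    nothing about the real secret."""
    return interpolate(partial + [(0, candidate_secret)], x)


if __name__ == "__main__":
    key = int.from_bytes(b"constructed key", "big")  # constructed sample secret
    shares = split(key, threshold=6, shares=8)
    print("any 6 of 8 recover the key:", recover(shares[2:8]) == key)
    print("5 shares give a wrong value:", recover(shares[:5]) != key)
    fake = completing_share(shares[:5], 12345, 6)
    print("5 shares fit candidate 12345:", recover(shares[:5] + [(6, fake)]) == 12345)
```

The secrecy rests entirely on fewer than `threshold` shares ever ending up in one place, which is the trust assumption the comment spends most of its length on.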
> Without authentication, how do you know it's *me* doing the DH negotiation on the other end?
Because your user name is right at the top of your post. And we've never shared a secret. What I don't know is your birth name. Even better, we can use DH in a crowded room. We can shout secrets to each other*, and without any pre-arranged key we can exchange secret messages, impenetrable to everyone else in the room. I know it's you I'm talking to because I can see you.
If a man-in-the-middle has the ability to CHANGE our communications, not just read them, then yes, as far as I'm concerned that MITM _is_ N. Criss. DH protects against _eavesdropping_, it does not provide authentication. Signed certs provide authentication.
* Shouting secrets in a crowded room such that anyone overhearing them can't decipher them may seem contrived. Yet that's exactly what wifi is. Although anyone within wifi range can pick up the signal, they can't decrypt it. Which is neat in the case where you've never been on the network before, so you never privately shared a key with the access point.
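The distinction drawn in the comment above (Diffie-Hellman stops eavesdropping but does not authenticate), as an added example that is not part of the original post. It runs one exchange over a network that only relays and one over a network that substitutes public values, then applies an out-of-band fingerprint comparison as the check; the modulus, generator, function names and the fingerprint check are illustrative assumptions, and the parameters are toy values rather than a vetted group.

```python
# Added illustration (not the commenter's code): unauthenticated Diffie-Hellman.
import hashlib
import hmac
import secrets

P = 2**255 - 19  # toy prime modulus for readability; not a vetted DH group
G = 2


def keypair():
    """Random private exponent and the public value G^priv mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a 32-byte key from our private exponent and the peer's public value."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def fingerprint(key):
    """Short value two people can read aloud or compare by eye."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]


def exchange(network=lambda pub: pub):
    """One key agreement. `network(pub)` is what the other side receives:
    the default relays faithfully (an eavesdropper sees a_pub and b_pub but
    neither private exponent); a substituting network models active tampering."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_key = session_key(a_priv, network(b_pub))
    b_key = session_key(b_priv, network(a_pub))
    return a_key, b_key, (a_pub, b_pub)


def fingerprints_match(a_key, b_key):
    """The authentication step DH itself lacks: compare fingerprints over a
    channel the network cannot alter (in person, or via a signed value)."""
    return hmac.compare_digest(fingerprint(a_key), fingerprint(b_key))


if __name__ == "__main__":
    a_key, b_key, _ = exchange()
    print("relay only, keys agree:", a_key == b_key,
          "| fingerprints match:", fingerprints_match(a_key, b_key))

    m_priv, m_pub = keypair()  # party in the middle with its own key pair
    a_key, b_key, (a_pub, b_pub) = exchange(network=lambda pub: m_pub)
    print("substituted values, keys agree:", a_key == b_key,
          "| fingerprints match:", fingerprints_match(a_key, b_key))
    print("middle party holds A's key:", session_key(m_priv, a_pub) == a_key)
```

A mismatch in the compared fingerprints is the detectable signal; without that comparison, or a signature over the public values, both endpoints complete the exchange with no error.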
http://i.ytimg.com/vi/NOVAbKjo... This product prevents others from accessing your backdoors
The (R)s have had every ability to either break ACA via the Supreme Court (Justice Roberts - R) or simply defunding. Who the fuck cares if the whole government shuts down? Not I - not you. It hasn't happened because deep down, they want what ACA is about, mandates and corporatocracy.
I say this as someone who votes 3rd party. Typically (L). Ron Paul was an exception.