Going Dark Crypto Debate Going Nowhere (threatpost.com)
msm1267 writes: FBI general counsel James Baker reiterated a theme his boss James Comey started months ago, that Silicon Valley needs to find a solution to the "Going Dark" encryption problem. Two crypto and security experts, however, pointed out during a security event in Boston that encryption remains the best defense against the government's surveillance overreach and espionage hacking targeting intellectual property. “If we were able to engineer a mechanism where we’re splitting a key and having a third party escrow it where the government could ask for it, the very next thing that would happen is that China et al will ask for the same solution. And we’re unlikely to give them the same solution,” Eric Wenger, director of cybersecurity and privacy, said. “Complexity kills, and the more complex you make a system, the more difficult it is to secure it. I don’t see how developing a key-based solution secures things the way you want it to without creating a great deal of complexity and having other governments demand the same thing.”
Do what is best.
“If we were able to engineer a mechanism where we’re splitting a key and having a third party escrow it where the government could ask for it, the very next thing that would happen is that China et al will ask for the same solution. And we’re unlikely to give them the same solution,”
You're likely to give them the same, or a similar solution.
And the first thing they will use it for is to crack open all messaging to spy on political threats to them. This stuff is regularly abused in the US, with no technological barriers to a political operative misusing the system currently (i.e. without a warrant.) But at least they'd have to hide it or get in severe trouble. In China, Russia, many other countries, there is no fear because it's official policy.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
https://www.youtube.com/watch?v=1UlapnsFLhc
Whichever Political Marketing Think-Tank boot-lickers helped that asshole (James B. Comey) cook up this "Going Dark" catch-phrase should suck on a tail pipe until they fall asleep.
So because each country has its own crypto key all the crime have to do is ship phones internationally.
So unless the USA believe it should be able to have access to China's key, or Korea's, Germany's, Brazil's, etc etc etc
Or perhaps the US has become so arrogant that it believes that it is the ONLY government who is allowed a key, at which point of course ALL US companies will be regarded as CIA spies and their hardware/software banned in the rest of the world.
There is no solution to this. The USA can NOT be trusted by their own citizens, let alone the rest of the world.
...the very next thing that would happen is that China et al will ask for the same solution...
No, that would be second. The first thing would be US agencies demanding keys without warrants and with gag orders.
Yes, Mr. Baker, it is about the relationship between the people and the government. What we wanted you to do was to treat the Fourth Amendment as a law, not as an obstacle to be circumvented. You have demonstrated yourselves incapable of obeying the laws you profess to uphold. So, what we want now is for you to go away. If that means a terrorist kills a few of us every now and then, so be it. Right now the terrorists are killing a lot fewer civilians than our policemen, so frankly, if I've gotta take the risk, I'd rather take my chances with the bad guys than the good guys.
Until then, remember this is professional, not personal. You Feebs are actually pretty good at police work when you get off your asses and go do it. Maybe if we make it hard enough for you to spy on us illegally, you'll be forced to resort to good old-fashioned HUMINT-style police work for the rest of your cases. Try serving and protecting the public for a change. You might even start to enjoy it. And we might, after a few decades, start to trust you again.
The simple fact is, government, in all its forms, requires access to everything in your life. Accept it, you are a plebe with your ass hanging out. Yay, modernization? Get real people, understand your place in the universe.
This is a message to those in control: You have won this battle but you will never break us. The true "us". Those that fight your tyranny and everyone that can't understand. Your days are numbered.
I'm 100% certain this is actively being used to arm-twist compliance/favorable votes from congress, thereby subverting the checks and balances of our government's constitution (and therefore undermining what little remained of effective democracy in the United States).
Ipso facto:
A successful, bloodless, coup d'etat.
This achievement being the inevitable downstream consequence of the work done by the Federalist Party.
Naive me perspective:
"Simultaneously: the catalyst for the eventual failure of the federal government to maintain its legitimacy in the eyes of the public."
Experienced older me perspective:
"So nothing has changed at all then?"
There's no reason for normal email, IMs, video chats, web surfing, etc to be available at all to anybody who isn't among the intended recipients.
These protocols are in the clear for historical reasons: people didn't imagine that the government would be a bad actor. Since they now are, it's time to add strong encryption to all of those things.
The whole internet needs to "go dark" from the perspective of the Stasi fucks.
Why do they have to hide it in the US? There is nobody actually watching the system to make sure it is not abused. How much did Snowden download and nobody caught on. Hell, did they even 'catch' any of the people doing loveint or were they all self-reported?
They aren't even remotely interested in catching people abusing the system.
Sleep your way to a whiter smile...date a dentist!
All structures are, in the end, flammable. Literally or figuratively.
Even panopticons.
One Gang of Criminals Claims They're Way Better than the Other Gangs
Wants Privileged Data Access
This debate isn't about "terrorists"; any sophisticated organization with something substantial to hide isn't going to rely on Apple's or Google's encryption, they are going to be using their own, something that is easy enough to do.
The entire debate is about day-to-day police work: police want to be able to search your phone and your E-mail with the same ease with which they can open your car's trunk. The problem with that isn't that they may or may not use it against minor offenders, the problem is that if you put that capability in the hands of a million law enforcement officers and government investigators, they will invariably abuse it for personal and political gain, blackmail, and amusement.
Bullshit. If anything, the US state department will demand they implement the same flawed solution, or worse, a less secure implementation.
Leaving aside the honesty of this statement, a court order doesn't open safes, or reveal where the suspect's off-site storage is either. The real problem is encryption offers near-perfect secrecy for a low, low price, so everyone has it. Plus, the bad behaviour of most governments over the last decade motivates everyone to use it. An information device offers a detailed, easy-to-copy record of the suspect's activities stored in one location. The government wants full access to this strategic convenience and now demands that corporations provide it. (My country just forced all ISPs to save all meta-data.)
This is like demanding a copy of every safe key so that "law enforcement investigations on a local level, and surveillance efforts on national security and terrorism fronts" aren't hampered by the desire for privacy. In addition to enabling abuse by the government, every criminal will attempt to break into the key storage. Recent events reveal that governments aren't able to secure civilian data, making failure of the key storage inevitable. Or just as bad, a universal back-door (again, recent events reveal corporations won't install quality security on back-doors) will mean the end of all privacy, once the universal key is found.
and makes demands, that's not a debate. That's a tantrum. There is no debate here.
I think this is actually backwards compared to how it may actually play out. This month's *Harper's Magazine* has an interesting essay about American businesses operating in China. (*Harper's* is paywalled, but you get a few free views per month.) The essay can be found here:
"The New China Syndrome: American business meets its new master"
The gist of the essay is that China's authoritarian government strong-arms American businesses, using all of the tools at its command, including outright arrest of business executives, and that this is only going to get worse, to the point where China will be setting U.S. policy by proxy, via business lobbying. After reading that essay yesterday, my guess is that China may someday soon pressure businesses for a backdoor, be granted that backdoor, and that the U.S. government may then get its wish based on China's precedent.
quiquid id est, timeo puellas et oscula dantes.
Terrorists etc. who wanted to have been able to use one-time pads or personal couriers who memorized their messages since well before modern cryptography.
Sure, it was a bit more cumbersome and not always practical, and when implemented naively, it was vulnerable to rubber-hose cryptanalysis but then again, so is an encrypted smart-phone when you have access to someone who knows the password.
So, tell me again, if bad guys will continue to have these options, why is it a good idea to weaken all other forms of cryptography to the point where they are about as useful as SHA1 with a small key (if that)?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The FBI and NSA are right that good default crypto will make it harder to catch criminals and the extremely rare terrorists. It will also make it harder to catch people doing quite a number of other bad things.
However, they also brought this on themselves. Overall this is like the response to ads online. Ads got so extremely bad that people just installed adblockers that block everything. Now many sites are finding it hard to even survive due to ads being blocked. If you unblock the ads on the site though you find out the ads are extreme with sound, video, taking over clicks, and with dozens of ads on a page and so you go back to blocking.
If the Ad industry had stayed to banner ads and maybe one or two small ads on the sidebars of a page and with no music or video then it is likely that people would not have gone to the effort to block them. They created this mess all on their own.
If the NSA had not started watching everyone in a fairly blatant violation of the law and the courts made it so you can't even try to stop them since they rule you have no standing since you can't prove you were watched then this reaction would not be happening. What the NSA did damaged Apple, Microsoft, Google, Facebook and many others along with pissing off average people a lot. When the average person thought the NSA was just going after evil people outside the country they were okay with it. Finding out they go after citizens in the country also is unacceptable.
I have no idea how to deal with the actual legitimate concerns of the NSA and FBI and also deal with their abuse. We all know that they will keep abusing their powers if they can. If you compromise encryption in any way then others will find the backdoors also and use them.
This is not a good situation and in the end I don't know how it will play out. It should be possible for the NSA and FBI to get access to data upon probable cause and with a court order; I just don't see any realistic way to do that anymore given what they have done.
Computer modeling for biotech drug manufacturing is HARD!
Dear Mr. Baker,
I have an interest in this discussion as an engineer on a product that uses encryption. Here's a small sample of my company's customer list:
- Federal Bureau of Investigation
- US Department of Defense
- US Department of State
- US Department of Homeland Security
- US Air Force
- US Army
- Naval Air Warfare Center Weapons Division
- Northrop Grumman
- Lockheed Martin
- Raytheon
I am sure these organizations would love to hear why you need access to their data. I am sure the governments of China and Russia would never dream of hacking into your key repository, honest.
Disclaimer: opinions expressed here are mine and do not represent my employer.
Crypto does away with the NEED for many aspects of government.
1. Governments have traditionally done a wonderful job printing money when they are broke. Obviously this hurts people who save a currency, but since there are less of them these days who cares! Bitcoin and gold offer a way to decouple the value of a currency from the government lack of discipline. Even though it is a legal tender in the constitution, raids on gold currency have been enough to hurt its image. It is hard to store gold securely. As for blockchain crypto this is something truly new which could take power from the big monopoly (it is also hard to store individual bitcoins securely, but the blockchain would be almost impossible to corrupt).
2. Registering property, marriage licenses, contracts, etc could also be handled by blockchain. We no longer need to send billions a year to our local, state, and central governments to do such minor accounting for us.
3. The fourth and fifth amendment. Crypto gives this some actual teeth-- i.e. requiring a real warrant, and not incriminating oneself. Is it any wonder that Proton Mail, Wuala, etc, and other strong crypto services are being attacked by state entities??
4. While they RUN over our basic Constitutional rights, the government is still regulating us to death. This really does hurt small business. It is possible the people could vote more directly over the internet would reduce the need for representatives and regulatory agencies. Bypassing the lobbyists on both sides of the issues. As long as the individual rights are not up for a vote. And as long as one group is not allowed to subjugate another economically -- which via well-meaning programs have sucked the economic marrow from the average family imo.
In short, this is an historic moment to stand up (individually, and through groups like the EFF and maybe the ACLU). Laws like the anti crypto ones will be a huge win for centralized power over the individual/family.
Centralized power is its only real true goal. Do you trust 100 data-awareness power with auto facial identity etc, to be wielded intelligently 1, 5,10, 20 years out? I for one do not.
can only increase the system attack surface.
...to not abuse the powers we granted it in good faith for the common defense and the public good we can have this discussion about how to deal with legally granted search warrants in pursuit of a legitimate and well targeted crime. Until then I feel for these people in criminal justice trying to do what I am sure is a hard job, but it's a non-starter. This situation is a direct result of abuse and corruption. You broke it, you bought it.
Peace, or Not?
“This is about rule of law and the fundamental rights we have from the Constitution, creating laws that enable government to obtain the results of surveillance in ways that are consistent with constitutional rights,” Baker said. “Today, that’s not happening. We are not able to use what’s available today with a 4th Amendment warrant. We do what the law requires, show up with a court order, and can’t get the fruits of surveillance because of encryption.”
Without encryption, what happens when they show up with their warrant and I say "Sorry, I don't have any secrets here, they are hidden in a land far far away and you'll never find them".
How is that any different than if I say "Sorry, my secrets are encrypted, and you'll never decrypt them".
Besides, if commercially available encrypted products are required to have a back door, the smart criminals are just going to use real (i.e. "illegal") encryption to store up their secrets.
Actually knowing how incompetent American companies are. Not only will they give the China govt the same thing, it will have the SAME FUCKING KEYS.
Do not look at laser with remaining good eye.
Just use layered encryption. If they come after you, you know they have been snooping on you. Then just reveal harmless data. If they do not come after you, they get nothing. So, as so often, outlawing secure crypto or mandating backdoors only means that only the criminals will have secure crypto. In a sane state of affairs, everybody will have it. And the clinically paranoid "servants of the people" will just have to get over themselves and realize people are not so willing anymore to accommodate them after they have been revealed to be criminal and the law means nothing to them.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"Going Dark" encryption problem.
This isn't a problem.
--
BMO
Disclaimer: I am 100% behind the Constitution and the founding fathers' vision for America. I do not support the NSA, I think they are violating the rights of millions of Americans and I have no qualms about saying so.
That said fact... There is one thing that has perplexed me. Maybe someone can offer more info.
Why is it that, if what they're doing is so wrong, literally nobody with any real authority in government seems to be trying to stop them. You'd think at least a few people in those positions (Snowden notwithstanding) would go "Hey! We need to dial this back!" Instead, we get promises from candidates, many of whom end up going back on what they said.
Could it be possible that maybe, just maybe, this is actually necessary, and everyone higher up in government understands it? Have hundreds of terrorists attacks been stopped by three letter agencies? To be fair, what if they stopped a second 9/11 from happening just yesterday? What if some ISIS cell was *this* close to launching a successful attack? It would make sense that the government would not reveal the thwarting of such an attack, for fear of sparking mass panic. Is it possible that everything that's being done is actually being done with what are at least good intentions? Granted, just because they have good intentions doesn't mean it's the right course of action. A lot of people who have done terrible things did so with good intentions.
I find it hard to believe that all of these massive government agencies are fully staffed by malicious assholes who are actively plotting world domination. I don't believe in massive government conspiracies. They can't seem to cooperate on anything, so I highly doubt they're all working together towards some evil goal. I feel like this is more an example of people who are trying to do good, and possibly succeeding behind our backs.
All of this said, I hope that someone can offer better perspective.
Mr. Baker argues that we need to weaken encryption or make it easier to crack so that he and other government agents can listen in to prevent, or so he claims, terrorism. However, there is another way and that's to put the fear of God into our enemies. We haven't been doing that under our current president and our enemies no longer respect or fear us. That must be changed. It can start with more effective retaliation for terrorist attacks that do occur. First, we need to be more prolific in hunting down and killing those responsible for the attacks and we should not hesitate to punish governments that don't cooperate, up to and including targeted attacks on their military and economic infrastructure, as we did during the days of gunboat diplomacy. At the same time, we must not fail to reward friends and allies for their loyalty, which may include, from time to time, overlooking certain inconvenient and thorny human rights issues. Finally, we must not forget who our enemies are, as President Obama has done with Iran to the consternation of our allies and the delight of the mullahs in Tehran who are no doubt even now marveling at the stupidity of both the American president and the people who elected him.
Arrest is a much bigger deal in China than most readers would think since it leads to a 99+% conviction rate.
" This stuff is regularly abused in the US, with no technological barriers to a political operative misusing the system currently (i.e. without a warrant.)"
Reference or are you just talking out of your ass?
I can go into any computer textbook and look up the algorithms for strong encryption. Does that mean that the tech companies have to start burning books as part of their proposed solution to the FBI?
Why do we have such blowhards in charge of these decisions without having even the most basic understanding of how this shit works..
I have also started noticing that this divide is starting to affect businesses too as the people moving into upper management were in middle management during the tech boom of the 80's and 90's and thus have very little experience with how technology works other than what their grandkids teach them.
(note: today I had to explain why MS Access is not a suitable band-aid solution for our ERP system that has yet to be decided on, mainly because the Pointy hair has no idea about the finer points of computer systems and our sales guy knows just enough to be dangerous. Access was the sales guy's suggestion.)
"APK doesn't think that DNS servers are worth running and seems to believe that somehow Microsoft Active Directory can run without DNS." - by Coren22 (1625475) on Tuesday October 27, 2015 @12:58PM (#50811615)
Where'd I say AD will run minus DNS Coren22? I've said AD = internal network DNS dependent as far back as 2007 http://forums.tweaktown.com/wi...
(Search this in BOLD there "To warn users who have ActiveDirectory/AD LAN-WAN setups to NOT use external DNS servers!" referring to OpenDNS suggestions for those using AD stupid in the POSTS BEFORE IT in my security guides for users (geared to stand alone single machines no less), & right there on that page proves it stupid - so even if you posted as myself someplace here on /. "impersonating me", I have your ass NOW, shithead!)
I've also stated MANY TIMES I use remote DNS in OpenDNS @ home (but not @ work on AD networks + exchange/outlook: Free OpenDNS model doesn't work with AD dependent Exchange + Outlook specifically you lying little imbecile).
I also don't hardcode in "every site there is under the sun" is why, so I have to use DNS, but OpenDNS & rarely.
I also RARELY MISS A LOOKUP since I put where I spend a good 95++% of my time online in my favorite sites into hosts @ the TOP of hosts for utmost LOCAL FASTER RESOLUTION SPEEDS and more reliability vs. Open DNS (not OpenDNS) resolvers being abused, Kaminsky redirect poisoned DNS servers (of which 99.999% of ISP DNS are not proofed against to this very day even though a patch exists which OpenDNS uses), rogue DNS servers, and yes ROUTERS with bushwhacked by malware DNS settings (happening a LOT lately).
Hardcodes in hosts are faster than remote DNS, waste less resources than local dns in power, cpu cycles, RAM, & other I/O by FAR considering ALL THE PARTS of such a setup in programs, data, I/O, & power (especially if setup as a separate machine).
APK
P.S.=> You're a disgusting liar... apk
Coren22 says "hosts=bad" (they add security, speed, & reliability) & bitches on admin priv to UPDATE vs. threats
"So, have you figured out why privilege escalation is a bad thing yet?" - by Coren22 on Tuesday September 22, 2015 @05:15PM (#50577809)
& admits using admin priv himself
+
How else can I programmatically update hosts minus it in Windows?
---
"Of course it requires elevation to write to the hosts file" - by Coren22 (1625475) on Wednesday September 23, 2015 @05:35PM (#50585879)
You FINALLY later admit there's no other way!
FACT:
Even MalwareBytes AntiMalware (best one) DEMANDS you use admin privilege (you saying it's "bad" too?) it can't do its job fully otherwise, like many security tools do!
APK
P.S.=> Lastly - Coren22, there is a CURE for your "outism" due to your retarded by assburgers clearly defective brain (lol) - quit making childish sigs about me & sockpuppet accounts as well as telling lies about me - I'll stop OUTING you, immature "signature boy" troll... apk
"I guess we should avoid your crap, it looks like it is marked as malware. Good luck getting that removed." - by Coren22 (1625475) on Monday November 02, 2015 @03:52PM (#50850445)
It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
Its 32-bit model too https://www.virustotal.com/en/...
&
More "SALT IN YOUR WOUNDS" -> http://f.virscan.org/APKHostsF...
---
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
APK
P.S.=> /.'ers say my work is good too:
"his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)
"I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)
"APK is kinda right... I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works." - by bmo (77928) on Thursday October 15, 2015 @11:30AM (#50736071)
"his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources" by alexgieg (948359) on Friday September 25, 2015 @09:57AM (#50596461)
... apk
See subject & links where I tried to make peace - says it all w/ proof of it from his trolling "signature boy" mouth http://slashdot.org/comments.p... & here too http://slashdot.org/comments.p... + here http://slashdot.org/comments.p...
* :)
(I've discovered that trying to make peace with a mental retard due to assbergers & OUTISM is a difficult thing & largely apparently unachievable...)
APK
P.S.=> You brought it on yourself Coren22, nobody else - you sow the wind? Here comes the whirlwind, & all your sockpuppets, signatures, & fellow trolls can't stop it (lol, you're 'outta bullets' in downmods) - so "the beatings will continue" until you stop your immature childish signature bs... apk
See subject: Says it all & this link, dismantling him point-by-"so-called 'point'" of his publicly http://slashdot.org/comments.p...
* :)
(Coren22, I tried to give you a chance, 3x no less - you're a fool: You mistake mercy for weakness, like cretin brutes in the streets do... you paid the price!)
APK
P.S.=> I notice you stopped responding there - "Gosh, golly gee - why's that?" (not) - but I expect you'll TRY some more b.s. as that's all "your kind" (trolls) understand - crap like downmodding my posts or ac troll me!
(Which you & your sockpuppets OR fellow trolls have here already NOW TELLING OTHERS TO TROLL ME BY UNIDENTIFIABLE AC POSTS http://slashdot.org/comments.p... as I've torn you ALL up 1 by 1 every time as I have yourself above... you did this, to yourself "signature boy")... apk