Slashdot Mirror


Why Governments Lie About Encryption Backdoors (vortex.com)

Lauren Weinstein says there are smart people in government, "who fully understand the technical realities of modern strong encryption systems and how backdoors would catastrophically weaken them," but asks, "So why do they continue to argue for these backdoor mechanisms, now more loudly than ever? The answer appears to be that they're lying to us. Or if lying seems like too strong a word, we could alternatively say they're being 'incredibly disingenuous' in their arguments. You don't need to be a computer scientist to follow the logic of how we reach this unfortunate and frankly disheartening determination regarding governments' invocation of terrorism as an excuse for demanding crypto backdoors for authorities' use."

17 of 247 comments

  1. Lie? by Anonymous Coward · · Score: 5, Insightful

    I don't understand why people believe a single word from the (US) government. Every time, on nearly every topic but especially security / military, what they say turns out to be not true.

    1. Re:Lie? by bill_mcgonigle · · Score: 5, Interesting

      I don't understand why people believe a single word from the (US) government

      It's part of their religion.

      Every time, on nearly every topic but especially security / military, what they say turns out to be not true.

      Talking snakes poll even better - objective truth has little relevance.

      But also consider the mental load of admitting that they're being economically and culturally ruined by these people. That would imply a moral imperative to action, which would require them to get off the couch. Technology has created the best living conditions in human history which brings comfort. They don't realize that fascistic regulations prevent that technology & comfort from being many times better. That's where the flying cars are.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Lie? by Anonymous Coward · · Score: 5, Insightful

      The SOLE reason governments (aka: not you, but the puppet masters you sheeple put into office) want backdoors and crypto bans is NOT because terrists (aka: murderers, killers, criminals, thugs), IN FACT all of them have NO real impact, look up death rates by cause.... but because governments around the world are SCARED SHITLESS that in this new CONNECTED world where people are aware of each other and TALKING with each other and sharing ideas and solutions and futures..... that the PEOPLES OF THE WORLD are now WAKING UP and realizing that governments, especially the crony thieves of old, are UNNECESSARY.
      To put it quite frankly, the US GOVT, and every other one, is AFRAID of losing their power and being REPLACED by actual effective legitimate non-corrupt totally open entities that serve ONLY the people, NOT THEMSELVES.
      Do you have any FUCKING idea what kind of FALL FROM POWER and change that represents to these dynasties of elites?
      So they are now trying to INVADE *your* PRIVATE communications so that they can see WHAT YOU'RE THINKING in that regard, and then MANIPULATE all of what you see, hear, read, and disintermediate your actions, steer markets, and all their old tricks.... SO THAT THEY STAY IN POWER, AND TAKE MORE POWER AND RIGHTS FROM YOU.
      Make NO mistake, this has nothing to do with anything but THEM and them alone.
      WAKE UP WORLD... think about it... you'll realize there are more Springs needed than just the Arab Spring, fall of Berlin Wall, etc... the ones for and by you right at home.

    3. Re:Lie? by Opportunist · · Score: 4, Insightful

      Are you kidding? The only reason why they didn't claim that power yet is that it's simply more cost effective to offload that shit onto governments.

      It's like having colonies. We realized that it's more cost effective and less of a hassle to simply put puppets in control and prop them up while at the same time keeping them fully dependent on our money. That way you can have your cake and eat it too, you can still have full control over your colonies, their raw materials and what they produce for you, while at the same time having no expenses for keeping it under control.

      Same with corporations and countries.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. They got used to it by spire3661 · · Score: 4, Insightful

    The government simply got used to being able to see everything at all times. Now that we can create blind spots, they are paranoid and lashing out.

    --
    Good-bye
    1. Re:They got used to it by Kjella · · Score: 5, Interesting

      Well I think it's just as much the general public not being used to early, brutal death anymore. I just checked the mortality statistics here in Norway:

      0-1 years old: <0.25%
      0-45 years old: <2%
      0-66 years old: <10%

      That is rather amazing when you consider there's still fatal accidents, diseases, murder and suicide. But we're chipping away at it bit by bit, adding safety measures, advancing medicine, reducing crime, improving mental care. Then a guy with a Kalashnikov fucks it up good, killing lots of people who with 98-99% probability should have lived decades, minimum. I'm not sure how they really coped with that during WWI and WWII when young men (and quite a few others) were dying left, right and center but I know today it's such an abomination we don't deal with it at all. We want it solved and eradicated, not just make the reasonable precautions and live with the residual risk.

      --
      Live today, because you never know what tomorrow brings
    2. Re:They got used to it by dryeo · · Score: 4, Interesting

      Has forcible rape skyrocketed or has the number of women actually filing charges skyrocketed? It has been getting easier for a woman to charge a rapist without being put on trial herself.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  3. The Goberments... by MindPrison · · Score: 4, Interesting

    We've read the "Government does this, the Government doesn't do what it should, and the Government is corrupted etc." so many times it becomes both tiring and old, especially since most of it is just us - the people - voicing our opinions about things we've "heard" about, and even if it was true - we do basically NOTHING about it...but talk.

    That said...even if you elected someone else - the power of knowledge is too tempting for ANYONE to resist. Therefore the way is OPEN SOURCE all the way. The safest way is actually no secrets in any source or any software, keep everything open - and then no one will be able to put in back doors or abuse bugs that are unknown as everyone will be able to peek inside and help fixing it.

    What we need to do is to stop this endless paranoid game of "who do you trust?" and start producing results and solutions. We can do this together...the "gorberment" can't do anything about it, if anything - they should keep to what they do best (whatever that is) and leave the technology to enthusiasts like us, WE - the people - will pretty much make sure your privacy is safe because we'll all end up using open source software.

    The only thing "goberment" is achieving with this crazy "who do you trust?" game is making sure would-be terrorists keep digging a deeper hole to hide in and grow a HUGE database of every person's private lives - kept - for their interpretation, with the kind of knowledge and power NO man should hold.

    What you do with your computer or in your home - isn't government business no matter what the cause is. If you don't have the freedom to think freely, voice your opinions at will - then you don't have any freedoms at all.

    Now, if they ever outlaw open source, then we'll be in trouble (or rather - they will).

    --
    What this world is coming to - is for you and me to decide.
  4. it's not the smart people, it's the PHB by Anonymous Coward · · Score: 5, Insightful

    Because the smart people don't drive the commentary, they just stand there in the background face-palming themselves.

    Honestly government isn't any different from enterprise:

    The Techs & Scientists give management a clear answer on a subject, stipulating all the factors and issues with a stance that the boss is taking, providing alternate approaches & data that shows what they want is irrelevant anyway.

    The PHB doesn't like what he's hearing so just goes out and says what he thinks, regardless of the facts. "Well that's what I've promised the client, so you'll have to deliver"

    Do you think that politicians & leaders in the "security" services are any different?

    1. Re:it's not the smart people, it's the PHB by Opportunist · · Score: 5, Insightful

      The bible containing proof that god exists is like Harry Potter containing proof that magic exists.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Focused on attack instead of defense. by dweller_below · · Score: 5, Insightful
    Part of the problem is that many believe that we can attack our way to security. They are confused about the fundamental nature of attack and defense when applied to the internet. They don't understand the combination of global connectivity and automation. They don't understand that any action of internet attack or defense has unintended consequences.

    In the old days, you could attack one thing. You could defend one thing. But, that doesn't map well to the internet. Now, we all talk to each other. We all use the same methods of defense. When one actor attacks another, the attack is exposed, analyzed, and re-used. Now, when somebody attacks, they increase the cost of defense for everybody. When somebody comes up with improved defense, we all learn how to increase the cost of attack for everybody.

    For over a decade, several branches of the US government have focused almost all their energy on attacking others across the internet. The result is an internet where compromise and breach are daily events. Somehow, our protectors don't see that they are crafting the tools of our demise and handing them to our enemies. If we are honest, we are more to blame for the great compromise at the OPM than our attackers. If we had spent the last decade on creating and encouraging defense, then breach would be difficult and rare.

    Now, our governments are blindly following the tradition of attack. They wish to attack the protocols we use to determine identity and create security. They don't see or care that everybody else will do likewise. They don't see the great devastation that will follow.

  6. Re:How does it work by Anonymous Coward · · Score: 4, Informative

    Because encryption is usually a bit more complex than just that. A common system is to encrypt the data with a strong symmetric cipher, using a single-use key generated on the fly, then encrypt a copy of that key with the method of the user's choice, such as a password or asymmetric cipher. This way, you lessen the impact of using a slower or weaker method, as it is encrypting what is hopefully a relatively small and utterly random packet of data. Diffie-Hellman key exchange, NTFS file encryption, and others use this principle.

    The 'master key' exploit should be fairly obvious, at this point: Every time the system creates a key package, it creates another copy of the single-use key, encrypted with a hidden 'master key' supplied by whoever ordered the backdoor. This doesn't compromise the integrity of the cipher used on the data, or on the other key packages. The danger lies in the security of the Master Key itself, which must be included in some form in every single instance of the encryption system. Unless the Master Key is made truly unique for every instance - a records-keeping nightmare - then an attacker only needs to break one key to break them all.
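
The scheme described in the comment above, as an added example that is not part of the original post: each message gets a fresh session key, wrapped once for the user and once for a master key, and `exposure` counts how many instances a single leaked master key opens. All function names are hypothetical, the user key is assumed to be password-derived, and the cipher is a toy standard-library stand-in for a real one such as AES-GCM.

```python
# Added illustration: names and the toy cipher are assumptions, not from the thread.
import hashlib, hmac, secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _stream(key, nonce, n):
    return b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    """Toy encrypt-then-MAC cipher: a stdlib stand-in for AES-GCM, not for real use."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or modified data")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def encrypt_message(plaintext, password, master_key):
    session_key = secrets.token_bytes(32)  # single-use key, generated on the fly
    salt = secrets.token_bytes(16)
    user_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "data": seal(session_key, plaintext),
            "user_pkg": seal(user_key, session_key),       # package the user knows about
            "escrow_pkg": seal(master_key, session_key)}   # hidden copy for the master key

def decrypt_as_user(msg, password):
    user_key = hashlib.pbkdf2_hmac("sha256", password.encode(), msg["salt"], 100_000)
    return unseal(unseal(user_key, msg["user_pkg"]), msg["data"])
def decrypt_with_master(msg, master_key):
    return unseal(unseal(master_key, msg["escrow_pkg"]), msg["data"])

def exposure(master_keys, leaked_key):
    """Encrypt one message per instance; count how many leaked_key can read."""
    readable = 0
    for i, mk in enumerate(master_keys):
        msg = encrypt_message(b"note %d" % i, "password-%d" % i, mk)
        try:
            decrypt_with_master(msg, leaked_key)  # no password needed on this path
            readable += 1
        except ValueError:
            pass  # escrow package was sealed under a different master key
    return readable

if __name__ == "__main__":
    shared, unique = secrets.token_bytes(32), [secrets.token_bytes(32) for _ in range(4)]
    print(exposure([shared] * 4, shared), exposure(unique, unique[0]))
```

With one shared master key every instance is readable by whoever holds it; with per-instance keys the same leak opens only the instance it came from.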

  7. Since the failure of the Vietnam war by Curlsman · · Score: 4, Insightful

    The late Ben Bradlee of the Washington Post has recalled:
    "I guess it started for me with Vietnam, when the establishment felt it had to lie to justify a policy that, as it turned out, was never going to work ... [documented] hidden away in the Pentagon Papers..."
    https://www.washingtonpost.com...

    It seems to me we (the electorate) keep sending the people who are best at it, because they keep telling us what we want to hear, back in.

  8. Because It Works by chill · · Score: 4, Interesting

    The simple truth is that while unbreakable encryption is out there in the form of books or papers with the math, most people -- bad guys included -- are lazy and just going to use the simple, convenient stuff. (The back-doored stuff.)

    They fall into the trap of thinking "there are so many people using Facebook chat, the authorities will never find MY stuff in all that noise". In many cases they end up using simple code-book substitution and trivial code names. Instead of Abdul al-Hazred, they'll use "Mr. White". Instead of the Twin Towers they'll use "Faculty of Commerce". They think they're being clever because THEY would never catch this stuff.

    I've had this argument with gov't lawyers and it boiled down to me saying "but this is trivial to bypass -- smart bad guys would just use X", and them responding "yeah, but we'll catch the stupid ones and there are a TON of those".

    Anyone who has studied the history of crypto knows it is damn near impossible to get it right every last time, much less develop it without bugs. Even WITH source code samples, algorithms and coding skills people who have been doing this for a lifetime screw it up. Thus, "the horse has escaped the barn" isn't really an honest argument. That horse is going to trip of its own volition fairly quickly.

    The popular cryptographer and author Bruce Schneier in his blog recalled a conversation with fellow crypto expert Matt Blaze of the University of Pennsylvania, who said the publication of the Snowden documents would begin a "new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising."

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. The Four Best Arguments Against Backdoors by MarkvW · · Score: 4, Interesting

    (1) Aldrich Ames;
    (2) Kim Philby;
    (3) J. Edgar Hoover; and
    (4) the State of Alabama (NAACP v. Button).

    Sooner or later the Supreme Court is going to revisit the Fourth Amendment as it relates to wireless communications. Perhaps the feds are trying to shape the course of public opinion in this regard.

  10. Re:How does it work by BradleyUffner · · Score: 4, Interesting

    Because encryption is usually a bit more complex than just that. A common system is to encrypt the data with a strong symmetric cipher, using a single-use key generated on the fly, then encrypt a copy of that key with the method of the user's choice, such as a password or asymmetric cipher. This way, you lessen the impact of using a slower or weaker method, as it is encrypting what is hopefully a relatively small and utterly random packet of data. Diffie-Hellman key exchange, NTFS file encryption, and others use this principle.

    The 'master key' exploit should be fairly obvious, at this point: Every time the system creates a key package, it creates another copy of the single-use key, encrypted with a hidden 'master key' supplied by whoever ordered the backdoor. This doesn't compromise the integrity of the cipher used on the data, or on the other key packages. The danger lies in the security of the Master Key itself, which must be included in some form in every single instance of the encryption system. Unless the Master Key is made truly unique for every instance - a records-keeping nightmare - then an attacker only needs to break one key to break them all.

    Wouldn't it then be fairly trivial for a user (or easy to use utility) to delete the 2nd copy of the key, removing the back door?

  11. Bill of Rights built on distrust of government by Tony+Isaac · · Score: 4, Insightful

    The Bill of Rights recognizes that the government needs to be kept at arm's length, to be limited in its power. In the last few decades, we've been slowly giving more and more power to the government, sometimes in the name of "national security," (Patriot Act) sometimes in the name of "fairness for all" (Affordable Care Act). We've been taught to let the friendly folks at Washington take care of us. Now we're starting to see the dark side again. The government is saying, "Trust us with your data!"--either when they take it secretly (NSA/Snowden) or when they demand it publicly (backdoors). Maybe it's time for a digital Bill of Rights. The problem is, the government isn't just going to sit down and let go of the power they already have.