Crypto Guru David Chaum's Private Communications Network Comes With a Backdoor (softpedia.com)
An anonymous reader writes: David Chaum, father of many encryption protocols, has revealed a new anonymity network concept called PrivaTegrity. Chaum, on who's work the Onion protocol was based, created a new encryption protocol that works as fast as I2P and the Onion-Tor combo, but also has better encryption. The only downside, according to an interview, is that he built a backdoor into the darn thing, just to please governments. He says that he's not going to use the backdoor unless to unmask crime on the Dark Web. Here's the research paper (if you can understand anything of it).
1. Is anyone going to trust something with a backdoor?
2. who's ?
No way am I trusting Chaum. I'm no chump
When PrivaTegrity’s setup is complete, "Nine Server Administrators" in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications.
If you can trace criminals you can trace dissidents and political opponents. Anonymity is difficult enough without it being broken by design.
Private citizens who care won't use this because they care about not having their communications intercepted.
Big bad government won't use this because they care about not having foreign intelligence intercepting their communications, but will happily spy on anything they can get.
Botnet operators rejoice at the birth of another avenue for hard to kill C&C.
Just telling everyone your software has a backdoor is the same as spending all of your development time masturbating. No-one is going to use this crap.
He says that he's not going to use the backdoor *wink* *wink* *nudge* *nudge*
Yeah but did he pinky-promise it?
Is he claiming he found a way to safely have backdoored communications?
Guy's an idiot genius!
I can pretty much, guarantee in writing, that if there's a _real_ backdoor (this could be all BS), there will be individuals outside of the 9 "CHOSEN" who will have access to it. Further, if he's dumb enough to deploy it, he's looking at a long time in a U.S. jail if the authorities want him to decrypt some traffic - they're not going to believe the 9 people BS as much as the next guy!
CAP === 'appender' (I see /. is using non-words now)
"What you can do, your enemy can do". "Security" doesn't happen when you have backdoors, for anyone, period.
Bye bye, security researcher, hello government lackey.
Oh yes! The world will be a better place when governments are aided by secure communications developers in fighting crimes like apostasy, being gay, etc., and whatever new "crimes" might be defined out of thin air in the future.
I'm sure the criminals that will be brought to justice, and hanged, shot and stoned will understand the wisdom of this move.
In other words, what a simpleton.
If he sticks a backdoor in, then it's already broken. The UK is making a law that lets it demand access to all forms of communications in secret. So-called "obligations" on companies to provide full take decrypted access. NOT JUST FOR BRITAIN, companies like Vodafone operate across the world, they would be under these secret obligations for all of their operations worldwide.
If his back-doored protocol took off, then it follows, he would get hit by one of these secret law wire-taps, and he wouldn't be able to enforce his own promise. He'd be compelled to hand over all the data.
We Brits (and UK Parliament) only just discovered that the police and spooks had grabbed hundreds of databases and had for years had warrant free access to all our private data. Theresa May stood up in front of Parliament and explained how they'd done this in secret for years. SECRET THAT IS, FROM PARLIAMENT.
http://www.theguardian.com/world/2015/nov/04/theresa-may-surveillance-measures-edward-snowden
Sorry Europe/USA, that misused 1984 law likely means they grabbed your data too already, it was a vague "Secretary of State can give directions to telecoms companies in secret", which doesn't sound like mass surveillance, but they chose to interpret it "give us a live feed to your database".
And if they grabbed bulk data, then it also included yours, if the ISPs didn't filter the data for particular UK citizens, then it didn't filter them for other countries either. Lots of British companies hit by that law operate in lots of other countries, and all of their data will already have been handed over.
The new law is to prevent an inevitable legal challenge since mass surveillance is not legal, and the law does not give them the power they used it for.
Prosecutors were told details from this database too (remember Parliament were kept in the dark), so it's likely been used for Parallel Construction.
What he is proposing seems complicated. Here's something simple.
Build a sealed system which generates good private keys and publishes the corresponding public keys. The box should also be able to decrypt a few small things given it using these keys, but it should publish a signed log of these decryptions. Users should be able to search these publications to see who is looking at their stuff. There might be a provision to delay, but not prevent this publication for up to 6 months in total. Definitely also publish the whole design of the system for public audit.
Distribute about 10 of these systems to a wide range of governments. Something like the sitting security council members. Provide a means for inspection to make sure the systems stay sealed. Provide some diversity in the systems so that if one is compromised, they are not all compromised.
Whenever a private secure session is started, the session keys should be encrypted using a public key from each of the above systems and the result published with the session.
If some outside party wants to decrypt the session, he has to go to each of the countries and get their help. The details of this would be published to all by each system in a clear authenticated manner.
This should provide a public, limited backdoor which is simple to understand.
Like all such things it probably has holes, but I don't see them.
Assuming the system is judged to be secure and it was implemented for something like the iPhone, it would be interesting to see if it satisfies the needs of those calling for backdoors, or if they desire more privacy or freedom to act.
Simpler than that: Make all encryption 100% secure. Only Alice and Bob can read the data.
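The escrow proposal in the comment above, modelled as an added example (not code from the commenter, from Chaum, or from PrivaTegrity). Assumptions: the "go to each of the countries" requirement is realised with an n-of-n XOR split of the session key instead of public-key wrapping, an HMAC stands in for the signature on each published log record, and every name (`EscrowBox`, `who_looked`, the session and agency labels) is hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from functools import reduce

ZERO_TAG = "0" * 64  # chain anchor for the first log entry


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """n-of-n split: XOR of all n shares is the key; fewer reveal nothing."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, key))
    return shares


def combine(shares: list) -> bytes:
    return reduce(xor_bytes, shares)


class EscrowBox:
    """Hypothetical sealed box held by one custodian (one per country)."""

    FIELDS = ("box", "session", "requester", "prev")

    def __init__(self, name: str):
        self.name = name
        # Assumption: HMAC under a box-held key stands in for the public-key
        # signature a real design needs so that outsiders can verify the log.
        self._log_key = secrets.token_bytes(32)
        self._shares = {}   # session id -> this box's share
        self.log = []       # published, hash-chained release records

    def _tag(self, body: dict) -> str:
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._log_key, msg, hashlib.sha256).hexdigest()

    def deposit(self, session: str, share: bytes) -> None:
        self._shares[session] = share

    def release(self, session: str, requester: str) -> bytes:
        """Hand out the share, but only after recording who asked for it."""
        prev = self.log[-1]["tag"] if self.log else ZERO_TAG
        body = {"box": self.name, "session": session,
                "requester": requester, "prev": prev}
        self.log.append({**body, "tag": self._tag(body)})
        return self._shares[session]

    def verify_log(self) -> bool:
        """Detect records that were edited, reordered, or cut from the middle."""
        prev = ZERO_TAG
        for entry in self.log:
            body = {k: entry[k] for k in self.FIELDS}
            if entry["prev"] != prev:
                return False
            if not hmac.compare_digest(self._tag(body), entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def escrow_session(boxes, session, key):
    """Give each box exactly one share of the session key."""
    for box, share in zip(boxes, split_key(key, len(boxes))):
        box.deposit(session, share)


def recover(boxes, session, requester):
    return combine([b.release(session, requester) for b in boxes])


def who_looked(boxes, session):
    """What a user would search for: every logged release for a session."""
    return [(e["box"], e["requester"])
            for b in boxes for e in b.log if e["session"] == session]


def demo():
    boxes = [EscrowBox(f"box-{i}") for i in range(1, 10)]  # constructed: 9 boxes
    key = secrets.token_bytes(32)
    escrow_session(boxes, "session-A", key)
    partial = combine([b.release("session-A", "agency-X") for b in boxes[:8]])
    full = recover(boxes, "session-A", "agency-Y")
    return key, partial, full, boxes


if __name__ == "__main__":
    key, partial, full, boxes = demo()
    print("8 of 9 boxes recover key:", partial == key)
    print("9 of 9 boxes recover key:", full == key)
    print("releases visible to the user:", len(who_looked(boxes, "session-A")))
```

In this model a single lost or destroyed box makes recovery impossible, and deleting the newest records from a log goes unnoticed unless the latest tag is also checkpointed somewhere outside the box.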
If law enforcement wants access to the data for crime purposes, THEY GET A WARRANT for either Alice or Bob that demands they decrypt, and Alice and Bob have their normal rights to fight the demand in court, and failure to comply is risking contempt of court.
If Alice or Bob are not in your jurisdiction, then it's none of your fucking business. Go ask the country they are in to do it.
See how simple that is?
As soon as you put a backdoor in, everyone is demanding full take access now. That British Snoopers Charter is a template, every country from USA to China, India to Nigeria will implement the same law, and force companies with subsidiaries in their country to hand over all their data to their spooks in secret.
Really we need to implement end to end encryption and urgently.
If anything has an intentional backdoor built in, no matter how secure, it makes the entire thing insecure because someone smarter & more malicious than you will find a way to exploit it...always.
It's DiceDot now. Corporate probably has focus groups of soccer moms saying the site assumes too much knowledge.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
What I'm taking away from this is that anything David ever has made or will make in the future should not be trusted.
> It's DiceDot now. Corporate probably has focus groups of soccer moms saying the site assumes too much knowledge.
As amusing as that thought is, you don't need a focus group, just look at the anon coward posts in literally every single story that complain about not spelling out common 30 year old technical terms - like TCP or DOS.
They even bitch that a link to wikipedia is too much work for them.
Granted that just raises the question "Why are we listening to ACs?", but sadly these people are not made up boogiemen, and their numbers seem to be on the rise :/
The controlling person for those servers would be "obligated" under secret laws to hand over the data. i.e. the policy is subverted by any single failure point
The hardware running them would be hacked.
The software for policy would be changed (like Juniper routers code was)
If the hardware runs on multinational ISP hardware: the ISP is compelled via other subsidiary abroad to remote access the server.
The OS of the servers receives one of those 'special' updates, subverting the policy.
The software is stolen, analyzed and broken.
Talking about how the policy would work, and blah blah blah....it's all just smoke and mirrors. The core thing is : there is a backdoor, waiting to be exploited.
Juniper and Cisco can't secure their routers, so he can't secure his 9 servers.
Erm, what?
With deep sorrow we announce the departure of another great security guy we once had. You will be missed.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Then anyone using would likely have to be coerced to use it. Then when some piece needed to be decrypted the likely result would be a message encrypted with another tool that the user has done their damnedest to ascertain has no back door.
Wow good job, we've found a way to bloat data packets even further. Up the bandwidth!
Mr. Chaum has clearly underestimated the resolve of governments around the world. If needed, they will coerce the holder(s) of the key(s) to get what they want. Anyone that has even part of the key to the backdoor is going to put a giant bull's eye on themselves and their loved ones.
a better idea would be to take the improvements made and upgrade the Tor protocol.
Anons need not reply. Questions end with a question mark.
Kudos to David for disclosing that but what was he thinking adding in a backdoor?
Sounds like he hoped to cash in on some government contracts (possibly some sales for CEOs looking to snoop in on employees) but the fact is companies selling equipment and software with back doors on balance are losing market share globally due to national security concerns (ask tech companies like Cisco that were in bed with the NSA how their sales are doing in China these days)
Over the long term communications software with backdoors in it has no future. With encrypted VOIP on the horizon the era of wiretap is coming to an end. Given an alternative, few want to adopt technology with backdoors other than those that want to snoop in to our communications.. aka government officials. (ironically both on the left and right... Bush and Obama... alleged "opposites"... but in practice birds of a feather when it comes to mass surveillance of private communication)
While many deluded megalomaniac politicians demand we all use equipment/software with back doors in it (trust them they won't illegally peek - see Snowden) the market is clearly moving in the opposite direction. This is especially true on a software front where it is near impossible to regulate due to the speed and ease of distribution. For all the talk of privacy versus security, what seems to be happening is that all the legislators in the world are powerless against the programmers of the world!
Given current trends it seems inevitable software developers will eventually provide us the means to have easy to use end-to-end encryption whether politicians and the police like it or not. They will make it open source for transparency.... distribute it around the world...and it will be free for all. No central point for the control freaks to regulate into submission. True power to the people.
There's a term for that in data security circles. That's what we call NOT PRIVATE, for fuck's sake.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
LOL, err, I mean, "NO".
Sorry, I don't know who he'll trust or what he'll use it for. I also don't know that Bad Guys(c) won't be able to break into it.
And by "Bad Guys" I mean the NSA/CIA/FBI as well as the friendly folks from the Russian Business Network or other criminal organizations.
Just cruising through this digital world at 33 1/3 rpm...
> Don't believe anything you read in The Onion -- they are a satire and humor website.
You're confusing the Onion protocol with the Onion news site.
The Onion protocol takes your messages and makes them funnier by applying a Poe's Law algorithm.
I think that would be spelled "Chaump"
Can you blame him? When the government takes the stance it has taken since some years, you either play ball with it or... Well, there are no other choices.
What would you do in his place? Let's suppose you just wrote the ultimate unbreakable encryption system, and managed to bundle in anonymizing features just for the hell of it, and it works. What do you think would happen? You'll receive a visit from a friendly government officer who will explain - kindly at first - why you should build some "safeguards" in, appealing to your patriotism and sense of duty to the nation, to your instincts as a parent, to your conscience as a good citizen.
I don't think you will ever build anything like that, but if it comes to that I would advise you to cave in right at that moment so you can chalk it up to patriotism and whatever, and feel better about it afterwards. Because if you do not, I can guarantee things will get ugly, real fast. If you are an employee, you will lose your job and never find another. If you're an independent contractor, you will find no customers willing to contract you. Then the tax bureau will take a keen interest in you. Your kids (if you have any) will find their grades mysteriously going down. Their applications to college will be rejected. By this time you will have lost your home and on your way to below the poverty level. And we haven't even begun.
So, do you still think he was wrong to build a backdoor in?
What are ACs?
USA would only need to compromise two servers (Russia and China) to get everything on that cryptonet but as we already know, servers can not be penetrated.
...comes with a backdoor. Beware.
Every spy agency, then, would see that they could monitor sensitive communications simply by collaborating with other spy agencies?
> So, do you still think he was wrong to build a backdoor in?
Yes.
In this case, a former /. member that hasn't bothered using their login for the last couple of years.
Doctor Who's work on the onion planet of Spinthoz was limited to an unofficial visit, which means there were no welcome protocols involved.
http://tardis.wikia.com/wiki/O...
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
The thing is, yes you will all go 'LOL' but you're not paying attention to the subtext. I'm posting this AC because I am an AC; I don't have an account. So people won't see this, perhaps, unless a non-AC says the same thing.
Here's the thing: nations all over the world say "we want a secure backdoor", encryption experts say "it can't be done". This repeats for a while until the nations start saying "OK, if it can't be done, what can be done?" (which is roughly the tenor of everything coming out of the US and UK right now -- what can our experts do?)
So, he's built them the system they want. A secure network that can support international trade and has a backdoor system that solves the "once one nation has a backdoor, everyone will want a backdoor" problem.
So you all go 'er no, LOL HAHA', but here's the subtext. This is a product _and_ a thought experiment.
If Five Eyes agree they will agree all requests (which is in itself unlikely; Five Eyes countries do still compete with each other), then the remaining four keyholders gain significant bargaining power. Yes, it means four keys left to crack, but the Five Eyes countries will understand that this means those four keys must be uncrackable, because of the number nine. The number nine says that (to mix metaphors) the Five Eyes boot could be on the other foot if only one participant changes sides. So the crackability of the keys is a problem. If Five Eyes can do it now, an alternate future Five Eyes will be able to do it more easily. So they can't weaken the keys.
As to the remaining four keyholders -- the power they have comes from what they can purchase with every agreement, and the chance that they might form a bloc (the Rest Of The Eyes).
But what if they choose to exert this power with their own requests? Very quickly it will become apparent that the Five Eyes can't afford to say no to any requests from any of the remaining four, in case their own requests are blocked. But if China and Saudi Arabia get a key, they will make a lot of requests that Five Eyes will never approve.
All encryption may be maths, but all _use_ of encryption is politics. This idea (which is a work of genius) builds the politics into the success of the system, and thus moves the encryption debate along, because while all participants will think they can game this system, none of them can risk it.
1. Get a copy of the PrivaTegrity,
2. De-compile it
3. Analyze product
4. Remove Back Door.
4.1 Put a new back door in it?(this part never gets old)
5. Miller Time.
It's fucking centralized, no shit it has a backdoor. geniuses.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
So... my question would be... Quis custodiet ipsos custodes? Who will appoint, monitor and document the decisions of these administrators and if necessary revoke their anointed status as the determiners of what is or isn't acceptable evil (e.g. is sharing a commercial movie evil enough to attract the attention of "the nine"... how about a casual statement calling for the non-constitutional overthrow of a government... clearly child porn would be considered evil, but what would the cut off age be, 16, 17 or 18... would planning to blow up a public facility in a western country be more evil than threatening to blow up a public facility in a country already mired in a civil war)? Will they be accuser, prosecutor, judge and jury? Who will take cases to them and which legal system will apply... can they be sued in the event that they err? What will keep them beyond reproach and will their decisions be made public? Will it be possible to appeal their decisions?
Lots of questions and no clear answers.
...this "backdoor" requires the persuasion/coercion of half a dozen people, or the compromise of half a dozen computers.
I'm putting my money on the world's intelligence agencies to achieve at least all of the above.
Why would anyone bother to use it instead of PGP?
Sure I knew you could.
Us terrorists will only have to blow up one of those servers and our communications will be forever secure !
What you say ? backups ? copies ? offsite ?
How private and secure exactly did you say this system was ?
... and > 9 "democratic countries" fell for the falsified "weapons of mass destruction evidence" the US presented to lure them into supporting the Iraq war.
Slashdot stole my unescaped "greater than" character.
I love the smell of satire in the morning.
who's != whose
Nine governments in agreement sounds like an unlikely scenario regardless what the topic is.
Except where there is something in it for them. Like when they say if you agree to open the door when I want something, then I will open the door when you want something. Maybe we just all agree to leave the door open all the time for convenience.
Why would you need to trace dissidents and political opponents by their electronic communications when they put themselves out in the open trying to gain support from like minded individuals? Dissidents and political opponents who want to remain anonymous and communicate only over the internet end up being dismissed as just another keyboard warrior who likes to rant about the injustices in the world. Of course my viewpoint is not universal and some countries are proactive and imprison or kill anyone voicing a complaint about their government. The only time law enforcement agencies would need to use every tool available, including electronic communications, to track down a dissident is when said dissident starts blowing up buildings and killing people who don't agree with their particular views.
Three Rings for the Elven-kings under the sky,
Seven for the Dwarf-lords in their halls of stone,
Nine for Mortal Men doomed to die,
One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie.
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie.
...omphaloskepsis often...
He wants to catch men who like young girls.
Man+Girl marraige was legal in US states until feminist cunts had it banned starting in the 1880s (state by state).
Prior to that a man could marry, say, a 7 year old sweet pretty young girl in delaware, and a 9 or 10 or 12 year old
in other states. This (especially the younger ages) was more in keeping with the beliefs of good Old Testament
books such as the book of Deuteronomy (Deuteronomy chapter 22, verse 28-29, in hebrew, allows men to rape
young girls (age from infancy till adolecence (read the hebrew)) and simply keep them as their woman, after
paying the girls father some silver) (Deuteronomy also refers to the man as ba'al: master (of the woman), something
that has been stamped out in woman's societies).
The penalty for enticing others to follow a god/ruler/judge other than that of Deuteronomy is death. Furthermore
it is the reader, it appears, who is directly appealed to in the text to deliver this death in such cases.
This man, who created a product aimed at turning over men who like young girls over to the feminist
authorities who rule over all of us world-wide, entices us all to follow the ruler of the feminist countries:
not the ruler/judge/God written of in Deuteronomy.
Clearly what should happen to people such as him are that they are killed.
His actions are just like that of whomever created the "Intel Management Engine",
another backdoor on all Intel chipsets which includes a on-chipset vnc server paired to the
integrated GFX card's framebuffer.
This is the SJW world we live in. The wost crime imaginable is a man taking a young girl
and ruling over her. And faggot pieces of shit like this cryptographer agree and try to make
sure that is stamped out completely (GIRLS NOT BRIDES! etc). He is an enemy.
I pray for the day that these enemies make the night as brillant as the sun.
When they burn, God willing (please let it happen, somehow).
Hans Reiser did nothing wrong.
> The only downside, according to an interview, is that he built a backdoor into the darn thing, just to please governments.
So in other words, it's worthless. How many days will it be before criminals in the US government sell the backdoor to their criminal buddies in China?
I'm curious, would not selling someone a privacy enhancing program with a built-in backdoor be considered a deliberate attempt at deception and fraud? Especially if you are banking on the fact (as someone has already mentioned) that pointy-hair bosses (or purchasing agents for pointy-hair bosses) don't really understand the ramifications of a "backdoor"?
The fact is there are a lot of people who wish to do as much harm as they can. We have always had well-poisoners in our midst but thanks to current and near-future technology, their ability to do great harm to great numbers of people is increasing dramatically. I've said this before but here it is again. Tell me I am wrong:
1) The number of technologies that can cause serious, deadly harm to humans and other living things is going up.
2) The number of substantively different or novel attacks that technology is capable of producing, each requiring its own custom defense, is going up more than arithmetically, possibly geometrically.
3) The number of people required to wield those technologies in order to create one of those attacks is going down, heading distressingly towards one.
4) The number of people which can be simultaneously harmed by such an attack is going up, distressingly, headed towards millions or billions.
5) Failure to thwart a plausible large and successful attack will result in a distressingly large expansion of the powers of the national security state and a distressingly large diminution of civil liberties, individual freedoms and privacy, heading towards fascism.
So what do you want from the world's governments? To just not take any preemptive measures? If you read what he's suggesting, he's suggesting that no one government be able to decrypt traffic without the others' approval. It's not a bad as in evil idea - we have to give the government the powers it needs and as Enigma has shown, decrypting the enemies communication is crucial- it's just that it won't work for mundane reasons. But it's a start at the kind of crazy, out of the box thinking we need.
He's not shown any reason why the 9 governments (who have to all agree to decrypt transmission X using their collective keys or it can't be decrypted) wouldn't just engage in politicking of the worst sort. We already have the Five Eyes collaborating in secret -for decades- and we already have the 11 FISA judges absolutely positively rubber-stamping just anything that comes their way.
https://en.m.wikipedia.org/wik...
What more proof do we need that when the circle of power gets small enough, there are no good guys? Governments are good at convincing their own kind to cooperate and this would all just devolve into horse trading. You give me my dissidents and I'll give you yours and we'll stay fat n' happy in a world we like to call "Things As They Ought To Be".
It won't work. But I praise his attempt mightily. The basic issue is, we need a police force whose sole purpose is to monitor the police force (NSA CIA ETC.) and whose authority is final barring a super-majority of both houses of Congress (say). None of those agencies are going to go for that, obviously. A real issue is this- once the oversight circle expands enough, you get traitors and leakers and spies. But is that truly worse than a nation whose agencies ARE corrupt or whose population BELIEVE they are corrupt and act on that belief?
The effect of being a member of a TLA on the human psyche is profound and negative. The human mind wasn't made to perpetually tread water in an horizonless sea of stress hormones. It changes your brain; it changes who you are and how you perceive people and the world. You become someone who fits the job, and that eventually makes you very very different from ordinary citizens, especially with respect to your value system. You might very well decide to "collect it all" even if that makes no logistical or operational sense, and you know it. You might very well come to devalue privacy to a degree that outsiders would find shocking, even demented. You might very well see the Constitution or some of its amendments as the biggest threat to the nation.
Here's my first idea. Part of our problem is, we lack a particular representational language. We need a language, a way of expressing
From the Wired article: "Chaum argues that PrivaTegrity's setup is more secure than Tor, for instance, which passes messages through three volunteer computers which may or may not be trusted."
...unlike this PrivaTegrity thing, which requires you to 100% trust a FIXED set of 9 volunteer computers (which apparently cannot be trusted not to collude against you). At least TOR's security model TAKES into account the possibility of malicious nodes (which is the whole reason why messages are onion-encrypted) AND it lets you choose the hops (you're not forced to use the 9 "trusted" nodes).
*facepalm* yeah, this is totally going to work...
So you're saying that standing up to your government and overthrowing it is never possible? The government is always right even when it isn't?
Custom electronics and digital signage for your business: www.evcircuits.com
Get rid of him.
>What would you do in his place? Let's suppose you just wrote the ultimate unbreakable encryption system, and managed to bundle in anonymizing features just for the hell of it, and it works. What do you think would happen? You'll receive a visit from a friendly government officer who will explain - kindly at first - why you should build some "safeguards" in, appealing to your patriotism and sense of duty to the nation, to your instincts as a parent, to your conscience as a good citizen.
KILL THEM.
It's not like you can marry a qt little girl anyway, the CUNTtries banned that in 1880.
Every techie faggot is a feminist today.
They all oppose men marrying girl children.
>In the United States, as late as the 1880s most States set the minimum age at 10-12, (in Delaware it was 7 in 1895).[8] Inspired by the "Maiden Tribute" female reformers in the US initiated their own campaign[9] which petitioned legislators to raise the legal minimum age to at least 16, with the ultimate goal to raise the age to 18. The campaign was successful, with almost all states raising the minimum age to 16-18 years by 1920.
Also see: Deuteronomy chapter 22 verses 28-29, hebrew allows men to rape girl children and keep them: thus man + girl is obviously fine. Feminists are commanded to be killed as anyone enticing others to follow another ruler/judge/god is to be killed as-per Deuteronomy. It is wonderful when this happens from time to time: celebrate)
Holy fuck you have some serious issues with 50% of the human race. Go and get counselling, please.
You are sick.
There's a ton of discussion elsewhere (ie, g+), and the Wired article completely misses that he's assuming we know about a classic (and cool) solved problem in computer science, "byzantine generals with collusion".
I suspect it will be attractive to anyone who could lose their master key if a sysadmin quits, and unattractive to the security services, who don't want to ask for or honour court orders (:-))
davecb@spamcop.net
Now that the backdoor has been revealed, it certainly won't be considered as a TOR upgrade, and governments and individuals, now fully aware (or should be) of what a backdoor actually means, will steer clear of it. We know of at least one government that will strong-arm the other 8 into doing whatever is asked of them. Let's hope Chaum's project dies an early death.
this is a new fad - we have adblock with acceptable ads, and here we have a private encrypted communication that can be read by someone else when needed. Great.
because no one is going to give a shit about this or any other work you do
Yeah, your view isn't universal. There are people out there trying to trace dissidents and political opponents electronically because those dissidents know they'll be in jail for a long time or killed if caught. That law enforcement "should" only get involved when dissent becomes violent is a nice thought, but in China the police become involved if you happen to mutter that the local cops are corrupt, or if someone mentions that you practice meditation and believe that materialism isn't the bees knees.
So yeah, ideally this is how internet communication would work. But if that was how it worked, why in hell would we have needed to start encrypting dissent and opposition in the first place?