NSA Chief: Arguing Against Encryption Is a Waste of Time

An anonymous reader writes: On Thursday, NSA director Mike Rogers said, "encryption is foundational to the future." He added that it was a waste of time to argue that encryption is bad or that we ought to do away with it. Rogers is taking a stance in opposition to many other government officials, like FBI director James Comey. Rogers further said that neither security nor privacy should be the imperative that drives everything else. He said, "We've got to meet these two imperatives. We've got some challenging times ahead of us, folks."

Job is forfeit.

New appointment for NSA Chief in 3 ... 2 ... 1 ...

Re:Job is forfeit.

[bluelip]

Nah, they just have all methods of encryption broken.

Re:Job is forfeit.

[Ravaldy]

Neither, he's a smart individual that took the time to look at the landscape and him speaking about it in the public tells me he's already convinced the people above him.

Re:Job is forfeit.

[fustakrakich]

Well yeah, next January...

Re:Job is forfeit.

[Hognoxious]

Could be a good time to invest in companies that make $5 wrenches.

Re:Job is forfeit.

[pr0fessor]

This is what I don't understand this is about more than backdoors it's also about outlawing certain encryption types which could make securing financial data difficult, hinder e-commerce, and eventually result in a rise in identity theft and fraud. As far as I know these things are not the the concern of the NSA but are absolutely something the FBI would investigate why does it appear that these positions are reversed.

Re:Job is forfeit.

[U2xhc2hkb3QgU3Vja3M]

You'll never break 4096-bit RSA with that!

Re:Job is forfeit.

[JoeMerchant]

It's a realist approach: "If guns are outlawed, only outlaws will have guns." kind of logic, and it's perfectly sound.

They can try to keep it out of mainstream consumer electronics, but there's too much "DIY" capability in the world to keep strong cryptography contained.

It reminds me of the early mp3.com days - the genie has long since left the bottle, doesn't matter if you saw it coming or not, it has happened. Now, you'll have to deal with it. Attempting to recapture the genie is a fool's errand.

Re:Job is forfeit.

[JoeMerchant]

Judges do it with "contempt of court." They don't need no steenking wrenches.

Re:Job is forfeit.

[Joce640k]

http://ciphersaber.gurus.org/

Re: Job is forfeit.

[rickb928]

He's not that smart. It's obvious that functional encryption is essential to commerce, to end-user confidence, and even to regulation.

Obvious.

Re: Job is forfeit.

[rickb928]

The NSA knows that it you try to limit functional encryption to certain uses, you will fail.

The good stuff still be found and used by the criminals, and nothing is gained.

Re:Job is forfeit.

[mlw4428]

Better a jail cell than a beating with a piece of iron.

Re:Job is forfeit.

[flopsquad]

It's the triple back burner reverse reverse psychology gambit. It goes like this:

a) Only a fool will believe that anything about breaking encryption is "challenging" for the NSA. (That, and get involved in a land war in Asia.)

b) A savvy skeptic will take this whole "yeah you should use encryption but gee it makes things difficult" charade as a sign that NSA has encryption pwned six ways from Sunday, resigning themselves to using whatever's good enough to at least prevent parties != NSA from sniffing their bits.

c) The NSA doesn't actually have encryption pwned, but is counting on b)'s resignation and a)'s inexperience/disinterest to keep the status quo, which really is challenging but not as bad as it would be if encryption became both stronger and more widely adopted.

Re:Job is forfeit.

[cfalcon]

If they have ALL the encryption broken, they can just have all the data. I'm not even mad.

A functioning attack on Serpent 256, AES, and Twofish would be a landmark accomplishment, because it would imply that there's some fundamental parts of math known only to the attacker.

Re: Job is forfeit.

[zlives]

the smart part is the second leg of the conversation...
Congress, we need infinite budget for our quantum computers and ai masters

Re: Job is forfeit.

[Hognoxious]

Reference. Nonetheless, it's a pleasant surprise that anybody got it.

Ah well, the weekend will probably go downhill from here.

Re: Job is forfeit.

[chaboud]

I think their attack is to just own the hardware that's running this code. Job. Done.

Re:Job is forfeit.

[Dynedain]

People often forget the NSA has a 2nd role as equally important to their spying operations.

They are mandated to give guidance on securing the US Government and industry against threats - and they rightly encourage departments to use encryption to avoid eavesdropping.

It's their job to encourage domestic encryption, and to try to break foreign encryption.

Re:Job is forfeit.

[gweihir]

They can try to keep it out of mainstream consumer electronics, but there's too much "DIY" capability in the world to keep strong cryptography contained.

It reminds me of the early mp3.com days - the genie has long since left the bottle, doesn't matter if you saw it coming or not, it has happened. Now, you'll have to deal with it. Attempting to recapture the genie is a fool's errand.

Indeed. Just remember that initial PGP was a single person, and so was TOR. And with the current drive to turn everyone into a software developer in school, there is just no way to prevent people from doing it. Sure, many will get it wrong, but some will not. And as encryption software can in many case be made pretty simple, bugs in it will not save the day for the NSA in the long run. Of course, they can still use targeted access, but that is expensive and risky.

This person has just understood that there is nothing to be gained going in that direction, but a lot of rather huge risks to society. It is rare to see a pragmatist actually serving in such a position.

Re:Job is forfeit.

[MillionthMonkey]

You can't just "outlaw certain encryption types". People in the rest of the world won't be falling all over each other to outlaw encryption technology that the American government can't penetrate. Who the hell would want to do business with any American company if it meant they had to spread their ass cheeks wide open for the U.S. government?

And any "bad guys" could safely and easily encrypt their plaintext "illegally", and cloak it with a steganographic layer to fool any Feds who would bother to peek through whatever half-assed backdoor they might mandate on the rest of us.

Right now most politicians don't seem to realize that what they want will require a backdoor. Or if they do, they think it will be one that will magically open just for them. They're still in the stage where they think they can just legislate fundamental changes into number theory and computer science.

Re:Job is forfeit.

[MillionthMonkey]

Why would I be a fool to think that NSA can't break properly-done encryption? Just wondering.

Re:Job is forfeit.

[flopsquad]

Well if my (admittedly tongue-in-cheek) gambit idea is correct, then you'd not be a fool, but right on the money. They just want you to think you'd be a fool for thinking that. (So I can clearly not choose the wine in front of me!)

The NSA's motivations and meta-motivations aside, I suppose it boils down to a somewhat of a tautology--if they can't break properly done encryption, you're not a fool for believing they can't break properly done encryption.

I have no way of ascertaining whether the NSA has fundamentally compromised an encryption algorithm. Or, for that matter, whether they've slid in under the door and All Your Base'd the software that's supposed to be doing the encrypting. Which makes knowing with certainty that [the encrypting you just did] == [properly done encryption] an interesting challenge.

Re: Job is forfeit.

[bytesex]

Your standards are low. That wasn't an obscure reference! Right? I mean, slashdot hasn't come all this way for a simple xkcd reference to be obscure, right?!

Right?!

Re: Job is forfeit.

[mikael]

You can have encryption that is unbreakable for the masses, but can be cracked by brute-force by those with supercomputing systems with hundreds of thousands of CPU nodes.

Re:Job is forfeit.

[KGIII]

I am a bit of a cynic. The first thing that I thought of was that he probably had political aspirations beyond his current position, namely an elected position, and wanted to be on record as being adamantly against it. I really am that cynical, I guess... I still think the same thing. :(

Re: Job is forfeit.

[rickb928]

Criminals have the flexibility to use alternative communications channels, even human couriers.

We, on the other hand, pretty much get locked into banks, ATMs, and HTTPS.

Re:Job is forfeit.

[lsatenstein]

In countries where handguns are outlawed, rifles registered and licensed and any other semi/automatic weapon is prohibited, crimes are lower and deaths, from guns about 1/100 of the USA rage. That rage is 30,000 gun deaths per year, mostly children and a few ill.
And if a crime is committed with a gun, the sentence is doubled.

However, bank robberies are way down in number, thanks to plastic, so who is the criminal going to steal from? Is it the self-serve gasoline dispenser at the corner.
   

Re:Job is forfeit.

[JoeMerchant]

Perhaps guns and crypto are a bad analogy, but this is /., and if a car analogy isn't available, a bad one will have to make do.

If crypto is outlawed, not only is it easier to homebrew crypto than guns, but also less directly harmful. What those in power fear is that crypto allows conspiracy, which can ultimately be more destructive and harmful than a single man with a gun ever could be. Crypto allows better planning and coordination of surprise attacks. It comes down to a question of privacy and personal security vs law enforcement's ability to stop "pre-crime."

My feeling is that crypto should be protected for the same reason that the right to bear arms is protected under the constitution. Ironically, I don't "bear arms" and I believe the world would be a safer place if no-one but outlaws did, and the outlaws were actively pursued and stripped of their personal implements of instant judgement and execution. I think it's a matter of the world changing over the last 200 years, and I feel that in today's world the right to communicate privately across long distance (and time) is more important to protect against those who would abuse surveillance, run massive searches on private communications, and take action - even if that action is "legal investigation" against those who say things that might be interpreted as subversive. Too much is illegal and unenforced, selective enforcement is bad enough, but selective enforcement against people who may have expressed unpopular political views at some time in the past is worse.

Translation

[NotDrWho]

The NSA has backdoors.

Re:Translation

[sinij]

The NSA has backdoors.

Cloak and dagger backdoor is preferable to legislated backdoor. With NSA-style backdoors you could find and fix them and having them is not certainty. Also, totalitarian government won't have much success demanding NSA allow them to use these.

While I'd rather not have any backdoors, to choose between two evils I'd take my chances with NSA.

Re:Translation

[shawn2772]

The NSA has backdoors.

Some, I'm sure. But the NSA cannot count on always having back doors, and this argument wouldn't make sense from that perspective unless Rogers could be certain that it always will.

No, hard as it may be to believe, I think the real situation here is that the NSA director is not an idiot, and does actually care at least a little about the "secure US communications" part of the NSA's two-fold mission. He realizes that strong encryption is absolutely essential to the future, even though it creates some obstacles for the "break everyone else's communications" side of the NSA's mission.

Though I also have no doubt that the obstacles it creates aren't nearly as large as we'd all like them to be, because there will always be lots of vulnerabilities.

Re:Translation

[digitalPhant0m]

Exactly.

Be very weary of anyone in our Government who advocates any sort of "freedom" without any arm-twisting.

Re:translation

[slew]

"We've already cracked everything, any encrypted data is clear as water for us; let's not make a big fuss so people just stay with what they've been doing. Keep cool, people."

Or more probably...

If everyone continues to uses standard encryption w/o backdoors, we have a fixed target to attack and we are the best in the world at it.

If standard encryption has backdoors this might cause cryptographers to go rogue and encryption and splinter the eco-system. Then we will be up to our eyeballs in deep shit to keep up with the mess created putting out small fires everywhere.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.

  -Sun Tzu

Re:Translation

[NatasRevol]

They've already legally gotten around needing a warrant.

FISA/Patriot act/whatever. They're not going back now.

Which also means that they don't need to abide by the 4th amendment.

And it was, to paraphrase Star Wars, done to a standing ovation.

Re:Translation

[myowntrueself]

Hey you fucking idiot.

Enemies are different than citizens.

You clearly don't work for a government

Re:Translation

[JoeMerchant]

Whatever backdoors are present, they are irrelevant if the payload being transferred is itself strong encrypted.

Re:translation

[JoeMerchant]

Symmetric key encryption is basically unbreakable. It has the challenge of sharing the key by secure channel, but once that is done, there are any number of "quasi random" sequences that perfectly mask any signal. If you happen to be able to guess where in the 2^19997 sequence the key says to start, then: kudos, you've cracked it. Thing is, just guessing on short messages can lead to false positive decryptions - you think the message said "this" but in reality it said "that", you just randomly happened upon a key that decoded the source to "this".

The only way to break a strong symmetric key (strong: something that can be implemented with an 1980s 8 bit micro encrypting >10KBps) is to get the key, if the communicating parties have adequately protected their key, you're screwed.

Re:Translation

*dissenting citizens are the enemy* the uneducated masses are okay.

Re: Translation

[rickb928]

Time to vote differently.

Re:Translation

[gtall]

Stop watching TV, it is bad for you.

Re:Translation

See as a tax paying American citizen I say they can, to paraphrase Star Wars, pass a law to a standing ovation that blatantly violates key elements of previously written law (while being silent as if it does not), but that doesn't mean its 'legal'.

In fact, regardless of what the un-elected justices have to say about the matter, as a citizen as far as I'm concerned the FISA/Patriot act/whatevers are themselves illegal.

And they DO need to abide by the 4th amendment.

And if they DONT want to abide by the 4th amendment then they'd better hurry up and collect all the guns because the fact that the 2nd amendment comes before the 4th amendment and after the 1st amendment seems to be no coincidence to me.

Amendments 1 through 5 are very clear:

1) I can say what I want
2) I can exercise self defense
3) keep your soldiers out of my life
4) keep your spies out of my life
5) keep your lawyers out of my life

Given the historical context they can be summed up as:
"Get off my lawn, government"

So if tyrants wish to violate previously written law, even if they do it unanimously in fashion of standing ovation, it is still illegal. It goes against the nature of the foundations of this nation and its basic laws. It goes against the very context and reasoning of why the constitution was written and why it was written the way it is.

Also since I'm at it, our president may be an expert on the constitution, but I do not think he is using that expert knowledge to enforce it. I think he is using that expert knowledge to subvert it. That is the fallacy behind 'I'm a constitutional professor' or whatever he has claimed and his crones have peddled.

Re:Translation

[NatasRevol]

I agree. But that doesn't mean they haven't changed the laws over the last 30 or so years. And enforced them at gunpoint.

And the supreme court has agreed with it, for the most part.

So what else is there to do?

Re:Translation

[Tharkkun]

See as a tax paying American citizen I say they can, to paraphrase Star Wars, pass a law to a standing ovation that blatantly violates key elements of previously written law (while being silent as if it does not), but that doesn't mean its 'legal'.

In fact, regardless of what the un-elected justices have to say about the matter, as a citizen as far as I'm concerned the FISA/Patriot act/whatevers are themselves illegal.

And they DO need to abide by the 4th amendment.

And if they DONT want to abide by the 4th amendment then they'd better hurry up and collect all the guns because the fact that the 2nd amendment comes before the 4th amendment and after the 1st amendment seems to be no coincidence to me.

Amendments 1 through 5 are very clear:

1) I can say what I want 2) I can exercise self defense 3) keep your soldiers out of my life 4) keep your spies out of my life 5) keep your lawyers out of my life

Given the historical context they can be summed up as: "Get off my lawn, government"

So if tyrants wish to violate previously written law, even if they do it unanimously in fashion of standing ovation, it is still illegal. It goes against the nature of the foundations of this nation and its basic laws. It goes against the very context and reasoning of why the constitution was written and why it was written the way it is.

Also since I'm at it, our president may be an expert on the constitution, but I do not think he is using that expert knowledge to enforce it. I think he is using that expert knowledge to subvert it. That is the fallacy behind 'I'm a constitutional professor' or whatever he has claimed and his crones have peddled.

The 1st amendment only says the government can't write laws to stop you saying what you want. It doesn't mean you can say whatever you want. Speaking or inciting violence/terrorist actions through your words violates the amendment.

Re:translation

[Just+Some+Guy]

Suppose I exchange a one-time pad with a friend, and we both use it correctly. That is strong encryption, and it's not crackable by anyone without the computing horsepower to simulate the universe in which I created it. Mr. Rogers didn't say "we want what-you-think-is-strong encryption for everyone, just not the real stuff". He advocated actual strong encryption for everybody.

Re:Translation

[NatasRevol]

And just how do you propose to :

Repeal laws that are illegal.

While not being able to vote out the incumbent *system* of $ for votes.
While the supreme court basically agrees with how things are being governed.

Re:Translation

[tsqr]

"the United States Constitution prohibits unreasonable searches and seizures"

Yes, it does. Unreasonable searches and seizures are those executed either without a warrant, without consent, or without a combination of probable cause and exigent circumstances. Furthermore, "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

So no, the founders didn't accidentally put that clause in there. They also didn't put it in there for the purpose you seem to be proposing.

Re:translation

[MillionthMonkey]

I'm trying to decide what the Feds think they're going to do.

• Legislate backdoored encryption and hope people worldwide won't mind Americans being able to see their dick pics
• Mandate into law that all large pseudoprimes must be easy factorizable
• Make it illegal to send an encrypted message with no primary key included as an attachment
• Allocate billions of dollars to a "Manhattan Project" until it proves P=NP

This seems asinine. "Hello Bob? This is Alice. If you're at FBI headquarters could you please turn off the speakerphone?"

Re:Translation

[NatasRevol]

LOL.

As if the Supreme Court, by their very nature, can't clarify what the amendments do and do not mean.

As if the legislative body, by their vary nature, can't make addendums or qualifiers into law.

And they have. Often.

So basically,

[gcnaddict]

It doesn't matter if you use any variety of encrypted messaging products (imessage, cyph, silent phone, signal, etc.), we've got a backdoor for it already.

The only challenge is in justifying using it after the fact.

Re:So basically,

[kellymcdonald78]

It's called parallel construction

translation

[Noah+Haders]

"We've already cracked everything, any encrypted data is clear as water for us; let's not make a big fuss so people just stay with what they've been doing. Keep cool, people."

Dose of common sense.

[jellomizer]

The fact that software can be made (and made well) by amateurs. So such regulations saying that software shouldn't have encryption means outside sources will still make it. This will only put the big companies into a disadvantage as they wouldn't be able to make secure solutions to their system.

Re:Dose of common sense.

[Jason+Levine]

We"re also living in a global market. Let's say the US banned strong encryption tomorrow. What's to stop someone in another country from posting the source code to a strong encryption scheme? How would you prevent people from downloading and using this? You'd need to implement a "Great US Firewall" and filter all encryption-related sites. Even if you were able to do this, all you'd wind up doing is making US businesses less secure than foreign businesses. More US business hackings would leave the (valid) impression that you should trust foreign companies over US-based ones and the economy would suffer.

Encryption opponents like to pretend like they can just have Congress pass a law and all that pesky encryption will vanish with no consequences. In reality, banning encryption would create a horrible mess for businesses and consumers.

Re:Dose of common sense.

Gone are the days of 48 bit export encryption, here are the days of 48 bit domestic encryption.

Re:Dose of common sense.

[Tharkkun]

We"re also living in a global market. Let's say the US banned strong encryption tomorrow. What's to stop someone in another country from posting the source code to a strong encryption scheme? How would you prevent people from downloading and using this? You'd need to implement a "Great US Firewall" and filter all encryption-related sites. Even if you were able to do this, all you'd wind up doing is making US businesses less secure than foreign businesses. More US business hackings would leave the (valid) impression that you should trust foreign companies over US-based ones and the economy would suffer.

Encryption opponents like to pretend like they can just have Congress pass a law and all that pesky encryption will vanish with no consequences. In reality, banning encryption would create a horrible mess for businesses and consumers.

What's stopping a smart person from growing up and writing their own cryptography method as well? All it takes is 1 person. They don't need to leverage current encryption at all. That's why the whole thing is pointless. They need to embrace the different encryption protocols and devise a way to crack them. Or understand there will be things they can't crack.

Re:Dose of common sense.

[Just+Some+Guy]

We"re also living in a global market. Let's say the US banned strong encryption tomorrow.

Stop at that point and rephrase those together as "let's say the US only allows export of hardware that the US government can snoop on". Forget everything else, because our economy would be dead as every other nation would universal ban the import of our products.

When a person in power says they want to ban strong encryption, reply by asking why they're working to destroy our economy.

Re:Dose of common sense.

[blueg3]

Let's say the US banned strong encryption tomorrow. What's to stop someone in another country from posting the source code to a strong encryption scheme?

Maybe he realizes that this is part of how we got rid of "export grade" encryption in the US. Everyone was just writing software in a foreign country and people were importing it. Once you have the Internet, you can't realistically regulate software imports. Not if you're the US and the software is free. So export-grade encryption became simply a penalty for US businesses with little practical effect. At that point, you might as well accept it and change the laws to get rid of the business penalty.

Refreshing

It's refreshing to hear someone address this issue with a little sanity. However, I still don't trust any three letter agency.

Re:Refreshing

[sumdumass]

I was thinking the same thing. But i also wonder if somebody spiked his coffee too. It's odd to see an agency head put sanity and logic above political will in such a public and clear way.

Re: Refreshing

I tend to think that breaking encrypted messages is a decent part of what the NSA is budgeted to do. Legislate it away and they lose funding. Although, it is nice when pragmatic views arise, regardless of their motivations.

Re:Refreshing

[The-Ixian]

Would you trust them if they all when to 4 letters or 2 letters and a number or 1 letter and 2 numbers?

Re:Refreshing

[JazzLad]

I trust NASA, so maybe :)

Re:Refreshing

[SvnLyrBrto]

Well, they may be a bunch of evil bastards. But the NSA and the NRO are the three-letter-agencies that are most likely to be technologically clueful. So, as much as I bet they wish that a mandated backdoor for the government were a feasible option; they are also the ones most equipped to know how profoundly stupid a suggestion that is.

Re:Refreshing

[rtb61]

Straight up doing a Hollywood reboot. Reputation is crap, they are trusted by no one in the rest of the world, they really have soiled themselves and as such working with others has become very difficult. So they are forced to at least publicly attempt to rebuild their image, of course based upon the lies, years and years worth of lives, that rebuilding of reputation is going to be extraordinarily difficult. To enable working with others again, specifically in defensive roles, likely they will have to be stripped of those defensive roles and those roles passed onto another agency, mix of FBI and FCC. The shrunken NSA in offensive roles, only, as suits their lack of character, can go back to hiding behind No Such Agency, in far smaller premises and the FBI and FCC can over the existing structure.

Reverse psychology

[Nidi62]

I see what he did there. Because so many people are speaking out against everything the NSA is doing, he's trying to trick us. He knows if he comes out and says encryption is good, everyone else will shout back "no, we don't need encryption!". This will then allow the NSA to say "Ok, we will listen to you, no encryption for anyone!".

He's a genius, he's pulling the classic Bugs Bunny/Daffy Duck Hunting Season trick on us.

Re:Reverse psychology

[cayenne8]

He's a genius, he's pulling the classic Bugs Bunny/Daffy Duck Hunting Season trick on us.

DUCK Season!!!

Re:Reverse psychology

[i.r.id10t]

That or he is planning for future budgets.

"Yah, we'd really like to be able to intercept and listen in on $GROUP but they are using strong encryption so we're gonna need a few hundred million for $PROJECT so we can have a chance at listening"

Re:Reverse psychology

[FlyHelicopters]

DUCK Season!!!

WABBIT Season!!!

Re:Reverse psychology

[Torodung]

DUCK Season!!!

WABBIT Season!!!

Elmer season?

Re:Reverse psychology

[wonkey_monkey]

DUCK Season!!!

WABBIT Season!!!

Wabbit season...

Re: Reverse psychology

[i.r.id10t]

But do the congress critters in charge of allocating funds know this?

Re:Please ignore what they say.

[fustakrakich]

Liar's paradox

SA Chief: Arguing Against...

[sdinfoserv]

...civil liberties, freedom, the 4th Amendment, and the 5th Amendment is a waste of time.

"We have some challenging times ahead of us"

Bullshit. Crime rates have never been lower. The chance of being injured or killed by terrorism is vanishingly small and comparable to a lightning strike. The advantages of secure communication far outweigh any potential aid it gives to criminals. The only challenge here: a government organisation trying desperately to preserve itself and its budget in the face of increasing scruitny and irrelevance.

Re:"We have some challenging times ahead of us"

[110010001000]

Well "we" means the NSA in his statement. So you are right.

Re:"We have some challenging times ahead of us"

[chipschap]

The chance of being injured or killed by terrorism is vanishingly small

I won't argue the stats, but if so, ask yourself why this is the case.

Re:"We have some challenging times ahead of us"

[bigfinger76]

Maybe because terrorists represent a vanishingly small percentage of the overall population. In other words, they're not everywhere and out to get you. Tiger-repellant rocks, anyone?

Re:Please ignore what they say.

[gurps_npc]

So true. Guy stands up and says something we agree with and we all yell at him "He must be UP TO SOMETHING!"

People need to shut up and say thank you when you win - even if it's just a small battle of your opponent saying "It's not worth arguing against them"

sounds like a research project

[known_coward_69]

encrypt stuff with every possible key, look for some kind of common signature or order in the data and make an algorithm to break it using the possible keys

Re:sounds like a research project

[Torodung]

Heil bloody Hitler, in fact.

Satan skating to work...

[Lord_Rion]

Someone in the Government who has a clue... AND is speaking out.

I think I may faint.

A waste of time?

[fustakrakich]

Not if I'm being paid to make the argument, it isn't. Probably the best argument against encryption is that against the NSA/CIA it is snake oil, like defending yourself from a nuclear bomb with a .22

Re:A waste of time?

[Opportunist]

Typical argument from someone who doesn't understand what encryption is about and how it works. It's the same shit as "Oh, against a determined hacker you cannot fortify your system". Yes you can. But I digress.

The mathematics behind cryptography tell us that, provided there are no side channels, unknown flaws in the algorithm or implementation errors, these keys are for the foreseeable future unbreakable. With perfect forward secrecy we even have the ability to ensure that even if they manage to break one communication key, no other communications are compromised. Even with all the computing power currently available on the planet breaking such an encryption would take thousands of years, and with a little more complexity we're at the level of "longer than the universe probably is going to exist".

All this of course as long as the algorithm is solid and implementations are flawless. We have noticed that the latter is often not true, and even the former has been shown to not be the case all the time. Yes, it is possible that some TLAs do have certain information about such flaws. But as far as we know the current encryption systems are solid and safe.

Re:Cisco never gets criticized

[110010001000]

It is possible. But there is no need to do all that. Google, Microsoft, Apple, etc all HAPPILY handed over access to their databases. Emails, messages, sites visited, profiles, etc. It is too much trouble to mass tap traffic. Just go to the endpoint datastores and search through those. You cannot mass monitor all the traffic on the Internet. You can selectively monitor a subset of it, and ALL the endpoint datastores. People should be mad that Apple, Google, etc are happy to hand over all the data they collected on you. But those companies are making more and more money every quarter so obviously people don't care.

Common sense from a surprising direction

[kheldan]

Someone like that is the last person I'd expect to bust out with a public statement like that, but at least on the surface it makes me feel a little better that not everyone in the government is as dumb as a doorknob.

Re:Common sense from a surprising direction

[JustNiz]

Yeah I feel the same way.
I'd love to believe this guy just gets it, but It does very much make me wonder if something like they've just figured out how to get their quantum computer to do general case decryption has just happened though.
At least he seems to be bonking the obviously clueless lawmakers over the head for whatever reason, so I'd say its a net win.

Re:Common sense from a surprising direction

[kheldan]

but It does very much make me wonder if something like they've just figured out how to get their quantum computer to do general case decryption

See, that's not as bad as braindead politicians ruining or banning encrytion, because at least it's a more level playing field, then; the Bad Guys' encryption would be just as vulnerable as any other encryption is, and it would still likely take some time to crack the encryption in any case, so they'd be less likely to be decrypting everything, as opposed to encryption being about as effective as taking the deadbolt off the front door of your house and using a strip of duct tape instead, which is what a 'backdoored' encryption method would be like.

Re:Common sense from a surprising direction

[JustNiz]

Very much agreed.
It just occurred to me that this is actually pretty analogous to the braindead "lets ban people from owning guns" idea.
Both incorrectly presume that for some magical unexplained reason, bad guys will somehow suddenly choose to give up using the "bad thing", except in reality all thats happening is you're now stopping only already law-abiding people from defending themselves so the playing field gets even more unbalanced.

Goes both ways

[watermark]

For the people advocating for backdoors/key-escrow/etc, I always wondered what they would say about their own communications. Would they themselves be willing to escrow the keys to their own communications? All of them, including top secret ones? If not, then why?

Re:Goes both ways

[Opportunist]

But of course they would!

At least as long as they're the ones doing the escrow.

Re:Goes both ways

[PPH]

I don't know about key escrow. But when it comes to back doors, those same people sure do seem to get their panties in a bunch when they find one in their own stuff.

Reasonable encryption balance, for e-mail?

[Midnight+Thunder]

Given e-mail is for the most part sent in the clear, thus equivalent to a postcard, what amount of encryption would make it letter post equivalent (indicating privacy, rather than sensitivity)? Does 256-bit sound reasonable (thinking low effort of encryption/decryption, but easily openable by an agency, using resources they already have using a court order, if it came to it)?

Re:Reasonable encryption balance, for e-mail?

[godrik]

The problem with encrypting emails is "who performs the encryption/decryption?" If the gmail server performs the crypto, then it is pretty much useless. If the client performs the encryption/decryption, then you get two problems: key management, and loss of service. If the server does not have the full text, then you can not use server side server, indexing, .... which have become standard tools.

What happened?

[Opportunist]

Didn't we just yesterday have someone from some TLA ranting and raving about how we must accept not having encryption anymore? What happened? Found a critical flaw in all encryption schemes in the past 24 hours?

Re:No challenging time at all

[FlyHelicopters]

We are continually moving towards more and more peaceful times. We are coming to the end, though it may still take 100s or 1000s of years, of the primitive aggressive parts of our brains running our society. We are still a primitive, young society, but we are so much better than any generation in the past.

Many young people have said this MANY times over the years, they have all been wrong.

But don't worry, I'm sure it must be right THIS time.

Human nature hasn't really changed, we still use violence to resolve our disputes.

Re:Please ignore what they say.

[93+Escort+Wagon]

Norman, correlate.

Flawed premise...

[mark-t]

Encryption is bad only if you presume that either the only, or at least the far most likely reason anyone might want something to be hidden from others is because they are doing or have done something wrong.

Except that this is *FAR* from true. Insisting that people shouldn't try and hide things from people who might claim to mean well is equivalent suggesting that people really shouldn't have privacy at all, and it is nothing less than absurd to suggest that nobody should have any rights to any privacy, ever, unless you do things like outlaw clothing (which may hide a person's body from public view), for example. With a flawed premise, the entire argument for suggesting that strong encryption should be outlawed falls apart.

Re:Please ignore what they say.

[clonehappy]

Thank you! I get this all the time from people. No matter what someone says, they get the classic ad hominem attack thrown at them. Do I like the NSA? Not particularly, after everything I've seen. Do I believe anything the government has to say about most topics? Generally, no. But this man is correct, and his message is correct: "Arguing against encryption is a waste of time."

We can wax intellectual all day long about whether we think he has ulterior motives for coming out with that message, or whether the organizations he's associated with can ultimately be trusted, but the message is correct and we need to champion it. So others can see it, read it, hear it, reference it; get the message out there to the non-believers. In the end, whether they have broken all known forms of encryption or not, arguing against it is indeed a waste of time.

Blindly disagreeing with someone because they're "the NSA" means, in this case, that you have to make the argument that "Arguing against encryption is a worthwhile endeavor", and that's just stupid.

NSA key breaking

[MooseTick]

I doubt there are any backdoors in RSA keys, but most https traffic uses 256-bit symmetric keys. Let's say the NSA or whoever has a bank of computers that can crack that key in a day. With today's CPUs, you could encrypt your traffic with 10,000 keys relatively quickly. Then they would have to decrypt each one at a time. Of course, exchanging those keys may be complicated. Maybe to accomplish that you need a 4096-bit key.

The biggest problem with this theory is if they can crack a key, how long does it take? 0.001 second, 1 second, 1 day, 1 year, etc? A 10,000 key deep encryption would be fine if it takes a day to break but obviously not if the process can be completed in 2 seconds.

I've really thought about starting a service that writes OTPs to a 2TB drive, sends them to customers, and they use that to connect back to offshore servers that act as a proxy for them. Then, unless someone tampered with the drives intransit all communications would be secure.

He also Made that Point on Cyber Hygiene

[Koreantoast]

Admiral Rogers also made that point too - that 80% of the government's cybersecurity problems would be solved if he could get military personnel to treat "cyber hygiene" the same way that they manage rifles, artillery and other kinetic weapons.

Link to Full Webcast and Q&A Session

[Koreantoast]

For those interested, here is a link to the video for the full presentation which was made at the Atlantic Council on Thursday.

Be...cause...

[Greyfox]

Is it because privacy and security are only threats to tyrants? The fact that even raising the issue isn't political suicide for any politician or civil servant who dares suggest it is, frankly, embarrassing.

Re:Please ignore what they say.

[fustakrakich]

The reputation precedes them. It's simply impossible to tell when they are lying. So the safest bet is to assume the worst.

Re:Please ignore what they say.

[gurps_npc]

If you are so foolish as to assume they are always lying, then they start telling the truth to manipulate into believing lies.

The safest bet would be to ignore everything they said completely. But you don't want to play safe, you want to complain.

Back doors to themselves

[seoras]

Taking into context a certain presidential candidate's use of private email server to do government work which will not be an exceptional case but a common past and future problem for national security does the government want a back door to itself?
Since the root problem here is human individuals, bad guys, good guys, public, etc how to you prevent your own gun being turned on you.
I suspect that's part of the issue from Rogers stand point.

Of course he may not have got the memo about "2+2=5" and the other one reminding him that "The heresy of heresies is common sense"
He could just be looking for a good Retirement Package in time for the Ski season.

Re:No challenging time at all

[Shompol]

We are coming to the end, though it may still take 100s or 1000s of years, of the primitive aggressive parts of our brains running our society.

Aggressive parts are there to give you a chance at natural selection. It cannot be abolished. Just because we stopped spearing people we don't like does not mean we stopped reaping benefits of sometimes being aggressive.