Non-US Encryption Is 'Theoretical', Claims CIA Chief In Backdoor Debate (theregister.co.uk)
Iain Thomson, writing for The Register: CIA director John Brennan told U.S. senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use U.S.-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical." Thus, the choice is American-built-and-backdoored or nothing, apparently. The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data. Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.
LOL, how quaint. As if a company belongs to a particular nation state. Freemasons 2016, huyah!
Sir Bush, president and knighted...
Well of course he's going to say this nonsense, no surprise there. What is surprising is hearing about it from a British newspaper without a bleep in U.S. news. I imagine Apple, Microsoft, Google and the likes will have a response soon.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
This halfwit is the best that the US can come up with to head their "intelligence" apparatus?
Glad to see that this fellow has figured out how to create new technology jobs in foreign countries. I didn't realize that was his job, but kudos nevertheless.
"No sane man will dance." -- Marcus Tullius Cicero
are you shitting me with this
Those who can, do. Those who cannot, subvert free speech.
This guy is smoking some premium shit.
He realizes that many of the Nordic area countries in Europe have some really talented crypto people, and that it would take all of about 2-3 years for some seriously competing cryptographic solutions to hit the commercial space, right?
What will his precious 3-letter agency do when everyone stops sitting on inertia, and is compelled to create cryptography outside their control, while all the people in the US are forced to use the shitty crap he insists on-- you know, where the rest of the world can actually keep secrets secret, but his own country now can't, and foreign governments the world over just backdoor the shit out of everything, resulting in a powerful asymmetry in effective intelligence gathering?
What a fucking douche.
He's using FUD. Simple trick to get people to change up something you can't break. Trying to convince them that their stuff is being read by the US. And if they change up their techniques, maybe the US intelligence apparatus gets lucky and then *can* actually read their stuff.
I suspect professionals will understand this and roll their eyes, continuing on as before.
>> (for crypto) there's no one else for people to turn to (mofos)
Well, it's a good thing that all mathematicians have always been and will always be American then.
Under 18 U.S.C. § 1001, lying to Congress is an offense punishable by up to five years in prison (or eight if the lie is terrorism-related). The correct "response" to John Brennan's blatant, politically motivated, criminal lie is to indict him, convict him, and send him to Federal prison where totalitarian freedom-hating enemies of the American public like him belong.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Someone might wish to bring his attention to Bouncy Castle...
https://www.bouncycastle.org/latest_releases.html
Non US Encryption, so yeah, there's that.
The issue isn't whether the rest of the world would use it. The question is how long until the backdoor is hacked. Knowing it's there will make it a prime target. Is the US government willing to back up its confidence with a guarantee to reimburse all losses for everyone using this technology? Only then could the claim that it wouldn't "cause any commercial problems" be at all plausible.
I guess he not only tore down that wall on command, he must also have executed all of the USSR's cryptologists. And their children. And blinded all the babies so they couldn't learn anything about cryptography.
Nice work, Brennan. I can only hope your attempt to hoodwink congressmen into believing your crap didn't work.
Would be only a slight generalization of his view point.
A lot of people think this is how Americans think about the rest of the world.
We've heard it's out there, but it doesn't matter very much, as long as they have a McDonalds, a 7-11, and a Starbucks.
Where are we going and why are we in a handbasket?
Hold up there a minute, Mr SpyMaster. I think GnuPG (open-source implementation of PGP) is German. Or at least: " g10code GmbH, the legal entity employing some of the GnuPG hackers" is German.
My company has been using GnuPG for ten years.
See https://gnupg.org/ .
Never attribute to malice that which can be explained by mere idiocy.
I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.
I readily admit this is not an uncommon reaction of mine when I read of the things presented by elected and appointed officials. The US government is a madhouse.
I've fallen off your lawn, and I can't get up.
Jonny, listen. There is a thing called "compiler". That's a program that lets anyone around the globe take source code, that is like some sort of text that anyone who knows how to program can read (trust me on that one, anyone who can program can read this stuff. Just because you can't doesn't mean nobody else can, there is intelligence outside of your agency on the planet, ya know? Some of it even in people). That source code can also be changed by people who can read it. And then they put that source code into a compiler.
What this means for your backdoor is that even if there was only 'murrican code (which there isn't, but let's play pretend as you usually do) is that your backdoor gets ripped out of that code, tossed onto the pile of junk code where it belongs and you're standing outside the door.
You AND your industry.
Because if I can easily create a non-broken version of your code, why the hell should I use yours which is inferior?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
if the Government spooks & goons can peek at your stuff then the criminals that are good at cybercrime will find a way to crack the key to the Government's backdoor
Politics is Treachery, Religion is Brainwashing
The biggest threat to US security is US security.
He shouldn't have said it was just theoretical. After all, how does he know for certain that it doesn't already exist and the US hasn't detected it?
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I have a feeling non-US encryption will not be theoretical for long with that attitude.
Software should contain the following warning, taking 50% of the package/screen:
"WARNING: This software uses intentionally weak encryption. Your data will be vulnerable to brute force attack. You are encouraged NOT to store any critical data using this product, such as SSNs, personal data, HIPAA data, etc. You are encouraged to purchase identity theft protection insurance, as you WILL be vulnerable. Identity theft insurance also uses intentionally vulnerable encryption, you are encouraged to store your personal documents in a sock drawer, along with your cash."
Like the "theoretical" encryption Rijndael...?
If it's known there is a backdoor people WILL find it. And the arrogance that only American companies can create encryption libraries is dumbfounding. We have China's Red Flag edition of Linux, North Korea apparently has "Red Star" and I suspect Russia has their own version of Linux as well. It may be a crime to use non-US encryption, but it will be there and used if people fear for their privacy. We recently had an event in France where the CIA tried to claim encryption was used to coordinate their operation, and it turns out...it had nothing to do with coordination. The best people will use methods with less technology dependencies. This will only make it easier for people (terrorists or "partner" like China) to go through their backdoors to access data. We seem to use "terrorism" as an excuse for everything the same way we used "communism" in the McCarthy days. The end doesn't justify the means.
"Imagination is more important than knowledge" - Einstein
I took a trip to Europe last week. I tried using GPG but it told me that it won't encrypt anything because I'm not in the USA. Then I tried VeraCrypt but it made my hard drive fizzle out.
I would like to apologize on behalf of the American people. Director Brennan clearly has no knowledge on the subject which he is speaking about and was advised poorly by his staff.
The name of the algorithm behind AES is Rijndael -- a combination of the names of the Belgian cryptographers who developed it.
His utterings are in the running for either biggest lie of the year, or most ignorant.
Learning HOW to think is more important than learning WHAT to think.
To find every cent at Bank Of America is gone.
For the longest time, US encryption was held back by being classified as "munitions".
Businesses were held back from using encryption for the same reason - so, SSL was implemented overseas and NOT in the US. Made a rather large hit.
The US encryption standard (AES) was designed by the Dutch researchers.
the various agencies of the US Government tend to lie ( even to Congress ), I'm somewhat puzzled about why they even bother to ask questions of them anymore.
Perhaps Congress should forgo asking questions of the professional liars ( any intelligence agency ) and ask the tech world instead. I'm quite sure the likes of Cisco, Juniper, Apple, Google and many others ( assuming they're not secretly on the Governments payroll ) would have a much different perspective on the issue at hand.
Might as well kill off what remains of made in US electronics, cuz security!
For example, AES is a Belgian design. The US has long since lost leadership in this. That is if they ever had it.
Incidentally, when did US TLAs catch any terrorists "coordinating via encryption" the last time? Oh, right, NEVER.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
As other posters have said, his words are those of an idiot.
Any possibility that he is actually saying that known crypto algorithms have been broken by the US? I doubt it, but it is interesting to ponder.
like most Americans. They all believe that they "made all the things", and conveniently ignore that _everything_ builds upon existing innovation, and that almost _everything_ made in the U.S involves highly skilled European and Asian first-generation immigrants, and technology and research coming from all corners of the world.
It sounds like they have a lot of the CENTRAL and AGENCY, but not INTELLIGENCE.
Given that nearly every major tech company has large presence in multiple foreign countries, then they move their headquarters outside the US. For instance, I know for a fact that MS has contingency plans to move headquarters 60 miles up the road to Vancouver BC for some situations and given their presence in India, that likely wouldn't be much of a challenge either. I'm sure that most other big players are similar. They simply leave to avoid the law. Yay, great for America right?
This guy should write a book on how to drive away the American tech industry and promote off-shoring of jobs.
Just because most encryption is developed by US companies, doesn't mean it'll always stay that way. Something like this just makes Offshore and Foreign vendors become more attractive. Why would anyone buy a software security package that is known to be compromised or have back doors? Even if it's meant only for the "good guys" to get through, something like that is just a ticking timebomb, eventually it'll get into the hands of someone who shouldn't have it, then at that point, you may as well have no encryption at all.
Who's to say that some other country will do any better? I agree it is a poor move and will likely just end up being abused more against US citizens than espionage. However, it's not like the US is the only surveillance-happy country out there. The UK and China are as bad, if not worse. At least the US is being relatively transparent about their intentions. I doubt you would get much notification if China mandated that all its companies installed backdoors in their products.
It would be "aiding or giving comfort to the enemies of the United States" – by encouraging them to take over for the US companies that this type of legislation would kill.
You or I would go to Federal Prison for that.
Who actually invented public key encryption first, oh yeah a British fella working for GCHQ one evening in his head cos he couldn't write it down
Eat your vegetables to be stronger and defeat terrorism. Give us your privacy so we can defeat terrorism. Give us your tax money to combat terrorism. Re-elect this/that president to keep combating terrorism. Watch cat videos to be cute enough to combat terrorism.
It is funny how the "terrorism" excuse is used by the gov all the time except for giving us the freedom to own guns. Why not "own more guns and we will even make them cheaper so you can help us defend this country from terrorism"?
And how long does it theoretically take for some non US entity to grab some existing OSS code out there today, fork it and package it un-crippled?
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Fire his ass. Preferably, out of a very large cannon, pointed straight at the Moon.
I am seriously hoping that the spy masters force American encryption to have a mandated backdoor!
In other news I will be starting a Canadian company to create encryption products! Thank you dear spymasters for relinquishing your monopolistic hold on encryption, I look forward to competing with other countries in this growing market!
Statements like the ones that Brennan has made make him look extremely short sighted, which should terrify the White House. Even if he is spot on that any other option is "theoretical", how can he be so naive to believe that there aren't at least 40 other countries with the skills and abilities to go from theoretical to operational in under 4 months (which is the length of a business quarter and seems to be about as far ahead as any politician or business person can think)?
On a serious note, do Americans not realize how quickly their elected representatives are making them irrelevant in the current age? They may have helped birth the internet but trying to stuff everything back in Pandora's box does nothing but make Americans in general look foolish.
The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.
This is a lie, an outright lie, and I hope he was under oath when testifying before Congress. Absolute, outright lie! Liar, liar, pants on fire. Everyone email their representative and let them know the director outright lied to their face and cite the CEO of Cisco.
This will hurt American Tech in China. To interoperate, China will steal all corporate America's IP and integrate it into their products.
Dr. Mr. Director of CIA, your reality distortion field is NOT WORKING! I am still in disbelief. This is how you kill American products in emerging markets and hurt growth. What an absolute lie!
Encryption Routines created by people who are not American
- AES (Rijndael)
- IDEA
- Serpent
Hashing Routines created by people who are not American
- SHA-3 (Keccak)
So the Current Encryption Standard and Future Hashing Standards in the US were created by non-Americans, but hey, "non-American solutions are simply 'theoretical.'"
You have to be not actually dumb to get high up in government. But you do have to have a certain capacity to believe in the institutional lies, or at least repeat them as if you mean them. They still institutionally believe in a rather simplistic device to the point that gaming the thing is a criminal offence, for example.
More to the point, this here is politics in action. He is furthering an agenda in front of an audience that made this agenda-pushing their day-and-night jobs, but who do not necessarily have any clue whatsoever about what goes on under the veneer of the nice words from the very respectable chief of this here government outfit reporting to congress. So he's basically daydreaming his "truth" into existence. If he can get it enacted in law, he has won.
* Quiz: What other organisation institutionally believes in an unproven, even outright silly, bullshit device based on similar principles?
https://en.wikipedia.org/wiki/Motives_for_spying
https://en.wikipedia.org/wiki/Edward_Snowden
https://en.wikipedia.org/wiki/Treason
http://www.merriam-webster.com/dictionary/subterfuge
http://www.wisegeek.org/what-are-the-penalties-for-treason.htm
https://en.wikipedia.org/wiki/False_flag
https://kat.cr/tails-1-4-1-i386-iso-multilang-tntvillage-t10922671.html
http://lsuzvpko6w6hzpnn.onion/tails-1-4-1-i386-iso-multilang-tntvillage-t10922671.html
Ask the CIA why Microsoft spies and Google spies and Facebook spies. Expect him to say he has no idea.
God is watching you John. Life is too short to go to Hell for your Jesuit masters.
Another article has more of the exchange:
Let's allow the assumption that American companies currently dominate the encryption field. We'll say that's true. How long would that dominance last if foreign companies used strong encryption and American companies used hobbled encryption left vulnerable to the American government and hackers? Thank goodness for Warner and Wyden for pointing out how idiotic Brennan's assertion was.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The AES encryption algorithm is Rijndael, which is Belgian
The runner-up for the contest for becoming the AES standard was Serpent, which was a British/Danish/Israeli collaboration.
Third place went to the Twofish algorithm, designed by Bruce Schneier, a US citizen who happens to be a vocal opponent of backdoors.
The "main" encryption du jour happens to be from outside the USA. The best alternative is also from outside the USA. Of course, the nationality of the creators doesn't matter - the USA is able to make modified implementations that include backdoors, but the original non-backdoored versions are already out there for everyone to use instead.
Oh dear god, really? This is why we are ineffective. The men in charge are idiots, morons and buffoons.
Do not look at laser with remaining good eye.
I can not believe he is head of an agency with the word "Intelligence" in it.
ALL encryption is theoretical. I wonder why they would want to blow that cover.
“He’s not deformed, he’s just drunk!”
"Intelligence" in CIA is purely theoretical.
Damn, I did not know that Americans were that stupid!
the various agencies of the US Government tend to lie ( even to Congress ), I'm somewhat puzzled about why they even bother to ask questions of them anymore.
Perhaps Congress should forgo asking questions of the professional liars ( any intelligence agency ) and ask the tech world instead. I'm quite sure the likes of Cisco, Juniper, Apple, Google and many others ( assuming they're not secretly on the Governments payroll ) would have a much different perspective on the issue at hand.
Companies aren't on the payroll of the government, it's the other way around.
My beliefs do not require that you agree with them.
If CIA director John Brennan is a double agent for the Russians or Chinese, this is exactly what they would want to have happen. I'm sure Feinstein will back it 100%. Perhaps she's an agent for them as well. It fits.
I'm sure Werner Koch could get a giggle out of such a statement.
Some months ago Bruce Schneier on his blog S.O.S. made a call for a survey of global (read: non-US) encryption tools. The exercise smelled fishy at the time. I suspect this is all a choreographed psy-op and this was just the next step that the insiders knew was going to happen months ago. Because it is that stupid and retarded.
In other news, the US invented everything and won WW2 single-handed.
that sounds interesting. In general it feels like the end-game is fundamentally reshaping the vision that people have that they are free to just go and invent anything they want without asking permission first. The totalitarians are rationally afraid that even beyond inventors with non-conforming intent, there are probably children and less intelligent people that could often invent something that a non-conformist might use against the conformists somehow. If we had a new government office, like the patent office, that inventors were required to screen their potential ideas with prior to further work, it would be much more efficient for the nation. Or so I think their worldview goes.
The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.
Personally I'm avoiding US products when I have an alternative.
according to Brennan, there's no one else for people to turn to: if they don't want to use U.S.-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."
LOL! Who the fuck is this clown?
He might be onto something. The last time we tried to write a point-to-point encrypted texting software, our working team suddenly grew with three American employees, wearing black suits and sunglasses!
... complete moron, blatant liar, or maybe both.
Does anyone in Washington remember what happened back in the 90's when the State Department declared strong cryptography a weapon and put heavy export controls on it? Hell I was a teenager and even I remember. Tons of EU companies sprang up to fill the gap. Ireland, in particular, had quite a few software companies spring up offering software products with strong encryption. It wasn't that long ago that the government finally figured out how useless the export controls were and loosened them to where they are now. They did nothing but hurt US tech companies. How in the hell could anyone not think the same thing would happen again?
I browse on +1 so AC's need not respond, I won't see it.
I worked in radio til gov't handed the entire spectrum over to Clr Chnl. Loss of jobs and democracy was palpable (during reign of Clinton 1).
Now that I found work doing DevOps, guess that will be flattened by Clinton 2.
We all know story of Ford. Surely we have heard the name Honda as well....
It's tempting to dismiss this as him being wrong by orders of magnitude and then talking down our noses at him by assuming we need to explain what an order of magnitude is, or that he's adopting this stance for transparent political reasons, but let's assume for the moment that he's telling the truth. What would he have to know for that statement to be true?
Have you all forgotten the Snowden revelations yet? How it became known that the US grabbed cell phone encryption standards before the ink was dry on them, how they tapped the lines between Google data centres. If the operational tools for creating encryption are compromised or at least weakened, it may well be that they have visibility into source code in a lot of industries as well as communications, which is as good *if not better*.
---- The above post was generated by the Turing Institute. Maybe.
What an idiot. Imperialism is bad, but technological imperialism is simply stupidity masked as pride.
Organization? You must be joking..
I would go with theoretical anyday.
File under: Obama Administration
Where not spying on the citizens is maximized, but called something else.
Where "open" and "transparent" is secret off-site servers, massive document deletion/destruction, and more redacted documents than any previous administration
Where terrorism is "man caused disasters", and nearly all the terrorism on the planet in the past 40 years has no common thread other than "extremism".... better watch-out for those "extreme coders", "extreme athletes", extreme JWs and/or Mormons knocking on your door, etc...
Goebbels would be so very proud: controlling the population by controlling the vocabulary and telling massive blatant lies. Baghdad Bob was a piker...
The AES NIST standard encryption competition finalists:
CAST-256--Canada
CRYPTON--South Korea
DEAL--Canada and Norway
DFC--France
E2--Japan
FROG--Costa Rica
HPC--U.S.A.
LOKI97--Australia
MAGENTA--Germany
MARS--U.S.A.
RC6--U.S.A.
Rijndael--Belgium
SAFER+--U.S.A.
SERPENT--Norway
TWOFISH--U.S.A.
http://www.eurekalert.org/pub_...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
why do you elect idiots? weak encryption is a double edged sword... at the minimum...
While I get what you are trying to say... that is so, so wrong that I realllllly hope you are nowhere near any crypto code, in either your professional or personal hours.
Getting the basics of a crypto function right is easy. The algorithms, complete with pseudocode or even a basic implementation in some real language, are well-published. As you say, anybody with halfway-decent skill can implement them from specifications.
Getting the details of a crypto library right is really bloody hard! There's always a risk of incorrect behavior in some edge case that completely breaks your system, for example - Heartbleed was probably the most famous and easiest-to-understand of these, but there's plenty of others across many libraries - but risks like that are not unique to crypto libs (although they are usually *worse* in a crypto lib). Side-channel attacks like timing attacks, padding oracles, CPU cache line attacks (technically a kind of timing attack, but not the sort most people think of when you say "timing attack"), and many more things than I know about bedevil implementations of such things.
Just like nobody but an expert in crypto theory should ever attempt to design their own crypto algorithm, nobody but an expert in crypto implementation should ever attempt to write a cryptosystem in live code. If you think "anyone with halfway-decent coding ability can implement them from the specs and get an encryption library with no backdoor", then there is ~0% chance that you could implement a crypto library and get one that cannot be broken, at which point who cares if it has a backdoor explicitly built in?
There's no place I could be, since I've found Serenity...
They don't need weak encryption, they drop hellfire via clear channel metadata every day.
Being good at all the political games to get into a high position does not automatically mean competence with a different skillset.
Especially when there is nepotism in the mix.
Remember this?
"Brownie, you're doing a heck of a job"
I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.
Judging by the universal cringe displayed by all the analysts and technicians who have an actual understanding of crypto, I'd go with "a little of both". I just can't believe he's so clueless as to not understand that math doesn't recognize lines on a map, nor can I quite believe he didn't expect to get called out on his bullshit. Either way, it was a dumbass thing to say.
'Merica has the very best, the classiest and yugest mathers in the world. Our math people are gooder then all teh other country mather people. So American crypto is thu bestest kind of crypto there is. It is withow pier, barn un. So if you wants crypto you has to get it frum Americuh, or your just pretending to use cyrtop because no other cuntry can crypto liek we cann cyrpto .
Amuricha iz number WON!
(Didn't someone recently rail against the teaching of Algebra in American schools? How can anyone reasonably expect this nation to keep up with things like cryptography and cryptanalysis when we don't even teach basic math? And how does anyone imagine our crypto to be the only real crypto when there are lots of other countries out there, many with brilliant people, even some (gasp!) mathematicians and cryptography experts! Is this dude serious? Or is he a troll?)
Im only aware of 4 countires, America,russia, china, and terrorizerstan. Clearly we must be the only smart people.
OMG Ponies!!! with Glitter!!!! I miss Pink
We sell them weapons to fight the pinko commi bastards then we bomb them?
OMG Ponies!!! with Glitter!!!! I miss Pink
Pretty sure that everything outside of the USA is theoretical.
Nobody has proven that any of it exists.
I'd say the case of the FBI going third party to crack an iPhone disproves this bullshit.