Non-US Encryption Is 'Theoretical', Claims CIA Chief In Backdoor Debate

Iain Thomson, writing for The Register: CIA director John Brennan told U.S. senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use U.S.-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical." Thus, the choice is American-built-and-backdoored or nothing, apparently. The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data. Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.

American Companies

LOL, how quaint. As if a company belongs to a particular nation state. Freemasons 2016, huyah!

Sir Bush, president and knighted...

Re:American Companies

[St.Creed]

National companies and multi-national companies *do* belong to a nation-state. It doesn't show much, until they need someone to get their potatoes out of some hot fire somewhere. They can't just move and up, since they need ties on a personal level when you get into the big leagues. Not to mention the fact that if they have a lot of infrastructure somewhere, it's also physically difficult to move.

Let's assume corporations don't belong to a particular nation state. Like Disney. Could be Chinese, right? Mi Lao Shu and security guards with pink rifles. Works quite well in Shanghai - they are a minority shareholder though because, for some reason or another, the local company *does* belong to their nation state and the nation state knows it. Or take Coca Cola. Wouldn't hurt the brand at all if it incorporated as a Nigerian company tomorrow, I think. Or Mercedes. It could easily become an Italian brand. Would do wonders for its design, probably. Volkswagen could move to Rumania - their cars have the same amount of pollution as the old cars they have there so they wouldn't stand out so much.

But seriously: no company can do without the protection of a nation state because in the final analysis, a tug of war between competing business interests will eventually be decided with weapons. And that is the job of the nation state. And it will only defend it's *own* companies. Companies that don't have a protector will be at a severe disadvantage. Just consider what the support of the CIA meant for Boeing when it sank lucrative trade deals in the Middle East for Airbus because they had been tapping the trade negotiations and were able to provide tapes that proved corruption. Do you think that would have happened if it had been Airbus versus Dassault? Not a chance.

Re:American Companies

[MobSwatter]

LOL, how quaint. As if a company belongs to a particular nation state. Freemasons 2016, huyah!

Sir Bush, president and knighted...

And they should pay no mind to the boycott on US products involving code produced within the US either...

The trouble with Mason's is what the banksters did to them long ago, a line was drawn and if you didn't swing the mafia/banksters way you became cannon fodder. Freemason's were the ones that built a lot of stuff, from what I understand of my great grandfather, a master mason out of Wisconsin who left his initials on the underground river plug under Virginia City and was tossed into Lake Tahoe for his efforts to pay the crew and that was pretty close to what they did with the Asian rail workers, Freemason was a perverted definition of a Mason by the mafia/banksters, because the work of a Freemason was paid for with their own blood.

Re:American Companies

[dbIII]

Well put.

A very good example on the domestic level that we can all safely point at (since it's dead and buried) is Enron. The final CEO of that Texas based company spent the majority of several years in Washington forging strong political links and calling in favors. That is a major reason why what turned out to be a company with far less than zero worth was able to get away with running like that for so long before the bankers tore them apart.
On the foreign side - Joint Strike Fighter. So many allies have been told by the US government to give money to Lockheed Martin. There is a LOT of that sort of thing going on with government helping out defence contractors at the expense of foreign policy with so much money and trips to Vegas just falling into people's pockets it smells almost as bad as the sort of corruption you get in China.

Re:American Companies

[djinn6]

I don't disagree with the rest of your post, but it seems to me the CIA's job should not be business espionage. There's nothing stopping Boeing from doing that themselves.

Lies from Spies

[schneidafunk]

Well of course he's going to say this nonsense, no surprise there. What is surprising is hearing about it from a british newspaper without a bleep in U.S. news. I imagine apple, microsoft, google and the likes will have a response soon.

Re:Lies from Spies

[wierd_w]

There would just be something like cyanogenmod that hits less than a year later. in fact, CM would probably issue a statement that they wont include the back doors.

CM is based on AOSP, and is wholly open source. If your device supports it, then you can use real crypto, while everyone else in the US gets to enjoy fake crypto.

The issue of course, is that you would need to encrypt so much, (because GSM and other hardware assisted crypto would be backdoored, so you have to put real crypto on top) that your battery goes flat very fast.

IMHO, the solution to that is for eurozone countries to mandate denying US variant GSM devices from working in their countries as an issue of national security. The corporate backlash would be intense.

Re:Lies from Spies

[Bob+the+Super+Hamste]

Seriously why?

I find that the Brits generally do a better job covering the US than the US news does.

Re:Lies from Spies

[ceoyoyo]

Android itself is open source. Anyone can download it. It's mirrored extensively outside the US. In terms of actual devices, by far the largest providers of those are non-American companies.

Android itself uses a linux cryptography library. Those libraries are likewise open source and extensively mirrored. Of the ones that could actually be said to have a particular nationality, most of them are not the US: https://en.wikipedia.org/wiki/....

Seems like Android is an excellent example of how this guy is wrong.

Re:Lies from Spies

[umghhh]

Let us see. There are governments that wholeheartedly cooperate with US on 'security' i.e. war on drugs and war on terrorism and other such - UK for instance. French cooperate because they have a good reason, Swedish cooperate because their ruling class is inbred so much that that affects their brains, the southern flank is corrupt and thus cheap to buy and the eastern flank are so scared of Ruskis (not sure if the Ukraine affair was done on this purpose or just happened this way but either way - well done!) that they do what they are told even if they disagree. Who is left - Germans? They have the Emperor in Berlin who after the wiretapping of her phone came to the public, decided to do nothing, she also refused to reveal the trigger lists because NSA did not let her. Hmmm - how big chances of that do you think there are there? 1%? Besides after the same Merkel invited millions of people to swim and walk to Germany there is an urgent need to eavesdrop everybody now. There are simply too many good reasons why European elites will cooperate. The matters are too complex and if my educated neighbours say to such arguments that they obey the law and have thus nothing to fear I'd say chances of success are null. Admittedly if against all the odds such law would have been passed then indeed the big IT gorillas would try to repeal the laws but quite frankly you do not believe this happens, ever. I do not either.

Re:Lies from Spies

What is surprising is hearing about it from a british newspaper without a bleep in U.S. news.

The US news media is incredibly insular. They got as far as "Non-US ..." and lost all interest.

Seriously. Say the entirety of Ethiopia is wiped off the map.
Headlines in Europe: "Ethiopia destroyed by unknown cause. Over 100 million presumed dead."
Headlines in US: "Tragedy befalls Ethiopia. Over 100 US tourists presumed dead."

... followed shortly by "Could aliens have caused the Ethiopia disaster? Hear what Twitter users have to say!"

Re:Lies from Spies

[dpilot]

Gee, you've completely missed Russia and China. Of course both of those nations would probably applaud such a move on the part of the US, because it makes pursuing their desires easier.

It's time to remember the classification of encryption as a weapon, and invoke our second amendment rights, "If encryption is outlawed, only outlaws will have encryption."

Re:Lies from Spies

[rahvin112]

Good luck with that, the US would simply threaten to stop sharing intelligence information and EU countries would buckle under in about 30 seconds. EU spying apparatuses are entirely dependent on data supplied by the US and the 5 eyes program just like the EU is totally dependent on the US to guarantee their defense. That's the complication of relying on the US to fund these activities for you as the EU is unwilling to pay the cost to do this themselves.

Re:Lies from Spies

[currently_awake]

You are suggesting that your phone baseband isn't backdoored. Or that you can audit the firmware running on it?

Re:Lies from Spies

[ceoyoyo]

No, I'm saying that lots of phones running Android isn't a good example of the "practical truth" of there not being any encryption outside the US.

Of COURSE the baseband is compromised.

Re:Lies from Spies

[LVSlushdat]

What is surprising is hearing about it from a british newspaper without a bleep in U.S. news.

Not surprising at all.. The American news media has become the defacto US Department of Propaganda... What do you expect??

Re:Lies from Spies

[Maow]

There would just be something like cyanogenmod that hits less than a year later. in fact, CM would probably issue a statement that they wont include the back doors.

CM is based on AOSP, and is wholly open source. If your device supports it, then you can use real crypto, while everyone else in the US gets to enjoy fake crypto.

In the binary blobs is where it'll be found.

Which you address:

The issue of course, is that you would need to encrypt so much, (because GSM and other hardware assisted crypto would be backdoored, so you have to put real crypto on top) that your battery goes flat very fast.

>

Too bad there isn't much left of the European telecomm manufacturors (Nokia, Erikson(sp?), and Blackberry for that matter (widening the net)).

IMHO, the solution to that is for eurozone countries to mandate denying US variant GSM devices from working in their countries as an issue of national security. The corporate backlash would be intense.

I agree with everything you've said, but on the last point, expect the US to respond with

"Nice Airbus, shame if something happened to exports to USA.

Care for some Freedumb Fries?"

Then the Europeans fold like a house of cards (sadly).

Re:Lies from Spies

[Carewolf]

I imagine apple, microsoft, google and the likes will have a response soon.

You have vivid imagination.

Re:Lies from Spies

[dbIII]

and invoke our second amendment rights

The right to hand your guns back when you turn 45 and are no longer considered a potential member of the militia?
The STATE has second amendment rights, the right to draft your ass into uniform and get you to fight. You have your gun rights because they have not been taken away. It has nothing to do with the second amendment no matter what the ranting of people in nothing but a sports club, the NRA, consists of. That's why you get to keep your guns even when you no longer fit the "militia" definition.

Re:Lies from Spies

[Impy+the+Impiuos+Imp]

The 2nd directly mentions The People and not the states. The state cannot regulate away the people keeping and bearing arms, as that is the backbone upon which is built the well-regulated militia, which is what is necessary to keeping freedom.

"The state shall have the power to take away arms...the right to keep and bear arms shall not be infringed." -- this makes no sense if government can take it away under "regulated militia".

Re:Lies from Spies

[schneidafunk]

Have you not been following the news?
http://www.latimes.com/busines...

Re:Lies from Spies

[dbIII]

So when you turn 45 what then? You are no longer potentially part of the "well regulated militia". If it was all about the second amendment as Oliver North and the other NRA directors say then the government could take those guns away once you hit the age limit.

The reason they don't is because you have the right to do anything unless laws are enacted to stop you having that right. There is no law to stop you. The second amendment distraction from a sporting club turned political has nothing to do with it.

The 2nd directly mentions The People and not the states

Not "states" - the state. In this context "state" means nation or national government, as it does in many political documents worldwide especially the US constitution. I put it in all capitals to try to make that more obvious but kept the word "state" since that's in the document. See also

Dumfounded at the ignorance

[fnj]

This halfwit is the best that the US can come up with to head their "intelligence" apparatus?

Re:Dumfounded at the ignorance

[tiberus]

What?!? Hey, guess neither of a new the US was an international leader in technology and encryption.

Um, yeah...

Re:Dumfounded at the ignorance

[pushing-robot]

When it comes to intelligence agencies, never attribute to ignorance that which can adequately be explained by malice.

Re:Dumfounded at the ignorance

[Kernel+Kurtz]

He is worse than the terrorists.

Re:Dumfounded at the ignorance

[thegarbz]

This halfwit is the best that the US can come up with to head their "intelligence" apparatus?

You wouldn't come up with the same excuse given the following information:

1. You're standing in front of a group of people who consider you the expert.
2. You stand to gain a lot from forced backdoors and the job for your agency becomes far easier.
3. You have almost zero chance of being punished for lying through your teeth.

What would you have said? Personally I would have come up with the exact same thing and sugar coated it by saying all terrorists use all American technology.

Re:Dumfounded at the ignorance

[Bob+the+Super+Hamste]

Statements like that aren't for the people who work for him, or even the /. crowd. They are for the consumption of the assorted idiots and defectives in congress as well as to placate the general populous that has know knowledge of how encryption works. He knows exactly what he is after and is positioning things so that he gets them even if he is lying through his teeth. Before the Paris attacks there were statements out of the FBI or CIA (I forget which) where one of their people said it would take a terror attack where the terrorists used encryption before they could seek to get rid of strong crypto available to the general public. Then a few weeks later the Paris attacks happen and there was tons of news coverage about the terrorists using encryption. Also lets not forget the whole San Bernardino attack and that fucking iPhone. This is just the next step in their long game. Sadly no tin foil is needed.

Re:Dumfounded at the ignorance

When it comes to intelligence agencies, is there a difference?

Jobs Creator

[archatheist]

Glad to see that this fellow has figured out how to create new technology jobs in foreign countries. I didn't realize that was his job, but kudos nevertheless.

Re:Jobs Creator

[PCM2]

What's the saying? "When strong crypto is outlawed in the US, only non-US companies will have strong crypto"?

Re:Jobs Creator

[ceoyoyo]

That cart has left the horse. US export laws caused much of the cryptography business to move out of the US decades ago.

Re:Jobs Creator

[HiThere]

Last time it was:
"When strong crypto is outlawed in the US, US companies will import it from outside."

Of course, it was a little be different last time, it wasn't possession of strong crypto that was illegal, it was on exporting it. But that was still enough of a barrier that it got developed outside the US.

Only "theoretical"?

This guy is smoking some premium shit.

He realizes that many of the Nordic area countries in Europe have some really talented crypto people, and that it would take all of about 2-3 years for some seriously competing cryptographic solutions to hit the commercial space, right?

What will his precious 3-letter agency do when everyone stops sitting on inertia, and is compelled to create cryptography outside their control, while all the people in the US are forced to use the shitty crap he insists on-- you know, where the rest of the world can actually keep secrets secret, but his own country now cant, and foreign governments the world over just backdoor the shit out of everything, resulting in a powerful asymmetry in effective intelligence gathering?

What a fucking douche.

Re:Only "theoretical"?

[Opportunist]

"Purely theoretically" you could just take any OSS encryption implementation, audit the living shit out of it to ensure that none of li'l Jonny's backdoors remain and recompile it.

If that takes a WEEK I'd be surprised.

Re:Only "theoretical"?

[sexconker]

Be sure to audit your compiler, the compiler used to compile it, 8 layers of firmware/uefi/bios, and the physical CPU itself.

Re:Only "theoretical"?

[HiThere]

It would take a lot longer than a week. Years wouldn't surprise me. What *would* surprise me is if someone hasn't already done it.

Re:Only "theoretical"?

[Opportunist]

That's actually the interesting part, more so than whether or not I can invent an "independent" encryption implementation.

If absolute confidentiality is key, the most sensible solution would be to split it into the three parts of receiving the encrypted message, decrypting the message and outputting the cleartext, implement each part in a separate unit and have them interface only in an easily auditable way, so that at the very least you can ensure that the unit that can transmit information to the outside neither knows what keys are used nor what clear text message is the result.

But yes, that's actually the tricky part.

Re:Only "theoretical"?

[cwsumner]

That's actually the interesting part, more so than whether or not I can invent an "independent" encryption implementation. ...

Nothing in this world is absolute.
But making it just a little bit more secure can save your life. 8-)

Lack of perfection is not an excuse for failing to try...

You aren't understanding him

He's using FUD. Simple trick to get people to change up something you can't break. Trying to convince them that their stuff is being read by the US. And if they change up their techniques, maybe the US intelligence apparatus gets lucky and then *can* actually read their stuff.

I suspect professionals will understand this and roll their eyes, continuing on as before.

Good thing all mathematicians are American then

[xxxJonBoyxxx]

>> (for crypto) there's no one else for people to turn to (mofos)

Well, it's a good thing that all mathematicians have always been and will always be American then.

Re:Good thing all mathematicians are American then

[TheSouthernDandy]

You don't have to be a mathematician, you only need to be able to implement algorithms designed by mathematicians on computers. I think they called that profession "programmer" once, and there even used to be Americans who did it.

Re:Good thing all mathematicians are American then

[chihowa]

No kidding. The current Advanced Encryption Standard in the US (Rijndael) was even created by two Belgian mathematicians.

Re:Good thing all mathematicians are American then

[F.Ultra]

Not only that but the submissions during the AES process came from all over the world. And looking at the names of the current submissions to the upcoming CEASAR I wonder if there is even a single American among them: https://competitions.cr.yp.to/...

The "response" should be an indictment.

[mrchaotica]

Under 18 U.S.C. ss. 1001, lying to Congress is offense punishable by up to five years in prison (or eight if the lie is terrorism-related). The correct "response" to John Brennon's blatant, politically motivated, criminal lie is to indict him, convict him, and send him to Federal prison where totalitarian freedom-hating enemies of the American public like him belong.

Re:The "response" should be an indictment.

[NatasRevol]

In theory, yes.

In practice, not a fucking chance.

Re:The "response" should be an indictment.

Well, given the fact that the Chinese are at least as smart and as technological advantage as far as public math goes as the Americans, and have more than enough money to do it and more than enough reason to do it, you could actually argue that this guy is advocating for a position where China can break American encryption, while using non-weakened encryption of their own (which there is no reason to believe to be any worse than the best American encryption).

So, well, what is the punishment for high treason?

Re:The "response" should be an indictment.

[mrchaotica]

Speaking of "in theory," considering what the news is reporting about how the FBI is going after the wife of the Orlando shooter, wouldn't failure to indict make every member of Congress an accomplice?

Re:The "response" should be an indictment.

[bluefoxlucid]

High-treason is defined in the U.S. Constitution and is punished by execution.

Re:The "response" should be an indictment.

[Megol]

No?

Re:The "response" should be an indictment.

[Bob+the+Super+Hamste]

Good luck.

As much as I would like to see people like him sent off to federal PMITA prison it isn't going to happen. These guys are part of the protected class and they really need to screw over congress. Even spying and hacking into the Senate Intelligence Committee servers didn't' get them into trouble, so I doubt anything will ever come of this. I just wonder what they have on the congress critters.

Re:The "response" should be an indictment.

[Immerman]

O course not. They're exempt under the thoroughly time-tested doctrine of "we have wealth and power, so the law doesn't apply to us unless we piss off someone even wealthier and more powerful"

Re:The "response" should be an indictment.

[geekmux]

In theory, yes.

In practice, not a fucking chance.

If "practice" has been reduced to not-a-fucking-chance-in-hell, then US law is nothing more than a "theory".

I really grow tired of the American people supporting criminals who blatantly ignore the law, especially when those same Americans want to bitch about how fucked up things are.

Re:The "response" should be an indictment.

[mrchaotica]

The two Senators from my state plus Ron Wyden got emails from me on this issue before I posted on Slashdot. What did you do about it, mister shit-talking anonymous coward?

Re:The "response" should be an indictment.

[davester666]

I'm ok with trading him to China. Or even just giving him to them as a sign of goodwill.

Re:The "response" should be an indictment.

[LVSlushdat]

Under 18 U.S.C. ss. 1001 [house.gov], lying to Congress is offense punishable by up to five years in prison (or eight if the lie is terrorism-related). The correct "response" to John Brennon's blatant, politically motivated, criminal lie is to indict him, convict him, and send him to Federal prison where totalitarian freedom-hating enemies of the American public like him belong.

Oh didnt you know?.. 18 U.S.C. ss. 1001 ONLY applies to the unwashed plebs, ie: Joe and Jane Six-pack.. People like Brennon don't have to worry about violating any of those pesky laws..

Re:The "response" should be an indictment.

[LVSlushdat]

Oooops... Forgot the /s for the sarcasm-challenged among us....

Re:The "response" should be an indictment.

[ChadL]

China seems to be well ahead of the US on the regulating encryption front, so I don't think that China will be ahead in terms of the general populous using encryption that can't be broken (excluding governments, of course). This article indicates that a lot of Chinese firms don't use encryption in China at all to avoid having to deal with giving the government keys. They also mandate usual encryption algorithms (SMS4 comes to mind) which are presumably selected because they can be broken.

Re:The "response" should be an indictment.

Under 18 U.S.C. ss. 1001 [house.gov], lying to Congress is offense punishable by up to five years in prison (or eight if the lie is terrorism-related). The correct "response" to John Brennon's blatant, politically motivated, criminal lie is to indict him, convict him, and send him to Federal prison where totalitarian freedom-hating enemies of the American public like him belong.

They didn't even slap Jimmy Clapper's wrist for his blatant, repeated perjury. What makes you think they'll do anything to this yo-yo?

Re:The "response" should be an indictment.

[driblio]

But he didn't lie. And he's not stupid (see thread above). An idiot, yes. But here's what he said: "American *companies* dominate the market for encryption *apps*". Absolutely true. Then he said something about "theoretically, foreign companies could [have strong encryption and] dominate the market." But they don't. And they won't [dominate the market].

Because people don't give a shit about encryption, they're not going to stop using their iphones or facebook. Hardcore terrorist can already use whatever encryption they like, but they don't- they use pain GSM SMS. He knows that. This isn't about that. This is about making sure the average American doesn't use encryption on a day-to-day basis.

I'm sure I had a point in there somewhere.

Re:The "response" should be an indictment.

[razberry636]

He didn't technically lie to congress. No cryptography is provably secure. We can prove some to be insecure, and that's when we stop using them. Until then we believe that our current technologies are secure.

It's true: non-US encryption is theoretical, but so is US-developed encryption. It's all theoretical.

I don't know if saying something that is technically true but is misleading would be enough to convict someone of lying to congress.

Correction: I don't know if it would be enough to convict a high mucky-muck of a TLA.

Re:The "response" should be an indictment.

[meerling]

He's already lied to them before, and even admitted to it when pressed.
Of course, nothing happened then, and he doesn't believe anything will happen now.
Kind of makes you wonder if he's got a black file on the politicians he uses for leverage.

Re:The "response" should be an indictment.

[NatasRevol]

Who said they're supported? Read through the comments. No one supports this bullshit.

But that doesn't mean we're not realistic.

Re:The "response" should be an indictment.

[NatasRevol]

The FBI doesn't report to congress, so no.

Re:The "response" should be an indictment.

[Demena]

Where do those numbers come from?

Re:The "response" should be an indictment.

[dbIII]

So, well, what is the punishment for high treason?

You get to run for office with photos of you wrapped in a flag and then when that fails you get a gig as one of the directors of the National Rifle Association.
That's if high treason is giving classified anti-tank weapons and a pile of other ordinance to Hezbolla less than a year after they blew up over a hundred US Marines.
These days high treason probably means beating a Russian at chess instead.
Giving weapons to terrorists (North) or giving away state secrets for sex (Petraeus) just doesn't seem to make the grade when political connections are strong.

Re:The "response" should be an indictment.

[dave420]

You are confusing "slashdotters who have replied to this thread" with "All Americans". That is not going to do you any favours, as it just takes one American supporting this tripe for your claim to be false. Try to ditch the hyperbole and exaggerations - if your argument is sound that won't hurt it one iota.

Black Hat Herring

[lylefile]

The issue isn't whether the rest of the world would use it. The question is how long until the backdoor is hacked. Knowing its there will make it a prime target. Is the US government willing to back up its confidence with a guarantee to reimbursed all losses for everyone using this technology? Only then could the claim that it wouldn't "cause any commercial problems" be at all plausible.

Re:Black Hat Herring

[msauve]

"Is the US government willing to back up its confidence with a guarantee to reimbursed all losses for everyone using this technology?"

You do realize that simply ends up being taxpayers footing the bill.

Better to hold CIA director John Brennan, and those congresscritters who support such backdoors personally responsible for the consequences of their actions..

Re:Black Hat Herring

[bluefoxlucid]

You do realize that simply ends up being taxpayers footing the bill.

Most people think money is wealth, and don't believe in labor and production. They think you work for money, and don't think about where all the shit they're buying comes from (aside from "CHINA!").

You can't eat money, as much as everyone seems to want to.

Countries outside the US are only theoretical

[presidenteloco]

Would be only a slight generalization of his view point.

A lot of people think this is how Americans think about the rest of the world.

We've heard it's out there, but it doesn't matter very much, as long as they have a McDonalds, a 7-11, and a Starbucks.

Re:Countries outside the US are only theoretical

[PCM2]

The irony is that 7-Eleven is a Japanese company.

Re:Countries outside the US are only theoretical

[Darinbob]

Everything is theoretical. Theoretically, setting off a bomb in my basement would cause a lot of unnecessary damage. Theoretically, invading a country would damage diplomatic efforts with that country.

I think Brennan is using this word to confuse congress. They'll think "oh, it's just a theory, like evolution and climate change, so we can ignore it."

Re:Countries outside the US are only theoretical

[Carewolf]

Would be only a slight generalization of his view point.

A lot of people think this is how Americans think about the rest of the world.

We've heard it's out there, but it doesn't matter very much, as long as they have a McDonalds, a 7-11, and a Starbucks.

We are talking about people who believe the Super Bowl is some kind of world wide event, that people who haven't been culturally brainwashed to watch the most boring sport in world would watch. And who considers the NHL a world championship.

Re:Countries outside the US are only theoretical

[AK+Marc]

https://en.wikipedia.org/wiki/... 7-Eleven is a US company. The owners changed in the '90s when Southland went bankrupt, but the HQ is, and has always been in the US (unless you count the holding company, who changed their name to match).

Isn't GnuPG German?

[HawkinsD]

Hold up there a minute, Mr SpyMaster. I think GnuPG (open-source implementation of PGP) is German. Or at least: " g10code GmbH, the legal entity employing some of the GnuPG hackers" is German.

My company has been using GnuPG for ten years.

See https://gnupg.org/ .

Re:Isn't GnuPG German?

[Richard_at_work]

Britains GCHQ came up with public key encryption years before others, so its not as if the rest of the world cant do encryption theory...

Re:Isn't GnuPG German?

Also AES is based on Rijndael which was created by a couple of Belgium cryptographers lol

Re:Isn't GnuPG German?

[BitZtream]

. . So your talking about software which is a OSS REIMPLEMENTATION of software written in America. So, his point is 100% true in relation to PGP. You simply don't understand the roots of the germen implementation.

Now this bullshit about encryption back doors and export restrictions are EXACTLY why GnuPG exists.

Can't decide

[fyngyrz]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

I readily admit this is not an uncommon reaction of mine when I read of the things presented by elected and appointed officials. The US government is a madhouse.

Re:Can't decide

[Jawnn]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

Judging by the universal cringe displayed by all the analysts and technicians who an actual understanding of crypto, I'd go with "a little of both". I just can't believe he's so clueless as to not understand that math doesn't recognize lines on a map, nor can I quite believe he didn't expect to get called out on his bullshit. Either way, it was a dumbass thing to say.

Re:Can't decide

[CrashNBrn]

I'm opting for F'N-Batshit-Crazy - which could include him thinking everyone else is stupid.

Re:Can't decide

[bluefoxlucid]

If he's incompetent, the President should dismiss him from his post. (Executive)

If he's lying, Congress can impeach him.

Being so severely wrong so often is hazardous to your health.

Re:Can't decide

[Cro+Magnon]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

The two aren't mutually exclusive.

Re:Can't decide

[whoever57]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

He thinks enough people are stupid, and, unfortunately, he isn't wrong about that.

Re:Can't decide

[kheldan]

He's the head honcho of the freakin' CIA, of course he thinks everyone else is stupid, especially politicians! How else other than overweening arrogance and likely a liberal amount of narcissism do you think someone gets that job in the first place? Strong work ethic? A strong sense of justice? LOL no, more likely successfully backstabbing all the competition and covering his tracks so thoroughly that nobody could pin anything on him!

Re:Can't decide

[zlives]

actually i would say he was telling the 100% truth. The target for backdoor is compliant American citizens that would only purchase approved and not legally blocked soft/hardware. This has nothing to do with terrorists, corporations or any one with any knowledge at all.

Re:Can't decide

[ceoyoyo]

Why does he have to root for a team? The US has a history, especially in cryptography, of assuming that the rest of the world is hopelessly behind them. Remember the export ban on strong cryptography? Remember the t-shirts with the RSA algorithm printed on them? This is just another aspect of the same thing. If the US doesn't provide the crypto, there's nobody else to get it from. Obviously.

Re:Can't decide

[cayenne8]

I just can't believe he's so clueless as to not understand that math doesn't recognize lines on a map, nor can I quite believe he didn't expect to get called out on his bullshit.

Well, it isn't HIS cluelessness that is the problem here..is the his audience...the US Senators/CongressCritters that he speaks to in these hearings.

See, they are the ones that pass the laws that could mandate weakening software and forcing backdoors.

He may know perfectly well that this is a false and stupid thing to say, but it IS something the TLA's want badly...so, he tells them this and they think that it won't cause harm to US businesses, and they have, instead, just helped to fight the terrorists...and have their constituents be happy about this.

It is the ignorance of the lawmakers that you have to worry about.....and unfortunately they're getting their information from a guy like this, that wants what he wants, no matter the cost to business or the constitution.

Re:Can't decide

[lgw]

"The US"? Each individual living here? Including all the US cryptographers pointing out how silly this was, and selling T-shirts?

Stereotyping whole countries by their sillier government acts is fine if were doing patriotic trash-talking, like calling people "Murcans" or "cheese-eating surrender monkeys" or "I know he wasn't Canadian, or he would have apologized afterwards". That's just being silly, but if you're going to do that, it's rude not to identify your side.

Re:Can't decide

[unrtst]

If he's incompetent, the President should dismiss him from his post. (Executive)

If he's lying, Congress can impeach him.

Being so severely wrong so often is hazardous to your health.

And when neither happens, then similar rules apply to both the President and Congress. This eventually trickles down to blaming the voters. The majority of voters are currently proving that point quite well in their handling of the current presidential election, so this should be no surprise to anyone that's conscious.

Re:Can't decide

[ceoyoyo]

It's fairly common custom to use the name of a country when referring to official actions undertaken by that country. For example, "the US invaded Iraq."

In the specific case of a democracy, official policy is determined by the government, which is elected by the citizenry, so collective responsibility for national activities can be ascribed to those citizens, if you're into that kind of thing.

Re:Can't decide

[myowntrueself]

I see that you use this slur a lot.

If you're American yourself, please stop taking your self-hatred out on those around you. Find a therapist instead.

If not, carry on. Yay patriotism! But do have the courtesy to call out what team you do root for: it's unfair to mock one team without allowing the same in return.

I honestly don't root for any team. IMO all governments are really just organized crime syndicates.

Re:Can't decide

[BitZtream]

Considering AES is a product of Sweden, he's stupid at a minimum for thinking that bullshit would fly, and he's CIA so you know for a fact that he thinks your stupid and he's lying.

Re:Can't decide

[bluefoxlucid]

I wish they'd let citizens debate a stand-in and then give a pass or fail to debate presidential and congressional candidates. I like the argument about how Trump can't debate Bernie on policy, but Bernie can't debate Trump on finances (where is Bernie getting all this money?), because I can actually develop economic policy *and* show exactly where the money's coming from. I would break Trump in a policy debate and, honestly, sometimes I just want to crush *someone*.

Re:Can't decide

I can understand how you'd make that mistake, but he's not clueless. It's much worse than that.

He's a man who knows that no one can challenge the power that he's amassed for himself, because the establishment is on his side. Surveillance is just a fact of life now, some people aren't going to give up their Facebook accounts until they die and he's grinning like the shit-eater he really is, because he's getting paid to take away the same freedoms they claimed they were "defending" after September 11th happened. People are legally required to pay money out of pocket straight into the hands of the same people who are supressing their rights to privacy and free speech.

If you knew that you were taken care of for life and there were no consequences to anything you did, no matter how horrendous, how would you act? These are the same people that had pictures of their torture at Abu Ghraib published around the world, a thousand-plus-page report on their methods published around the world and what did people do? Fuck all nothing, that's what. Brennan has that grin because he knows nobody is challenging him any time soon, period.

Re:Can't decide

[lgw]

"Murcans" is offensive? Goddamn people are touchy these days.

I'm not offended by trash-talking -- that's all good fun, like your mother said last night -- but I am offended when people trash-talk their own country.

Re:Can't decide

[ceoyoyo]

"Americans" is the collective term for citizens of the United States of America. "'Murricans" is a mild slur of "Americans." Americans are collectively responsible for this ass holding office. As such, he's representing you to the world when he says that the rest of the world is too dumb to implement encryption without American help.

Use of the slur seems reasonable in this case. If you collectively don't like it, get rid of the jerk. If you individually don't like it, stop taking criticism of the collective personally. Perhaps you like feeling proud of being an American when your country does something good, but you'd rather pass the buck when they do something asinine?

Re:Can't decide

[Rakarra]

It's intentionally insulting. Yeah, it's not majorly insulting, just something to make the eyes roll a bit at his immaturity. He wouldn't have used it if he wasn't trying to be insulting. That's the entire point.

Re:Can't decide

[compro01]

Not sure where you're getting Sweden from, as Daemen and Rijmen are from Belgium and work at a Belgian university.

Re:Can't decide

[FlyHelicopters]

I would break Trump in a policy debate and, honestly, sometimes I just want to crush *someone*.

And he would break you in the game of persuasion... which he is quite good at....

You're assuming the average person cares about policy details, facts, and logic... they don't...

Re:Can't decide

Yeah, that's why there are so many Clipper devices deployed right? /s

BTW, who came up with the AES algorithm? Was that the United States? lol

Re:Can't decide

[Livius]

Or, he is both lying and incompetent, and he's showing off how powerful he is in comparison to mere citizens by the fact that he will face none of those consequences.

Re:Can't decide

[JenovaSynthesis]

Yeah. I guess he never heard of the 16 year old Irish girl who came up with an encryption method better than what RSA was using at the time.

Re:Can't decide

He may know perfectly well that this is a false and stupid thing to say, but it IS something the TLA's want badly...so, he tells them this and they think that it won't cause harm to US businesses, and they have, instead, just helped to fight the terrorists...and have their constituents be happy about this.

I have this theory that if the anti-backdoor people really want the least harm in the long run, the right answer is to let the pro-backdoor people have their way in the short run. Really, think about how it will play out.

Re:Can't decide

[meerling]

Definitely both

Re: Can't decide

[backslashdot]

Yeah cause governments don't double down on failure and blame something else?

Re:Can't decide

[jcr]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

These are not mutually exclusive.

Idiots are often shockingly arrogant.

-jcr

Re:Can't decide

[CanadianMacFan]

Or he's smart because he's telling the Senators exactly what they want to hear.

Re:Can't decide

[rtb61]

In this case the underlying claim behind "US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them,", is extremely threatening. The US under the guise of the North American Territorial Occupation farce is also claiming cross border hacking is a declaration of war and should result in a military strike. So that claim of dominance is really pushing the bound of , block our backdoors and we will consider you a foreign threat and take you out. Pushing dominance brooks no peace, brooks no diplomacy, preserving dominance demands killing all opposition in the most bloody and violent manner possible to send a message. That maroon is an idiot threat to world peace and should be put out to pasture, where he can grumble and makes threats at passing flies and annoying weeds. Keep talking the demand for dominance America and everyone is going to tell you to fuck off.

Re:Can't decide

[AchilleTalon]

That's why lobbying exists. I cannot believe the Senators were not 'educated' on the matter by the enterprises with interests in this law to not pass.

Re:Can't decide

[ultranova]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

Probably neither. We're witnessing the equivalent of climate change "scepticism": he has a position based on ideology which happens to disagree with reality, yet has to convince other people it's nonetheless true, so he'll simply say any excuse he can think of in hopes one of them sticks.

Re: Can't decide

[LinuxLuver]

Maybe he knows something we don't know. Like... They have managed to compromise - somehow - almost every encryption method out there. Or he wants us to believe they have. Around and around we go on that one.

Re:Can't decide

[RockDoctor]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

That's an inclusive-OR, isn't it. I.E. Brennan is that stupid, and he thinks everyone else is stupid enough to swallow this line.

Didn't the German state invest some money in paying for development of GPG a few years ago? So shouldn't the German Ambassador be creating a diplomatic incident out of this?

Re:Can't decide

[bluefoxlucid]

Trump is good at persuasion and negotiation; it's part of business.

You're assuming the average person cares about policy details, facts, and logic... they don't...

The problem comes when you lay out facts and logic in short, concise form in front of someone people look to for leadership, and his only response is, "Uh, I don't believe that." You can get away with that to a very limited degree, even with the authority of popularity behind you; it's impossible to continue to look good when your attacks are cleanly parried and reversed.

Take Trump's talk about immigration, for example. Trump said we let hundreds of thousands of Muslim immigrants into this country, and "hundreds" of they and their children have been implicated in acts of terror. Pundits are yelling a lot of "No Mr. Trump, you're wrong and stupid," pointing out that the Orlando shooter's parents moved to America 25 years ago and he was born and raised American, so there's no sensible way to pre-screen this. Of course nobody buys into that.

We associate terrorism with murder.

In the United States, we have 4.9 murders per 100,000 people per year. Of 783,000 Muslim refugees from Afghanistan and Iran in the past 15 years, three (3) have been implicated in terrorism. Over 15 years, we've stocked 2.77 million Muslim immigrants and their children, including those refugees. If only 100 are implicated in terrorism, then any single full-blooded American is TWENTY TIMES as likely to be a murderer as one of these Americanized Muslims. Even if as many as 2,000 were implicated as terrorists--which even Trump hasn't claimed--that's still a lower rate of murderers among Muslim American immigrants than all other Americans.

You pull something like that. It puts Trump on the defensive. Now he has to say something about how a non-immigrant American is way more likely to murder you than a Muslim immigrant, but not really, because Islam; or he has to just claim whatever you just said isn't true, somehow. You pull out all your contorted logic *after* you put him on defense. Trump argued that Muslims don't turn in their own; the FBI says otherwise. This is where you pull out the logical argument that someone born and raised American for the whole 20 years of his life and radicalized over the Internet by out-of-country extremists isn't a threat we missed when his parents immigrated here.

You don't go in and say, "Let's think about this rationally: do you really believe there's a checkbox that says you plan to raise a child to be a fifth-column terrorist while you're here in America?" You quickly and sharply pull out facts-and-figures, something hard that will nudge him off-balance. Then, before he recovers, you hit him with every other proposition; the audience will just see a clown stumbling around on stage. If you start with something that doesn't solidly undermine his argument and force a response, you'll just get mocked for having a differing and sheltered opinion, and then *you* look stupid, which means no one's convinced you have a clue what's going on.

I like economic policy though.

Trump's entire argument against Bernie-style policies (e.g. a UBI) is funding: where do you get the money? I can actually tackle that (Bernie can't; he has undeveloped ideals with lots of holes, most of which are legitimately dangerous). This is a *huge* problem for Trump, because his entire line of debate would be undermined: for any attack he has, I can give a short and concrete answer.

Not only can I answer for funding problems, but I can also cite and control immigration risks, fanciful unemployment risks, and risks of diminishing the support of our existing system. My arguments for a Citizen's Dividend include that it establishes a basic standard-of-living and worker protection via a non-wage income stream, which avoids the job loss and reduction of consumer buying power cause

Re:Can't decide

[dave420]

You frequently make mistakes a few seconds of googling would solve... You might want to replace your hubris with something more useful.

Re:Can't decide

[beastofburdon]

The answer is generally that they think you are stupid. History also agrees with them on most subjects too.

Re:Can't decide

[beastofburdon]

That is not an if, that is a guarantee.

Re:Can't decide

[FlyHelicopters]

In the United States, we have 4.9 murders per 100,000 people per year. Of 783,000 Muslim refugees from Afghanistan and Iran in the past 15 years, three (3) have been implicated in terrorism. Over 15 years, we've stocked 2.77 million Muslim immigrants and their children, including those refugees. If only 100 are implicated in terrorism, then any single full-blooded American is TWENTY TIMES as likely to be a murderer as one of these Americanized Muslims. Even if as many as 2,000 were implicated as terrorists--which even Trump hasn't claimed--that's still a lower rate of murderers among Muslim American immigrants than all other Americans.

You pull something like that. It puts Trump on the defensive.

No, he'll respond with a funny comeback, everyone will laugh, and completely forget all that boring stuff you said.

Re:Can't decide

[bluefoxlucid]

Depends on how you structure it. That up there is a lot to read; it's not a lot to say. You can abridge some of the numbers, let Trump try to call your bluff, then dump more numbers (that happens when you just say something like, "Over the past 15 years with millions of Muslim immigrants, all we've found is that any given American is twenty times as likely to murder you as the next Muslim immigrant!"). Taking the bait on a bluff like that gets the audience smiling and waiting to see what ridiculous shit your opponent pulls out... unless they pull out something concrete.

As for making a funny comeback, well... that works equally as well both ways. If Trump draws up this mean dialogue about how Mexicans will rape your 8-year-old daughter and then stuff her full of cocaine to traffic over the border, a silly quip about how Trump seems disturbingly obsessed with sticking things in third-grade girls will come off as flippant and uncaring. It belittles the audience, because it's a blatant grab for their attention and support; you need some kind of substance. Part of it also relies on how well you can show, and a couple jokers doesn't work too well; the risk of being *the* joker is your opponent might just call you on it, pointing out that you're showing a lack of real concern for real issues--in other words, claiming that you don't really care about the things the audience finds important, and thus that you don't stand with them.

Re:Can't decide

[slashdotwannabe]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

He's giving the Senators plausible cover stories to protect themselves for when they vote for bills that would write mandatory backdoors into law. That's not stupid; that's playing the game masterfully.

Never, ever, think of your enemy as stupid -- even if s/he appears to be, even if s/he IS -- as it will cause you to underestimate them. Always assume that what appears to be their stupidity is a deception, and look at it until you find it. If you cannot find it, assume that it is YOU that is being stupid.

Re:Can't decide

[slashdotwannabe]

I'm not offended by trash-talking -- that's all good fun, like your mother said last night -- but I am offended when people trash-talk their own country.

Huh. You know what I'm offended by? Fucking morons who vote against their interests because the lies they're fed make them feel good. Idiots who don't bother to fact-check the bullshit they're eating by the bucketload because it allows them to see themselves as better than someone. Asswipes who think "my country, right or wrong". In other words, 'Muricans.

I'm an AMERICAN. I read both sides of every issue. I fact-check sources. I follow the money. My priorities are Conscience, Country, God, (Party?), NOT God, Party, Country, (Conscience?). I understand Cui Bono is the basis for nearly everything someone paid for me to see. I do the work required of a Citizen of this country and take it as my sacred duty... and 'Muricans fucking PISS ME OFF. They make us look stupid. They give other countries a reason to doubt our global leadership and the very notion of Democracy itself (for example, the very popular belief in China that a Technocracy is much better than a Democracy, the United States being the number one example of why). They are a threat to our very existence, blithely voting in dumbfuck ideas that shit all over the Constitution like arresting reporters and protesters, a Mexican border wall or banning Muslims because it makes them feel good.

But yea, you go ahead and be offended by people who trash-talk their country, because the Lord knows that YOUR country can do no wrong, and in the case of the United States, the First Amendment doesn't apply to people who offend your sensibilities...

Dear Mr. Brennan

[Opportunist]

Jonny, listen. There is a thing called "compiler". That's a program that lets anyone around the globe take source code, that is like some sort of text that anyone who knows how to program can read (trust me on that one, anyone who can program can read this stuff. Just because you can't doesn't mean nobody else can, there is intelligence outside of your agency on the planet, ya know? Some of it even in people). That source code can also be changed by people who can read it. And then they put that source code into a compiler.

What this means for your backdoor is that even if there was only 'murrican code (which there isn't, but let's play pretend as you usually do) is that your backdoor gets ripped out of that code, tossed onto the pile of junk code where it belongs and you're standing outside the door.

You AND your industry.

Because if I can easily create a non-broken version of your code, why the hell should I use yours which is inferior?

Re:Dear Mr. Brennan

[rlp]

'Compiler' you say, yeah about that ... https://www.ece.cmu.edu/~gange...

Re:Dear Mr. Brennan

[Opportunist]

That you audit the compiler first is a given. I mean, no later than this it's a given that the first thing you do when auditing source code is auditing the compiler for it.

Re:Dear Mr. Brennan

[Megol]

Yes and the problem (theoretically) applies even to assembly code on a bare-bone system without an OS. It's actually worse than that for many systems as many have embedded control processors for power control, supporting secure boot etc.

Which is why the idea of open-source hardware is attractive even if it in itself doesn't plug all potential security holes...

Re:Dear Mr. Brennan

[Opportunist]

Even if OS-Hardware had security holes, at least it won't have security holes placed there intentionally. Accidental security holes may be known to your adversary. Deliberate security holes are by definition known to your adversary.

Re:Dear Mr. Brennan

[Demena]

And correct policy would be to assume that that they are known. Any important messages are handled by cipher not encryption. By any sensible agency. They are not after the professionals but the amateurs. The motives here are deeper than we are discussing.

what this idiot dont get is

[FudRucker]

if the Government spooks & goons can peek at your stuff then the criminals that are good at cybercrime will find a way to crack the key to the Government's backdoor

Re:what this idiot dont get is

[Nethemas+the+Great]

You make the probably invalid assumption that they care.

threat assessment

[micahraleigh]

The biggest threat to US security is US security.

It's not "theoretical."

[BarbaraHudson]

He shouldn't have said it was just theoretical. After all, how does he know for certain that it doesn't already exist and the US hasn't detected it?

Re:wait

[Opportunist]

The problem with Johnny is that he knows so little that it's hard to say whether he is actually trying to bullshit you or whether he really believes what he says.

Rijndael?

Like the "theoretical" encryption Rijndael...?

Re:Rijndael?

[Bob+the+Super+Hamste]

Shut your filthy Commie Islam loving pie hole. /sarcasm

Although it does look like AES 256 has some problems with related key attacks.

Re:Rijndael?

[gweihir]

Well, banks all over the world use it for the most critical transactions. But since all the money is electronic, I guess in some sense it is "theoretical money" and banking is a "theoretical business".

Re:Rijndael?

[cryptizard]

There are no significant protocols or implementations that use related keys though, this attack is purely theoretical. Also, 2^100 work is still out of the range of reasonable attackers for the foreseeable future.

Re:Rijndael?

[Bob+the+Super+Hamste]

All true and and effort of ~2^100 is huge requiring massive amounts of energy even on an ideal computer, I believe a significant percentage of the total worldwide energy production for an entire year. My point was that AES 256 is turning out to not be as strong as believed and for this type of attack is weaker than AES 192. There are other options out there but are not as fast but were considered to have a high security margin instead of just a moderate one during the AES competition.

It may be time to have a new competition to get a new set of algorithms but this time go for some that should hold until the heat death of the universe which would mean a key length in the 540 to 600 bit range (they need to be unbreakable on quantum computers otherwise we could get buy with key lengths in the 270 to 300 bit range). I use these number because even on an ideal computer the universe runs out of energy before the key space can be searched but I forget the exact value as it was a while since I did that calculation and both of those number sound about right.

Re:Rijndael?

[cryptizard]

Interestingly, the reason AES-256 is vulnerable to this related key attack is because it uses a modified key schedule compared to AES-128. AES-128 is not vulnerable to any significant related key attacks, so in that respect it is actually more secure than AES-256. As far as I am aware, the fastest attack in any model against AES-128 runs in time something like 2^125. So, I don't think it is fair to call it quits on AES just yet. Also, some prominent cryptographers like Bruce Schneier have suggested that simple increasing the number of rounds in AES-128 would eliminate most if not all of the attacks on it.

Re:Rijndael?

[Nethemas+the+Great]

AES? You mean the American Encryption System?

Re:Rijndael?

[Bob+the+Super+Hamste]

I have read much the same but a break is a break and the breaks don't get worse over time. Personally I just want to poke the bear as I am getting sick of these attempts to weaken or backdoor encryption and would like to put it beyond their ability to ever have any hope of cracking it unless they get out the jumper cables and car battery. It has been a real concerted effort for almost the last year or so to make it so that people view encryption poorly and let the FBI and CIA have their backdoors and weakened ciphers available for all so they can spy on us.

idioic AND stupid because...

[evolutionary]

If it's known there is a backdoor people WILL find it. And the arrogance that only American companies can create encryption libraries is dumbfounding. We have China's Red Flag, edition of Linux, North Korea appearently has "Red Star" and I suspect Russia has their own version of Linux as well. It may a crime to use non-use encryption, but it will be there and used if people fear for their privacy. We recently had an event in France where the CIA tried to claim encryption was used to coordinate their operation, and it turns it...it had nothing to do with coordination. The best people will use method with less technology dependencies. This will only make it easier for people (terrorists or "partner" like China) to go through their backdoors to access data. . We seem to "terrorism" as an excuse for everything the same way we used "communism" in the Mccarthy days. the end doesn't justify the means

Re:idioic AND stupid because...

[epine]

If it's known there is an undiscovered backdoor people WILL find it.

So what? After you exhume the first backdoor, you no longer know whether additional undiscovered backdoors still exist. Merely finding a backdoor is no guarantee you can exploit it yourself.

In the security business, if there's a thing, there's ambiguity of the thing. You can't simply make this go away by busting out all-caps at the critical juncture.

Wait, it gets worse.

The NSA just needs to get a law passed that a certain piece of equipment must implement an NSA kernel, then install some frightfully devious code that doesn't actually contain a backdoor, so that the security industry can run around in circles failing to break the "known" back door.

There's no naive like all-caps naive. Accept no substitutes.

No, he's right

[LichtSpektren]

I took a trip to Europe last week. I tried using GPG but it told me that it won't encrypt anything because I'm not in the USA. Then I tried VeraCrypt but it made my hard drive fizzle out.

Re:No, he's right

[gweihir]

Hehehehe, nice.

My Apologies

[jesse.alan.johnson]

I would like to apologize on behalf of the American people. Director Brennan clearly has no knowledge on the subject which he is speaking about and was advised poorly by his staff.

AES is Belgian

[chill]

The name of the algorithm behind AES is Rijndael -- a combination of the names of the Belgian cryptographers who developed it.

His utterings are in the running for either biggest lie of the year, or most ignorant.

Re:AES is Belgian

[cryptizard]

It doesn't matter who developed it, the thing that doesn't seem to fit into his world view is that the details for all these encryption schemes are already out there. Anyone with halfway decent coding ability can implement them from the the specs to get an encryption library with no backdoor. And the crypto that we have now, by all estimations, should be more than good enough for the next few decades.

Re:AES is Belgian

[fustakrakich]

C'mon, he is just reading a speech the propaganda minister gave him. They all have to do this, even the president

Re:AES is Belgian

[BarneyGuarder]

The name of the algorithm behind AES is Rijndael -- a combination of the names of the Belgian cryptographers who developed it.

Right. And after 10 seconds of searching, one finds the Wikipedia page on AES:

The Advanced Encryption Standard (AES), also known as Rijndael[4][5] (its original name), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.[6]

AES is based on the Rijndael cipher[5] developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen

I don't know which possibility is more concerning: that the director has such myopic American exceptionalism or that he would expect the public to be so stupid.

Considering how much

[nehumanuscrede]

the various agencies of the US Government tend to lie ( even to Congress ), I'm somewhat puzzled about why they even bother to ask questions of them anymore.

Perhaps Congress should forgo asking questions of the professional liars ( any intelligence agency ) and ask the tech world instead. I'm quite sure the likes of Cisco, Juniper, Apple, Google and many others ( assuming they're not secretly on the Governments payroll ) would have a much different perspective on the issue at hand.

Re:Considering how much

[nehumanuscrede]

as an afterthought, it has been shown time and time again that even when they DO have actionable intelligence on a would-be terrorist, they typically fail to act on the information. So, other than spying for different purposes than what they would have us believe, I fail to see the point in giving them access if they're incapable of doing anything with it.

The only thing backdooring encryption will do is ensure the world avoids US made products at all costs. It will likely bankrupt several major companies and completely undermine the security of. . . . well. . . . just about anything that is stored or transmitted.

Re:Considering how much

[Jason+Levine]

Exactly this. Even if you could somehow, magically, prevent non-backdoored strong encryption from existing (and that would be some serious "rewrite the laws of physics" level magic there), your improved security from terrorists would be exactly 0. However, your vulnerability from criminals exploiting the backdoors for their own nefarious purposes would shoot through the roof. And that's not even getting into government abuse of their backdoor.

Re:Considering how much

[sinij]

Perhaps Congress should forgo asking questions of the professional liars ( any intelligence agency ) and ask the tech world instead. I'm quite sure the likes of Cisco, Juniper, Apple, Google and many others would have a much different perspective on the issue at hand.

Yes, they will have different perspective, but this doesn't mean that they are on our side. This perspective is to squeeze out competition by any means possible and to minimize their own liability. They would likely tell us that consumers don't like privacy and would only use cryptography to pirate movies and hide child porn.

Re:Considering how much

[cbhacking]

While that's a tempting view to hold... Apple encrypts their iOS devices with crypto the government cannot easily, if at all, break (the San Bernadino shooter's phone, which kept them flummoxed for a while, was an old model and improvements have been made since then). Apple also recently announced changes to their app SDK that basically means your servers *must* use good TLS, unless you want to apply for exceptions for every unsecured connection your app wants to make. Microsoft has been making BitLocker available in more and more devices, and as far as I know the government has no way to break that either (unless you let Win10 upload your recovery key to Microsoft, which is not the most trustworthy move on their part but can be avoided). Google has been pushing encryption on their devices as well, and between their data centers, and in their browser. Amazon temporarily dropped encryption on Kindle Fire devices, but then restored it. Not sure what Cisco/Juniper/F5 would have to say (and they've sometimes been the bottleneck on crypto (TLS) advances on the Internet, though I think that's more out of laziness and lack of quality than anything else), but they've got to compete with the likes of Huawei and aren't going to want the government to do anything that makes them look even less trustworthy than those folks. I wouldn't trust anything out of Oracle even if they just said the sky was blue, but I doubt it's actually in their best interest to have backdoored crypto either. In other words, there are plenty of tech companies that are demonstrably fighting against this bullshit.

Of course, at some level all those companies rely on other organizations (hardware manufacturers, certificate authorities, compiler providers, all the way up to the people who pick cryptographic primitives to support and identify the parameters that are best to use with them) to make it possible to build a backdoor-less crypto system. Remember Dual_EC_DRBG, and how the NSA bribed RSA Security to make it the default? How about "Reflections on Trusting Trust" (PDF link)?

That is utter nonsense

[gweihir]

For example, AES is a Belgian design. The US has long since lost leadership in this. That is if they ever had it.

Incidentally, when did US TLAs catch any terrorists "coordinating via encryption" the last time? Oh, right, NEVER.

Re:That is utter nonsense

[gweihir]

1. OSes are not the only things doing crypto. In fact they usually do it only as extra functionality.
2. Linux is a major OS in the security-sphere and it is not "build in the US". Some of the people involved in it are US residents, that is all.
3. The focus on commercial products is misleading. For example, OpenSSL is not a commercial product, but more important than most/all commercial cypto.
4. Much crypto made by US companies is actually not implemented in the US.

I think he was trying to sell a thinly camouflaged lie for propaganda purposes. But I fully agree on your conclusion. In fact I know of European companies that are already looking for domestic replacements for US products, specifically because of the threat of US backdoors. Implementing crypto well is hard, but not that hard and there are plenty of people outside of the US that can do it well.

Is he saying that known crypto is broke?

[Nkwe]

As other posters have said, his words are those of an idiot.

Any possibly that he is actually saying that known crypto algorithms have been broken by the US? I doubt it, but it is interesting to ponder.

CIA = ?

[GreatOldOne]

It sounds like they have a lot of the CENTRAL and AGENCY, but not INTELLIGENCE.

Re:CIA = ?

[bsDaemon]

They're often referred to around this area as "Clowns in Action".

Then the tech company becomes non-US

[Bugler412]

Given that nearly every major tech company has large presence in multiple foreign countries, then they move their headquarters outside the US. For instance, I know for a fact that MS has contingency plans to move headquarters 60 miles up the road to Vancouver BC for some situations and given their presence in India, that likely wouldn't be much of a challenge either. I'm sure that most other big players are similar. They simply leave to avoid the law. Yay, great for America right?

Re:Then the tech company becomes non-US

[cbhacking]

Redmond is well over 60 miles from the border - more like 120, and more if you want to get into Vancouver proper - but your point stands. They'd lose out tremendously if they had to avoid selling to the US too, but quite possibly less than they'd lose out if nobody *but* the US would buy backdoored products.

this guy whould write a book...

[rbgnr111]

This guy should write a book on how to drive away the American tech industry and promote off-shoring of jobs.

Just because most encryption is developed by us companies, doesn't mean it'll always stay that way. Something like this just makes Offshore and Foreign vendors become more attractive. Why would anyone buy a software security package that is known to be compromised or have back doors. Even if it's meant only for the "good guys" to get through, something like that is just a ticking timebomb, eventually it'll get into the hands of someone who shouldn't have it, then at that point, you may as well have no encryption at all.

Re:this guy whould write a book...

[GreatOldOne]

This guy should READ a book.

Re:this guy whould write a book...

[cryptizard]

Most encryption is not developed by US companies, it is developed by academics, who are famously difficult to censor or control. Also as other people have said, lots of those academics are not Americans.

Re:this guy whould write a book...

[Bob+the+Super+Hamste]

Even those who are US citizens tend to like to poke people like Director Brennan in the eye with a stick. I mean it isn't like Schneier is out there preaching the virtues of the CIA, but instead has basically told them and the FBI to go piss up a rope.

The devil you know

[mamono]

Who's to say that some other country will do any better? I agree it is a poor move and will likely just end up being abused more against US citizens than espionage. However, it's not like the US is the only surveillance-happy country out there. The UK and China are as bad, if not worse. At least the US is being relatively transparent about their intentions. I doubt you would get much notification if China mandated that all its companies installed backdoors in their products.

Re:The devil you know

[ukoda]

Actually the Chinese government are pretty open about it. The non-Chinese company I worked for in China had VPN connections to a free country and also to the USA. They were told they would be expected to install government supplied equipment on their internal network so the government could properly monitor their communications. It had not happen yet as of when I left their employ.

Aiding and Abetting

[Sir+Holo]

It would be "aiding or giving comfort to the enemies of the United States" – by encouraging them to take over for the US companies that this type of legislation would kill.

You or I would go to Federal Prison for that.

Gchq

[martin]

Who actually invented public key encryption first, oh yeah a British fella working for gchq one evening in his head cos he couldnt write it down

Response question

[DarkOx]

And how long does it theoretically take for some non US entity to grab some existing OSS code out there today, fork it an package it un-crippled?

Re:Response question

[ceoyoyo]

Negative twenty years? Lots of open source encryption packages were started by non-Americans and specifically hosted outside the US in the 90s because of US export restrictions.

File under WTF, he seriously said that?

[Proudrooster]

The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.

This is lie, an outright lie, and I hope he was under oath when testifying before congress. Absolute, outright lie! Liar, liar, pants on fire. Everyone email their representative and let them know the director outright lied to their face and cite the CEO of Cisco.

This will hurt American Tech in China. To interoperate, China will steal all corporate America's IP and integrate it into their products.

Dr. Mr. Director of CIA, your reality distortion field is NOT WORKING! I am still in disbelief. This is how you kill American products in emerging markets and hurt growth. What an absolute lie!

Re:File under WTF, he seriously said that?

[Bob+the+Super+Hamste]

While I will write my idiot Senators and defective Congressman I doubt it will do any good. I write them a lot and nothing ever comes of it but it doesn't stop me from writing them anyway. It isn't like they went after the CIA when they hacked the Senate Intelligence Committee and spied on them so why would they go after them for this minor infraction.

Ummm let me think about this

[dayton967]

Encryption Routines created by people who are not American
- AES (Rijndael)
- IDEA
- Serpent

Hashing Routines created by people who are not American
- SHA-3 (Keccak)

So the Current Encryption Standard and Future Hashing Standards in the US were created by non-American's, but hey, "non-American solutions are simply 'theoretical.'"

It's politics, stupid

You have to be not actually dumb to get high up in government. But you do have to have a certain capacity to believe in the institutional lies, or at least repeat them as if you mean them. They still institutionally believe in a rather simplistic device to the point that gaming the thing is a criminal offence, for example.

More to the point, this here is politics in action. He is furthering an agenda in front of an audience that made this agenda-pushing their day-and-night jobs, but who do not necessarily have any clue whatsoever about what goes on under the veneer of the nice words from the very respectable chief of this here government outfit reporting to congress. So he's basically daydreaming his "truth" into existence. If he can get it enacted in law, he has won.

* Quiz: What other organisation institutionally believes in an unproven, even outright silly, bullshit device based on similar principles?

Re:It's politics, stupid

[fyngyrz]

You have to be not actually dumb to get high up in government

o U.S. President George Walker Bush.
o U.S. Senator Ted Stevens.
o U.S. Representative Michele Bachmann.
o U.S. Representative Todd Akin.
o U.S. Representative Joe Barton

I rest my case. I could go on, but it's really quite painful to think about.

Re: It's politics, stupid

[rickb928]

Whoosh...

Re:It's politics, stupid

[Carewolf]

Try a list of top bureaucrats, you know, the government folk who aren't elected.

You mean the people hand picked by the retard elects to serve as their assistents?

Re:It's politics, stupid

[fyngyrz]

I didn't exactly forget her. I just stopped listing idiots after I got to five.

Re:It's politics, stupid

[fyngyrz]

So mid-level government positions rather than top level, as the post I responded to asserted. Congress writes the legislation that controls the regulatory agencies. The president directs the executive branch. That's as high up as you can get in those two branches; there is nothing higher. The assertion that "You have to be not actually dumb to get high up in government" is clearly false. The judiciary is different, in that those are appointments.

If you'd like to make the assertion that "You have to be not actually dumb to get appointed to a subordinate position in government or to the judiciary" that's fine. See if anyone argues with you. I won't. It's probably rare, at least.

Which is not to say that such appointed people are not often evil bags of shit, because of course they are.

Re:It's politics, stupid

[fyngyrz]

lol. You assume or imply (why?) I was trying to make it to high office. I most certainly have not been doing that. Never threw my hat in the ring even once, for any public position. Nor do I ever plan to. I can't see how the government we have presently could possibly mutate into anything I'd want anything to do with, and it certainly isn't that now. My policy WRT the US government is "eat the bread, watch the circus, vote whenever possible."

Re:It's politics, stupid

[fyngyrz]

Obama is probably one of the most intelligent presidents we've ever had. He is an extremely intelligent person. Like him or despise him, he's been playing chess to congress's "angry checkers" for the entire seven-plus years he's been in office thus far.

The fact that you imply he is "dumb" identifies you as someone who has absolutely no clue what is going on.

Comment removed

[account_deleted]

Comment removed based on user account deletion

'American Companies Dominate'

[Jason+Levine]

Another article has more of the exchange:

Sen. Ron Wyden (D-Ore.), another committee member and staunch privacy advocate, has pilloried proposals to give law enforcement access to encrypted data, saying bad actors would simpy use foreign-based encrypted messaging apps. Brennan argued at the hearing that such a concern was theoretical because “U.S. companies dominate the international market as far as encryption technologies that are available through these various apps.”

Warner [Sen. Mark Warner (D-Va.)] questioned Brennan’s assertion. “Two thousand apps a day are added to the phone store. Over half of those are foreign-based entities,” he said.

In a statement following the hearing, Wyden countered that allowing government access to encrypted platforms “would not stop terrorists from using strong encryption and it would undermine American competitiveness and Americans’ digital security at a time when the threat from foreign hackers and cyberattacks has never been greater.”

Let's allow the assumption that American companies currently dominate the encryption field. We'll say that's true. How long would that dominance that last if foreign companies used strong encryption and American companies used hobbled encryption left vulnerable to the American government and hackers? Thank goodness for Warner and Wyden for pointing out how idiotic Brennan 's assertion was.

Re:'American Companies Dominate'

[fnj]

Let's allow the assumption that American companies currently dominate the encryption field.

Let's not. Let's not even allow that COMPANIES dominate any technology. I think the words you want are "worlwide" instead of "American", and "scientists" instead of "companies".

Re:'American Companies Dominate'

[MightyMartian]

Let's pretend math works differently in the US than elsewhere in the world...

Clearly the man is either a simpering halfwit, or more likely believes Congress is full of simpering halfwits. Sadly, he may be right.

Re:'American Companies Dominate'

[hawaiian717]

A few messaging applications I can think of that aren't developed in the US:

Line: Japan
WeChat: China
Kik: Canada
BlackBerry Messenger: Canada
QQ: China
Threema: Switzerland
Viber: Originally Israel, now owned by a Japanese company
Gadu-Gadu: Poland
Telegram: Russia/St. Kitts and Nevis

Re:'American Companies Dominate'

[Jason+Levine]

I'm fully aware that Brennan’s assumption was wrong. My point was that even if he were right (which he isn't), then requiring backdoors in all encryption in the US would destroy any dominance that exists (even if it exists solely in Brennan’s mind).

Completely incompetent or lying? No need to answer

The AES encryption algorithm is Rijndael, which is Belgian
The runner-up for the contest for becoming the AES standard was Serpent, which was a British/Danish/Israeli collaboration.
Third place went to the Twofish algorithm, designed by Bruce Schneier, a US citizen who happens to be a vocal opponent of backdoors.

The "main" encryption du jour happens to be from outside the USA. The best alternative is also from outside the USA. Of course, the nationality of the creators doesn't matter - the USA is able to make modified implementations that include backdoors, but the original non-backdoored versions are already out there for everyone to use instead.

he is a drooling moron...

[Lumpy]

Oh dear god, really? This is why we are ineffective. The men in charge are idiots, morons and buffoons.

Re:WOOO!

[ceoyoyo]

Yeah, I had that thought as well. Except I think I'll start a bank.

What an IDIOT

[rholtzjr]

I can not believe he is head of an agency with the word "Intelligence" in it.

Translation

[fustakrakich]

ALL encryption is theoretical. I wonder they would want to blow that cover.

Its the other way 'round

[gosand]

the various agencies of the US Government tend to lie ( even to Congress ), I'm somewhat puzzled about why they even bother to ask questions of them anymore.

Perhaps Congress should forgo asking questions of the professional liars ( any intelligence agency ) and ask the tech world instead. I'm quite sure the likes of Cisco, Juniper, Apple, Google and many others ( assuming they're not secretly on the Governments payroll ) would have a much different perspective on the issue at hand.

Companies aren't on the payroll of the government, it's the other way around.

Re:Its the other way 'round

[HiThere]

Actually, it works both ways. Sometimes the government overrules the desires of the companies, and sometimes the other way around. Neither, however, is primarily interested in benefiting the citizens, or even the voters.

Meanwhile, across the pond...

[simplypeachy]

I'm sure Werner Koch could get a giggle out of such a statement.

In other news...

[JustNiz]

In other news, the US invented everything and won WW2 single-handed.

Re:Wait tell he wakes one day

[HiThere]

The Bank of America is a private institution. As, in fact, is the Federal Reserve. Alexander Hamilton made carefully sure that the monetary system in the US would be under (certain) private ownership.

Can't tell if...

[EvilSS]

... complete moron, blatant liar, or maybe both.

Does anyone in Washington remember what happened back in the 90's when the State Department declared strong cryptography a weapon and put heavy export controls on it? Hell I was a teenager and ever I remember. Tons of EU companies sprang up to fill the gap. Ireland, in particular, had quite a few software companies spring up offering software product with strong encryption. It wasn't that long ago that the government finally figured out how useless the export controls were and loosened them to where they are now. They did nothing but hurt US tech companies. How in the hell could anyone not think the same thing would happen again?

A few things,

[sandbagger]

It's tempting to dismiss this as him being wrong by orders of magnitude and then talking down our noses at him by assuming we need to explain what an order of magnitude is, or that he's adopting this stance for transparent political reasons, but let's assume for the moment that he's telling the truth. What would he have to know for that statement to be true?

Have you all forgotten the Snowden revelations yet? How it became known that the US grabbed cell phone encryption standards before the ink was dry on them, how they tapped the lines between Google data centres. If the operational tools for creating for encryption are compromised or at least weakened, it may well be that they have visibility into source code in a lot of industries as well as communications, which is as good *if not better*.

What an IDIOT..

[h8sg8s]

What an idiot. Imperialism is bad, but technological imperialism is simply stupidity masked as pride.

The list

[evilviper]

The AES NIST standard encryption competition finalists:

        CAST-256--Canada
        CRYPTON--South Korea
        DEAL--Canada and Norway
        DFC--France
        E2--Japan
        FROG--Costa Rica
        HPC--U.S.A.
        LOKI97--Australia
        MAGENTA--Germany
        MARS--U.S.A.
        RC6--U.S.A.
        Rijndael--Belgium
        SAFER+--U.S.A.
        SERPENT--Norway
        TWOFISH--U.S.A.

http://www.eurekalert.org/pub_...

Re:John Brennan is an ASSHOLE

[BlueStrat]

Fire his ass. Preferably, out of a very large cannon, pointed straight at the Moon.

"One of these days, Alice, one of these days!

Bang, zoom!

To the moon, Alice, to the moon!"

https://youtu.be/98qw86DsdZ0

Strat

Never roll your own!

[cbhacking]

While I get what you are trying to say... that is so, so wrong that I realllllly hope you are nowhere near any crypto code, in either your professional or personal hours.

Getting the basics of a crypto function right is easy. The algorithms, complete with pseudocode or even a basic implementation in some real language, are well-published. As you say, anybody with halfway-decent skill can implement them from specifications.

Getting the details of a crypto library write is really bloody hard! There's always a risk of incorrect behavior in some edge case that completely breaks your system, for example - Heartbleed was probably the most famous and easiest-to-understand of these, but there's plenty of others across many libraries - but risks like that are not unique to crypto libs (although they are usually *worse* in a crypto lib). Side-channel attacks like timing attacks, padding oracles, CPU cache line attacks (technically a kind of timing attack, but not the sort most people think of when you say "timing attack"), and many more things than I know about bedevil implementations of such things.

Just like nobody but an expert in crypto theory should ever attempt to design their own crypto algorithm, nobody but an expert in crypto implementation should ever attempt to write a cryptosystem in live code. If you think "anyone with halfway-decent coding ability can implement them from the specs and get an encryption library with no backdoor", then there is ~0% chance that you could implement a crypto library and get one that cannot be broken, at which point who cares if it has a backdoor explicitly built in?

Skillset

[dbIII]

Being good at all the political games to get into a high position does not automatically mean competence with a different skillset.
Especially when there is nepotism in the mix.

Remember this?
"Brownie, you're doing a heck of a job"

Re: Good thing all mathematicians are American the

[AgNO3]

Im only aware of 4 countires, America,russia, china, and terrorizerstan. Clearly we must be the only smart people.

Re: Good thing all mathematicians are American the

[AgNO3]

We sell them weapons to fight the pinko commi bastards then we bomb them?