Non-US Encryption Is 'Theoretical', Claims CIA Chief In Backdoor Debate

Iain Thomson, writing for The Register: CIA director John Brennan told U.S. senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use U.S.-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical." Thus, the choice is American-built-and-backdoored or nothing, apparently. The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data. Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.

American Companies

LOL, how quaint. As if a company belongs to a particular nation state. Freemasons 2016, huyah!

Sir Bush, president and knighted...

Re:American Companies

[St.Creed]

National companies and multi-national companies *do* belong to a nation-state. It doesn't show much, until they need someone to get their potatoes out of some hot fire somewhere. They can't just move and up, since they need ties on a personal level when you get into the big leagues. Not to mention the fact that if they have a lot of infrastructure somewhere, it's also physically difficult to move.

Let's assume corporations don't belong to a particular nation state. Like Disney. Could be Chinese, right? Mi Lao Shu and security guards with pink rifles. Works quite well in Shanghai - they are a minority shareholder though because, for some reason or another, the local company *does* belong to their nation state and the nation state knows it. Or take Coca Cola. Wouldn't hurt the brand at all if it incorporated as a Nigerian company tomorrow, I think. Or Mercedes. It could easily become an Italian brand. Would do wonders for its design, probably. Volkswagen could move to Rumania - their cars have the same amount of pollution as the old cars they have there so they wouldn't stand out so much.

But seriously: no company can do without the protection of a nation state because in the final analysis, a tug of war between competing business interests will eventually be decided with weapons. And that is the job of the nation state. And it will only defend it's *own* companies. Companies that don't have a protector will be at a severe disadvantage. Just consider what the support of the CIA meant for Boeing when it sank lucrative trade deals in the Middle East for Airbus because they had been tapping the trade negotiations and were able to provide tapes that proved corruption. Do you think that would have happened if it had been Airbus versus Dassault? Not a chance.

Lies from Spies

[schneidafunk]

Well of course he's going to say this nonsense, no surprise there. What is surprising is hearing about it from a british newspaper without a bleep in U.S. news. I imagine apple, microsoft, google and the likes will have a response soon.

Re:Lies from Spies

[wierd_w]

There would just be something like cyanogenmod that hits less than a year later. in fact, CM would probably issue a statement that they wont include the back doors.

CM is based on AOSP, and is wholly open source. If your device supports it, then you can use real crypto, while everyone else in the US gets to enjoy fake crypto.

The issue of course, is that you would need to encrypt so much, (because GSM and other hardware assisted crypto would be backdoored, so you have to put real crypto on top) that your battery goes flat very fast.

IMHO, the solution to that is for eurozone countries to mandate denying US variant GSM devices from working in their countries as an issue of national security. The corporate backlash would be intense.

Re:Lies from Spies

[Bob+the+Super+Hamste]

Seriously why?

I find that the Brits generally do a better job covering the US than the US news does.

Re:Lies from Spies

[ceoyoyo]

Android itself is open source. Anyone can download it. It's mirrored extensively outside the US. In terms of actual devices, by far the largest providers of those are non-American companies.

Android itself uses a linux cryptography library. Those libraries are likewise open source and extensively mirrored. Of the ones that could actually be said to have a particular nationality, most of them are not the US: https://en.wikipedia.org/wiki/....

Seems like Android is an excellent example of how this guy is wrong.

Re:Lies from Spies

[dpilot]

Gee, you've completely missed Russia and China. Of course both of those nations would probably applaud such a move on the part of the US, because it makes pursuing their desires easier.

It's time to remember the classification of encryption as a weapon, and invoke our second amendment rights, "If encryption is outlawed, only outlaws will have encryption."

Jobs Creator

[archatheist]

Glad to see that this fellow has figured out how to create new technology jobs in foreign countries. I didn't realize that was his job, but kudos nevertheless.

Re:Jobs Creator

[PCM2]

What's the saying? "When strong crypto is outlawed in the US, only non-US companies will have strong crypto"?

Only "theoretical"?

This guy is smoking some premium shit.

He realizes that many of the Nordic area countries in Europe have some really talented crypto people, and that it would take all of about 2-3 years for some seriously competing cryptographic solutions to hit the commercial space, right?

What will his precious 3-letter agency do when everyone stops sitting on inertia, and is compelled to create cryptography outside their control, while all the people in the US are forced to use the shitty crap he insists on-- you know, where the rest of the world can actually keep secrets secret, but his own country now cant, and foreign governments the world over just backdoor the shit out of everything, resulting in a powerful asymmetry in effective intelligence gathering?

What a fucking douche.

Good thing all mathematicians are American then

[xxxJonBoyxxx]

>> (for crypto) there's no one else for people to turn to (mofos)

Well, it's a good thing that all mathematicians have always been and will always be American then.

Re:Good thing all mathematicians are American then

[TheSouthernDandy]

You don't have to be a mathematician, you only need to be able to implement algorithms designed by mathematicians on computers. I think they called that profession "programmer" once, and there even used to be Americans who did it.

The "response" should be an indictment.

[mrchaotica]

Under 18 U.S.C. ss. 1001, lying to Congress is offense punishable by up to five years in prison (or eight if the lie is terrorism-related). The correct "response" to John Brennon's blatant, politically motivated, criminal lie is to indict him, convict him, and send him to Federal prison where totalitarian freedom-hating enemies of the American public like him belong.

Re:The "response" should be an indictment.

[NatasRevol]

In theory, yes.

In practice, not a fucking chance.

Re:The "response" should be an indictment.

Well, given the fact that the Chinese are at least as smart and as technological advantage as far as public math goes as the Americans, and have more than enough money to do it and more than enough reason to do it, you could actually argue that this guy is advocating for a position where China can break American encryption, while using non-weakened encryption of their own (which there is no reason to believe to be any worse than the best American encryption).

So, well, what is the punishment for high treason?

Re:The "response" should be an indictment.

[Immerman]

O course not. They're exempt under the thoroughly time-tested doctrine of "we have wealth and power, so the law doesn't apply to us unless we piss off someone even wealthier and more powerful"

Re:The "response" should be an indictment.

[mrchaotica]

The two Senators from my state plus Ron Wyden got emails from me on this issue before I posted on Slashdot. What did you do about it, mister shit-talking anonymous coward?

Re:The "response" should be an indictment.

[LVSlushdat]

Under 18 U.S.C. ss. 1001 [house.gov], lying to Congress is offense punishable by up to five years in prison (or eight if the lie is terrorism-related). The correct "response" to John Brennon's blatant, politically motivated, criminal lie is to indict him, convict him, and send him to Federal prison where totalitarian freedom-hating enemies of the American public like him belong.

Oh didnt you know?.. 18 U.S.C. ss. 1001 ONLY applies to the unwashed plebs, ie: Joe and Jane Six-pack.. People like Brennon don't have to worry about violating any of those pesky laws..

Re:The "response" should be an indictment.

[razberry636]

He didn't technically lie to congress. No cryptography is provably secure. We can prove some to be insecure, and that's when we stop using them. Until then we believe that our current technologies are secure.

It's true: non-US encryption is theoretical, but so is US-developed encryption. It's all theoretical.

I don't know if saying something that is technically true but is misleading would be enough to convict someone of lying to congress.

Correction: I don't know if it would be enough to convict a high mucky-muck of a TLA.

Re:Dumfounded at the ignorance

[pushing-robot]

When it comes to intelligence agencies, never attribute to ignorance that which can adequately be explained by malice.

Black Hat Herring

[lylefile]

The issue isn't whether the rest of the world would use it. The question is how long until the backdoor is hacked. Knowing its there will make it a prime target. Is the US government willing to back up its confidence with a guarantee to reimbursed all losses for everyone using this technology? Only then could the claim that it wouldn't "cause any commercial problems" be at all plausible.

Countries outside the US are only theoretical

[presidenteloco]

Would be only a slight generalization of his view point.

A lot of people think this is how Americans think about the rest of the world.

We've heard it's out there, but it doesn't matter very much, as long as they have a McDonalds, a 7-11, and a Starbucks.

Isn't GnuPG German?

[HawkinsD]

Hold up there a minute, Mr SpyMaster. I think GnuPG (open-source implementation of PGP) is German. Or at least: " g10code GmbH, the legal entity employing some of the GnuPG hackers" is German.

My company has been using GnuPG for ten years.

See https://gnupg.org/ .

Re:Isn't GnuPG German?

Also AES is based on Rijndael which was created by a couple of Belgium cryptographers lol

Can't decide

[fyngyrz]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

I readily admit this is not an uncommon reaction of mine when I read of the things presented by elected and appointed officials. The US government is a madhouse.

Re:Can't decide

[Jawnn]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

Judging by the universal cringe displayed by all the analysts and technicians who an actual understanding of crypto, I'd go with "a little of both". I just can't believe he's so clueless as to not understand that math doesn't recognize lines on a map, nor can I quite believe he didn't expect to get called out on his bullshit. Either way, it was a dumbass thing to say.

Re:Can't decide

[bluefoxlucid]

If he's incompetent, the President should dismiss him from his post. (Executive)

If he's lying, Congress can impeach him.

Being so severely wrong so often is hazardous to your health.

Re:Can't decide

[Cro+Magnon]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

The two aren't mutually exclusive.

Re:Can't decide

[whoever57]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

He thinks enough people are stupid, and, unfortunately, he isn't wrong about that.

Re:Can't decide

[kheldan]

He's the head honcho of the freakin' CIA, of course he thinks everyone else is stupid, especially politicians! How else other than overweening arrogance and likely a liberal amount of narcissism do you think someone gets that job in the first place? Strong work ethic? A strong sense of justice? LOL no, more likely successfully backstabbing all the competition and covering his tracks so thoroughly that nobody could pin anything on him!

Re:Can't decide

[zlives]

actually i would say he was telling the 100% truth. The target for backdoor is compliant American citizens that would only purchase approved and not legally blocked soft/hardware. This has nothing to do with terrorists, corporations or any one with any knowledge at all.

Re:Can't decide

[ceoyoyo]

Why does he have to root for a team? The US has a history, especially in cryptography, of assuming that the rest of the world is hopelessly behind them. Remember the export ban on strong cryptography? Remember the t-shirts with the RSA algorithm printed on them? This is just another aspect of the same thing. If the US doesn't provide the crypto, there's nobody else to get it from. Obviously.

Re:Can't decide

[cayenne8]

I just can't believe he's so clueless as to not understand that math doesn't recognize lines on a map, nor can I quite believe he didn't expect to get called out on his bullshit.

Well, it isn't HIS cluelessness that is the problem here..is the his audience...the US Senators/CongressCritters that he speaks to in these hearings.

See, they are the ones that pass the laws that could mandate weakening software and forcing backdoors.

He may know perfectly well that this is a false and stupid thing to say, but it IS something the TLA's want badly...so, he tells them this and they think that it won't cause harm to US businesses, and they have, instead, just helped to fight the terrorists...and have their constituents be happy about this.

It is the ignorance of the lawmakers that you have to worry about.....and unfortunately they're getting their information from a guy like this, that wants what he wants, no matter the cost to business or the constitution.

Re:Can't decide

[lgw]

"The US"? Each individual living here? Including all the US cryptographers pointing out how silly this was, and selling T-shirts?

Stereotyping whole countries by their sillier government acts is fine if were doing patriotic trash-talking, like calling people "Murcans" or "cheese-eating surrender monkeys" or "I know he wasn't Canadian, or he would have apologized afterwards". That's just being silly, but if you're going to do that, it's rude not to identify your side.

Re:Can't decide

[myowntrueself]

I see that you use this slur a lot.

If you're American yourself, please stop taking your self-hatred out on those around you. Find a therapist instead.

If not, carry on. Yay patriotism! But do have the courtesy to call out what team you do root for: it's unfair to mock one team without allowing the same in return.

I honestly don't root for any team. IMO all governments are really just organized crime syndicates.

Re:Can't decide

I can understand how you'd make that mistake, but he's not clueless. It's much worse than that.

He's a man who knows that no one can challenge the power that he's amassed for himself, because the establishment is on his side. Surveillance is just a fact of life now, some people aren't going to give up their Facebook accounts until they die and he's grinning like the shit-eater he really is, because he's getting paid to take away the same freedoms they claimed they were "defending" after September 11th happened. People are legally required to pay money out of pocket straight into the hands of the same people who are supressing their rights to privacy and free speech.

If you knew that you were taken care of for life and there were no consequences to anything you did, no matter how horrendous, how would you act? These are the same people that had pictures of their torture at Abu Ghraib published around the world, a thousand-plus-page report on their methods published around the world and what did people do? Fuck all nothing, that's what. Brennan has that grin because he knows nobody is challenging him any time soon, period.

Re:Can't decide

[ceoyoyo]

"Americans" is the collective term for citizens of the United States of America. "'Murricans" is a mild slur of "Americans." Americans are collectively responsible for this ass holding office. As such, he's representing you to the world when he says that the rest of the world is too dumb to implement encryption without American help.

Use of the slur seems reasonable in this case. If you collectively don't like it, get rid of the jerk. If you individually don't like it, stop taking criticism of the collective personally. Perhaps you like feeling proud of being an American when your country does something good, but you'd rather pass the buck when they do something asinine?

Re:Can't decide

[compro01]

Not sure where you're getting Sweden from, as Daemen and Rijmen are from Belgium and work at a Belgian university.

Re:Can't decide

[bluefoxlucid]

Trump is good at persuasion and negotiation; it's part of business.

You're assuming the average person cares about policy details, facts, and logic... they don't...

The problem comes when you lay out facts and logic in short, concise form in front of someone people look to for leadership, and his only response is, "Uh, I don't believe that." You can get away with that to a very limited degree, even with the authority of popularity behind you; it's impossible to continue to look good when your attacks are cleanly parried and reversed.

Take Trump's talk about immigration, for example. Trump said we let hundreds of thousands of Muslim immigrants into this country, and "hundreds" of they and their children have been implicated in acts of terror. Pundits are yelling a lot of "No Mr. Trump, you're wrong and stupid," pointing out that the Orlando shooter's parents moved to America 25 years ago and he was born and raised American, so there's no sensible way to pre-screen this. Of course nobody buys into that.

We associate terrorism with murder.

In the United States, we have 4.9 murders per 100,000 people per year. Of 783,000 Muslim refugees from Afghanistan and Iran in the past 15 years, three (3) have been implicated in terrorism. Over 15 years, we've stocked 2.77 million Muslim immigrants and their children, including those refugees. If only 100 are implicated in terrorism, then any single full-blooded American is TWENTY TIMES as likely to be a murderer as one of these Americanized Muslims. Even if as many as 2,000 were implicated as terrorists--which even Trump hasn't claimed--that's still a lower rate of murderers among Muslim American immigrants than all other Americans.

You pull something like that. It puts Trump on the defensive. Now he has to say something about how a non-immigrant American is way more likely to murder you than a Muslim immigrant, but not really, because Islam; or he has to just claim whatever you just said isn't true, somehow. You pull out all your contorted logic *after* you put him on defense. Trump argued that Muslims don't turn in their own; the FBI says otherwise. This is where you pull out the logical argument that someone born and raised American for the whole 20 years of his life and radicalized over the Internet by out-of-country extremists isn't a threat we missed when his parents immigrated here.

You don't go in and say, "Let's think about this rationally: do you really believe there's a checkbox that says you plan to raise a child to be a fifth-column terrorist while you're here in America?" You quickly and sharply pull out facts-and-figures, something hard that will nudge him off-balance. Then, before he recovers, you hit him with every other proposition; the audience will just see a clown stumbling around on stage. If you start with something that doesn't solidly undermine his argument and force a response, you'll just get mocked for having a differing and sheltered opinion, and then *you* look stupid, which means no one's convinced you have a clue what's going on.

I like economic policy though.

Trump's entire argument against Bernie-style policies (e.g. a UBI) is funding: where do you get the money? I can actually tackle that (Bernie can't; he has undeveloped ideals with lots of holes, most of which are legitimately dangerous). This is a *huge* problem for Trump, because his entire line of debate would be undermined: for any attack he has, I can give a short and concrete answer.

Not only can I answer for funding problems, but I can also cite and control immigration risks, fanciful unemployment risks, and risks of diminishing the support of our existing system. My arguments for a Citizen's Dividend include that it establishes a basic standard-of-living and worker protection via a non-wage income stream, which avoids the job loss and reduction of consumer buying power cause

what this idiot dont get is

[FudRucker]

if the Government spooks & goons can peek at your stuff then the criminals that are good at cybercrime will find a way to crack the key to the Government's backdoor

threat assessment

[micahraleigh]

The biggest threat to US security is US security.

Re:Dumfounded at the ignorance

[Kernel+Kurtz]

He is worse than the terrorists.

idioic AND stupid because...

[evolutionary]

If it's known there is a backdoor people WILL find it. And the arrogance that only American companies can create encryption libraries is dumbfounding. We have China's Red Flag, edition of Linux, North Korea appearently has "Red Star" and I suspect Russia has their own version of Linux as well. It may a crime to use non-use encryption, but it will be there and used if people fear for their privacy. We recently had an event in France where the CIA tried to claim encryption was used to coordinate their operation, and it turns it...it had nothing to do with coordination. The best people will use method with less technology dependencies. This will only make it easier for people (terrorists or "partner" like China) to go through their backdoors to access data. . We seem to "terrorism" as an excuse for everything the same way we used "communism" in the Mccarthy days. the end doesn't justify the means

No, he's right

[LichtSpektren]

I took a trip to Europe last week. I tried using GPG but it told me that it won't encrypt anything because I'm not in the USA. Then I tried VeraCrypt but it made my hard drive fizzle out.

My Apologies

[jesse.alan.johnson]

I would like to apologize on behalf of the American people. Director Brennan clearly has no knowledge on the subject which he is speaking about and was advised poorly by his staff.

AES is Belgian

[chill]

The name of the algorithm behind AES is Rijndael -- a combination of the names of the Belgian cryptographers who developed it.

His utterings are in the running for either biggest lie of the year, or most ignorant.

Re:AES is Belgian

[BarneyGuarder]

The name of the algorithm behind AES is Rijndael -- a combination of the names of the Belgian cryptographers who developed it.

Right. And after 10 seconds of searching, one finds the Wikipedia page on AES:

The Advanced Encryption Standard (AES), also known as Rijndael[4][5] (its original name), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.[6]

AES is based on the Rijndael cipher[5] developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen

I don't know which possibility is more concerning: that the director has such myopic American exceptionalism or that he would expect the public to be so stupid.

Considering how much

[nehumanuscrede]

the various agencies of the US Government tend to lie ( even to Congress ), I'm somewhat puzzled about why they even bother to ask questions of them anymore.

Perhaps Congress should forgo asking questions of the professional liars ( any intelligence agency ) and ask the tech world instead. I'm quite sure the likes of Cisco, Juniper, Apple, Google and many others ( assuming they're not secretly on the Governments payroll ) would have a much different perspective on the issue at hand.

That is utter nonsense

[gweihir]

For example, AES is a Belgian design. The US has long since lost leadership in this. That is if they ever had it.

Incidentally, when did US TLAs catch any terrorists "coordinating via encryption" the last time? Oh, right, NEVER.

Aiding and Abetting

[Sir+Holo]

It would be "aiding or giving comfort to the enemies of the United States" – by encouraging them to take over for the US companies that this type of legislation would kill.

You or I would go to Federal Prison for that.

Gchq

[martin]

Who actually invented public key encryption first, oh yeah a British fella working for gchq one evening in his head cos he couldnt write it down

Re:Dumfounded at the ignorance

[thegarbz]

This halfwit is the best that the US can come up with to head their "intelligence" apparatus?

You wouldn't come up with the same excuse given the following information:

1. You're standing in front of a group of people who consider you the expert.
2. You stand to gain a lot from forced backdoors and the job for your agency becomes far easier.
3. You have almost zero chance of being punished for lying through your teeth.

What would you have said? Personally I would have come up with the exact same thing and sugar coated it by saying all terrorists use all American technology.

Re:Dear Mr. Brennan

[Opportunist]

That you audit the compiler first is a given. I mean, no later than this it's a given that the first thing you do when auditing source code is auditing the compiler for it.

Ummm let me think about this

[dayton967]

Encryption Routines created by people who are not American
- AES (Rijndael)
- IDEA
- Serpent

Hashing Routines created by people who are not American
- SHA-3 (Keccak)

So the Current Encryption Standard and Future Hashing Standards in the US were created by non-American's, but hey, "non-American solutions are simply 'theoretical.'"

It's politics, stupid

You have to be not actually dumb to get high up in government. But you do have to have a certain capacity to believe in the institutional lies, or at least repeat them as if you mean them. They still institutionally believe in a rather simplistic device to the point that gaming the thing is a criminal offence, for example.

More to the point, this here is politics in action. He is furthering an agenda in front of an audience that made this agenda-pushing their day-and-night jobs, but who do not necessarily have any clue whatsoever about what goes on under the veneer of the nice words from the very respectable chief of this here government outfit reporting to congress. So he's basically daydreaming his "truth" into existence. If he can get it enacted in law, he has won.

* Quiz: What other organisation institutionally believes in an unproven, even outright silly, bullshit device based on similar principles?

Re:It's politics, stupid

[fyngyrz]

You have to be not actually dumb to get high up in government

o U.S. President George Walker Bush.
o U.S. Senator Ted Stevens.
o U.S. Representative Michele Bachmann.
o U.S. Representative Todd Akin.
o U.S. Representative Joe Barton

I rest my case. I could go on, but it's really quite painful to think about.

'American Companies Dominate'

[Jason+Levine]

Another article has more of the exchange:

Sen. Ron Wyden (D-Ore.), another committee member and staunch privacy advocate, has pilloried proposals to give law enforcement access to encrypted data, saying bad actors would simpy use foreign-based encrypted messaging apps. Brennan argued at the hearing that such a concern was theoretical because “U.S. companies dominate the international market as far as encryption technologies that are available through these various apps.”

Warner [Sen. Mark Warner (D-Va.)] questioned Brennan’s assertion. “Two thousand apps a day are added to the phone store. Over half of those are foreign-based entities,” he said.

In a statement following the hearing, Wyden countered that allowing government access to encrypted platforms “would not stop terrorists from using strong encryption and it would undermine American competitiveness and Americans’ digital security at a time when the threat from foreign hackers and cyberattacks has never been greater.”

Let's allow the assumption that American companies currently dominate the encryption field. We'll say that's true. How long would that dominance that last if foreign companies used strong encryption and American companies used hobbled encryption left vulnerable to the American government and hackers? Thank goodness for Warner and Wyden for pointing out how idiotic Brennan 's assertion was.

Completely incompetent or lying? No need to answer

The AES encryption algorithm is Rijndael, which is Belgian
The runner-up for the contest for becoming the AES standard was Serpent, which was a British/Danish/Israeli collaboration.
Third place went to the Twofish algorithm, designed by Bruce Schneier, a US citizen who happens to be a vocal opponent of backdoors.

The "main" encryption du jour happens to be from outside the USA. The best alternative is also from outside the USA. Of course, the nationality of the creators doesn't matter - the USA is able to make modified implementations that include backdoors, but the original non-backdoored versions are already out there for everyone to use instead.

Re: Good thing all mathematicians are American the

[AgNO3]

Im only aware of 4 countires, America,russia, china, and terrorizerstan. Clearly we must be the only smart people.