Non-US Encryption Is 'Theoretical', Claims CIA Chief In Backdoor Debate

Iain Thomson, writing for The Register: CIA director John Brennan told U.S. senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use U.S.-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical." Thus, the choice is American-built-and-backdoored or nothing, apparently. The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data. Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.

American Companies

LOL, how quaint. As if a company belongs to a particular nation state. Freemasons 2016, huyah!

Sir Bush, president and knighted...

Re:American Companies

[St.Creed]

National companies and multi-national companies *do* belong to a nation-state. It doesn't show much, until they need someone to get their potatoes out of some hot fire somewhere. They can't just move and up, since they need ties on a personal level when you get into the big leagues. Not to mention the fact that if they have a lot of infrastructure somewhere, it's also physically difficult to move.

Let's assume corporations don't belong to a particular nation state. Like Disney. Could be Chinese, right? Mi Lao Shu and security guards with pink rifles. Works quite well in Shanghai - they are a minority shareholder though because, for some reason or another, the local company *does* belong to their nation state and the nation state knows it. Or take Coca Cola. Wouldn't hurt the brand at all if it incorporated as a Nigerian company tomorrow, I think. Or Mercedes. It could easily become an Italian brand. Would do wonders for its design, probably. Volkswagen could move to Rumania - their cars have the same amount of pollution as the old cars they have there so they wouldn't stand out so much.

But seriously: no company can do without the protection of a nation state because in the final analysis, a tug of war between competing business interests will eventually be decided with weapons. And that is the job of the nation state. And it will only defend it's *own* companies. Companies that don't have a protector will be at a severe disadvantage. Just consider what the support of the CIA meant for Boeing when it sank lucrative trade deals in the Middle East for Airbus because they had been tapping the trade negotiations and were able to provide tapes that proved corruption. Do you think that would have happened if it had been Airbus versus Dassault? Not a chance.

Lies from Spies

[schneidafunk]

Well of course he's going to say this nonsense, no surprise there. What is surprising is hearing about it from a british newspaper without a bleep in U.S. news. I imagine apple, microsoft, google and the likes will have a response soon.

Re:Lies from Spies

[wierd_w]

There would just be something like cyanogenmod that hits less than a year later. in fact, CM would probably issue a statement that they wont include the back doors.

CM is based on AOSP, and is wholly open source. If your device supports it, then you can use real crypto, while everyone else in the US gets to enjoy fake crypto.

The issue of course, is that you would need to encrypt so much, (because GSM and other hardware assisted crypto would be backdoored, so you have to put real crypto on top) that your battery goes flat very fast.

IMHO, the solution to that is for eurozone countries to mandate denying US variant GSM devices from working in their countries as an issue of national security. The corporate backlash would be intense.

Re:Lies from Spies

[Bob+the+Super+Hamste]

Seriously why?

I find that the Brits generally do a better job covering the US than the US news does.

Re:Lies from Spies

[ceoyoyo]

Android itself is open source. Anyone can download it. It's mirrored extensively outside the US. In terms of actual devices, by far the largest providers of those are non-American companies.

Android itself uses a linux cryptography library. Those libraries are likewise open source and extensively mirrored. Of the ones that could actually be said to have a particular nationality, most of them are not the US: https://en.wikipedia.org/wiki/....

Seems like Android is an excellent example of how this guy is wrong.

Jobs Creator

[archatheist]

Glad to see that this fellow has figured out how to create new technology jobs in foreign countries. I didn't realize that was his job, but kudos nevertheless.

Re:Jobs Creator

[PCM2]

What's the saying? "When strong crypto is outlawed in the US, only non-US companies will have strong crypto"?

Good thing all mathematicians are American then

[xxxJonBoyxxx]

>> (for crypto) there's no one else for people to turn to (mofos)

Well, it's a good thing that all mathematicians have always been and will always be American then.

Re:Good thing all mathematicians are American then

[TheSouthernDandy]

You don't have to be a mathematician, you only need to be able to implement algorithms designed by mathematicians on computers. I think they called that profession "programmer" once, and there even used to be Americans who did it.

The "response" should be an indictment.

[mrchaotica]

Under 18 U.S.C. ss. 1001, lying to Congress is offense punishable by up to five years in prison (or eight if the lie is terrorism-related). The correct "response" to John Brennon's blatant, politically motivated, criminal lie is to indict him, convict him, and send him to Federal prison where totalitarian freedom-hating enemies of the American public like him belong.

Re:The "response" should be an indictment.

[NatasRevol]

In theory, yes.

In practice, not a fucking chance.

Re:The "response" should be an indictment.

[Immerman]

O course not. They're exempt under the thoroughly time-tested doctrine of "we have wealth and power, so the law doesn't apply to us unless we piss off someone even wealthier and more powerful"

Re:The "response" should be an indictment.

[mrchaotica]

The two Senators from my state plus Ron Wyden got emails from me on this issue before I posted on Slashdot. What did you do about it, mister shit-talking anonymous coward?

Re:Dumfounded at the ignorance

[pushing-robot]

When it comes to intelligence agencies, never attribute to ignorance that which can adequately be explained by malice.

Black Hat Herring

[lylefile]

The issue isn't whether the rest of the world would use it. The question is how long until the backdoor is hacked. Knowing its there will make it a prime target. Is the US government willing to back up its confidence with a guarantee to reimbursed all losses for everyone using this technology? Only then could the claim that it wouldn't "cause any commercial problems" be at all plausible.

Countries outside the US are only theoretical

[presidenteloco]

Would be only a slight generalization of his view point.

A lot of people think this is how Americans think about the rest of the world.

We've heard it's out there, but it doesn't matter very much, as long as they have a McDonalds, a 7-11, and a Starbucks.

Isn't GnuPG German?

[HawkinsD]

Hold up there a minute, Mr SpyMaster. I think GnuPG (open-source implementation of PGP) is German. Or at least: " g10code GmbH, the legal entity employing some of the GnuPG hackers" is German.

My company has been using GnuPG for ten years.

See https://gnupg.org/ .

Can't decide

[fyngyrz]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

I readily admit this is not an uncommon reaction of mine when I read of the things presented by elected and appointed officials. The US government is a madhouse.

Re:Can't decide

[Jawnn]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

Judging by the universal cringe displayed by all the analysts and technicians who an actual understanding of crypto, I'd go with "a little of both". I just can't believe he's so clueless as to not understand that math doesn't recognize lines on a map, nor can I quite believe he didn't expect to get called out on his bullshit. Either way, it was a dumbass thing to say.

Re:Can't decide

[bluefoxlucid]

If he's incompetent, the President should dismiss him from his post. (Executive)

If he's lying, Congress can impeach him.

Being so severely wrong so often is hazardous to your health.

Re:Can't decide

[Cro+Magnon]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

The two aren't mutually exclusive.

Re:Can't decide

[whoever57]

I can't decide if Brennan is stupid, or if he thinks everyone else is stupid.

He thinks enough people are stupid, and, unfortunately, he isn't wrong about that.

Re:Can't decide

[kheldan]

He's the head honcho of the freakin' CIA, of course he thinks everyone else is stupid, especially politicians! How else other than overweening arrogance and likely a liberal amount of narcissism do you think someone gets that job in the first place? Strong work ethic? A strong sense of justice? LOL no, more likely successfully backstabbing all the competition and covering his tracks so thoroughly that nobody could pin anything on him!

Re:Can't decide

[ceoyoyo]

Why does he have to root for a team? The US has a history, especially in cryptography, of assuming that the rest of the world is hopelessly behind them. Remember the export ban on strong cryptography? Remember the t-shirts with the RSA algorithm printed on them? This is just another aspect of the same thing. If the US doesn't provide the crypto, there's nobody else to get it from. Obviously.

Re:Can't decide

[cayenne8]

I just can't believe he's so clueless as to not understand that math doesn't recognize lines on a map, nor can I quite believe he didn't expect to get called out on his bullshit.

Well, it isn't HIS cluelessness that is the problem here..is the his audience...the US Senators/CongressCritters that he speaks to in these hearings.

See, they are the ones that pass the laws that could mandate weakening software and forcing backdoors.

He may know perfectly well that this is a false and stupid thing to say, but it IS something the TLA's want badly...so, he tells them this and they think that it won't cause harm to US businesses, and they have, instead, just helped to fight the terrorists...and have their constituents be happy about this.

It is the ignorance of the lawmakers that you have to worry about.....and unfortunately they're getting their information from a guy like this, that wants what he wants, no matter the cost to business or the constitution.

Re:Can't decide

[myowntrueself]

I see that you use this slur a lot.

If you're American yourself, please stop taking your self-hatred out on those around you. Find a therapist instead.

If not, carry on. Yay patriotism! But do have the courtesy to call out what team you do root for: it's unfair to mock one team without allowing the same in return.

I honestly don't root for any team. IMO all governments are really just organized crime syndicates.

Re:Can't decide

I can understand how you'd make that mistake, but he's not clueless. It's much worse than that.

He's a man who knows that no one can challenge the power that he's amassed for himself, because the establishment is on his side. Surveillance is just a fact of life now, some people aren't going to give up their Facebook accounts until they die and he's grinning like the shit-eater he really is, because he's getting paid to take away the same freedoms they claimed they were "defending" after September 11th happened. People are legally required to pay money out of pocket straight into the hands of the same people who are supressing their rights to privacy and free speech.

If you knew that you were taken care of for life and there were no consequences to anything you did, no matter how horrendous, how would you act? These are the same people that had pictures of their torture at Abu Ghraib published around the world, a thousand-plus-page report on their methods published around the world and what did people do? Fuck all nothing, that's what. Brennan has that grin because he knows nobody is challenging him any time soon, period.

Re:Can't decide

[compro01]

Not sure where you're getting Sweden from, as Daemen and Rijmen are from Belgium and work at a Belgian university.

Re:Dumfounded at the ignorance

[Kernel+Kurtz]

He is worse than the terrorists.

idioic AND stupid because...

[evolutionary]

If it's known there is a backdoor people WILL find it. And the arrogance that only American companies can create encryption libraries is dumbfounding. We have China's Red Flag, edition of Linux, North Korea appearently has "Red Star" and I suspect Russia has their own version of Linux as well. It may a crime to use non-use encryption, but it will be there and used if people fear for their privacy. We recently had an event in France where the CIA tried to claim encryption was used to coordinate their operation, and it turns it...it had nothing to do with coordination. The best people will use method with less technology dependencies. This will only make it easier for people (terrorists or "partner" like China) to go through their backdoors to access data. . We seem to "terrorism" as an excuse for everything the same way we used "communism" in the Mccarthy days. the end doesn't justify the means

No, he's right

[LichtSpektren]

I took a trip to Europe last week. I tried using GPG but it told me that it won't encrypt anything because I'm not in the USA. Then I tried VeraCrypt but it made my hard drive fizzle out.

AES is Belgian

[chill]

The name of the algorithm behind AES is Rijndael -- a combination of the names of the Belgian cryptographers who developed it.

His utterings are in the running for either biggest lie of the year, or most ignorant.

Considering how much

[nehumanuscrede]

the various agencies of the US Government tend to lie ( even to Congress ), I'm somewhat puzzled about why they even bother to ask questions of them anymore.

Perhaps Congress should forgo asking questions of the professional liars ( any intelligence agency ) and ask the tech world instead. I'm quite sure the likes of Cisco, Juniper, Apple, Google and many others ( assuming they're not secretly on the Governments payroll ) would have a much different perspective on the issue at hand.

Re:Dumfounded at the ignorance

[thegarbz]

This halfwit is the best that the US can come up with to head their "intelligence" apparatus?

You wouldn't come up with the same excuse given the following information:

1. You're standing in front of a group of people who consider you the expert.
2. You stand to gain a lot from forced backdoors and the job for your agency becomes far easier.
3. You have almost zero chance of being punished for lying through your teeth.

What would you have said? Personally I would have come up with the exact same thing and sugar coated it by saying all terrorists use all American technology.

'American Companies Dominate'

[Jason+Levine]

Another article has more of the exchange:

Sen. Ron Wyden (D-Ore.), another committee member and staunch privacy advocate, has pilloried proposals to give law enforcement access to encrypted data, saying bad actors would simpy use foreign-based encrypted messaging apps. Brennan argued at the hearing that such a concern was theoretical because “U.S. companies dominate the international market as far as encryption technologies that are available through these various apps.”

Warner [Sen. Mark Warner (D-Va.)] questioned Brennan’s assertion. “Two thousand apps a day are added to the phone store. Over half of those are foreign-based entities,” he said.

In a statement following the hearing, Wyden countered that allowing government access to encrypted platforms “would not stop terrorists from using strong encryption and it would undermine American competitiveness and Americans’ digital security at a time when the threat from foreign hackers and cyberattacks has never been greater.”

Let's allow the assumption that American companies currently dominate the encryption field. We'll say that's true. How long would that dominance that last if foreign companies used strong encryption and American companies used hobbled encryption left vulnerable to the American government and hackers? Thank goodness for Warner and Wyden for pointing out how idiotic Brennan 's assertion was.

Re:It's politics, stupid

[fyngyrz]

You have to be not actually dumb to get high up in government

o U.S. President George Walker Bush.
o U.S. Senator Ted Stevens.
o U.S. Representative Michele Bachmann.
o U.S. Representative Todd Akin.
o U.S. Representative Joe Barton

I rest my case. I could go on, but it's really quite painful to think about.