Slashdot Mirror
What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org)
"If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works," writes the Associated Press, "and the industry should use more of it." An anonymous reader quotes their report:
Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks. "We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago"... Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."
The article points out that there are still some exploits that bypass encryption, according to the recently-released CIA documents. "Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open."
The article points out that there are still some exploits that bypass encryption, according to the recently-released CIA documents. "Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open."
Now the powers to be really have an incentive to outlaw encryption. Great!
This is what really pisses me off: the unstated assertion that *only* the US gubmint has these techniques.
"I don't know, therefore Aliens" Wafflebox1
... is that, with the cat out of the bag, Congress will be working hard to criminalize consumer encryption like it has been done in so many other totalitarian dictatorships.
One thing has been made clear by all of this though: we are not free. We do not live in the land of liberty. And, the government is completely out of our control.
The leaks tell us that encryption only works if the endpoints are secure, which they are not.
I am TheRaven on Soylent News
Not surprising, really, given that's exactly what encryption was invented for. To military standards. For military purposes. To prevent other militaries doing exactly what you don't want them to do.
All the scaremongering around encryption "being broken" by these "acres of datacentre" junk is just that - scaremongering. Hell, didn't the NSA recently ask for help breaking Skype? I'm sure there's a certain amount of misdirection there (I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves), but nobody has yet shown practical attacks against large enough primes used in PKE.
So far, everything they've done is via side-channel attacks and those are present in every system anyway. And when you have these organisations paying for tools that can open up iPhones, you know that they are struggling to cope.
If you want to secure data, encrypt it and abide by all the necessary precautions for it (i.e. don't enter the passphrase on untrusted computers, etc.).
The whole point of encryption is that you can publish your data on the web and point EVERYONE at it (e.g. Wikileaks insurance file) and nobody can access it without the key. If you don't trust Google or similar to hold your files, only allow them access to the encrypted containers and not the decrypted files.
It's quite clear that encryption is doing its job. And if it wasn't, it would be fixed quite quickly (e.g. we're already preparing against quantum computing attacks).
And that's the point of the argument.
If breaking the encryption was easy, they could just decrypt everything they get off of the wire and not have to insert back doors into software and target into a suspect's OS.
But since encryption is (financially/time/computationally) expensive, it's cheaper to exploit flaws in software.
Help! I'm a slashdot refugee.
Will you please stop pasting this bullshit into every thread dealing with processors and security? It's written in the style of a paranoid conspiracy theorist which ensures that nobody will read it or click the links. All you're doing is making people scroll a lot to get past your bullshit so that they can read comments that are actually about the article.
The point is, getting around encryption is too costly to do it on a mass scale, so they can only really do it for the small portion of targets judged worth it.
It's like with door locks. Your door lock is good at stopping casual probing, but pretty much useless against a determined attacker. If a government agency (any government) decides that they really need to enter your home then they will enter. It may be with a warrant, with an armoured bulldozer or with a covert penetration team. But it's much too costly and much too risky to do so unless you have really good reason. They can't do it for every house in the city, on the off chance somebody might have something interesting stashed away somewhere.
Same thing with crypto: it may not stop them if they decide you are a high-value target. But it stops mass surveillance dragnets in their tracks.
Trust the Computer. The Computer is your friend.
[citation needed]
Sarcasm aside, I'm really interested in reading more about that.
it may not stop them if they decide you are a high-value target. But it stops mass surveillance dragnets in their tracks.
And that's really what privacy laws are supposed to be about. If the government has a legitimate good faith reason to be investigating someone they have the tools to do this and to a point should have reasonable rights to investigate. Broad sweeping surveillance however should not provide them the same degree of resolution on any given individual. Law enforcement and defense surveillance should have to jump through some hoops and do some actual work to target any individual. That's the entire point of the 4th Amendment we well as several others. An investigation should be harder than looking up a database record because government's have shown they cannot resist abusing such power when made available to them. The notion that encryption will somehow make it impossible for them to do their job just hasn't been shown to be true in reality.
In practical terms however the reason encryption works isn't a moral one. It works because it keeps the economic cost for police to watch a given individual remains non-trivial so that they have to pick and choose who is worth bothering to watch. It used to be that getting the records and communications required a significant expenditure of resources. With email, modern phone systems, and the internet some of that became much easier. So much easier that it causes all sorts of problems with protecting civil liberties. Encryption balances things back out. They can still come after you if they need to but it has to rise to a certain level of suspicion to make it worth their while.
The intelligence community has given all indications, time and again, that breaking cryptography is not the vector the usually resort to in order to obtain information. Other, more traditional, techniques, today euphemistically (and pretentiously) called "social engineering", are much cheaper and effective, under most circumstances.