Senator Asks FBI Director To Justify His 'Ill-Informed' Policy Proposal For Encryption (gizmodo.com)
In a speech earlier this month, FBI Director Christopher Wray said the inability of law enforcement authorities to access data from electronic devices due to powerful encryption is an "urgent public safety issue." He proposed that Silicon Valley companies should add a backdoor to their encryption so that they could both "provide data security and permit lawful access with a court order." One person is not amused by Wray's proposal. Senator Ron Wyden criticized Wray on Thursday for not consulting him before going public with the proposal for encryption. Wyden said today, via Gizmodo:
Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible. Building secure software is extremely difficult, and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.
[...] I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.
I'll just leave this here.
The problem is not at all new, and the Senator is right to allude to the Lawman's predecessors.
In Soviet Washington the swamp drains you.
Why would you want to encrypt anything, unless you are trying to hide something nefarious from the authorities? All those crypto currencies for example, primarily exist for purchasing illegal substances and child pornography.
The FBI is completely trustworthy and beyond reproach!
If the FBI says it's OK and won't be misused, by golly, they're right!
I wouldn't wait until Feb 23rd. I'd kick him to the curb without even saying "excuse me, but I'm about to kick your ass to the curb".
Sen. Ron Wyden schools FBI Dir. Christopher Wray.
Thanks Ron, seriously. Nice to see that not all politicians have lost their mind.
Senator Ron Wyden: intelligent and well-informed
FBI Director Christopher Wray: either imbecile and/or not to be trusted
#DeleteFacebook
As a republican living in OR, thank you Mr. Wyden. I wish more of legislature had an iota of common sense and understanding relating to tech before shitting out half-assed regulation with absolutely no care taken to unintended consequences.
We should be more focused on keeping the pigs honest than catching the *incredibly* rare bogeymen.
Shady as heck, preying upon the fears of those poor uninformed politicians! That's so mean!
Not trolling. Serious question. Different states have different policies and it seems likely have acceptable outcomes in their respective societies. North Korea allegedly is the worst, with the mandated document editors saving copies of, and watermarking everything you write. But even in the US we've lived with having all printers watermark all documents (why you run out of yellow ink so fast) as well as PRISM and other data slurps. On the flip side law enforcement has had to confront cryptography for centuries and presumably most of it was uncrackable in its own era.
The key difference is ubiquity and the accessibility to the tools by a non-expert.
There is precedent for law enforcement not allowing cryptography. For example, when encrypted CB radios were put on the market they were quickly nixed (drug smugglers used them, allegedly).
Some drink at the fountain of knowledge. Others just gargle.
Given that the FBI can't even track down messages sent between their own agents that they were required to "compliance" and archive, I'm not sure how encryption can add more difficulty. They've got a Keystone Cops vibe going there.
Then in November, the Republican challenger will say that the baby killing Democrat who is beholden to Nancy Pelosi and her San Francisco values is soft on terror and that HE'd let our Saintly law enforcement people have a backdoor to encryption to save us from ISIS and other terrorists.
It works. I've seen it time and time again. On 9/11/01 and then in November 2008, the Republicans jumped on the crazy train and chained themselves to it. The party of Gerry Ford and George H. W. Bush is dead Fred.
Ron Reagan was the one who switched the tracks to Crazy Town.
Can we mod this senator up?
In a few weeks, an avalanche of dirt (both true and untrue) from "anonymous whistle-blowers" about this Senator Wyden will start mysteriously appearing in news stories all over the country.
They'll continue at least until he resigns in disgrace, is imprisoned due to the absolutely totally not photoshopped(*) donkey-fucking kiddie-porn incest home movies, or commits suicide.
(*) The FBI have access to far better software than photoshop.
Well, then, there's at least one Congresscritter in our government who has a working brain! Who knows, maybe he can educate the rest of them?
I don't know anything about this Senator; but on this one topic alone, he would have my vote!
I'd suggest we all write him and thank him for his courage and intelligence...
https://www.wyden.senate.gov/c...
Why do you assert that criminals *will* have the backdoor key? Source? Or is that just a canard?
See, your argument also completely invalidates all of the security on your phone, as it's no different than asserting that criminals will have all signing keys. Therefore, it will enable all criminals to install whatever the fuck on your phone.
No, let's be honest. Apple has access. Apple has given access to China. Apple can give access to the FBI in response to a valid court order, and chooses not to in order to market to hipsters.
He's probably thinking short-term: kiss up to the current Boss T; and back-doors may be helpful to HIS job in the shorter term, with longer term consequences being somebody else's problem.
Unless, hackers crack the back-door quicker than he expects. Perhaps he's thinking he can then blame the product companies for "doing back doors sloppily". Thus, spin the breach as bad implementation, not bad law.
Those in higher positions are often pretty good at having a "blame plan" ready, in my experience. They don't plan much else well, but strategic blaming is a necessary skill to rise in power. CYA Calculus.
Table-ized A.I.
It just hit me that one of the reasons this story is so strange, is that someone in government (who is this Senator Wyden?) is treating the situation in a way that you might expect from an adult. I'm not used to this.
Are we sure he's a Senator from a state in America? I don't want to later find out that Oregon is a place in Wales or something like that.
Ooooohhhhh!!
What will wealthy criminals, cults, faiths, political groups, competitors, spies do when they work out the US gov has the keys to most consumer communications?
They will ask their dual citizens, faith members, criminals, corrupt military/police/gov for the federal backdoor keys.
Interesting people/cults/criminals will use the junk crypto to run real time counter surveillance on US police/federal/state/city task forces and mil.
If that fails they will watch for nations the US trusts and get a copy for that nation's mil/police/gov.
Don't tell anyone the FBI has the keys, ever.
Build up a voice print database and cell phone ID matching system within the FBI. Stop using other agency/telco/contractor support within the USA. Too many ex and former workers who might have gov methods to sell to keep track of.
Start investigations internally but always have another reason for lawyers, FOIA, human rights groups, mid and low ranking cult members, faith groups, corrupt military/police to guess at. Informers, witnesses, luck, past investigative work. Anything to keep the interesting people guessing and talking as to FBI skill sets and methods.
The bad people do not need to know the FBI has their conversations, voice prints, locations, files.
Let the bad people keep trusting their computers, cell phones, big brand junk crypto.
Ensure criminals feel confident to keep talking to their friends and with corrupt people in the military/police/gov/big brands/telcos.
Suggest to the media and lawyers that every next generation of computer and cell phone is very/too difficult for law enforcement.
Once bad people know the backdoor exists in every gen of cell phone they can just stop using that live mic and GPS they carry around.
They can return to community, faith, their own networks.
Consider how the GCHQ worked in Ireland to stop the flow of support entering Ireland. Lots of interesting people had a theory but nobody worked out the methods used to track interesting people, support moving, funding globally.
If the crypto is junk, don't tell the world, use the data gathered and win.
Domestic spying is now "Benign Information Gathering"
He's talking about "baseless attacks on professional law enforcement", "professional law enforcement" being the FBI in this case.
https://twitter.com/RonWyden/s...
I can personally reconcile those two things, but the optics aren't good. I know the response: "But my attack wasn't *baseless*." Okay. The problem is that it's a matter of opinion.
Do you have ESP?
The FBI is saying that the public law enforcement need justifies weakening already strong encryption.
Though others will disagree that encryption should be anything but the strongest available.
It looks like the senator gave him a month to dig up an excuse, and left him with very little wiggle room. It's nice to see a tech-savvy representative, and specifically one that knows how to close all the escapes at the same time to speed up the process. I'm sure the director would love to be able to stall for 30 days and then step back up into the light and kick the can down the road another 30 days, but I don't see that happening this time.
He's either going to have to dig up some at least semi-reputable cryptographers to throw under the bus, or admit that he's "pulling a trump" and ignoring all the experts around him in favor of his own opinions on the matter. (though in this case it's almost certainly coming down to just doing specifically what he's been told to do, more of a "trump by proxy" move) It's rather irritating to see we've set things up so that certain people can't make certain rules, but then we go and let them replace the person responsible for that rule with someone that will do whatever they tell them to - it defeats the purpose of the separation.
I'm also a little bit curious why I haven't seen this whole idea get compared with the TSA's baggage locks? Isn't that basically the same idea as this, though on a much more limited scale? Mandating a government back-door, and all the unintended as well as the widely-anticipated problems that you get as a result?
I work for the Department of Redundancy Department.
1. Made the location of those keys a target for criminals with a huge payoff.
2. Made it easy for certain of the authorities themselves to abuse those keys for illegitimate purposes.
The sickening thing is that this is a bi-partisan issue, that BOTH sides have horrible track records for. It seems that privacy and security of their constituents takes a back seat to anything else. Wonder why that is.
Silence is a state of mime.
One of the few state actors in the US operating with legitimacy.
The right of the people to be secure in their persons, houses, papers, and effects,[a] against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
If you believe the 4th amendment is compatible with government encryption backdoors, you are part of the problem.
Is it? I'd like to see some cost-benefit analysis, before I accept the above statement. The cost, obviously, is that some crimes (including grievous ones) will become much harder — and even outright impossible — to solve (or prove in court). The benefit is that the innocent people will have their communications and data protected from illegal snooping without personal technical knowledge.
What outweighs what is not immediately clear...
Personally, I'm inclined to agree with your statement for the same reasons I value (worship!) the Second Amendment — whether or not it is net-beneficial, arming oneself is an inalienable human right. But I'm certain, you don't view it that way — so what's your reasoning?
In Soviet Washington the swamp drains you.
Wyden was always reliable on this sort of issue. If you search his name, you'll see a lot of past stories not unlike this one on various encryption or privacy issues.
We could use more people in Congress like him.
too bad he is not even in my State but that is the most sensible statement from a Senator that I've seen this year!
Hopefully on Feb 24 he will publish FBI Director Christopher Wray along with a suggestion that FBI Director Christopher Wray resign for being inept.
It would be a well deserved (Score:5, Insightful) for a comment that basically says, "Cite?"
this guy's a hoot! look at the list - calling out the bullshit on so many topics, including pointing out the nonsense on industrial hemp being classified as a schedule 1 drug when there's BELOW 0.3% THC in it! i like this guy :) https://www.wyden.senate.gov/n...
I guess this isn't the best time to remind Mr. FBI about the Clipper Chip near-disaster. The government thought they'd force people to use backdoored encryption chips in the 90s that contained a "Law Enforcement Access Field (LEAF)" and it not only compromised security but the LEAF check hash was also easily spoofed plus the Skipjack algorithm used was ripped to shreds by cryptography researchers pretty quickly after declassification. Had we been forced to use the Clipper Chip, we'd have had a major security mess on our hands since it was practically a placebo at its one main job: security.
what makes you stick with the Rs? They've been pushing the 'Tough on Crime' / 'Think of the Children' agenda for ages. Sure, Clinton (Bill) pushed it too, but largely to court Republicans. While I'm not saying the Dems are saints I think it'd be much easier to purge and/or marginalize the corporatist schelps & authoritarian types from their party than the Rs.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
It has been decades since 1984. Why are we surprised?
As a conservative, I stand with Democrat Ron Wyden in his position. And that fact made me realize something.
To liberals who often want to ban firearms: if you support Ron Wyden's reasoning about encryption, then please realize conservatives have been making the same arguments about firearms and the second amendment since forever. (e.g. if you ban strong encryption de jure, then only criminals will have strong encryption and that will be used against the average law abiding citizen).
To conservatives who often want the state to have strong enforcement powers: don't be hypocrites. If you support the FBI/NSA/CIA desires for compromised encryption for the effectiveness of law enforcement, realize that the same logic will be used against your second amendment rights.
We the people need to work together to make sure that the state doesn't abuse its power, and this relates to encryption and firearms. Don't let the government use partisan politics to turn us against each other so that they can do as they please.
That's all he needs to say. The damage from occasional breach by criminals will be dwarfed by the gains from proper law enforcement. His arguments will be non technical. They'll pass the 'truthiness' test. Emotional if you will. To be honest such arguments usually win out in the end, if only because the people making them keep pushing for it.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Yes, you hear about those.
It's the ones you don't hear about that aren't dumb.
I've fallen off your lawn, and I can't get up.
First, just common sense, it is essential to self defense to have reliable encryption.
Second, the fed gov't already treats encryption technology like "arms" in some ways, i.e., export controls.
So NRA, where are you now? Why aren't you protecting our rights?!?!
Yeah, remember that thing from 1993 that was abandoned? There are certainly valid criticisms of Bill Clinton, but your comment is some pretty lame both-sides-ism.
If I'm ever a juror on a case where government obtained information without a warrant, I will do everything in my power to inspire the Jury to rule innocent.
I'd like to see the organizers of the 2018 RSA Conference to be held in April invite Mr. Wray to join in the cryptographers panel to discuss this issue. They'll eat him alive.
Ron Wyden, my crypto-homie! Slappin DOWN that fuzz with the verbal beatstick ->
...SO I CAN BITCH SLAP THEM SUCCA-FOOLZ TOO!
I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.
Man, I never heard of him before, but I like this Ron guy.
HA! I just wasted some of your bandwidth with a frivolous sig!
Using Public-Key Cryptography. The same crypto generally used to secure the user's keys. Generate hierarchical public-secret keys from a shared seed similar to Bitcoin wallets that use Hierarchical-Deterministic Wallet addresses, so there can be a large number of separate Public-Secret Keypairs XOR the per-key seed by a "partitioning key".
Assume the company goes through a process where they generate 500,000 "Backdoor keypairs" using HSMs --- each "user" of the service will be assigned to a randomly chosen unique backdoor public key, in the process of generation, a copy of every decryption key the user has access to during key generation will be encrypted using EC public key crypto with the selected backdoor key, then during the one-time process when the original backdoor keys are being created: divide each key into something like 20 Shares requiring 15 of 20 crypto officers gather to assemble and authorize 1 usage of that particular backdoor key ---- make the selection of key unitholders so that no more than 5 reside on the same continent, no more than 3 reside in the same nation, no more than 2 reside in the same province/local part of a nation or work for the same agency, Then require another 15 of 20 people be present to yield the Partitioning seed of the particular Backdoor key to be utilized, thus eliminating the possibility of "Convenient, surreptitious" access ----- ordering each implementation of a specified user's backdoor key will require assembling a group of people coming from at least 5 nations.
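The 15-of-20 share split and the custodian placement caps proposed in the comment above can be sketched as follows. This is an added example, not code from the commenter: the use of Shamir secret sharing, the XOR rule for combining the per-key seed with the partitioning key, every function name and the sample roster are assumptions made for illustration.

```python
import secrets
from collections import Counter

P = 2**521 - 1  # Mersenne prime; the field is larger than any 256-bit seed
LIMITS = {"continent": 5, "nation": 3, "province": 2, "agency": 2}  # caps from the comment

def split(secret, n=20, k=15):
    """Shamir split: shares are points on a random degree-(k-1) polynomial with f(0)=secret."""
    if not 0 <= secret < P:
        raise ValueError("secret out of range")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def combine(shares):
    """Lagrange interpolation at x=0; the result is garbage if fewer than k shares are given."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover_seed(seed_shares, partition_shares):
    """Assumed combination rule: per-key seed XOR partitioning key, each from its own quorum."""
    return combine(seed_shares) ^ combine(partition_shares)

def roster_violations(roster):
    """Return (field, value, count) for every placement cap the roster exceeds."""
    bad = []
    for field, cap in LIMITS.items():
        counts = Counter(h[field] for h in roster)
        bad += [(field, v, n) for v, n in counts.items() if n > cap]
    return bad

def min_nations_in_quorum(roster, k=15):
    """Fewest distinct nations any k custodians can represent (fill largest nations first)."""
    covered = 0
    sizes = sorted(Counter(h["nation"] for h in roster).values(), reverse=True)
    for nations, size in enumerate(sizes, 1):
        covered += size
        if covered >= k:
            return nations
    raise ValueError("roster smaller than quorum")

def sample_roster():
    """Constructed roster: 4 continents x 5 custodians, nations of 3 and 2 per continent."""
    roster = []
    for c in range(4):
        for i in range(5):
            nation = f"C{c}-N{0 if i < 3 else 1}"
            roster.append({"continent": f"C{c}", "nation": nation,
                           "province": f"{nation}-P{i // 2}",
                           "agency": f"A{len(roster) // 2}"})
    return roster
```

With at most 3 custodians per nation, any 15-share quorum must span at least 5 nations, which matches the comment's figure; the constructed roster here needs 6.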
I think this story illustrates a larger, and very old problem. Any sufficiently advanced technology is indistinguishable from magic. In this case the technology we use every day has become so advanced that MANY people (who are NOT technology experts) really do see computing devices as working like magic. They don’t understand or want to understand how technologies work. All they see is how many amazing things their devices can do.
So the politicians and law enforcement types who demand backdoors for encrypted devices will never believe real experts, cryptographers, and engineers who tell them what they are asking for is, in fact, impossible. They see it as a political argument, instead of a technical limitation. They assume the experts are lying because they just don’t want the government to be able to unlock a phone.
Not sure I agree with you.
Yes, I suppose Wyden has left a tiny sliver of wiggle room for LE. However let's be truthful. If we really could design a perfect backdoor, that would allow law enforcement and only law enforcement, and always under a proper search warrant (not a B.S. retroactive FISA warrant), wouldn't we do it? Or at least discuss doing it?
I think Wyden's statement that "...experts have repeatedly stated that what you are asking for is not, in fact, possible" adequately addresses that. It's impossible. Seems clear enough to me.
The EFF no longer maintains the list. The original list was simply those printers that produced documents where the EFF could not see any yellow tracking dots. The EFF has put this note on that list:
Simply put, the EFF believes all printers have forensic tracking codes.
Just a few stories up there was a complaint that the Russians had been given access to view source code of software they wish to deploy into their Government agencies to check for exploits. It has been suggested that pretty much any Government can request to view the source code of products which will be deployed into their Agencies, so how long does this Christopher Wray suspect this "exclusive backdoor" will remain exclusive? I would suggest not very. This really does nothing but demonstrate the complete incompetence of the FBI at the highest levels.
People don't seem to realize that these senators and the FBI fully understand that you can't make these things entirely secure.
Rather, they want them completely vulnerable. They don't care about other people using backdoors, because even the slightest bug that results in access to something with a backdoor is something they hope to fill private prisons with, by making even accidental touching of the completely-fucked code "hacking".
This way anyone potentially capable of hacking who isn't one of them, and anyone who can sorta touch a computer without breaking it (so they're leaving themselves a big margin of error on education) is going to be ever so easily found guilty of computer crimes.
Ok, let's see how this works, disgruntled Silicon Valley Company worker is fired. Leaks backdoor to internet. Now encryption is worthless. True story.
What did you mean if you didn't mean numbers?
And if you are now claiming the violent crime will be less violent, well that's a win, and the whole point simpleton.
People not guns, bla bla. If we take away guns, all 12 year old girls will just become ninja assassins and start killing people with spoons.
How many innocent bystanders do you think will be accidentally sliced in the jugular by a wayward spoon?