Slashdot Mirror
FBI Again Calls For Magical Solution To Break Into Encrypted Phones (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: FBI Director Christopher Wray again has called for a solution to what the bureau calls the "Going Dark" problem, the idea that the prevalence of default strong encryption on digital devices makes it more difficult for law enforcement to extract data during an investigation. However, in a Wednesday speech at Boston College, Wray again did not outline any specific piece of legislation or technical solution that would provide both strong encryption and allow the government to access encrypted devices when it has a warrant. A key escrow system, with which the FBI or another entity would be able to unlock a device given a certain set of circumstances, is by definition weaker than what cryptographers would traditionally call "strong encryption." There's also the problem of how to compel device and software makers to impose such a system on their customers -- similar efforts were attempted during the Clinton administration, but they failed. A consensus of technical experts has said that what the FBI has asked for is impossible. "I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available," Wray said Wednesday. "But I just don't buy the claim that it's impossible. Let me be clear: the FBI supports information security measures, including strong encryption. Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don't undermine the lawful tools we need to keep the American people safe."
FBI mouthpiece is a fucking idiot. Jesus Christ, why is listening to people who clearly know better than them so goddammed difficult?
If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
I'd like a magical pony. I know magic doesn't exist, but that shouldn't mean I can't get a magical pony.
#DeleteChrome
There is no security when a backdoor exists. Once it is known, everyone will work to get in, and you wont find out it was cracked until it has been heavily exploited.
But it turns out that a $5 wrench turns out to be as good as key escrow.
Anytime someone says they support strong encryption but want to be able to bypass whenever they have the need, my head wants to explode. Any bypass, back door or master key, no matter how well designed, perfectly implemented, or zealously protected, fundamentally weakens the encryption they claim to support. If a way around the encryption exists, someone will find and exploit it. Pure and simple.
I'm all for law enforcement being able to do their job. But I'm also all for strong encryption - my job in information security depends on it, and the sensitive information of millions of people would be at risk without it. Encryption is a tool, like a hammer: people with bad intent can use it to build harm as well as upstanding citizens can use it to build good. I'm sorry, but law enforcement needs to find another way to get to those nails, rather than make hammers defective for everyone.
The FBI was watching the 9/11 attackers to see what they would do. The FBI was warned by Russia about the Boston marathon bomber. FBI was given tips about Florida school shooter.
Yeah, FBI, keeping America safe.....keeping the government safe from its citizens anyway.
Oh so they want full trust do they? Well, if they want us to trust them - trust by the way, that they have repeatedly proven that they have not earned or deserve - then there must be these conditions in cases of violation...
If any individual in that organization violates any of the rules set out to protect people's privacy, in any way, shape or form, either directly or indirectly, then they must, must be punished!
And I do mean punished. They should be terminated from their position - immediately - without pay. They forfeit any severance. They forfeit their retirement fund. They forfeit any future government employment in any level of government. They forfeit their current life savings. They forfeit their house. Basically, do the whole 'asset forfeiture' stuff to them.
And let's not just stop at that individual. Their entire department/division should also be investigated. Everyone in it should be interrogated. Their families too. Any found complicit should suffer the same punishment. That'll keep everyone on their toes, making sure others aren't violating the rules, avoid them protecting each other or higher ups under some code of silence, or try to frame just the one individual to avoid getting caught.
Basically, they should be treated just as they've treated past whistleblowers. Anything less means they really just get carte blanche to violate the rules at their leisure.
Any why no due process? Simple: if they break the rules, they can't be trusted - the very basic thing they're demanding. It's their job not to break the rules. Don't do the job, get fired! Break the rule, get punished!
If I tell you "don't push that button" then you turn around and push it, it's the same thing: Your job was to not push the button. It required no effort to not push the button!! You couldn't follow the basic rule; in fact, you deliberately went out of your way to break it. If you do push the button, you can't be trusted. Why should I trust you if you can't follow the rule?
AC comments get piped to
Simple fix. Tariffs. It will solve the encryption imbalance and make phones great again
Be Excellent To Each Other
Ok, fine. Don't believe it.
But if you're honest, you'll definitely recognize that everyone else believes it. Apparently you're the one smart person in America, and you're surrounded by fools and so-called "experts" who lack your insight.
Now prove everyone else wrong, inventor Christopher Wray.
"Believe me!" -- Donald Trump
If you want a pretty decent example of this, look at the encryption methods used in such things as DirecTV or Dish Network receivers. For many years,the "smartcards" containing your authorized programming were hacked in a cat and mouse game. You had to buy this programmer devices or that piece of PC software to keep up with it, but it was absolutely possible to unlock those things so you had all the programming without paying (or with just paying for a bare minimum subscription to keep something flagged as an active account).
Then, both of them discontinued their existing card technology and rolled out mandatory upgrades, and the hole was effectively sealed. Nobody I'm aware is really hacking these things anymore, in any big commercial way?
As I understand it, many of the previous hacks were really the result of leaks.... Someone was paid off to reveal a way to access the card and modify it.
That's always going to be the "weak spot" ... having such a hole that you're aware of and leave in there for internal use. If you give keys to a "trusted third party" like the FBI -- same problem only amplified because now the info exists both with the manufacturer AND the agency holding the keys. Twice as likely it will get leaked out by somebody, somewhere.
This sounds great! Another single database that once cracked makes it easier for bad actors to crack the security. Sorry, I don't mean to be snarky, but it is a mathematical impossibility to have any means available of recovering a key, implementing a back door, or using any kind of key escrow, without an increase in the odds of breaking a security scheme. And while the argument of law enforcement is valid in principle, our financial transaction system absolutely relies on security and non-repudiation. The FBI isn't wrong to wish for a thing, but this guy is only a couple of steps away from not buying "2+2=4".
This has nothing to do with encryption. It has little to do with Law and Order. It has to do with CONTROL. Let's face the facts: The vast majority of law enforcement, whether they admit it to even themselves or not, are in it because they want CONTROL of as many people around them as possible, and law enforcement careers give them that. They could investigate crimes and enforce the law regardless of encyption, but the fact that they can't CONTROL companies like Apple and force them to do as they are told, when they are told, without question makes them so angry that I'm sure they think about just putting a gun to Tim Cook's head and threaten to blow his head off unless he knuckles under and does as he is told to do. Surprise, surprise: many of our politicians aren't much better! They get into politics because they want power, and being an elected congressperson gives them that. They may not carry guns, but they still wield power, and in their anus-clenched-so-hard-they-could-make-diamonds obsessive-compulsive ultra-A-type personalities, they can't tolerate not knowing everything about everyone, immediately, without delay or reason why. So we have what we've got here today: a bunch of thugs with badges and guns, and a bunch of elected old farts who shuffle papers and make back-alley deals, and they all want to sift through your underwear drawer when you're not home. Naturally, they all need to be told to fuck the fuck off, not yours, you can't have it -- and they need to continue to be told that, ad infinitum.
I have been hearing Liberals and Progressives telling me for 2 weeks non-stop how the US Constitution only gives me the right to use whatever tools were in existence at the time it was written (or amended). Personal computing devices most certainly did not exist in the early 1790s when the amendments known as the Bill of Rights were adopted so they cannot possibly be covered by the 4th Amendment anymore than television and radio are covered by the 1st Amendment.
Don't like it? Then get of the Leftist bandwagon trying to completely ignore one-tenth of the Bill of Rights and stop promoting false ideas about what rights we have.
If you support a string of lies against one right, those same lies will be used against your interests in regards to other rights.
single point of failure - the manufacture code to generate said unlock key. no better than nay other key escrow system - one leak and everyone's got no security.
-------
1. Enjoy your job
2. Make lots of money
3. Work within the law
Choose any two.
As a lead cryptographic security engineer on the world's largest operating system, I think I have pretty clear visibility into the problems and potential solutions... and the truth is that while there's no information-theoretic reason why a law-enforcement access system couldn't be built while keeping the systems secure from everyone else, I have zero confidence in the industry's ability to do it in the foreseeable future.
The truth is that we have not been able to build truly strong security into consumer devices yet. We're getting closer. The work that Apple has done is excellent, and I think the Pixel 2 is even better, but the fact is that devices still get popped with monotonous regularity. The most we've been able to achieve so far is to raise the cost of extracting data from them, as the FBI found out when they were able to pay for the extraction of the data on the San Bernardino shooter's phone.
The FBI is asking industry to "innovate" in the same way that NASA might ask SpaceX to innovate by producing a fully reusable direct-to-Mars-and-back passenger spacecraft. Sure, there's no reason it's physically impossible, but we're quite some distance from being able to get live people to Mars at all. The FBI wants to build a secure back door while we're still working out how to make sure the hinges are mounted on the inside of the front door and the lock isn't easily pickable.
All of this, of course, is addressing the question of technical feasibility. A separate, and perhaps even more important, question is whether or not it should be done even if it could, and what sorts of protections it would require. Mobile devices are repositories of far more personal information than any other single, non-living source has ever been. I think something more than a simple search warrant should be required -- again, assuming it were even possible.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Biometrics can be stolen. And when they are stolen, there is no way to change them. Has been known to any actual expert for decades.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Imagine I want to tell Travelsonic something secret. I don't have his email address or any other way to contact him other than posting here, for all to see. My desire is to post openly, where everyone can read it, but only Travelsonic can tell what it means. We have no means of agreeing on a secret password or anything.
Cryptography experts tells us that's impossible. Or was impossible, until Diffie and Hellman figured out a very clever way to do it. Diffie-Hellman key exchange is now used all the time, of course. It's a brilliant solution to a problem that seemed impossible for many years.
Therefore I don't think it's unreasonable to say "I understand we don't have any way to X, but it's possible that some clever innovation can somehow achieve this goal, something nobody had thought of yet.". In his remarks he acknowledged that there is not a solution, currently. He said he's not proposing any law or regulation, because there isn't any law that could make sense right now. He's right, most any such law that could be passed today would be bad.
In fact, I happen to know of some innovative ideas that partially solve the need. It's possible to do encryption in such a way that you can't read the message, but you can check if the message has certain strings in it. You can build a chip that, without revealing some fact , cryptographically proves that the fact is stored in the chip.
Simple salted hashing of text and call message numbers makes it impossible to know who someone called, yet still possible to answer whether they called one specific number. So the FBI could find out whether a suspect called Muhammad Atta, without being able to tell who else they called. This isn't super-advanced technology - every web site that has password login uses salted hashes, or should be using them.
I'm fact saving only the salted hash of the numbers you call and text would be MORE SECURE than what your phone does today.
This guy may, five years from now, propose something stupid. If so I'll oppose it. I don't see expressing a desire to consider what innovative solutions might solve certain needs, with a search warrant, as stupid. Such a search might have some uninformed people making dumb proposals, but he made none in this case.