Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Again Calls For Magical Solution To Break Into Encrypted Phones (arstechnica.com)

Posted by BeauHD on from the one-size-fits-all dept.

An anonymous reader quotes a report from Ars Technica: FBI Director Christopher Wray again has called for a solution to what the bureau calls the "Going Dark" problem, the idea that the prevalence of default strong encryption on digital devices makes it more difficult for law enforcement to extract data during an investigation. However, in a Wednesday speech at Boston College, Wray again did not outline any specific piece of legislation or technical solution that would provide both strong encryption and allow the government to access encrypted devices when it has a warrant. A key escrow system, with which the FBI or another entity would be able to unlock a device given a certain set of circumstances, is by definition weaker than what cryptographers would traditionally call "strong encryption." There's also the problem of how to compel device and software makers to impose such a system on their customers -- similar efforts were attempted during the Clinton administration, but they failed. A consensus of technical experts has said that what the FBI has asked for is impossible. "I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available," Wray said Wednesday. "But I just don't buy the claim that it's impossible. Let me be clear: the FBI supports information security measures, including strong encryption. Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don't undermine the lawful tools we need to keep the American people safe."

13 of 232 comments (clear)

  1. And yet again... by Travelsonic · · Score: 5, Insightful

    FBI mouthpiece is a fucking idiot. Jesus Christ, why is listening to people who clearly know better than them so goddammed difficult?

    --
    If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
    1. Re:And yet again... by gweihir · · Score: 4, Insightful

      These people think _they_ define how reality works. They think that laws and power can change reality. They have no understanding that mathematics and engineering are far close to actual reality than their fantasy of how the world works will ever be. As such, once they think they have enough power to demand things, they become a serious problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Also by 93+Escort+Wagon · · Score: 4, Funny

    I'd like a magical pony. I know magic doesn't exist, but that shouldn't mean I can't get a magical pony.

    --
    #DeleteChrome
  3. Any hole is exploitable by ArtemaOne · · Score: 4, Insightful

    There is no security when a backdoor exists. Once it is known, everyone will work to get in, and you wont find out it was cracked until it has been heavily exploited.

  4. Strong Encryption, But Not For Us by bobdehnhardt · · Score: 5, Insightful

    Anytime someone says they support strong encryption but want to be able to bypass whenever they have the need, my head wants to explode. Any bypass, back door or master key, no matter how well designed, perfectly implemented, or zealously protected, fundamentally weakens the encryption they claim to support. If a way around the encryption exists, someone will find and exploit it. Pure and simple.

    I'm all for law enforcement being able to do their job. But I'm also all for strong encryption - my job in information security depends on it, and the sensitive information of millions of people would be at risk without it. Encryption is a tool, like a hammer: people with bad intent can use it to build harm as well as upstanding citizens can use it to build good. I'm sorry, but law enforcement needs to find another way to get to those nails, rather than make hammers defective for everyone.

    1. Re:Strong Encryption, But Not For Us by Rick+Schumann · · Score: 5, Insightful

      Your safety has nothing to do with this issue and nothing to do with encrypted data. You've drunk the Security Theatre Kool-Aid, and as a result you actually believe that every brown-skinned person you see is secretly a Muslim extremist who is plotting to rape your wife and cut your kids' heads off, while you're forced to watch, before having your own head cut off; you actually believe that shit, and being in the Constant State of Terror that they've worked so hard to ensure you're firmly in, you won't listen to facts, or real statistics, or reason, you'll only listen to the Man With The Gun and The Badge, because he claims to be able to Save You From What You Fear. Congratulations, you're a complete and utter fool.

    2. Re:Strong Encryption, But Not For Us by swillden · · Score: 4, Interesting

      Any bypass, back door or master key, no matter how well designed, perfectly implemented, or zealously protected, fundamentally weakens the encryption they claim to support.

      The FBI is asking for something infeasible, and probably a bad idea even if it were feasible (see my comments here), but this is not true. Modern cryptography provides us with ready tools to do this sort of thing. Escrowing of keys, protected by public key encryption, is very well understood. It's actually pretty common in enterprise system configurations for the crucial keys on employee devices to be escrowed with the enterprise to enable it to recover data from the device in the event of employee unavailability (death, termination, etc.). What the FBI wants is fundamentally the same thing, but on a vastly larger scale.

      And it's the scale that makes it infeasible. Secure key management is hard even on a small scale, and it gets exponentially harder with scale and with the number of parties involved. In addition, there are all kinds of hard-to-handle corner cases. In the enterprise case, those are addressed with a combination of fiat -- employees must do whatever needs to be done to enable the key escrow -- and acceptance that sometimes stuff happens and data gets lost. In the FBI's scenario, the first of those is impossible and the second is unacceptable. Enterprises don't generally have to contend with employees deliberately subverting the escrow system.

      So, yes, this is a bad idea, but not because it's fundamentally impossible as you say, but because it's just way too hard. Especially since we haven't managed to figure out how to secure consumer devices at all yet.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Strong Encryption, But Not For Us by spire3661 · · Score: 5, Insightful

      Law and order includes strong limits on what the government can do. Our government is a COMPROMISE between the interests of the individual and the masses. I have the right to build (and distribute) and unpickable lock that can only be opened by one person. You have no right to say otherwise.

      --
      Good-bye
    4. Re:Strong Encryption, But Not For Us by mcl630 · · Score: 4, Informative

      I'm all for being able to keep data private from unauthorized viewing. But I'm also for law and order - my safety, and the safety of my family, depends on it. Encryption is a tool, like a hammer, but if you give perpetrators impenetrable boxes to hide their precious loot in then all the tools in the world will not allow them to be brought to justice - ever.

      You do realize that those "impenetrable boxes" are also protecting your banking information, medical records, credit/debit card transactions, private communications, etc, etc, etc, don't you? You and your family's safety depends on it.

  5. keeping America safe? by iggymanz · · Score: 5, Insightful

    The FBI was watching the 9/11 attackers to see what they would do. The FBI was warned by Russia about the Boston marathon bomber. FBI was given tips about Florida school shooter.

    Yeah, FBI, keeping America safe.....keeping the government safe from its citizens anyway.

  6. They want to be trusted? by Sebby · · Score: 4, Insightful

    Oh so they want full trust do they? Well, if they want us to trust them - trust by the way, that they have repeatedly proven that they have not earned or deserve - then there must be these conditions in cases of violation...

    If any individual in that organization violates any of the rules set out to protect people's privacy, in any way, shape or form, either directly or indirectly, then they must, must be punished!

    And I do mean punished. They should be terminated from their position - immediately - without pay. They forfeit any severance. They forfeit their retirement fund. They forfeit any future government employment in any level of government. They forfeit their current life savings. They forfeit their house. Basically, do the whole 'asset forfeiture' stuff to them.

    And let's not just stop at that individual. Their entire department/division should also be investigated. Everyone in it should be interrogated. Their families too. Any found complicit should suffer the same punishment. That'll keep everyone on their toes, making sure others aren't violating the rules, avoid them protecting each other or higher ups under some code of silence, or try to frame just the one individual to avoid getting caught.

    Basically, they should be treated just as they've treated past whistleblowers. Anything less means they really just get carte blanche to violate the rules at their leisure.

    Any why no due process? Simple: if they break the rules, they can't be trusted - the very basic thing they're demanding. It's their job not to break the rules. Don't do the job, get fired! Break the rule, get punished!

    If I tell you "don't push that button" then you turn around and push it, it's the same thing: Your job was to not push the button. It required no effort to not push the button!! You couldn't follow the basic rule; in fact, you deliberately went out of your way to break it. If you do push the button, you can't be trusted. Why should I trust you if you can't follow the rule?

    --

    AC comments get piped to /dev/null
  7. Let's call this what it is: NEED FOR CONTROL by Rick+Schumann · · Score: 4, Interesting

    This has nothing to do with encryption. It has little to do with Law and Order. It has to do with CONTROL. Let's face the facts: The vast majority of law enforcement, whether they admit it to even themselves or not, are in it because they want CONTROL of as many people around them as possible, and law enforcement careers give them that. They could investigate crimes and enforce the law regardless of encyption, but the fact that they can't CONTROL companies like Apple and force them to do as they are told, when they are told, without question makes them so angry that I'm sure they think about just putting a gun to Tim Cook's head and threaten to blow his head off unless he knuckles under and does as he is told to do. Surprise, surprise: many of our politicians aren't much better! They get into politics because they want power, and being an elected congressperson gives them that. They may not carry guns, but they still wield power, and in their anus-clenched-so-hard-they-could-make-diamonds obsessive-compulsive ultra-A-type personalities, they can't tolerate not knowing everything about everyone, immediately, without delay or reason why. So we have what we've got here today: a bunch of thugs with badges and guns, and a bunch of elected old farts who shuffle papers and make back-alley deals, and they all want to sift through your underwear drawer when you're not home. Naturally, they all need to be told to fuck the fuck off, not yours, you can't have it -- and they need to continue to be told that, ad infinitum.

  8. It may be possible, but we're not up to it by swillden · · Score: 4, Insightful

    As a lead cryptographic security engineer on the world's largest operating system, I think I have pretty clear visibility into the problems and potential solutions... and the truth is that while there's no information-theoretic reason why a law-enforcement access system couldn't be built while keeping the systems secure from everyone else, I have zero confidence in the industry's ability to do it in the foreseeable future.

    The truth is that we have not been able to build truly strong security into consumer devices yet. We're getting closer. The work that Apple has done is excellent, and I think the Pixel 2 is even better, but the fact is that devices still get popped with monotonous regularity. The most we've been able to achieve so far is to raise the cost of extracting data from them, as the FBI found out when they were able to pay for the extraction of the data on the San Bernardino shooter's phone.

    The FBI is asking industry to "innovate" in the same way that NASA might ask SpaceX to innovate by producing a fully reusable direct-to-Mars-and-back passenger spacecraft. Sure, there's no reason it's physically impossible, but we're quite some distance from being able to get live people to Mars at all. The FBI wants to build a secure back door while we're still working out how to make sure the hinges are mounted on the inside of the front door and the lock isn't easily pickable.

    All of this, of course, is addressing the question of technical feasibility. A separate, and perhaps even more important, question is whether or not it should be done even if it could, and what sorts of protections it would require. Mobile devices are repositories of far more personal information than any other single, non-living source has ever been. I think something more than a simple search warrant should be required -- again, assuming it were even possible.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.