Slashdot Mirror
Tech Giants Hit by NSA Spying Slam Encryption Backdoors (zdnet.com)
A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices. From a report: The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology. "Recent reports have described new proposals to engineer vulnerabilities into devices and services -- but they appear to suffer from the same technical and design concerns that security researchers have identified for years," the statement read. The renewed criticism follows a lengthy Wired article, in which former Microsoft software chief Ray Ozzie proposed a new spin on key escrow. Device encryption has hampered police investigations, and law enforcement officials have pushed tech companies to fix the problem -- even by way of suing them.
It's not so clear to me that these "Tech Giants" didn't provide the NSA with access.
They already could have had backdoors, but noooo, they had to forbid Huawei to enter the US market.
Oer perhaps Huawei did not have any backdoors and they knew it would be unpossible to convice them to have backdoors and they thought they at least had a shot with the other players. (Or all the rest already HAS NSA backdoors)
Or the backdoors are already in placve and this is to both safe face for the companies AND to let people believe their data is safe.
I remember a time when I was innocent and thought that all those people with tinfoilhats where crazy. Times have changed.
Also remember that it is only paranoya if you THINK you are being followed, not when you actually are.
Don't fight for your country, if your country does not fight for you.
This is the battle for the future of the Internet, computing, and ultimately the privacy rights of every single citizen of the United States, and perhaps the entire world.
If the anal-retentive, power-grubbing law-enforcement and politician types get their way, then there will be no such thing as 'private communications', 'secure data', or for all intents and purposes 'privacy' -- unless you're law enforcement, a politician, or (of course) The Rich. There will also, ironically, be less of things called 'justice' and 'law and order', because in their mad, foaming-at-the-mouth dash to have access to all things at all times, bar none, they will open the door for criminals to freely and easily take whatever data or communications they want; even your average script-kiddie would soon enough be able to break into whatever data-store they want. Your financial accounts? Your very identity? Up for grabs -- unless you're a cop, are a politician, or have money.
THAT IS WHY THERE HAS TO BE A LINE DRAWN IN THE SAND; HERE, AND NO FARTHER.
Unlike these companies I can speak easily to you since I have no horse in that race. I don't have to bullshit you so you keep buying my software and so you don't send the IRS down on me to keep my finance department in enough red tape to ensure they don't do anything sensible anymore this decade.
Here's the problem: If you mandate a backdoor into software, nobody with at least a hint of sanity will use that software. If you mandate that all software used within your jurisdiction has to have that flaw, you put your domestic industry at a severe disadvantage over every other on the planet, because you open them up to industrial espionage.
"Government only" backdoor keys are much, but not government only for long. Such keys are valuable. They offer entrance to all the sweet, juicy R&D details that every company and some governments on this planet want. Do you think that such keys have a price? You bet. Do you think that "give me the key or your little baby girl gets a bullet through her head" is too high a price for some governments? Think again.
People have weaknesses. Everyone has them. Even if they can't be bribed, they can be bullied, coerced, threatened or simply blackmailed. Works with everyone. I have not met a single person that had no weak spot you could exploit to get them to do anything, literally anything, you wanted. For most it's family. People do a hell of a lot of things if you offer them the life of their children in return.
Even China, one of the most restrictive countries with a surveillance state that would make Orwell wonder whether they used his books as manuals, wasn't foolish enough to demand something like this from its industries. That alone should tell you just how bad an idea it is.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Everyone makes arguments like "backdoors in encryption would make devices vulnerable to malicious actors". This argument should not be made. We don't NEED a reason to deny the NSA or FBI access to our devices. Remember we the people make the decisions. This is our government, grow some balls and tell them (at voting time) that we run the show.
The biggest problem isn't crime but dictatorship. We should not be giving dictatorships free reasons to force backdoors just so some agents can get brownie points catching crooks. For each crook caught, how many millions continue to live with a boot on their neck?
Stop building the tools of tyrrany.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
You know the end-to-end text messaging replacement that doesn't include encryption?
Sure sure. Amerikka JUST turned the corner to fascism. Just now. Not during Nixon's admitted racist war against the minorities and poor. Sure thing white guy.
We need back doors because we are Borg.
You will be assimilated. Resistance is futile.
You will be a drone under control of the rich and powerful.
You will not have thoughts that are only your own.
but at least it's easier to ignore than encryption.
As I recall, Ozzie was at Microsoft during the heyday of remote SQL ports being open by default, IIS 4, IE 6... basically back when Windows security was a laughingstock. Why anyone would take anything he says regarding security seriously is beyond me.
#DeleteChrome
blah blah blah TRUMP blah blah blah HILLARY blah blah blah FASCISM
You can't have security and backdoors. Let's just say, for the sake of argument, that Ray Ozzie's approach - assuming it worked perfectly (heh) - of vendor-held key escrow was legislated and implemented. This is a huge leap for the industry, but they could do it. It would never be reasonably secure, and it would be near impossible to fix the flaws, but let's say it was done. The next step would be Fed-held key escrow. This is an almost microscopically tiny incremental step - just moving some boxes, folks - but at that point the concept of digital privacy is as dead as the rest of the Bill of Rights. Don't kid yourself that that isn't the end game here.
So let's call this bullshit what it is: "Flat Earth Encryption." It's technically infeasible, practically infeasible, and politically infeasible to have any sort of key escrow system that won't be abused like an underage Congressional intern.
Help save the critically endangered Blue Iguana
In the article Ozzie proposes a slight modification to the golden key solutions previously proposed. Instead of a single master key that would unlock every single device or system, his system relies on the manufacturer or creator to create specific asymmetric paired keys. When law enforcement requires a device or account to be unlocked, the manufacturer can unlock with their private paired key. In the case of San Bernandino, Apple would unlock only that particular iPhone.
The problem with this is that it requires the creator or manufacturer to be the stewards of these keys for an indefinite amount of time. In the case of Apple, they have to maintain keys for as long as an iPhone could exist which could be decades. It is also going to be problematic for companies or organizations that no longer exist. When companies go bankrupt, one of the few remaining assets they could sell is their data.
It doesn't shift the problem of risk to the stewards. It is still possible that the keys could be stolen; it just means hackers do not have to steal a single key.
Practically how will this work with independent developers? Open source developers would never follow this system.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Simple Constitutional Argument.
There's a reason why you don't want backdoors to be open to the government.
-- Tigger warning: This post may contain tiggers! --
PGP came out how many decades ago? And yet it's still better than what most people use today.
There's a technologicially-easy but socially-hard solution to this problem: stop using "tech giants"' products to secure your communications. Free is the right way to do this genre of software, because there's no one particular individual to coerce into weakening it. And that's really what we need: independence from meddling, because purposely-making-it-wrong is pretty much the main weakness we're facing today.
Proprietary software makes have obviously gone to extreme effort to avoid making their stuff work well, and it's time we relieved them of this expensive burden. That's how it should be presented to them.
You sure woke!
Tell us about waiting in line at the charity hospital poorboy.
Why does it have to be a software encryption key backdoor that can be stolen and abused by anyone from anywhere?
If law enforcement needs access to data on a device, presumably they already have the device. Is it so hard to build a device that can be 'somewhat' easily opened (or physically broken like a break class in case of fire) with an internal switch or socket that can set triggered to decrypt the data or provide a hardware root login?
I mean, FFS, if law enforcement doesn't have physical access to the device, and a warrant to break it, they have no business poking around in anyone's data to begin with.
Masters of the Universe: We object to backdoors and weak encryption!
Government: Aw, that's cute. Here's some money, now shut up and behave.
Scruting the inscrutable for over 50 years.
Is that Qualcomm (who is used in basically all the chinese phones not using MediaTek SoCs, since afaik RockChip doesn't produce any cellular SoCs) already has a master signing key for all their SoCs, with a per vendor child signing key. So in theory any Chinese phone should be compromisable by the Chinese government, and those phones are a subset of the phones compromisable by the NSA and select 5 Eyes partners. When you factor in that all ARM/MIPS hardware was effectively designed by British companies (now owned by Softbank and... who for MIPS?), and all x86+PPC hardware is designed by US controlled corporations with much of it designed in foreign countries (Intel's Israel branch doing major portions of both x86 design and Intel ME today.) the picture of just how backdoored modern hardware should be considered is *NOT* pretty.
In order to have a chance at any sort of national security, or secure processors, we really need either openly audited designs produced internationally, published transparently, and then audited by parties suspcicious of the manufacturing nation. And we need fabs producing versions of these chips on each of the major continents, ideally under politically hostile regimes. Only by playing each party against the others will we have a chance at sabotage free chips, as each party is jockeying for a bigger piece of the trust pie.
Yes, there will be cases that will go unsolved, but that is worth total freedom. I will not use anything that requires key escrow. It's just not worth it. Better cases go unsolved than give in. I will continue to use crypto I know is safe to use, as the open source crowd do keep a very tight watch on this stuff.
Yep. 1st, 2nd, 3rd, 4th, and 5th amendment violations.
1st: Crypto is speech. Courts have ruled. .GOV needs a warrant
2nd: Crypto was under ITAR, therefore it's an armament.
3rd: specified here
4th: Beaten to death.
5th: Obvious
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
1. Secure
2. Broken
If anybody can decrypt your information without your informed consent, it is by definition NOT #1.
This whole thing is absolutely ridiculous BS. The people the NSA is trying to track are not going to use devices with backdoors if we added them, so this is very clearly not targeted at those people. This is general law enforcement desire that they're trying to justify with fears of terrorist attacks.
I see your analogy, but I doubt that a court would. The prior responder has a better argument....but it's still not good enough to stop the government until afterwards, and maybe not then.
Just being illegal won't stop the government. It often hasn't in the past. (I'd like to claim it never has, but that's quite difficult to prove.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Some facts: the US has forced, and further wants to force companies to provide backdoors to their hardware and software; the US has barred the sale of, or outright banned Chinese, Russian, etc. companies, both at the state and consumer-level, such as ZTE, Huawei or Kaspersky, for allegedly (and in the case of ZTE, admitedly) using backdoors in their hardware/software to spy on the US; China and Russia have obviously done the same, or heavily scrutinized US companies and/or forced them to have local servers and fully transparent operations to the state and even banned like the US (see China and Cisco/Apple/Microsoft); other countries have done similar things to data companies such as Facebook, Reddit, Google, either because they don't hand the keys to the kingdom to their own state authorities like they do the US, or because they can't control data flow like they can on state-based data; and last but not least, due to the Patriot Act, we know of 3 US companies that for sure have had spying on their own citizens, due to warrant canary expiration - we don't know of any other country that has done things similar, but we can assume from their own actions, that China (...), Russia (see the Telegram, VK and other shenanigans), and Iran (...) have as well.
Now, we see this report that companies are fighting back. I am no US citizen or even live there, but I have to admit, this fight is a losers' fight and nothing more than PR stunt for privacy-centric, non-tech savvy consumers. All these companies are US-based and/or have main operations in the US, and whatever they do, they have to abide to US law. And most of all, in a game where every state is playing dirty, there is no room to play fair, especially when you are (still) the player with the better hand. IRIS and secret court orders and gag orders and whatnot were scandalous when they got out, but really, one should really see them for what they are - not killing people in all-out-war, yet killing privacy indiscriminately. Violation of privacy is, in a way, like nukes and any WMD but instead of affecting life, it affects a core freedom. So unless everybody starts signing some very closed, transparent non-proliferation agreements, things aren't really gonna improve for us, the small folk, forever exploited, previously by compulsory military service, and now by compulsory data-gathering exploitation. If there's one thing certain, it is that countries like China, Russia, Iran, or even the US, as they are today, democratically, will never sign such accords because they allow spying on their own citizens, let alone sign it to foreign citizens. None of these countries are even enforcing this on people protected with diplomatic passports, who supposedly should have immunity at all levels to perform their tasks, even on data-snooping.
So whatever you want to make of it, things are dead simple - companies themselves have to take the initiative of NOT using data as they do today for their business models, and in the same way, states cannot indiscriminately enforce their own citizens to surrender non-essential data with a bureaucratic excuse. It's never been about encrypting data or using data anonymously - it's like R. Stallman put it in his recent opinion piece. Companies can stop pretending to care, and should start caring for real.
One thing I thought was hilarious about Ozzie's not-very-original scheme is step 1: getting a court order. The Wired article breathlessly explained the government would absolutely NOT be able to request the decrypted PIN without a court order. Pinky-swear! They emphasized that as a key aspect of the program.
The thing is, how does Apple/Google/Microsoft/etc know whether a court order was actually obtained? All any LEO has to do is to send the code and they get the decrypted PIN back, no verification required. And with hundreds (thousands?) of these requests coming in per day, how would anyone have the time to verify those court orders anyway? Sounds ripe for abuse to me.
They also did a neat little bait-and-switch in the Wired article. At first, Ozzie claimed that the private key would be kept secure. Very, very secure, like in a deep, dark vault with biometric-based authorization required, like they do for the signing keys for IOS updates. So very, very, *very* secure. Again, that super-security was touted as a major feature of the program.
Then someone pointed out (late in the article) that that kind of heavy security would not be practical with hundreds of unlock requests coming in per day. Who would they hire to do hundreds of biometric scans per day to checkout and re-checkout and re-checkout the same key, over and over and over again. Then Ozzie quickly pivoted and said, "Oh well, they'd be as secure as developer keys, then." WTF? News-for-ya: There's a big difference in the security required for OS signing keys vs. dev keys.
Sure, sure. You go right on believing that.
Oh, you have proof?
No?
I did not think so.
James Comey sees a darkness abroad and in the general public here, and wants the tools to get evidence against those bad actors. The problem is, of course, those tools work on the good and bad alike, turning us all into potential victims of a surveillance state. None of us are perfect. Encryption backdoors make Lavrentiy Beria's quote even more profoundly threatening: "Show me the man and I'll find you the crime."
"Trump is golden, pure, fantastic, uncorrupt and uncorruptible!
Obama is dirt, terrible, illegal, awful!"
Your post is a sea of lies from end to end. It's too much to process piece by piece, so let's just say that it appears to stem from the right wing ranting media. There are a couple of somewhat interesting points in there from an academic point of view. I decline to discuss those with someone with no respect for truth.
Look to the company you keep. You seem to love the Commander Liar In Chief (it's tough to tell, considering the blizzard of spittle in there), so you have no reputational basis for making your claims. Good day.
Comey lied, he illegally got a FISA warrant for Carter Page. Fact
Roseinstein renewed it 3 times covering a year. Fact
FISA covers target, all their contacts, all their contacts. Fact
That would include Trump and all his campaign. Fact
McCabe said no FISA warrant without Russian dossier. Fact
Comey and FBI never verified dossier and passed it off to FISA court as verfied. Fact
You are unable to deal with facts. Fact
You are a miserable truth denying snowflake that can't handle the truth. Fact
Let me know which of the above listed facts is untrue.
A more sinister explanation is that many of these companies, which have already caved to Chinese censorship and spying demands, are helping the Chinese government maintain a monopoly on snooping.
Let's apply Occam's razor: here are the explanations I see
1) Apple, et al, are altruistically protecting everyone from spying, and China is rehoming data to China that they can't read.
2) Apple, et al, are amoral corporations, have caved to China, and are using encryption to keep you in the walled garden.
3) Apple, et al, are ethical corporations trying to protect people's rights, and have law enforcement caveats for some dicatorships, but not bad democracies
4) Apple, et al, are amoral corporations, are taking money from the Chinese government, and have been paid to protect the communications from other intelligence agencies.
The simplest explanation is that the encryption is 2), that the encryption is to trap you, not protect you but 4) has a solid business case behind it.
Stop making sense. You are going to lose. You have a family to threaten, right? Or just a search history? You should just stop now. Pick an area of direct action instead. Listen to me. I'm not posting AC.
If the US government has sufficient evidence, one loses the 4th (search warrant) and the 5th (subpoena) amendment rights.
When the US government can 'stop and frisk' at will (violates 4th and 5th), and claim digital data is not personal or private (In cases of 'cloud services' and '3rd-party', so true.), an individual is already deprived of privacy.
The congress-critters shouting 'look, terrorist' are happy to throw voters under a bus but they're not thinking about about their employers: How is Bank America going to transfer money, if the encryption is compromised? How are Lockheed and McDonnell-Douglas going to discuss military secrets if the conference call is tapped? How is Intel and AMD going to upload the blue-prints to a Japanese fab-factory if the IP is copied? How will Trump hide his offshore accounts if his emails are 'opened'?
If this law truly applied to everybody, then everybody will know the secrets of corporate America in mere days. But it's not corporate America committing mass-murders, smuggling drugs or sex-trafficking. The lie those politicians are telling isn't "we must protect you (from poor people)", it's "you are the problem".
This is a law aimed purely at working-class individuals. Individuals who already tell Facebook everything and send their passwords to DashLane, RoboForm and LastPass (already compromised). When one adds compromised hardware like Intel ME and police empowered to use key-logging virii, the reality of digital privacy is, there is little digital privacy. This, like AT&T Room 641a and US NSL, is about the data of the not-so-rich being delivered directly to the government.
So if they have a suspect, they get a warrant to put a bug on their device.
Send the phone a software update that reduces the security and adds a trojan.
Police can then monitor any further activity on that device.
This can be done right now with existing tech and doesn't reduce the security for innocent people.
What can't be done is be able to snoop on EVERY device in retrospect without opening everybody to malicious characters.
The debate over the 5th is about whether you can be compelled to give up your passcode, thereby (potentially) incriminating yourself. If there's a backdoor in your device, you're not incriminating yourself, and the 5th doesn't apply. So this is far from "Obvious".
The question is not whether a warrant is required or not. The question is whether it's required to enable the government to be able to read a device with a warrant, and there's at least some precedent in CALEA, which requires all telecommunication systems to allow government wiretapping. The Fourth is inapplicable, because its protection ends with a warrant (which it places restrictions on).
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I am so grateful to Enrique for helping me spy into my husband text messages and letting me know the truth about his affairs with other women remotely without having any access to his phone , you can also contact him through his website for any kinda hacking service via: w w w. enriquehackdemon11.c o m
Regards