Tech Giants Hit by NSA Spying Slam Encryption Backdoors (zdnet.com)
A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices. From a report: The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology. "Recent reports have described new proposals to engineer vulnerabilities into devices and services -- but they appear to suffer from the same technical and design concerns that security researchers have identified for years," the statement read. The renewed criticism follows a lengthy Wired article, in which former Microsoft software chief Ray Ozzie proposed a new spin on key escrow. Device encryption has hampered police investigations, and law enforcement officials have pushed tech companies to fix the problem -- even by way of suing them.
Unlike these companies I can speak easily to you since I have no horse in that race. I don't have to bullshit you so you keep buying my software and so you don't send the IRS down on me to keep my finance department in enough red tape to ensure they don't do anything sensible anymore this decade.
Here's the problem: If you mandate a backdoor into software, nobody with at least a hint of sanity will use that software. If you mandate that all software used within your jurisdiction has to have that flaw, you put your domestic industry at a severe disadvantage over every other on the planet, because you open them up to industrial espionage.
"Government only" backdoor keys are much, but not government only for long. Such keys are valuable. They offer entrance to all the sweet, juicy R&D details that every company and some governments on this planet want. Do you think that such keys have a price? You bet. Do you think that "give me the key or your little baby girl gets a bullet through her head" is too high a price for some governments? Think again.
People have weaknesses. Everyone has them. Even if they can't be bribed, they can be bullied, coerced, threatened or simply blackmailed. Works with everyone. I have not met a single person that had no weak spot you could exploit to get them to do anything, literally anything, you wanted. For most it's family. People do a hell of a lot of things if you offer them the life of their children in return.
Even China, one of the most restrictive countries with a surveillance state that would make Orwell wonder whether they used his books as manuals, wasn't foolish enough to demand something like this from its industries. That alone should tell you just how bad an idea it is.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The biggest problem isn't crime but dictatorship. We should not be giving dictatorships free reasons to force backdoors just so some agents can get brownie points catching crooks. For each crook caught, how many millions continue to live with a boot on their neck?
Stop building the tools of tyranny.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
We really need more heroes in Congress, like Senator Ron Wyden who both voted against FOSTA/SESTA (because it's stupid and makes the problem worse) and lost his shit at Christopher Wray for asking for backdoored encryption. Representatives with the integrity to stand for what's right even if it's a losing battle and politically unfavorable.
I'm hoping to see Rikki Vaughn replace Cardin this term; and I'm going for Elijah's seat, so there's that. We need legislation putting a stop to the overuse of powers in secret against our own citizens.
Executive Order 13526 was an important step for government transparency; and at some point, we have to work toward accepting manageable risk--allowing for that it may be slightly more difficult to achieve a national security end goal, yet still not likely that an adversary will advance its campaign against the Nation--in order to protect the rights of our people. Yes, restricting what the NSA can pull from Facebook in total darkness and restricting the use of national security gag orders to clear and present dangers might telegraph things a bit and keep some enemies of the state circling at distance instead of sitting around while we purportedly close in on them; that's better than the State becoming the shadowed enemy of the people.
Support my political activism on Patreon.
Why the fuck should I listen to anything some skeezy AC has to say, especially when you're clearly and obviously a Trump supporter, and as such your basic intelligence is in question? Post under your real name, and leave off with the references to the orange-haired pussy-grabbing moron in the White House and then maybe I'll consider whatever the hell it is you have to say.
As I recall, Ozzie was at Microsoft during the heyday of remote SQL ports being open by default, IIS 4, IE 6... basically back when Windows security was a laughingstock. Why anyone would take anything he says regarding security seriously is beyond me.
#DeleteChrome
You can't have security and backdoors. Let's just say, for the sake of argument, that Ray Ozzie's approach - assuming it worked perfectly (heh) - of vendor-held key escrow was legislated and implemented. This is a huge leap for the industry, but they could do it. It would never be reasonably secure, and it would be near impossible to fix the flaws, but let's say it was done. The next step would be Fed-held key escrow. This is an almost microscopically tiny incremental step - just moving some boxes, folks - but at that point the concept of digital privacy is as dead as the rest of the Bill of Rights. Don't kid yourself that that isn't the end game here.
So let's call this bullshit what it is: "Flat Earth Encryption." It's technically infeasible, practically infeasible, and politically infeasible to have any sort of key escrow system that won't be abused like an underage Congressional intern.
Help save the critically endangered Blue Iguana
As usual for a techie, Ozzie fails to apprehend the human aspect. The government only needs to force the company to agree -- risk of an audit or even criminal charges against company officials will do so. So it's still 100% the government's call.
And I don't happen to trust many governments. Even if you did trust the US government (don't forget: it's one of the world's largest incarcerators), do you trust the Chinese? Or the Russians? Both of which will be ruthless with a company's ability to do business if they're not obeyed.
Nah, better to have unbreakable devices. If a few criminals get away with it, that's life -- you can't have a perfectly safe, perfectly controlled society.
It's worse than that, because then people who really wanted security would turn to concealing the fact that they were using their own non-backdoored system through a lot of clever steganography. Which means, everyone would be a suspect of using illegal cryptography, so the government would then have to develop tools to detect steganographically hidden encrypted messages. Which means doing AI/entropy analysis on "all teh data" and accusing people because some heuristic fucked up and gave a false positive.
Someone had to do it.
Some facts: the US has forced, and further wants to force companies to provide backdoors to their hardware and software; the US has barred the sale of, or outright banned Chinese, Russian, etc. companies, both at the state and consumer-level, such as ZTE, Huawei or Kaspersky, for allegedly (and in the case of ZTE, admittedly) using backdoors in their hardware/software to spy on the US; China and Russia have obviously done the same, or heavily scrutinized US companies and/or forced them to have local servers and fully transparent operations to the state and even banned like the US (see China and Cisco/Apple/Microsoft); other countries have done similar things to data companies such as Facebook, Reddit, Google, either because they don't hand the keys to the kingdom to their own state authorities like they do the US, or because they can't control data flow like they can on state-based data; and last but not least, due to the Patriot Act, we know of 3 US companies that for sure have had spying on their own citizens, due to warrant canary expiration - we don't know of any other country that has done things similar, but we can assume from their own actions, that China (...), Russia (see the Telegram, VK and other shenanigans), and Iran (...) have as well.
Now, we see this report that companies are fighting back. I am no US citizen or even live there, but I have to admit, this fight is a losers' fight and nothing more than a PR stunt for privacy-centric, non-tech savvy consumers. All these companies are US-based and/or have main operations in the US, and whatever they do, they have to abide by US law. And most of all, in a game where every state is playing dirty, there is no room to play fair, especially when you are (still) the player with the better hand. IRIS and secret court orders and gag orders and whatnot were scandalous when they got out, but really, one should really see them for what they are - not killing people in all-out-war, yet killing privacy indiscriminately. Violation of privacy is, in a way, like nukes and any WMD but instead of affecting life, it affects a core freedom. So unless everybody starts signing some very closed, transparent non-proliferation agreements, things aren't really gonna improve for us, the small folk, forever exploited, previously by compulsory military service, and now by compulsory data-gathering exploitation. If there's one thing certain, it is that countries like China, Russia, Iran, or even the US, as they are today, democratically, will never sign such accords because they allow spying on their own citizens, let alone sign it to foreign citizens. None of these countries are even enforcing this on people protected with diplomatic passports, who supposedly should have immunity at all levels to perform their tasks, even on data-snooping.
So whatever you want to make of it, things are dead simple - companies themselves have to take the initiative of NOT using data as they do today for their business models, and in the same way, states cannot indiscriminately enforce their own citizens to surrender non-essential data with a bureaucratic excuse. It's never been about encrypting data or using data anonymously - it's like R. Stallman put it in his recent opinion piece. Companies can stop pretending to care, and should start caring for real.
One thing I thought was hilarious about Ozzie's not-very-original scheme is step 1: getting a court order. The Wired article breathlessly explained the government would absolutely NOT be able to request the decrypted PIN without a court order. Pinky-swear! They emphasized that as a key aspect of the program.
The thing is, how does Apple/Google/Microsoft/etc know whether a court order was actually obtained? All any LEO has to do is to send the code and they get the decrypted PIN back, no verification required. And with hundreds (thousands?) of these requests coming in per day, how would anyone have the time to verify those court orders anyway? Sounds ripe for abuse to me.
They also did a neat little bait-and-switch in the Wired article. At first, Ozzie claimed that the private key would be kept secure. Very, very secure, like in a deep, dark vault with biometric-based authorization required, like they do for the signing keys for iOS updates. So very, very, *very* secure. Again, that super-security was touted as a major feature of the program.
Then someone pointed out (late in the article) that that kind of heavy security would not be practical with hundreds of unlock requests coming in per day. Who would they hire to do hundreds of biometric scans per day to check out and re-check out and re-check out the same key, over and over and over again? Then Ozzie quickly pivoted and said, "Oh well, they'd be as secure as developer keys, then." WTF? News-for-ya: There's a big difference in the security required for OS signing keys vs. dev keys.