perhaps I'm wrong, but...
by
The+Mayor
·
· Score: 4
It seems that too many people watch X-Files, and are starting to confuse fact and fiction. This seems like a paraphrasing of the Echelon story run here about 1 1/2 weeks ago. That story, too, seemed designed to confuse fact and fiction (very few verifiable sources were cited).
The hardware and man hours required for this level of communications monitoring is simply too great. Besides, too many people would know about this if this were true. The secret would have gotten out long ago, and with many more verifiable sources.
Ever think that Intel & Microsoft made it through clever, strategic, and downright dirty business tactics? If Intel had illegally obtained secrets from competitors, don't you think their chips would be at least as fast as their competitors'? Don't you think that you, too, could pull some pretty brutish moves if you had $20 billion cash-on-hand to use as investment capital?
Look, maybe I'm wrong. Maybe there is a huge conspiracy. However, I usually tend to believe that the simplest explanation is also usually the correct one.
I'm not trying to say that the US gov't doesn't have the ability to track any given piece of e-mail, or that they can't crack any widely used encryption scheme, or that they can't monitor any given phone conversation in most parts of the world. I'm just saying that they don't monitor *every* e-mail and/or http: request. They can't crack *every* encrypted message. They can't monitor *every* phone call simultaneously. There's simply too much to do for that to be possible. And, while the US does have some interesting technologies in its military and intelligence wings, these technologies are orders of magnitude better than what ordinary individuals and companies have access to.
Ever wonder why the F-117 (the "stealth fighter") is composed of flat panels, all at odd angles? For purposes of stealth aircraft, corners are bad ju-ju. Yet the F-117 has tons of them. The reason is that the plane was designed in the early 70s, using commonly available technology during that time (not alien tech, as some suggest). They couldn't model curved surfaces on the supercomputers of their day! If they had access to some superior, ultra-fast technology, the F-117 would have looked more similar to the B-2. This isn't intended as definitive proof that the US doesn't have such wondrous computing & networking tech. It is merely intended to show that the US gov't, too, proceeds at the same pace as the rest of the world, albeit with a quarter step head start. The tech required to do these sorts of things is simply too great--and I therefore reject these stories as X-Files inspired paranoia (and I hope that I am correct;-).
-- --Be human.
Re:perhaps I'm wrong, but...
by
garrettdm
·
· Score: 5
Ever wonder why the F-117 (the "stealth fighter") is composed of flat panels, all at odd angles? For purposes of stealth aircraft, corners are bad ju-ju.
I realize that this is off topic, but I felt I had to respond...
The F-117, and all of its flat panels, are actually based on the "hopeless diamond" design. It is a very angular geometrical shape that is completely invisible to radar. The math behind it was developed by some German scientist.
When placed in a radar test chamber, the F-117 completely disappears. In fact, one of the sticking points in the development of the F-117 was figuring out how to hide the radar cross-section of the pilot's head through the window of the plane. The solution... Coat the window with a transparent film of gold.
So, to sum up, the F-117 design was not due to lack of computing power, but rather the mathematics of stealth.
--David Garrett
-- Never attribute to malice that which can be more easily attributed to stupidity -- Hanlon's Razor
Use strong crypto whether you need it or not
by
lutter
·
· Score: 5
I'm appalled by these findings. I always dismissed stories of what the spooks are listening to as totally blown out of proportion. Not any more. After reading the technical details section in the report it seems clear that the NSA so far must be ecstatic with joy over the popularity of the Internet: less pesky voice recognition, less error-prone handwriting recognition, more digital food, easy to digest, high in information content and relatively easy to filter.
I think the best way to make the spooks' life harder is for as many people as possible to use strong crypto: the more well-encrypted messages they listen to, the more resources they have to dedicate to the much harder task of breaking strong crypto rather than developing strong filters.
If I were a company interested in keeping my stuff secret, I wouldn't buy any American software: the Lotus example in the report is ridiculous --- does the US government really need a convenient way of listening in on the Swiss government's internal dealings?
The only reasonable choice is Free Software. Use GPG, hit on it, beat on it, try to break it until we can believe it's reasonably secure.
Fill the Internet with encrypted noise to get the spooks sweating. It's not important if they can break your 'Happy birthday, Mom!' message; but all those encrypted 'Happy birthday' messages might keep them from reading the stuff you really don't want anybody to read.
This report is a Good Thing for a number of reasons. It documents how the NSA and our "national security state" have been joined at the hip to U.S. economic interests. It corroborates various reports over the years of state sponsored economic surveillance. It debunks the argument that key-recovery is needed for law enforcement. Lots of good stuff with the authoritative imprimatur of the EU.
But the real good news is found in both " Comint capabilities after 2000" and in " Policy issues for the European Parliament". The cost of ComInt surveillance has proven to be prohibitive - a waste of time and money. And the rise of optical fibre networks has rendered snooping methods obsolete. But best of all, "Communications intelligence organisations recognise that the long war against civil and commercial cryptography has been lost."
Finally, check out this recommendation:
Consideration could be given to a countermeasure whereby, if systems with disabled cryptographic systems are sold outside the United States, they should be required to conform to an "open standard" such that third parties and other nations may provide additional applications which restore the level of security to at least enjoyed by domestic US customers.
The bad news is this is a report by the Chief Geek at EU to the parliament. What are the chances that anyone other than geeks will pay any attention?
Complete Report and Recommendations
by
Carl
·
· Score: 5
The complete report has some nice recommendations. Such as:
2. At the technical level, protective measures may best be focused on defeating hostile Comint activity by denying access or, where this is impractical or impossible, preventing processing of message content and associated traffic information by general use of cryptography.
5. At the present time, Internet browsers and other software used in almost every personal computer in Europe is deliberately disabled such that "secure" communications they send can, if collected, be read without difficulty by NSA. US manufacturers are compelled to make these arrangements under US export rules. A level playing field is important. Consideration could be given to a countermeasure whereby, if systems with disabled cryptographic systems are sold outside the United States, they should be required to conform to an "open standard" such that third parties and other nations may provide additional applications which restore the level of security to at least enjoyed by domestic US customers.
We could tell them that is already possible:)
I feel the whole thing's overblown...
by
Kaa
·
· Score: 5
I don't like key escrow at all and have strong feelings about my own right to privacy. However the article in question is just fluff. Think about it: it is a report generated from the bowels of European bureaucracy, which has repeatedly proved itself to be totally clueless, and has numerous axes to grind. Basically, the report says two things:
One, the US/UK/etc. intelligence agencies collect data from the world communications network. So? Does this surprise anybody? Didn't we hear about it a zillion times before? Would anybody expect any intelligence agency with proper capabilities to do otherwise? So the UK spooks have a terabyte of Usenet data. Big deal. If I had a terabyte of storage handy I could have it, too. DejaNews likely has much more. Usenet is a public forum anyway, so I don't see any problems here.
Two, US intelligence agencies use intercepted data for commercial advantage of US companies. Again, this is old news. The report doesn't add any new hard data except some vague allegations that I (at least) have heard before. Airbus has been bitching about being spied upon for years by now.
In any case I don't see what this has to do with key escrow. It was a bad idea, it is a bad idea and it will stay a bad idea. *Of course* the spooks love it, but that's only to be expected and has been demonstrated numerous times before.
So I guess I don't understand what the whole noise is about.
Kaa
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
It is to LAUGH! - Lotus story is crap!
by
BLKMGK
·
· Score: 4
The Lotus "example" is pure unsubstantiated, poorly researched garbage!!!
I have been working with Lotus Notes since version 2 first came out, I know the product well. The entire time Lotus and now Lotus\IBM (actually IRIS) have been producing Notes the Govt. has been all over them about their encryption. The entire time Lotus has been putting out a "weaker" 40bit version of Notes to satisfy the export laws, until R5.
Now, Lotus has come up with a compromise that they had hoped would allow them to get back to having only one code stream. That solution was to escrow 24 bits (I believe that's right) with NSA such that they could export Notes without major changes. This has been PUBLICLY STATED BY LOTUS in at least two VERY PUBLIC conferences dedicated to Notes that I have personally attended - and probably many others I haven't. Anyone attend Euro-Lotusphere that can comment? Folks, IT WAS NO SECRET! Period - end of story - full stop. Lotus made this known! To assert otherwise is truly funny!
This story about the Swiss is pure BS - if they didn't know that 24bits were escrowed with NSA it was because they didn't ask - not the fault of Lotus is it? Is the US Govt. policy on encryption so secret that the Swiss never bothered to wonder how it was Lotus got a product "stronger" than 40bits out of the country? Come on - are they that stupid? Someone in Switzerland didn't do their homework, covering it up by saying Lotus did this in "secret" is pretty silly.
If you want really bad - look at the French version of Notes. It's WEAKER than 40bits! How, Why?! Well, it seems the French Govt. wouldn't allow them to sell Notes in their country if it wasn't this weak! Yup, R5 French is weak as wet tissue and not because Lotus wanted it this way. In a security forum hosted by Lotus they publicly stated they wouldn't use the French version no matter what - it's that weak and they hate it! But, they had to satisfy the French Govt. or not sell their product. I THINK the French version is only 24bit - I'm not positive.
Lotus is NOT a bad guy in this, stupid reporters to the contrary. Sit in on any of the security forums at Lotusphere and listen to the Lotus guys talk about how they don't think 64bit is strong enough anymore, how they intend to go 128bit or better (did R5 get this? I'm not using it yet), and how they do their Public Key stuff. These guys are and have been so far ahead of the X509 crap it's not even funny. These guys have had certificates for years and STILL have useful features not yet implemented in X509 (hello - cert chaining?). They did this for funsies? And then we get articles that blast Lotus for being in cahoots with the Govt or NSA? Obviously someone isn't paying attention and hasn't done any research on Lotus - their making encryption so easy to use in Notes has NOT made them the US Govt's friend by ANY stretch of the imagination!
P.S. Know what's really funny? That someone will read an article like this or the one dealing with the Swiss and take it as gospel without ever researching it. Heh, if you want to know how it all really works Lotus has a White Paper in PDF on their site that goes DEEP into the details. I'd provide a URL but it's not handy, I'm only part way through it myself but it's damned detailed. Let's see M$ put something this detailed together about Exchange or NT! (lol)
Build it, Drive it, Improve it! Hybridz.org
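The post above describes the export compromise as "escrow 24 bits with NSA" out of a 64-bit Notes key, i.e. a message still carries a full-strength key, but part of it travels encrypted to an escrow authority, so whoever holds the escrow key only has to search the remaining 40 bits. The following toy model, added here as an illustration and not Lotus's actual construction, makes that work-factor arithmetic concrete. It assumes a stand-in for the authority's encryption (an HMAC-derived pad under a hypothetical ESCROW_SECRET, since the real scheme used the authority's public key), a hypothetical XOR stream cipher built from SHA-256, and a scaled-down 40-bit key with 24 bits escrowed so the residual 16-bit search runs in well under a second; the ratio 2^key_bits / 2^(key_bits - escrow_bits) is the same as for the 64/24 case the post quotes.

```python
"""Toy 'workfactor reduction' escrow demo (illustrative, not the Lotus Notes design)."""
import hashlib
import hmac
import os

# Hypothetical escrow authority key. In a real scheme the field would be
# public-key encrypted to the authority; here an HMAC pad stands in for that.
ESCROW_SECRET = b"escrow-authority-private-key (toy)"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hypothetical stream cipher: SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def escrow_pad(nonce: bytes, nbytes: int) -> bytes:
    return hmac.new(ESCROW_SECRET, b"wrf" + nonce, hashlib.sha256).digest()[:nbytes]


def make_escrow_field(key: bytes, nonce: bytes, escrow_bits: int) -> bytes:
    """Wrap the top escrow_bits of the message key for the escrow authority."""
    n = escrow_bits // 8
    return bytes(a ^ b for a, b in zip(key[:n], escrow_pad(nonce, n)))


def open_escrow_field(field: bytes, nonce: bytes) -> bytes:
    """Only the holder of ESCROW_SECRET can undo make_escrow_field."""
    return bytes(a ^ b for a, b in zip(field, escrow_pad(nonce, len(field))))


def work_factor(key_bits: int, escrow_bits: int) -> int:
    """Key-search size for an attacker who can read the escrow field."""
    return 1 << (key_bits - escrow_bits)


def brute_force(ct: bytes, nonce: bytes, known_pt: bytes, key_bytes: int,
                known_key_prefix: bytes = b""):
    """Search the unknown key bytes, checking each candidate against known
    plaintext. Returns (key, trials); key is None if nothing matched."""
    unknown = key_bytes - len(known_key_prefix)
    trials = 0
    for cand in range(1 << (8 * unknown)):
        trials += 1
        key = known_key_prefix + cand.to_bytes(unknown, "big")
        if encrypt(key, nonce, ct[:len(known_pt)]) == known_pt:
            return key, trials
    return None, trials


def demo(key_bytes: int = 5, escrow_bits: int = 24):
    """Scaled-down run: 40-bit key, 24 bits escrowed, 16-bit residual search.
    Returns (recovered_ok, trials, outsider_space, escrow_holder_space)."""
    key = os.urandom(key_bytes)
    nonce = os.urandom(8)
    msg = b"Subject: Happy birthday, Mom!"   # constructed sample message
    ct = encrypt(key, nonce, msg)
    field = make_escrow_field(key, nonce, escrow_bits)

    # Escrow holder: open the field, then search only the remaining bits.
    known_bits = open_escrow_field(field, nonce)
    recovered, trials = brute_force(ct, nonce, b"Subject:", key_bytes, known_bits)

    key_bits = 8 * key_bytes
    return recovered == key, trials, 1 << key_bits, work_factor(key_bits, escrow_bits)


if __name__ == "__main__":
    ok, trials, outsider, holder = demo()
    print(f"key recovered by escrow holder: {ok} after {trials} trials")
    print(f"outsider search space: 2^{outsider.bit_length() - 1}, "
          f"escrow holder: 2^{holder.bit_length() - 1}")
    print(f"quoted 64-bit/24-bit case: escrow holder searches 2^"
          f"{work_factor(64, 24).bit_length() - 1}")
```

The point the numbers make: the escrow field does not weaken the cipher for anyone else (an outsider still faces 2^64), but for the authority it turns a 64-bit search into a 40-bit one, which is exactly the "40-bit export strength" the post says the compromise was designed to deliver. Whether that counts as "secret" is the argument the thread is having; the mechanism itself is plain arithmetic once the field is documented.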
The one in the TechWeb article is slightly mangled... if you didn't figure it out, try this.
Check out the May 1999 STOA newsletter for a very quick summary (scroll down a bit). None of it is US authored, AFAICT.
Java: the COBOL of the new millenium.