Congress Considers Mandatory Crypto Backdoors
disappear writes: "Wired news reports that Congress is considering restrictions on crypto software in the wake of the terrorist attack. 'Nuff said." This will be the next battle -- especially in the wake of this week's tragedies, and the allegations that the prime suspect Osama Bin Laden is a heavy crypto user. The battle of privacy and safety is going to begin in earnest now.
My essay (Score:4, Interesting)
Please read my essay and if you like it pass it on to people. We can't let this happen. I have been saying this since day one. Please please think about this
The Price of Freedom [dyndns.org]
Jeremy
Clock It! 2001-1984=17 Years Late (Score:5, Interesting)
Carnivore is one thing, but a backdoor to all crypto is yet another. Financial transactions from private organizations are routinely encrypted for obvious reasons. Are we to trust government employees with all financial transactions merely because we elect them? I think not.
We cannot allow the government a "skeleton key" to all crypto if only for the reason that it can then be compromised by others for whom access was not intended. Urge your congresscritter just to say "no".
Heavy crypto user? (Score:5, Interesting)
Are they nuts? This guy lives isolated in mountain camps. I doubt he's even a heavy electricity user.
His sympathizers, on the other hand...
How would that help? (Score:5, Interesting)
Cryptography wouldn't really help terrorists much anyway, because electronic surveillance can still pick up who is talking to whom; the real problem is when people avoid electronic communications, because then you can't do anything without spies on the ground.
don't forget Rivest's "Winnowing and Chaffing" (Score:5, Interesting)
Traffic Analysis and Steganography (Score:1, Interesting)
So if they do ban crypto without back doors, the non-back-doored messages stick out and can then be ferried off to the NSA to be analysed with much less effort.
It's hard to argue with this, you know? I've personally stopped encoding my messages for the moment so as not to soak Echelon bandwidth - and I'm only half joking. We may have worse enemies to worry about right now than our government.
New Hampshire (Score:4, Interesting)
The revolutionaries who founded the United States of America are chock full of good quotes on freedom and defending freedom.
Mandatory backdoors -- French tried, gave up. (Score:5, Interesting)
For example, I worked for a major semiconductor and radio communications corporation. We encrypted all private circuits to all remote offices, in the US and abroad, except that in France we had to provide the keys to the French government.
End Result?
The French intelligence agencies would hand over to major French businesses the 'competitive intelligence' collected from foreign corporations' operations in France, allowing them to underbid competitors, etc.
There are several well-documented cases of government abuse of this information. In France the level of distrust got so bad that they eventually relaxed this policy due to foreign based companies withdrawing their business.
Re:I don't think so. (Score:2, Interesting)
For those who don't know "... steganography, is the practice of embedding secret messages in other messages -- in a way that prevents an observer from learning that anything unusual is taking place. Encryption, by contrast, relies on ciphers or codes to scramble a message." (quoted from the Wired article).
It's a good article. Seeing steganography in (more obvious) use is kinda weird. Check out some of the results of this google search [google.com]. Read a few of the first hits and see what you notice.
Phil
And who didn't know this was going to happen? (Score:2, Interesting)
So why is this such a problem? After all, the necessary decryption tools would only be made available under specific, government-controlled conditions. The problem comes in a few forms. First of all, the government needs to be treated as a trusted party in all of our communications. Regardless of the regulations, a corrupt government or certain corrupt individuals could bypass these regulations, resulting in a digital Big Brother. Even on a small scale, this is completely unacceptable. The worst case is that the people's right "peaceably to assemble, and to petition the Government for a redress of grievances" could be restricted by identifying and silencing anyone who tries to organize a coordinated protest and fears such a response to public expression of government opposition.
The more important problem here is that, like "access control mechanisms," these measures will not stop the intended targets. The first step would have to be a ban on non-compliant encrypted transmissions in addition to a ban on the distribution of hardware and/or software that can be used to produce such transmissions. Even if it were possible to filter out all non-compliant encrypted traffic (this process alone is scary), this can only work for encryption at the bit level (and even then only if non-compliant encrypted data wrapped in compliant encryption can be detected and rejected). A simple word substitution code could bypass this, and a more elaborate system (think industrial strength word level encryption) could be very secure and impossible to detect. Considering that only criminals would be developing and using such "illegal" encryption, a law against it will not act as a deterrent. The criminals will still have encryption, law-abiding citizens will have no privacy, and the government will continue to pass increasingly restrictive laws of this nature. In other words, nothing good can come from this.
Re:How far down the slippery slope will we go? (Score:2, Interesting)
Either way, I agree completely. If this law, or anything remotely similar to it, is passed, then the terrorists will truly have won.
Aside from that, has anyone seen the changes to security the FAA is making? Incredibly stupid if you ask me. What is so difficult about putting a reinforced steel bulkhead in between passengers and the cockpit? Or put a small room in between passenger compartments and the cockpit with a couple armed air marshals in it. It really doesn't seem like the government thinks very much any more, does it?
Re:Best reply (Score:5, Interesting)
I don't.
The objective here isn't to stop the guy. They could've if they'd wanted to. About a week before the attack the U.S. Postal Service stopped delivering air mail to the region. They knew something we didn't, and opted not to stop it. And I think I know why.
We hear a lot about terrorism against the U.S. We don't usually hear the other side's complaints. Obviously they don't think of it as terrorism, they think of it as some sort of a protest. I wonder what they're protesting, and why. If our government did something unjust to them, I wouldn't trust our media to tell us about it. But as a tiny little group of malcontents going up against the U.S., about their only recourse is an attack like this. Given that the U.S. government knew about it beforehand, they didn't bargain to prevent it for one of two reasons. Either the price was considered too high, or the U.S. government thought that an attack like this would end up working in their favor. They've been looking for an excuse to nullify cryptography for years now. Anybody remember the Clipper chip? The legislation keeps being defeated, because people are siding with the need for privacy. Now they've been able to demonstrate a supposed need for the U.S. government to know everything that's being said anywhere in the country. Perhaps they think it will sway the common consensus in favor of their legislation.
Galling, isn't it. More impressive (from a logistical standpoint) than crippling a nation with a store-bought knife and their own planes, is the prospect of prying your way into a nation's cryptography with someone else's store-bought knife, someone else's plane, and a bunch of lives you don't care about because you think of them as "your citizens", in the same usage as "your house" and "your car". Oh, and a temporary economic setback which you mitigate by printing more baseless currency. Clever.
Re:How far down the slippery slope will we go? (Score:2, Interesting)
Think pre-emptive (Score:2, Interesting)
What if we accepted this, and started thinking of what conditions would make this acceptable to the community at large? If you were crafting a bill with the goal of allowing governments to be able to read encrypted traffic, what restrictions would you have, and how would you implement it?
Personally, I know that the US government (or any other) can have my keys over my dead, cold keyboard. But what about this:
1) "Backdoor" keys are generated on a per-key basis. When I generate a key in PGP (or whatever), it generates a backdoor that indicates which key it's for, and sends it off (see #2).
2) Keys are not held by governments. They are held by not-for-profit 3rd party companies whose job it is to make sure that governmental key requests are legal. The board of said companies are selected by the keyholders (no more ICANNs!!).
3) One company per country. The software will ask which country you are in, and register the key with the registrar for that country.
4) Require the law enforcement agencies to go to an actual judge to get a warrant to get the key. They have to show valid cause. None of this "National Security matter" or FBI Committee.
5) If another country wants the key, they have to approach the local law enforcement for the country that holds the key, who goes to a judge. No out-of-country warrants, and this protects against international spying (Echelon, anyone?).
6) Explicitly ban the FBI or any other agency from monitoring traffic to/from the registrars. No Carnivore allowed. Not allowed to use any keys captured in a wiretap, separate warrant required. No NSA gobbling other nations' key traffic.
There's some things that would still need to be worked out, like how to prevent people from registering their keys with, say, Denmark when they are in the US, and how to fund the not-for-profits (Matching funds from the Governments and the software makers? Governments and fees from the encryption user?), but you get the idea.
Thoughts?
-NapalmGod
Err... (Score:2, Interesting)
Gonna be funny to see which side wins, the backdoor proponents or the DMCA advocates.
- SBB
Re:I don't think so. (Score:4, Interesting)
Re:How far down the slippery slope will we go? (Score:3, Interesting)
Now regarding the other idea...so you put this jail cell in with a couple marshals. What do you do when terrorists in the back of the plane start slitting the throats of women, children, or babies? You have to leave your cushy little cage to get to them, whoops sorry that's what they wanted. Do you really think the marshals would be able to resist the temptation to leave the cage as one-by-one the passengers are all slaughtered? Do you think any of them would still have a job after the public got wind of it? It doesn't matter if they were preventing a crash, the public will still say they should have done something. It's a lose-lose situation.
No, marshals should be unfettered and undercover. That way, the terrorists need to have a lot more people on the plane to take it over. A trained gunner can easily take out two or three individuals before they have an opportunity to react.
I think personally what we need to develop is an emergency lockout. A panic button that when pressed will lock the plane on autopilot programmed to land at the nearest airport. If that's not technically possible, it should circle the nearest body of water or uninhabited area (using GPS). The only way to override this lockout would be with a code from ground control. This system would be that difficult to implement. It wouldn't be foolproof, but it wouldn't be something two or three men armed with forks would be able to disarm. Worst case scenario is that the plane runs out of fuel and makes a crash landing in the middle of a field. Hopefully with no fuel, people would survive that. As tech improves, it should be possible to land flawlessly.
But anyway, regardless of what changes are made...I don't think they will be necessary. The reason this happened is because no one conceived of the possibility. Everyone did what the law enforcement agencies have always said: be cooperative and don't fight back. But look what happened in PA. People will fight back now. No one is going to let themselves become a flying bomb.
God help any Arabic person who forgets to put down his pencil/fork/toothbrush before standing up in the aisle. He's likely to be tackled and beaten by a panicking mob of passengers.
- JoeShmoe
The illicit traffic daemon (Score:3, Interesting)
Raw data and meaningful statistics should be readily available. And WE ALL HAVE TO RUN IT ON OUR MACHINES. WE have to, or the FBI will hang our rights out to dry.
Internet Revolutionaries - White Hat
Crackers - Black Hat
Enablers through apathy to crackers. Squashed like grape. - Gray Hat.
Think about it, IF WE HAND THEM ALL NON-INVASIVE data they have a much harder case to make when trying to justify collection of INVASIVE DATA and we (freedom lovers) have a much better case to make.
Think about the consequences if no one ever reported gunshots outside their house ever again. That is what is happening right now, and that is why the Government is heading down the path of misery and death at our expense.
I do not know of such a program (or where to get my unencumbered data). If such a project currently exists please point me/us to it so I can install it RIGHT NOW!
Well put (Score:1, Interesting)
The other particular problem with cryptography is that the big breakthroughs are nearly always at the theoretical level. So a new, super-secure product with a backdoor can always be replicated without such a backdoor by a sophisticated computer scientist. And there will always be somebody like that available to fix the inconvenience for the bad guys.
The rest of us will pay the price in reduced freedoms. In fifty years, we'll say the same thing we say today about income tax: "It was a temporary measure, just introduced to resolve a particular crisis."
So as far as I'm concerned, I'm pissed at the bad guys, and I am prepared for extreme measures as a result, on the part of my country and myself; but I hate the idea of extreme measures that are really just bullshit P.R. and politics. Leave the science to scientists.
-- Spiny
Re:How far down the slippery slope will we go? (Score:3, Interesting)
The F16 and the nuke are weapons of mass destruction. For the government to PACIFY the people, they will have to OCCUPY our cities -- not destroy them. And an occupying force is terribly vulnerable to resistance.
In the worst case scenario of a US revolution, the army will be rolling in with tanks and ranks of guys with rifles... and that's the kind of enemy that Joe Average with a Gun can in fact take on.
Look at Chechnya. The Russians had to shell Grozny into a smoking pile of rubble because the Red Army could not deal with rebels with rifles. If it was Moscow that was to be pacified, they probably wouldn't have gone to such extreme measures; the Russians HATE the Chechens.
I do not believe the American armed forces would pull a Grozny on an American city. Remember, the soldiers are our countrymen, and if average people were pissed off enough to take part in a revolution, that's going to include military folks too. They aren't the enemy... they are US.
If some faction within the gov't started NUKING our own cities, I believe that the vast majority of our people, military and civilian, would unite to take the bastards out. And we'd do it too, with our Glocks and hunting rifles and fighting spirit.
Anyway, it comes down to this: if the military tries to suppress or pacify an American revolution, they are vulnerable and I believe ultimately they will lose. If they try to utterly destroy us with nukes... well, ok, my shotgun won't help. But that isn't a revolution we're talking about there... it's genocide. I doubt things would ever come to that. We probably won't be nuking anybody as a result of the WTC attack, and that was a provocation worse than Pearl Harbor... so talk of nuking ourselves is pretty far out there.
Only outlaws will have encryption.. blah blah blah (Score:4, Interesting)
As for "mandatory crypto backdoors", I think it's become a common saying that when encryption is outlawed, only outlaws will use encryption. This is a ridiculous time to be making any hot-headed decisions on something like this. Even if the US did make some inane law mandating backdoors in encryption there are plenty of free and completely open strong algorithms out there to use. What stops terrorists from using these other programs NOT made in the US or writing their own code?
This is the kind of thing that happens after every tragedy unfortunately. Emotional people start making emotional cries for immediate changes. After a school shooting people call for a ban on guns. People, shooting another person is already illegal! Banning guns is not going to stop a *criminal* from shooting people. Banning strong encryption is not going to stop criminals or terrorists from using strong encryption! Hijacking airplanes is also a crime but that didn't stop a bunch of whacked fundamentalist motherfuckers from doing it now did it?
Re:I don't think so. (Score:2, Interesting)
Re:This was inevitable, but it's still sad... (Score:2, Interesting)
Re:Heavy crypto user? (Score:4, Interesting)
Appear to be less of a threat than you are, and you get left alone, and can choose your battles. Appear to be gaining in power, knowledge and skill, and someone will have a go at taking you out for their own good.
I'm not saying that that's the case here; just that that's what I'd do (and I'm no criminal mastermind).
Cheers,
Tim
Something to think about (Score:1, Interesting)
http://www.openbsd.org/images/tshirt-7b.jpg
Remember CipherSaber (Score:4, Interesting)
Any decent programmer can write their own encryption in a matter of minutes. Go look at the CipherSaber [gurus.com] home page.
So get out there and build yourself a saber. Then use it to encrypt a short reply to this article with the key freedom.
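An added example, not part of the comment above: a minimal Python sketch of the published CipherSaber-1 design (RC4 keyed with the passphrase followed by a random 10-byte IV, the IV written in front of the ciphertext), to show how little code the comment is talking about. RC4 is considered broken today and the format has no integrity check; the function names here are this example's own.

```python
import os

IV_LEN = 10        # CipherSaber-1 prepends a 10-byte random IV to each message
MAX_KEY_LEN = 256  # RC4 accepts at most 256 key bytes (passphrase + IV)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream derived from key (same call decrypts)."""
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute the state array under the key.
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    # Pseudo-random generation: one keystream byte per data byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def cs_encrypt(passphrase: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Return IV || RC4(passphrase || IV, plaintext)."""
    # A fresh IV per message keeps two messages from sharing a keystream.
    iv = os.urandom(IV_LEN) if iv is None else iv
    if len(iv) != IV_LEN:
        raise ValueError("IV must be exactly 10 bytes")
    return iv + rc4_xor(passphrase + iv, plaintext)


def cs_decrypt(passphrase: bytes, message: bytes) -> bytes:
    """Split off the 10-byte IV and undo the keystream XOR."""
    if len(message) < IV_LEN:
        raise ValueError("message shorter than the IV")
    iv, body = message[:IV_LEN], message[IV_LEN:]
    # No authentication: a wrong key or a tampered body still "decrypts".
    return rc4_xor(passphrase + iv, body)


if __name__ == "__main__":
    # Constructed sample message, using the key the comment suggests.
    sealed = cs_encrypt(b"freedom", b"a short reply to this article")
    print(sealed.hex())
    print(cs_decrypt(b"freedom", sealed))
```

Because the ciphertext is a plain keystream XOR, flipping a bit in transit flips the same bit of the recovered plaintext, and nothing in the format detects it.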
Re:Mixed feelings (Score:3, Interesting)
The first thing to consider is the "trust" question. Do people trust their governments? The unavoidable answer is that here in the UK, in the USA and in many other countries, a very significant part of the population very obviously do not fully trust their governments.
Arguments about whether this attitude is well founded aren't relevant. All that counts is the existence of enough such people.
The next thing to consider is the practicalities - can it be made practically difficult for those who distrust their governments to obtain software without backdoors? Even in a "closed source" world this is going to be very difficult or even impossible - too many people already have the tools and the knowledge and it is very easy to spread the information around. In a world where "Open source" software is permitted I reckon it is simply impossible.
So we have a number of people who wish to prevent government snooping - or simply wish to reach the maximum level of security they can achieve. If those people choose to use techniques without backdoors - they can do so.
Can you "persuade" such people not to use encryption without back doors ?
I don't think you can do it by force. The first problem is detecting them. Such people will simply encrypt their files securely and then encrypt the results again using an "approved" method.
How are you going to tell that people are using "double" encryption ?
Maybe the security services will be allowed to do audits - use their backdoors on randomly selected messages to check that people aren't hiding unapproved encryption ? Do you think that would be publicly acceptable ?
What happens when security services encounter a file format they don't understand ? Can they demand that all file formats be explained to them to ensure you're not encrypting data ? Will that be universally publicly acceptable ? Is it even practical ?
So if you enforce encryption with back doors all the security services will see is an apparent mass of files encrypted using the approved methods - with no practical, publicly acceptable or easy method of picking out the interesting messages or recipients.
>If everyone out there is using nearly unbreakable encryption they simply don't have the resources to sift through everything they want to look at.
... and because of the above they still won't have the resources to sift it.
The only way to tell which of your 100 Million people are using unapproved crypto is to routinely open the "back door" to the privacy of all 100 million - with all the practical and political problems that follow. Even then you aren't much further forward.
What's even worse is that the REAL terrorists will be busy uploading and downloading beautiful, original, high definition photos of huge flower arrangements and landscapes - with the real (heavily encrypted) messages hidden within using stego. So while the security services are busy trying to determine which of their 100 million make it onto the next list and then the next list - they've already eliminated from further study the ones they're after. Use stego correctly and it is near to mathematically undetectable as really makes no difference.
Benjamin Franklin on liberty (Score:2, Interesting)
-Benjamin Franklin
That pretty much sums it up for me...
/rr
Re:Mixed feelings (Score:2, Interesting)
It's an interesting read, and like most things is better than senseless speculation. No offense intended.
No law (Score:1, Interesting)
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
What part of "Congress shall make no law...abridging the freedom of speech" does Judd Gregg not understand?
Illegal immigrant apparently warned of the attack (Score:2, Interesting)
About 10 hrs ago, before I went to work (I live in Europe) I wrote what I had just heard on local radio (all the media is still full of the events, of course - the campaigns for next week's elections for probably a new mayor of Hamburg have been interrupted) and submitted it as a /. story, which was later rejected - I shall now post it as a comment, in case anyone is interested.
Apparently, CIA may have been warned immediately before the attack. According to German newspaper Hannoversche Neue Presse [neuepresse.de] (article in German - it was already slashdotted this morning, or so I think), an Iranian imprisoned in Hannover, Germany (Langenhagen, near the airport) has been reported to have called CIA officials to warn about the imminent assault. When they heard he was calling from jail, they just hung up. Subsequently, he desperately tried to get a fax through to GWB.
Attempt at correction of a babelfish translation [altavista.com] follows.
Seems like someone among the terrorists' own ranks didn't think their plans were a good idea... Seems also that breaking crypto wouldn't have been able to tell them anything they couldn't find out by other means.
Kiwaiti
Ex-KGB suggests U.S. needs more LOW TECH espionage (Score:2, Interesting)
The article is here. [cnnenespanol.com]
Babel fish is here. [altavista.com]
CNN Spanish edition tends to have much broader worldwide content than CNN in English.