Legislating Insecure Encryption

firewort writes: "Sen. Judd Gregg (R-New Hampshire), who called for global backdoors in encryption products in a floor speech last week, is readying legislation. This is another push for backdoors - but it seems that Gregg wants them to be used cautiously, only with permission from a US Supreme court appointed commission, subject to normal search and seizure rules." Representative Goodlatte, who has supported strong encryption before, is one of the few people speaking out against this.

This is scary

[Anonymous Coward]

Does it bother anyone besides me that Congress is using the terrorist attacks as a blank check to take away civil liberties? As we all know, this bill has been proposed that would require back doors (or weaker encryption) in all encryption products, which is NOT okay in my book. I'm all in favor of heightened security carried out in an intelligent manner, but this is completely ridiculous.

Security

[Anonymous Coward]

...is only as good as its weakest link.

Think of that what you will.

I'm glad someone is against it

[progbuc]

The problem with these tragedies is that everyone is scared of being for encyrption and privacy for fear of being seen as sympathetic to terrorism and not getting re-elected. I'm glad there are at least one senator that can see that this was a horrible tragedy, but that that shouldn't change everyone else's rights.

ban crypto

[Anonymous Coward]

I would rather see cryptography banned outright than legislation to require back doors.

If there are back doors, they WILL be exploited by the wrong people while creating the ILLUSION of security. Crypto back doors create a huge opportunity for economic terrorism. If people know there is no security of data transmission, they will more likely treat the media accordingly.

Of course, this will spell the end of on-line business and be a huge hit on the economy both in the short and long term but why should that stop futile attempts to "do something" to stop terrorism?

Re:Required Key Escrow As Law Enforcement Tool

[choco]

>However, what it will do is allow law enforcement to stop, interrogate, hold and arrest a suspected terrorist on the grounds that the person has a cryptography program on their computer

Yet another flawed idea. It may work on the brain dead. But is easily avoided by everyone anyone else.

You take someone's computer, anyone's computer. They likely to have hundreds of thousands or even several million files on it - with thousands or maybe tens of thousands of executables. Somewhere in that lot is an executable which contains the "illegal" encryption and decryption routines. An exectuable with a misleading name, which also does something entirely legitimate, which may itself be compressed or encrypted.

You're going to have to scan every file to see if it is exectuable, or a compressed or encrypted executable. When you find your executable you're going to have to do some very detailed analysis to see if it offers any "forbidden" functions.

Analysis of a system for unauthourised crypto programs is going to take serious time and serious resources.

If you have a strong suspect, by the time you've unscrambled what's on their computer the result is pretty academic - it's going to be far too late to assist any ongoing investigation - the trail to the next link will have gone cold.

If you don't have a strong suspect this is going to be useless as an investigation - you can't use it for screening - ANYONE you care to check is going to take so much time and money before you can eliminate the suspect as to make the techinique worthless.

Even at its absolute best, The proposed restrictions will achieve little more that provide an extra, technical offence to charge the obviously guilty with.

The test isn't "does it serve ANY purpose" - it is "does it serve any USEFUL purpose" - and the answer is that it doesn't.

You may think that it is still worth the cost to the rest of us. I don't.