Forgot your password?
typodupeerror
Encryption Security

Legislating Insecure Encryption 290

Posted by michael
from the no-deadbolts-for-you dept.
firewort writes: "Sen. Judd Gregg (R-New Hampshire), who called for global backdoors in encryption products in a floor speech last week, is readying legislation. This is another push for backdoors - but it seems that Gregg wants them to be used cautiously, only with permission from a US Supreme court appointed commission, subject to normal search and seizure rules." Representative Goodlatte, who has supported strong encryption before, is one of the few people speaking out against this.
This discussion has been archived. No new comments can be posted.

Legislating Insecure Encryption

Comments Filter:
  • This is scary (Score:1, Insightful)

    by Anonymous Coward
    Does it bother anyone besides me that Congress is using the terrorist attacks as a blank check to take away civil liberties? As we all know, this bill has been proposed that would require back doors (or weaker encryption) in all encryption products, which is NOT okay in my book. I'm all in favor of heightened security carried out in an intelligent manner, but this is completely ridiculous.
  • Everyone knows that any law that the government can abuse, it will abuse. Can anyone dispute the fact that it'll be using these backdoors routinely, if illegally, a few years down the line?
    BTW, SECOND POST BITCHES!!!
  • Security (Score:1, Insightful)

    by Anonymous Coward
    ...is only as good as its weakest link.

    Think of that what you will.
  • I am not worried about law enforcement reading my email per se. What I'm concerned about is my competitor, enemy, or boss having access to my personal communications.

    Making a deliberate flaw in a scheme makes this more possible as we all know.

  • This sort of legislation will only hinder criminals that obey the law.
  • The problem with these tragedies is that everyone is scared of being for encyrption and privacy for fear of being seen as sympathetic to terrorism and not getting re-elected. I'm glad there are at least one senator that can see that this was a horrible tragedy, but that that shouldn't change everyone else's rights.
  • Lemme tell you, I will not be re-electing this guy. He's always been the lesser of evils in the past, but I guess he didn't like second place.
  • by Zwack (27039) on Saturday September 22, 2001 @06:16PM (#2335476) Homepage Journal
    And I will keep on saying it.

    Now is the time to contact your representative, your senators and probably even your local media and tell them exactly how much damage this legislation could do.

    Tell them about encryption used to protect your online banking transactions. Tell them about encryption used to protect company secrets. Tell them that this is bad for trade. Tell them that this is bad for innovation (unless you're Microsoft I guess)... Tell them how you feel about it.

    Don't just sit back and let this go through. If nobody says "this is bad" then it will be passed...

    While telling your congress critters, be polite, spell check before sending. Fax and/or write rather than e-mail. Call them and talk to them. But however you do it, make sure that your voice is heard.

    Zwack.

    p.s. Yes, I've already written to my congress critters.
    • My letters are written... however, these are extraordinary times and more action is required.

      Most of us are aware that price gauging during a crisis is immoral. Political opportunisms and raw power grabs at these times is atrocious.

      But intentional disarming of our businesses, opening our information resources to hostile nations and criminals may be treason.

      We'd hang a soldier that gave secrets to the enemy in wartime. We'd hang a leader who conspired with the enemy to lead our troops into ambush.

      What else is appropriate for a congressperson who aids the enemy through dumbed down encryption and banned secure operating systems - even if their gain is merely political or financial?

      Congresspersons, your nation *will* hold you accountable. Do not jeopardize this nation!

      *scoove*
      Don't tread on me... or my constitution.
  • What happens when regular script kiddies discover how to use it?

    Worse, our enemys.
  • Perhaps we should pass a law specifically against crashing airplanes into buildings. As far as I know there isn't a law *specifically* against this, and we all know that *everyone* follows every law all the time. We probably need both a federal statute and numerous state and local ordinances to let would-be terrorists know we're serious.
  • Judd Gregg was definitely around in the Senate when the last encryption debate went through, and all the same reasons we bring forth today were found valid and worthy.

    The WTC disaster does not change the validity of a single one of those reasons, namely:

    1) Strong encryption is vitally necessary to any digital communication involving business and finance.

    2) Strong encryption is worthless if backdoors are placed into it- see Matt Blaze's skillful discovery of every single law enforcement key within the Clipper system.

    So, why does this debate continue? My only guess is strong emotions combined with a fundamental misunderstanding of what is being discussed on the part of Mr. Gregg.
    • The WTC disaster does not change the validity of a single one of those reasons, namely:
      1) Strong encryption is vitally necessary to any digital communication involving business and finance


      Especially where these communications can be trivially intercepted.
      On the other hand encryption is not a necessity for planning acts of terrorism. A terrorist is more likely to use such low tech methods as face to face communication.
  • Yep. Somehow it is utterly un-surprising that Congress is using this as an excuse to take away more of our basic rights. The day the WTC and Pentagon were hit I could tell instantly that Congress was going to take this and turn it in to "If you want more national security, you have to give up personal security." Anyway, we cannot allow this to happen. You can draw a parrallel:

    Congress:People
    Terrorists:USA

    Because only will of the people will be able to overcome the legislation that congress proposes, just as the will of the USA and other countries would be able to overcome the terrorists. And both the terrorists and congress are going to end up taking our rights away, as Congress is using the terrorist's acts to "justify" taking away rights for "national security."

    I end this with a note of hope: You elected your Congressmen (and Congresswomen), so now to maintain your rights, you need to call them or E-Mail them. They are there to represent YOU, so let them know how you feel!

  • How about those of us using secure encryption now? Will using non-compromised versions of PgP be a felony? Will having a copy on your hard drive be dangerous?

    The other day I was at the office store, puttzing around the crappy software (though Office Max is carrying various Linux distros.) and I noticed they were selling a nice boxed Pgp + firewall+ miscellaneous crap product from Macaffe called "network security" or something like that. Made me wonder how they are going to root all the sheeple out there that can barely maintain their windows boxen out from the supposed "terrorists".

    Strange days indeed.
  • So let me get this right, he wants to create legislation that won't stop bad guys because A) it only effects the US and B) the bad guys wouldn't bother using backdoored software AND he want's to mire it in quasi-judicial controls so that the bureaucracy will make use of the backdoor a rare and slow event (at least for legal government purposes).

    If it wasn't for the fact that any such restrictions impose an extra burden on software/hardware manufacturers and limit the security of encryption, I'd start to think this was nothing but feel good legislation that would never accomplish anything. Sure doesn't seem to be accomplishing anything good.
  • On the issue of encryption Goodlatte is usually right on target. He has been vehemently oppose to laws which would limit its accessability to average Americans. However on other issues he is a total nut in my opinion. He is staunchly pro-DMCA and is proud that he took a part in its creation.

    Yet as a Virginian I'm ashamed that someone from my state played a role in the creation of such an anti-American bill. Give the man kudos for defending crypto in Congress at a time like this, but don't think that he is a freedom-loving politician. He said at my high school (I'm a freshman in college now) that if he had it his way he'd abolish our lottery because there are "better uses" for people's money than a lottery. $1-$5 a week for the hope of striking it big is a bad thing? $1-$5 a week invested in further funding our state's infrastructure is a bad thing? $1-$5 more invested in an education system which is #7 in the nation in passing the AP tests is a bad thing? And finally $1-$5 a week invested in the same education system that has one of the highest passage rates in the nation on some of the most rigorous standardized tests in the nation?

    Now is the time for us to be holding our republican values (and I don't mean the party) more dearly than ever. The purpose of establishing a republic and not a new monarchy for our people was to break the cycle of tyranny. Let's remember what happened to the Roman Republic. By the same token, let's learn from the lessons of the past so the American Republic doesn't go the same way.
  • Check it out:

    http://www.startribune.com/stories/1576/706443.h tm l

    Basically, Phil feels responsible for helping the terrorists.
    • Please at least read the article you're linking to (and get the link [startribune.com] straight, while you're at it) before posting something like that.

      In the article, the actual quotes attributed to Zimmerman show that he feels badly about the events, but in no way do they indicate that he feels responsible for them. I think this one sums it up (in regards to some hate mail he received):

      "He raises some points that many people are raising right now, namely that terrorists can use the technology," Zimmermann said. "But it overlooks the strong need for good crypto."

    • Well, why not? Crypto, like TNT, has done more good than harm.

      Hiding tools from honest people only assures us that honest people suffer without benifit. Priciples of operation will always get out and the bad guys will always use those tools as they see fit. You can't hide crypto and we should all be using it to protect our privacy.

      Here are some more people you can hate, if you still want to point a finger at Zimmerman:

      The Wright brothers, for giving the terrorist a weapon.

      Whittle, for developing the engines that powered that weapon.

      Eifel, for giving the terrorist a target.

      Diesel, for working out the use of heavier oil fuels that all jet aircraft use.

      Oh yeah, don't forget that hideous man who invented the knife.

      So go on and ban aviation, skyscrapers and knives as well as deadly crypto. The world will not be a better place!

  • What if this sort of idea goes international?



    I can imagine it, now: Mr Terrorist uses the encryption product for which his local government (for example, the Taliban) holds the back door key. The U.S. court sez that it wants to read the mail. The U.S. then sends a nice, polite letter to the Taliban asking for that key...



    When where freezes over?

  • I'd like to see someone create a web database on politicians' voting records on issues relevant within the technical community (ideally with some kind of interface for selecting which issues you care about, and even in which direction). Hopefully, this would help people make more informed decisions, and, just the public knowledge that such a database is being compiled and published might influence legislative decisions a bit.

    Anyhow, here is a small start. I would encourage anyone with additional data to post it right here. I'll try to add it to this list, and perhaps someone more ambitious will be able to browse the follow-ups and start a real web database on this.

    United States Senate:

    CALIFORNIA: Diane Feinstein, Democrat, Bad
    - Co-sponsored "Combating Terrorism Act of 2001"
    http://www.wired.com/news/politics/0,1283,46852,00 .html
    o Elected in 1992 (short term), 1994, 2000, 2006

    MICHIGAN: Carl(?) Levin, Democrat
    + Argued against "Combating Terrorism Act of 2001"

    NEW HAMPSHIRE: Judd Greg, Republican, Bad
    - Called for crypto key escrow after World Trade Center bombing
    http://www.wired.com/news/politics/0,1283,46816,00 .html
    o http://www.senate.gov/~gregg/body_about_judd_gregg .html
    o Elected in 1998, 2004?

    UTAH: Orrin Hatch, Republican, Mixed
    + Suggested mandatory licensing for online music copyrights
    - Co-sponsored "Combating Terrorism Act of 2001"
    http://www.wired.com/news/politics/0,1283,46852,00 .html
    o Elected in 1976, 1982, 1988, 1994, 2000?, 2006?

    VERMONT: Patrick Leahy, Democrat, Good
    + Argued against "Combating Terrorism Act of 2001"
    http://www.wired.com/news/politics/0,1283,46852,00 .html
    o 1974...1998, 2004?

    United States House of Representatives:
    Bob Goodlatte, Virginia, 6th District, Republican, Good
    + Co-sponsored lifting of encryption controls
    + Speaking out against encryption controls after World Trade
    Center Bombing. http://news.cnet.com/news/0-1005-200-7249721.html

    Zoe Lofgren, California, Democrat, 16th District, Good
    + Co-sponsored lifting of encryption controls

  • by Lostman (172654) on Saturday September 22, 2001 @06:59PM (#2335599)
    I have posted on this topic quite a few times before, but I must post again.

    I enjoy working with encryption and number theory. I enjoy the theory behind encryption and why it works so successfully.. I will try to explain how it works (to a point) and this is a BIG reason why backdoored encryption can't work.

    For this example: Assume use of RSA encryption

    The way that this encryption works is it finds a function f[x] that is (to a point) one way. (NOTE: impossible [as of yet] to prove that it is a true one way function but the lower limit on finding the function has never been solved.. so for all purposes as of yet it is oneway). That is... f[k] == k' (k' being encrypted version of k). The way this works is that the function f[x] which is known by everyone and the value k' could be known by someone and still not be able to convert k' back to k. This is serious advanced number theory and requires very specialized hard-to-find functions.

    To allow backdoors (that can be used without having a persons program but only the encoded message) is saying that the function f[x] must be modified to the point that there exists a function g[x] (for each SPECIALIZED function f[x] [that is, each persons f[x] is different, but g[x] must decode all of them]) that can decode any function f[x]'s input. Translation: f[k]==k' but g*[k']==k (for any function f[x] specialized). This function g[x] must be found when working out the base of the encryption product and once the function f[x] is worked out so g[x] exist, it stops being a one way function and therefor stops being useful.

    So basically, if this happens, we might as all just encode our messages with rot13 and it will be the same as using any new "government approved" encryption... because someone somewhere WILL leak the functions g[x], whatever[x] (for each encryption product).

    (For those who are curious, the reason each f[x] is tailored to a specific person is the picking of the keys allows a "trapdoor" as RSA puts it: another part of the function f[x] that is not mandated at production time. Of course, if a g[x] can decrypt the f[x] (no matter specialized) then the trapdoor theory is useless and serves no purpose therefor weakening it to a childs toy)

    And yes, I know I am speaking to the choir here.. the thing is a long time ago I was reading slashdot when someone spoke about encryption and the basics of encryption theory.. it got me interested enough to look at it myself and now I am intrigued by it and am always learning more. My example may have small errors in it.. I hope someone can call me on them if they notice--> its always best to be factually correct...

    Thanks.
    • g[x] is not necessarily obvious given f[x].

      Assuming g[x] is based on some codebreaking technique which the academic community doesn't know but the NSA does. For a time, differential cryptography would have worked. So, DES before the NSA made it more secure could have been used for this.

      Still, the academic community could catch up any time, so this is not a good strategy.

      Other forms of back doors exist - consider PGP ADKs (assuming the implementation weren't broken). They don't reduce the security of the system significantly, but they do provide a backdoor. Of course, this assumes that their use can be mandated, which we all know is impossible.
    • Wouldn't it be nice to have a distributed.net victory about now? Crack that RC5-64 code and show folks that a backdoor can be broken by bad guys via brute force?

      Hmm... 57.395% of total keyspace checked. Time to add a few more machines and get cracking! Come on, cows!

      *scoove*
  • Somebody needs to shine the Flashlight of Reason into the Dark Corner of Stupidity don't you think?

    How can this possibly be enforced? I have books, and files on my computer, describing most common encryption and public key methods. I could almost write an RSA encryption program from memory, and I certainly could write a program to XOR with a LFSR or a one-time pad.

    The dumbed down articles always talk about how "complex" and "sophisticated" encryption is, but it's not really that complex, once you know the formulas. Anyone with high-school math could probably understand many of the algorithms. You could explain a one-time pad in terms of adding and subtracting.

    And what is a legal definition of encryption anyway? If I XOR all my files with a constant byte, or if my ISP or the FBI happens to be looking and they don't recognize the file format and somebody calls the cops, how the hell am I going to explain how it's not encryption? Or will it be like the DMCA, and encryption will be anything they feel like.

    And are they going to somehow take away my SSH that I use almost every day to do work as a sysadmin? I get paid to secure systems, should I tell my clients "This encryption is difficult to crack. Except for the government and anyone else who figures out the back door. Sorry."

    Totally crazy and impractical.
  • Sen. Judd Gregg also reintroduced legislation to make the value of pi equal to 3. "We cannot afford the inefficiencies resulting from the oddball values of pi some fringe academics have dreamed up. Our new wartime economy must be efficient, and to help with this effort, Congress will adopt legislation that will greatly simplify the design of common military hardware like wheels and gears," said Sen. Judd Gregg in a televised statement.

  • From the story referenced above:

    "That's like telling people to take their house key down to the police station," Goodlatte said. "People are not going to have greater confidence in their security by doing that."

    Good analogy. These things must be made simple, because most lawmakers have no technical education whatsoever. Did I say NONE at all? As in Duhhhh!


    Secret U.S. government agencies control U.S. violence: What Should be the Response to Violence? [hevanet.com]
    • That's a terrible analogy!

      A locked door does not prevent the police from entering a house with a search warrant. There are plenty of physical means for breaking down a door to gain entry into a person's house. A key is not necessary. However, with encrypted data, even if the police receive a warrant, they will have no way of searching through a person's secured data

      I don't understand how people can argue that just because data is stored on a person's computer, it should somehow be impervious to search warrants. Why should encryption necessarily give people more rights then they had a decade ago?

      No one on slashdot has had any problems with the FBI searching through the former residences of the suspects of the WTC attack. However, the slashdot crowed would be up in arms if the FBI somehow was able to search through encrypted data on their computers. What if an encrypted e-mail existed that could conclusively link the highjackers with Osama Bin Laden? That piece of evidence could be enough to convince the Taliban to turn the guy over, and thus, prevent a war. Unfortunately, given the current state of encryption, this piece of evidence could never be decrypted and used.

      If there is a technical means to restore the power of a search warrant, I'm all for it. While it might not stop the truly determined criminal, some crimes probably could be prevented, and as long as it's implemented correctly, no loss of personal freedoms would occur.

      Obviously, there needs to be safe guards protecting law abiding citizens from illegal search and seizure by the government by ensuring that only the intended recipient and those with a warrant can decrypt secure messages. Perhaps, this can never be accomplished, which would mean that this legislation should not be enacted. But if the law required that all encrypted messages be encrypted with both the public key of the recipient and the public key of some government agency, then I think the above goals could be meant. While I respect arguments concerning the technical feasibility of such a scheme, I don't respect people who argue that unbreakable encryption should somehow be an inalienable right.


      • Well then, create a better way of explaining encryption to non-technical people.

        Do I have a right to speak to my woman friend or wife or children in private? If I do, then I have the right to unbreakable encryption.

        There was one EXCELLENT way of fighting Osama bin Laden: Don't support the Taliban or the Saudis, as the U.S. government did for many years. Then they would fight someone else.

        This encryption debate obscures the real issue: The U.S. government must stop being adversarial with the whole world.
        • Do I have a right to speak to my woman friend or wife or children in private? If I do, then I have the right to unbreakable encryption.

          You don't have this right if a law enforcement agency has obtained permission to tap your telephone line via a court order. Again, if you use unbreakable encryption, there's no longer away to accomplish this. If a court order hasn't been obtained, not only is it illegal to listen to your private conversation, anything gained through these means is inadmissible.

          • You don't have this right if a law enforcement agency has obtained permission to tap your telephone line via a court order.

            That simply gives them the right to intercept the comminication. Otherwise when a tap was put on they would also need to put on a recorded message obliging people only to use certain languages and avoid slang...
  • I dismissed privacy concerns as being currently out of fashion. I *wish* that I had done the same for practicality concerns, because we all agree that truly controlling the flow of such information is impossible.

    I emphasized that there are many different crypto channels, and to be effective they'd have to weaken every one of them, because terrorists could simply shift to a different channel if, for instance PGP email were back-doored or weakened.

    Then I explained that any inserted backdoor could be rediscovered within a reasonable time. I wish I had had access to the Clipper references mentioned here. But I was also struggling to keep this on one side of one page, so perhaps it doesn't matter.

    Finally I added that the safety of our financial and network infrastructure depends on some of these alternate crypto channels, and to compromise them would put us at risk. SSH and https: were mentioned examples.

    There, a case based on things other than privacy or practicality.
  • Much has been said over the last week about the government's ability to enforce such a law. One groups says that outlaws and terrorist will obviously refuse to use such weak encryption and others respond that law enforcement will then be able to indict them for violation of the back door law.


    This second argument is specious for two reasons.


    First, any law forbidding strong encryption without a back door could be binding on the sender of messages only. The receiver of a message encrypted without a back door could hardly be held legally liable for the action of another. Therefore, if the head of a terrorist organization outside of the US used strong encryption to send messages to terrorists inside the US, no law has been broken. The backdoor law is not extra-territorial and cannot ban someone outside the US from using non-backdoor encryption, and the receiver in the US cannot be held liable simply for receiving such a message.


    Second, the argument assumes that law enforcement can somehow detect whether or not a message is encrypted using a backdoor program or not. The ability for law enforcement to archive messages and search through their contents is truly staggering, but it is not all powerful. It takes many many computer cycles to sift through unencrypted data searching for words or phrases in order to be useful at all. There is no indication that anyone would have the computational power to sift through archived messages to determine if a message is encrpted or not, yet alone whether it was encrypted with lawful or unlawful software. Making such a determination on the fly would be absolutely impossible.


    Unless, of course, messages encrypted with compliant software contained flags set at specific bits to alert law enforcement to the presence of lawfully encrypted text. If that was the case, however, terrorist and other non-crypto-law abiding people could simply alter the open source code for their non-compliant crypto package to add the special bits. Law enforcement would still be unable to determine on the fly whether a message was lawfully encrypted or not.

    That leaves them only one alternative. They would have to try to decode all encrypted messages on the fly in order to determine which were lawfully encrypted. That action in and of itself would violate the privacy rights of anyone whose message was decrypted simply to determine if it was lawfully encrypted.


    Furthermore (or more precisely, once again), the ability to capture all messages and attempt to decrypt them on the fly in order to determine which where lawful and which were not is currently a technologically impossible task.

    • You don't need to proactively prosecute people for breaking the back-door law for it to be effective. Once, you've obtained a search warrant for a person, you have access to his or her data. At that point, you can determine if their data has been "legally" encrypted. If it hasn't, you can choose to prosecute them on that charge unless they give you the keys to decrypt the data.
      BR
  • Please consider joining or donating to the Electronic Frontier Foundation [eff.org] or at the very least send off the proposed correspondence from their page on this subject [eff.org].

    Based in San Francisco, EFF is a donor-supported membership organization working to protect our fundamental rights regardless of technology; to educate the press, policymakers and the general public about civil liberties issues related to technology; and to act as a defender of those liberties. Among our various activities, EFF opposes misguided legislation, initiates and defends court cases preserving individuals' rights, launches global public campaigns, introduces leading edge proposals and papers, hosts frequent educational events, engages the press regularly, and publishes a comprehensive archive of digital civil liberties information at one of the most linked-to websites in the world.

    And it needs our support to ensure that it is forever capable of supporting us against legislation that seeks to eliminate our rights and privacies.

  • Here are the talking points against this abominations:

    1. It's a total waste of time unless you have a plan to force the terrorists to use weak encryption.
    2. Centralized key escrow creates a single point of failure for our national cybersecurity infrastructure.
    3. Strong crypto can be defeated and has been defeated in the real world. You use existing wiretap laws to implement keyboard sniffers and the like to grab cleartext.
    4. You have to be prepared to use keyboard sniffers ANYWAY, because the terrorists aren't going to comply with your law.
    5. The bill violates the free speech rights of ordinary citizens and businesses. Conversion from already deployed strong crypto to crippled crypto is an effort comparable to Y2K.
    6. Stop using this as an excuse for the intelligence failure. It's bogus. These terrorists made credit card purchases, airline reservations, flight school training, apartment leases using real names sometimes even on our "watch list".
    7. Are we really willing to punish otherwise law abiding citizens who fail to register their crypto key? Who needs terrorists when the governement will destroy your rights for you?
    8. Security cannot be achieved by weakening security. What is security if not the protection of citizen's rights?
    9. The law cannot be enforced, and it's violation isn't even detectable. If you find an encrypted message, how will you know it wasn't made before the ban?
    • 2. Centralized key escrow creates a single point of failure for our national cybersecurity infrastructure.

      Ack! Thanks for reminding us of this aspect of the problem. Remembering the not-so-former administration and its bumbles, we had:

      - missing hard drives at a national nuclear lab (what ever did happen with that investigation? reno'ized?)

      - lost laptops with national secrets (culprits handslapped)

      - directors putting national secrets on their home peecee

      - presidents letting movie stars kids play with the nuclear "launch codes" football

      - major spy crisis after major spy crisis

      etc.

      And you want to give these guys the keys??? Might as well let Osama keep them.

      *scoove*
  • but rumour has it that the NSA can crack 128bit encryption (read: this has NOTHING to do with key size - a 128bit key or a 1024bit key, it's all the same). From a semi-reliable source the NSA has been funding a massive cryptology group to essentially find mathmatical weeknesses in many of our popular algorithms. Personally, I don't believe this is true, but it makes me think twice. If this is true, the reason this legislation is coming about is because the NSA doesn't share crap with the FBI, and very little with the CIA, and it's the FBI and the CIA that want it all. Food for thought.
  • If you copyright your encrypted communications, then wouldn't having the backdoor mean that it's a circumvention device and therefore illegal under the DMCA?
  • Southerners didn't free slaves until Union troops started invading and killing.

    Many people thought prohibition was a good idea until they tried it.

    Nobody started fixing the US economy until it collased in 1929.

    Germany didn't respect its Jews until it killed 6 million of them.

    The US Govt didn't get out of Vietnam until the people threatened a revolution.

    And the US people didn't give the FBI, CIA and airport security the people and resources they needed until the WTC came down.

    You can yell at the public all you want, but until they suffer for their folly, they won't listen. We may just have to suffer the absence of encryption until some terrorist wipes out a few million bank records, or until a few million PC users ignore the law.
  • You know somebody will probably figure out how toencode two different messages in one message. Decoding with the real key and the government backdoor will each give a different message.
  • What makes these fools think that bin Laden and organizations like Al-Qaida are going to start using their escrowed encryption programs? The only people who are going to be using this escrowed encryption are your people, your law-abiding citizens. Not even terrorists who enter the US are going to use it, obviously. Most of them may be psychos, but they are not stupid of course. If they were, they would have met their end long ago. In the meantime, someone is going to reverse engineer how you do your key escrow, and then everyone in the world who doesn't have a DMCA-like law can read escrowed encryption traffic after they reverse engineer the new chip that provides it. It may require the resources of a large semiconductor corporation to do the reverse engineering, but once that has been done, end of story.

    Hopefully the NSA will do everything to make sure that your escrowed encryption is as perfect as it can be, but given the Agency's track record, I would be wary. Besides, the civilian research into key recovery systems (mostly from Silvio Micali's research, to whom the government paid $1,000,000 for use of his patents in the old Fortezza/Clipper chip) has been somewhat unpromising, and there are many complex security problems involved. What if someone cracks the escrow agency's database? The keys are going to start circulating among the rest of the world's intelligence agencies and terrorist organizations by then.

    In the meantime your largely ignorant populace [slashdot.org] is going to start taking active measures to make themselves available for surveillance, in the misguided belief that this will help the security of your nation. It won't, not in any meaningful sense, but makes it far easier for Big Brother to start listening in on everything. Welcome to the American Empire.

  • ...you're fighting a losing battle, my friends.

    According to a recent CNN poll, 57% of Americans say they would "willingly allow the government to read their email to help the fight against terrorism". I'd post the link but CNN's search engine sucks. It was on the Wolf Blitzer special report page yesterday, 9/20/2001.

    We live in a democracy: clearly, if people here want to trade freedom for the illusion of security, that's what's going to happen. Especially if big corporations back the same laws, albeit for different reasons.

    Between the people and corporations here in America, nobody really wants privacy. Nevermind little issues like your credit cards selling your purchasing habits; people are ready to live in glass houses and let the government and big business watch every bit of communication with the hope of making an arrest or a sale.

    It's all for our own good, of course, since apparently Americans no longer believe that they are capable of taking care of themselves, and they no longer trust each other, and that massive government and corporate intervention is the only way to right matters.

    It's a psychotic vicious circle: the more we abdicate responsibility, the more we need someone to take care of us, and the worse things get. What a surprise.

    Sorry for the rant. Here's the bottom line: if you truly value freedom and privacy, the US is no longer the country for you. The aging population is tired of that sh*t, and has long since traded in principle for pragmatism. The odds of making a difference by writing letters are roughly the same as those of being suddenly turned into a 200 foot tall statue of the Marx Brothers.

    So, write your letters. Make your calls. But when it really starts coming down, remember that you can vote with your feet: there are plenty of countries out there that are still civilized and that still respect the individual, and until the real exodus starts, almost every country will happily take the best and the brightest from the US, even if they are geeks / libertarians / gays / goths / vegans / anyone else who may not quite fit in to a mainstream police state.

    -b

    PS: don't bother replying with bogus patriotic "if you hate the US, leave" messages. In fact, I love the US, and have done more to demonstrate that than you'll ever know. But love does not necessitate blind jingoism, as some would have it.
  • For one of these congressional hearings, could a knowelgable person take the crypto bible with them and a porable computer with standard components and "implement" a simple crypto while the session is going on; just to demonstrate that this is common technology. I'm sure that they have some idea that there are N products out there by N companies and that people must buy one of these products; and that these companies can get together (like Microsoft) and force the world to upgrade to the new back-door enabled version. At least, I'm sure this is what Microsoft people are telling the legislature. So... they may not be technical, but they do trust their Microsoft lobbyist; after all, they've constructed the worlds best desktop operating system and tools, of course they know what they are talking about.
  • I got this email on Friday:

    "Monday 9/24, noon, at the Mattin Center: U.S. Representative Constance Morella (8th District of Maryland) will talk regarding Information Security and Privacy."

    The Mattin Center is the new arts building on the campus of Johns Hopkins University. I'll be showing up and a hope others will as well.
    If you want directions or more info please respond to this post.
  • When I think about what the legislators are trying to do, closing stable doors after the horses have bolted comes immediately to mind. How are they going to persuade terrorists to use this form of encryption?

Live within your income, even if you have to borrow to do so. -- Josh Billings

Working...