The Rise of the New Crypto War
blottsie writes: For more than 20 years, the U.S. government has been waging a war on encryption, with the security and privacy of all Americans at stake. Despite repeated warnings from security experts, the FBI and other agencies continue to push tech companies to add "backdoors" to their encryption. The government's efforts, which have angered tech companies and researchers, are part of a long-running campaign to pry into every secure system—no matter what the consequences. This article takes readers from the first Crypto War of the early 1990s to the present-day political battle to keep everyone who uses the Internet safe.
"...keep everyone who uses the Internet safe." (Score:2)
Re: (Score:2)
Re: (Score:3)
I ask in earnest to see if these things were ever challenged in the past.
Re: (Score:2)
Pretending that their intent was to make life difficult for people who live in a Republican-led state that didn't build an exchange is insanity...
That didn't happen. Nobody is claiming that these Supreme Court rulings were done to make things hard for average people or for certain states. Consequence != intent.
Re: (Score:2)
The choice was between interpreting the law so it could fulfil its intended purpose
Lack of severability (that is, the law was intended to stand as a whole, not be reinterpreted piecemeal) was one such intent and that was disregarded by the Court.
Re: (Score:2)
the Secretary shall ... establish and operate such Exchange within the State and the Secretary shall take such actions as are necessary to implement such other requirements.
There are plenty of places in the law (in general) where references to things are somewhat indirect. If I'm operating on behalf of someone with power of attorney, there are regulations referring to the person I'm representing, but they actually apply to me.
I see the wording of the above section of the ACA as effectively setting up "an exchange established by the State" on behalf of the State when it won't do it for itself.
It is also beyond reasonable to believe that if the intention was to cr
Re: (Score:3)
I used Wikipedia for easy access, but I provide the reference numbers if you'd like to look them up. And these aren't the only cases (note one is from 1819, so don't even begin to say this wasn't established in the early years of the US). The SCOTUS's job _IS_ to interpret the law; actually it's not just limited to the SCOTUS, but the judicial branch interprets, and lower courts are forced to take a higher court's inter
Re: (Score:2)
Like an open back door into your home usable by the US Govt. would make you safer, right? Right FBI director James Comey?
Re: (Score:3)
It will only keep happening as long as people don't complain. Whenever enough people complain enough, things change.
Justify the Budget, Keep Peasants In Fear (Score:4, Insightful)
1984 was right, it was just 20 years early, and this is the script they are working off of.
Look, we all know where the terrorists are and who is spreading it, and how to track and follow them. Encryption is no more a threat than a candy bar behind a locked glass case in a supermarket too high for kids to reach is.
The reason they defeat the spies is the spies are too stupid, and ignore the real threats due to the massive overkill of non-relevant data and metadata that obfuscates the actual threats.
They already have access to your phones and already subvert them for target cases, so it's just more justification for insane stuff we don't need.
Not really a new war (Score:2)
Knowledge is a weapon (Score:2)
Learn how things work. Learn why things work. Build things, experiment, and never make an assumption without clearly identifying it as such, even if it's only a mental note.
Don't take someone else's word--look it up and verify it. Try it out. Play with concepts. I don't recommend using your own crypto in production (at all, since the odds are against you being a qualified cryptographer), but implementing known algorithms for educational purposes and then running attacks against them will give you a much bet
Re:Knowledge is a weapon (Score:4, Funny)
I use ROT26. So far, all my communications have gone unnoticed.
Re: (Score:3)
I'm sorry, could you say that again?
Re:Knowledge is a weapon (Score:4, Funny)
Whoops, I'm sorry. I used ROT26 twice in my previous post.
Re: (Score:1)
Whoops, I'm sorry. I used ROT26 twice in my previous post.
Is NOT the joke supposed to be " I used ROT13 twice ..."?
Tim S.
Re: (Score:3)
I used ROT520 twice for much extra security.
"Saving Lives" is their claimed priority... (Score:5, Insightful)
If that were actually true that saving lives or keeping people safe were their true priority, they could be vastly more effective by spending their money on reducing the highway traffic fatality rate. Over 30,000 people die on the roads of America every year. Reduce that by 10% and you'll save the equivalent of a 9/11 attack *every* year.
Of course safety and saving lives is not their primary purpose -- it's entrenching their power structures. The ability to pry into everyone's communications and files is (in their opinion) essential to that.
Re:"Saving Lives" is their claimed priority... (Score:4, Insightful)
The same kind of numbers could be used against tobacco, alcohol, food with excessive amounts of fat/sodium/etc. Except there's money to be made with those, so the number of deaths doesn't matter.
Re: (Score:1)
Users of tobacco, alcohol, unhealthy food, etc., are consciously choosing to harm themselves.
In an automobile accident, someone who was following the rules can get harmed/killed by someone else, without consent.
Limiting the former is a nanny state tactic, wherein the government knows better than you what choices you should make for your own life. It is not the right balance between freedom and security.
Ensuring that people who don't follow the rules can't drive, on the other hand, is actively protecting in
Re:"Saving Lives" is their claimed priority... (Score:5, Insightful)
Want to know how to spend money to save lives? Stop bashing the younger generations and give them some career path.
What I feared most, a brain drain, is already happening. Americans [1] are bailing to Latin American countries because they can't find any jobs, and student loan debt guarantees a shitty credit record for life. So, it is either live like a mendicant, commit suicide, or move to a country that wants intelligent people that will better themselves.
We have an entire segment of disaffected people. What happens when there finally is no hope? Look at Egypt and the Arab Spring. Occupy may be dead, but those people are still there. All in all, it would be a lot cheaper to fund something like the WPA and give meaningful labor than to pay for what it would take to handle a constant, protracted insurgency.
As for security, demanding backdoors is retarded (yes, the "R" word.) After Snowden sold out the NSA, this drove a wedge between the US and close allies. Security companies that get harassed in the US can easily set up shop in other nations, with that country's intelligence department calling the shots [2].
Further demands on backdoors in security are just masterful foot-shooting. If this keeps being pressured, I'm sure most companies have moved their security coding offshore, or even spawned separate companies that are not under the US flag. Then, the only thing that can be done is bar secure crypto from being imported or used, which can be easily done with a stroke of a pen.
[1]: Technically residents of the United States of America, but Americans is a phrase used here.
[2]: Want to do business in China? Some firm over there has to own 51% of any venture on their soil.
Re: (Score:1)
Wrong, wrong, wrong. Wholly owned foreign enterprises (WOFE) have been available in China since China joined the WTO way back when. These limited corporations are fully owned by the foreign investor. There is another structure called a Joint Venture (JV) that does require a 51% share by the Chinese side, but these are typically used in restricted industries like publishing or mining where WOFEs are not allowed. They are stupid and I don't know why any foreign company ever does them.
Americans are fleei
Death OR Taxes (Score:2)
The most effective way to do that is put more troopers on the road and better highway design/maintenance. But that requires higher taxes, and a good portion of America would rather risk death than pay more taxes. "Freedom to die".
Re: (Score:1)
it's entrenching their power structures.
I'm sorry, but every time I see this get modded up, I have to remind everybody that it cannot happen without us. If you're going to continue voting for the same old shit over and over, please understand that your complaints really can't be taken seriously.
Re: (Score:3)
I can and do vote here in Canada, and in our upcoming election we have an option (NDP) who have promised to repeal the horribly flawed bill C51 (https://en.wikipedia.org/wiki/Anti-terrorism_Act,_2015 [wikipedia.org]). I encourage all like minded Canadians to get out and vote this fall.
Re: (Score:2)
If that were actually true that saving lives or keeping people safe were their true priority, they could be vastly more effective by spending their money on reducing the highway traffic fatality rate.
Ahem, look particularly at column 4, fatalities per 100,000,000 vehicle miles traveled [wikipedia.org].
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
Baseless conspiracy theory. Take DES for instance. It was invented 45 years ago and we still don't know any practical attacks that do much better than bruteforce. The gap between civilian and intelligence crypto skills is not that large, especially as fewer and fewer crypto gurus are willing to be associated with government agencies.
Re: (Score:2)
Re: (Score:1)
"DES is now considered to be insecure for many applications. This is mainly due to the 56-bit key size being too small; in January, 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology)."
https://en.wikipedia.org/wiki/Data_Encryption_Standard
Re: (Score:2)
I believe with modern hardware the NSA can break DES almost in realtime.
This could not be worded any worse (Score:1, Insightful)
crypto war 3.0 you mean? (Score:2)
I keep saying we should call it the Third Crypto War because NSA + GCHQ already won the Second. They did that in a secret war on all systems and cryptography with aid from post-9/11 legislation. The Snowden leaks attest to what they accomplished. Most crypto out there doesn't deliver on its claims because they backdoored, weakened, or bypassed (endpoints) it. Now, from a position of dominance, NSA and FBI are launching a Third War on Crypto which is a mixture of public (see article) and secret (try to see
Re: (Score:3)
Bullshit. One of the most interesting things to come out of the Snowden revelations was the discovery that the NSA doesn't have any secret ways into properly done crypto -- Schneier even noted as much in his interview with Snowden.
You're right that most people's communications aren't encrypted -- that's an artifact of people trusting large corporations like Google and Apple with their data. But dm-crypt and loop-AES on Linux have been safe for a long time, and, though I wouldn't personally trust BitLocker
Re: (Score:3)
The NSA and GCHQ have enough hold over emerging academics, crypto, open source and crypto history to shape any useful standards.
Before Snowden the idea was that someone or something to do with academics, open source, political scandal, private sector legal leadership, private sector risk, the press or very smart people or antivirus protection teams would notice "something" about weak international cry
Re: (Score:1)
"Bullshit. One of the most interesting things to come out of the Snowden revelations was the discovery that the NSA doesn't have any secret ways into properly done crypto -- Schneier even noted as much in his interview with Snowden."
I think you missed the whole point: NSA has been secretly beating many crypto you cite for years with a myriad of bypasses. They piled up attacks on applications, OS's, firmwares, and so on. They have it to the point that it's automated with QUANTUM. Linux's fragmentation gave n
Re: (Score:2)
I think we're talking past each other. Internet vulnerabilities don't really matter that much to me in the analysis; there is no reason one can't do his crypto on a computer not connected to the Internet if he's concerned about Internet exploits. And the FBI/NSA resorting to 0-days is a rearguard action. They can only afford to do that to high-value targets, because using a 0-day and getting caught means you lose the 0-day.
And of course mainstream security is low. If we're going to say that we "lost the
Re: (Score:1)
You have points on the 0-days being on the lower end compared to pervasive backdoors. Far as worst compromise, it's actually NSA compromising insane numbers of hosts using automated QUANTUM hits and drones via WiFi attacks. Much worse than manual stuff FBI does. That they continue to subvert things with little challenge is in their favor, as well. Far as crypto, NSA promoted strong algorithms while hiding all the ways their implementation could be busted (eg side channels). AES was actually more prone to th
Re: (Score:2)
The stuff you're talking about is the stuff there is less public information about, so it's hard to know how effective it is. QUANTUM certainly sounds scary in principle, but we know very little about how effective it is. And, since it's using 0-days, they can't just use it against anyone they want without potentially burning the 0-day. The exploit can be automated, but the decision to deploy it can't be. Untargeted "dragnet surveillance" -- the most politically problematic part of Snowden's revelations
Back door man (Score:5, Insightful)
If the recent Hacking Team story has taught us anything, it's that there is no such thing as a "secure back door". Just when you think you're cleverly safe creeping in a back door, there's someone else peering up your back door.
Re:Back door man (Score:4, Insightful)
And the OPM breach has shown us even more clearly the consequences of failing to use the strongest encryption, security tools, and IA policies available. Using encryption technology that's designed to be bypassed at need, with that 'need' determined by anyone other than the owner of the data, is the electronic equivalent of hiding a spare key under the welcome mat and believing that your home is still secure when it's locked up.
So is the Internet considered Telecom or no? (Score:1)
Wait a second, the EFF was just telling me the Internet is a Telecommunications Service, not an Information Service, in order to get the Title II regulations they were cheerleading for.
When the FCC contorts CALEA, something only supposed to apply to telecommunications, against cryptography on the Internet, it's the end of days, the Internet is dead, ...
When the FCC contorts Title II, something only
Re: (Score:2)
Wait a second, the EFF was just telling me the Internet is a Telecommunications Service, not an Information Service, in order to get the Title II regulations they were cheerleading for.
Either the Internet is an Information Service (meaning Title II and CALEA don't apply), or it isn't (so it's a telecommunication service, and CALEA does apply), but you can't have it both ways.
Providing access to the Internet is a telecommunications service. (Your ISP is acting as a telecommunications service)
Offering content is an information service. (Wikipedia is an information service)
It is also possible for a single company to act as both a telecommunications service and an information service. (Google provides Internet Access and offers Content)
While all a part of the "Internet" here in the US, each aspect is regulated differently. CALEA explicitly does not apply to information services su
Re: (Score:1)
That's a creative argument, but the problem is, the law doesn't make that distinction.
In both cases, you're peering with another person and exchanging packets with them.
Wikipedia exchanging packets with an ISP isn't any different than me exchanging packets with my ISP.
Indeed, such an assertion would fly in the face of Net Neutrality that says all packets are equal. Wikipedia exchanging packets with me, isn't any different than Wikipedia exchanging packets with Cogent, isn't any different than Cogent exchang
Re: (Score:2)
Wikipedia exchanging packets with an ISP isn't any different than me exchanging packets with my ISP.
This isn't really all that difficult to understand.
Wikipedia's ISP is subject to CALEA. Wikipedia itself acting as an information service is not.
Re: (Score:1)
Only because the law was expanded in 2005: https://www.eff.org/issues/cal... [eff.org]
The law still makes a distinction between ISPs (information services) and telecom: https://www.law.cornell.edu/us... [cornell.edu]
Core problem: backdoor = all messages in plaintext (Score:2)
Re: (Score:2)
You (and possibly the article) are making an improper distinction. Anyone who breaks into my computer or my putatively secure communications is a bad guy, whether they work for some government or other or not. And it doesn't matter which government. And, no, even if they had a warrant that wouldn't mean they weren't a bad guy, it would just mean they might not be operating illegally.
Re: (Score:1)
Re: (Score:1)
It's not just the "bad guys"... (Score:1)
I've seen arguments to the effect of "we would give a backdoor to the NSA, except others could exploit it". NOOOOO! The NSA are demonstrated liars, perjurers, torturers, and murderers. They cannot be trusted. The US government, and pretty much any government, cannot be given this power. They will abuse it. The only good government is a government constrained from doing evil. The US government needs more constraint, not less.
Bucket Loads Of Fear (Score:2)