

Legislating Insecure Encryption 290
firewort writes: "Sen. Judd Gregg (R-New Hampshire), who called for global backdoors in encryption products in a floor speech last week, is readying legislation. This is another push for backdoors - but it seems that Gregg wants them to be used cautiously, only with permission from a US Supreme court appointed commission, subject to normal search and seizure rules." Representative Goodlatte, who has supported strong encryption before, is one of the few people speaking out against this.
This is scary (Score:1, Insightful)
You are overlooking something... (Score:2)
We all know that encryption is hardly used except by criminals and the paranoid.
Do you bank online? Have you ever bought anything online? Does your company engage in e-commerce or EDI? Have you ever used Lotus Notes?
These are strong encryption applications, without any backdoors (yet). How will you feel about government-mandated encryption backdoors when some 31337 HaXoRs strip your bank and credit-card accounts? Are you so naive as to imagine that the government will make you whole? ("Gee, we're not responsible for losses due to criminal activity" say the cops.) Do you think that Judd Greg will recompense your life savings lost to backdoor crypto? You must be a troll, drunk, on crack, or all of the above, to have posted that moronic spineless garbage here. Just shoot yourself, it's painless.
"Those who would trade liberty for security deserve neither."
Re:You can't have it both ways. (Score:2)
So what you're saying is that in order to have freedom you must give up some of your liberties. Fascinating semantic distinction.
As to the rest of your bizarrely illogical rant, may I take a few issues?
So you don't know anyone who uses it, and the only people who use it are criminals and paranoids. How did you manage that conclusion if you don't know any of them?
Forgive me, but does this mean that if I don't pay taxes I am exempt to having my civil liberties taken away? Or was there some checkbox on the 1040 form that read "Yes, I want to be spied on."?
As others have pointed out, this kind of bullshit proposal only has two ways of succeeding. The first is if we convice all the terrorists to upgrade to backdoored software. Good luck.
The second is if we convince everyone else to upgrade and hope the terrorists don't hear about it. Then we can construe their use of strong crypto as an admission of guilt. How many seconds of profound thought do you think it will take the next terrorist to figure out to wrap his strongly encrypted messagse in a weakly encrypted envelope?
"Aha," one might say, "but that can still be detected by decrypting the outer layer!" Yes indeed, but only if the government routinely decrypts every message sent anywhere by any means. Perhaps including the U.S. postal service. So in order to preserve our freedom we must all be spied on by means that continuously and actively compromise the privacy of every law-abiding citizen. In exchange we will learn the identities (but not the encrypted messages) of the terrorists. Then we can haul them into court and charge them with having a secret. I'm sure people willing to die a fiery death for their cause are going to tremble at the thought of being jailed for contempt of court. Or will that become a death-penalty offense as well?
Re:You can't have it both ways. (Score:2)
Welcome to the American Democratic Republic. To help things along Canada should be renamed the Americal Federal Republic and gear up for taking control of the whole lot by around 2050
Re:You can't have it both ways. (Score:2)
Or better yet, using classic stenographic principles, using the encrypted message as a key for encrypting a completely innocuous message. How are you going to break that one? Espectially when the key escrow has record of your key (which is the actual encrypted message.
Of course, the obvious solution here is to outlaw all encryption beyond ROT-13/5 (rotate letters 13 places and digits 5 places). OK. Will you ever buy anything online ever again?
Re:You can't have it both ways. (Score:2)
Yes I may be drunk, but you, sir, are an idiot. In the morning I will be sober.
Giving up liberties for security is a slippery slope. You never acheive security, and find that you have given up all your liberties to acheive very little.
The name of the game is a clue: terrorism. Those who let them selves be cowed by its spectre are already victims, even if they are not directly hurt by the attack.
Re:You can't have it both ways. (Score:2)
Hmmm... Ever buy anything online? Ever visit your bank online?
This is not just an issue of privacy. It is simply a very bad idea. What if the next attack involves publically stealing a large number of checking account numbers?
The problem is that Congress would be offering the terrorists a new and very damaging weapon-- breaking into our ecommerce transactions... Say goodby SSL, perfect forward security, etc...
Re:You can't have it both ways. (Score:2)
Required Key Escrow As Law Enforcement Tool (Score:2)
Key escrow will work as a law enforcement tool in the following limited, but nonetheless useful, way.
It cannot actually prevent anyone from using cryptography that does not have a backdoor.
However, what it will do is allow law enforcement to stop, interrogate, hold and arrest a suspected terrorist on the grounds that the person has a cryptography program on their computer that does not have the approved backdoor. It will give law enforcement something to hold them on. This can be important. Let me make an analogy to the kife situation.
Prior to the events of 9/11, it was perfectly LEGAL to board an airplane with a knife with a blade up to 4 inches in length. If somebody was found trying to board an airplane, or on an airplane, with such a knife, there was no legal basis to question, much less arrest, them. Indeed, if someone was found with TEN such knives, there was no legal basis to hold them. They just walked away. Hell, you might not be able to keep them off the airplane.
Now, there is a new regulation banning ALL knives, no matter what the blade length. Will this new regulation prevent any determined person from carrying a knife on board? Given the current state of security, probably not. Unless you ban, or thoroughly search, all hand luggage, and frisk all passenengers, no. I'm sure right now I could probably carry an 8 inch (or ten 4 inch) glass, ceramic, or plexi-glass knife (knives) on board and get away with it. So, does that make the law useless?
No, because, compared to before, if they DO detect my 10 glass, ceramic, or plexi-glass knives with 4 inch blades, they can actually prevent me from boarding the plane, hold me, question me, interrogate me, and arrest me. They can pursue the matter.
Obviously, the anlogy to cryptographic software is far from perfect, but the principle is the same. No, you can't really PREVENT anyone from using such software w/o a backdoor if they really want to. But what it does do is give you a legal basis to stop, interrogate, and, if need be, arrest them.
Is it worth it? I'll leave it up to others to discuss that issue for now. But one cannot say it would serve absolutely NO purpose.
Re:Required Key Escrow As Law Enforcement Tool (Score:4, Insightful)
Yet another flawed idea. It may work on the brain dead. But is easily avoided by everyone anyone else.
You take someone's computer, anyone's computer. They likely to have hundreds of thousands or even several million files on it - with thousands or maybe tens of thousands of executables. Somewhere in that lot is an executable which contains the "illegal" encryption and decryption routines. An exectuable with a misleading name, which also does something entirely legitimate, which may itself be compressed or encrypted.
You're going to have to scan every file to see if it is exectuable, or a compressed or encrypted executable. When you find your executable you're going to have to do some very detailed analysis to see if it offers any "forbidden" functions.
Analysis of a system for unauthourised crypto programs is going to take serious time and serious resources.
If you have a strong suspect, by the time you've unscrambled what's on their computer the result is pretty academic - it's going to be far too late to assist any ongoing investigation - the trail to the next link will have gone cold.
If you don't have a strong suspect this is going to be useless as an investigation - you can't use it for screening - ANYONE you care to check is going to take so much time and money before you can eliminate the suspect as to make the techinique worthless.
Even at its absolute best, The proposed restrictions will achieve little more that provide an extra, technical offence to charge the obviously guilty with.
The test isn't "does it serve ANY purpose" - it is "does it serve any USEFUL purpose" - and the answer is that it doesn't.
You may think that it is still worth the cost to the rest of us. I don't.
Second post. (Score:1)
BTW, SECOND POST BITCHES!!!
Security (Score:1, Insightful)
Think of that what you will.
Re:Security (Score:2)
If they outlaw a description of something, that would abridge the freedom of speech, or of the press. Can't throw away the First Amendment without another amendment to the Constitution of the USA. Sure, they cold outlaw the export of those descriptions, but how could they keep something that is freely published in the USA to leak away?
Re:Security (Score:2)
Do your work in California. The Ninth Circuit has found that code is protected speech (Bernstein v. Reno, I believe), and the particular case involved strong crypto!
Re:Security (Score:2)
Call to arms (Score:2)
Then we can point out that these keys could be used to break into banks, e-commerce, etc. and urge everyone to stop using these facilities in order to protect against terrorism
I don't think that is our main concern (Score:2)
Making a deliberate flaw in a scheme makes this more possible as we all know.
Duh (Score:1)
Re:Oh Really? (Score:2)
I'm glad someone is against it (Score:2, Insightful)
As an NH citizen (Score:1)
As I've said before... (Score:5, Informative)
Now is the time to contact your representative, your senators and probably even your local media and tell them exactly how much damage this legislation could do.
Tell them about encryption used to protect your online banking transactions. Tell them about encryption used to protect company secrets. Tell them that this is bad for trade. Tell them that this is bad for innovation (unless you're Microsoft I guess)... Tell them how you feel about it.
Don't just sit back and let this go through. If nobody says "this is bad" then it will be passed...
While telling your congress critters, be polite, spell check before sending. Fax and/or write rather than e-mail. Call them and talk to them. But however you do it, make sure that your voice is heard.
Zwack.
p.s. Yes, I've already written to my congress critters.
Re:As I've said before... (Score:2)
Most of us are aware that price gauging during a crisis is immoral. Political opportunisms and raw power grabs at these times is atrocious.
But intentional disarming of our businesses, opening our information resources to hostile nations and criminals may be treason.
We'd hang a soldier that gave secrets to the enemy in wartime. We'd hang a leader who conspired with the enemy to lead our troops into ambush.
What else is appropriate for a congressperson who aids the enemy through dumbed down encryption and banned secure operating systems - even if their gain is merely political or financial?
Congresspersons, your nation *will* hold you accountable. Do not jeopardize this nation!
*scoove*
Don't tread on me... or my constitution.
Re:As I've said before... (Score:2)
Note that I said that the behavior was immoral - not illegal, impractical, unprofitable, etc. A fundamental moral behavior for a trader is to not aggressively exploit your customer. Sure, a good profit is nice, but exploitation and establishing abnormal pricing solely upon your customer's actual or perceived crisis is predatory and unethical.
Plus, there is a function of mass hystaria that is fed by unethical traders and I'd expect them to have accountability for further inciting fear and panic.
Disagree?
Re:As I've said before... (Score:2)
Re:As I've said before... (Score:2)
How do you define obscenity? If I recall, it has a really vague "offends the community" type of legal definition, but things still work out in court.
Re:As I've said before... (Score:2)
Without getting into ethical arguments, the fact remains that businesses do NOT have that right under the law.
Getting into the ethical bit: nor should they, IMHO. We need smaller government, yes, but if there are not some controls placed on businesses they'll screw us over. This is a sensible place for gov't regulation. It protects us, and not in that offensive reading-your-email way.
For example, what if price fixing was legal... Imagine how much gas would cost. (Green freaks, replace "gas" with any other important product manufactured by only a few companies, and keep your "I wish!" statements to yourself.) With such a high barrier to entering that market, there is no practical way for a competitor to jump in and undercut the price-fixing consortium. That is the system with maximum freedom, but it still sucks!
Ante Upped: Oracle National ID System (Score:2)
At the same time, Newt Gingrich blabbed on Fox News that a "secure national ID system" would make air travelers feel much more secure.
Looks like we're seeing yet another power grab.
*scoove*
Obligatory link to eff.org alerts (Score:2)
Re:Contacting your representatives (Score:2)
If such actions became commonplace among average Americans, then reps would probably give it some consideration. As it stands, however, the average American isn't even likely to know who his/her reps are, let alone bother to contribute to any of them.
Re:would it make more sense... (Score:2)
That would be nice, except for a little item called The Fifth Amendment [usconstitution.net] to the United States Constitution.
"No person... shall be compelled in any criminal case to be a witness against himself".
Re:I am from NH, but what can I do? (Score:2)
what happens (Score:1)
Worse, our enemys.
Passing another law (Score:2)
Re:Passing another law (Score:2)
(OK, so it's the wrong topic... big deal...)
Re:Passing another law (Score:2)
What happens if someone like the NTSB want to test what happens when aircraft crash into buildings?
Re:Passing another law (Score:2)
Once the plane is in the air there is too much of an opportunity for abuse. Won't you think of the children?
What we really need are waiting periods for airline tickets. How could that not work?
Re:Passing another law (Score:2)
^ PLEASE MOD THIS UP TO 5 !!! ^ (nt) (Score:2)
What's wrong with this picture? (Score:2)
The WTC disaster does not change the validity of a single one of those reasons, namely:
1) Strong encryption is vitally necessary to any digital communication involving business and finance.
2) Strong encryption is worthless if backdoors are placed into it- see Matt Blaze's skillful discovery of every single law enforcement key within the Clipper system.
So, why does this debate continue? My only guess is strong emotions combined with a fundamental misunderstanding of what is being discussed on the part of Mr. Gregg.
Re:What's wrong with this picture? (Score:2)
1) Strong encryption is vitally necessary to any digital communication involving business and finance
Especially where these communications can be trivially intercepted.
On the other hand encryption is not a necessity for planning acts of terrorism. A terrorist is more likely to use such low tech methods as face to face communication.
The latest and greatest from Congress (Score:1)
Congress:People
Terrorists:USA
Because only will of the people will be able to overcome the legislation that congress proposes, just as the will of the USA and other countries would be able to overcome the terrorists. And both the terrorists and congress are going to end up taking our rights away, as Congress is using the terrorist's acts to "justify" taking away rights for "national security."
I end this with a note of hope: You elected your Congressmen (and Congresswomen), so now to maintain your rights, you need to call them or E-Mail them. They are there to represent YOU, so let them know how you feel!
Compliance (Score:1)
How about those of us using secure encryption now? Will using non-compromised versions of PgP be a felony? Will having a copy on your hard drive be dangerous?
The other day I was at the office store, puttzing around the crappy software (though Office Max is carrying various Linux distros.) and I noticed they were selling a nice boxed Pgp + firewall+ miscellaneous crap product from Macaffe called "network security" or something like that. Made me wonder how they are going to root all the sheeple out there that can barely maintain their windows boxen out from the supposed "terrorists".
Strange days indeed.
What's the point? (Score:2)
If it wasn't for the fact that any such restrictions impose an extra burden on software/hardware manufacturers and limit the security of encryption, I'd start to think this was nothing but feel good legislation that would never accomplish anything. Sure doesn't seem to be accomplishing anything good.
Goodlatte the crypto idiot savant of VA politics (Score:2)
Yet as a Virginian I'm ashamed that someone from my state played a role in the creation of such an anti-American bill. Give the man kudos for defending crypto in Congress at a time like this, but don't think that he is a freedom-loving politician. He said at my high school (I'm a freshman in college now) that if he had it his way he'd abolish our lottery because there are "better uses" for people's money than a lottery. $1-$5 a week for the hope of striking it big is a bad thing? $1-$5 a week invested in further funding our state's infrastructure is a bad thing? $1-$5 more invested in an education system which is #7 in the nation in passing the AP tests is a bad thing? And finally $1-$5 a week invested in the same education system that has one of the highest passage rates in the nation on some of the most rigorous standardized tests in the nation?
Now is the time for us to be holding our republican values (and I don't mean the party) more dearly than ever. The purpose of establishing a republic and not a new monarchy for our people was to break the cycle of tyranny. Let's remember what happened to the Roman Republic. By the same token, let's learn from the lessons of the past so the American Republic doesn't go the same way.
Phil Zimmerman feels responsible for 9-11 (Score:2)
http://www.startribune.com/stories/1576/706443.
Basically, Phil feels responsible for helping the terrorists.
Re:Phil Zimmerman feels responsible for 9-11 (Score:2)
In the article, the actual quotes attributed to Zimmerman show that he feels badly about the events, but in no way do they indicate that he feels responsible for them. I think this one sums it up (in regards to some hate mail he received):
Phil Zimmerman should get a Nobel Peace Prize. (Score:2)
Hiding tools from honest people only assures us that honest people suffer without benifit. Priciples of operation will always get out and the bad guys will always use those tools as they see fit. You can't hide crypto and we should all be using it to protect our privacy.
Here are some more people you can hate, if you still want to point a finger at Zimmerman:
The Wright brothers, for giving the terrorist a weapon.
Whittle, for developing the engines that powered that weapon.
Eifel, for giving the terrorist a target.
Diesel, for working out the use of heavier oil fuels that all jet aircraft use.
Oh yeah, don't forget that hideous man who invented the knife.
So go on and ban aviation, skyscrapers and knives as well as deadly crypto. The world will not be a better place!
What if this goes international? (Score:2)
I can imagine it, now: Mr Terrorist uses the encryption product for which his local government (for example, the Taliban) holds the back door key. The U.S. court sez that it wants to read the mail. The U.S. then sends a nice, polite letter to the Taliban asking for that key...
When where freezes over?
Beginning of a US congressional database (Score:2)
Anyhow, here is a small start. I would encourage anyone with additional data to post it right here. I'll try to add it to this list, and perhaps someone more ambitious will be able to browse the follow-ups and start a real web database on this.
United States Senate:
CALIFORNIA: Diane Feinstein, Democrat, Bad
- Co-sponsored "Combating Terrorism Act of 2001"
http://www.wired.com/news/politics/0,1283,46852,0
o Elected in 1992 (short term), 1994, 2000, 2006
MICHIGAN: Carl(?) Levin, Democrat
+ Argued against "Combating Terrorism Act of 2001"
NEW HAMPSHIRE: Judd Greg, Republican, Bad
- Called for crypto key escrow after World Trade Center bombing
http://www.wired.com/news/politics/0,1283,46816,0
o http://www.senate.gov/~gregg/body_about_judd_greg
o Elected in 1998, 2004?
UTAH: Orrin Hatch, Republican, Mixed
+ Suggested mandatory licensing for online music copyrights
- Co-sponsored "Combating Terrorism Act of 2001"
http://www.wired.com/news/politics/0,1283,46852,0
o Elected in 1976, 1982, 1988, 1994, 2000?, 2006?
VERMONT: Patrick Leahy, Democrat, Good
+ Argued against "Combating Terrorism Act of 2001"
http://www.wired.com/news/politics/0,1283,46852,0
o 1974...1998, 2004?
United States House of Representatives:
Bob Goodlatte, Virginia, 6th District, Republican, Good
+ Co-sponsored lifting of encryption controls
+ Speaking out against encryption controls after World Trade
Center Bombing. http://news.cnet.com/news/0-1005-200-7249721.html
Zoe Lofgren, California, Democrat, 16th District, Good
+ Co-sponsored lifting of encryption controls
Backdoored encryption is NOT encryption (Score:4, Informative)
I enjoy working with encryption and number theory. I enjoy the theory behind encryption and why it works so successfully.. I will try to explain how it works (to a point) and this is a BIG reason why backdoored encryption can't work.
For this example: Assume use of RSA encryption
The way that this encryption works is it finds a function f[x] that is (to a point) one way. (NOTE: impossible [as of yet] to prove that it is a true one way function but the lower limit on finding the function has never been solved.. so for all purposes as of yet it is oneway). That is... f[k] == k' (k' being encrypted version of k). The way this works is that the function f[x] which is known by everyone and the value k' could be known by someone and still not be able to convert k' back to k. This is serious advanced number theory and requires very specialized hard-to-find functions.
To allow backdoors (that can be used without having a persons program but only the encoded message) is saying that the function f[x] must be modified to the point that there exists a function g[x] (for each SPECIALIZED function f[x] [that is, each persons f[x] is different, but g[x] must decode all of them]) that can decode any function f[x]'s input. Translation: f[k]==k' but g*[k']==k (for any function f[x] specialized). This function g[x] must be found when working out the base of the encryption product and once the function f[x] is worked out so g[x] exist, it stops being a one way function and therefor stops being useful.
So basically, if this happens, we might as all just encode our messages with rot13 and it will be the same as using any new "government approved" encryption... because someone somewhere WILL leak the functions g[x], whatever[x] (for each encryption product).
(For those who are curious, the reason each f[x] is tailored to a specific person is the picking of the keys allows a "trapdoor" as RSA puts it: another part of the function f[x] that is not mandated at production time. Of course, if a g[x] can decrypt the f[x] (no matter specialized) then the trapdoor theory is useless and serves no purpose therefor weakening it to a childs toy)
And yes, I know I am speaking to the choir here.. the thing is a long time ago I was reading slashdot when someone spoke about encryption and the basics of encryption theory.. it got me interested enough to look at it myself and now I am intrigued by it and am always learning more. My example may have small errors in it.. I hope someone can call me on them if they notice--> its always best to be factually correct...
Thanks.
Re:Backdoored encryption is NOT encryption (Score:2)
Assuming g[x] is based on some codebreaking technique which the academic community doesn't know but the NSA does. For a time, differential cryptography would have worked. So, DES before the NSA made it more secure could have been used for this.
Still, the academic community could catch up any time, so this is not a good strategy.
Other forms of back doors exist - consider PGP ADKs (assuming the implementation weren't broken). They don't reduce the security of the system significantly, but they do provide a backdoor. Of course, this assumes that their use can be mandated, which we all know is impossible.
Re:Backdoored encryption is NOT encryption (Score:2)
Hmm... 57.395% of total keyspace checked. Time to add a few more machines and get cracking! Come on, cows!
*scoove*
Re:Backdoored encryption is NOT encryption (Score:2)
Of course, since public keys would be different lengths, then the encoded message "public key" that you mentioned would be some length X. Say, we can guess that X will be AT LEAST >= 15-20. So one could safely remove the last 15 characters and replace with A's or what have you, and the decryption of it by the intended recipient will not be affected (b/c the decryption will not be affected at all by the backdoor encryption) but won't allow the government to read it.
Now this is a way that encryption companies could make their product "compliant" with regulations, while also thumbing their nose at them. Very cute -- thanks for the heads up!
Re:Backdoored encryption is NOT encryption (Score:2)
This doesn't require any compromise of the security of the algorithms themselves. In fact, if you send an encrypted message to more than one recipient with the current version of PGP, you're doing exactly the same thing.
The compromise in security from a backdoor is that *every* message everywhere would be immediately and irrevocably exposed if the backdoor private key is ever discovered. It makes a very tantalizing target.
One way of doing this which does give some degree of damage limitation. Is whenever a PGP keyset is generated you actuallt generate 2 keysets. The second private key is encrypted with the public key of spies@evesedroppers.gov and emailed to them. Then everytime you send a PGP email it's also encrypted with the spies@evesdroppers.gov public key unique to you...
Re:Backdoored encryption is NOT encryption (Score:2)
One of the big things that makes PGP secure is that there is no single point of failure. Any compromise of this compromises the security of PGP.
The other problem is with Kerberos and IPSEC, how do you plan to send all the keys for those elsewhere. I know I'd fire anyone who copied those keys anywhere.
Re:Backdoored encryption is NOT encryption (Score:2)
It's les bad than the initial senario of only having one "backdoor key". Here someone needs to not only get hold of the "spooks key" (which can be changed frequently anyway) but also intercept enough communications to work out which backdoor key they need.
Re:Backdoored encryption is NOT encryption (Score:2)
The problem I see here, of course, is that this is effectively doubling the size of the message. It is worth noting that companies use encryption to encrypt valuable trade secrets, and doubling the size of data certainly isnt a good thing. Also, if the companies that manufacture the encryption software release (open) their specs as to if there is a fixed interleaving of governmentmsg and recipientmsg then the governmentmsg could be replaced by, say, A's or another interesting message.
Of course, if this takes hold and the companies release their source, then it would be fairly trivial to just omit the section dealing with creation of a government message in the first place.
Of course, the government private key will be found out. The problem is that "law abiding citizens" will be using this government key (while the criminals do as I suggested), therefor citizens give up their rights to solve nothing...
Re:Backdoored encryption is NOT encryption (Score:2)
Re:Backdoored encryption is NOT encryption (Score:2)
http://www.math.fu-berlin.de/~dohna/ssbib.html
Re:Backdoored encryption is NOT encryption (Score:2)
Re:Backdoored encryption is NOT encryption (Score:2)
"there's no such thing as a shared secret"
total impractical (Score:2)
How can this possibly be enforced? I have books, and files on my computer, describing most common encryption and public key methods. I could almost write an RSA encryption program from memory, and I certainly could write a program to XOR with a LFSR or a one-time pad.
The dumbed down articles always talk about how "complex" and "sophisticated" encryption is, but it's not really that complex, once you know the formulas. Anyone with high-school math could probably understand many of the algorithms. You could explain a one-time pad in terms of adding and subtracting.
And what is a legal definition of encryption anyway? If I XOR all my files with a constant byte, or if my ISP or the FBI happens to be looking and they don't recognize the file format and somebody calls the cops, how the hell am I going to explain how it's not encryption? Or will it be like the DMCA, and encryption will be anything they feel like.
And are they going to somehow take away my SSH that I use almost every day to do work as a sysadmin? I get paid to secure systems, should I tell my clients "This encryption is difficult to crack. Except for the government and anyone else who figures out the back door. Sorry."
Totally crazy and impractical.
Re:total impractical (Score:2)
Once again, geeks are treating the government like a computer, and expecting some "edge case" to cause a crash. It won't work that way. The intent of the bill will be clear, and judges will follow that intent. Look at Kaplan/DMCA.
So, if you send an email in Navajo, that is in no way a violation of the proposed bill. But if you distribute software that encrypts communications into something like Navajo, and you don't use the backdoor, that is in violation of the bill.
It almost seems like you're deliberately not getting it, in order to attack a strawman. I oppose this bill for the one sound reason: because it is a Fourth Amendment violation.
In other news... (Score:2)
Most lawmakers have NO technical education. (Score:2)
From the story referenced above:
"That's like telling people to take their house key down to the police station," Goodlatte said. "People are not going to have greater confidence in their security by doing that."
Good analogy. These things must be made simple, because most lawmakers have no technical education whatsoever. Did I say NONE at all? As in Duhhhh!
Secret U.S. government agencies control U.S. violence: What Should be the Response to Violence? [hevanet.com]
Re:Most lawmakers have NO technical education. (Score:2)
A locked door does not prevent the police from entering a house with a search warrant. There are plenty of physical means for breaking down a door to gain entry into a person's house. A key is not necessary. However, with encrypted data, even if the police receive a warrant, they will have no way of searching through a person's secured data
I don't understand how people can argue that just because data is stored on a person's computer, it should somehow be impervious to search warrants. Why should encryption necessarily give people more rights then they had a decade ago?
No one on slashdot has had any problems with the FBI searching through the former residences of the suspects of the WTC attack. However, the slashdot crowed would be up in arms if the FBI somehow was able to search through encrypted data on their computers. What if an encrypted e-mail existed that could conclusively link the highjackers with Osama Bin Laden? That piece of evidence could be enough to convince the Taliban to turn the guy over, and thus, prevent a war. Unfortunately, given the current state of encryption, this piece of evidence could never be decrypted and used.
If there is a technical means to restore the power of a search warrant, I'm all for it. While it might not stop the truly determined criminal, some crimes probably could be prevented, and as long as it's implemented correctly, no loss of personal freedoms would occur.
Obviously, there needs to be safe guards protecting law abiding citizens from illegal search and seizure by the government by ensuring that only the intended recipient and those with a warrant can decrypt secure messages. Perhaps, this can never be accomplished, which would mean that this legislation should not be enacted. But if the law required that all encrypted messages be encrypted with both the public key of the recipient and the public key of some government agency, then I think the above goals could be meant. While I respect arguments concerning the technical feasibility of such a scheme, I don't respect people who argue that unbreakable encryption should somehow be an inalienable right.
Create a better way of explaining it. (Score:2)
Well then, create a better way of explaining encryption to non-technical people.
Do I have a right to speak to my woman friend or wife or children in private? If I do, then I have the right to unbreakable encryption.
There was one EXCELLENT way of fighting Osama bin Laden: Don't support the Taliban or the Saudis, as the U.S. government did for many years. Then they would fight someone else.
This encryption debate obscures the real issue: The U.S. government must stop being adversarial with the whole world.
Re:Create a better way of explaining it. (Score:2)
You don't have this right if a law enforcement agency has obtained permission to tap your telephone line via a court order. Again, if you use unbreakable encryption, there's no longer away to accomplish this. If a court order hasn't been obtained, not only is it illegal to listen to your private conversation, anything gained through these means is inadmissible.
Re:Create a better way of explaining it. (Score:2)
That simply gives them the right to intercept the comminication. Otherwise when a tap was put on they would also need to put on a recorded message obliging people only to use certain languages and avoid slang...
Re:Most lawmakers have NO technical education. (Score:2)
In copyright, it used to be possible to copy a book or a record. But it was time consuming, and the result was not as good as the original. However, it was worthwhile if the work was out of print, and the threat of copying prevented many abuses by publishers. With digital technology, it seems we have to choose between a world of unrestricted, cheap, perfect copying, and a world of draconian restrictions and no copying at all.
Likewise with this issue of search. It doesn't bother me in principle that the government can search my communications - I just don't want it to be so cheap, easy, fast and invisible that it's automated into a huge vacuum-cleaner system. But I see no way to restore the pre-digital balance.
I think we all know that the need for a search warrant is not meaningful in itself. Some trustworthy technical barrier needs to impede these searches
My letter to congressmen hand-delivered yesterday (Score:2)
I emphasized that there are many different crypto channels, and to be effective they'd have to weaken every one of them, because terrorists could simply shift to a different channel if, for instance PGP email were back-doored or weakened.
Then I explained that any inserted backdoor could be rediscovered within a reasonable time. I wish I had had access to the Clipper references mentioned here. But I was also struggling to keep this on one side of one page, so perhaps it doesn't matter.
Finally I added that the safety of our financial and network infrastructure depends on some of these alternate crypto channels, and to compromise them would put us at risk. SSH and https: were mentioned examples.
There, a case based on things other than privacy or practicality.
Re:My letter to congressmen hand-delivered yesterd (Score:2)
The RISKS of Key Recovery, Key Escrow, and Trusted Third Party Encryption [cdt.org]
Was that the Clipper document you were looking for?
Enforcement? (Score:2)
This second argument is specious for two reasons.
First, any law forbidding strong encryption without a back door could be binding on the sender of messages only. The receiver of a message encrypted without a back door could hardly be held legally liable for the action of another. Therefore, if the head of a terrorist organization outside of the US used strong encryption to send messages to terrorists inside the US, no law has been broken. The backdoor law is not extra-territorial and cannot ban someone outside the US from using non-backdoor encryption, and the receiver in the US cannot be held liable simply for receiving such a message.
Second, the argument assumes that law enforcement can somehow detect whether or not a message is encrypted using a backdoor program or not. The ability for law enforcement to archive messages and search through their contents is truly staggering, but it is not all powerful. It takes many many computer cycles to sift through unencrypted data searching for words or phrases in order to be useful at all. There is no indication that anyone would have the computational power to sift through archived messages to determine if a message is encrpted or not, yet alone whether it was encrypted with lawful or unlawful software. Making such a determination on the fly would be absolutely impossible.
Unless, of course, messages encrypted with compliant software contained flags set at specific bits to alert law enforcement to the presence of lawfully encrypted text. If that was the case, however, terrorist and other non-crypto-law abiding people could simply alter the open source code for their non-compliant crypto package to add the special bits. Law enforcement would still be unable to determine on the fly whether a message was lawfully encrypted or not.
That leaves them only one alternative. They would have to try to decode all encrypted messages on the fly in order to determine which were lawfully encrypted. That action in and of itself would violate the privacy rights of anyone whose message was decrypted simply to determine if it was lawfully encrypted.
Furthermore (or more precisely, once again), the ability to capture all messages and attempt to decrypt them on the fly in order to determine which where lawful and which were not is currently a technologically impossible task.
Re:Enforcement? (Score:2)
BR
Re:Enforcement? (Score:2)
Computer software companies would have to install a backdoor for law enforcement agencies to unscramble secret messages on phones, e-mails and other communications used by suspected terrorists, under a proposal by U.S. Sen. Judd Gregg, R-N.H.
So, if there is enough evidence for someone to be labeled a suspected terrorist, then a search warrant could probably be obtained.
However, given today's climate, those who speak Arabic, are Muslim and anyone else from a Middle Eastern country will probably be labeled a suspected terrorist. If this means that the government can now monitor all their communications, then the terrorists have done significantly more damage then simple destroying the WTC, they've destroyed some of our most fundamental liberties.
Re:Enforcement? (Score:2)
With the result that any of these who happen to be terrorists probably can operate in the open. Since the authorities can't see the wood for the trees...
What you can do... (Score:2)
Based in San Francisco, EFF is a donor-supported membership organization working to protect our fundamental rights regardless of technology; to educate the press, policymakers and the general public about civil liberties issues related to technology; and to act as a defender of those liberties. Among our various activities, EFF opposes misguided legislation, initiates and defends court cases preserving individuals' rights, launches global public campaigns, introduces leading edge proposals and papers, hosts frequent educational events, engages the press regularly, and publishes a comprehensive archive of digital civil liberties information at one of the most linked-to websites in the world.
And it needs our support to ensure that it is forever capable of supporting us against legislation that seeks to eliminate our rights and privacies.
Talking Points Against Key Escrow (Score:2)
1. It's a total waste of time unless you have a plan to force the terrorists to use weak encryption.
2. Centralized key escrow creates a single point of failure for our national cybersecurity infrastructure.
3. Strong crypto can be defeated and has been defeated in the real world. You use existing wiretap laws to implement keyboard sniffers and the like to grab cleartext.
4. You have to be prepared to use keyboard sniffers ANYWAY, because the terrorists aren't going to comply with your law.
5. The bill violates the free speech rights of ordinary citizens and businesses. Conversion from already deployed strong crypto to crippled crypto is an effort comparable to Y2K.
6. Stop using this as an excuse for the intelligence failure. It's bogus. These terrorists made credit card purchases, airline reservations, flight school training, apartment leases using real names sometimes even on our "watch list".
7. Are we really willing to punish otherwise law abiding citizens who fail to register their crypto key? Who needs terrorists when the governement will destroy your rights for you?
8. Security cannot be achieved by weakening security. What is security if not the protection of citizen's rights?
9. The law cannot be enforced, and it's violation isn't even detectable. If you find an encrypted message, how will you know it wasn't made before the ban?
Re:Talking Points Against Key Escrow (Score:2)
Ack! Thanks for reminding us of this aspect of the problem. Remembering the not-so-former administration and its bumbles, we had:
- missing hard drives at a national nuclear lab (what ever did happen with that investigation? reno'ized?)
- lost laptops with national secrets (culprits handslapped)
- directors putting national secrets on their home peecee
- presidents letting movie stars kids play with the nuclear "launch codes" football
- major spy crisis after major spy crisis
etc.
And you want to give these guys the keys??? Might as well let Osama keep them.
*scoove*
Re:Talking Points Against Key Escrow (Score:2)
More likely they will NOT use encryption anyway. They would only send encrypted email if more than 50% of emails were encrypted...
Someone really needs to write "Terrorism for Dummies", with the intended readership law enforcement!
Hate to tell you this... (Score:2)
Stop me if you've heard this one before... (Score:2)
We need to suffer. (Score:2)
Many people thought prohibition was a good idea until they tried it.
Nobody started fixing the US economy until it collased in 1929.
Germany didn't respect its Jews until it killed 6 million of them.
The US Govt didn't get out of Vietnam until the people threatened a revolution.
And the US people didn't give the FBI, CIA and airport security the people and resources they needed until the WTC came down.
You can yell at the public all you want, but until they suffer for their folly, they won't listen. We may just have to suffer the absence of encryption until some terrorist wipes out a few million bank records, or until a few million PC users ignore the law.
Problem is (Score:2)
It's too damn late! (Score:2)
What makes these fools think that bin Laden and organizations like Al-Qaida are going to start using their escrowed encryption programs? The only people who are going to be using this escrowed encryption are your people, your law-abiding citizens. Not even terrorists who enter the US are going to use it, obviously. Most of them may be psychos, but they are not stupid of course. If they were, they would have met their end long ago. In the meantime, someone is going to reverse engineer how you do your key escrow, and then everyone in the world who doesn't have a DMCA-like law can read escrowed encryption traffic after they reverse engineer the new chip that provides it. It may require the resources of a large semiconductor corporation to do the reverse engineering, but once that has been done, end of story.
Hopefully the NSA will do everything to make sure that your escrowed encryption is as perfect as it can be, but given the Agency's track record, I would be wary. Besides, the civilian research into key recovery systems (mostly from Silvio Micali's research, to whom the government paid $1,000,000 for use of his patents in the old Fortezza/Clipper chip) has been somewhat unpromising, and there are many complex security problems involved. What if someone cracks the escrow agency's database? The keys are going to start circulating among the rest of the world's intelligence agencies and terrorist organizations by then.
In the meantime your largely ignorant populace [slashdot.org] is going to start taking active measures to make themselves available for surveillance, in the misguided belief that this will help the security of your nation. It won't, not in any meaningful sense, but makes it far easier for Big Brother to start listening in on everything. Welcome to the American Empire.
Re: (Score:2)
Demonstration of Implementation? (Score:2)
Attention: Baltimore Area Residents (Score:2)
"Monday 9/24, noon, at the Mattin Center: U.S. Representative Constance Morella (8th District of Maryland) will talk regarding Information Security and Privacy."
The Mattin Center is the new arts building on the campus of Johns Hopkins University. I'll be showing up and a hope others will as well.
If you want directions or more info please respond to this post.
Doors of stables and missing horses (Score:2)
Re:WTC attack - an absurd Liberal myth (Score:1)
Re:WTC attack - an absurd Liberal myth (Score:1)
Re: (Score:2)
Re:WRONG! WTC attack - an Illuminati conspiracy (Score:2)
* Sibyl of Prague, an old woman (17th century) "From the east a dragon will come, terrible to look at, because from its 9 times 99 eyes (1999?), mortal rays will be emitted and a poisonous air leaves its mouth".
She predicted the rise of Godzilla. Cool!
GODZIRRRRRRAAAAAAA!
Re:Alternative (Score:2)
Re:Encryption (Score:2)
Re:Encryption (Score:2)
Re:KEY ESCROW IS AGAINST BILL OF RIGHTS (Score:2)
Congress will just claim the "time of war" excpetion in the Third Amendment [usconstitution.net].
Re:Remember Napster? (Score:2)
If the government can disrupt the normal, overt channels of communication for crypto software and development, they can do huge damage. I'll never feel comfortable with crypto software that hasn't had substantial peer review, and this scheme could prevent that.
The Whole Thing Is Ridiculous (Score:2)