Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Businesses Government Security

Going Dark Crypto Debate Going Nowhere (threatpost.com) 111

msm1267 writes: FBI general counsel James Baker reiterated a theme his boss James Comey started months ago, that Silicon Valley needs to find a solution to the "Going Dark" encryption problem. Two crypto and security experts, however, pointed out during a security event in Boston that encryption remains the best defense against the government's surveillance overreach and espionage hacking targeting intellectual property. “If we were able to engineer a mechanism where we’re splitting a key and having a third party escrow it where the government could ask for it, the very next thing that would happen is that China et al will ask for the same solution. And we’re unlikely to give them the same solution,” Eric Wenger, director of cybersecurity and privacy, said. “Complexity kills, and the more complex you make a system, the more difficult it is to secure it. I don’t see how developing a key-bases solution secures things the way you want it to without creating a great deal of complexity and having other governments demand the same thing.”
This discussion has been archived. No new comments can be posted.

Going Dark Crypto Debate Going Nowhere

Comments Filter:
  • by Anonymous Coward on Sunday November 08, 2015 @03:00PM (#50888973)

    Do what is best.

    • by AmiMoJo ( 196126 ) on Sunday November 08, 2015 @03:31PM (#50889127) Homepage Journal

      Going dark is the solution, not the problem.

  • “If we were able to engineer a mechanism where we’re splitting a key and having a third party escrow it where the government could ask for it, the very next thing that would happen is that China et al will ask for the same solution. And we’re unlikely to give them the same solution,”

    You're likely to give them the same, or a similar solution.

    And the first thing they will use it for is to crack open all messaging to spy on political threats to them. This stuff is regularly abused in the US, with no technological barriers to a political operative misusing the system currently (i.e. without a warrant.) But at least they'd have to hide it or get in severe trouble. In China, Russia, many other countries, there is no fear because it's official policy.

    • Why do they have to hide it in the US? There is nobody actually watching the system to make sure it is not abused. How much did Snowden download and nobody caught on. Hell, did they even 'catch' any of the people doing loveint or were they all self-reported?

      They aren't even remotely interested in catching people abusing the system.

    • [...] the very next thing that would happen is that China et al will ask for the same solution.

      I think this is actually backwards compared to how it may actually play out. This month's *Harper's Magazine* has an interesting essay about American businesses operating in China. (*Harper's* is paywalled, but you get a few free views per month.) The essay can be found here:

      "The New China Syndrome: American business meets its new master" [harpers.org]

      The gist of the essay is that China's authoritarian government strong-arms

      • Arrest is a much bigger deal in China than most readers would think since it leads to a 99+% conviction rate.
      • But then China will have the same conundrum: If they ask for it, and are granted it, now the NSA will have the potential mechanism to spy on THEM.

    • by Lumpy ( 12016 )

      Actually knowing how incompetent american companies are. Not only will they give the China govt the same thing it will have the SAME FUCKING KEYS.

    • by gtall ( 79522 )

      " This stuff is regularly abused in the US, with no technological barriers to a political operative misusing the system currently (i.e. without a warrant.)"

      Reference or are you just talking out of your ass?

  • Not quite... (Score:5, Insightful)

    by Anonymous Coward on Sunday November 08, 2015 @03:15PM (#50889037)

    ...the very next thing that would happen is that China et al will ask for the same solution...

    No, that would be second. The first thing would be US agencies demanding keys without warrants and with gag orders.

    • We don't give them the keys, we give them the decoded data. Otherwise they can decode everything instead of just what is on the warrant. Option B is we have end to end encryption where the ISP doesn't have the keys.
  • What do we want? (Score:5, Insightful)

    by Anonymous Coward on Sunday November 08, 2015 @03:19PM (#50889069)

    âoeWeâ(TM)re looking for help. We want all the smart people in this country to help us figure out this complicated problem weâ(TM)ve been struggling with for a long time,â Baker said. âoeAt the most fundamental level, it is about the relationship between the people and the government when it relates to surveillance by the government of the people and under what set of circumstances do people want that to happen. What do you want us to do? What risks are you wiling to take and what can we do to mitigate risks out there that exist on all sides of the equation?â

    Yes, Mr. Baker, it is about the relationship between the people and the government. What we wanted you to do was to treat the Fourth Amendment as a law, not as an obstacle to be circumvented. You have demonstrated yourselves incapable of obeying the laws you profess to uphold. So, what we want now is for you to go away. If that means a terrorist kills a few of us every now and then, so be it. Right now the terrorists are killing a lot fewer civilians than our policemen, so frankly, if I've gotta take the risk, I'd rather take my chances with the bad guys than the good guys.

    Until then, remember this is professional, not personal. You Feebs actually pretty good at police work when you get off your asses and go do it. Maybe if we make it hard enough for you to spy on us illegally, you'll be forced to resort to good old-fashioned HUMINT-style police work for the rest of your cases. Try serving and protecting the public for a change. You might even start to enjoy it. And we might, after a few decades, start to trust you again.

  • by Anonymous Coward

    The simple fact is, government, in all its forms, requires access to everything in your life. Accept it, you are a plebe with your ass hanging out. Yay, modernization? Get real people, understand your place in the universe.

    This is a message to those in control: You have won this battle but you will will never break us. The true "us". Those that fight your tyranny and everyone that can't understand. Your days are numbered.

  • by Anonymous Coward on Sunday November 08, 2015 @03:27PM (#50889117)

    There's no reason for normal email, IMs, video chats, web surfing, etc to be available at all to anybody who isn't among the intended recipients.

    These protocols are in the clear for historical reasons: people didn't imagine that the government would be a bad actor. Since they now are, it's time to add strong encryption to all of those things.

    The whole internet needs to "go dark" from the perspective of the Stasi fucks.

    • There's no reason for normal email, IMs, video chats, web surfing, etc to be available at all to anybody who isn't among the intended recipients.

      Yes there is. To catch criminals and to solve crimes.

      • by Anonymous Coward

        Ah. So you obviously gave the police a spare key to your house, just in case they get a warrant and need to enter more easily?

        • They don't need a key, they can break the door down.

          • If you truly believe that then surely any and *all* conversations should be recorded or minuted and submitted to the government for examination.

            Having a chat with a buddy over a beer on a Saturday afternoon -- better write down exactly what was said and (e)mail it off -- or you're a damned commie spy and terrorist!

            Sorry, but regardless the cost, the right to privacy ought to be an inalienable one that can not be usurped by a small bunch of paranoid politicians and bureaucrats who have proven themselves (tim

  • by He Who Has No Name ( 768306 ) on Sunday November 08, 2015 @03:31PM (#50889129)

    All structures are, in the end, flammable. Literally or figuratively.

    Even panopticons.

  • by r-diddly ( 4140775 ) on Sunday November 08, 2015 @03:33PM (#50889139)
    One Gang of Criminals Claims They're Way Better than the Other Gangs
    Wants Privileged Data Access
  • by NostalgiaForInfinity ( 4001831 ) on Sunday November 08, 2015 @03:37PM (#50889151)

    This debate isn't about "terrorists"; any sophisticated organization with something substantial to hide isn't going to rely on Apple's or Google's encryption, they are going to be using their own, something that is easy enough to do.

    The entire debate is about day-to-day police work: police want to be able to search your phone and your E-mail with the same ease with which they can open your car's trunk. The problem with that isn't that they may or may not use it against minor offenders, the problem is that if you put that capability in the hands of a million law enforcement officers and government investigators, they will invariably abuse it for personal and political gain, blackmail, and amusement.

    • No. The real issue is do we want the police to search email in order to solve crimes or do we want the police to search email in order to find crimes. The whole issue of warrants is that they are used in order to solve and not find crimes.

      The terrorism issue is relevant in that the only effective way to stop terrorists is to search email of vast numbers of persons before any crime has been committed.

      • "the only effective way to stop terrorists is to search email of vast numbers of persons before any crime has been committed."

        False.

      • No.

        "No" what?

        The whole issue of warrants is that they are used in order to solve and not find crimes.

        Correct. And that is by design.

        The terrorism issue is relevant in that the only effective way to stop terrorists is to search email of vast numbers of persons before any crime has been committed.

        That's bullshit. And even if it were true, it still wouldn't be a justification for destroying the foundations of a free society.

      • by whoever57 ( 658626 ) on Sunday November 08, 2015 @05:32PM (#50889671) Journal

        The terrorism issue is relevant in that the only effective way to stop terrorists is to search email of vast numbers of persons before any crime has been committed.

        What terrorists? There have been well-publicised cases where people have breached airport perimeters. If there were any serious terrorists, they would have planted a bomb on a plane, or, an even better target, the queue for the security check.

        We should put the threat into context. How many people die every year in traffic accidents? How many people die because of lack of access to affordable healthcare? More lives could be saved through access to healthcare, support for the homeless, etc. than through the vast spending on "security".

        No, the spending on security is really just spending on keeping the security apparatus in place. It's the self-sustaining and self-justifying military-industrial-intelligence complex.

      • by KGIII ( 973947 )

        Other than attacks from foreign powers or things that otherwise come to light, the government's job is not to stop crimes before they happen. Doing so means, arbitrarily, lost freedoms. The government's job is the prosecution of criminal acts - not prevention of them. This doesn't mean that they can't prevent crimes before they happen. It means that they can't restrict our liberties in order to do so.

        You are the problem.

        • by dave420 ( 699308 )
          I think you meant "intrinsically" or "without exception" as opposed to "arbitrarily", unless you were trying to point out the complete lack of an argument in your argument...
          • by KGIII ( 973947 )

            Yes, yes I did mean intrinsically. I blame maybe being a little high, tired, and stupid. :D

      • by gweihir ( 88907 )

        I think the only way email surveillance is going to help against "terrorists" is that it makes it easier to find idiots that the FBI can then turn into fake terrorists. No actual terrorists will or was ever be caught this way. They do know that the NSA/GCHQ/Stasi/GeStaPo can read email, you know.

  • Nothing new here (Score:2, Informative)

    by Anonymous Coward

    ... we're unlikely to give them the same solution ...

    Bullshit. If anything, the US state department will demand they implement the same flawed solution, or worse, a less secure implementation.

    ... show-up with a court order, and can't get the fruits of surveillance because of encryption.

    Leaving aside the honesty of this statement, a court order doesn't open safes, or reveal where the suspect's off-site storage is either. The real problem is encryption offers near-perfect secrecy for a low, low price, so everyone has it. Plus, the bad behaviour of most governments over the last decade motivates everyone to use it. An information device offers a detai

  • and makes demands, that's not a debate. That's a tantrum. There is no debate here.
  • Terrorists etc. who wanted to have been able to use one-time pads or personal couriers who memorized their messages since well before modern cryptography.

    Sure, it was a bit more cumbersome and not always practical, and when implemented naively, it was vulnerable to rubber-hose cryptanalysis [xkcd.com] but then again, so is an encrypted smart-phone when you have access to someone who knows the password.

    So, tell me again, if bad guys will continue to have these options, why is it a good idea to weaken all other forms o

    • by gweihir ( 88907 )

      Aehm, SHA1 is not a cipher, hence no key?

      Other than that, I fully agree.

  • by Ambassador Kosh ( 18352 ) on Sunday November 08, 2015 @04:15PM (#50889321)

    The FBI and NSA are right that good default crypto will make it harder to catch criminals and the extremely rare terrorists. It will also make it harder to catch people doing quite a number of other bad things.

    However, they also brought this on themselves. Overall this is like the response to ads online. Ads got so extremely bad that people just installed adblockers that block everything. Now many sites are finding it hard to even survive due to ads being blocked. If you unblock the ads on the site though you find out the ads are extreme with sound, video, taking over clicks, and with dozens of ads on a page and so you go back to blocking.

    If the Ad industry had stayed to banner ads and maybe one or two small ads on the sidebars of a page and with no music or video then it is likely that people would not have gone to the effort to block them. They created this mess all on their own.

    If the NSA had not started watching everyone in a fairly blatant violation of the law and the courts made it so you can't even try to stop them since they rule you have not standing since you can't prove you where watched then this reaction would not be happening. What the NSA did damaged Apple, Microsoft, Google, Facebook and many others along with pissing off average people a lot. When the average person thought the NSA was just going after evil people outside the country they where okay with it. Finding out they go after citizens in the country also is unacceptable.

    I have no idea how to deal with the actual legitimate concerns of the NSA and FBI and also deal with their abuse. We all know that they will keep abusing their powers if they can. If you compromise encryption in any way then others will find the backdoors also and use them.

    This is not a good situation and in the end I don't know how it will play out. It should be possible for the NSA and FBI to get access to data upon probably cause and with a court order I just don't see any realistic way to do that anymore given what they have done.

    • by swb ( 14022 ) on Sunday November 08, 2015 @10:09PM (#50890607)

      I have no idea how to deal with the actual legitimate concerns of the NSA and FBI and also deal with their abuse. We all know that they will keep abusing their powers if they can. If you compromise encryption in any way then others will find the backdoors also and use them.

      Just what ARE their legitimate concerns? How many homacidal rapists, armed robbers, etc are out there RIGHT NOW that could have been caught if only their phones could have been cracked, but since they weren't, they had to let them go?

      I see this first and foremost being used against the political enemies of whoever runs the FBI these days, whether its journalists, domestic antigovernment activists, NGOs, etc. And then after that as a way to score cheap points efficiently going after low-level crooks whose prosection would otherise require the FBI to work instead of charging a bunch of people with crimes like lying to the FBI and conspiring to lie to the FBI.

      I just don't buy any "because terrorists" arguments. If a cell of terrorists wanted to plan a Mumbai/Nairobi style attack on a mall or something, it'd be easy, but it never happens and I doubt it has to do with cracking smartphones.

      The NSA is supposed to by gathering intelligence outside our borders, and no amount of mandatory key escrow within the US will force overseas users to not use encryption. Banning the practice here doesn't magically make the technology disappear.

      And I can only guess that the NSA has a whole array of clandestine, cloak and dagger operations to supplement their data acquisition.

  • Dear Mr. Baker (Score:5, Interesting)

    by sheetsda ( 230887 ) <doug...sheets@@@gmail...com> on Sunday November 08, 2015 @04:50PM (#50889467)

    Dear Mr. Baker,

    I have an interest in this discussion as an engineer on a product that uses encryption. Here's a small sample of my companies customer list:

    - Federal Bureau of Investigation
    - US Department of Defense
    - US Department of State
    - US Department of Homeland Security
    - US Air Force
    - US Army
    - Naval Air Warfare Center Weapons Division
    - Northrop Grumman
    - Lockheed Martin
    - Raytheon

    I am sure these organizations would love to hear why you need access to their data. I am sure the governments of China and Russia would never dream of hacking into your key repository, honest.

    Disclaimer: opinions expressed here are mine and do not represent my employer.

  • Crypto does away with the NEED for many aspects of government. 1. Governments have traditionally done a wonderful job printing money when they are broke Obviously this hurts people who save a currency, but since there are less of them these days who cares! Bitcoin and gold offer a way to decouple the value of a currency from the government lack of discipline. Even though it is a legal tender in the constitution, raids on gold currency have been enough to hurt it's image. It is hard to store
  • ...to not abuse the powers we granted it in good faith for the common defense and the public good we can have this discussion about how to deal with legally granted search warrants in pursuit of a legitimate and well targeted crime. Until then I feel for these people in criminal justice trying to do what I am sure is a hard job, but its a non starter. This situation is a direct result of abuse and corruption. You broke it, you bought it.

  • by hawguy ( 1600213 ) on Sunday November 08, 2015 @06:01PM (#50889763)

    “This is about rule of law and the fundamental rights we have from the Constitution, creating laws that enable government to obtain the results of surveillance in ways that are consistent with constitutional rights,” Baker said. “Today, that’s not happening. We are not able to use what’s available today with a 4th Amendment warrant. We do what the law requires, show up with a court order, and can’t get the fruits of surveillance because of encryption.”

    Without encryption, what happens when they show up with their warrant and I say "Sorry, I don't have any secrets here, they are hidden in a land far far away and you'll never find them".

    How is that any different than if I say "Sorry, my secrets are encrypted, and you'll never decrypt them".

    Besides, if commercially available encrypted products are required to have a back door, the smart criminals are just going to use real (i.e. "illegal") encryption to store up their secrets.

  • Just use layered encryption. If they come after you, you know they have been snooping on you. Then just reveal harmless data. If the do not come after you, they get nothing. So, as so often, outlawing secure crypto or mandating backdoors only means that only the criminals will have secure crypto. In a sane state of affairs, everybody will have it. And the clinically paranoid "servants of the people" will just have to get over themselves and realize people are not so willing anymore to accommodate them after

  • "Going Dark" encryption problem.

    This isn't a problem.

    --
    BMO

Promising costs nothing, it's the delivering that kills you.

Working...