Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Encryption Communications Government Security The Internet Technology

NSA Chief: Arguing Against Encryption Is a Waste of Time (theintercept.com) 184

An anonymous reader writes: On Thursday, NSA director Mike Rogers said, "encryption is foundational to the future." He added that it was a waste of time to argue that encryption is bad or that we ought to do away with it. Rogers is taking a stance in opposition to many other government officials, like FBI director James Comey. Rogers further said that neither security nor privacy should be the imperative that drives everything else. He said, "We've got to meet these two imperatives. We've got some challenging times ahead of us, folks."
This discussion has been archived. No new comments can be posted.

NSA Chief: Arguing Against Encryption Is a Waste of Time

Comments Filter:
  • by Anonymous Coward
    New appointment for NSA Chief in 3 ... 2 ... 1 ...
    • Re:Job is forfeit. (Score:5, Insightful)

      by bluelip ( 123578 ) on Friday January 22, 2016 @12:37PM (#51351647) Homepage Journal

      Nah, they just have all methods of encryption broken.

      • Re:Job is forfeit. (Score:5, Insightful)

        by Ravaldy ( 2621787 ) on Friday January 22, 2016 @12:40PM (#51351681)

        Neither, he's a smart individual that took the time to look at the landscape and him speaking about it in the public tells me he's already convinced the people above him.

        • Re:Job is forfeit. (Score:5, Insightful)

          by JoeMerchant ( 803320 ) on Friday January 22, 2016 @01:52PM (#51352281)

          It's a realist approach: "If guns are outlawed, only outlaws will have guns." kind of logic, and it's perfectly sound.

          They can try to keep it out of mainstream consumer electronics, but there's too much "DIY" capability in the world to keep strong cryptography contained.

          It reminds me of the early mp3.com days - the genie has long since left the bottle, doesn't matter if you saw it coming or not, it has happened. Now, you'll have to deal with it. Attempting to recapture the genie is a fool's errand.

          • by gweihir ( 88907 )

            They can try to keep it out of mainstream consumer electronics, but there's too much "DIY" capability in the world to keep strong cryptography contained.

            It reminds me of the early mp3.com days - the genie has long since left the bottle, doesn't matter if you saw it coming or not, it has happened. Now, you'll have to deal with it. Attempting to recapture the genie is a fool's errand.

            Indeed. Just remember that initial PGP was a single person, and so was TOR. And with the current drive to turn everyone into a software developer in school, there is just no way to prevent people from doing it. Sure, many will get it wrong, but some will not. And as encryption software can in many case be made pretty simple, bugs in it will not save the day for the NSA in the long run. Of course, they can still use targeted access, but that is expensive and risky.

            This person has just understood that there i

          • In countries where handguns are outlawed, rifles registered and licensed and any other semi/automatic weapon is prohibited, crimes are lower and deaths, from guns about 1/100 of the USA rage. That rage is 30,000 gun deaths per year, mostly children and a few ill.
            And if a crime is committed with a gun, the sentence is doubled.

            However, bank robberies are way down in number, thanks to plastic, so who is the criminal going to steal from? Is it the self-serve gasoline dispenser at the corner.

            • Perhaps guns and crypto are a bad analogy, but this is /., and if a car analogy isn't available, a bad one will have to make do.

              If crypto is outlawed, not only is it easier to homebrew crypto than guns, but also less directly harmful. What those in power fear is that crypto allows conspiracy, which can ultimately be more destructive and harmful than a single man with a gun ever could be. Crypto allows better planning and coordination of surprise attacks. It comes down to a question of privacy and persona

        • He's not that smart. It's obvious that functional encryption is essential to commerce, to end-user confidence, and even to regulation.

          Obvious.

          • by zlives ( 2009072 )

            the smart part is the second leg of the conversation...
            Congress, we need infinite budget for our quantum computers and ai masters

          • by mikael ( 484 )

            You can have encryption that is unbreakable for the masses, but can be cracked by brute-force by those with supercomputing systems with hundreds of thousands of CPU nodes.

        • People often forget the NSA has a 2nd role as equally important to their spying operations.

          They are mandated to give guidance on securing the US Government and industry against threats - and they rightly encourage departments to use encryption to avoid eavesdropping.

          It's their job to encourage domestic encryption, and to try to break foreign encryption.

      • by Hognoxious ( 631665 ) on Friday January 22, 2016 @12:56PM (#51351805) Homepage Journal

        Could be a good time to invest in companies that make $5 wrenches.

      • This is what I don't understand this is about more than backdoors it's also about outlawing certain encryption types which could make securing financial data difficult, hinder e-commerce, and eventually result in a rise in identity theft and fraud. As far as I know these things are not the the concern of the NSA but are absolutely something the FBI would investigate why does it appear that these positions are reversed.

        • The NSA knows that it you try to limit functional encryption to certain uses, you will fail.

          The good stuff still be found and used by the criminals, and nothing is gained.

        • You can't just "outlaw certain encryption types". People in the rest of the world won't be falling all over each other to outlaw encryption technology that the American government can't penetrate. Who the hell would want to do business with any American company if it meant they had to spread their ass cheeks wide open for the U.S. government?

          And any "bad guys" could safely and easily encrypt their plaintext "illegally", and cloak it with a steganographic layer to fool any Feds who would bother to peek throu

      • Re:Job is forfeit. (Score:4, Interesting)

        by flopsquad ( 3518045 ) on Friday January 22, 2016 @03:20PM (#51352977)
        It's the triple back burner reverse reverse psychology gambit. It goes like this:

        a) Only a fool will believe that anything about breaking encryption is "challenging" for the NSA. (That, and get involved in a land war in Asia.)

        b) A savvy skeptic will take this whole "yeah you should use encryption but gee it makes things difficult" charade as a sign that NSA has encryption pwned six ways from Sunday, resigning themselves to using whatever's good enough to at least prevent parties != NSA from sniffing their bits.

        c) The NSA doesn't actually have encryption pwned, but is counting on b)'s resignation and a)'s inexperience/disinterest to keep the status quo, which really is challenging but not as bad as it would be if encryption became both stronger and more widely adopted.
        • Why would I be a fool to think that NSA can't break properly-done encryption? Just wondering.
          • Well if my (admittedly tongue-in-cheek) gambit idea is correct, then you'd not be a fool, but right on the money. They just want you to think you'd be a fool for thinking that. (So I can clearly not choose the wine in front of me!)

            The NSA's motivations and meta-motivations aside, I suppose it boils down to a somewhat of a tautology--if they can't break properly done encryption, you're not a fool for believing they can't break properly done encryption.

            I have no way of ascertaining whether the NSA has
      • by cfalcon ( 779563 )

        If they have ALL the encryption broken, they can just have all the data. I'm not even mad.

        A functioning attack on Serpent 256, AES, and Twofish would be a landmark accomplishment, because it would imply that there's some fundamental parts of math known only to the attacker.

    • Well yeah, next January...

  • Translation (Score:5, Insightful)

    by NotDrWho ( 3543773 ) on Friday January 22, 2016 @12:31PM (#51351583)

    The NSA has backdoors.

    • Re:Translation (Score:5, Insightful)

      by sinij ( 911942 ) on Friday January 22, 2016 @12:41PM (#51351685)

      The NSA has backdoors.

      Cloak and dagger backdoor is preferable to legislated backdoor. With NSA-style backdoors you could find and fix them and having them is not certainty. Also, totalitarian government won't have much success demanding NSA allow them to use these.

      While I'd rather not have any backdoors, to choose between two evils I'd take my chances with NSA.

      • Re:Translation (Score:4, Informative)

        by JoeMerchant ( 803320 ) on Friday January 22, 2016 @01:55PM (#51352325)

        Whatever backdoors are present, they are irrelevant if the payload being transferred is itself strong encrypted.

    • Re:Translation (Score:5, Insightful)

      by Shawn Willden ( 2914343 ) on Friday January 22, 2016 @01:02PM (#51351873)

      The NSA has backdoors.

      Some, I'm sure. But the NSA cannot count on always having back doors, and this argument wouldn't make sense from that perspective unless Rogers could be certain that it always will.

      No, hard as it may be to believe, I think the real situation here is that the NSA director is not an idiot, and does actually care at least a little about the "secure US communications" part of the NSA's two-fold mission. He realizes that strong encryption is absolutely essential to the future, even though it creates some obstacles for the "break everyone else's communications" side of the NSA's mission.

      Though I also have no doubt that the obstacles it creates aren't nearly as large as we'd all like them to be, because there will always be lots of vulnerabilities.

    • Exactly.

      Be very weary of anyone in our Government who advocates any sort of "freedom" without any arm-twisting.

    • by gtall ( 79522 )

      Stop watching TV, it is bad for you.

  • So basically, (Score:4, Interesting)

    by gcnaddict ( 841664 ) on Friday January 22, 2016 @12:32PM (#51351593)
    It doesn't matter if you use any variety of encrypted messaging products (imessage, cyph, silent phone, signal, etc.), we've got a backdoor for it already.

    The only challenge is in justifying using it after the fact.
  • translation (Score:4, Interesting)

    by Noah Haders ( 3621429 ) on Friday January 22, 2016 @12:32PM (#51351597)

    "We've already cracked everything, any encrypted data is clear as water for us; let's not make a big fuss so people just stay with what they've been doing. Keep cool, people."

    • by slew ( 2918 )

      "We've already cracked everything, any encrypted data is clear as water for us; let's not make a big fuss so people just stay with what they've been doing. Keep cool, people."

      Or more probably...

      If everyone continues to uses standard encryption w/o backdoors, we have a fixed target to attack and we are the best in the world at it.

      If standard encryption has backdoors this might cause cryptographers to go rogue and encryption and splinter the eco-system. Then we will be up to our eyeballs in deep shit to keep up with the mess created putting out small fires everywhere.

      If you know the enemy and know yourself you need not fear the results of a hundred battles.
      Victorious warriors win

    • Symmetric key encryption is basically unbreakable. It has the challenge of sharing the key by secure channel, but once that is done, there are any number of "quasi random" sequences that perfectly mask any signal. If you happen to be able to guess where in the 2^19997 sequence the key says to start, then: kudos, you've cracked it. Thing is, just guessing on short messages can lead to false positive decryptions - you think the message said "this" but in reality it said "that", you just randomly happened u

      • I'm trying to decide what the Feds think they're going to do.
        • Legislate backdoored encryption and hope people worldwide won't mind Americans being able to see their dick pics
        • Mandate into law that all large pseudoprimes must be easy factorizable
        • Make it illegal to send an encrypted message with no primary key included as an attachment
        • Allocate billions of dollars to a "Manhattan Project" until it proves P=NP

        This seems asinine. "Hello Bob? This is Alice. If you're at FBI headquarters could you please turn off

    • Suppose I exchange a one-time pad with a friend, and we both use it correctly. That is strong encryption, and it's not crackable by anyone without the computing horsepower to simulate the universe in which I created it. Mr. Rogers didn't say "we want what-you-think-is-strong encryption for everyone, just not the real stuff". He advocated actual strong encryption for everybody.

  • by jellomizer ( 103300 ) on Friday January 22, 2016 @12:33PM (#51351607)

    The fact that software can be made (and made well) by amateurs. So such regulations saying that software shouldn't have encryption means outside sources will still make it. This will only put the big companies into a disadvantage as they wouldn't be able to make secure solutions to their system.

    • by Jason Levine ( 196982 ) on Friday January 22, 2016 @12:55PM (#51351795) Homepage

      We"re also living in a global market. Let's say the US banned strong encryption tomorrow. What's to stop someone in another country from posting the source code to a strong encryption scheme? How would you prevent people from downloading and using this? You'd need to implement a "Great US Firewall" and filter all encryption-related sites. Even if you were able to do this, all you'd wind up doing is making US businesses less secure than foreign businesses. More US business hackings would leave the (valid) impression that you should trust foreign companies over US-based ones and the economy would suffer.

      Encryption opponents like to pretend like they can just have Congress pass a law and all that pesky encryption will vanish with no consequences. In reality, banning encryption would create a horrible mess for businesses and consumers.

      • by Anonymous Coward

        Gone are the days of 48 bit export encryption, here are the days of 48 bit domestic encryption.

      • We"re also living in a global market. Let's say the US banned strong encryption tomorrow.

        Stop at that point and rephrase those together as "let's say the US only allows export of hardware that the US government can snoop on". Forget everything else, because our economy would be dead as every other nation would universal ban the import of our products.

        When a person in power says they want to ban strong encryption, reply by asking why they're working to destroy our economy.

      • by blueg3 ( 192743 )

        Let's say the US banned strong encryption tomorrow. What's to stop someone in another country from posting the source code to a strong encryption scheme?

        Maybe he realizes that this is part of how we got rid of "export grade" encryption in the US. Everyone was just writing software in a foreign country and people were importing it. Once you have the Internet, you can't realistically regulate software imports. Not if you're the US and the software is free. So export-grade encryption became simply a penalty for US businesses with little practical effect. At that point, you might as well accept it and change the laws to get rid of the business penalty.

  • Refreshing (Score:5, Insightful)

    by Anonymous Coward on Friday January 22, 2016 @12:38PM (#51351657)

    It's refreshing to hear someone address this issue with a little sanity. However, I still don't trust any three letter agency.

    • I was thinking the same thing. But i also wonder if somebody spiked his coffee too. It's odd to see an agency head put sanity and logic above political will in such a public and clear way.

      • by Anonymous Coward

        I tend to think that breaking encrypted messages is a decent part of what the NSA is budgeted to do. Legislate it away and they lose funding. Although, it is nice when pragmatic views arise, regardless of their motivations.

      • by rtb61 ( 674572 )

        Straight up doing a Hollywood reboot. Reputation is crap, they are trusted by no one in the rest of the world, they really have soiled themselves and as such working with others has become very difficult. So they are forced to at least publicly attempt to rebuild their image, of course based upon the lies, years and years worth of lives, that rebuilding of reputation is going to be extraordinarily difficult. To enable working with others again, specifically in defensive roles, likely they will have to be s

    • Would you trust them if they all when to 4 letters or 2 letters and a number or 1 letter and 2 numbers?

    • Well, they may be a bunch of evil bastards. But the NSA and the NRO are the three-letter-agencies that are most likely to be technologically clueful. So, as much as I bet they wish that a mandated backdoor for the government were a feasible option; they are also the ones most equipped to know how profoundly stupid a suggestion that is.

  • by Nidi62 ( 1525137 ) on Friday January 22, 2016 @12:39PM (#51351667)
    I see what he did there. Because so many people are speaking out against everything the NSA is doing, he's trying to trick us. He knows if he comes out and says encryption is good, everyone else will shout back "no, we don't need encryption!". This will then allow the NSA to say "Ok, we will listen to you, no encryption for anyone!".

    He's a genius, he's pulling the classic Bugs Bunny/Daffy Duck Hunting Season trick on us.

  • by sdinfoserv ( 1793266 ) on Friday January 22, 2016 @12:44PM (#51351727)
    ...civil liberties, freedom, the 4th Amendment, and the 5th Amendment is a waste of time.
  • by Anonymous Coward on Friday January 22, 2016 @12:46PM (#51351731)

    Bullshit. Crime rates have never been lower. The chance of being injured or killed by terrorism is vanishingly small and comparable to a lightning strike. The advantages of secure communication far outweigh any potential aid it gives to criminals. The only challenge here: a government organisation trying desperately to preserve itself and its budget in the face of increasing scruitny and irrelevance.

  • encrypt stuff with every possible key, look for some kind of common signature or order in the data and make an algorithm to break it using the possible keys
  • Someone in the Government who has a clue... AND is speaking out.

    I think I may faint.

  • by kheldan ( 1460303 ) on Friday January 22, 2016 @01:26PM (#51352073) Journal
    Someone like that is the last person I'd expect to bust out with a public statement like that, but at least on the surface it makes me feel a little better that not everyone in the government is as dumb as a doorknob.
    • by JustNiz ( 692889 )

      Yeah I feel the same way.
      I'd love to believe this guy just gets it, but It does very much make me wonder if something like they've just figured out how to get their quantum computer to do general case decryption has just happened though.
      At least he seems to be bonking the obviously clueless lawmakers over the head for whatever reason, so I'd say its a net win.

      • but It does very much make me wonder if something like they've just figured out how to get their quantum computer to do general case decryption

        See, that's not as bad as braindead politicians ruining or banning encrytion, because at least it's a more level playing field, then; the Bad Guys' encryption would be just as vulnerable as any other encryption is, and it would still likely take some time to crack the encryption in any case, so they'd be less likely to be decrypting everything, as opposed to encryption being about as effective as taking the deadbolt off the front door of your house and using a strip of duct tape instead, which is what a 'ba

        • by JustNiz ( 692889 )

          Very much agreed.
          It just occurred to me that this is actually pretty analogous to the braindead "lets ban people from owning guns" idea.
          Both incorrectly presume that for some magical unexplained reason, bad guys will somehow suddenly choose to give up using the "bad thing", except in reality all thats happening is you're now stopping only already law-abiding people from defending themselves so the playing field gets even more unbalanced.

  • For the people advocating for backdoors/key-escrow/etc, I always wondered what they would say about their own communications. Would they themselves be willing to escrow the keys to their own communications? All of them, including top secret ones? If not, then why?

  • Given e-mail is for the most part sent in the clear, thus equivalent to a postcard, what amount of encryption would make it letter post equivalent (indicating privacy, rather than sensitivity)? Does 256-bit sound reasonable (thinking low effort of encryption/decryption, but easily openable by an agency, using resources they already have using a court order, if it came to it)?

    • by godrik ( 1287354 )

      The problem with encrypting emails is "who performs the encryption/decryption?" If the gmail server performs the crypto, then it is pretty much useless. If the client performs the encryption/decryption, then you get two problems: key management, and loss of service. If the server does not have the full text, then you can not use server side server, indexing, .... which have become standard tools.

  • Didn't we just yesterday have someone from some TLA ranting and raving about how we must accept not having encryption anymore? What happened? Found a critical flaw in all encryption schemes in the past 24 hours?

  • Encryption is bad only if you presume that either the only, or at least the far most likely reason anyone might want something to be hidden from others is because they are doing or have done something wrong.

    Except that this is *FAR* from true. Insisting that people shouldn't try and hide things from people who might claim to mean well is equivalent suggesting that people really shouldn't have privacy at all, and it is nothing less than absurd to suggest that nobody should have any rights to any privacy,

  • I doubt there are any backdoors in RSA keys, but most https traffic uses 256-bit symmetric keys. Let's say the NSA or whoever has a bank of computers that can crack that key in a day. With today's CPUs, you could encrypt your traffic with 10,000 keys relatively quickly. Then they would have to decrypt each one at a time. Of course, exchanging those keys may be complicated. Maybe to accomplish that you need a 4096-bit key.

    The biggest problem with this theory is if they can crack a key, how long does it take?

  • For those interested, here is a link to the video for the full presentation [atlanticcouncil.org] which was made at the Atlantic Council on Thursday.
  • by Greyfox ( 87712 ) on Friday January 22, 2016 @05:42PM (#51354053) Homepage Journal
    Is it because privacy and security are only threats to tyrants? The fact that even raising the issue isn't political suicide for any politician or civil servant who dares suggest it is, frankly, embarrassing.
  • Taking into context a certain presidential candidate's use of private email server to do government work which will not be an exceptional case but a common past and future problem for national security does the government want a back door to itself?
    Since the root problem here is human individuals, bad guys, good guys, public, etc how to you prevent your own gun being turned on you.
    I suspect that's part of the issue from Rogers stand point.

    Of course he may not have got the memo about "2+2=5" and the other on

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (1) Gee, I wish we hadn't backed down on 'noalias'.

Working...