US Congressional Committee Concludes Encryption Backdoors Won't Work (betanews.com) 98
"Any measure that weakens encryption works against the national interest," reports a bipartisan committee in the U.S. Congress. Mark Wilson quotes Beta News:
The Congressional Encryption Working Group (EWG) was set up in the wake of the Apple vs FBI case in which the FBI wanted to gain access to the encrypted contents of a shooter's iPhone. The group has just published its end-of-year report summarizing months of meetings, analysis and debate. The report makes four key observations, starting off with: "Any measure that weakens encryption works against the national interest".
This is certainly not a new argument against encryption backdoors for the likes of the FBI, but it is an important one... The group says: "Congress should not weaken this vital technology... Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system that gives law enforcement exceptional access to encrypted data without also compromising security against hackers, industrial spies, and other malicious actors...
The report recommends that instead, Congress "should foster cooperation between the law enforcement community and technology companies," adding "there is already substantial cooperation between the private sector and law enforcement." [PDF] It also suggests that analyzing the metadata from "our digital 'footprints'...could play a role in filling in the gap. The technology community leverages this information every day to improve services and target advertisements. There appears to be an opportunity for law enforcement to better leverage this information in criminal investigations."
Re: (Score:2)
Richard Burr is not a Democrat.
by putting back doors in (Score:2)
Re:by putting back doors in (Score:5, Insightful)
There are two fatal flaws in your reasoning:
1. You assume that "the police" and "the criminals" are disjoint sets.
2. You assume that innocent people have nothing to hide, and nothing to fear from the police.
Re: (Score:2)
There are two fatal flaws in your reasoning:
1. You assume that "the police" and "the criminals" are disjoint sets.
He does no such thing. He is suggesting that, say, Apple would hold a key and would only unlock a device in response to the concurrence of two separate branches of government. In this case the executive and judicial.
2. You assume that innocent people have nothing to hide, and nothing to fear from the police.
He made no such assumption.
Re: (Score:2)
He does no such thing. He is suggesting that, say, Apple would hold a key and would only unlock a device in response to the concurrence of two separate branches of government. In this case the executive and judicial.
Do you mean like how the telecommunication companies would only hand over metadata and content to law enforcement when presented with lawful orders until the point where Congress had to pass a law granting them immunity because they did not? How did that work out? Why would it be any different with Apple?
Re: (Score:2)
If phones can't be trusted, then you have to use a connected device that can be.
Tether the secured device to the phone so they are separate and the phone only sees the encrypted data.
Re: by putting back doors in (Score:1)
There should be no keeper of the keys. The keys should be inaccessible to the manufacturer and anybody but the person who owns the device. Then we don't have this problem and the FBI can go to hell. Why is it just because something's electronic that they should have unfettered access to it? And with courts largely comprised of pro-cop judges search warrants aren't all that much of an impediment or check in far too much of this country.
Disturbing. (Score:5, Insightful)
While most people start thinking, "oh what a breath of fresh air, the government getting it right for once," I worry, "have aliens infiltrated our government? Because it seems like they are listening to experts and making logical conclusions." ;)
Re: (Score:3, Insightful)
The backdoors are starting to impact international trade, making US products less appealing. China has also had problems with backdoors, but this allows different countries to become more competitive while the US remains politically divided (preventing them from competing globally in the future, over the long-term).
Re:Disturbing. (Score:5, Insightful)
... "have aliens infiltrated our government? Because it seems like they are listening to experts and making logical conclusions."
I expect the experts testifying used illustrations in crayon and very small words. And they still got a weasel-worded statement from the committee. "Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system..." No, that's not what they said. Every single one of them said it is impossible. Because it is.
Congresses come and go, but there is one invariant: they all have trouble with mathematics.
Re: (Score:2)
"Congresses come and go, but there is one invariant: they all have trouble with mathematics."
That's not saying much, most people have trouble with mathematics.
Re:Disturbing. (Score:5, Insightful)
"Congresses come and go, but there is one invariant: they all have trouble with mathematics."
That's not saying much, most people have trouble with mathematics.
Most people aren't making Federal policy decisions related to science, math, and technology while being unversed in science, math, and technology.
It is infeasible to be a break 2048 bit Diffie-Hel (Score:4, Insightful)
I'm sure cryptography experts did in fact say it's infeasible or impracticable. That's what those of us who work in the field say about things we think nobody can do (probably). For instance, it's currently infeasible to crack 2048 bit Diffie-Hellman. We tend to avoid saying something is impossible, because as soon as you say that someone's likely to do it :) Theoretically, it's trivial to crack Diffie-Hellman, it's not cracked because of the PRACTICAL difficulty of doing so.
There's nothing theoretically preventing a master key from working just fine, only PRACTICAL problems of a) keeping the government key secret (while it's used) and b) selecting ciphers and implementations that won't be hacked ten years from now. The practical issues mean it's impractical to have a government master key.
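The gap between "theoretically trivial" and "practically infeasible" in the comment above can be measured on toy groups. This is an added example, not part of the thread: the primes, the base 5 and the private keys are constructed values, and baby-step giant-step is a generic textbook solver chosen for illustration.

```python
# Added example (not from the thread): toy Diffie-Hellman plus a generic
# discrete-log solver, to show how attack cost scales with modulus size.
import math

# Constructed parameters: small primes and base 5 are illustrative only.
TOY_PRIMES = [65537, 1000003, 1000000007, 2147483647]
G = 5


def dh_exchange(p, g, a_priv, b_priv):
    """Return (A, B, shared): both public values and the agreed secret."""
    A = pow(g, a_priv, p)
    B = pow(g, b_priv, p)
    shared = pow(B, a_priv, p)
    assert shared == pow(A, b_priv, p)  # both sides derive the same value
    return A, B, shared


def bsgs(p, g, h):
    """Baby-step giant-step: return (x, steps) with pow(g, x, p) == h.

    Time and memory are both about sqrt(p), so every extra 2 bits of
    modulus doubles the work.
    """
    m = math.isqrt(p - 1) + 1
    baby = {}
    e = 1
    for j in range(m):                 # baby steps: table of g**j
        baby.setdefault(e, j)
        e = e * g % p
    giant = pow(g, p - 1 - m, p)       # g**(-m) mod p (Fermat, p prime)
    gamma = h
    for i in range(m):                 # giant steps: h * g**(-i*m)
        if gamma in baby:
            return i * m + baby[gamma], m + i + 1
        gamma = gamma * giant % p
    raise ValueError("h is not a power of g")


def eavesdrop(p, g, A, B):
    """Passive observer who sees only p, g, A, B recovers the secret."""
    x, steps = bsgs(p, g, A)
    return pow(B, x, p), steps


def generic_cost_log2(modulus_bits):
    """log2 of the square-root attack cost for a modulus of this size."""
    return modulus_bits / 2


def demo():
    """Return (modulus_bits, solver_steps, secret_recovered) per toy prime."""
    rows = []
    for p in TOY_PRIMES:
        a_priv = 123456789 % (p - 1)   # constructed private keys
        b_priv = 987654321 % (p - 1)
        A, B, shared = dh_exchange(p, G, a_priv, b_priv)
        recovered, steps = eavesdrop(p, G, A, B)
        rows.append((p.bit_length(), steps, recovered == shared))
    return rows


if __name__ == "__main__":
    for bits, steps, ok in demo():
        print(f"{bits:>4}-bit modulus: {steps:>6} steps, recovered={ok}")
    # The same method at 2048 bits needs about 2**1024 steps. Index-calculus
    # methods such as the number field sieve do far better on prime fields,
    # which is why NIST SP 800-57 rates 2048-bit DH at about 112 bits.
    print("2048-bit generic cost: 2**%d steps" % generic_cost_log2(2048))
```
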
Re: (Score:1)
only PRACTICAL problems of a) keeping the government key secret (while it's used)
This is what makes it totally impossible. They couldn't keep big secrets like the nuclear bomb - one would think it'd be nice if others really had to do all the development all the way from basic principles. Failing on the big secrets, how could you expect them to keep smaller secrets like a master key that allow full control of one series of phones from one particular brand? Doesn't seem as interesting a secret to keep as "details of a nuke" so it'll get out even easier.
Other governments will want their ow
Re: (Score:2)
I'm sure cryptography experts did in fact say it's infeasible or impracticable. That's what those of us who work in the field say about things we think nobody can do (probably). For instance, it's currently infeasible to crack 2048 bit Diffie-Hellman. We tend to avoid saying something is impossible, because as soon as you say that someone's likely to do it :) Theoretically, it's trivial to crack Diffie-Hellman, it's not cracked because of the PRACTICAL difficulty of doing so.
Since the government's position [wikipedia.org] is that "limited" is any duration of time which is bounded, I do not know what they are complaining about. Under that definition, any encryption key can be cracked in a limited amount of time.
Re: (Score:2)
I expect the experts testifying used illustrations in crayon and very small words. And they still got a weasel-worded statement from the committee. "Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system..." No, that's not what they said. Every single one of them said it is impossible. Because it is.
Congresses come and go, but there is one invariant: they all have trouble with mathematics.
The technology part for key escrow and similar systems works fine but the social part is completely broken. Congress cannot pass a law limiting access which the government cannot later ignore.
They do "study and ignore" all the time. (Score:5, Informative)
While most people start thinking, "oh what a breath of fresh air, the government getting it right for once," I worry, "have aliens infiltrated our government? Because it seems like they are listening to experts and making logical conclusions." ;)
You see this a lot.
A stock thing for Congress to do when there's a lot of public pressure over some crisis is to take the pressure off themselves by commissioning a study. By the time the study is finished the crisis is old news and the pressure is gone. The results of the study can then be safely ignored and the Congresscritters can continue to vote the same way as always.
The only thing the study results are usually used for is occasional speech sound bites for proponents of the side that agrees with the conclusions. Since the conclusions don't actually matter, the study groups don't have to be packed to come up with a desired result. So sometimes they come up with something accurate and useful. But it's still noise as far as actually changing anything politically sensitive. About the best thing it does is occasionally help a legislator understand an issue better and/or formulate a better way to present his position.
One example of this is the Second Amendment. Congress commissioned a study on whether the framers intended it to protect an individual right of members of the civilian population to arm themselves as they see fit. The study went deep and came to a resounding conclusion that this was exactly the point. This was reported in 1982.
Then Congress and the executive branch completely ignored the study and continued legislating and enforcing ever more gun restrictions - to this day, nearly 35 years later. Most of the federal level legal changes that favor those who want to buy guns and use them for self defence have come from the Supreme Court, which came to the same conclusion by their own procedures.
Re: (Score:3, Insightful)
Yes, Congress can do a lot to fight cryptography:
1: Use a modified version of NAC, requiring all Internet connected devices to have a hardware DRM stack, and routers having to have a locked down chipset to enforce this. This is already here in some respects -- the FCC demanded all radio firmware be locked down and resistant from user modifications. From there, approved applications can be required, and people's PCs can be scanned, with the results of having something like PGP resulting in arrest.
2: Take
Re: (Score:2)
I like how you somehow ignore the fact that the Congressional study was started after the NRA coup in 1977 where the gun manufacturers overthrew the hunters in charge of the NRA and became a gun manufacturer lobbying firm.
Actually, it was a grass-roots uprising (by people such as myself and my wife) against the elitists who wanted the NRA to be about supporting just gun sports for the rich and stay out of protecting the gun owners' rights to actually HAVE and USE guns for things like self-defense, hunting,
Re: (Score:2)
Just to add to this, the membership coup in the NRA was prompted by the 1968 Gun Control Act when the membership realized that the government was going to whittle down gun rights to nothing if they were not opposed and the ACLU had no interest in defending all civil rights. The ACLU likes to say that they do not defend the 2nd Amendment because the NRA already handles it but they never did (for a sinister reason) even when the NRA did not. Before the coup, the NRA was generally for gun control except if
Arms and Armies (Score:5, Interesting)
Fascinating. What did the study say about the utter uselessness of the militia (as demonstrated by the burning of the Capitol in 1814), the intentions of the Founders not to have a military in peacetime, and the current lack of any organized militia, that being necessary to the security of a free state? Do you imagine that any part of warfare has changed since 1789? Do you feel that muskets and automatic machine guns should be treated identically by legislation? How are we doing on the citizen-farmer thing that the Founders were also in favor of? Is it possible that the conditions under which the 2nd Amendment were drafted have little or nothing to do with the society that has resulted?
I believe that it is only consistent, that if one wishes to argue the Founders' perspective on the second amendment, that if they argue in favor of an individual right to bear arms, they must also argue against the United States maintaining a standing army in peacetime. Furthermore, the Founders would probably not have considered our police forces as anything other than a standing army targeted against the People; certainly no such thing existed during their lifetimes. I am sure your mental gyrations will be fascinating to watch.
Re: (Score:1)
As you note, the issues of bearing arms and forming a standing militia have wrongly been separated. But obeying the purpose of the second amendment raises some issues: What authority does the US government have to order citizens to repel invading forces, to fight overseas, to fight for allies such as South Korea and the Philippines, to illegally invade a country such as Iraq? Then there's the issue of generals and intelligence officers: One doesn't get those skills by monthly drills and an annual tri-st
Re: (Score:3)
There is no prohibition of a standing army in the second amendment, and the Federalist papers do note that explicitly. However, there is no positive mention of the concept of standing armies either in the Federalist papers nor any other writings of the Founders, they were universally opposed to them as an inherent threat to liberty. The authors of the Federalist papers considered that they had adequately prepared against such things without needing to put in an explicit proscription. And the various abuses
Re: (Score:2)
I believe that it is only consistent, that if one wishes to argue the Founders' perspective on the second amendment, that if they argue in favor of an individual right to bear arms, they must also argue against the United States maintaining a standing army in peacetime.
Oddly, you say that in an incredulous manner, but surprise! We should NOT be maintaining a standing army in peacetime.
Furthermore, the Founders would probably not have considered our police forces as anything other than a standing army targeted against the People; certainly no such thing existed during their lifetimes.
I am unsure wtf you are on about with the police forces. Policemen have been a fixture of society since prehistoric times. You gotta stop smoking that wacky tobaccy if you wish to be coherent. To be fair, the current state of police forces is more like an occupying army... but your discussion concerning police is still incoherent. Perhaps you should have saved that little gem for another top
Re: (Score:2)
I did skip a sentence there, as you say the point was not entirely coherent, but it wasn't worth the trouble to post a correction. The first police forces in the US were created during the mid-19th Century. Prior to that, there were such things as beadles and tipstaves, night watchmen, and other private security forces, but they did not have guns, because muskets and long rifles are not particularly effective at that task. The first "bobbies" were armed with clubs and wooden noisemakers, which they later tr
"Rights to bear arm" (Score:2)
One example of this is the Second Amendment. Congress commissioned a study on whether the framers intended it to protect an individual right of members of the civilian population to arm themselves as they see fit. The study went deep and came to a resounding conclusion that this was exactly the point. This was reported in 1982.
Then Congress and the executive branch completely ignored the study and continued legislating and enforcing ever more gun restrictions - to this day, nearly 35 years later. Most of the federal level legal changes that favor those who want to buy guns and use them for self defence have come from the Supreme Court, which came to the same conclusion by their own procedures.
Well, it's kind of telling when you live in a country where "constantly carrying lethal force, and being ready to use it to kill any random schmuck" seems a normal rational decision.
To us in more peaceful countries, you sound like someone asking to introduce a new amendment in your constitution to make it legal for everyone to drive a tank around just to be able to defend themselves against any potential threat - like an invader or a terrorist ramming the crowd with a truck.
And don't start about "being a
Re: (Score:2)
While most people start thinking, "oh what a breath of fresh air, the government getting it right for once," I worry, "have aliens infiltrated our government? Because it seems like they are listening to experts and making logical conclusions." ;)
I must admit my basic assumptions about Congress were rattled a bit...
but then I remembered that this is a very small subset of the legislative body overall.
So, somehow they got the right people looking and listening to the actual experts...
even lotto tickets hit sometimes...
now back to business as usual.
Re: (Score:2)
While most people start thinking, "oh what a breath of fresh air, the government getting it right for once"
Interesting, because that's not what I was thinking at all. I was thinking "What astonishing hubris implicit in this debate that they assume they have the authority to access data that has been explicitly access controlled by encryption." Apparently just because they are in government or law enforcement they assume they have this authority, when they actually do not. The only persons who can grant this access are the encryption key holders. So, no, I don't think they got it right by any means.
Re: (Score:3)
Nope. They no doubt spent millions of dollars on a study to tell them what they could have learned for free by asking any software engineer who has ever spent even a single week in his/her entire life implementing any sort of cryptographic software. This is why our g
Re: (Score:2)
The alternative would seem to be to find people who appear to be experts, and just trust them. That can backfire. For matters of policy, it's very useful to have determined who the actual experts are and what the basic situation is like.
A backdoor would be in the wild in a week (Score:5, Insightful)
Re: (Score:2)
Oh, have they been sending you the memos saying what's secret and what's been leaked, or are you just talking out of your ass.
Re: (Score:2)
We're extrapolating based on the fact that it seems increasingly difficult to keep secrets these days, even the NSA, who have admitted that Snowden's leaks have been very "damaging" to them. What about the Italian hacking firm "Hacking Team" which was itself hacked, and all its secrets laid bare? I'll bet some of the Democratic National Committee's leaked internal e-mails even talked about such security concerns. And then there's good ole Yahoo, with about a billion leaked e-mail credentials at last coun
Re: (Score:2)
100% agreed. You *CANNOT* keep secrets. Consider...
* Aldrich Ames https://en.wikipedia.org/wiki/... [wikipedia.org]
* Jonathan Pollard https://en.wikipedia.org/wiki/... [wikipedia.org]
* Edward Snowden https://en.wikipedia.org/wiki/... [wikipedia.org]
sanity? (Score:2)
It almost sounds like they listened to reason for once? Hearing the expert testimony of many experts in the field, enduring the BS babble of the FBI, and came to a logical conclusion?
Now I'm worried that the bodysnatchers have gotten into congress...
Re: (Score:3)
Yea, there's a lot of very good research done in Washington. Look at some of the work generated by the CBO. Much of it is logical, reasonable and will never be implemented because logic and reason have no place in US politics.
Re:sanity? (Score:4, Informative)
It isn't just U.S. politics, it is politics the world over. Actually, come to it, it is the human condition.
Re: (Score:2)
Who would buy a US crypto or networking product with the NSA, GCHQ, Australia, Canada, NZ, the FBI, city, state police, their workers, ex staff and former staff having the once secret NSA only keys?
Then any US ex staff and former gov/mil staff could sell access or give access to... their faith, cult, the media, other nations, competing corporations, any monarchy or theocracy who can pay for information on dissidents or people suspected of blasphemous acts?
The other cost
Trump to say WRONG! in 4...3...2... (Score:3, Funny)
Because to hell with the experts, he knows more than the experts. SAD!
Re:Trump to say WRONG! in 4...3...2... (Score:5, Informative)
Well....all the experts did say he'd never get nominated. Then they said he'd never get elected. Experts are often wrong.
Re: (Score:1)
Experts are often wrong.
That's what happens when they don't study animal psychology. They expect people to be logical and reasonable when nothing could be further from the truth. They would learn more by observing chimpanzees and hippos. Or they can do the math [wikipedia.org]...
Re: (Score:2)
There are no experts when it comes to predicting an election, just pundits.
But But But! (Score:2)
This was argued long before (Score:2)
The NSA has argued for a very long time that good encryption is overall better for national security. If there had been
Re: (Score:2)
The NSA has argued for a very long time that good encryption is overall better for national security.
That is certainly their public position but it is undermined by their known activities in subverting encryption including subverting IPSEC. I believe their real position is that they want everybody to rely on flawed encryption without believing it is flawed.
Common sense in Washington? HOLY SHIT! (Score:2)
To say that I'm stunned is pure understatement!
Re: (Score:2)
Well, it was just a working group. We have no idea whether what they concluded will have any effect on Congress as a whole.
Additionally, they seem to want the companies themselves to have keys... At least that's how I read the bit about law enforcement working to maintain good relationships with tech companies.
So I'm going to hold off on rejoicing, for the time being.
Re: (Score:2)
I know. But even THIS level of common sense is just jaw-dropping.
I'm just afraid I've been dropped onto Bizarro World or into the Mirror Universe or something...
Backdoors? No... (Score:1)
What will happen instead is that only state licensed encryption will pass through your ISP's mandatory deep packet inspection (goodbye TOR, Freenet, and VPN). All other types will be dropped and reported to the proper authorities.
Re: (Score:2)
Steganography. You can't examine every cat video.
Re: (Score:1)
When it's automated you most certainly can, and they will...
Re: (Score:2)
What's the difference between a cat video with a concealed message using unapproved cryptography and one with random noise added if they all have one or the other?
Actually, government should... (Score:2)
...fuck off, and rediscover traditional investigative techniques, instead of relying on the fascist relationships it has with corporations to get the easy access to illegal surveillance it's been reliant on for too long.
We have reached a decision ... (Score:2)
... Hobbits are not Orcs.
(apologies to all the Ents out there. You are not as slow as congress.)
What?! (Score:2)
Well (Score:2)
Actually seems like the right answer (Score:2)
This seems to be the right answer. My theory is that their ignorance has clouded their poor judgement.
Wow. (Score:3)
I guess I got my Christmas wish granted. A government finding about "computer stuff" that not only makes sense, it even seems they finally got it.
They ... they might really have understood the problem. I still cannot believe it, it really sounds like they not only went by some hunch or an "expert" recommendation without buying into it, it really seems they finally, FINALLY understood the underlying problem.
I ... I'm kinda scared, government understanding computers, what comes next? If we're not careful, they might even stop wasting taxpayer money. And what kind of government would that be? And more important, what could we ridicule about them and what should we then complain about? Did anyone think about that? What should we feel superior about anymore if the government starts to understand computer problems?
Won't somebody PLEASE think of us professional smug know-it-alls?
Congress switched to bottled water (Score:2)