Justice Department Revives Push To Mandate a Way To Unlock Phones (nytimes.com) 171
"FBI and Justice Department officials have been quietly meeting with security researchers who have been working on approaches to provide such 'extraordinary access' to encrypted devices," reports The New York Times (alternative source), citing people familiar with the matter. Justice Department officials believe that these "mechanisms allowing access to the data" exist without weakening the devices' security against hacking. Slashdot reader schwit1 shares the report: Against that backdrop, law enforcement officials have revived talks inside the executive branch over whether to ask Congress to enact legislation mandating the access mechanisms. The Trump White House circulated a memo last month among security and economic agencies outlining ways to think about solving the problem, officials said. The FBI has been agitating for versions of such a mandate since 2010, complaining that the spreading use of encryption is eroding investigators' ability to carry out wiretap orders and search warrants -- a problem it calls "going dark." The issue repeatedly flared without resolution under the Obama administration, peaking in 2016, when the government tried to force Apple to help it break into the iPhone of one of the attackers in the terrorist assault in San Bernardino, Calif. The debate receded when the Trump administration took office, but in recent months top officials like Rod J. Rosenstein, the deputy attorney general, and Christopher A. Wray, the FBI director, have begun talking publicly about the "going dark" problem. The National Security Council and the Justice Department declined to comment about the internal deliberations. The people familiar with the talks spoke on the condition of anonymity, cautioning that they were at a preliminary stage and that no request for legislation was imminent. But the renewed push is certain to be met with resistance.
Impossible (Score:5, Insightful)
This is basically impossible without banning general-purpose computing devices entirely. Even if phones have a backdoor, what's to stop someone from loading a Linux variant designed outside the US onto a laptop and using it for secure communications?
Entirely banning "unhackable" communication would require a walled garden that looks more like Alcatraz for every single compute device sold in the world.
Re:Impossible (Score:4, Informative)
Electronic Frontier Foundation laughed. 'There's no use trying,' she said. 'One can't believe impossible things.'
I daresay you haven't had much practice,' said the Justice Department. 'When I was your age, I always did it for half-an-hour a day. Why, sometimes I've believed as many as six impossible things before breakfast.”
Quite possible ... (Score:5, Informative)
Re: (Score:2)
Re: (Score:3)
What if you're running an OS where Apple/M$/Google/etc is not privy to your LUKS passphrase? Will this ban any OS that doesn't require a "cloud" login?
What I referred to is not a cloud login. Its a one-time archiving of your "passcode" when it is initially set or changed. Day-to-day passcode use would remain offline.
Is this a problem for open source, yes, but that is something separate from technical feasibility. Is this a problem for Linux users, possibly not for many. Red Hat, Canonical, etc could archive things just like Apple, Google, Microsoft, etc.
Again, none of this is desirable. I'm just arguing against the notion of "impossible". If you don
Re: (Score:2)
Sure, but Linux is open-source. What's to stop someone from writing, downloading, and/or installing an "unapproved" distro that doesn't archive passcodes? Or just disabling whatever is responsible for archiving the passcodes. Not all Linux variants are released by companies subject to US jurisdiction.
Unless they're willing to dictate that all hardware sold in the US (or worldwide!) has to be designed to only to run approved OS's.
Re: (Score:2)
Would the government care if there is a black market for hardware not implementing some sort of "secure boot", doubtful. Few criminals will have them and mere possession of them can itself be a criminal offense by which they can take you off the streets.
Again, not a desirab
Re: (Score:2)
Re: (Score:2)
For external testing kernel developers could register with Red Hat, Canonical, etc and submits their binaries for signing. The signing process could limit the key's use to the developer's and external tester's registered hardware. This sort of stuff already exists, Apple's Ad Hoc distribution for iOS works in this fashion. Apple signs the developer's binary via a web based process and now the developer and their exter
Re: (Score:2)
Re: (Score:3)
Unless the hardware with the VM running on it has a logger built in, what's to stop people from just running an encrypted VM?
Nothing. Just like there is nothing to prevent you from encrypting your data independently of OS supplied and automatic disk encryption/decryption, independently of your cloud storage provider's automatic encryption. So yes, you can still beat the feds, but that's a different argument than "its impossible" or "it will kill open source", a better argument to pursue.
Re: (Score:3)
They lost then and they will lose this fight also because the rest of the world know how to do maths and can't really prevent Americans getting access to the results.
This explains the stupidity [wikipedia.org] pretty well.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The latter is de facto the former.
Not really. You confuse cryptographic strength with decryption key management. Two different things.
Re: (Score:2)
Re: (Score:2)
In the real world, a weak key is identical to an easily stolen key. They are the same, even if they are technically different.
Not really. With a weak key the encryption may be defeated by anyone with sufficient computational power. That is something quite different than a stolen key, the computational power being much more attainable.
Re: (Score:2)
Both are unacceptable and the internet will route around such requirements.
Re: (Score:2)
And a stolen key can be passed around just as easily as a broken weak key. Both are unacceptable and the internet will route around such requirements.
A stolen key can be easily invalidated and replaced. Quite different than a weak key.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
We're talking about an escrowed key service installed by a manufacturer as a backdoor, keep up. How would you know it was compromised?
Actually that is precisely NOT what we are talking about. Read start of thread, it specifically says this does not require a backdoor, merely one-time archiving of your "passcode" when it is initially set or changed. Manufacturer backdoor is a long debunked assumption.
Re: (Score:2)
So, We will end up with a block market selling older permanently lockable phones to those who do NOT wish to share their secrets with the FBI, KGB. NSA, local law enforcement and the weird kid down the street? Here's your chance to make a killing folks. Get in early. Business Plan? When a decsion is needed, just ask yourself -- "What would Uber Do?"
Re: (Score:2)
And if Apple/Google/Microsoft/etc don't have your passcode? There's lots of high quality encryption out there, freely available, for which the keys never leave your control.
Re:Quite possible ... (Score:4, Informative)
When you can offer any store clerk $20 you can easily find one (out of millions) who'll take it. The price goes way up when only a handful of people have access; but you know this to be true, so you approach them with a number with at least a couple of commas in it.
Think about it, we're talking the kind of person who willingly took a job policing encryption keys "to help bad guys get caught". Who here actually believes they wouldn't take 20 years salary to out someone accused of $random_bad_thing by a government official with an axe to grind and a $1mil check?
And the kicker is that person could be their ex, the guy who cut them off on the freeway that morning, or their daughter's new boyfriend; and $random_bad_thing could be completely fabricated.
But yes, the archives would be protected and access would be limited and audited. Surely someone making $50k/yr would never take 20 years salary in exchange for breaking the rules; after all, it takes so much longer than 20 years to find a new job.
Re: (Score:3)
These are politicians and career civil servants. They do not have any understanding of the concept of a "fact". There is also the little problem that as soon as a backdoor is implemented, nobody sane will store anything of value on phones anymore. But that is even worse than a "fact", it is a "deduction". The morons making laws do not even know that can be done.
In Future /. Article (Score:2)
"Today, Nancy Pelosi and Chuck Schumer have co-sponsored and introduced the Anal Probe Equality Act (APE Act). Pelosi was quoted as saying about the importance of the bill's passage; "With the passage of this APE Act, no more will some American be discriminated against by Right-Wing UFOs anal-probing only a privileged few!"
Strat
Re: (Score:2)
Re: (Score:2)
Wrong. It's the Trump Administration now requesting a back door into all our devices. Why are you trying to divert blame elsewhere?
BOTH Parties have been pushing this.
The one area where there is bipartisan agreement is that people have too much money, liberty, and privacy.
I simply expect the Democrats to jump in with both feet to beat the Republicans to the punch.
Strat
They want this (Score:3)
Re: (Score:2)
So how do we fix it? How do we get a government that respects its citizens' privacy?
Re: (Score:3)
Campaign finance reform, replace First-Past-the-Post (e.g. with Instant Run-off), draw districts mathematically (e.g. with the shortest split-line method), and make all primaries in every state open to any registered voter.
Right now we have a system where the incumbency rate is at (or near) an all time high while the approval of Congress is at (or near) an all time low, so why should they give a shit what citizens think?
Re: (Score:2)
I dislike open primaries, because it encourages spoilers. If there's, say, two strong Democrats in a primary (who I'll arbitrarily call Fraser and Short), and one Republican who is pretty well going to win (call him Durenburger), there's a strong incentive for Republicans to vote for the weaker Democrat in the Democratic primary. I don't actually know if Short won because of Republicans, but there was something of a push for them to do so.
Proportional representation is also a possibility. By my readin
Re: (Score:2)
You have to get ahead of your government.
Or... more likely a few heads.
Re: (Score:3, Insightful)
I donÃ(TM)t know the answer to how we fix it, but I do know that the attack on the second amendment makes taking the rest of our rights away easier for them.
Not really. When have 2nd amendment proponents ever done anything to protect people's privacy rights? I don't see them protesting data collection or the right to free thought, and certainly not using their weapons against any oppressor.
If anything, it appears to be the 2nd amendment riders who want panopticon state, with suppression of views and freedoms they don't like. Show me a gun liberty group that will pick up their weapons and stand up for rights of people like homosexuals, atheists or ethnic mino
Re: They want this (Score:5, Informative)
When have 2nd amendment proponents ever done anything to protect people's privacy rights? I don't see them protesting data collection
Actually, gun rights proponents are almost certainly the most successful lobbyists against data collection in modern America, which, depending on your views, may not be a good thing.
Mind you, it’s their own privacy that they’re interested in protecting, but they’ve lobbied Congress so we’ll that it’s currently illegal for the US government to create or maintain databases of gun owners, historical gun purchases, or even the guns themselves, despite massive efforts by people on the other side of those debates to collect exactly that information. And even the paltry records that do exist (i.e. records from private gun stores that went out of business), are not allowed to be computerized. If you’d like more information, it’s easy to come by because the ways that the ATF has been hamstrung by the NRA get re-reported every time there’s another major shooting. And it’s not just at the national level either. Gun enthusiasts are quite active in protesting locally as well.
https://www.bloomberg.com/news... [bloomberg.com] (paywalled)
https://www.informationweek.co... [informationweek.com]
http://www.heraldtribune.com/n... [heraldtribune.com]
https://www.usatoday.com/story... [usatoday.com]
I do agree with the overarching point you were trying to get at, but that particular argument you used to make your point was an extraordinarily poor choice.
Re: (Score:3)
Not really. When have 2nd amendment proponents ever done anything to protect people's privacy rights? I don't see them protesting data collection or the right to free thought,
I see it constantly, often literally in the same sentence (let alone paragraph, rant, or screed) as defense of the second amendment. Of course, they're usually misguided enough to believe that only democrats want to get their personal data and persecute them (for being rednecks) when in reality the republicans are also happy enough to get their personal data and persecute them (simply for being exploitable) but the point still stands.
Show me a gun liberty group that will pick up their weapons and stand up for rights of people like homosexuals, atheists or ethnic minorities...
Well, there was the Black Panthers... But the truth is that those gun libe
Re: (Score:2)
Re: (Score:2)
Some yes, but making this sweeping generalization is nuts. Have you actually talked to any pro-self defense people? The vast majority I know are against all forms of government surveillance and data collection.
Surveillance and data collection against them. Other people, collect away.
>90% of the ones I'm aware of have no problem with surveillance and data collection against, say, gun control advocates.
Re: (Score:2)
they just know that if the government doesn't know who has guns then the government will have a hard time confiscating them
Because a tyrannical government wouldn't be able to get the NRA membership list or donor list.
Re: They want this (Score:4, Informative)
The Black Panthers were supporters of the 2nd Amendment and utilized that right to protect their communities from police oppression. They would fill one or more cars with visibly armed members and then follow Police Patrol vehicles around town. They'd get out of the car and stand around at a safe distance whenever the Police had an interaction with a member of the community. The Police were still perfectly able to engage in performing their job duties, but didn't dare try abusing their position with the Black Panthers keeping a close eye on them. From my understanding this action by the Black Panthers was actually what precipitated a lot of the anti open carry and 2nd Amendment efforts by various localities, in our modern era.
Re: (Score:2)
In the history of the United States, guns in civilian hands have been used much more often to take away or suppress people's liberty than to preserve it.
Nobody knows whether that's true, because every gun interaction has never been reported.
The whole "Second Amendment keeps us free" myth is a complete crock of shit. The Second Amendment is a tool for tyrants - always has been.
The tyrants run the cops, and the cops don't need the second amendment to be armed.
Re: (Score:2)
In fact, you'd be hard pressed to find examples of times civilian citizens of the United States used their own guns to gain or ensure liberty for anyone.
Only if you don't believe civilian gun ownership has a chilling effect on fascism. But that's unmeasurable, except historically; when a people disarms, fascism against them tends to increase.
Re: (Score:2)
I don't believe civilian gun ownership has a chilling effect on fascism. I'm going to need to see evidence to change my mind. Most other developed countries have tighter gun regulations than the US, and they typically aren't sliding into fascism.
Re: (Score:2)
But that's unmeasurable, except historically; when a people disarms, fascism against them tends to increase.
Japan? Australia?
Australia was already locked down pretty tight legally, but they continue to be subjected to the usual stream of additional new regulations. Same for Japan, which oh by the way has probably the highest suicide rate in the developed world. (It's hard to tell, because they are deliberately underreporting.) In the UK they've built themselves a fine surveillance society, which is something else we don't want to emulate.
Re: (Score:2)
OK, now we're getting somewhere. If we say that surveillance state = fascism, then how exact
Re: (Score:2)
You can say it, but it simply is not true. Fascism (and Socialism) need surveillance to survive, but other governing regimes can benefit from it too — just as they all benefit from roads and electricity.
When the assumption is bullshit, the conclusions are inevitably tainted...
Yep. Just as I said. Bullshit.
Re: (Score:2)
When have 2nd amendment proponents ever done anything to protect people's privacy rights? I don't see them protesting data collection or the right to free thought, and certainly not using their weapons against any oppressor.
What about resisting various forms of gun registration?
Re: (Score:2)
Re: (Score:2)
Seems to me that the Second Amendment is the One True Amendment To Rule Them All, while they shit all over the rest every chance they get.
Re: (Score:2)
The problem is that the two party system has limited your choices already to those who are vetted by the elites. You dare not vote for a third party due to the spoiler effect.
Replacing First-Past-the-Post is the only way that your strategy works.
Re: (Score:2)
In every place in the US I know about, the candidate with the highest vote total gets elected. This actually doesn't apply to the Electoral College, since if no candidate gets a majority vote there the House of Representatives elects the President. I've seen lots of people elected without majorities.
Re: (Score:2)
The enemies of freedom have a really high level of persistence, so yes.
Why I buy Chinese import phones in the EU. (Score:1)
They do not givr a crap about EU rules. Yes they are probably bugged by China, but China does not give a crap about me either.
Let the Chinese and EU/US spies beat the crap out of each other If I can support them ruining each other, then as long as it happens without affecting me much, I'm all for it. They're all bastards, no matter the country.
And yes: If I had to move to China, I would probably buy a US/EU phone :)
Re: (Score:2)
They do not givr a crap about EU rules. Yes they are probably bugged by China, but China does not give a crap about me either.
That makes China slightly better - the government where you are tend to give a bigger crap, and not just about you but sometimes directly on you. China may at most be amused at what you do, but your local government can actually use that data against you or those you network with.
Re: (Score:2)
I'm actually hoping that Iran at some point in time starts assembling phones, I'd get one immediately.
No problem (Score:2)
This should be easy- just find a way to invalidate the basic laws of physics and mathematics, and voilà, you got it!
Talk to some mathematicians (Score:2)
Current crypto isn't good enough. No amount of talking to consumer tech / engineers / "security researchers" will make it work.
Like moving from symmetric key to asymmetric key, a whole new way of doing crypto mathematics will be needed to solve this. So get some mathematicians on super-magic-only-good-guys-can-spy algorithms.
Re: (Score:2)
The mathematicians already know that this is impossible. Remember that in Math, unlike Science, it is actually possible to disprove the negative. "New math" cannot destroy "old math" (provided the old math is proven).
The concepts of Perfect Secrecy and Information-Theoretic Security have been PROVEN. No matter what you do, introduction of a "master key" or similar idea will always make the scheme insecure.
It's like you're telling mathematicians to find a number which can be expressed as 2 different products
Re: (Score:2)
... and when they talk to the mathematicians, perhaps they'll give them the answer you gave ;)
Re: (Score:2)
Fair enough. :D
Re: (Score:2)
Re: (Score:2)
Information theoretic security is based on the idea of OTP/perfect secrecy, but they are not the same. I never said they were.
E.g. RSA is thought to be ITS, but it is definitely not a OTP.
Re: (Score:2)
Re: (Score:2)
To look at it another way, decryption is in NP. It has to be efficient (P) to decrypt given the key. Therefore, the hardest any crypto algorithm can be (except something like the one-time pad) is NP-complete. We don't know that large NP-complete problems are impractical to solve, although it sure looks that way, and I don't know of any crypto that's been proven NP-complete.
If you could prove that, say, AES-256 can't be solved without something more or less equivalent to trying all the keys, that woul
Re: (Score:2)
Re: (Score:2)
Sorry, I meant "Unconditionally Secure", not ITS. Again, RSA is only thought to be, not proven to be.
Re: (Score:2)
Just ask Facebook for the information (Score:2)
Re: (Score:2)
Re: (Score:2)
I think they do not have what it takes to understand. "We are the federal Government! We _define_ reality!" They pretty much belong into the loony-bin for the rest of their lives, because they are dangerously insane.
Re: (Score:2)
global risk (Score:2)
Re: (Score:2)
Re: (Score:3)
And those keys held in escrow will somehow magically be immune to loss by theft or coercion.
Look (Score:3)
There is no stopping it. Either side.
LE is going to keep pushing for it until they get it, Team FuckYou is going to keep writing workarounds to thwart it and the folks you want to catch with your new backdoor are simply going to cease using the compromised products altogether and find something else.
Kind of makes me wonder the real reasons for banning Huawei phones from the US markets. National Security or the fact they won't play ball with the DOJ. . .
Re: (Score:2)
Both. At least from the perspective of the DOJ.
Re: (Score:2)
It's more a legal issue. The government can listen in on telecommunications, because a law called CALEA says telecommunications systems must be designed so the government can. It would be technologically easy to make systems that couldn't be tapped, but illegal.
NAS picked some shining lights for this (Score:4, Insightful)
”They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.”
I can’t speak to Professor Savage’s expertise; but just having these particular guys from Intel and Microsoft involved should scare the crap out of you.
BFFs Forever and Ever! (Score:2)
If our government can enter a backdoor for plain old crimes, Russia and China can for reasons why we have a 4th Amendment -- spying on and hassling all who challenge their power.
These are not things that disappeared 240 years ago. They are chronic problems that will exist forever, and if technology can perma-block bad governments, we should adopt it, not lament it.
Each notch in the belt of an FBI agent or local police officer represents over 2.5 billion worldwide who live, and don't have to imagine "If you
Privacy (Score:2)
A Golden Age of Surveillance. (Score:3)
Out personal information is widely available to multiple groups. The government has easy access to an almost endless amount of information about us. There is:
The 3rd party doctrine roughly states that we can only assert a privacy right over information we directly control. If the information is shared with a 3rd party, they we don't control it, and we can't assert a privacy right over it. As the 3rd party doctrine has expanded, we have lost privacy over any shared information.
Now, law enforcement wishes to move beyond the limits of the 3rd party doctrine. They advance the legal theory that we should not be allowed to control our own information/privacy AT ALL. They believe that the desires of law enforcement should always outvote an individual's desire for freedom, privacy or liberty. That we should never be allowed to be secret, private or alone.
The proposals for "Responsible Encryption" are a simple end-run around the 1st, 4th and 5th amendments to the US constitution. Instead of debating this crap, we should be demanding stronger privacy protections. We need to restrict the 3rd party doctrine. We need to penalize any lawyer or judge who participates in granting "General" warrants. We need to restrain the Intelligence community from conducting mass surveillance on the US public.
Going Dark... (Score:2)
We should also put listening devices in everybody's homes, just in case they are talking about a crime where the FBI cannot listen. (and no, I'm not talking Alexa, but who knows...)
In case they are somewhere that electricity isn't, such as camping, we should have a government agent accompany everyone so that we can hear what they are talking about.
Newspeak bullshit (Score:2)
Justice Department officials believe that these "mechanisms allowing access to the data" exist without weakening the devices' security against hacking.
Utter fucking bullshit. Because "Allowing access" is the bloody fucking definition of "weakening security". oh oh, but they claim "Against hacking". What they're trotting out is a system called "Symphony". It stores a copy of the keys. You want to send a secure message, you have to let symphony be able to read it. And everyone promises that these keys will only ever be read by police with a warrant. The vital question is "What if the symphony database gets hacked?" A whole hell of a lot of trading
Re: (Score:2)
Re: In other news (Score:2)
Trump: My surveillance state is going to be YUUUUUUUGE!
Democrats: No way. You're just taking credit for the surveillance state that Obama built.
Re: (Score:2)
You misunderstand the purpose of the law and the constitution: It is only to be used against citizens, it does of course not constrain the holy^H^H^H^H legal authorities, because they cannot do any wrong by definition.
Re: (Score:2)
So the US is becoming China-lite now? How soon before we get our own Great Firewall, too?
Oh, I'm sure that isn't far off. The stable genius just has to figure out which country he is going to get to pay for it.
But we're really not that far behind as it is. The data collection that's done on citizens, residents and foreigners in the US is probably not much smaller than what's done in China. Companies like Google and Facebook make it much easier to correlate all the data.
Re: (Score:2)
"Companies like Google and Facebook make it much easier to correlate all the data."
The irony being that almost all that data is actually quite useless. Sooner or later -- maybe next week, maybe a decade from now, folks will figure that out and there will be a massive market reevaluation.
Talk about emperor's new clothes...
Re: Holy police state, Batman! (Score:3)
So the US is becoming China-lite now?
Why compare them with China? Why not the UK? After all, UK courts have ruled that prisoners can be forced to hand over encryption keys, and can be held in custody indefinitely until they comply.
Where was your snarky comment when that was going on, BTW?
Re: (Score:2)
Why compare them with China? Why not the UK? After all, UK courts have ruled that prisoners can be forced to hand over encryption keys, and can be held in custody indefinitely until they comply.
That is not the same thing at all.
Additionally, your scenario can already happen in the US, if there is enough evidence for the police to get a warrant.
Re: (Score:2)
"Lite" now, and when China has had "great success in restoring morality" with their fascistic (yes, it actually matches here , look up the definition of fascism) "social score" system, then the US administration will implement that too. As the US population is deeply in coma and notices nothing, this is pretty much assured to happen.
Re: (Score:2)
It's my understanding (correct me if I'm wrong) that use of encryption is specifically banned on ham radio bands.
Your "solution" to the problem of obtaining strong encryption iis to use a medium that already band use of encryption entirely?
Re: (Score:2)
Hey, when disaster strikes you may again operate your radio to coordinate the effort to establish allowed communication.
Then it's time for you to shut up again.
Re: (Score:2)
... and running into Eighth Amendment issues...
Re: (Score:2)
They seem to be a non-issue, just look to the recent past for examples. They just have to make sure not to waterboard you on US soil and maybe remove your citizenship before.
Re: (Score:2)
Not quite [wikipedia.org]. The first sentence:
Information-theoretic security is a cryptosystem whose security derives purely from information theory. In other words, it cannot be broken even if the adversary had unlimited computing power. The adversary simply does not have enough information to break the encryption and so the cryptosystems are considered cryptanalytically-unbreakable.
Re: (Score:2)
Sadly it's not a war on freedom. If it was, and was about as successful as the other "wars on..." (terrorism, drugs, etc), I wouldn't worry so much.
Re: (Score:2)
The problem is that you won't get your easy way to track terrorists. Terrorists aren't dumb. This is like upping the police presence at some drug hub. What happens? Does the drug trade stop? No. The dealers just move somewhere else and a week later we're back at square one. Just with more police standing around uselessly and wasting taxpayer money.
This is exactly the same. If there was at least some effect, I'd even be game to try it. But all this accomplishes is a huge waste of taxpayer money and at least