Encryption United States Technology

AG Barr Says Consumers Should Accept Security Risks of Encryption Backdoors (techcrunch.com) 582

U.S. attorney general William Barr has said consumers should accept the risks that encryption backdoors pose to their personal cybersecurity to ensure law enforcement can access encrypted communications. From a report: In remarks, Barr said the "significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society." He suggested that the "residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. [...] Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety." The risk, he said, was acceptable because "we are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications," and "not talking about protecting the nation's nuclear launch codes."
  • Should? (Score:5, Insightful)

    by nospam007 ( 722110 ) * on Tuesday July 23, 2019 @09:03AM (#58971766)

    Maybe, but we won't.

    • Re:Should? (Score:5, Interesting)

      by Z00L00K ( 682162 ) on Tuesday July 23, 2019 @09:07AM (#58971782) Homepage Journal

      There's a quite considerable danger if we accept the risk of backdoors. Any compromised individual also is a risk for an organization.

      The day when a prominent leader gets to suffer from a backdoor is when the wind really will change.

      • Re:Should? (Score:5, Funny)

        by tripleevenfall ( 1990004 ) on Tuesday July 23, 2019 @09:08AM (#58971804)

        The wind coming out of those backdoors can definitely be a fearful thing.

      • Re:Should? (Score:5, Insightful)

        by Kiaser Zohsay ( 20134 ) on Tuesday July 23, 2019 @09:27AM (#58971950)

        The day when a prominent leader gets to suffer from a backdoor is when the wind really will change.

        The thing is that prominent leaders, military, law enforcement, and government in general will get to use uncrippled strong cryptography because of national security and whatnot. They can't have the enemy reading their communications.

      • Re:Should? (Score:5, Insightful)

        by anegg ( 1390659 ) on Tuesday July 23, 2019 @10:39AM (#58972484)

        Barr's risk assessment contains an implicit assumption that the value of the consumer's data is practically nil, as opposed to the government's extremely valuable data that needs to be protected with no backdoors, etc. Unfortunately, that is about the best we can expect from a government agent. The idea that the data of a citizen is valuable is apparently ludicrous. This is a stunning exposure of his attitude about the rights of citizens. I'm not so happy that this is one of the chief people charged with maintaining the 4th amendment of the US Constitution https://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution [wikipedia.org]. After all, if there is little of value to protect, it is fairly easy to minimize violations of that protection.

      • by raymorris ( 2726007 ) on Tuesday July 23, 2019 @11:56AM (#58973154) Journal

        first significant asset that I owned was my first car.
        A 1979 Toyota Corolla station wagon, which I purchased for $500. I did not hire a team of armed guards to protect it, because the cost of the security would be too high relative to its value. It is correct to consider the costs.

        Barr said:
        "The significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society."

        Yes, it should be assessed. Losing the capability to do proper, lawful intercepts and search warrants based on probable cause has a real cost to society.

        Barr continued:

        "residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product."

        Yes, a "lawful access mechanism" would indeed increase the risk of vulnerability - greatly.

        Where he's wrong is the judgement call between the two. Sorry, security is more important than search warrants. Also, there is an issue of freedom - my freedom to choose to use end-to-end encryption. Because this is supposed to be a nation of the people, for the people, by the people, and the federal government is, in the end, goons with guns threatening violence if I don't comply, government should force things on us only when absolutely necessary. "It's a good idea" is not a sufficient reason for government to force something on you, with the threat of violence if you refuse.

    • Absolutely not. I won't accept other individuals or companies deciding this for me.

    • Re:Should? (Score:5, Interesting)

      by mysidia ( 191772 ) on Tuesday July 23, 2019 @09:42AM (#58972070)

      Maybe we should, and maybe we should not. But this decision -- Is like deciding to abridge free speech,
      for example: "Accept a government backdoor to censor any news article; to ensure government officials can
      prevent a mass panic some story could cause, or protect national security."

      Decisions should at least be made by the public whose rights you intend to infringe at the marketplace, and not be
      argued by officials in authority such as justice department and law enforcement themselves who have an inherent
      vested self-interest in their own power and convenience.

      • But this decision -- Is like deciding to abridge free speech,

        More specifically, this is an attempt to criminalize whispering:

        "There must be no secrets!!!

      • by rsilvergun ( 571051 ) on Tuesday July 23, 2019 @10:22AM (#58972344)
        Of course we shouldn't. My God, the fact that we're even entertaining the discussion shows that the other side is winning. They're controlling the debate while we sit around trying to sound like the big rational adults in the room with crap like "Well maybe we should...".

        No. No. No. No. We need to stop this crap where we treat the world like a market place of ideas where everything gets held up and considered. Some ideas are so vile and reprehensible that they do not bear consideration. This is one of those. We've known this for hundreds of years. That's why the constitution says no unauthorized search and seizures. This is a hard NO.
    • "Encryption is a useless endeavor to begin with; information wants to be free. Unless it's information about what's going on in the White House - that is strictly forbidden."

      -William Barr
    • As a consumer I say AG Barr should bite me

      • Re: Should? (Score:5, Insightful)

        by leonbev ( 111395 ) on Tuesday July 23, 2019 @10:02AM (#58972202) Journal

        As an IT guy, I'd like to offer him a custom certificate that we can add to his keychain so we can spy on all of his encrypted communications.

        If he really thinks that backdoored security is not really a big deal, I can't see how he would mind us keeping an eye on his communications.

  • HAHAHAHAHA (Score:4, Insightful)

    by DarkRookie2 ( 5551422 ) on Tuesday July 23, 2019 @09:05AM (#58971776)
    No.
  • by Indy1 ( 99447 ) on Tuesday July 23, 2019 @09:07AM (#58971786)

    me telling him to fuck himself with a cactus.

    Just another fascist dickhead that fails to understand that we need strong encryption to protect ourselves from people like him.

    • by pgmrdlm ( 1642279 ) on Tuesday July 23, 2019 @09:21AM (#58971900) Journal
      Just like the fascist dick heads from previous administrations. This is the same old song and dance that has been going on for years by the AG, FBI, NSA, and what other agencies want this. And all of us have replied the same way. NO
      • Were the idiots on the McLaughlin group during the whole iPhone/FBI encryption thing all agreeing we needed backdoors in certain situations. Pretty much demonstrating that like probably most other issues they basically knew nothing about it yet claim to be the brightest minds and the public should listen to them.
    • Just another fascist dickhead that fails to understand that we need strong encryption to protect ourselves from people like him.

      He understands perfectly, that's why he wants to stop you from being able to protect yourself.

    • I doubt he fails to understand that you want to be protected from people like him, he is trying to convince enough people to make it illegal to be protected.
    • me telling him to fuck himself with a cactus.

      Just another fascist dickhead that fails to understand that we need strong encryption to protect ourselves from people like him.

      You are naive or blind if you believe that. They know perfectly well what the encryption is good for and that is why they want it broken by design. Talk of criminals, terrorists, and thinking of the children is just a smoke screen to placate the masses that don't understand the scope or implications.

    • we need strong encryption to protect ourselves from people like him.

      The "strong encryption" you refer to are known as firearms.

      "Yes, the Founding Fathers were smarter than you."

  • crypto farm (Score:5, Insightful)

    by dyfet ( 154716 ) on Tuesday July 23, 2019 @09:07AM (#58971790) Homepage

    Some animals are permitted more security than others...

  • ... he's the one who wants the access via the backdoors.
  • Who would have thunked it, the land of the free, the home of the brave.

  • by necro81 ( 917438 ) on Tuesday July 23, 2019 @09:08AM (#58971808) Journal

    The risk, he said, was acceptable because "we are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications," and "not talking about protecting the nation's nuclear launch codes."

    So...you're cool with volunteering your own device to be the first with a backdoor? You don't deal in the nation's launch codes, after all, and surely your own personal business is appropriate for consumer products.

    Oh, you meant it's just for us? No thank you.

    • by jythie ( 914043 )
      Yeah, this is a guy who has a history of flip-flopping on his interpretation of the law depending on which party is in power, so his idea of who this is ok for and who it is not is going to be VERY uneven.
  • Comment removed based on user account deletion
    • Not only that, but even if we assumed that the government wouldn't use their access maliciously (a HUGE assumption), then all it would take is one hack and suddenly malicious individuals across the world would have access to our systems. It's not like you can make a "Government Use Only" backdoor that's immune to hackers abusing it.

    • by Freischutz ( 4776131 ) on Tuesday July 23, 2019 @09:50AM (#58972128)

      Let me guess, Huawei will be the solution provider. yes?

      Seriously, this is asinine! It's tantamount to state-sponsored espionage at a national suicidal level!

      The funny thing is that the Trump administration just banned Huawei devices because they were afraid of spying ... then they turned around and came up with this genius chess move. I'm pretty sure that Chinese intelligence is competent enough that they don't need any help to hack the legally mandated back door Barr wants to put into every computer, mobile phone and tablet device in the US and if the Chinese do crack this back door they will have access to way more data than if they had planted backdoor in Huawei devices and they'll have Barr to thank for it.

  • That's the look of a man that says to himself every morning after his first cup of coffee, "Where am I? How did I get here? Is this my office?"
  • Noooope. (Score:5, Insightful)

    by RyanFenton ( 230700 ) on Tuesday July 23, 2019 @09:15AM (#58971862)

    AG Barr is a man utterly without integrity, openly acting as a purely partisan hack, working to undermine everything he can for crude private interests.

    That dude asking for us to literally turn off basic security on our computers is worth less than a spam-bot asking something similar.

    I mean, the effective algorithms aren't THAT complex - they're open, interesting and elegant packet coding/checking systems that don't need a method for third parties to break into.

    Replacing those basic tools with ones shunted with a channel for outside parties to see the raw data is just utterly mindless.

    Barr knows this, but again - no integrity.

    I understand - he's got relationships worth money to maintain though - gotta be worth more than everything else in the world I suppose in his mind.

    I mean, really, if anyone listens to a guy like Barr, he's got to figure they deserve the choice they made trusting him - at least that's what I see in the smirk he makes as he presents anything.

    Towards his ideals at least, he's proving you can't trust government, by representing governance in general in as horrible a light as he can.

    Ryan Fenton

    • Re:Noooope. (Score:5, Interesting)

      by jythie ( 914043 ) on Tuesday July 23, 2019 @09:27AM (#58971960)
      Yeah.. I suspect the first carve outs would be for 'job creators', 'religious leaders', 'people who love law enforcement and for whom law enforcement will vouch' and 'patriotic activists'.
    • he's proving you can't trust government

      Does this really need to be proven millions of times over??

    • by gtall ( 79522 )

      It was fun watching David Brooks on PBS, when Barr said he would look at the special counsel's report, tell us that Barr was a respectable lawyer and he was going to trust him. A week later, after Barr made his pronouncement that Trump was innocent of attempting to sabotage Mueller, Brooks dismissed him as merely a spokesman for the Administration. Barr had a chance to make a basically conservative guy have some faith in the Administration and by being a hack, lost that chance in a mere week.

  • by Billy the Mountain ( 225541 ) on Tuesday July 23, 2019 @09:18AM (#58971880) Journal
    Yeah, let's do this because it's 2019 and we've all forgotten about the Clipper Chip.
    • by jythie ( 914043 )
      Heh. Which actually kinda fits. If you look at the Trump admin, it is mostly made up of previous admin officials from the 80s and 90s who failed at something important to them and are hoping for an unsupervised try at the brass ring again. Just look at, say, the obsession with Iran and how many people in his admin are still bitter that their attempts to collapse the state in the Reagan era failed. This might be their last chance before they retire or die.
  • BULL SHIT (Score:5, Insightful)

    by shentino ( 1139071 ) <shentino@gmail.com> on Tuesday July 23, 2019 @09:19AM (#58971886)

    Like HELL am I going to accept the risk willingly.

    For one, I have the right per the 4th amendment to be secure in my effects, and that means that unless the government has a damn warrant they can kindly keep their big fat nose out of my private business. And by warrant, I mean one supported "by oath or affirmation" as specified in the 4th amendment, which probably means a police officer is in front of a judge and swearing to the justification for the warrant UNDER OATH, and that means they're sure enough of what they're telling the judge that they're willing to risk being charged with perjury if they're caught fibbing about it.

    For two, their paychecks come out of taxes on my income and property, and I am not about to bless them wasting government man hours on my dime rifling through information they don't need in the first place to do their jobs.

    For three, just because they're the government doesn't make them any more immune to being hacked than the private sector. Any information in government hands is information at risk of hack from both private hackers as well as enemy spies and the last thing I want is my personal information in the hands of the enemy, especially if the government doesn't need it in the first place.

    So fuck back doors with a rusty pitchfork for three very good reasons. The principle of the 4th amendment, I don't want them wasting my tax money, and I don't want my shit exposed to hackers.

  • by 110010001000 ( 697113 ) on Tuesday July 23, 2019 @09:20AM (#58971892) Homepage Journal

    From what I understand, there is already a computer called the WOPR, that can rapidly decode the launch codes. So I am not sure what he is talking about.

  • My social security number is my personal equivalent of a nation's nuclear launch codes.

    • What a maroon

      You'd have to be ridiculously stupid to think that [your enemy's attempts to enslave you] are born out of stupidity.

    • In which case, my personal nuclear launch codes were leaked (how I never found out) and someone used them. Luckily, the credit card they opened arrived at my doorstep instead of theirs, but still it's a horrible feeling to know that your entire identity has been stolen and won't ever be solely yours again. My credit is frozen so nobody - including me - can use my credit unless I first thaw it, but it's still a horrible feeling.

      So, no, I won't be willingly opening myself up to more of this just so the police

  • by Anonymous Coward

    Some crims get the private key and use it to steal his savings.

    Seriously, encryption backdoors are so bad. I see why they would want access to stuff for law enforcement, though that should always be gotten through the individuals right to disclose the key if required, and every country already has laws/etc for this already.

    Putting a deliberate backdoor into stuff (which is just going to creep into other stuff) *he* cannot possibly know what stuff is going to be used for - it could inadvertently be used for

    • In the USA you are NOT required to hand over passwords, unlock codes for a safe etc. The government can try to break into these thing with a warrant but they are not guaranteed success and you don't have to help them.

  • Take away all the pre-existing and yet-uncracked strong encryption and steganography tools we can use to hide our "illegal" encryption with? Those bits have already spilled outta the bucket folks.
  • AG Barr lobbying for a government backdoor is ridiculous given that the Trump Administration has consistently argued against the "Deep State" "wiretapping" their communications during investigations into Russian election tampering. Top Trump officials have used encrypted chat applications such as Confide and WhatsApp to avoid surveillance, even though such conduct violates federal laws requiring that official communications be archived.

  • He can lobby for laws, but he's not going to put that genie back in its bottle. Anyone in power to make a statement like that who doesn't understand that modern encryption works because of the math, not because the source code is a secret needs to sit the f* down and shut up.
  • How many times (Score:5, Insightful)

    by nehumanuscrede ( 624750 ) on Tuesday July 23, 2019 @09:25AM (#58971934)

    How many GD times do we have to keep telling these people " NO " ?

    It's like they wait a generation, then ask the question again. Eventually, they'll find a generation of folks stupid enough to say " Yes ". :|

    As it stands today, I can't even trust a company to possess sensitive information of any kind due to the incompetence of the folks who store and hold it. Barr thinks their " magic backdoor " will be immune to this ?

    Do you think it likely the crypto the government uses will be subject to said backdoors ? ( Of course not ) So if they aren't willing to put their faith into the proposed system, why the hell would we ?

    The NSA can't even keep their hacking toys ( which were likely classified at the TS level ) a GD secret FFS.

    If anything, backdoors in crypto ( intentional or otherwise ) will be the PRIORITY TARGET because, once compromised, it gives you all the keys to the kingdom.

    • " He suggested that the "residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. [...] Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety." "

      In related news, Mr. Barr should probably familiarize himself with some of the oft quoted sayings of one Benjamin Franklin.

      Specifically the once concerning libert

  • There's a reason why they call "people" in the American justice and law enforcement system pigs.
  • I believe we are supposed to be protected from unreasonable searches. I have zero faith the government (any government) can be trusted to not abuse this.
  • We'll accept encryption backdoors just as soon as the Government accepts the responsibility of destroying trillions in revenue when those backdoors are compromised, which inevitably they will be.

    Let's stop pretending it's little Johnny Drug Dealer who is the only one affected by this kind of legislation. We're talking about all encryption here, to include encryption that every legal entity relies on to secure business.

    I can't believe we have such a hard time convincing lawmakers of this, as if they're no

    • And it's not only limited to that. There's criminal identity theft to worry about too. By that, I mean a criminal is arrested and gives a fake name/SSN/DOB. Suddenly, all police records list that YOU have committed a crime and any police interactions (like, for example, you're speeding and they run your plate) will begin with "this guy committed a major felony two states over." Also, good luck purging those databases because deleting one reference causes the data to just flow back in. (Here's an article det [libertyid.com]

  • by MobyDisk ( 75490 ) on Tuesday July 23, 2019 @09:30AM (#58971982) Homepage

    This discussion of US companies putting backdoors in their software is pointless: even if the US passed a law requiring backdoors, no one would do it. Not only because security professionals would refuse to comply out of principle, but mainly because the *lawyers* won't let you do it. The legal implications of getting sued for non-compliance would be fewer than the legal implications of having a backdoor in your system. There's no way your software could be sold in China, Russia, or the EU with a known backdoor in it. And if a law was passed, there would be no path to plausibly deny that such a backdoor existed. Every competent security organization would be in a race to write the CVE indicating that the product had a known backdoor.

    An acquaintance of mine works for the NSA and tries to find backdoors in hardware chips (stuff like routers). I can't imagine how an organization like the NSA could ever purchase a piece of software or hardware knowing that some other 3-letter-agency could spy on the NSA. [wikipedia.org]

    Even the US's own regulations would be ripped apart. For example, I write software that has to comply with the FDA security directives. I can't imagine a reading of those directives that would allow a known backdoor in the software. My employer's legal and compliance team would have a meltdown trying to figure out how to comply with a US backdoor + FDA security directives + IEC 62304 + 21 CFR Part 11 + GDPR. It would probably be easier to disregard the law.

    So the US Attorneys General can talk all they want about backdoors. It was voted down in the Clinton era, and it will be voted down again because your own legal team doesn't support it, and not a lawyer in the country does either. If Barr really wants a surveillance state, his best path is to quietly shut-up about it and do what we do now: have the NSA find vulnerabilities in software and quietly insert backdoors. At least then the corporations can plausibly deny the backdoors. The only reason for Barr to bring this up publicly is if the NSA is panicking that vulnerabilities are closing and they are losing access.

  • .... is even *IF* you give the government every benefit of the doubt that the government's intention is benign, and they would *NEVER* use such a back door in any way that was somehow improper or to infringe on the privacy of any law abiding individual, and whether they deserve such a benefit of doubt being left aside for the moment and simply providing that assumption as a given, an encryption backdoor is *STILL* a problem, because it will only be a matter of time before someone with less benevolent intentions figures out how to exploit it for nefarious purposes, causing harm to entirely innocent people.

    And while certainly it's true that this person would be a lawbreaker and have to be punished, the net result is that law enforcement's job is made *harder*, not easier, because it now additionally has to protect the public from such exploitation.

    If you throw in the dubiousness of trusting a government agency with such backdoor keys in the first place, it just goes downhill from there.

  • If America's AG has this frame of mind that is all the more reason to seek out another country to host your e-mail and data storage.

  • by nitehawk214 ( 222219 ) on Tuesday July 23, 2019 @09:44AM (#58972082)

    When quantum encryption is outlawed, both criminals and law abiding citizens will simultaneously have and lack quantum encryption!

  • Again, several billion around the world are living the dream of not imagining, but actually experiencing a boot stamping on their face -- forever (Orwell).

    And as usual, politicians in the west are more interested in notches on their belts for prosaic crime and ignoring the real reason encryption is needed -- the biggest crime of all, dictatorship.

    Stop enabling the tools of tyranny. No censorship. No panopticons. And encryption for everything.

  • by hAckz0r ( 989977 ) on Tuesday July 23, 2019 @10:10AM (#58972256)

    Encryption and system software is obviously not AG Barr's area of expertise, if he even has one.

    The risk of doing what he suggests is a 100% probability of a compromised system. If a government organization holds a key that will unlock the door to every computer system, then every computer system will be compromised. If there are many keys, they will still be compromised, but it might take a little longer.

    Why? The logic to that back door will be embedded in the system software that is delivered and running on each system. Thus the algorithm will be published for all the adversaries to explore, reverse engineer, and utilize at will. Once the adversary understands how the code works it's only a matter of time before they know how to defeat any protections built into it. The system itself then becomes a cyber weapon capable of being used against us.

    After this code publication, Russia, China, NK, and Iran will all have the secret weapon needed to disrupt any efforts to defend ourselves against attack. They can then devastate the economy, shut down all power, water, and emergency services whenever they choose. No system containing this back door will be safe to use during an emergency.

    AG Barr, be very careful what you wish for. I'm sitting here wishing you had a clue.

  • by JonnyCalcutta ( 524825 ) on Tuesday July 23, 2019 @02:03PM (#58974056)

    What has this got to do with Irn Bru?

    https://www.agbarr.co.uk/ [agbarr.co.uk]
