They're back! 'Feds only' encryption backdoors prepped in US by Dems



Gman
04-09-2018, 17:23
They're back! 'Feds only' encryption backdoors prepped in US by Dems (https://www.theregister.co.uk/2018/04/09/us_encryption_backdoors/)

Feinstein, Vance to try yet again to create magic math


US lawmakers are yet again trying to force backdoors into tech products, allowing Uncle Sam, and anyone else with the necessary skills, to rifle through people's private encrypted information.

Two years after her effort to introduce new legislation died (https://www.theregister.co.uk/2016/05/27/backdoor_bill_dead/), Senator Dianne Feinstein (D-CA) is again spearheading an effort to make it possible for law enforcement to access any information sent or stored electronically. Such a backdoor could be exploited by skilled miscreants to also read people's files and communications, crypto-experts continue to warn.

Tech lobbyists this month met the Senate Judiciary Committee to discuss the proposed legislation – a sign that politicians have changed tactics since trying, and failing, to force through new laws back in 2016.

New York District Attorney and backdoor advocate Cyrus Vance (D-NY) also briefed the same committee late last month about why he felt new legislation was necessary.

Vance has been arguing for fresh anti-encryption laws (https://www.theregister.co.uk/2015/11/24/perspectives_on_encryption/) for several years, even producing a 42-page report back in November 2015 that walked through how the inability to trawl through people's personal communications was making his job harder.

Tech lobbyists and Congressional staffers have been leaking details of the meetings to, among others, Politico (https://www.politico.com/newsletters/morning-cybersecurity/2018/03/28/mc-exclusive-manhattan-da-takes-encryption-breaking-plea-to-congress-152422) and the New York Times (https://www.nytimes.com/2018/03/24/us/politics/unlock-phones-encryption.html).

Magic roundabout

The meetings have also prompted cryptography experts and privacy pit bull Senator Ron Wyden (D-OR) to write letters outlining their concerns, including asking for details on a FBI program to devise a technical solution.
READ MORE (https://www.theregister.co.uk/2018/03/27/fbi_encryption_showdown/)
The US Department of Justice and the FBI have apparently been working together with three unidentified researchers to come up with a secure way to allow only law enforcement to access encrypted information. The FBI official seemingly in charge of that program – Valerie Cofield – was present at the Vance briefing, which also boasted a large number of Congressional staffers in attendance.

Earlier this year, the FBI was formally asked (https://www.theregister.co.uk/2018/02/14/cryptography_experts_fbi/) to disclose who the experts are that are telling the agency it is possible to create a secure Feds-only backdoor. It has so far refused to do so.

The argument by politicians and law enforcement that there is some way to create a backdoor in a strongly secure system that only the "right" people can access has been put forward so frequently for so long that it even has its own term: "magic thinking."

But the constant reminder that mathematics does not discriminate has been purposefully ignored (https://www.theregister.co.uk/2017/08/01/amber_rudd_on_encryption/) for years on both sides of the Atlantic, with occasional speeches from senior politicians and law enforcement personnel parroting the same line that they are sure the "brilliant brains" at tech companies can come up with a solution that will work.

In January, FBI director Christopher Wray told a conference in New York that there was an ever-growing backlog of devices that it could not access. He also made the same arguments as his predecessor made repeatedly: that the FBI was only interested in the contents phones used by terrorists and criminals; that not having access to phone data was a "major public safety issue"; and that the FBI wanted to work with tech companies to come up with "thoughtfully designed" solutions.

And again

Wray then reiterated the exact same message (https://www.theregister.co.uk/2018/03/08/fbi_director_cryptography/) last month at a different conference. "This problem impacts our investigations across the board – human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation, and cyber," he said. But, of course, he failed to put forward a solution, noting only that he is "open to all constructive solutions."

Meanwhile the spy agencies of the US, Canada, UK, Australia and New Zealand – the so-called "Five Eyes" – have been meeting repeatedly (https://www.theregister.co.uk/2017/06/13/five_eyes_stare_menacingly_at_encryption/) about how best to bypass encryption.

The last big push for new backdoor powers came when the FBI engaged in a very public legal fight with Apple over the iPhone used by San Bernardino shooter Sayed Farook: a fight that the FBI ultimately backed down from.

A recent report (https://www.theregister.co.uk/2018/03/27/fbi_encryption_showdown/) by the Department of Justice strongly suggested that the FBI used the shooting as a pretext to get a legal precedent forcing Apple to unravel its encryption systems.

Pro-backdoor advocates have presumably been waiting (https://www.theregister.co.uk/2018/01/25/uk_prime_minister_encryption/) for the next terrorist attack in order to relaunch efforts but their patience appears to be running thin, sparking the fresh round of meetings and new legislative proposals.

So far, actual details are limited, although according to one set of leaks, the plans are focused on hardware and operating systems, and not application software, i.e. the ability to commandeer a device, by seizing it or remotely over the air, to read a target's messages, rather than break the encryption protocol of, say, Signal.

In other words, if you can break into someone's phone and pretend to be them, you don't have to bother with intercepting network traffic and forcibly decrypting the in-transit data.

And it sounds as though that's the route snoops want to go down: unlocking and accessing locked encrypted devices via a low-level software backdoor, remotely or with a physical connection.

spqrzilla
04-09-2018, 17:56
Biggest pack of liars in the world.

CoGirl303
04-11-2018, 08:25
where's the liberal call to ban electronic devices? [emoji19]

CS1983
04-11-2018, 08:38
Combined with this potentially lovely bit of "legislation"... hmm.. at least in Cali.

http://www.thegatewaypundit.com/2018/04/it-begins-california-senator-introduces-bill-to-kill-free-speech-requires-state-sanctioned-fact-checkers-to-approve-online-content/


The bill is titled “SB1424 Internet: social media: false information: strategic plan.”

It targets social media based in California. But as you read the bill, you see it appears to define social media as any Internet blog, website, or communication.

SB1424 is brief. Read it:

This bill would require any person who operates a social media, as defined, Internet Web site with a physical presence in California to develop a strategic plan to verify news stories shared on its Web site. The bill would require the plan to include, among other things, a plan to mitigate the spread of false information through news stories, the utilization of fact-checkers to verify news stories, providing outreach to social media users, and placing a warning on a news story containing false information.

(a) Any person who operates a social media Internet Web site with physical presence in California shall develop a strategic plan to verify news stories shared on its Internet Web site.

(b) The strategic plan shall include, but is not limited to, all of the following:

(1) A plan to mitigate the spread of false information through news stories.

(2) The utilization of fact-checkers to verify news stories.

(3) Providing outreach to social media users regarding news stories containing false information.

(4) Placing a warning on a news story containing false information.

(c) As used in this section, “social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.

Irving
04-11-2018, 08:40
Why should the FBI care about people losing their privacy?

BushMasterBoy
04-11-2018, 09:31
If you participate in this thread you get put on their list.

CS1983
04-11-2018, 10:05
I'm probably already on like 18 lists. At this point, my goal is simply to give their DBAs carpal tunnel.

BushMasterBoy
04-11-2018, 12:22
Quoted from the article...


"Pro-backdoor advocates"

roberth
04-11-2018, 13:13
Quoted from the article...


"Pro-backdoor advocates"

Isn't it queer how the (D) always want to backdoor their policies?

Gman
04-11-2018, 13:33
If you participate in this thread you get put on their list.
I started the thread, so I must be on all the lists.

Gman
04-11-2018, 13:35
Quoted from the article...


"Pro-backdoor advocates"
I think that's one of the planks for their party platform.

CHA-LEE
04-11-2018, 13:44
You guys really think that the NSA, CIA, FBI, etc can't already crack any encryption used by the general public or businesses???

Irving
04-11-2018, 13:49
Are you suggesting it's a false narrative just to get the public to openly agree?

CS1983
04-11-2018, 13:51
You guys really think that the NSA, CIA, FBI, etc can't already crack any encryption used by the general public or businesses???

They can pick a lock too, but I'm not into the idea of just giving them a key to the door.

Gman
04-11-2018, 13:55
You guys really think that the NSA, CIA, FBI, etc can't already crack any encryption used by the general public or businesses???
I'm sure the .gov can. They likely could easily decrypt military grade encryption in a war-time scenario. I think they've been looking for cover so that they don't have to admit that they can already crack the devices.

CHA-LEE
04-11-2018, 14:56
I don't think this is well known but when companies sell products that generate encryption they MUST give their encryption process and algorithms for deploying encryption to the FCC to legally sell it. Any "Off the Shelf" encryption products or services consumers can buy have already been circumvented by this FCC requirement. Rest assured that pretty much any encryption currently being used in a commercial product manner can be cracked by the government by either brute force number crunching or having the bulk of the equation spoon fed to them by the FCC.

Encryption used by consumers is pretty much like the TSA. A weak attempt at pretending like some kind of security is going on.

th3w01f
04-11-2018, 18:09
I'm probably already on like 18 lists. At this point, my goal is simply to give their DBAs carpal tunnel.

I have to go back to my SF86 when I need to learn about myself... I wish the Chinese would just have it indexed by Google to make it easier.

th3w01f
04-11-2018, 18:10
https://www.techrepublic.com/article/tls-1-3-is-approved-heres-how-it-could-make-the-entire-internet-safer/

CS1983
04-11-2018, 18:22
I have to go back to my SF86 when I need to learn about myself... I wish the Chinese would just have it indexed by Google to make it easier.

Yeah, I looked up an old clearance while doing my current one. I'd completely forgotten I'd lived in 2 places until I read it on my SF86. Lol.

Grant H.
04-11-2018, 19:10
It's already been said, but the .gov can already crack all of this, they just can't legally use it in a court of law like the San Bernardino case.

The only thing that encryption does is buy you time. Kind of like a gun safe.

Good encryption? Having a TLTR-30 rated safe in your house. It takes a higher class of criminal to get into it, and it takes them time. But they're getting into it.
Nearly ALL SOHO encryption? LOL. The Stackon Gun cabinets with the key taped to the back... Any half assed criminal is going to walk off with your crap if they want it.

Once you've taken products through FIPS certification, you start to understand just what encryption is for. It's there to keep the lowest common denominator out of whatever is encrypted.

Don't delude yourself either. The .gov/.mil/etc all use the same "good encryption" that can be broken into by that same higher class of criminal. Hence why most rely on the SCIF mentality to actually protect sensitive/important information. (Denying access in the first place)

We should all be against the legal precedent that they can decrypt our information and use it in a court of law. It's called the 4th Amendment.

Grant H.
04-11-2018, 20:27
Christopher Glenn used Truecrypt, and the feds still got into it.

There is speculation among those that have followed it that he gave up his password, but the reality of it is that no encryption is "unbreakable".

TFOGGER
04-11-2018, 21:27
Encryption is like a cheap padlock: It'll keep honest people honest, until they get curious about what's inside. Mandating a back door is just begging someone to find it and pick the lock.

Justin
04-12-2018, 06:13
Certain forms of encryption are not breakable with realistic levels of hardware or in short time frames.

In that case, they will simply use an alternate method to get the data.

https://imgs.xkcd.com/comics/security.png

Irving
04-12-2018, 21:51
You can always opt-out.


https://www.youtube.com/watch?v=lMChO0qNbkY

spqrzilla
04-12-2018, 23:40
The FCC does not regulate encryption algorithms in general. They do regulate the forms used in wireless communication over regulated entities like cellular phone systems.

The NSA has the mandate to help US companies develop encryption algorithms that protect things like financial transactions, and it's widely accepted that they have worked hard to cripple such encryption methods to protect their own ability to decrypt communications. The most heavy-handed of the NSA's attempts was the notorious and truly stupid Clipper Chip. The concept was introduced in 1993 and dead within a year or two.

What is the subject of great debate is whether or not the NSA has either found algorithmic methods to crack the large-key encryption methods in the public domain or whether they have the computing power to brute-force crack such methods. Usually the easiest routes to break into such communications involve human error in exposing keys rather than attacking the encryption algorithm itself. Or a $5 wrench from the Randall Munroe comic that Justin links.

The Dept of State claims the authority to control the export of encryption technology, as it's classified as a munition under ITAR regulations, but that's pretty much horse and barn door time. Open source public key crypto systems like PGP are well distributed.

Amusingly, there is a theoretical way to use "backdoored" encryption systems - where the government has the ability to read all plaintext messages - to still have an encrypted communication. Discussed here: https://www.schneier.com/blog/archives/2018/04/subverting_back.html

Bruce Schneier's blog has some other encryption related discussions and he has one of the better overview texts on the topic.

Large state military encryption systems are broken using ordinary old-fashioned espionage - see the Walker family espionage ring. Real terrorists use more primitive methods of just hiding their communications, such as sharing a web-based email or forum account and leaving messages in draft folders. Other unsophisticated techniques, one of which actually appears in the Netflix TV series "Occupied", are to use things like multi-player online games to meet and chat in agreed game servers.

izzy
04-13-2018, 00:09
Most people who are concerned about their privacy willingly/naively give up access to their "private" conversations and more. Not to sound like a Luddite or a hipster, but it seems like an "analog" conversation is probably simpler to keep private than any digital one. Maybe being esoteric on top of it is even better. Who can read smoke signals or understand Sanskrit these days anyways? Time to brush up on my cuneiform lol

Grant H.
04-13-2018, 09:02
Most people who are concerned about their privacy willingly/naively give up access to their "private" conversations and more. Not to sound like a Luddite or a hipster, but it seems like an "analog" conversation is probably simpler to keep private than any digital one. Maybe being esoteric on top of it is even better. Who can read smoke signals or understand Sanskrit these days anyways? Time to brush up on my cuneiform lol

Absolutely true.

Gman
04-13-2018, 17:22
The reason that social engineering is still used....is because it continues to work. People never learn.

spqrzilla
04-13-2018, 17:59
Many decades ago, a bank was hacked for very large sums of money via wire transfers. The vice presidents who had the authority to make such transfers had elaborate methods of bonded couriers carrying the daily authorization codes to each VP, secure methods of holding those codes for the VP to access and elaborate methods of verifying the identity of the VP when they called in the transfer to the bank's operation center.

Then the operators at the operation center wrote the daily authorization code on a giant whiteboard in view of a glass window to the hallway.

izzy
04-14-2018, 09:32
I did that as a project in college. Could encrypt anything into the header of an image. At the time it was pretty unbreakable; these days I'd guess the average cellphone has the power to crack it.

izzy
04-14-2018, 09:35
Now I'm trying to find the code. It's going to drive me crazy because I know there is about a 0.0000001% chance I still have it but I'll probably spend all day looking.

Justin
04-15-2018, 19:15
Bruce Schneier's blog is worth cruising at least once a week. Most of his stuff is pretty readable for the average person and a lot of the information can be pretty useful.

The comment section is a pretty amusing cross section of computer security experts, tin foil hat enthusiasts and occasionally people larping (?) as spooks.

spqrzilla
04-15-2018, 20:12
The comment section is a pretty amusing cross section of computer security experts, tin foil hat enthusiasts and occasionally people larping (?) as spooks.

Shhhh, Justin. Don't blow my cover.