Begun again, the Crypto Wars have
July 8, 2015 5:53 PM   Subscribe

Once again, the ability of ordinary people to use strong encryption is under threat from lawmakers. In the wake of the exposure of the Five Eyes spying dragnet, consumers have demanded encryption, while the FBI claims encrypted devices will prevent it from fighting crime (or will they?) While the FBI has its own solution, experts deride it as impossible. Meanwhile, online mercenaries sell spyware to anyone who will pay them.
posted by Lycaste (49 comments total) 27 users marked this as a favorite
 
certain uses of [strong encryption] — notably end-to-end encryption that forces law enforcement to go directly to the target rather than to technology companies for passwords and communications — interfered with the government’s wiretap authority and created public safety risks

Yeah, but if the NSA was just sticking to court-ordered wiretaps, then maybe there wouldn't be such a big push for end-to-end strong encryption. The US government chose to become the adversary people fear most. Of course we're going to engineer ways to make your eavesdropping less effective.
posted by ryanrs at 6:19 PM on July 8, 2015 [14 favorites]


Comey said American technologists are so brilliant that they surely could come up with a solution if properly incentivized.
Damn, that's chilling.
posted by ChurchHatesTucker at 6:21 PM on July 8, 2015 [3 favorites]


The 2015 Argumentum Ad Consequentiam award goes to FBI Director James Comey. Let's all give him a big round of applause!
posted by double block and bleed at 6:34 PM on July 8, 2015 [5 favorites]


I love how the FBI needs it to fight ISIS.

Funny, aren't they in Iraq and Syria?
posted by eriko at 6:48 PM on July 8, 2015 [6 favorites]


It genuinely baffles me that people can think that mandating broken encryption will in any way reduce the net sum of trouble in this world.

However, I do know that there are people in power who really, really, really want it to be true. And have done for a long time. Therefore, I suspect that there are other people who are telling them quietly that it can be true, and that if they'll just pay for the R&D, it will be true. I further suspect that the sums are far from trivial.

The trouble is, of course, that even if they do come up with something, it does have to be made public in order to be made compulsory, and at that point it will be shown not to work. And the difference between this and any other hideously expensive counter-productive public policy is that there's real maths at the bottom of the showing-not-to-work

Plus, there's the whole outlawing of mathematical research, open source systems, algorithms you can write on a T-shirt, actual numbers and the rest of the insanity. And what are they going to do with me if I insist on using strong crypto that I typed in from a standard textbook? Throw me in prison? Fine me? Label me an enemy of the state? Get a court order to get my keys every time I change my keys, when they know that it's merely the act of hiding, rather than trying to shield something illegal?

And what, exactly, do they think the real bad guys are going to do?

Baffled, baffled, baffled.
posted by Devonian at 6:50 PM on July 8, 2015 [26 favorites]


And what, exactly, do they think the real bad guys are going to do?

Well, for starters, everybody, bad guys included, is going to stop buying American pretty much instantly.
posted by fifthrider at 6:52 PM on July 8, 2015 [7 favorites]


Friggen WhiteBoy Merkin terrorist posted his shitty manifesto calling for a race war he was going to start, unecrypted and completely unhidden to the world wide open web and the behavioral analysts of the FBI/NSA/CIA were completely gobsmacked when 9 bodies hit the floor.

Comey couldn't find his own ass with two flashlights and a copy of Greys Anatomy.
posted by Pogo_Fuzzybutt at 7:10 PM on July 8, 2015 [55 favorites]


Just remember that in many cases the documents suggest that NSA is far more interested in metadata collection than content collection, and no amount of existing, good, end-to-end crypto will protect you from that.

The war on crypto is so stupid that it makes the other bad ideas the FBI is lobbying for look smart in comparison.
posted by yeahwhatever at 7:18 PM on July 8, 2015 [4 favorites]


I don't have the heart to look, has FBI Comey used the ol "If you have nothing to hide what are you worried about?" line?
posted by AugustWest at 7:46 PM on July 8, 2015


And what, exactly, do they think the real bad guys are going to do?

Testilie to Congress until it passes the P=NP Act of 2020?
posted by MikeKD at 8:07 PM on July 8, 2015 [9 favorites]


I don't think Comey even thinks he can win this argument, but he's likely continuing to ask for the impossible so he can make his next request -- massively expanded hacking powers -- seem more reasonable in comparison.
posted by RobotVoodooPower at 8:17 PM on July 8, 2015 [2 favorites]


So why doesn't our government do something about this? Oh ... right.
posted by ZenMasterThis at 8:18 PM on July 8, 2015


Well, for starters, everybody, bad guys included, is going to stop buying American pretty much instantly.

Aha. Ahahahaa. Ahahahahaa.

You underestimate the idiocy of client states.
posted by pompomtom at 8:19 PM on July 8, 2015 [2 favorites]


Comey said American technologists are so brilliant that they surely could come up with a solution if properly incentivized.

So James Comey is one of those dumbass managers.
posted by cosmic.osmo at 8:28 PM on July 8, 2015 [10 favorites]


The Keys Under Doormats paper discussed by the NYT article is delightful from the title to the end, and it's light on jargon since it's written for lawmakers and law enforcement. If you're interested in seeing the argument for "exceptional access" politely and ruthlessly torn apart by a who's who of smart crypto/CS people, I highly recommend it.
posted by skymt at 8:29 PM on July 8, 2015 [17 favorites]


“Maybe no one will be creative enough” to solve the problem, Comey said, “unless you force them to.”
The beatings will continue until ... oh, they'll just continue.
posted by RobotVoodooPower at 9:00 PM on July 8, 2015 [8 favorites]


I like to think the Snowden leaks are evidence that the NSA isn't competent to keep a repository of secret keys. Not because of any information contained in the leaked docs, but just the fact that Snowden succeeded in leaking secret NSA data.
posted by ryanrs at 9:13 PM on July 8, 2015 [5 favorites]


The OPM hack of 18 million federal workers and related people's data is further evidence. Weird that he's the one briefing the Senate on it. (Sorry, it's 32 million)
posted by RobotVoodooPower at 9:39 PM on July 8, 2015 [3 favorites]


Also, 22/7.
posted by blue_beetle at 10:02 PM on July 8, 2015


Strong encryption is regulated as an arms export. Doesn't that provide legal precedence for protection of personal use of strong encryption in the US under the 2nd Amendment?
posted by unknownmosquito at 10:04 PM on July 8, 2015 [10 favorites]


I like to think the Snowden leaks are evidence that the NSA isn't competent to keep a repository of secret keys. Not because of any information contained in the leaked docs, but just the fact that Snowden succeeded in leaking secret NSA data.

We proved incredibly fortunate that a hero like Snowden decided to make his knowledge available to the public. A man of lesser morality would have simply sold out for his own profit. So long as we punish whistleblowers in extrajudicial fashion, it is likely we'll suffer further leaks, suffering not at the hands of terrorists or other false bogeymen, but at those of the mafia and other criminal parasites who truly plague society.
posted by a lungful of dragon at 10:53 PM on July 8, 2015 [8 favorites]


Strong encryption is regulated as an arms export. Doesn't that provide legal precedence for protection of personal use of strong encryption in the US under the 2nd Amendment?

They'll argue it's more like nukes, less like guns. You don't get to own a nuke; you won't get to use encryption.
posted by five fresh fish at 11:00 PM on July 8, 2015 [2 favorites]


I adore articles like the CSAIL technical report. It's the difference between watching someone clumsily saw their way through a rump steak with a butter knife, and expertly dismantle a filet mignon into bites with a few deft strokes of a good sharp blade. I think the polite but firm tone makes all the difference; it adds elegance, somehow.
posted by The Zeroth Law at 11:56 PM on July 8, 2015


Legislating weak crypto for export hurts everyone. The commonly used tools and technologies on the web are free software. In the world of crypto free software is more trustworthy, but bad laws hinder fs development. We are already seeing the shitty consequences of forcing people to use bad crypto. Restrictions on encryption are bad for business, bad for personal privacy, and good for spammers, identity thieves, and political repression.
posted by idiopath at 12:55 AM on July 9, 2015


Hey, no one was forced to use Dual_EC_DRBG, they were just highly encouraged to.
posted by 7segment at 1:27 AM on July 9, 2015 [2 favorites]


Ugh. Exactly the same bad arguments they were making 20 years ago. FFS.
posted by whuppy at 3:40 AM on July 9, 2015 [3 favorites]


The FBI would have a much better case pre-PGP. As it is now, they're making an argument against strong encryption being easy to use, when the tools are already available and generally legal. What this means is most users will have weak security by design and sophisticated criminals will still have uncrackable encryption. Maybe the FBI hopes to catch mainly non-sophisticated criminals who would use weak or no encryption, but they're putting the general population at risk to more easily prosecute a small subset.

To continue the encryption as munitions legally recognized metaphor, imagine we're at the point where we have perfect guns that can be 3d printed for free anywhere. The FBI is acting like total disarmament is the best option. We're past the point where that's realistic, and trying to do so would merely disarm the general population while leaving criminals just as armed as they were.
posted by mccarty.tim at 5:18 AM on July 9, 2015 [4 favorites]


"The FBI would have a much better case pre-PGP. As it is now, they're making an argument against strong encryption being easy to use, when the tools are already available and generally legal. What this means is most users will have weak security by design and sophisticated criminals will still have uncrackable encryption. Maybe the FBI hopes to catch mainly non-sophisticated criminals who would use weak or no encryption, but they're putting the general population at risk to more easily prosecute a small subset."

Let's put it a slightly different way:

"What this means is most American users will have weak security by design and sophisticated American criminals will still have uncrackable encryption. Maybe the FBI hopes to catch mainly non-sophisticated American criminals who would use weak or no encryption, but they're putting the general American population at risk to more easily prosecute a small subset."

It's almost exactly like the twist at the end of the movie "Sneakers". And if somebody wants me to spoil it for them then let me know.
posted by I-baLL at 5:45 AM on July 9, 2015 [3 favorites]


Eh, I should probably explain though: This is only going to affect the encryption capabilities of Americans. Virtually everyone else in the world will have access to strong encryption (except for maybe the British) except for Americans thus making the whole country less safe overall. Smart thinking, FBI!
posted by I-baLL at 5:48 AM on July 9, 2015 [3 favorites]


What this means is most users will have weak security by design and sophisticated criminals will still have uncrackable encryption.

If I was running that department encrypted messages would be stored forever even if they can't be decrypted right now. You can always go after the keys with a warrant in a year or five.

As you say, strong crypto is already out there and it's not going back in the bottle. But if you can get the general population to use something (anything) else, strong crypto users will still stick out like a sore thumb. I think what they really want is an easy filter by which they can throw away most of the data they collect.
posted by Leon at 6:17 AM on July 9, 2015 [1 favorite]


"If I was running that department encrypted messages would be stored forever even if they can't be decrypted right now."

/me connects /dev/urandom to a TCP pipe.
posted by idiopath at 6:30 AM on July 9, 2015 [10 favorites]


It's a political song and dance. U.S. intelligence services have run multiple successful operations installing malware onto systems owned by foreign governments and organizations. They've also run multiple social engineering attacks for the same purpose. "Encryption" is just a buzz phrase to support throwing more money at those intelligence services.
posted by CBrachyrhynchos at 6:33 AM on July 9, 2015 [2 favorites]


If the FBI has the back door key to all our encryption, then the first criminal to momentarily outsmart the FBI gets access to everything. And on the off chance nobody notices it happened, they retain access to everything.

It could take millions of attempts, but all it takes is one attacker that is lucky, and we are all fucked. Security with a universal key simply isn't.
posted by idiopath at 6:37 AM on July 9, 2015 [6 favorites]


An amusing anecdote from these fronts. There is an encrypted communication app called Mujahideen Secrets, and getting beyond the fact that the naming of the app is absurd (does the same company produce a file encryption tool called "hide your kiddie porn"?), I'd be really surprised if it wasn't developed by some US agency as a honeypot app.
posted by idiopath at 6:48 AM on July 9, 2015


/me connects /dev/urandom to a TCP pipe.

I've been wondering why people or governments haven't been doing this since Snowden. Or maybe they have. I suppose the USG has more pipes than everyone else, but the effort of storing and analysing a fuckton of nothing would be amusing for others, if nothing else.

(Notionally I have a couple of months before all my browsing is legally logged, and most of my bandwidth is spare...("months before ... logged" HA! I crack me up...))
posted by pompomtom at 7:12 AM on July 9, 2015


...further to that: Where would you send the random data? The Aus govt seems very vague on precisely what they consider retainable "metadata" (aka: data). Is there a way to do this without simply DOSing my ISP's DNS?
posted by pompomtom at 7:18 AM on July 9, 2015 [1 favorite]


Asking for a friend.
posted by pompomtom at 7:25 AM on July 9, 2015 [2 favorites]


idiopath: remember to throw GPG headers in now and again. To be honest, throwing clogs in the works might be a very sensible strategy, if you can get enough people to join you.
posted by Leon at 7:56 AM on July 9, 2015 [4 favorites]


Leon: is the corollary claim that you can communicate unnoticed by using obfuscated headers?
posted by idiopath at 8:34 AM on July 9, 2015


Mr Comey, let N be the product of two unknown large primes. How do you plan to determine what they are? Are you going to arrest N? Have your goons embroil N in a terrorist plot that didn't exist until your goons concocted it? Are you going to put N on the no-fly list? You can't really use RICO powers against the prime numbers in question, claiming that they've criminally conspired to produce N, without knowing who they are. Rounding up N's friends and digging through N's garbage: not likely to be productive.

Your usual repertoire of coercion, intimidation, and sneakiness is inapplicable in this context, so now you are coyly not-proposing that the universe tell you the prime factors of N in advance, which you promise to keep secret? I guess I sympathize with your discomfort in the face of such impotence, but just give it a rest already.

The "crypto wars" remind me, at some level, of the Indiana state legislature's attempt to square the circle by legislative fiat.
posted by busted_crayons at 9:15 AM on July 9, 2015 [8 favorites]


"It's one thing to have dissatisfied customers. It's another to have dissatisfied customers with death squads. I don't think the company is going to survive this." - Bruce Schneier, on the Hacking Team Hack
posted by rustcrumb at 9:49 AM on July 9, 2015 [1 favorite]


From the first Schneier link:

It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as U.S. computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.

He does not get it or he isn't saying. The spooks do not give a shit about any of that. The only thing they care about is preserving and growing their own power.
posted by bukvich at 11:19 AM on July 9, 2015 [5 favorites]


The only thing they care about is preserving and growing their own power.

Indeed. What's so maddening about the spooks' lust for power in this case is the ridiculous hubris of it. Like: there is a whole software libre cryptography ecosystem. Anyone can do whatever the fuck they want, cryptographically (in principle), even apart from the huge infrastructural reliance on strong cryptography and its daily innocuous utility to many people etc. Any arrangement that gives the spooks a universal emergency peek -- only with a court order! -- is tantamount to telling people that they can't perform certain computations unless they involve the spooks according to some protocol (on which Mr Comey is too humble to elaborate). That's a comically thought-crimey proposal.
posted by busted_crayons at 11:33 AM on July 9, 2015 [3 favorites]


I don't think he's talking to the spooks there at all. The spooks know all of this. He's talking to the folks who (at least theoretically) have the power to fire the spooks, or set their agenda and operational constraints.
posted by idiopath at 12:26 PM on July 9, 2015 [2 favorites]


also, some twitter funnies related to all this going on right now
posted by idiopath at 12:29 PM on July 9, 2015


pompomtom The NSA has a facility to do just this, conveniently parked on top of major fiber backbones that cross the United States.
posted by msbutah at 12:29 PM on July 9, 2015


He does not get it or he isn't saying. The spooks do not give a shit about any of that. The only thing they care about is preserving and growing their own power.

I still think it's smoke and mirrors. Kaspersky last month revealed that they had been rooted by a government agency using sophisticated zero-day vulnerabilities and a memory-resident worm that propagated from system to system and forced the company to power down their entire office complex. Any noise that the spooks are making about iOS 8 encryption is just cover.

Bait and switch. Wave the terrorism stick to get Stingrays into the hands of state and local police for chasing down petty drug deals.
posted by CBrachyrhynchos at 12:48 PM on July 9, 2015 [4 favorites]


And a fair bit of election grandstanding, throw a bunch of shit at the news media to make it an "issue" without giving a shit about how it would actually work.
posted by CBrachyrhynchos at 1:35 PM on July 9, 2015 [1 favorite]


Operation Vula provides an interesting example of how important cryptography is for activism, journalism, etc.
posted by jeffburdges at 2:49 AM on July 29, 2015


« Older Georgian (?) Muscle Men. Dumplings.   |   They Deserve Better Newer »


This thread has been archived and is closed to new comments