date 2018-05-02
Tech Giants Hit by NSA Spying Slam Encryption Backdoors (zdnet.com)
A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices. From a report: The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology. "Recent reports have described new proposals to engineer vulnerabilities into devices and services -- but they appear to suffer from the same technical and design concerns that security researchers have identified for years," the statement read. The renewed criticism follows a lengthy Wired article, in which former Microsoft software chief Ray Ozzie proposed a new spin on key escrow. Device encryption has hampered police investigations, and law enforcement officials have pushed tech companies to fix the problem -- even by way of suing them.
The criticism might be the only canary in the coal mine that we have. They have limited options if they don't want to just shut down operations (and somehow explain that to shareholders without violating their national security letter).
We really need more heroes in Congress, like Senator Ron Wyden who both voted against FOSTA/SESTA (because it's stupid and makes the problem worse) and lost his shit at Christopher Wray for asking for backdoored encryption [senate.gov]. Representatives with the integrity to stand for what's right even if it's a losing battle and politically unfavorable.
I'm hoping to see Rikki Vaughn replace Cardin this term; and I'm going for Elijah's seat, so there's that. We need legislation putting a stop to the overuse of power
They could have had backdoors (Score:3)
They already could have had backdoors, but noooo, they had to forbid Huawei to enter the US market.
Or perhaps Huawei did not have any backdoors and they knew it would be impossible to convince them to have backdoors and they thought they at least had a shot with the other players. (Or all the rest already HAS NSA backdoors)
Or the backdoors are already in place and this is to both save face for the companies AND to let people believe their data is safe.
I remember a time when I was innocent and thought that all those people with tinfoil hats were crazy. Times have changed.
Also remember that it is only paranoia if you THINK you are being followed, not when you actually are.
This is the fight that will define the future (Score:3)
If the anal-retentive, power-grubbing law-enforcement and politician types get their way, then there will be no such thing as 'private communications', 'secure data', or for all intents and purposes 'privacy' -- unless you're law enforcement, a politician, or (of course) The Rich. There will also, ironically, be less of things called 'justice' and 'law and order', because in their mad, foaming-at-the-mouth dash to have access to all things at all times, bar none, they will open the door for criminals to freely and easily take whatever data or communications they want; even your average script-kiddie would soon enough be able to break into whatever data-store they want. Your financial accounts? Your very identity? Up for grabs -- unless you're a cop, are a politician, or have money.
THAT IS WHY THERE HAS TO BE A LINE DRAWN IN THE SAND; HERE, AND NO FARTHER.
If I'm the only one with access to my encryption key then you can be sure that everything signed with it is from me.
Oh, no, you don't seem to understand: Unbreakable encryption will be illegal if they have their way; you'd have to obtain the software from illegal sources (even if you wrote it yourself), and you'd be arrested, tried, and convicted as a cybercriminal for possessing and using it. Furthermore your entire life would be turned upside down, as they sift through it trying to find your connections to terrorism. That 'investigation' would include your family, your friends, your employer, and everyone you know, and
Here's the problem, feds, listen up (Score:4)
Unlike these companies I can speak easily to you since I have no horse in that race. I don't have to bullshit you so you keep buying my software and so you don't send the IRS down on me to keep my finance department in enough red tape to ensure they don't do anything sensible anymore this decade.
Here's the problem: If you mandate a backdoor into software, nobody with at least a hint of sanity will use that software. If you mandate that all software used within your jurisdiction has to have that flaw, you put your domestic industry at a severe disadvantage over every other on the planet, because you open them up to industrial espionage.
"Government only" backdoor keys are much, but not government only for long. Such keys are valuable. They offer entrance to all the sweet, juicy R&D details that every company and some governments on this planet want. Do you think that such keys have a price? You bet. Do you think that "give me the key or your little baby girl gets a bullet through her head" is too high a price for some governments? Think again.
People have weaknesses. Everyone has them. Even if they can't be bribed, they can be bullied, coerced, threatened or simply blackmailed. Works with everyone. I have not met a single person that had no weak spot you could exploit to get them to do anything, literally anything, you wanted. For most it's family. People do a hell of a lot of things if you offer them the life of their children in return.
Even China, one of the most restrictive countries with a surveillance state that would make Orwell wonder whether they used his books as manuals, wasn't foolish enough to demand something like this from its industries. That alone should tell you just how bad an idea it is.
They don't care that they bite the hand that feeds them, i.e. the industries that send them their fat donation checks? Wow, that's rough. Other whores I know at least have that much of a work ethic to at least perform their duties once you paid them...
A panopticon what? (Score:2)
The biggest problem isn't crime but dictatorship. We should not be giving dictatorships free reasons to force backdoors just so some agents can get brownie points catching crooks. For each crook caught, how many millions continue to live with a boot on their neck?
Stop building the tools of tyranny.
The same Google that is pushing Chat? (Score:2)
You know the end-to-end text messaging replacement that doesn't include encryption?
Well-known "security" guy Ray Ozzie (Score:2)
As I recall, Ozzie was at Microsoft during the heyday of remote SQL ports being open by default, IIS 4, IE 6... basically back when Windows security was a laughingstock. Why anyone would take anything he says regarding security seriously is beyond me.
Let's call this what it is. (Score:2)
You can't have security and backdoors. Let's just say, for the sake of argument, that Ray Ozzie's approach - assuming it worked perfectly (heh) - of vendor-held key escrow was legislated and implemented. This is a huge leap for the industry, but they could do it. It would never be reasonably secure, and it would be near impossible to fix the flaws, but let's say it was done. The next step would be Fed-held key escrow. This is an almost microscopically tiny incremental step - just moving some boxes, folks -
that won't be abused like an underage Congressional intern.
How exactly do you abuse an intern? They're not exactly treated as employees anyone intends to keep to begin with.
The problem with Ozzie's system (Score:3)
In the article Ozzie proposes a slight modification to the golden key solutions previously proposed. Instead of a single master key that would unlock every single device or system, his system relies on the manufacturer or creator to create specific asymmetric paired keys. When law enforcement requires a device or account to be unlocked, the manufacturer can unlock with their private paired key. In the case of San Bernardino, Apple would unlock only that particular iPhone.
The problem with this is that it requires the creator or manufacturer to be the stewards of these keys for an indefinite amount of time. In the case of Apple, they have to maintain keys for as long as an iPhone could exist which could be decades. It is also going to be problematic for companies or organizations that no longer exist. When companies go bankrupt, one of the few remaining assets they could sell is their data.
It doesn't shift the problem of risk to the stewards. It is still possible that the keys could be stolen; it just means hackers do not have to steal a single key.
Practically how will this work with independent developers? Open source developers would never follow this system.
Frankly, that isn't much of a problem as far as I'm concerned. Ozzie's proposal is that both the government and the manufacturer must independently agree to unlock a phone in the government's possession, a phone which the government irretrievably bricked in the process of making its request.
I like this idea. The government has no ability to decrypt without specific, limited permission from the device manufacturer. The manufacturer is not forced to grant their request. The device first has to come in the pos