Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption
from the going-dark? dept
Well, here’s one we did not see coming at all. Both former Homeland Security boss Michael Chertoff and former NSA and CIA director Michael Hayden have said that they actually disagree with current FBI director Jim Comey about his continued demands to backdoor encryption. Given everything we’ve seen in the past from both Chertoff and Hayden, it would have been a lot more expected to see them both toe the standard authoritarian surveillance state line and ask for more powers to spy on people. At the Aspen Security Forum, however, both surprised people by going the other way. Marcey Wheeler was the first to highlight Chertoff’s surprising take:
I think that it?s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there?s going to be a court order. And I say that for a number of reasons and I?ve given it quite a bit of thought and I?m working with some companies in this area too.
First of all, there is, when you do require a duplicate key or some other form of back door, there is an increased risk and increased vulnerability. You can manage that to some extent. But it does prevent you from certain kinds of encryption. So you?re basically making things less secure for ordinary people.
The second thing is that the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door. These apps are multiplying all the time. The idea that you?re going to be able to stop this, particularly given the global environment, I think is a pipe dream. So what would wind up happening is people who are legitimate actors will be taking somewhat less secure communications and the bad guys will still not be able to be decrypted.
The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that?s going to be a strategic problem for us.
He’s right on all accounts, and does an astoundingly good job summarizing all of the reasons that many experts have been screaming about ever since Comey first started whining about this bogus “going dark” claim. But then he goes even further and makes an even more important point that bears repeating: it’s not supposed to be easy for law enforcement to spy on people, because that has serious risks:
Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn?t the government simply say all of these [takes out phone] have to be configured so they?re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don?t think socially we do that.
On top of that, he points out, as we and many others have, that even if you can’t figure out what’s in an encrypted message it does not mean you’ve really “gone dark.” There are other ways to figure out the necessary information, and people always leave some other clues:
And I also think that experience shows we?re not quite as dark, sometimes, as we fear we are. In the 90s there was a deb ? when encryption first became a big deal ? debate about a Clipper Chip that would be embedded in devices or whatever your communications equipment was to allow court ordered interception. Congress ultimately and the President did not agree to that. And, from talking to people in the community afterwards, you know what? We collected more than ever. We found ways to deal with that issue.
Soon after that, at the same conference, Hayden spoke to the Daily Beast and more or less agreed (it is worth noting that Hayden works for Chertoff at the Chertoff Group these days). Hayden’s denunciation of Comey’s plan is not so detailed or thought out, and he admits he hopes that there is a magic golden key that’s possible, but recognizing it’s probably not, he thinks the damage may be too much:
?I hope Comey?s right, and there?s a deus ex machina that comes on stage in the fifth act and makes the problem go away,? retired Gen. Michael Hayden, the former head of the CIA and the NSA, told The Daily Beast. ?If there isn?t, I think I come down on the side of industry. The downsides of a front or back door outweigh the very real public safety concerns.?
As the Daily Beast notes, this is — to some extent — a roll reversal between Hayden and Comey who famously clashed over Hayden’s original warrantless wiretapping program after 9/11, with Comey actually arguing against some of the program (though what he argued against wasn’t as complete as some believe). Still, it’s quite amazing to see both Chertoff and Hayden point out what the tech sector has been telling Comey for months (decades if you go back to the original “crypto wars.”) This isn’t a question about “not wanting to do the work” but about the fact that any solution is inherently much more dangerous for the public.
Filed Under: encryption, going dark, james comey, jim comey, michael chertoff, michael hayden, mobile encryption
Comments on “Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption”
Part of me is banging my head vigorously on the table right now but the other part seems to think he has seen this in the past: once out of the power chain and with their retirements guaranteed there’s no need to maintain the dissonance any further. Would that apply to Hayden and Chertoff?
Re: Re:
probably a dont shit where you eat kind of argument. they have different customers now.
whos going to buy security consulting from someone with same views as Big Brother
Hm... this is suddenly relevant?
Love this quote:
The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that’s going to be a strategic problem for us.
Gee… this is suddenly relevant NOW?! Cripes…
Maybe this is what it means . . .
Follow this line of assumptions / conspiracy theory.
Former NSA and CIA director Michael Hayden knows that NSA can get what it needs (maybe not all it wants) using other techniques unavailable to the FBI.
Similarly, former Homeland Security boss Michael Chertoff might know that what the NSA has, homeland security has.
Since they can both get what they need, they see no reason to support the FBI. Maybe due to behind the scenes in fighting between competing bureaucratic fiefdoms, they would be happy for the FBI to be beholden to the NSA and/or homeland security and/or CIA for intelligence in exchange for other favors.
Hayden was also former CIA head honcho. According to this he was at NSA before he was at CIA. But maybe being at CIA he also has something against the FBI.
Okay, now I’ll take off my conspiracy theory hat.
I’m sorry, can someone check the temperature in hell please?
Re: Re:
Right? I totes missed the plate on THAT bus!
Translation: we already have the means to break encryption, so go ahead and implement it. We didn’t spend $3 billion on a secure building to store text messages, after all.
Re: Re:
Substitute “Break” with “Bypass” and you’ve pretty well nailed it.
No need to “break” encryption if you can get the cleartext by other means.
Re: Re:
Being able to break all widely used encryption is hard to believe.
More believable is the idea that when the NSA wants to target specific computers, it can hack them. It’s not as far fetched to believe that all commonly used operating systems are already so completely, so utterly compromised that NSA can implant software agents into targeted computers. By ‘compromised’, the NSA may have had back doors that are built right in to commercial software at manufacture. This may be known or unknown to the manufacturer of that commercial software.
Think about that. Isn’t this the kind of thing NSA does? There are probably only a few organizations that NSA would have to penetrate with one of their own human agents as an employee, in the right position, to be able to get such back doors into widespread use. And there’s the possibility of forcing software manufacturers to do it. Or even simply forcing certain individuals already employed there to do it without the knowledge of people higher up in the organization. I’m a bit skeptical of this, because someone, somewhere who is approached, pressured, blackmailed, etc to try to implant a back door into their employer’s software, might decide to go public with it.
It is also believable that a software agent implanted into a targeted computer could monitor all commonly used cryptographic libraries and obtain the key material being used.
I don’t think this sounds as far fetched as the idea that NSA can break all encryption. There are other ways to compromise cryptogrpahic systems.
NSA’s ability to hack computers is a technology race. Just like the US Mint is in a technology race with counterfeiters of US currency.
Re: Re: Re:
“By ‘compromised’, the NSA may have had back doors that are built right in to commercial software at manufacture. This may be known or unknown to the manufacturer of that commercial software”
Don’t forget hardware. Hardware’s even more difficult to suss out than software.
Re: Re: Re: Re:
Yeah, that assumption is so basic. I take it for granted that hardware does what it is supposed to do. Also the firmware. But you’re right. I should have thought of that.
OTOH, consider.
It would be difficult enough to modify firmware to compromise one of several well known OSes. Difficult to impossible to compromise an unknown OS.
It would be much harder to modify hardware to compromise even a well known OS. Although hardware could substitute in different firmware momentarily. Or have something like a ‘micro firmware’ that recognizes when a known OS is being loaded. Such compromised hardware would need a fair amount of storage built in.
Which hardware component would be compromised? The motherboard? The microprocessor? Maybe a major chipset that handles much of the IO? As I think about it, a chipset that is used across many major motherboards, and might easily have room for a bit of extra storage, might be an ideal location to sit in between the processor, memory and IO.
Open hardware has not gained nearly the traction as open source software.
Alternate reality
what sort oft alternate reality have I been transported to? Actually this might be the start of a real factual discussion on privacy. I tip mt wvirtual hat to these gentlemen
“We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do, and then when you get a court order it gets turned over and we wind up convicting ourselves?”
It would pretty much make a nonsense of the Fifth Amendment is why. Why the hell does an Englishman need to point that out to an American? *facepalms*
>>”We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do, and then when you get a court order it gets turned over and we wind up convicting ourselves?”
>It would pretty much make a nonsense of the Fifth Amendment is why.
>Why the hell does an Englishman need to point that out to an American? *facepalms*
That was a rhetorical question. Presumably the writer was thinking that Americans (other than Sekurity Apparatchniks) wouldn’t need the answer spelled out. (The S.A. critters are probably already thinking “why didn’t I think of that? Do I have a security letter that I can pretend covers it? And whom do I have to strong-arm to get it implemented?”)
Re: Re:
Rhetorical question or not, it still contained a logical fallacy that needed to be addressed.
“I’ve given it quite a bit of thought and I’m working with some companies in this area too.”
There’s your explanation: They are being paid by different people now.
I guess that means Chertoff and Hayden wouldn’t benefit financially from backdoor encryption.
Re: Re:
Translation: Their current financial interests are vested in options (Van Eck phreaking, bug planting) that are too expensive to be competitive if the Feds have push-button backdoor access.
If so, good for them. Chertoff is quite correct that it should be difficult to snoop, thus imposing limits on the amount of snooping.
Who gives a rat’s ass if two of the biggest national security state profiteers agree with ‘the little guy’ for once? Did they run out of caviar at their little Asoen group therapy session or something?
Alternate reality
It’s not an alternate reality.
It’s just a tacit admission that our telecommunications infrastructure – down to and including mobile handsets – is so thoroughly owned that there’s simply no need to focus on encryption in the vast majority of cases.
I can see the NSA director saying this. They understand the value of good encryption. They’ve also already compromised many systems out there and saying this publicly is probably a good strategic move.
Hayden and Chertoff
And you think these two Klowns are telling the truth ?? THEY BOTH WORKED FOR CHEEEENEY !!! NOTHING could be further from the truth.
No one is using cryptography
The NSA doesn’t need to break cryptography because: NO ONE IS USING IT.
If the Clipper chip worked as proposed without the design bugs that plagued it, so that only law enforcement could listen in on conversations (with proper oversight from a judge), I bet we would have more safety and privacy than we have now in our curently unencrypted world.
This is the data they’re collecting.
“Both former Homeland Security boss Michael Chertoff and former NSA and CIA director Michael Hayden have said […]”
No, really; the key word to look for here is former.
As soon as something puts food on someone’s table, even if it’s evil or lacks any measure of evidence, that person will arduously defend it.
Follow the Money
Most likely, they think they can make more money with encryption in place, Either by selling encryption, selling access to encrypted data or by selling access to encrypted PCs or something else completely.
The other alternative is that they did a cost/benefit analysis and concluded that encryption (either way) does not affect their bottom line.
Re: Follow the Money
“Most likely, they think they can make more money with encryption in place..“
Or because they have finally (secretly) cracked all of the currently used standard encryption codes, using a brand new secret program, that they have absolutely no intention of ever telling anyone about.
—
I know why..
“Both former Homeland Security boss Michael Chertoff and former NSA and CIA director Michael Hayden have said that they actually disagree with current FBI director Jim Comey about his continued demands to backdoor encryption.“
They’ve been reading techdirt an awful lot lately. 🙂
—