White House Takes The Cowardly Option: Refuses To Say No To Encryption Backdoors, Will Quietly Ask Companies

from the ridiculous dept

Last month, we wrote about a document leaked to the Washington Post that showed the three “options” that the White House was considering for responding to the debate about backdooring encryption. The document made it clear that the White House knew that there was zero chance that any legislation mandating encryption backdoors would pass. But the question then was what to do about it: take a strong stand on the importance of freedom and privacy, and make it clear that the US would not mandate backdoors… or take the sleazy way out and say “no new legislation for now.” As we said at the time, option 1 was the only real option. You take a stand. You talk about the importance of encryption in protecting the public.

However, it appears that the White House has taken the cowardly approach. Yesterday, the leading voice in favor of mandating encryption backdoors, FBI Director James Comey, announced that the administration would not push for legislation to mandate backdoors… for now. But it will still push for backdoors quietly behind doors with companies.

After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not – for now – call for legislation requiring companies to decode messages for law enforcement.

Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James B. Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

This is a totally bullshit response. Of course the administration isn’t asking for legislation: because everyone knows (1) it couldn’t pass and (2) it would be a really, really stupid thing to ask for. In that leaked document last month, the administration noted that with this option public interest groups “would likely see this outcome as a solid win.” They’re wrong. This option is bullshit. It’s one notch up from literally “the least they could do.” It doesn’t help anyone. It provides cover to countries that do want to undermine the tech industry and mandate backdoors. It leaves open the ways to pressure tech companies to secretly include backdoors that undermine everyone’s safety. And, worst of all, it takes away any and all “high ground” positions for the administration to point out that it doesn’t want to undermine the safety and security of the American public.

In short, the administration didn’t take the strong stand when the strong stand was the only feasible path. There are enough people within the administration who know this is the stupid choice, and yet they still took it. A very weak move from an administration that should know better (and does know better), just to please some technologically-clueless law enforcement folks.


Comments on “White House Takes The Cowardly Option: Refuses To Say No To Encryption Backdoors, Will Quietly Ask Companies”

36 Comments
That One Guy (profile) says:

"Safety? Please, our ability to spy on you trumps your right to privacy and security."

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James B. Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

One more time with feeling:

The ‘conversation’ is over, and has been for decades.

They’re asking for the impossible with ‘secure’ broken encryption. Not ‘difficult’, not even ‘extremely difficult’ but flat out impossible. Encryption with a baked in vulnerability is by definition not secure. They know it, the tech companies know it, anyone with even the slightest bit of knowledge regarding any form of security knows it.

That they continue to push for breaking encryption like this is just another piece of evidence showing that they don’t give a damn about the public’s safety, all they care about is that they be able to do whatever they want with the least amount of interference. Put the public at risk by intentionally sabotaging the security that protects their private information, from emails to banking? Why should they care, it’s not their data at risk, and so long as they can grab as much data as they want, so what if others do the same?

Anonymous Coward says:

Re: Re: Re: Re:

Nothing is safe. Not Windows XP (still better than 8 & 10, due to the lack of DRMed software and spyware), not Linux, not Mac OS X, not anything. The NSA has security vulnerabilities on all popular operating systems, whether they were put there on purpose or not. Furthermore, they have a program that brute forces anything they don’t have vulnerabilities for.

Aaron Walkhouse (profile) says:

Re: Re: Re:

That NSAKEY oddity never amounted to anything.

My point is that pre-UEFI motherboards are far
less vulnerable to BIOS infection and offer no
obstructions to installing an operating system
of your choice and your choice alone; even if
you built it from scratch.

It’s a bonus that they still perform well enough
for most uses, partly why PC sales are down lately. ;]

Anonymous Coward says:

Let’s hope we can get Bernie Sanders to kill any left-over attempt to backdoor American technology when he becomes president – and this time for good (by supporting legislation that achieves that, too, not just new policies – right now Obama/NSA/FBI/DEA/etc are all actively fighting against any serious privacy/anti-spying legislation).

Ben Dover says:

Are you suffocating there James?

James B. Comey – I know you’re all about putting it to the backdoor, but seriously, pull your head out of your ass before you die from asphyxiation. You’ve already had your head there so long that you’re nearly brain dead. If you want to continue to “exist” as a mental vegetable then do yourself a favor and remove your head from your ass.

The entire world KNOWS that there is absolutely no way to backdoor encryption without breaking it.

art guerrilla (profile) says:

Re: open-source

you are assuming the ‘open source’ hive mind would know…
they may very well not, for all kinds of reasons…

moles, social engineering, bribery, threats, or other means of injecting the alphabet spook’s code could/would be used…
how would 99.999% of have any knowledge of such sophisticated attacks ? ? ?

zey haf vays uf maching you sprech…

Uriel-238 (profile) says:

Re: Re: The Open Source Hive Mind has been pretty forthright before.

When the NSA was pushing the Elliptic Curve Random Number Generator (allegedly at the time to improve crypto strength), plenty of people saw that it could be a flawed algo that might have an exploitable weakness. Jokes were even made about the NSA baking in a backdoor.

So the Open Source sector has detected these things before, and were distracted by social politics within the project. Now they have cause to be paranoid about it. I suspect they’ll jump on any discovered exploit like Americans on a disruptive airline passenger.

Uriel-238 (profile) says:

Re: Jerry Pournelle's Iron Law of Bureaucracy

In truth it applies to specific agencies, not the government as a whole (as it’s too big and will go through changes and reforms).

But yeah, future administrations are going to have to be engineered to curb this problem.

But long before Bush and Obama have our administrations been looking out for themselves, or their plutarch masters before their alleged bosses, the American People.

Anon says:

Also...

How secret will a secret back door be? After all, it only takes one person in the know to blab. Unless the backdoor software is handed to by the NSA, there will be a decent sized contingent of people who know of the project. All it takes is one to blab – and what are the odds one will develop a conscience, or find themselves with cancer and 4 months to live, or move home to and willingly tell the world since they can’t be punished. Once the cat is out of the bag, the hunt will intensify for the elusive code. Plus, if there’s a technique for “unlocking” then the key code will be platinum – would make a good basis for a spy thriller, no doubt.

Plus, any critical code is obviously torn apart by every major country’s version of the NSA, just looking for such back doors. Suggesting they may appear will simply make those foreign agencies more paranoid.

I don’t give the white house credit for this being a clever fake-out to make foreign agencies work overtime looking for nothing. More likely, I expect it to be a version of the old Law & Order tactic – “you can give us what we want, or we’ll call the Health Inspector and every other regulatory agency and tie you up in knots for the next 5 years…”

Uriel-238 (profile) says:

This is how it's going to go down.

Someone is going to say yes, and bake in their secret backdoor and probably get paid big bucks.

Someone within that company is going to leak that there is a secret back door, and probably a couple of clues as to how to crack it.

Someone will crack it. If they’re smart, since whitehats get prosecuted these days, they’ll go totally blackhat and use it for their own exploits.

Someone will realize they got hacked.

The company will dismiss it as an aberration, probably human error.

More people will get hacked. The backdoor will seep into the cracking community.

At that point, with no way to trace it back to the leaks or the original cracking research, the backdoor will go public. Whitehats will quickly determine the back-door is not an exploit, but was willfully baked in.

The company will lose all its user trust, as will the United States. As will any software exports from the US.

Anonymous Coward says:

Backdoor access to cellphones is what everyone’s after. The government administrations want to be able to defeat cellphone encryption so they can spy on voice and text conversations.

Cellphones will never be secure so long as the baseband radio transceiver’s processor remains a black box full of secret closed-source backdoor exploits.

The best privacy advocates can do is to connect separate hardware devices to their cellphones for handling the encryption process. Hardware encryption devices such as JackPair (http://www.jackpair.com).

This way cellphones can be completely compromised and it doesn’t matter. The cellphone is simply being used as a modem to the internet. Leaving the end-to-end encryption task to the uncompromised hardware device running free software.

sam1am (profile) says:

People are already looking for alternatives to American companies for anything where data security is essential. If a company is subject to national security letters, they can’t be fully trusted. Now, this. This move will only ensure that security companies under the jurisdiction of the US government suffer while overseas companies increasingly secure American business.

GEMont (profile) says:

Predictable as flies finding turds

Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations.

An excerpt from my response to the techdirt article:
Former NSA Directors Coming Out Strongly *Against* Backdooring Encryption – October 8

“Tell the public that back doors are not cool and that we’re dropping that whole idea in the waste basket, then secretly add back-doors to everything the public touches, using public money to bribe companies where possible, and when necessary, secret legislation to force the issue with the companies that balk at the idea.

Looks like the Admin has decided to go back to doing things the old way, like the spy bosses want – secretly, behind the backs of Americans, using tax payer money for bribes and secret laws to make the criminal activities of the agencies legal and to force the companies that refuse to play ball, to assist in the crimes, or pay the price.

It’s obvious that the “persuasion” is already underway.

Wonder if the secret legislation is already in effect.

John Fenderson (profile) says:

Re: Re: Predictable as flies finding turds

To be technical, it is less likely that there is a backdoor in code you’ve personally examined, but there’s no guarantee of it. It’s possible to backdoor things in a way that requires so much examination to find that it can remain effectively hidden.

The canonical example is Ken Thompson’s login hack: http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/

Uriel-238 (profile) says:

Re: Re: Re: Compilers that are compiled by the previous iteration

This is a really dangerous practice, using the previous compiler to compile the next. What stops bugs from endlessly being inserted during compilation this way?

I’d think if you wanted a clean compile you’d need it run by an original, assembler-written compiler, yes?

And then the base compiler is sustained on its own and used only to compile the C-Compiler.

A really bad case scenario: The NSA inserts their backdoor scheme into a commonly used C-compiler, and gets away with it for years. Then China gets a hold of the backdoor scheme (which is now in everything used in the US and much of Europe) and disseminates it to black-hat channels for maximum damage.

Then, not only is everything exposed, but it can’t be easily fixed without going back to a way outdated iteration.

It’s pretty scary.

GEMont (profile) says:

Re: Re: Re: Predictable as flies finding turds

“…less likely that there is a backdoor in code you’ve personally examined…”

And it will behoove the snoop and scoop agencies to use more secret laws and whatever amount of tax-payer and drug-sale money necessary to insure that open source is at least partially compromised, since it will soon be the only choice left.

What good is paying/forcing companies to put back-doors in their communications devices if the public can just switch to open-source coded devices?

I see a huge agency-driven anti-marketing scheme in the future – a massively covered media scandal – where a well known open source product line will be “discovered” to be “evil”.

The best way to prevent open source from becoming the choice of a nation, is to scare folks away from it and make it look dangerous or criminal.

A cheaper method than trying to find ways to add hidden back doors in user compiled software and a tried and true means of misdirection that has regularly proven effective in making Americans avoid something beneficial in the past.
