FBI Director Chris Wray Pitches Weakened Encryption At A Cyber Security Conference
from the piling-on-the-unintended-irony dept
On May 29, 2018, the FBI promised to deliver an updated count of encrypted devices in its possession. As James Comey and his replacement, Chris Wray, continued to advocate for weakened encryption, the number of phones the FBI couldn’t get into swelled from 880 in 2016 to over 7,800 by the time the FBI realized its phone-counting method was broken.
This number still hasn’t been updated. An early internal estimate by the FBI put the real number of locked devices at ~1,200. But the official number still hasn’t been released. This hasn’t stopped Chris Wray from continuing his attacks on encryption, painting pictures of a dark future that isn’t supported by the small number of encrypted devices in the agency’s possession.
The attacks continue. They’re more subtle than Attorney General Bill Barr’s aggressive pitches, but they’re still happening. Chris Wray spent his time at a recent cyber security conference in Boston making the case for strong encryption before (yet again) making a plea for tech companies to give law enforcement the encryption backdoors Wray still refuses to call backdoors.
Today we’re worried about a wider-than-ever range of threat actors, from multi-national cyber syndicates to nation-state adversaries. And we’re concerned about a wider-than-ever gamut of methods continually employed in new ways, like the targeting of managed service providers—MSPs—as a way to access scores of victims by hacking just one provider.
[…]
We’re also battling the increasing sophistication of criminal groups that places many hackers on a level we used to see only among hackers working for governments. The proliferation of malware as a service, where darkweb vendors sell sophistication in exchange for cryptocurrency, increases the difficulty of stopping what would once have been less-dangerous offenders. It can give a ring of unsophisticated criminals the tools to paralyze entire hospitals, police departments, and businesses with ransomware. Often the hackers themselves haven’t actually gotten much more sophisticated—but they’re renting sophisticated capabilities, requiring us to up our game as we work to defeat them, too.
These all sound like arguments for strong encryption. They’re not, I guess. Because the very next thing out of Wray’s mouth is this:
We’re having to fight these increasingly-dangerous threats while contending with providers increasingly shielding indispensable information about those threats from any form of lawful access—through warrant-proof encryption.
“Warrant-proof encryption” is just encryption. It’s protecting all the people Chris Wray says need to be protected from cyber threats. Just because it’s made gathering evidence slightly more difficult is no reason to portray encryption as an evil the nation needs to be saved from.
But Wray’s disingenuousness doesn’t stop there.
We are all for strong encryption—and contrary to what you might hear, we’re not advocating for “back doors.” We’ve been asking for providers to make sure that they themselves maintain some kind of access to the encrypted data we need, so they can still provide it in response to a court order.
It’s still a door — one that wasn’t there previously. Trying to dodge the “backdoor” term by asking service providers to leave themselves a key under the doormat is a weak and transparent effort to pre-distance Wray from any subsequent damage his desires might cause. Wray doesn’t want to be the villain if anti-encryption laws are ever enacted. But he won’t waste any time availing himself of the access it provides, even as it undermines the security of the nation.
Filed Under: chris wray, doj, encryption, fbi
Comments on “FBI Director Chris Wray Pitches Weakened Encryption At A Cyber Security Conference”
Here's the thing about criminals
Criminals break the law. Thus if they feel the need to have strong encryption, that is what they will use.
Arguing for weakened encryption is like banning guns and expecting that will magically stop criminals using them.
Re: Here's the thing about criminals
Exactly. Even in Wray’s "perfect world" where all the phone makers, app makers, service providers and websites implemented the "key under the doormat", he still runs into the first amendment when it comes to researchers investigating and publishing full "strong encryption" algorithms. People who want to be secure will simply go to offshore companies that aren’t bound by US restrictions, and the crooks will roll their own as usual.
And that doesn’t even begin to address the issue that these business organizations can’t even properly protect the information about us that they already have. There have been literally billions of user accounts and personal data records breached over the years. To think that hardware makers and service providers have a chance at preventing the extraction and sale or publication of these backdoor keys is insane. A cybercriminal would probably pay mid-6 figures or more for a backdoor from (say) Apple, or the Bank of America.
Re: Re: Here's the thing about criminals
Criminals rolling their own is about the best result he could hope for. It’s like the #1 way to get an insecure system.
Re: Re: Re: Here's the thing about criminals
Well, not necessarily. Sometimes the crooks can afford to hire experts, other times they’re nation-state actors. The average idiots are the ones who will get caught, just like the armed robbers who then go and brag on social media.
Re: Re: Re: Here's the thing about criminals
"Criminals rolling their own is about the best result he could hope for. It’s like the #1 way to get an insecure system."
The most secure encryption algorithms today are all open source. What it takes is for criminals to not employ an incompetent moron for them to be effective.
So in other words criminals will have the best possible encryption. The citizenry will have, effectively, none. At least after someone has used the 5 dollar wrench attack to obtain Apple’s master key from their lead technician.
Re: Here's the thing about criminals
No need to ban guns.
What if instead we had ‘weakened’ guns?
Re: Re: Here's the thing about criminals
All guns should have back doors … with good guy access only.
Re: Re: Re: Here's the thing about criminals
You jest, but that exact moronic idea has actually been seriously tried before – a mandate that all guns be hampered with electric fingerprint locks.
Re: Re: No Need To Ban Guns?
The difference being, encryption is a constructive technology with lots of useful, nonviolent uses (like securing your online banking), while guns are just destructive weapons designed only to blow holes in things. When a gun is causing destruction, injury and death, it is only working as designed.
Conflating the two is not helpful to the discussion. The fact that guns need to be controlled to minimize their harm cannot be used as an argument that encryption needs to be controlled.
Re: Re: Re: No Need To Ban Guns?
Lawrence’s law:
A conversation cannot mention guns without the troll Lawrence D’Oliveiro leaving a big, steaming pile of bullshit.
Re: Here's the thing about criminals
"Arguing for weakened encryption is like banning guns and expecting that will magically stop criminals using them."
Worse. It’s like banning math and expecting criminals to stop using it.
A gun still requires physical hardware. Encryption is essentially just information.
Re: Re: Here's the thing about criminals
Oh yah, forgot this bit;
Encryption is essentially communicating privately.
Something i believe to be implicitly guaranteed in every constitution around in the western world.
There are a few ways to increase cybersecurity but encryption standards aren’t as relevant as many people think they are.
Re: Re:
"encryption standards aren’t as relevant "
What is irrelevant about how people have defined encryption?
. The number of significant digits in the key?
. Method used to generate random numbers?
What specifically is it that people think is relevant but you think is not?
Re: Re: Re:
The major cyber problem can’t be solved by encryption.
Re: Re: Re: Re:
"The major cyber problem can’t be solved by encryption."
No, but it’s pretty much guaranteed we’ll never be rid of PEBKAC.
What we CAN do is to ensure that everyone has access to basic, simple to use communications which make use of a good encryption standard.
If some moron later on sees fit to use a password on the top ten dictionary attack laundry list to access his bank that’s no longer our problem.
Re: Re: Re: Re:
"The major cyber problem can’t be solved by encryption."
I do not recall claiming it can.
Golden Toilet Key
Anyone else surprised he’s not railing against the scourges of fire, paper shredders, or flushable toilets? Think of all the essential information to which these warrant-proof devices have deprived law enforcement access. Can these technologies possibly be worth the societal cost? We should all go back to shitting in a bucket. Yeah. For the greater good.
Re: Golden Toilet Key
What about private conversations in pubs, clubs and cafes? Will he require that the owners install microphones so that they can record all conversations? That is what he wanting the tech companies to do for any conversazioni that use their servers.
"Look, we can’t be expected to catch burglars if you don’t let us just walk into anyone’s house to search it at any time, so that’s why in order to combat the burglary epidemic we need to outlaw locks on the doors of houses!"
"we don’t want keys to everyone’s houses, we just want to require all door installers and lock makers to keep a spare key for every house for themselves and then give it to us whenever we want with no questions or restrictions whenever we want. Anyone who is against that must be a kiddie-porn terrorist who also sells drugs and is some kind of foreigner"
The FBI will get what it wants
Any Coronavirus relief bill will probably have a rider covering this stuff.
The government is so duplicitous in making those arguments. What they want is unrestricted access to everyone’s phones and data and the rest of the bullshit is just an excuse to justify it.
Next up...
FBI Director Chris Wray Pitches Partial Pregnancy.
Re: Next up...
"FBI Director Chris Wray Pitches Partial Pregnancy."
No he isn’t!
He’s very explicitly saying that he isn’t asking for partial pregnancy. He’s asking for sort-of-but-not-quite pregnancy.
What I really have to ask, at this point, is whether Chris Wray is so monumentally inept he doesn’t realize what he’s asking for, or he knows damn well what he asks for and keeps ignoring it because he doesn’t really give a fsck?
Re: Re: Next up...
It’s the latter, guaranteed. For the former to be even possible he’d either have to have a literal inability to remember things that he doesn’t like, or be so stupid that he would be incapable of doing any task that required even the most modest amount of thinking.
He knows that what he’s asking for is not only stupid but dangerous, he simple doesn’t give a damn as it’s a price he’s willing to have the public pay.
That’s like pitching reduced public education funding to a teachers’ union or net neutrality to a consortium of service providers. Only far less sensical.
Good fucking luck with that.
Kiss your credibility goodbye
Inviting someone with a demonstrable history of antagonism against encryption to a security conference is like inviting a known arsonist to a fire-fighters’ conference.
I’m sure there’s a better way to make clear that you care more about the spectacle than the actual subject of the conference than inviting someone known to be against said subject, but for the life of me I can’t think of it.
Re: Kiss your credibility goodbye
Personally I’d like to think of it as they needed something to laugh at and found a willing sucker to demonstrate his idiocy to all the experts…
Re: Re: Kiss your credibility goodbye
Huh. I’m not sure whether making Poe’s Law a utility is good, in the long run.
Even if it must have saved them a fortune on having to hire an actual comedian for the fifteen minute break.