FBI Official Reluctantly Touts Encryption Since US Telecom Providers Are Still Compromised By Chinese Hackers
from the oh-the-delightful-irony dept
Thanks to government-mandated backdoors in US telecom/broadband services, the FBI — at least in the form of an official who refused to identify themself — has had to recommend (albeit extremely half-heartedly) that encrypted communications are perhaps the only thing keeping phone owners from being actively surveilled by Chinese hackers.
The news of a massive breach linked to “Salt Typhoon,” a Chinese state-sponsored hacking group, made at least one thing perfectly clear: the sort of encryption the FBI approves of — the one with all the holes in it — is a terrible idea. What was leveraged here were the backdoors created for law enforcement access. To facilitate wiretaps, telcos and broadband providers were required by CALEA (Communications Assistance for Law Enforcement Act) to proactively make surveillance easier for law enforcement. The law, passed in 1994, originally targeted phone companies. It was amended in 2006 to cover broadband providers.
There’s no such thing as a “safe” encryption backdoor. That much has been made obvious by this hack, along with the disturbing fact that it appears — months after discovery — these systems are still very much compromised.
If there’s any good that might come of this, it’s that the FBI might finally stop bitching so much about what it calls “warrant-proof” encryption. That’s just encryption to the rest of us, but one without government-mandated backdoors a government — whether it’s ours or China’s — can exploit at will.
With no end in sight, government officials — including one representing the FBI — are telling people to keep their devices and software updated, to set up multi-factor authentication wherever possible, and, believe it or not, to utilize encrypted services.
In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.
“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Greene said.
It’s no surprise a CISA rep would encourage the use of encrypted services. No one actually involved in cyber security would ever say otherwise. The FBI — personified here by a nameless official — says pretty much the same thing, although it’s not quite as enthusiastic about recommending encryption.
The FBI official said, “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant” multi-factor authentication for email, social media and collaboration tool accounts.
I would love to know what this person’s definition of “responsibly managed encryption” is. For those of us who aren’t on board with the FBI’s anti-encryption plans, that would be any encrypted service that hasn’t been deliberately weakened by service providers to serve government interests. For the FBI, I would imagine it means the opposite. Or, at the very least, “responsibly managing” encryption means willingly handing over passcodes to any law enforcement investigator that asks for them prior to performing a device search.
But even if the FBI can’t bring itself to wholeheartedly recommend strong encryption, this massive breach undercuts any arguments it might attempt to make in the near future in favor of weakened encryption, a.k.a., the “lawful access” it has tried to convince legislators for years would never result in EXACTLY THE SORT OF THING WE’RE SEEING RIGHT NOW.
Hopefully, this will bring a swift — if temporary — end to the FBI’s anti-encryption agitating. But with a new(ish) boss coming to town early next year, all the logic in the world likely won’t make much of a difference if the returning president decides encryption is just another obstacle (you know, like civil rights) law enforcement shouldn’t have to deal with when going after the baddies.
Filed Under: breach, calea, china, encryption, encryption backdoors, lawful access, salt typhoon, wiretaps
Companies: at&t, verizon


Comments on “FBI Official Reluctantly Touts Encryption Since US Telecom Providers Are Still Compromised By Chinese Hackers”
Well, if this doesn’t put some sense into agencies in the US, maybe the anti-encryption parrots in the EU can take this as a good example that backdoors don’t differentiate between “good” and “bad” guys.
Re:
This is honestly pretty old news and it still hasn’t sunk in across the pond. Hell, I’m giving the FBI another week before they forget again.
Re: Re:
Well it better start sinking in, otherwise we can expect a bigger breach sooner or later.
Re: Re: Re:
It’ll sink in once the breach is big enough to affect the lawmakers themselves. Until then it’s just a necessary sacrifice.
Re: Re: Re:2
I want a Constitutional Amendment that blocks any law from which authorities have exempted themselves.
I’m aware of the ramifications. I just don’t care. They’ve proven themselves too irresponsible with the power to exempt themselves.
Re: Re: Re:3
Maybe we’ll get one when the consequences of all this are finally over with.
However many years that’ll be from now.
Re: Re:
They’ll either forget, or go back to demanding the backdoors anyway, just so they can play “catch up” with the foreign agents.
Of course it’ll be embarrassing as hell, but it’s not like they cared before. If anything, they’ll be angrier that foreign agents have access to the data instead of them.
Re:
But they had such an example 20 years ago—the 2004 Greek wiretapping scandal—and apparently learned nothing, except that governments can collect tens of millions of euro when privacy laws are breached. Apparently, one still can’t even buy a SIM card in Greece anonymously (legally).
That’s a proverb in IT security:
If you’ve found a breach, someone is already exploiting it.
And like fucking clockwork, chat control is up for a vote again this Thursday.
What the fuck
I am hoping that today’s encrypted email providers have learned the lesson from Lavabit, and have arranged not to hold any keys.
Re:
Won’t matter in the EU if they pass chat control this week.
Re: Re:
You haven’t proven a source. No one else is talking about chat control.
Re: Re: Re:
Wrong, Patrick Breyer himself, the guy who’s been reporting the most on chat control, posted this today: https://eupolicy.social/@echo_pbreyer@digitalcourage.social/113628566974737101
Re: Re: Re:2
and also stop doom posting
Re: Re: Re:3
Why do I bother providing you a source if you’re still not gonna take it seriously
Re: Re: Re:2
How’s the implementation on articles 15 & 17 of the copyright directive going? Lot of countries supported it, until they had to implement it.
Re: Re: Re:3
I’m not so optimistic about chat control ending up in a similar limbo.
At least not for my own country, current government seems to have a boner for surveillance and we can’t really do anything about it 🙁
Re: Re: Re:4
Good news: it got minority blocked in both chambers.
'If we tell them to close the blinds then we can't peek in anymore either...'
The fact that even after a debacle like this the FBI still won’t officially tell people that encryption is a good thing that everyone should be using really shows their hand as to their priorities. Yes it’s a bad thing that someone else was caught snooping, but if companies close off and refuse to add encryption vulnerabilities then that would make it harder for them to continue snooping, and that’s just unacceptable.
Demanding ‘Good Guy Only’ encryption vulnerabilities is like insisting that lockmakers and homebuilders/owners have a key to the door hanging right next to it, with ‘Only for Good Guys’ etched on it.
If you create a vulnerability it does not care who you are, all that matters is that it now exists and will be exploited.
Re:
CISA: MFA-protected E2E encryption is the only thing keeping your data private.
CIA: MFA-protected E2E is the only thing keeping you (and us) private.
NSA: MFA-protected E2E is the only thing keeping national secrets private.
FBI: Er, you know, use MFA-protected accounts, and encrypt responsibly.
The unusual thing is this backdoor may have been left in on purpose when mobile phone network standards were being established before smartphones existed. For the benefit of the NSA to have easy access to user data and text messages.
The problem is that Russia or China will always find and exploit any backdoors in the network.
Now the FBI is telling people to use encrypted apps in a desperate bid to keep the mobile network secure.
Politicians and civil servants and the military use the same phones as everyone else.
I wonder if the EU mobile phone network has the same backdoor or is this just an American problem.
Re:
Not only does it have the same backdoor, the US has already been caught using it against the German chancellor. So yeah; same backdoor operated by the same US government — NOT the EU government.
Usually, the EU government likes it this way, because the US can spy on EU citizens and it’s not illegal — and then they can share any intelligence they gather with the EU government.
Re: Re:
Mandated and specified by the US government, but operated by many governments, including EU ones:
Re:
“May have”? It isn’t accidental, and no one claims it is.
Tim, we’ve done this song and dance before. To be honest it is a bit disappointing. We all know that as soon as someone says “squirrel!”, they will be back to their “bitching”. In fact I wouldn’t be too surprised if we later learned at the same time they were meeting with senators to complain about encryption.
Because we all know that critical thinking and honesty are never factored into the equation here.
Re:
When a squirrel dropped his nuts, an innocent tree got blown away by a cop who was convinced that the unarmed person he had in handcuffs was firing on him.
Re: Re:
Ugh. We just hope the anti-encryption bitching doesn’t turn violent…
The bar here is REALLY low… and I am sad to say I’m not sure it will be cleared
Wow, you find a way to make every article you write about Trump. We know already. You don’t have to repeat it every time. Everything’s Trump’s fault…got it!
Re:
Why do you feel you have to defend Trump? He doesn’t give a shit about you…
Re: Re:
I’ve got a new name for these guys.
Trumpophiles.
Re: Re:
How is that defending Trump? I don’t see anything to suggest that’s the case. They’re probably just tired of all the biased articles that just complain about Trump and blame him for everything wrong. I think a lot of people feel the same way. It doesn’t mean they’re defending Trump for anything. And do you really think that Biden or Kamala care anything about you?
Re: Re: Re:
Claiming that people are blaming everything on Trump is hyperbole. Speaking up because you think people are doing that is not only melodramatic, it’s also defending Trump against perceived attacks. If they were just tired of articles about Trump, they’d just say, “I’m tired of reading about Trump.” That’s true for some people who don’t like Trump. But Trump does have a significant amount of power and can and will make things worse for a lot of people to varying degrees of severity. That you bring up Biden or Kamala and assume other people desperately care about them the way Trump supporters idolize Trump and rush to his defense at perceived slights just shows you think it’s normal to be so parasocially slavish to a billionaire.
Also, you’d have to provide some convincing evidence for me to not believe that you aren’t the person who posted the first comment in the thread.