FBI Director Claims That The World's Most Knowledgeable Cybersecurity Experts Are Not 'Fair Minded' About Encryption Backdoors
from the oh-really? dept
Earlier this week, we noted that a huge list of companies, non-profits and cybersecurity experts had signed a letter to the White House about the stupidity and danger of trying to order backdoors into encryption (disclaimer: we signed the letter as well). While many in the press focused on the companies that had signed onto the letter (including Google, Apple, Cisco, Microsoft, Twitter and Facebook), as we noted, what was much more interesting was the long list of cybersecurity/encryption experts who signed onto the letter. Just in case you don’t feel like searching it out, I’ll post the entire list of those experts after this post.
It’s a who’s who of the brightest minds in encryption and cryptography. Whitfield Diffie invented public key cryptography. Phil Zimmermann created PGP. Ron Rivest is the “R” in “RSA.” Peter Neumann has been working on these issues for decades before I was even born. And many more on the list are just as impressive.
So how do you think FBI director James Comey — who has been leading the charge on backdooring encryption — responded to these experts?
I wish I was joking.
A group of tech companies and some prominent folks wrote a letter to the President yesterday that I frankly found depressing. Because their letter contains no acknowledgment that there are societal costs to universal encryption. Look, I recognize the challenges facing our tech companies. Competitive challenges, regulatory challenges overseas, all kinds of challenges. I recognize the benefits of encryption, but I think fair-minded people also have to recognize the costs associated with that. And I read this letter and I think, ?Either these folks don?t see what I see or they?re not fair-minded.? And either one of those things is depressing to me. So I?ve just got to continue to have the conversation.
First of all, it’s kind of hilarious for the FBI director to be arguing that the people who signed that letter haven’t done a cost-benefit analysis, since we’ve noted that the intelligence and law enforcement communities almost never do such an analysis. They always insist “more surveillance” must be better, without considering the costs involved.
And then there’s this, showing that Comey still doesn’t understand the letter at all:
We?ve got to have a conversation long before the logic of strong encryption takes us to that place. And smart people, reasonable people will disagree mightily. Technical people will say it?s too hard. My reaction to that is: Really? Too hard? Too hard for the people we have in this country to figure something out? I?m not that pessimistic. I think we ought to have a conversation.
Hey, Comey! No one is saying it’s “too hard.” They’re saying it’s IMPOSSIBLE to do this without weakening everyone’s security. Impossible. It’s not a “hard” problem, it’s an impossible problem. Because if you weaken security to let the FBI in, by definition you are weakening the security to let others in as well. That’s the point that was being made.
And this is important. For all of the ridiculous claims by Comey and others that we need to “have a conversation” on this, we do not. A conversation is counterproductive. All of these people can and should be working on systems to make us all more safe and secure. But if they have to keep explaining to ignorant folks like Comey why this is a bad idea, then they are taken away from making us safer. You can have a discussion over things that are hard. But there is no point in having a discussion over things that are impossible.
Security and Policy ExpertsHal Abelson, Professor of Computer Science and Engineering, Massachusetts Institute of Technology
Ben Adida, VP Engineering, Clever Inc.
Jacob Appelbaum, The Tor Project
Adam Back, PhD, Inventor, HashCash, Co-Founder & President, Blockstream
Alvaro Bedoya, Executive Director, Center on Privacy & Technology at Georgetown Law
Brian Behlendorf, Open Source software pioneer
Steven M. Bellovin, Percy K. and Vida L.W. Hudson Professor of Computer Science, Columbia University
Matt Bishop, Professor of Computer Science, University of California at Davis
Matthew Blaze, Director, Distributed Systems Laboratory, University of Pennsylvania
Dan Boneh, Professor of Computer Science and Electrical Engineering at Stanford University
Eric Burger, Research Professor of Computer Science and Director, Security and Software Engineering Research Center (Georgetown), Georgetown University
Jon Callas, CTO, Silent Circle
L. Jean Camp, Professor of Informatics, Indiana University
Richard A. Clarke, Chairman, Good Harbor Security Risk Management
Gabriella Coleman, Wolfe Chair in Scientific and Technological Literacy, McGill University
Whitfield Diffie, Dr. sc. techn., Center for International Security and Cooperation, Stanford University
David Evans, Professor of Computer Science, University of Virginia
David J. Farber, Alfred Filter Moore Professor Emeritus of Telecommunications, University of Pennsylvania
Dan Farmer, Security Consultant and Researcher, Vicious Fishes Consulting
Rik Farrow, Internet Security
Joan Feigenbaum, Department Chair and Grace Murray Hopper Professor of Computer Science Yale University
Richard Forno, Jr. Affiliate Scholar, Stanford Law School Center for Internet and Society
Alex Fowler, Co-Founder & SVP, Blockstream
Jim Fruchterman, Founder and CEO, Benetech
Daniel Kahn Gillmor, ACLU Staff Technologist
Robert Graham, creator of BlackICE, sidejacking, and masscan
Jennifer Stisa Granick, Director of Civil Liberties, Stanford Center for Internet and Society
Matthew D. Green, Assistant Research Professor, Johns Hopkins University Information Security Institute
Robert Hansen, Vice President of Labs at WhiteHat Security
Lance Hoffman, Director, George Washington University, Cyber Security Policy and Research Institute
Marcia Hofmann, Law Office of Marcia Hofmann
Nadim Kobeissi, PhD Researcher, INRIA
Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology
Nadia Heninger, Assistant Professor, Department of Computer and Information Science, University of Pennsylvania
David S. Isenberg, Producer, Freedom 2 Connect
Douglas W. Jones, Department of Computer Science, University of Iowa
Susan Landau, Worcester Polytechnic Institute
Gordon Fyodor Lyon, Founder, Nmap Security Scanner Project
Aaron Massey, Postdoctoral Fellow, School of Interactive Computing, Georgia Institute of Technology
Jonathan Mayer, Graduate Fellow, Stanford University
Jeff Moss, Founder, DEF CON and Black Hat security conferences
Peter G. Neumann, Senior Principal Scientist, SRI International Computer Science Lab, Moderator of the ACM Risks Forum
Ken Pfeil, former CISO at Pioneer Investments
Ronald L. Rivest, Vannevar Bush Professor, Massachusetts Institute of Technology
Paul Rosenzweig, Professorial Lecturer in Law, George Washington University School of Law
Jeffrey I. Schiller, Area Director for Security, Internet Engineering Task Force (1994- 2003), Massachusetts Institute of Technology
Bruce Schneier, Fellow, Berkman Center for Internet and Society, Harvard Law School
Micah Sherr, Assistant Professor of Computer Science, Georgetown University
Adam Shostack, author, ?Threat Modeling: Designing for Security?
Eugene H. Spafford, CERIAS Executive Director, Purdue University
Alex Stamos, CISO, Yahoo
Geoffrey R. Stone, Edward H. Levi Distinguished Service Professor of Law, The University of Chicago
Peter Swire, Huang Professor of Law and Ethics, Scheller College of Business, Georgia Institute of Technology
C. Thomas (Space Rogue), Security Strategist, Tenable Network Security
Dan S. Wallach, Professor, Department of Computer Science and Rice Scholar, Baker Institute of Public Policy
Nicholas Weaver, Researcher, International Computer Science Institute
Chris Wysopal, Co-Founder and CTO, Veracode, Inc.
Philip Zimmermann, Chief Scientist and Co-Founder, Silent Circle
Filed Under: backdoors, cybersecurity, encryption, fbi, james comey, phil zimmermann, ron rivest, security, whitfield diffie
Comments on “FBI Director Claims That The World's Most Knowledgeable Cybersecurity Experts Are Not 'Fair Minded' About Encryption Backdoors”
It just shows the lack of intelligence/integrity/moral values we have at the top levels of our government.
Re: Re:
of course they couldnt be THAT stupid, so it must be a integrity/moral issue.
Re: Re:
Too true, rw. Personally speaking, I have but one question for James Comey and his ilk: If we could ask the founding fathers of America, particularly those whom had a hand in drafting the United States Constitution, what their feelings are regarding this matter, what do you think their answer would be? Knowing their motivation and truly incredible foresight insofar as governing is concerned, it’s not at all hard to guess.
Because their letter contains no acknowledgment that there are societal costs to universal encryption.
And pervasive surveillance has zero cost in his mind, it seems. I’ve seen and talked to people like him. They don’t give a fuck about rights and the well-being of others as long as their narrow view of what is right is implemented.
I’ve been in discussions with people that advocate dictatorships are good because people are too ignorant to be left free and allowed to choose things and otherwise live without some totalitarian ruling them. And I don’t mean some crazy ass out there, oh no. One of them was in his 25’s, about to become a father and is generally a good person. This is scary.
He may actually be genuinely ‘depressed’ even if it’s a consequence of his total ignorance of how encryption works. This is scary. And it’s even scarier when you think that people have been trying to explain those types about encryption and why a ‘golden key’ destroys it for a while now and he simply refuses to learn. As I said, he is not alone out there.
Re: Re:
Well of course. When Saddam and Assad and Mubarak were running things, (and the Shah) people could ignore the clerics, women could dress nice and not wear headscarves and go to school and even universities in the same classes with men.
If the occasional person disappeared or got fed through a woodchipper, isn’t that an acceptable price to pay for being able to embrace western fashion?
The trouble with back doors, is as experience with XP and other software has shown, once the hole is deployed, it’s there for a decade or more. In order to deploy a back door, the compromised security is distributed widely; some people know the back door, some know how it was done, etc. If it’s a common set of keys, that information would be worth a fortune. Once the “other side” knows it, you would have no way of updating everyone. Plus, if it’s not subject to wide peer review, then just how good is it?
Remember DVD encryption? All those crazy music DRM schemes? Blurray? How long did any of those take to break – and once the genie is out it was too late.
Plus, what are you going to do? Make it illegal to use a Swiss Skype-like service? Make it illegal for your browser to download a foreign encryption add-in? Possession of TrueCrypt will land you 5 years in jail?
Re: Re:
“I’ve been in discussions with people that advocate dictatorships are good because people are too ignorant to be left free”
Tell them to read a history book. There are a lot of idiots, but “absolute power corrupts absolutely”. I’d rather take my chances with the idiots.
A failure of wishful thinking
Comey, paraphrased:
Re: A failure of wishful thinking
This is the whole thing in a nutshell – they have NO UNDERSTANDING of whatever the subject is, so they truly believe that something may be possible when it is not. They simply claim you aren’t trying hard enough, or thinking about it enough, or willing to spend the money.
Re: Re: A failure of wishful thinking
It seems that the security agencies are pitching the golden key idiocy to move the target later.
Any compromise of his “conversation” will likely result in a ban on some types of encryption.
Welcome to the encryption wars 2.0!
Re: A failure of wishful thinking
No, I can’t think that anyone can be this blatantly thick headed stupid. An imbecile could understand this. I’m going with evil asshole on this one. He must know what he’s asking, and is somehow hoping to actually eventually get it if he just keeps on whining about it.
Re: A failure of wishful thinking
This is the world view of a five year old mentality. Not very broad but extremely self oriented.
Re: A failure of wishful thinking
This is probably off topic a tad, but maybe not.. “There are more morons living in Ohio than Texas and Arkansas combined. And that might really be saying something about Texas and Arkansas, but probably not.
Being Fair Minded
Experts say the sun rises in the East.
Others say that:
I’m no expert on where the sun rises or where it shines but there are a lot of smart people in silicone valley and if they put their mind to it, the sun could rise in the West.
Those narrow minded people who say the sun rises in the East are not being Fair Minded.
Re: Being Fair Minded
It’s actually a pretty good metaphor.
The sun could rise in the west if:
a) “West” was redefined to mean “East” (the US Gov’t is good at this one)
b) The earth is flipped on its axis. Of course, the process of doing this would likely destroy all life on earth, but the goal of making the sun rise in the West would be accomplished.
Likewise, giving the US government a “golden key” is not impossible like Mike stated it was — it is just “less desirable to the human race and specifically US citizens” than pervasive uncrackable encryption.
The security industry and Comey are talking at cross purposes here: anyone with half a brain knows that compromising security compromises security, full stop. Comey isn’t talking about that really; he’s talking about accepting a compromised state of encryption and depending on other mechanisms to prop it up.
Of course, at the end of the day, this is also impossible. Something is either known or it isn’t. Copyright, DRM and patents have shown us what happens in this arena.
Re: Re: Being Fair Minded
There are no societal costs to flipping the Earth. However, letting the Earth remain in its current state allows the terrorists to terrorize.
Re: Re: Re: Being Fair Minded
And dooms us to a universe without cats.
Re: Re: Being Fair Minded
Re: Re: Being Fair Minded
Assuming that the same magnetic compass is used to determine west, just wait until after the next reversal of the Earths magnetic field and the sun will rise in the west.
This is exactly why I was hoping the letter would have addressed the impossibility of what was being asked. It probably wouldn’t have helped, of course, but apparently it needs all the extra emphasis that it can get.
I suppose there’s always the possibility that Comey considers all of that to be a feature anyway.
Comey: “I want a backdoor inserted into all strong encryption.”
Every cypto expert ever: “That’s impossible! It would irrevocably weaken everyone’s security!”
Comey: “Then it’s not impossible.”
Re: Re:
I think that’s the key – for Comey it’s not about how strong the encryption is, it’s about how weak it is.
And the weaker, the better… that’s what he’s arguing for here.
Re: Re:
They should do a trial run with his bank account. Put a backdoor on it and see how long it takes to empty the account.
Technology clueless person calls out world’s best cryptographers on being clueless about encryption.
Umm okay. I think I know who I’m going to believe. Wake me up when the White House stops appointing morons in charge of tech-related policies.
Re: Re:
Are you challenging Sleeping Beauty’s record?
This is not a discussion sort of issue. This is not a matter of opinion. This is a matter of fact. There is no gray area. There is no middle ground. There are no compromises to work towards. There is no debate to be had. There are no terms to redefine to meet your needs. It’s black and white, all or nothing.
Either it’s protected from ‘good guys’ or it’s vulnerable to ‘bad guys’.
But good luck telling people no who have redefined ‘no’ to mean ‘yes and’ and are allowed to get away with anything without repercussion.
Re: Re:
It seems like you are calling US government political appointees ‘good guys’.
Re: Re: Re:
I use the term loosely, because unlike encryption security, ‘good guys’ is apparently up to debate.
Re: Re: Re: Re:
We can be Bob and Alice, .gov is Chuck, Eve or Mallory, telcoms are obviously Walter and maybe Peggy. Luckily we have Oscar, Trent and Sybil for support. And of course, Wendy…
Re: Re: Re:2 Re:
I don’t know if I’d consider Trent to be on our side here, given the problems we have with CAs and whatnot.
I’m not familiar with Walter, Sybil, or Wendey; it’s been a long while since I looked at the literature.
I like the half-assed call to patriotism there: the people in this country.
Giving me money is too hard? For the people who read this comment section? Hah. They’re far to resourceful and intelligent to call it too hard.
Idiot's logic
They could do it if they really wanted to.
Sorry I missed signing this one
But I’ll point out here that no amount of “conversation”, as Comey would label his interminable demands for the deliberate weakening of security, will alter mathematical reality. Algorithmic complexity is not subject to wishful thinking nor expediency nor policy.
I suspect that he knows this, but is hoping that sufficient repetition combined with the usual pounding on the drums of fear will convince enough people otherwise.
Re: Sorry I missed signing this one
The government isn’t too good at math. 1+1=3.
The government is doubleplus good at math.
“…that I frankly found depressing. Because their letter contains no acknowledgment that there are societal costs to universal encryption.”
Comey must be on some heavy anti-depressants if other aspects of reality depress him as much as encryption does. There are societal costs to the fact that we can’t read each other’s minds or that people are able to tell lies, but you don’t see people lamenting that and calling anyone who says those aren’t possible/practical to “solve” uninformed.
I'm so glad to be called uninformed...
I’m so glad to be part of this “uninformed or not fair minded” group.
Considering that, just yesterday, I spend my morning writing a non-technical explainer on the latest UXO from the first crypto war that just blew up in our faces…
Re: I'm so glad to be called uninformed...
You didn’t get the memo?
According to Comey, encryption is not supposed to be strong, it’s supposed to be easy for government subversion.
Sounds like you’re indeed uninformed.
Re: I'm so glad to be called uninformed...
That’s a great point. “logjam” is an existence proof that deliberate downgrading of crypto (a) has consequences (b) that are unpredictable (c) but uniformly bad and (d) will show up at inopportune times.
Re: Re: I'm so glad to be called uninformed...
Hey now, the only thing “inopportune” about logjam and heartbleed is that the NSA is embarrassed about not finding them before we did.
Unless of course they did find them, in which case it’s the revelation that’s inopportune.
James is not being fair minded about privacy.
The technical term
The technical term for this is NP-hard. Whether or not it is impossible to accomplish before the heat-death of the universe may be in question. That it is impossible before the sun goes nova is not…
Re: The technical term
Actually, I think it is literally impossible, not just NP hard. As in “DRM” impossible. As in “P = !P” impossible. In fact, I think this reduces down to DRM – how do you share a piece of information (e.g.: the magic golden key, or knowledge of a backdoor) with a party in such a way that it will never be used for a purpose that was not intended?
Re: Re: The technical term
Simple, just encrypt it.
Re: Re: The technical term
‘P = !P’ isn’t impossible! Just set P = 5, then read it in a mirror. Simple.
Re: The technical term
Not really, the math for what he wants is in fact fairly simple, but suffers the ‘lead pipe’ problem.
Any crypto key could be encrypted by a second public key with the corresponding private key being held by a third party. That encrypted key is sent to the government. If they want to get the key back they just need to ask the third party to decrypt it.
If a criminal on the other hand wants to decrypt that key they just need to catch the encrypted key on the wire (trivial) and then take a lead pipe and ‘ask’ the third party to decrypt it in exchange for keeping their kneecaps.
Re: The technical term
No, the technical term for this is ‘Dunning–Kruger effect’.
Encryption is inherently racist and promotes the patriarchy, people. Not to mention terrorism. Get with the program. Really, don’t mention terrorism though.
If I leave the back-door unlocked for my son who is working late, then by default I’ve weakened the security of my home. Why is that so easy to understand but software back-doors are completely incomprehensible for people?
Re: Re:
But your Son will be able to get in out of the big scary world without having to pause, so it’s a good thing!
Re: Re:
But that’s not what he’s arguing for.
More appropriately: he wants you to leave an extra key under the mat where only your son can find it. Still not exactly how it might work, but more along the lines of what he’s asking for.
Re: Re: Re:
Even more appropriately: he wants a legal mandate for everyone to leave a spare key under their doormat.
“Just in case.”
Re: Re: Re: Re:
Even more appropriately: he wants a legal mandate for everyone to leave a spare key under their doormat.
Even more accurately, to mail the police a spare key.
Comey's right, of course.
We are talking about a consensus among top mathematicians about computationally hard problems.
That’s a soluble problem: you narrow the gap from two points: first you throw money at “computationally hard”. Idiotically much money, but that’s what the NSA steals from the government anyway, using blackmail and other threats.
And then you work on the consensus using blackmail, threats, torture and bribes.
That’s the manner in which the NSA bought itself elliptical curve constants from standard committees and RSA.
It’s not that those opposing groups are uninformed or not fair-minded about the mathematics. They are uninformed or not fair-minded about the depravity and recklessness that the NSA is capable of employing and about its means for corrupting experts.
The NSA clearly did manage to corrupt encryption for their own use in NIST standards and RSA protocols, in areas which were pretty safely encrypted if you had no information of the skeleton keys used for creating the published elliptic curve cryptography constants. So basically turning the mathematical problem into one of keeping the underlying general keys hidden. Which is not particularly torture-and-bribe-safe. But puts the game in the ballpark they are comfortable with. And if it blows up, they get to blame the mathematicians.
They do know what they are talking about here. Criminal depravity. They are experts in that.
Re: Comey's right, of course.
The only reason no one really knows the backdoor sauce for the NSA NIST EC curves is that the standard was never widely used. (My theory is that there really isn’t a backdoor, but they created the algorithm and points to look like there could be (or they destroyed the secrets after creation) so they could refine their techniques at slipping shit past the standards body…)
If it had actually come into widespread use, more people would be looking at it. It’s not an easy problem (like FEAL was), so there would have to be more incentive into finding the backdoor. I imagine some of the experts would have pooled their money and offered a prize to add even more incentive.
Re: Re: Comey's right, of course.
“no one really knows the backdoor sauce for the NSA NIST EC curves”
Everyone knows the “backdoor sauce.”
The ECC issue was not that it introduced a backdoor as such, it’s that it introduced a flaw in the random number generation that dramatically reduced the search space for keys. Even with the reduced search space, factoring those keys is still a huge computational task. The weakness just moved the task from “effectively impossible” to “possible”.
The NSA’s hope was that the crypto would still be strong enough that only the resources of nations or major corporations could pull that off. Which is a crazy hope, considering that you can get supercomputer-level computing resources very cheaply nowadays. if you want to own the hardware yourself, it’s about on par with buying a house. Or you could use cloud computing services.
Re: Re: Re: Comey's right, of course.
There were two separate issues that get conflated. One is the possibility that the NSA provided NIST constants for use with ECC that were derived from a magic number that would drastically reduce the computational cost of breaking encryption using those curves. The second is that NIST likely at the behest of the NSA included Dual_EC_DRBG in a standard after it was know to be of low quality, and then the NSA paid RSA to make it the default in their libraries.
The OP mentions curve constants so I assume he meant the first issue, and it does entail a genuine back door. Knowing the magic number that is the precursor to the published constants reduces the time it would take to break a message encrypted using a NIST curve from ‘functionally never’ to ‘next week, maybe sooner’.
Re: Re: Comey's right, of course.
The backdoor in the EC curves was not known outside of a few people, so there was no a concerted effort to obtain it by research, spying or bribery. A mandated backdoor on the other hand will be known to exist, and every technique will be used to find it or obtain it. Guess who will have to pay when it is found and banks are robbed blind; (hint it won’t be the banks).
Re: Comey's right, of course.
And yet in one stellar moment of stupidity, the NSA actually made DES better.
“these folks don’t see what I see...”
I believe the technical term for what your suffering from is ‘Cranial Rectal Inversion.’
Of course they don’t see what you see. I’m impressed that you got your own head in there, I don’t think there’s room for anyone else.
Re: “these folks don’t see what I see...”
To paraphrase some of the FBI’s arguments:
“Could you please just give me your password?”
“Don’t worry, I work for an important agency, your password is safe with me.”
“If you don’t give me your password, you’ll get in trouble.”
“If you don’t give me your password, bad things will happen to someone else!”
“Your boss said not to share your password? They must have forgot to let you know that I can have it.”
The FBI knows that if you can’t attack the encryption, finding a way to weasel in through social engineering is plausible and often effective tactic. It’s often easier to fool people than a computer.
7 perpendicular lines
All I can think of reading this trash is this
https://www.youtube.com/watch?v=BKorP55Aqvg
That’s ok. Obviously the experts must be wrong because you can do ANYTHING if you just try harder!
Re: 7 perpendicular lines
if you relax the definitions a bit, you end up with this:
https://www.youtube.com/watch?v=B7MIJP90biM
I am confused
I am not by any stretch of the imagination an expert on anything of this nature, however would in not be counter intuitive put a back door into an encrypted anything? Doesn’t that make ti more vunerable to attacks and perhaps somebody else finding the backdoor and letting themselves in to do whatever? I could just be incredibly ignorant on the situation, but its just seems like a bad idea.
Re: I am confused
You’re not confused at all. In fact, you already know more about it than James Comey appears to.
We have already seen this in play, in the wild, right now:
http://www.phoronix.com/scan.php?page=news_item&px=HTTPS-Logjam-Vulnerability&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Phoronix+%28Phoronix%29
Let’s be clear: Logjam exists as a direct result of forcing weaker encryption on export in the 90s, thus allowing people to use lesser SSL encryption for compatibility sake. That allowable downgrade is exactly the vector this attack uses.
To quote the article:
Another HTTPS vulnerability has started to make its rounds earlier this morning. Dubbed Logjam by its researchers, the vulnerability stems from the US’s encryption export mandate back in the 1990s. This particular vulnerability, in the transport-layer security layer protocol, breaks the Diffie-Hellman perfect forward-secrecy. Susceptibility to the vulnerability is depended on servers and clients supporting the DHE_EXPORT encryption scheme, or using a key less-than-or-equal to 1024 bits.
Re: Re:
So basically, a backdoor being a security threat to everyone isn’t a hypothetical concern: It is one directly stemming from existing problems in real life, right now, based on the last iteration of this bullshit argument.
You are missing something here...
People are being way too hard on Comey. Read his statement more carefully:
A group of tech companies and some prominent folks wrote a letter to the President yesterday that I frankly found depressing.
…
James Comey is suffering from depression. This is a cry for help. He REALLY needs to have the conversation… with his therapist. Really.
It’s okay. James, we understand. Go talk it out. It will make you feel better. In the meantime, leave the policy making to people who actually know what they are talking about.
One Example. .
The example people should try to understand is J. Edgar Hoover, while it is trivial when compared to the pervasive surveillance that is happening today, it demonstrates how just the belief that someone has dirt on you, has already been used to influence policy decisions at the highest level!
Unless you believe he remained FBI director for so long, based on his charming personality and how he looked in an prom dress!
The funny thing to me is....
…All it takes is to read the news to figure it out. People find holes that no one knows about, much less ones that people are given instructions on how to use?
What’s ridiculous in the first place is that we are discussing the possibility of backdoors in [insert anything related to security here].
I wonder if Director Comey would be OK with putting the same front door/back door/golden key/whatever into the encryption that protects the FBI’s systems and network. After all, it’s safe and no one but the right people will be able to use it, right?
They don't want a conversation.
We had a conversation. It didn’t go the way they wanted. So now they want a monologue.
Not Unfair ...
Just unwilling to lie.
I wish someone would connect the dots once and for all
Every minute of this presentation ask yourself why encryption is so important to them… (Please disregard the title of the video. Focus on the bigger picture)
They’ve long realized that’s the ONLY thing that can defeat surveillance and by proxy the only real threat to the Status Quo.
Reflect deeply on this
The Real Issue IMHO Is Financial Loss
Good encryption equals less money. Spooks hack governments, government leaders, telcoms, corporations, Darknet, and financial institutions so they can make bank. Sewing up the holes equals loss of income.
We all know that a person is only open minded if they shill for whoever pays them off the most in bribes and traitorous acts.
Here’s a question to ask anyone who says it’s only “hard” to let only the FBI in through the back door: what’s preventing an Edward Snowden with less benign motivations from getting a job at the FBI?
Technical people will say it’s too hard. My reaction to that is: Really? Too hard? Too hard for the people we have in this country to figure something out?
He is claiming: if all the smart people get together and try really hard, they can make back-doored encryption that all the smart people can’t break.
How does he know it stops there? Maybe if they try even harder, they’ll find a way to break it.
Don’t sell them short! They’re really smart!
Re: Re:
See “Chess”, by Spencer Holst.
Or sit down at home, like this guy, and try to deduce from a-priori platitudes whether the Irresistable Force is stronger than the Immovable Object.
Re: Re:
Because the U.S.A. specializes in making the next generation so much more dumb that they don’t stand a chance to figure out what the current generation has been thinking.
Re: Re: Re:
How American, the rest of the world does not matter, and may as well not exist.
I don't remember ...
All other issues aside I don’t remember voting for this FBI director. I don’t think his name was on the ballot.
We NEED protection against the bad guys
But we most certainly do not need a backdoor for the FBI et al. After all, they have proved to be in that group called bad guys so it would be incredibly counterproductive to make a backdoor specifically for those.
Thus we need encryption.
let's change math and reality through laws
> Comey James – FBI Director
this is totally Ayn Rand’s Atlas Shrugged:
Morons in power trying to manipulate reality (MATH?) through stupid laws.
FBI:worlds best security experts are not following our fantasy unicorn wishfull thinking, they insist on something called “reality”
could somebody please give Comey a laptop so that he can code a working example of the unicorn key?
These So-Called "Expets" Are Obvouisly Lying
I mean, come on. Their smart enough to come up with these UNBREAKABLE codes, yet their not smart enough to figure out how to get around them?
Thats a very one-sided and HIPPOCRITICAL form of “expertise”, if you ask me.
let's change math and reality through laws
yes, let’s make a law to force, I mean,
to put a gun on every security expert’s head until they create our wished “unicorn front door” with our “pure soul unicorn key”… or else! Comey James – FBI Director
this is totally Ayn Rand’s Atlas Shrugged:
Morons in power trying to manipulate reality (MATH?) through stupid laws.
They're not stupid- you're missing the forest for the tree's.
When you assume these people are stupid- you’ve irreparably veered off of a logical track. Articles like this are very frustrating for me to read- So many glaring flawed assumptions. it’s a failure not just of seeing the (leaked) technical writing plastered all over the wall (thx snowden), but of humanizing, empathizing, and reading between the lines. You don’t have to like or agree with these people to understand better why they say what they say. If you are prejudice from the start to the idea that ‘knowing what they know- and having their goals/duty’ you’d never agree with what they say or do, then your bias and conceptual belief is limiting your view. Idealism is great and all, but too often it’s like a big set of blinders. What they’re saying to the public is not as detailed as what they’re selling congress behind closed doors- relatively speaking it’s probably not complete bs either. Ask- how would this solution be more fair? -Then go read the leaks again and again until you get a better sense of where we’re really at NOW years and many billions spent later… Their progress was accelerating exponentially… While your at it, read some cve’s, and refresh on heart-bleed, beast, poodle, shell shock… etc… etc… etc… My point: Endpoint security implementation is atrocious- far and away weaker and easier to compromise then encryption. All this talk of how awful a deliberate backdoor would be- it feels like it’s… overblown and lacking realistic relative context. It’s the principle of the matter that upsets people (rightly so). The thing is, if history is any indication, there are presumably hundreds if not thousands of much easier to find/use known/unknown functional (deliberate/purposeful or not) back doors, along with an established highly automated architecture to implement them- and many major players are incentivized to keep these exploits from being found and fixed. Hell- they might even be incentivized to create new ones. It’s extremely unlikely they will ever all be fixed. So here’s my point: If hell froze over, and the Feds where somehow allowed, and able, to subvert encryption, they’d no longer have to subvert implementation- they could go back to improving implementation and general security rather then spending untold fortunes collecting and hording 0days, trojans, virus, worms, malware, MITM/MOTS exploit injection networks…etc. If you’re solely focused on the ONE backdoor they’d implement, you might miss that it ends their reliance on hundreds or thousands of present and future exploits. -I truly hate how doublespeak that sounds- but is it not pragmatically accurate? So- then imagine then the real weight of the intel community thrown behind CLOSING EXPLOITS, so that others couldn’t use them… Sounds like a great idea to sell to congress eh? Overall expected Results: -Security (monumental) net gain… -Honesty, (monumental) net gain… -Transparency, (monumental) net gain… Perfect? Hell no- IMO (I’m sure 99% here agree) it’s not remotely acceptable- nor reasonably implementable, it’s unconstitutional, and unconscionable. Regardless, for the sake of understanding, I hope you’ll stop and seriously consider “Is it better then where we’re at now?” or at least review the leaks to have an informed opinion. Perhaps the value they’re reaching for is in having said “we tried”. Perhaps they’re testing the waters to see if people take control of their computers as seriously as their guns… Perhaps this is just another lever to pull to show why since they can’t have this they need even more resources to dominate without it… Perhaps there’s value in making some people believe they actually have enough control to implement something like this. (If they did- I doubt they’d suggest it- but who knows- it’s not completely impossible.) Anyway, if you take only one point from all this, let it be that subversion of encryption can be logically viewed as an improvement- arguably so, with cold pragmatic rational- as the lesser of evils- the same way so much else in this f’d up world is rationalized. I don’t have to agree to understand, neither do you. And yea- I know it wouldn’t play out like that; I’m just trying to shed light on the potential argument itself.
Re: They're not stupid- you're missing the forest for the tree's.
I agree with you on one point–you’ve mastered DOUBLETHINK
Re: Re: They're not stupid- you're missing the forest for the tree's.
If only he could’ve mastered line breaks.
doublethink, linebreaks
Not sure how to take the “mastered doublethink” comment- would be nice if you pointed out where/why you disagree with my other points. Keep in mind my goal was to shed light on potential rational arguments, not actually to make those arguments. I don’t feel I’ve “mastered” much of anything- I do my best to learn and understand things. Doublethink is rather common in gov and politics- I don’t have to agree with it to try and understand it.
TD has often refused properly formated posts for me- maybe this is fixed now. In any case lack of line breaks was deliberate.
Re: doublethink, linebreaks
It doesn’t matter what you agree with or understand, because the underlying point is that what is being asked for is an impossibility.
No amount of understanding or trying to see it from the misguided point of view is going to start making rational people empathize, or suddenly convince Comey to stop being a dumbass.
And really, if your whole aim was to be taken seriously, annoying people by refusing to use line breaks was a stupid move.
Re:doublethink, linebreaks
I didn’t wish to annoy anyone, only to have my post go through.
What’s being asked for is most certainly possible- it also has the major ‘no f’n way’ caveats of introducing potentially fatal security flaws, and generally turning the entire concept of property ownership and human rights on it’s head (and numerous other things, but I digress). Yes, they could certainly have a backdoor that was ‘only for the good guys’, until either a human issue or a bug/exploit opened it much wider, and they could have something update-able that could fix that, until it couldn’t under some circumstance. It’s history that makes it clear that this wouldn’t work, not a rational theoretical measure of what’s technically possible. I’ll come back to this.
The central point I’ve tried to make is this could be rationally viewed in many ways as an massive improvement over what is currently going on.
Comey is not dumb- he wants people to be secure from everyone except the government, and he surely recognizes that what’s going on now is significantly hurting security far more then a mandated crypto backdoor would.
You don’t get to a position like Comey’s unless you are very intelligent, believe in authoritarianism, and have peoples best interest at heart under that context. ..maybe that’s a can of worms to say here- but I stand by the statement- road to hell paved with best intentions and all that. power grows and corrupts. all tyrants start out as (and usually believe they are) protectors. (not saying he is a tyrant… just a general observation- Plato’s actually)
Most people seam to have missed that a lot of tech has been going in this direction already anyway. Cellphones are a perfect example with how people seam to be (blissfully ignorant of or) quite fine with an a carrier controlled CPU and OS (the baseband) operating below the users OS, and having unrestricted access to network, ram, and user files. That’s a backdoor in all but name- watch what the blackhats can do with it on youtube. EFI/UEFI could (probably does in some cases) easily implement something similar.
Existing POC’s (proof of concepts) have shown hardware backdoors can be hidden directly in CPU architecture during manufacture- disguised to look like manufacturing errors. Additionally, POC chips have been made which will self destruct if subjected to requisite testing procedures for discovery of such. POC’s such as these cost a monumental amount to achieve- it’s doubtful the designs wouldn’t be put to use at whatever scale can be achieved. These manufacturing processes where conceived to control exported weapons platforms- not much of a stretch these days (from an authoritarian perspective) to include general purpose computers in that category. Implementation of such could be explained away as a means to protect IP on device design to stop counterfeiting.
Take a moment to search, and see how many examples (if any) of people physically disassembling processors to check for malfeasance you can find. The number of people with the equipment to do so, let along the requisite knowledge is extremely limited- factor in self destructing chips… See where I”m going with this?
People often make the valid point- that a software backdoor would be easily discoverable, defeatable, exploitable..etc…while ignoring the 800# hardware backdoor gorilla in the room.
It’s societal pressure that will keep something like this from happening (in the open)- not a technological barrier. Regardless of whether it happens in the open- it’s going to happen behind closed doors; it’s the long term path of least resistance, and there is little I can think of that would stop it- the current consolidation of power/control is too great. There are very few chip manufacturers, very few engineers in a position to oversee relevant areas.
I would honestly love to hear others contrasting thoughts on any of this though, really- please, change my very open mind- I’m begging you… at least help me feel more at ease with the people running this shit… That’s honestly most of the reason I make posts such as this.
So yes- a crypto backdoor is dumb idea, which would further totalitarian potential, and restrict autonomic democratic potential; It’s much less dumb then what’s currently going on, and what’s likely to go on in the future.
While most commentators here seam to be painting Comey in a little box labled ‘dumbass’ and dismissing out of hand that he might have anyone’s best interest at heart regardless of his belief structure; I feel a beguiled respect for a move that seams almost ethical, relative to the ocean of putrid shit the intel community has nearly drowned the very concept of a constitutionally bound government in. If he wants it, the 800# gorrilla is gonna have your ass whether you like it or not- is it not better to let people know?
Take me seriously- or better yet, show me exactly why I’m ignorant; I’d love to know that- I’d much rather be foolish and wrong then the bearer of such dismal perspective.
Re: Re:doublethink, linebreaks
He is being extremely dumb, as every society that has been heavily monitored and controlled by a government has also bee extremely fragile. Let the government control over such a society slip by the smallest fraction, and it explode into chaos, as different faction fight to establish their flavor of autocracy over the remainder. The USSR exploded, the Middle east has not recovered from the collapse of the Caliphate, … need I go on.
Re: Re:doublethink, linebreaks
You don’t seem to be getting it. The point isn’t whether or not ordinary people can be fooled into thinking that backdoors don’t exist – the point is that if you introduce backdoors for the government, anyone with the tech, the expertise, the motivation to do all sorts of unscrupulous things, will also be able to use these backdoors. The societal pressure exists because people like Comey – and you, evidently – either can’t see or refuse to see that the technological barrier exists. If a backdoor exists and someone can access and use that backdoor, there’s nothing stopping someone else from doing the same thing.
It’s like leaving the key to your front door under your doormat because it’s convenient for the police. What if a burglar gets that front door key, then? Are you going to somehow magically make a key that only works for the police but not anyone else? What if the key lands in the wrong hands? It’s going to suddenly stop working?
And seriously, ethical? Constitutionally bound? Things like LOVEINT are precisely why people don’t trust the government with backdoors. Sure, you can argue that Comey’s hands might be tied. The problem is, the current people in power have proven that they’re not interested in the responsibility that comes with said power.
S.O.P.
Simple truth is, the Commie keeps having this “conversation”, because the Fascists running the spy agencies already have a couple of secret working programs that are establishing backdoors in every possible communications device made in the USA, “as he speaks”.
As long as he keeps saying “We must establish backdoors…”, he keeps his willingly gullible audience thinking that the backdoors will not be installed until after the “conversation” ends.
The reality is that when he stops having this conversation, the deed will have been completed and all American communications will have a hole through which every criminal organization on earth can drive a truck, in both directions.
I mean come on guys, this is the American Spy Agency.
Everything they do is secret and behind the scenes.
There is no way in hell the CIAF BINSA are ever going to “have a conversation” with the US public over whether they should or should not do something nefarious and stupid TO the US public. They just do it, secretly, with legal lubrication, and the tax payer pays for the damage inevitably done.
Standard Operational Procedure.
They did something similar with Wall Street – telling them that the non-member Wall Street Tycoons should welcome the NSA’s surveillance of all their dealings by willingly installing all sorts of technical stuff that would allow the NSA easy access, when in reality, the “stuff” was already installed and the NSA was already sucking up all Wall Street’s paperwork and has been for years, and of course, still is.
The notion that Comey wants a conversation with the US citizens over whether they should welcome backdoors in their communications devices, is as far fetched an idea, as believing that Comey is an imbecilic buffoon who knows nothing about encryption and/or technology.
When it comes to government, never attribute to incompetence that which is better explained by malice.
—
Re:doublethink
I agree. The difficulty is, we’re already monitored and controlled far more then any civilization in history- and they’re doing a better job of it then ever before. That frailness exists non the less, and is a motivating factor for the surveillance state, and general increasing authoritarianism. The concentration of media ownership and obvious collusion that exists to push various (mostly) gov and corp friendly viewpoints, and minimize the unfriendly ones is so common it’s even been a major topic of popular news satire shows. For propaganda to work long term, people must not realize it’s propaganda- judging from polls measuring trust in news, they are remarkably successful at this, though it’s slipping somewhat. People are slowly becoming more wise to ‘think tanks’, spinmasters, pundents and the game and true cost of ‘exclusive access’, sources and what are essentially planted stories and framed spins taken at face value without question.
I do get that. This is absolutely correct; and not a fact I’ve tried to diminish. I’ve attempted to bring the context to light, that the way things are done now is more dangerous, more subject to abuse and even more unethical. The reality of how things would play out- where they to get this known back door, is that it’s not really a choice between one or the other- but the idea that it IS can be leveraged as a strong argument point regardless. Thus a backdoor can rationally be viewed and pushed for as the lessor of evils, and far more inline with the stated goals of the organization. That doesn’t make it right- and doesn’t mean I’m advocating for it.
You’re right- a backdoor could not conceivably be done without significant risk, and IF lack of risk is a requisite qualifier to whether it’s “possible”- then yes, it can then be considered “impossible”. However, there is NO technological barrier to implementing a backdoor- one which would conceivably be 1000x harder to abuse then what they use currently. Nothing is immune to compromise when it comes to tech- Even if there were perfect tech, we’d never have perfect humans to implement it… Expecting perfect is unrealistic; the best we can do is minimize the potential for compromise.
The current system relies on nothing but vulnerabilities that anyone can use- many many of them, so that when they lose one, they don’t lose access. There is little effort to stop security holes, because making people more secure is equivalent to them losing access. The incentive structure is fucked. At face value- what they’re suggesting would be far less complicated and far less prone to compromise then the existing system, it would also improve the hideous side effects that the current system has. At face value- It is the difference between a system that attempts to control who has access, and one which fervently ruins security for everyone, against everyone, to maintain access. Stating this does not mean I am advocating for such a solution- I only advocate for a wider viewpoint.
The solution I would advocate for is that people need to get much much more serious about security, and authority over their devices- We need to support companies and people that enable that security and authority; and boycott companies and technologies that enable the surveillance state. That means ditching google (use ixquick or startpage) and facebook, adobe, windows/mac- embrace open source software, open hardware, tech such as Tor, Tails, PGP, TOX, and Cryptostorm; hardware like gluglug thinkpads with coreboot, grsec foss linux or openbsd, and neo900 phones… (the only phone currently made that gives you genuine authority over the device) It’s a hard pill to swallow right now- but if market forces could sway to show that security, autonomous authority and technological freedom mean more to people then flashy features and the latest and greatest specs- soon things would change for the better.
I may have worded things poorly and in excess, reaching for prose. The statement was:
I can see how that’s hard to decipher, it’s an over-complicated sentence; it’s meant to be read as- not ethical, and not remotely constitutionally bound- also beguiled= conned into, or mislead.
The government has “backdoors” (air quotes to indicate functional equivalence) already, many of them; it’s kind of an open secret. Those backdoors are open to everyone who can find them, already. They shouldn’t have these- they should be working to close them and help us all be secure.
I don’t believe Comeys hands are tied- I believe he’s an authoritarian who believes the government needs to have ultimate power and control/authority over technology in order to fulfill their responsibility- Further I believe this stems not from any sort of malevolence, but from a genuine drive and desire to help and protect people by any means necessary.
Re: Re:doublethink
“However, there is NO technological barrier to implementing a backdoor- one which would conceivably be 1000x harder to abuse then what they use currently.”
That’s pointless. A backdoor that’s difficult for outsiders to abuse would have to be harder for “the good guys” to use, because technology is impartial that way. Think of the Sony hacks. The information was easily hacked into and disseminated precisely because the original information was poorly protected – because tech-illiterate executives don’t understand that making things easier for them to access makes it inherently easier for outsiders to access.
Any anti-abuse measures implemented would be quickly overridden because that’s what the people in power want. They want personal security but they don’t want to go through all the trouble that would require. So what you end up with are backdoors with backdoors, vulnerabilities on vulnerabilities. And when shit hits the fan, the tech guys get the blame.
“The solution I would advocate for is that people need to get much much more serious about security, and authority over their devices- We need to support companies and people that enable that security and authority; and boycott companies and technologies that enable the surveillance state.”
But that’s precisely what people like Comey don’t want. More citizens are in fact getting serious about security, encryption and privacy over their communications and devices – to law enforcement and people like Comey, that makes their job harder, so they absolutely hate it. You can claim Comey isn’t malevolent all you want, but that’s not going to change anything.
I am always amazed how they can pretend that it would be a american solution which the whole world would gladly accept.
Why wouldn’t your financial institution or R&D division like this new security module with a “trusted” flaw imposed by the US? They would never misuse it and no one else would have any interest in this mandated flaw. And why not accept these other “updates” from russia, china, (nation to be named)? It’s the law in the US so it shouldn’t be a problem, am i rite?