Congrats, FBI, You've Now Convinced Silicon Valley To Encrypt And Dump Log Files
from the a-victory-for-privacy dept
Soon after the original Snowden revelations, I went around talking to a bunch of startups and startup organizers, discussing whether they’d be more willing to speak out and complain about excessive government surveillance. Some certainly did, but many were cautious. A key thing that I heard over and over again was “well, our own data privacy protections… aren’t that great, and we’d hate to call attention to that.” Every single time I’d hear that I’d point out that this should now be their first priority: clean up your own act, now and fix your own handling of people’s data, because it’s an issue that’s going to become increasingly important, and you’re being foolish and shortsighted to ignore it.
While the Snowden revelations certainly did get some companies to improve their own practices, it looks like the FBI’s decision to go after Apple over encryption, has really galvanized many in Silicon Valley to take action to truly protect their users from snooping government officials — meaning making use of real (not backdoored) encryption and also diong other things like dumping log files more frequently.
?We have to keep as little [information] as possible so that even if the government or some other entity wanted access to it, we?d be able to say that we don?t have it,? said Gadea, founder and chief executive of Envoy. The 30-person company enables businesses to register visitors using iPads instead of handwritten visitor logs. The technology tracks who works at a firm, who visits the firm, and their contact information.
The article is full of such stories — including one of a company called Stealth Worker that is basically helping lots of startups build in better security from the start:
Stealth Worker ? a start-up funded six months ago by the prominent incubator Y-Combinator ? provides contract cybersecurity experts to early-stage start-ups, which often operate on a shoestring budget. Stealth Worker chief executive Ken Baylor said that in the past month he had been approached by a half-dozen companies looking for ways to build tougher encryption and other secure technical architectures.
Because it’s the Washington Post, and they feel the need to be “balanced” the article does include the one ridiculous contrarian quote from our old friend, former NSA General Counsel Stewart Baker, who basically dismisses reality as a myth in the heads of some engineers:
?This is a Silicon Valley delusion that the government wants to outlaw encryption,? Stewart A. Baker, a former National Security Agency general counsel, said in an interview. ?I grant that there is a radicalized subculture of engineers that is very prone to that delusion, but it is a delusion.?
This is classic Baker: saying something that avoids the actual truth by saying something that’s nominally true, but not what people are actually discussing. The claim of “outlawing encryption” is really shorthand for “outlawing effective encryption that is less vulnerable to attack.” And that’s absolutely what many in the government are trying to do. I mean, there’s no delusion necessary when you can just read the bill put forth by Senators Dianne Feinstein and Richard Burr, that absolutely would make real encryption illegal. Sure, it says you can keep encryption, but only if it includes a way for 3rd parties to decrypt it. And the only way that’s possible is to introduce serious vulnerabilities into the encryption.
The thing that Baker and many others truly don’t get about Silicon Valley is that when you give techies a challenge that involves making “the best” of something, they like solving the challenge. The suggestions to backdoor encryption undermine that philosophy. They’re saying that techies would need to deliberately cripple their own solutions. And the more that the FBI and clueless Senators push for such a solution, the stronger Silicon Valley will dig in and keep building better overall solutions that are less prone to government snooping.
Maybe, just maybe, if the likes of the NSA and FBI hadn’t regularly abused their snooping powers, folks would be more willing to give them the benefit of the doubt. But it’s a bit late for that at this point.
Filed Under: doj, encryption, fbi, silicon valley, startups, surveillance
Comments on “Congrats, FBI, You've Now Convinced Silicon Valley To Encrypt And Dump Log Files”
Until forced to keep logs
The Govt can ban the deletion of logs. And they can require logs be created, archived, and surrendered to any Barney Fife LEO who darkens their door.
Re: Until forced to keep logs
I never delete my server’s log files. They are all right there in /dev/null
Re: Re: Until forced to keep logs
Yes; storing them with 100% compression is always a viable alternative — saves on disk space as well.
Re: Until forced to keep logs
So save your logs to crappy old drives, and store them in an worse conditions available, tossed into random boxes, with raid sets spread across the boxes. Bonus points for lack of any external labels.
Re: Re: Until forced to keep logs
I have an rack of 8″ floppy disk drives and boxes of blank 8″ disks that are so old that they are about as reliable as a firefighter made of chocolate. They’d be perfect!
Re: Re: Re: Until forced to keep logs
they will just open them using the nuclear launch computers
Re: Re: Until forced to keep logs
I think it would be better if you pointed your logs to /dev/serial and had an old TTY printer hooked up to it. You could use a continuous loop of paper if you want, and nobody needs to bother re-inking the printer ribbon.
Re: Re: Until forced to keep logs
Oh, no, they have to be labelled! But no one said that the labels have to be correct.
Re: Until forced to keep logs
Didn’t you get the memo? The implications created by this https://www.techdirt.com/articles/20160518/07232434473/judge-taking-your-facebook-account-private-during-litigation-isnt-exactly-preserving-evidence.shtml most certainly indicate that you can’t delete log files. After all, those log files are evidence relevant to “foreseeable investigations” given that every investigation is foreseeable after the fact.
Re: Re: you can't delete log files
What if they were never kept in the first place?
Re: Until forced to keep logs
If you do not have them in the first place, they cannot be deleted.
Re: Until forced to keep logs
When I worked local county IT in PA, there was a state rule that they couldn’t delete retirement data from their system until the person was dead for 15 years. Since they never got any info regarding death of a person, they just kept everything less than 120 years old.
Re: Re: Until forced to keep logs
Which sucks for anyone 121 years old and older…
understatement
I’ve felt that way from the beginning. If they (pick whatever “they” is appropriate to the context) would have been up front about what they wanted to be able to do, convinced people it was necessary, had proper safeguards and oversight, and was proportional to the problem that was trying to be solved—gone about it through a normal democratic process, one could almost say—then a whole lot of the crazy mess things are in right now might have been completely avoided.
Re: understatement
They got caught in their own propaganda.
They made the mistake of initially framing the discussion in terms of “we conduct mass surveillance to keep you safe”. But as is the case with a whole lot of propaganda, the framing begins to fall apart when you hold it up to reality.
Sure, they can use domestic mass surveillance to catch some baddies (although they certainly do not have a huge number of examples of it doing that – but whatever, let’s pretend it does that to some degree). Where their “keep you safe” arguments start to fall completely apart is when we hold them up to the reality of all the ways it makes us “less safe” and what nefarious uses all that private data will certainly be put to by unscrupulous private, corporate, government, and criminal actors.
When framed in those alternate terms, the benefits proposed by law enforcement/intelligence community become highly improbable. Especially in light of the obvious detriments. And as they’re a group of smart people, I can only assume they are very aware of these facts.
So that begs the question, what is their actual intent (vs their stated goal)?
Re: understatement
They got caught in their own propaganda.
They made the mistake of initially framing the discussion in terms of “we conduct mass surveillance to keep you safe”. But as is the case with a whole lot of propaganda, the framing begins to fall apart when you hold it up to reality.
Sure, they can use domestic mass surveillance to catch some baddies (although they certainly do not have a huge number of examples of it doing that – but whatever, let’s pretend it does that to some degree). Where their “keep you safe” arguments start to fall completely apart is when we hold them up to the reality of all the ways it makes us “less safe” and what nefarious uses all that private data will certainly be put to by unscrupulous private, corporate, government, and criminal actors.
When framed in those alternate terms, the benefits proposed by law enforcement/intelligence community become highly improbable. Especially in light of the obvious detriments. And as they’re a group of smart people, I can only assume they are very aware of these facts.
So that begs the question, what is their actual intent (vs their stated goal)?
Mispelling
Please search this article for the word “diong” and correct, then feel free to delete this courtesy comment. Great article otherwise.
Re: Mispelling
What’s wrong with diong things?
Re: Re: Mispelling
Do two wrongs make a diong?
Re: Re: Mispelling
I hear you can get a good and cheap dionging over in south east Asia.
Re: Re: Re: Mispelling
Only if you want to get a nasty sode of the calp.
Re: Re: Re:2 Mispelling
at least he added the i.
Imagine if he left out the i.
Re: Mispelling
Re: Re: Mispelling
That is correct.
OMG, they just denied it! That means the government DOES want to outlaw encryption…!
Now that the FBI is operating as an espionage agency
It’s teaching companies to act as security firms…or espionage firms…or organized crime.
Which is poetic, since the FBI really got started to combat the Mafia.
Re: Now that the FBI is operating as an espionage agency
Anyone that is willing to commit evil to stop evil becomes the evil they destroy.
Re: Re: Now that the FBI is operating as an espionage agency
Plus, there’s a couple more fundamental human tendencies in play here. People tend to become what they hate, people tend to think that their personal experiences are representative of the greater reality, and people tend to resemble the folks that they spend a lot of time with, even when that time is spent in opposition to them.
Apparently Stewart Baker wants a little backdoor. A “just the tip” kind of guy.
Re: Re:
Or he just wants you to open your front door, just a little bit. Just a crack, really.
Re: Re: Re:
Sounds like the fable of “The Camel and the Tent”.
“I grant that there is a radicalized subculture of engineers that is very prone to that delusion, but it is a delusion.”
A radicalized subculture consisting of.. more or less everyone who has any skill or knowledge to contribute to the subject.
Re: Radicalized
You’re the only commenter so far to even mention this quote and you said nothing about the use of the word Radicalized.
The choice of this word speaks volumes about the mindset of law enforcement and the Senators supporting them. They DO see it as Gov versus Tech. They aren’t looking for amicable solutions, they want blind obedience or you’re equal to a terrorist in their eyes.
Re: Re: Radicalized
We’ve got to do something about those radical engineers. I’ve heard they even practice math.
Re: Re: Re: Radicalized
Math would be bad enough, their real crime is practicing non-government approved math!
If the government says that 2+2 equals 5 then that’s the new mathematical reality, yet those commie terrorist pirates continue to insist that it equals 4, in clear contempt of their betters, and despite assurances from the governments(which is always right of course) that if they’d just try harder they’d be able to change the old, non-government approved math to meet the new, government approved version!
Re: Radicalized
Is it radical to have an extreme polarized view? For example: the sun rises in the east. Not in the west. Not somewhere in between the two. There is exactly one correct viewpoint. A radical idea, I know. Yes, I suppose I am ‘radicalized’ about whether the sun rises in the east or in the west.
Re: Re:
I believe there’s a radicalized subculture of aeronautic engineers who believe you need to generate lift to fly.
What nut cases they are!
This is great! Finally we have members of Congress and the FBI working together to make sure tech companies keep Americans safer in the digital age.
/dev/null logging is common practice for a number of different types of providers.
The problem with that, is logs are generally diagnostic tools. Their purpose is to help you fix things when they break.
MTTR increases when you can’t keep them. So the fact that judges completely disrespect indirect composition (meta data) as a form of speech under the first amendment, has real world expenses that are reflected in poor customer service, and higher maintenance costs.
Judges need to stop regarding digital composition as less worthy of protection than other speech. Yeah the volume is WAY higher, and yes it is often multiplexed and easier to get to. No that doesn’t make the first amendment less relevant, it makes it MORE relevant.
Meta data, is indirect digital composition. The fact that it is accidental (from the original communicators perspective) does not make it less worthy of protection. Both antibiotics and vulcanized rubber were accidental composition. Would the same judges, play diddle-nuts with the rights of the composers in THOSE cases?
This double standard is progressing more and more into the lives of normal every day people. They will resent it. And eventually they will rectify it. From the states perspective, fixing this sooner, will be cheaper.
Forgetting for a moment that their actions and lack of oversight in the last 15 years, have raised them from “be wary of” to “not sure who the terrorists are here” in my book; the insanity of their objectives and the very likely probability of extreme misuse, should be enough for anyone to call them out as enemies of the public.
The mere mentioning of this should be laughed out of the room together with those who proposed such a thing.
Here is an equally crazy suggestion: Put bombs on every plane, train, bus and other transportation so we can blow it up before the terrorists can hit anything if there is a suspecion of someone on board. This is basicly what holes in encryption are: bombs just waiting to be misused.
Download book Applied Cryptography while it is still legal to do so
I mentioned this one other time. I’ll mention it here again . . .
http://cacr.uwaterloo.ca/hac/
See this copyright information before downloading:
http://cacr.uwaterloo.ca/hac/about/copyright-notice.html
CRC press has granted the following specific permissions for the electronic version of this book:
Permission is granted to retrieve, print and store a single copy of this chapter for personal use. [ . . . rest omitted . . . ]
It's called blowback.
The FBI has looked into the abyss. The abyss has looked back, and punched it in the face.
The last time they had a “radicalized” engineer attack, we came up missing the Twin Towers and a chunk of the Pentagon. Take note: Don’t pass off engineers.
s/a nuclear/crypto cleared multi-engineer
Meanwhile in Bizzaro world...
A government official was quoted calling those in the tech industry who continued to call for weaker encryption a ‘radicalized minority’, who ‘put the security of everyone at risk with their absurd insistence that weaker encryption was needed to stop crime.’
“The government’s position on this is the same today as it was yesterday, and will not change. Weakening encryption is a foolhardy idea that puts everyone at risk, and is something that only criminals and those that wish to aid them would ever push for, as criminals stand the most to gain from it. The tech sector’s demand that all encryption be deliberately flawed is completely absurd, and I honestly have no idea what could have led to such an insane idea.
Numerous individuals in law enforcement have urged us to push back strongly against this dangerous idea, making it very clear that weaker encryption, far from decreasing crime as various tech companies claim will instead lead to an explosion of crime, as countless devices and services become easy targets for malicious individuals.
Weakened encryption is a dangerous idea, and any crimes that it would allow to be stopped would be vastly overshadowed by the countless crimes it would enable. I can only hope the tech sector realizes this before it’s too late.”
Australia has forced log retention
The Australian government has laws forcing ISPs, web hosts etc to keep logs for 2 years, but exempted overseas companies. Guess where businesses are taking their operations? Out of the country where possible, as it reduces the compliance cost of doing business. I wonder in 5 years time, whether the US government will pass a bill preventing US businesses from moving off shore in order to save Silicon Valley.
Techies are selective about crippling things.
Sadly, techies are actually very selective about whether they’ll cripple their own work product. They won’t do it for the G-man, but they will for the guy in the suit and tie who pays their salary, as evidenced every time something on the internet is intentionally broken to generate revenue.
The most common example of this being sites gratuitously coded to be unnavigable or, increasingly often, unreadable, if you turn off Javascript. Try it. Turn it off and see how many of your favorite (noninteractive! I mean sites where you go, read something, and leave, not Facebook and Twitter and the like) websites render as a blank page, or a blunt message saying “turn on Javascript or we won’t show you anything”, and how many more are readable but the links don’t work and/or all of the images on the page are missing.
Of course it’s perfectly technically possible for such sites to work without JS. A div element with some text in it inside the body element. An anchor element with an href attribute. An img element with a src attribute. These have been around since the 90s and work just fine with JS switched off. So what’s the deal here?
The only answer that makes any sort of sense is that the site is deliberately broken to force people to switch JS on, and the only answer that makes sense as to why they want to force JS on is that they want to run a script on your computer to do something you’ll find annoying rather than a value-add. This tends to mean advertising — and not just display advertising, which is easily done with img tags and server-side scripts to determine what ads to serve, or even targeted display advertising, since 1×1 transparent GIFs and tracking cookies also don’t need JS. No, they want to do obnoxious advertising that is deliberately crafted so as to obstruct the visitor from doing what the visitor wants to do until they’ve acknowledged the ad in some way. That’s the only motive that makes sense for trying to force people to turn on JS.
Of course, that just drives people to turn on both JS and an ad-blocker, which in turn drives the suits to demand the engineers cripple the site even more by adding anti-adblock boobytraps, which of course also require JS enabled in order to function, adding more motive to force visitors to turn on JS to see content.
So the engineers have shown that they are perfectly willing to degrade and cripple their own product, making it less useful and more annoying to users, if their paycheck depends on their doing so. Just not for random G-men who aren’t their bosses.
Re: Techies are selective about crippling things.
I think you are confusing code monkeys with dedicated hackers. The first are in software to make money, the second because its their passion. Indeed the ability to do the right thing is one of the attractions of free and open source software for real hackers, as their peers and not any managers are the ones who decide whether or not something makes into the release.
Re: Re: Techies are selective about crippling things.
I think you are confusing code monkeys with dedicated hackers.
And code monkeys aren’t exactly the one’s leading innovation.
Re: Techies are selective about crippling things.
So you found the switch to turn off javascript, and that constitutes an international conspiracy?
In your particular case, there is a solution. Download and put up a crawler, and then write a patch that detects and ejects sites with development practices you disagree with. Then post a couple of years later, IF you’ve finished. I’d love to see YOUR solution. Hell, kickstart it and I’ll help fund it for christ’s sake. Note that all the software required to complete such a task, is FREE, and was written by the same kind of people that you are bitching about.
Please stop being a minion for an aristocracy that is trying to focus fear and bigotry on technicians and scientists. They spread this meme to maintain control. You, by bitching instead of contributing, are helping create the leverage that results in the shit code you are talking about.
BTW if you put up with the shit we put up with, you would have already gone postal. The people your complaining about are on your side.
Re: Techies are selective about crippling things.
I’m a techie who works for a company that builds a framework for building web applications. I don’t disagree with the underlying point you are making, but JavaScript (specifically) is actually essential for certain approaches – static HTML plus links to navigate simply can’t provide certain user experiences. Think of things like providing a list of records which automatically loads more data as the user scrolls down, or sorts instantaneously when the user clicks on a header rather than having to reload the entire web page.
There are plenty of sites that deliberately make their pages non navigable when you have ad-blocking software, etc, but the requirement for JS is real for many scenarios.
(Of course a company could write a less capable version of the site in static HTML in addition to the more interactive version, but it’s twice as much work for something which will only impact a tiny fraction of users who are disabling JS in their browser).
Having said this – I personally recommend using privacy tools to minimize third-party tracking across sites, and ad blocking software. There are lots of options out there. I use Privacy Badger myself, and AdBlock Plus.
Re: Re: Techies are selective about crippling things.
“but JavaScript (specifically) is actually essential for certain approaches”
This is true, but in practice (in my experience), 90% of the time that those approaches are used are in situations where they are not necessary.
I will continue with my current practice: disable Javascript by default. If a site doesn’t work that way, and the site is not in some way critical to me, then I just won’t go there anymore. If the site is critical to me, I’ll take the time to determine which pieces of Javascript I will allow to run and which I won’t. Usually, there’s only one or two really critical bits.
Re: Last I checked, especially regarding telecoms...
The G-men usually offer companies monetary incentives to cooperate in the first place. AT&T and Verizon are notorious for taking huge payoffs from the United States for cooperating with the NSA mass surveillance program.
So yeah, some companies will sabotage the integrity of their product for sake of the government when the price is right.
Really, it’s a short term gain for a long term loss.
Re: Re: Last I checked, especially regarding telecoms...
Really, it’s a short term gain for a long term loss.
Unfortunately, the “long term loss” is for society, not the companies involved.
Re: Techies are selective about crippling things.
There’s a world of difference between “purposely crippling functionality” and “just can’t be assed enough to fix a bug”.
And yes, page’s being unreadable when JS is turned off is just that – a bug. There are plenty of fallback strategies for everything you can do in JS, however they take time and effort to code. Doing that coding for the quite small number of users that this applies to is not sound business practice.
Re: Techies are selective about crippling things.
I want to introduce you to a program called NoScript. Selectively disable javascript to stop the insecurity.
Re: Re: Techies are selective about crippling things.
Already use it. Even then:
1. There’s a slight security risk in activating scripts, even just for the domain serving the page you’re viewing. If they get hacked and a script that loads an exploit kit gets added to their pages, boom.
2. The typical case doesn’t work if you just enable the site’s own scripts. There will be dozens of other domains with scripts listed in the unblock menu, and a lot of them will have really dodgy names, and one of the dodgier ones will often turn out to be the one that’s needed to unlock the functionality of DISPLAYING SOME FREAKING STATIC TEXT.
For example, “d9f23ab948c01f3b.cloudfront.net”. What the fuck is that? Malware domains often have large amounts of nonsense gobbledygook in them, just like that. At best it’s a legitimate cloud hoster, in which case allowing scripts from it means allowing not just the scripts for example.com whose site I’m trying to browse but every other script hosted at that cloud hoster as well, including, in all likelihoods, some malicious ones.
forced retention
are erasers still ok on #2 pencils? or does govt want to see our work?
X
Right on! When the government makes laws that completely change the constitution in secret, which is what they have done prior, that snowden revealed. It is illegal. It is beyond the scope of their power. Those legislators should be brought up on charges. Companies that stand up to this corrupt government, will be remembered as heroes, just as snowden will be remembered.
Of course only domestic terrorists refuse top let corrupt government agencies look through their data unencrypted
/s
pula
“A key thing that I heard over and over again was “well, our own data privacy protections… aren’t that great, and we’d hate to call attention to that.”
I suspected as much, the silence is deafining
I seriously doubt that very MANY companies in ALL fields take it as seriously as they should be, yet their quite willing to stipulate that a service or good only be purchased/exchanged for the ever growing list of our personal private data
Data protection laws are obsolete, outdated, and pitifully weak, and im sure there are those who want to keep it that way
Encryption is a must
I am surprised that after so many news about data breaches etc. most of businesses are still not focusing on adding encryption to their apps. Now there are tools like http://www.qredo.com that enable people without any cryptography knowledge to add high level of security/protection to their apps. I recommend all to checkout http://www.qredo.com as it seems that it might be game changer.