Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?
from the golden-key-cryptography dept
The Washington Post editorial board has weighed in on the recent “controversy” over Apple and Google’s smart decision to start encrypting mobile devices by default. The “controversy” itself seems pretty hyped up by law enforcement types who are either lying or clueless about the technology. Throwing a bunch of technically ignorant newspaper editors into the mix probably wasn’t the wisest of decisions.
Much of the editorial engages in hand-wringing about what law enforcement is going to do when they need the info on your phone (answer: same thing they did for years before smartphones, and most of the time with smartphones as well, which is regular detective work). It even repeats the bogus use of the phrase “above the law” that FBI director James Comey bizarrely keeps repeating (hint: putting a lock on your stuff isn’t making you above the law). But the real kicker is the final paragraph:
How to resolve this? A police ?back door? for all smartphones is undesirable ? a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we?d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.
Did you get that? No “back door,” but rather a “golden key.” Now, I’m not sure which members of the Washington Post editorial board is engaged in mythical “golden key” cryptography studies, but to most folks who have even the slightest understanding of technology, they ought to have recognized that what they basically said is: “a back door is a bad idea, so how about creating a magic back door?” A “golden key” is a backdoor and a “backdoor” is a “golden key.” The two are indistinguishable and the Post’s first point is the only accurate one: it “can and will be exploited by bad guys, too.” That’s why Apple and Google are doing this. To protect users from bad guys.
In the meantime, just watch, and we’ll start to see ignorant politicians and law enforcement start to echo this proposal as well, talking down “backdoors” and talking up “golden keys.” The fact that we already had this debate in the 1990s, when the “golden key” was called “key escrow” and when having the government lose that was was fairly important in allowing the internet to become so useful, will apparently be lost on the talking heads.
Still, a small request for the Washington Post Editorial Board: before weighing in on a subject like this, where it’s fairly clear that none of you have the slightest clue, perhaps try asking a security expert first?
Filed Under: backdoors, editorial board, encryption, golden key, mobile encryption, privacy, security
Companies: washington post
Comments on “Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?”
Still, a small request for the Washington Post Editorial Board: before weighing in on a subject like this, where it’s fairly clear that none of you have the slightest clue, perhaps try asking a security expert first?
I love how you hold others to such a high standard when you yourself don’t meet that standard. Recent example: your silly post about how a design patent is invalid even though you demonstrated no such thing: https://www.techdirt.com/articles/20141003/06500028716/design-patent-granted-toothpick.shtml Do as you say, not as you do, right?
Re: Re:
I love how you do exactly the same you criticize.
I’ll leave this to your entertainment (please follow the link in that comment, it might make you slightly less dumb):
https://www.techdirt.com/articles/20141003/06500028716/design-patent-granted-toothpick.shtml#c485
Re: Re: Re:
I love how you do exactly the same you criticize.
How is that linked-to comment an example of me doing the same thing? At least that person acknowledged that it’s the “ordinary observer” test–something Mike didn’t even do. Mike didn’t give us any legal analysis before reaching his legal conclusion. He just posted a picture of toothpicks that had three grooves with the implication that they’re substantially similar to ones that have two painted-on stripes. My point is that the IP reporting on Techdirt is often laughable–such as that post. It’s not just Mike. His flunkies are guilty of shoddy IP reporting even more so than he is. It’s just funny that he criticizes others so much when his own house isn’t in order.
However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.
Really, why are we reading some ignorant piece of crap like WP when not happy with being clueless they display said lack of clue in all its glory by treating science as wizardry?
Perhaps they could actually study what they call wizardry and notice it’s highly complex science and that they just proposed exactly what they said it’s not desirable?
Re: Re:
That’s what struck me too. Whoever wrote this sees technology as nothing more than modern day magic. They don’t understand it but somehow it works. POOF Magic!
Re: Re: Re:
Any sufficiently advanced technology is indistinguishable from magic.
http://en.wikipedia.org/wiki/Clarke%27s_three_laws
Re: Re: Re: Re:
The sad thing is we’re already kind of at that point, but not so much because technology is so wondrous, but because so many people are willfully ignorant, if not outright stupid.
Re: Re: Re:2 Future Shock
I don’t know if that’s completely fair. With the rate of growth and progress for technology, I do think that there are some people who would love to know more, but have no clue where to start. The solution of course is to ask for help, but if you have no clue where to start, then how do you even know what to ask?
I’m not saying that there aren’t bad actors. However, we should also consider that in less than a decade we went from moble phones to a universe of powerful internet-connected devices capable of storing and doing so much more than that.
I think today that there is a valid argument for the growth of an excluded middle between the clued-in, and the willfully ignorant, and thanks to Alvin Toffler there’s a name for the cause – Future Shock.
Re: Re: Re: Re:
Any technology is indistinguishable from magic to stupid people.
FTFY
Re: Re: Re:
“And you can’t get it down from the Cloud?”
“No one understands the Cloud, it’s a fscking mystery!”
Re: Re: Re: Re:
If the cloud collects enough condensation it starts to cause rain storms and when that happens the terrorists win.
When law enforcement and government become the bad guys worried about their precious being taken away it tells you why such is needed.
The Golden Key will be provided by the Golden Sheep with a Golden Ticket (warrent). After a time, everybody will realize it’s just a Golden Goose Egg.
Re: Response to: Baron von Robber on Oct 6th, 2014 @ 9:24am
At which point everyone gets a Golden Shower. Yes, I went THERE.
Re: Gold Key
Perhaps this was all written up in comic book form in Gold Key Comics back in the ’70s?
This is Magical Golden Journalism
Personally, this kind of crap is why I read the papers.
I mean, “David Brooks”? C’mon, he’s no better than that Krauthammer moron, or Thomas Sowell. They’re just low blood pressure medicine.
I live for the inane mistakes, like when the text of an article includes the literals “START ITAL” and “END ITAL”. Or some half-drunk city desk guy gets to opine about Magic Golden Keys. It’s priceless, i tell you. You give a sinus-clearing snort, and resign yourself once again to a newspaper written and edited by posturing pieces of wood, and you laugh and get on with life.
newspeak
It’s not torture, it’s “enhanced interrogation” 🙂
Re: newspeak
You mean the WP is now involved in enhanced interrogation techniques on the English Language?
OK, so we don't want any magical Golden Keys
How about a special master key cut from pure Unicorn horn?
We would only need one such key, so creating one such key would not put the population of unicorns in any danger.
Re: OK, so we don't want any magical Golden Keys
Au contraire mon ami – to cut a key from unicorn horn would require the demise of every unicorn in existence – and then some! How could this NOT cause the extinction of the species?
I'm going for funniest techdirt comment of the week
“However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.”
Re: I'm going for funniest techdirt comment of the week
Well played. I voted for you!
Singalong Time
[Tune: “I Got a Brand New Pair of Roller Skates”]
I got a safe encrypted telephone.
I hacked its golden key!
Wonder what other uses that master key might have for me?
Is this megalomania?
Can I rule the world?
‘Cause I got a safe encrypted telephone
I hacked its golden key!
Perhaps is it wise to allow them a `golden key’… As long as we make sure there is no backdoor that can be opened by it.
(Yes, I know, but playing wordgames is all the rage at the moment.)
Re: Re:
Hmmm… that might be an interesting Emperor’s Clothes type situation. Tell them there is a Golden Key, even though is doesn’t work, but that they’re never allowed to use it.
Sure, they’ll be pissed off when they realize it doesn’t work, but we’ll be pissed that they so readily abused the power they thought they had.
anyone able to explain to me how the hell these people ever get employed in the first place, let alone have the go-ahead to write and print something like this?
Re: Re:
Because the people hiring them, the people employing them, and the people telling them ‘Write an article on the new encryption mess’ are all equally clueless when it comes to the subject at hand.
The most insidious idea in all of this is the notion that a manufacturer should maintain control of something after it’s been sold.
Does this apply to components? If a Chinese supplier of say, wifi chips doesn’t like what Apple is doing, can they just brick every device with their chip in it?
Yes old people tell us more about backdoors that don’t have backdoors.
#popcorn
Playing devil's advocate
A “golden key” is a backdoor, but a backdoor might not necessarily be a “golden key”.
A “golden key” implies a key, contrasting with other kinds of backdoor which do not use a key.
For instance, a backdoor where turning on the phone while shorting a couple of test points in its main board were enough to bypass the phone encryption would not be a “golden key”.
You do realize that what is proposed is actually supported in both Microsoft BitLocker and Apple FileVault. It just simply storing your private key with the company or on your own server. Replace “Magic” with “Private” and you don’t have unicorns and rainbows anymore, but irl they should give the end-user’s the choice as they do currently.
Apple File Vault 2: http://support.apple.com/kb/ht4790
For Microsoft in a business situation: http://technet.microsoft.com/en-us/library/dd875531%28v=ws.10%29.aspx
For Microsoft in a home situation: http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq
Re: Re:
“Replace “Magic” with “Private” and you don’t have unicorns and rainbows anymore”
Yes you do. If a third party is holding your private key, then it isn’t private anymore. Functionally, doing so is exactly the same as having a universal key and it has all the same problems and all the same unicorns and rainbows.
Re: Re: Re:
John,
I hate to tell you, but almost every FDE product out there has something like this. I used Apple and Microsoft as examples, but CheckPoint uses an EndPoint Policy Manager. Do you think the average consumer is going to have a server to backup the private keys to? Most that I know will end up using DropBox, iCloud, OneDrive, et al which is basically the same thing. You can’t store the private key for decryption on the same device for recovery, so it’s either purchase a server to run your own and make sure you have backups or lease cloud space which basically makes the key public to someone else.
Actually, this whole argument sounds like a good KickStarter project, some cheap Arduino boards to basically do a password/key manager and I would integrate OAuth with a mini lcd display.
Re: Re: Re: Re:
“almost every FDE product out there has something like this”
I’m not sure what you’re talking about here. I’ve used several FDE solutions for Windows and Linux, and have yet to be required to store my keys on a server of any sort, let alone a third party server.
“You can’t store the private key for decryption on the same device for recovery, so it’s either purchase a server to run your own and make sure you have backups or lease cloud space”
Or do what I do: store the keys on a memory stick. They’ll also fit on floppies if you are really old-school.
Didn’t RSA build a “Golden Key” into the it’s elliptical curve random number generator. Then NIST made this golden key the default encryption option.
Where has the Washington Post been for the last year? I’m sure China’s gonna want it’s own “Golden Key” too, so they can crack down on all the unruly young people protesting in Hong Kong.
The Washington Post is advocating for repression and tyranny. Shame on them.
Re: Re:
“Didn’t RSA build a “Golden Key” into the it’s elliptical curve random number generator.”
Not quite. The ECC problem was not a golden key, it was an intentional weakening of the random number generator. This by itself did not remove or bypass encryption. It made it possible to break the encryption, but doing so still took nontrivial effort.
The magic key would not be made from gold but from unobtainium.
Re: Re:
Bullshit, it’s made of elvish steel forged by dwarfs using the light of the Silmarils. And it only opens during the full moon of the solstice. Or when some random judge says so.
Re: Re: Re:
Bullshit, it’s made of elvish steel forged by dwarfs using the light of the Silmarils.
Please, you couldn’t get Dwarves to work elvish steel. That’s how I know your claim is made up.
Encryption security
It is comforting that there is this reaction to Apple’s encryption system. Seems it is highly resistant to prying eyes. Most important it encrypted all the way through which means there is no clear text or voice in the server’s hands that can be read with only a subpoena.
Intercepting US mail and reading it requires a court order. The public should expect no less for private phone conversations. Unfortunately official snoopers consider all communications their business even without probable cause. Justice prevails.
Re: Encryption security
“Most important it encrypted all the way through which means there is no clear text or voice in the server’s hands that can be read with only a subpoena.”
Perhaps I misunderstood what Apple & Google have done here, but my understanding is that they’re encrypting the contents of the phone itself and not keeping a key for themselves. This has nothing to do with whether or not the data is encrypted outside the phone (is the server’s hands).
Re: Re: Encryption security
As someone well versed in this, from an end user perspective, my understanding is the same as yours.
They are encrypting by default the contents of what is on a phone itself, with only the end user/owner being able to decrypt it.
Anything outside the phone (text messages, call logs, emails, etc.) is still subject to subpoena through a proper warrant. And that’s what really drives home the point about the lack of understanding on the part of many complaining about the encryption coming to these devices pretty soon. That data is still legally accessible through the proper channels. All this means is you can’t just grab a phone and go through it down the line.
Re: Re: Re: Encryption security
“Anything outside the phone (text messages, call logs, emails, etc.) is still subject to subpoena through a proper warrant”
And we need to keeping pointing out that anything on the phone is also still subject to subpoena. The only change is that the subpoena must be issued to the owner of the phone instead of to Apple or Google.
Re: Re: Re:2 Encryption security
I guess if the owner of the phone refuses to turn over the decryption key …
Re: Re: Re:3 Encryption security
Then the owner sits in jail for contempt of court until he does provide the key.
It works...
Just to let you know, the Golden Key does work. I use it all the time on Borderlands. No key, No open. Easy as that. And it is really cool cause I can use cheat engine and give me unlimited keys for unlimited weapons… But without the key you can’t open the chest. Fool Proof.
Re: It works...
And it is really cool cause I can use cheat engine and give me unlimited keys for unlimited weapons…
So… that would be a back door, right? Although the chest is right up against the wall so you’d have to scoot it out to get to a back door. Or is it metaphorical? Hm…
Encryption security
Then it’s a self incrimination rather than a privacy issue.
The owner of the phone may be someone else than the person whose name is on the purchase invoice or who pays the monthly bill.
Or the phone may have been shared among a large group of persons or it may have been acquired through second hand sale by the most recent user.
One great reason for officially refusing to hand over any password is that you by admitting knowing the password implicitly convey that you likely are aware of any potentially incriminating contents of the phone including contents planted by the police to frame you.
Loudly refusing gives the government more work and forces the issue into court where the self incrimination argument can be determined.
If asked by the police if you are the sole user of the phone just plead the Fifth and state politely that you only answer questions after assistance of counsel.
Answering that you are the sole user of the phone likely makes knowledge of the password a foregone conclusion and effectively waives any Fifth Amendment protection.
The government should have to work hard to establish that you are the sole user of the phone.
The real problem for the government in using the subpoena power to compel a suspect to turn over a password is proving ownership and the other elements sufficient to make the testimonial implications flowing from disclosure of the password a foregone conclusion.
Subpoenaing the information from a person involved in a crime may be possible, but the government doesn’t like it because it may compromise the secrecy of an ongoing government investigation.
If Bob’s phone is seized by the police, and they can get a subpoena compelling Bob to turn over the password, the investigation is no longer a secret and Bob will be on notice that he is under investigation.
If he is not immediately taken into custody,he can arrange a covert signal with his accomplishes alerting them to the fact that his phone has been seized and that everyone must immediately dispose of their codes.
Tip of the Iceberg
Regretfully, this impractical solution by the Post is only the tip of the iceberg, that just happened to be tech related.
But the world is bigger than tech. Recently, Biden made (truthful) remarks critical of Turkey. Now Biden has been forced to apologize for his supposed “gaffe”. We are living in the world of Orwell’s NewSpeak.
Social Engineering
Its already started and its a pretty big campaign actually.
This morning’s news had a long piece about a cop who “pimped out his wife” and sold drugs, among other crimes, and was caught ONLY because investigators had the use of “the backdoor” to read his incriminating emails.
The spokesman (I missed his name) claimed they “would never have caught the guy” if his cell phone had the new full encryption that was planned to be put in place by Google and Apple and other manufacturers soon.
It really does seem to be that the cops are going to claim repeatedly that lack of encryption is essential to the capture of criminals. I guess before cell phones, criminals had to arrest themselves and confess on paper before the cops could catch them.
You can’t really blame the bad guys in white hats for trying to prevent encryption though. After all, they’ve spent millions of tax payer’s dollars and many years making sure that Americans have the least secure communications on earth.
A step forward for the public is a step backwards for the folks in law enforcement, because then they would have to go back to using barbaric detective work, savage investigation analysis and old fashioned common sense.
Techniques which apparently, never worked and never caught any bad guys.
—
Re: Social Engineering
Techniques which apparently, never worked and never caught any bad guys.
Don’t you remember the headlines in 1983? “Cellular phones go on sale; police predict some crimes can now be solved”.
Phone Encryption
You could always really frustrate the feds by not having an idiotPhone in the first place.
Between the backdoors, the DRM, the camera, the microphone and the GPS you couldn’t possibly be expecting privacy anyway.
Encryption securityf
No, the Fifth Amendment allows you to refuse to disclose information that may furnish the link in the chain of evidence if the evidence may either incriminate you directly or indirectly lead to incriminating evidence.
The only exception to this rule is if the government already can establish from an independent source that you knows something.
Also remember that the civil contempt power is time limited because it’s not intended to be punitive.
Criminal contempt is an entirely different beast and you can in fact be sentenced to real punishment for criminal contempt.
But criminal contempt requires proof beyond a reasonable doubt.
I want Google and Apple to provide magic gold.
Not exactly equal
While true that no back door or golden key is needed for a number of reasons (some of them you also mention), the two solutions are not equal.
A back door, while it could mean anything, conventionally would be a feature implemented in the software on the phone, that would allow anyone knowing it get around the encryption. It could be anything like a hidden key on the phone, a software service that would leak a few bits of the encryption key, etc. The point is that all the info is on the phone and thus can be found out by only looking at the phone OS and, once found out, can be utilized by having only the phone.
A golden key, on the other hand, is controlled by the phone manufacturer, so utilizing it means their help. Now true, that by a golden key, the WP authors probably really meant a single key, so if that leaks that would make the two equal. The ‘golden key’, could however be a per phone one (stored or generated on demand at the manufacturers) which would mean that just because the law enforcement guys got hold of a key, they cannot pass it on two the criminals or the other agencies to use it to unlock other phones. Of course, criminals could still steal these from the phone manufacturers which is a real danger.
I agree with you that phones (AND clould storages!) should be encrypted, just saying that the threat level is not 100% equal in both cases.
Also, even if google and apple give in, criminals and privacy aware citizens will still be able to get around this with custom ROMs. At least in the case of android.