
FBI drives for encryption backdoors - Goronmon
http://arstechnica.com/tech-policy/news/2010/09/fbi-drive-for-encryption-backdoors-is-deja-vu-for-security-experts.ars
======
zacharypinter
With Twitter, Facebook, Foursquare, GPS transmitters, satellites, Google,
upcoming facial recognition queries, DNA, fingerprint databases, and more, law
enforcement has more tools at their disposal than at any other time in history.

It seems rather lazy and short-sighted of them to be pushing to compromise the
security of all forms of encrypted communication just to make one aspect of
their job a little easier. Besides, the Internet is global, so even if they
succeeded, they'd simply push the innovative technology to other countries
where it's still easily accessible to everybody except U.S.-based businesses.
How does that make our country more secure?

------
mortenjorck
_In the New York Times story that unveiled the drive, the FBI cited a case
where a mobster was using encrypted communication, and the FBI had to sneak
into his office to plant a bug._

Why is this referred to in a way that suggests it is somehow not a routine
part of serious police detective work?

~~~
kaiuhl
Good question. What's wrong with serious police, detective, or spy work in
these extreme edge cases where encrypted communication is a crucial piece of
evidence?

This seems incredibly lazy and irresponsible.

~~~
grandalf
That's what they're trying to avoid needing to do.

------
jdavid
This is so lame. It means the end of encryption for honest people. This is
dumb for 2 reasons.

#1 the backdoor secret will FAIL, as it has for every DVD, BLU-RAY, XBOX, PS3,
etc... DRM device. So criminals will be able to read all encrypted
(obfuscated) data.

#2 people who want to hide illegal data will.... use real encryption.

This is like banning guns. Which oddly has the opposite effect in reducing
crime. I wish Lawyers and Politicians had to pass engineering school
first. I swear, passing the LSAT doesn't seem to prove anything about one's
actual logic skills.

~~~
eru
Are you sure about the guns? Britain doesn't seem too bad in terms of crime to
me, despite not having a lot of guns around here.

~~~
b-man
The same argument could be made for the reverse side and against your
proposal. For instance, Canada and Switzerland have a liberal gun policy, and
Brazil has a somewhat restricting policy. [1]

[1] <http://en.wikipedia.org/wiki/Gun_politics>

~~~
eru
Indeed. So maybe there's no correlation whatsoever? I guess it does not matter
to the argument about encryption, though.

------
vault_
Backdoors for the government into all encrypted services required by law? I
don't see what could possibly go wrong.

~~~
jjcm
Here's the outcome that I see happening:

The general public won't notice/know about a difference; the people who use
encryption and those who have something to hide will switch to something that
doesn't have a back door, thus defeating the entire purpose of the law; and
black hats everywhere will smile like it's Christmas morning.

------
wheaties
This, unfortunately, is a losing war. With no mechanism in place for the
"winning" side to stop the "losing" side from trying again, often with the
same arguments but different ears, eventually the "loser" will turn into the
"winner." More to the point, even if the larger picture remains the same, the
losing side will continue to attempt to chip away piece by piece any such
protections.

Don't believe me? Look at our park system. We've come out and said time and
again that the trees in our parks are important. That is, until we sell 30
acres here to pay for this. Then 30 acres there to sell to pay for that.
Eventually some of the parks are half the size they used to be. God help the
redwood trees.

~~~
jrockway
I think regardless of the laws that the government passes, people will still
be able to use secure crypto. Look at the war on drugs -- anyone that wants
drugs can easily get them, they just cost more than they would otherwise, and
the taxpayers have to pay billions of dollars a year to provide free room and
board for anyone that keeps too many drugs in one place.

If you are committing treason, or something, the price of going to prison for
using PGP is much less than the death sentence you'd get if you sent the
messages in the clear.

I also don't see laws against crypto (and steganography) really being
effective. A law is one thing, convicting people for violating them is
another.

Think about what a tough time the government has in bringing cases against
criminals. It's 50/50 as to whether or not they can convince a jury to convict
when they have a security videotape of the accused gunning someone down. "And
here we see the defendant discharging his handgun into Ms. Smith."

Do you really think they're going to be able to get convictions for people
alleged to be hiding encrypted data in normal streams? "It's clear from the
noise pattern in this image that there is a hidden bitstream in the low-order
bits. This means that anyone exchanging this image is probably forwarding on
encrypted terrorist communications. We can't actually prove this beyond a
reasonable doubt... it is possible that they used a buggy version of Photoshop
when they were resizing it for their lolcat blog. But probably terrorism!!"

I am not losing much sleep over this.

~~~
makmanalp
If you possess drugs, you're following illegal conduct, and you can be fined or
imprisoned. Similarly, if we end up with a government OK'd list of crypto
schemes, those of us who use strong crypto legitimately will be criminals.
Also, in the UK, you can get charged for not handing over encryption keys.

~~~
jrockway
_If you possess drugs, you're following illegal conduct, and you can be fined
or imprisoned. Similarly, if we end up with a government OK'd list of crypto
schemes, those of us who use strong crypto legitimately will be criminals._

Well, yeah. But you have a right to be tried by a jury of your peers... who
probably won't understand crypto. (The "drugs are bad... except coffee and
cigarettes and high fructose corn syrup" propaganda caught on pretty well, so
you are probably stuck there. But there is no "strong cryptography is bad"
rhetoric out there, and it will be hard to argue for -- the opposite is "the
government is trying to steal your credit card number".)

Anyway, the whole point of the Constitution was to allow people to do things
that the government didn't want them to do. Using strong cryptography is the
modern way for one to "be secure in their persons, papers, and effects,
against unreasonable searches and seizures".

Finally, it seems that this round of laws is directed at service providers
that store encrypted messages; the government wants you to be able to read
everything passing through your network. Of course, you do not control the P2P
network that your movies and phone calls pass through, so this law has limited
effect. Even then, if end users provide their own encryption, that's out of
the scope of this law.

The government cannot read every packet that passes over the Internet.

~~~
poet
_But there is no "strong cryptography is bad" rhetoric out there..._

How about Tor being used for CP? That's a pretty prevalent and well known
argument. Any competent lawyer is going to be able to spin the same argument
for strong crypto.

~~~
jrockway
And a competent lawyer on the other side is going to say, "online banking".

I mean, guns are still legal, right, despite the fact that people murder each
other with them.

~~~
poet
I agree with you on a logical level, I just don't think that's how it plays
out in the average voter's/politician's mind. The logical leap between guns
and Tor just isn't made in practice.

~~~
jrockway
I feel that this is an issue for the courts rather than the representatives,
and the courts are less influenced by Joe Gun-nut than the elected officials
he directly elects.

So while surely there will be some new law censoring the Internets, the courts
will probably strike it down.

(I mean, are we really going to send people to prison for not upgrading their
ssh servers? I doubt it.)

~~~
niels_olson
I just want to be clear: you're not arguing about the merits, just that you
shouldn't care? Is that an efficient use of time?

------
loewenskind
I hope the internet wins this "government vs. internet" fight. This kind of
thing is so ignorant as to be insulting. The best DRM the industry has been
able to come up with so far was broken before it was even released. Does the
FBI seriously think that if they put in back doors that people won't get them?
At that point all internet communications may as well be plain text.

~~~
bincat
Unfortunately most people don't care or don't care to know.

On a side note, why not have our own separate internet? I've been thinking
about OpenVPN tunnels between dedicated servers and letting users connect to
them over VPN links, of course. This would form a closed network with services
inside. It's a sad commentary, but having a privacy-friendly network sounds like
a breath of fresh air just 20 years after the Internet took off.

~~~
CountHackulus
What you're proposing there sounds a lot like the Xnet in Cory Doctorow's book
Little Brother [1]. But I do agree with your comment that it's a sad
commentary about the state of government and regulation, that a private
network like this sounds like a pretty good idea.

[1] Available for free straight from Cory Doctorow:
<http://craphound.com/littlebrother/download/>

~~~
bincat
Thank you for the link. Looks like a good read.

My idea of the network like this is more about privacy than anonymity. And it
shouldn't be too hard to set it up. I am just bouncing the idea around to see
what others think of it.

------
Jach
Does this include whatever communications systems the government uses?
Wikileaks' job could get even easier.

------
RK
Here's what I really think

\-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/Linux)

=uUi8 \-----END PGP MESSAGE-----

~~~
calloc
Can I borrow the private key for the public key that was used to create this
message?

------
rbranson
As cliche as it is, the old saying "If X is illegal, only law-breakers will
use X" applies here.

~~~
memetichazard
That's a tautology. And the set of law-breakers is neither a subset nor a
superset of the set of immoral/unethical/bad/evil people.

~~~
hcurtiss
That may be, but I think most would agree that law-abiders should not be, ipso
facto, barred from activity that is not necessarily
immoral/unethical/bad/evil.

------
waterhouse
I have implemented RSA encryption and key generation in DrScheme while sitting
in my computer science class in high school. (Well, probably I did some of the
work at home.) Please don't tell me that's supposed to be illegal.

On the other hand, if the article is to be interpreted strictly, as only
making it illegal for _online service providers_ (is that supposed to mean
ISPs, or anyone who provides a service online?) to _offer_ encrypted
communication, then it will make it more inconvenient but by no means
impossible to encrypt everything that you do. In other words, it'll be totally
ineffective against serious criminals; but I thought stopping them was
supposed to be the justification for a law like this.

I am mad.

------
jbarham
Don't they simultaneously also have to ban all forms of encryption without
backdoors?

~~~
redstripe
There is some value in just forcing a backdoor on manufacturers without a ban.
Plenty of people only get the benefits of encryption because it is on by
default.

However, to be truly effective, yes they would have to ban other forms of
encryption - this obvious inference was totally ignored in _all_ news I read
or saw of the clipper chip in the 90s. A sad illustration of the prevalent
shallowness in mainstream tech reporting.

~~~
iuyfgtrghjk
The real problem with the clipper chips was the start of international
communication - which meant the USA had to agree with Europe, Japan, China etc
to share the keys.

Same thing here, if the US has a backdoor into https/ssh, then the EU will
also want one, and Russia, and China, and India and the Middle East. How long
is your online shopping going to be secure when Nigeria or Somalia has the
official government backdoor into your bank login?

So we can thank Amazon/Visa/Apple for quashing this one.

------
tptacek
You don't come to HN just to hear what you already think, so in that spirit
here's what I think.

First, from what I can see, everything we know about this proposal was
filtered through an NYTimes reporter. In other words, we have no idea what the
specifics of the proposal are. The issue that's lighting everyone up is the
"likely" requirement that "Developers of software that enables peer-to-peer
communication must redesign their service to allow interception."

This, to my eyes, could mean one of two things: either (a) the DoJ expects
independent developers to backdoor any voice app implemented with encryption,
or (b) the DoJ wants a lever to use to get Skype to comply with law
enforcement investigations.

Option (a) is crazy-talk and won't happen, if only because there's already
judicial precedent for the idea that source code is a protected form of
speech; you can't ban encryption in the US, and we're epsilon from overturning
the idea that you can even restrict its realization in an actual product from
international commerce. A more pragmatic reason this could never happen is
that industry wouldn't allow it, and contrary to the notion of the government
as a big clumsy untethered gorilla that can run wild, it actually is difficult
to pass and enforce laws that incur 8-figure costs at Fortune 500 companies.
It's also too easy to lobby against.

Option (b) is where I will annoy the hell out of you, because I don't think
this is a totally unreasonable thing for the DoJ to pursue (whether they
should actually _get_ it is a separate issue).

In the United States, we don't actually have a right to be free from
investigation. We don't even have an enumerated right to privacy! We're free
from unreasonable searches and seizures of property, and court-authorized
wiretaps simply aren't unreasonable in our jurisprudence (or even our common
sense understanding of the law).

My crypto-fan acquaintances on Twitter are fond of pointing out that this
proposal would do nothing to catch Bin Laden, which is of course true (no law
will). But I don't think this is about Bin Laden; I think it's about
garden-variety prostitution rings, racketeering investigations, drug and weapons
smuggling, and other day-to-day law enforcement issues. As I understand it,
wiretaps are an integral part of these kinds of criminal investigations, and
it is a bona fide problem for LEOs that voice communication is moving to
encrypted IP networks.

The reality, again as I understand it, is that 80% of criminals are simply too
stupid to migrate from Skype to something more secure to avoid wiretaps. So if
this is a law that basically says "people should not be immune from wiretaps
_by technological default_", well, that seems sensible. If you care about the
security of your voice comms, set something more secure up.

It's hard for me to get too up-in-arms about the idea that the FBI wants to
tap Skype, since they can already tap GSM and they can already tap my
land-line phone.

Some people, I think, feel intruded upon since this represents the FBI
treading on their own personal technology. But remember, with a court order,
the FBI is already capable of backdooring your machine with surreptitious
keyloggers and all manner of other doohickeys. This rather moots any "P2P
encryption" you might be relying on.

~~~
joe_the_user
_We don't even have an enumerated right to privacy!_

The right to privacy is made explicit in many places, especially judicial
precedent. It just isn't explicitly stated in the constitution.

<http://en.wikipedia.org/wiki/Griswold_v._Connecticut>

"While the opinion in Lawrence was framed in terms of the right to liberty,
Kennedy described the 'right to privacy' found in Griswold as the 'most
pertinent beginning point' in the evolution of the concepts embodied in
Lawrence..."

That would qualify as "enumerated" to me.

~~~
tptacek
Let's avoid a rathole, stipulate that privacy is a Constitutional objective
recognized by the Supreme Court, and re-focus on the fact that you clearly
don't have a right to be free from wire taps.

~~~
joe_the_user
Well... in the process of investigating and punishing people, the justice
system pretty much inherently must negate many otherwise recognized rights.

You do have the right to be free of wiretaps - except in the course of a
court-ordered investigation. You have a right to not be a slave - except when
you violate the law and the state forces you to work, etc..

This is why it's important to limit the purview of government, why even if we
allow prosecutors to spy on people, we might not want them to _easily_ spy on
people, etc.

~~~
tptacek
We don't want them _easily_ spying on people, but we might not want it to be
_virtually impossible_ for them to spy on people _by default_. I use the word
"might" because I myself am not sure. But I definitely see the dilemma they
face, and my reaction to it is not knee-jerk.

------
mcantelon
Bad idea. CALEA mandates this with normal telephony. This, in part, led to
Israel getting the power to wiretap US calls as they sold America intercept
gear:

<http://www.antiwar.com/orig/ketcham.php>

------
d2viant
This will just push the encryption down from the service provider to the
application layer.

~~~
gregory80
True, but from the phrasing in the story, it appears any company encrypting
data will be required to provide the FBI a backdoor, including the application
layer.

What I find interesting / related is Google, Yahoo and other internet
companies and ISPs are pushing for less invasive probes from the DOJ
(<http://news.cnet.com/8301-13578_3-20002423-38.html>), maybe the Feds need
some draconian laws to bargain with.

------
simonw
How would this affect SSH? SSH is a great tool for encrypted communication -
using tunnelling, obviously - but I can also SSH in to a server and edit a
text file there, then tell my friend to SSH in and read it.

~~~
jasonjei
Even greater is the use of VPN. VPN tunnels your entire Internet connection to
the gateway of the VPN gateway/server.

------
onedognight
_I was at meeting of the White House and the very same officials backing this
were talking about the rollout of DNSSEC._

Of course they were. DNSSEC has a centralized key and therefore already has
the proposed backdoor.

~~~
rsingel
DNSSEC is signed, not encrypted.

------
holychiz
I'd support encryption backdoors if they implement it similar to the
backdoors in the existing telephony system. They must get a warrant to tap
your telephone line and by law, the telecom company must comply. That's why
all telephony switches have these "features" that can "copy/record" telephony
packets for law enforcement purposes. If people don't have a problem with the
existing system, I don't see why they would have a problem with data
encryption backdoors.

~~~
gergles
"Lawful intercept" backdoors like the one you described have been abused in
countless cases (google it, you'll see - the example that comes to mind is the
Greek Olympics scandal). People are fighting this because the existing system
is rife with potential for abuse, and anything else that opens up more
potential for abuse/intimidation/corruption is a bad idea.

------
anonymous236
I wonder what implications this could have for PKI systems. Forcing OS vendors
to include trusted FBI CA certificate to enable forging SSL certificates on
the fly would seem like a logical thing to do... if it's not being done
already.

~~~
dfranke
Considering that vendors already include Chinese government CAs _voluntarily_,
I don't think they'll have to be forced into much.

------
stavrianos
Check me on this, but isn't encryption basically a solved problem? In which
case, isn't it a little late for this? We have the encryption, there is no
backdoor, and legislation won't make it so.

------
nkassis
Someone should organize a viewing of this film in DC:
<http://www.imdb.com/title/tt0427461/> Maybe then they would get the point.

------
pilom
After reading the Times article, I don't see how TOR would be affected. Tor
ensures Anonymity not Privacy. Tor just obfuscates who you are talking to,
not what you are saying. A warrant to your ISP will get everything you say
over TOR (assuming you aren't then encapsulating inside one of the other
encryption mechanisms listed).

~~~
bincat
Correct me if I am wrong but I think all communication between the TOR nodes
is encrypted. So if you run a node locally (as you should) nothing is
revealed. However if you just configure your browser's proxy settings to use
outside node all bets are off. Everything should be encrypted from entry node
to exit node.

~~~
jdavid
It depends on how many nodes the listener has ownership of. Just as a point,
the Military started TOR. So how many TOR nodes do they have?

At DEFCON I have seen several man in the middle attacks on TOR, the most
successful of which required only 50% of the nodes.

~~~
uxp
If you own and operate a node which someone is using to route their packets
through, you can effectively listen in on those communications. TOR does
encrypt its communication between nodes, but it is decrypted, inspected, then
encrypted in order to pass through a node, so any packet on a node is for a
moment, unencrypted, if the original communication did not have any secondary
encryption applied to it.

~~~
bincat
I am not sure it works like this. You can only listen on communication if you
are the first node (you will know the contents, where traffic comes from and
the destination) or the last node (you will know the contents and the
destination but not the source). And onion routing should mean that encryption
layers are peeled off as communication travels through the nodes.

<https://svn.torproject.org/svn/projects/design-paper/tor-design.html>

~~~
zargon
You are correct about the last node. But the first node knows neither the
contents nor the destination.
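
Added example (not part of any comment in this thread, and not Tor's code): a simplified three-relay onion model showing what each hop discussed in the subthread above can observe. The toy keystream cipher, JSON layer format, relay names, keys and sample request are constructed for illustration; real Tor negotiates per-hop keys while building a circuit and carries traffic in fixed-size cells.

```python
import hashlib
import hmac
import json
import os

# Constructed sample data: relay names, demo keys, destination and request.
PATH = ["guard", "middle", "exit"]
KEYS = {r: hashlib.sha256(b"constructed-demo-key:" + r.encode()).digest() for r in PATH}
DEST = "example.org:80"
PAYLOAD = b"GET /inbox HTTP/1.1"   # plaintext HTTP, i.e. no end-to-end encryption


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Stand-in only:
    unauthenticated and not the cipher Tor uses."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])


def build_onion(path, keys, destination, payload):
    """Client side: wrap the payload once per relay, innermost layer for the exit."""
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "inner": blob.hex()}).encode()
        blob = seal(keys[relay], layer)
    return blob


def relay_step(name, key, came_from, blob):
    """One relay peels exactly one layer and learns only its two neighbours."""
    layer = json.loads(unseal(key, blob))
    return {"relay": name, "previous_hop": came_from,
            "next_hop": layer["next"], "forwards": bytes.fromhex(layer["inner"])}


def route(client, path, keys, onion):
    """Pass the onion along the path and record what each relay observed."""
    views, prev, blob = [], client, onion
    for name in path:
        view = relay_step(name, keys[name], prev, blob)
        views.append(view)
        prev, blob = name, view["forwards"]
    return views


def demo():
    onion = build_onion(PATH, KEYS, DEST, PAYLOAD)   # bytes on the wire at the client's ISP
    return onion, route("client-ip", PATH, KEYS, onion)


if __name__ == "__main__":
    onion, views = demo()
    print("ISP sees payload in clear:", PAYLOAD in onion)
    for v in views:
        body = v["forwards"].decode() if v["forwards"] == PAYLOAD else "<still encrypted>"
        print(f'{v["relay"]:6} prev={v["previous_hop"]:9} next={v["next_hop"]:14} body={body}')
```

In this model the exit relay reads the plaintext request but knows only the middle relay as its source; wrapping the payload in TLS before it enters the circuit would leave the exit with ciphertext as well.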

------
DannoHung
Sure, as long as all government encryption has to use the same setup.

------
lzw
The enumerated powers clause of the constitution does not give the government
the power to mandate standards for communication. Further, the first amendment
makes it clear that such a law is a violation of rights.

Finally, it is worth noting that the fourth amendment requires a warrant, and
existing wiretaps are done without warrants, just with "court orders" because
getting a warrant was too much of a burden.

The inclusion from all of this is that the act of enforcing this law, if
passed, would be itself a crime as there exists a federal law against
violating constitutional rights under color of law. Further, passing the law
just shows how illegal our government has become. If the government is not in
compliance with the document that authorizes its existence, then it is not a
legitimate government.

~~~
olefoo
"The inclusion from all of this...", I think you meant "The conclusion to be
drawn from this...".

And while I do think the proposed law is shockingly broad and overreaching; I
find your grasp of American jurisprudence to be lacking in several important
respects.

~~~
sdp
Which important respects?

~~~
kgo
For one, at least since the New Deal, the strict constructionist
interpretation of enumerated powers doesn't hold water. The federal government
has a pretty broad interpretation of 'interstate commerce' which supersedes
the list of 'enumerated powers'. Since the internet crosses state lines, it's
interstate commerce.

For example, if the government can't constitutionally control communications,
the FCC is illegal. And yet it hasn't been shut down by the Supreme Court or
Congress.

~~~
aswanson
Perhaps it should be.

------
barnaby
I rarely get outraged by political news anymore because I'm so jaded, but THIS
story makes my blood boil!!!! GGGRRR

If we outlaw encryption then only criminals will be able to talk covertly,
while good citizens will be abused. EPIC FAIL!

