
NSA Chief Stakes Out Pro-Encryption Position, in Contrast to FBI - sinak
https://theintercept.com/2016/01/21/nsa-chief-stakes-out-pro-encryption-position-in-contrast-to-fbi/
======
exelius
The NSA chief should be pro-encryption: the presence of backdoors in
encryption (as demanded by some US law enforcement officials) creates a
national security threat. Period.

If law enforcement needs access to encrypted data, they already have a few
different ways. They can subpoena the data and throw the person who controls
the key in jail until they release it, or they can just brute-force the
encryption in cases of extreme national interest (it's too expensive to do for
run-of-the-mill crime, but they have the capability if they really need it).

IMO the entire goal of encryption tech should be to make the government incur
significant costs for every invasion of privacy they feel they have to
perform. That way, they have the power to invade our privacy (and I don't
think we as a populace can really stop them from having that power) but it's
so expensive / cumbersome to use they really only use it in extreme cases. I'm
fine with privacy being broken by the government on a case-by-case basis; the
danger is when the government does a dragnet on everyone.

~~~
derefr
> They can subpoena the data and throw the person who controls the key in jail
> until they release it

I think, a lot of the time, they want to read data from a device owned by
someone who's not jailable any more—i.e., dead people.

Reading data off the phones of murder _victims_—the activity you'd expect
"digital forensics" to properly refer to—would be pretty useful, if it were
possible. I imagine a lot of police work has gotten harder in the move from
"little black books" and feature-phone contact lists to everything about a
person's contacts/calendar/call history/etc. being on an FDE-ed smartphone.
Manufacturer key escrow services seem _almost_ sensible in this light.

The other use is in reading data off devices of someone who's already dead
because law enforcement just killed them. I can see both good and bad outcomes
of that: if it were quick to do, it would help to map e.g. a hired hitman to
their client, or a gang-member to the gang-leader. But it would also
encourage/enable "shoot first, ask questions [to devices] later" tactics,
which is just plain horrible.

~~~
batbomb
You can subpoena google for the calendar and email, Apple for iMessage
routing, and the phone company for phone calls and texts. You can even get
emergency warrants for that kind of thing. Then you subpoena all those
contacts.

This idea that the immediate access to all of an individual's information is
necessary for law enforcement to do their work is a farce, especially
considering the propagation of private and public security cameras. The same
logic is used to justify torture, expand SWAT and procure urban assault
vehicles. These things are almost always unnecessary, impractical, or
unreliable.

Yes, people can be extremely careful to avoid police. That's not the average
case, and we shouldn't optimize our law enforcement for it.

~~~
derefr
Aren't _active criminals_ generally extremely careful to avoid police (by,
e.g., using burner phones?) And isn't law enforcement mostly _about_ catching
criminals? I don't see why law enforcement would be about anything _other_
than figuring out how to catch people who are extremely careful to avoid
police.

I don't disagree with your first two paragraphs. I just think the average
criminal of this generation is well aware of the idea that they need to avoid
putting incriminating data "in the cloud", to about the same degree that
they're aware of the idea that you have to wear gloves to avoid leaving
fingerprints.

~~~
khuey
No, most criminals aren't that smart.

~~~
alaaibrahim
You mean criminals that get caught.

~~~
Laaw
We know basically nothing about the ones who don't get caught.

~~~
Jach
Though we do know some things about what people have done to evade (and
continue to evade) capture. I link this story around and wish politicians knew
of it:
[https://web.archive.org/web/20130119025623/http://dee.su/upl...](https://web.archive.org/web/20130119025623/http://dee.su/uploads/baal.html)

------
micah94
I would hope so. It's kind of their job. They've also published guides for
strong encryption and best practices for operating systems for years. You
dismiss their wealth of knowledge at your peril.

The FBI just wants to throw you in jail. What do they publish? Lists of people
they want to throw in jail. Anything that stands in their way of throwing you
in jail is bad, including your encrypted phone.

~~~
spacecowboy_lon
That is the problem with the FBI doing ordinary police work and secret
squirrel stuff: the two roles get in each other's way.

~~~
mst
Right. When I try and figure out how to compare the FBI to British law
enforcement I end up with "MI5 smashed together with Special Branch plus SOCA
plus a bunch of other specialist bits" ... and I'm pretty sure if we'd done
that it'd've been an unmitigated disaster just the same.

It was notable that there was a very brief "scandal" that MI5 had found
evidence of child molestation but ignored it because they'd only found it via
their ability to ignore due process in the name of national security and
therefore since the information wasn't a national security issue it was filed
under "not usable".

Cooler heads pointed out repeatedly that that was how it had to work to
preserve due process, and it didn't stay news for long; this was, to me, the
correct outcome.

(of course GCHQ is a whole different kettle of fish)

~~~
walshemj
And if you read the official history of MI5, the one time an ex-policeman was
put in charge didn't go well - and that's the official history, which is going
to be circumspect.

The FBI should have been reorganised along with the Secret Service and BATF
after Hoover died into two organisations, one doing MI5's role and one as a
federal police force.

~~~
fnordfnordfnord
I think the FBI should have been burned to the ground after what Hoover used
it for.

------
nickpsecurity
NSA chief can easily be pro encryption in public while breaking, subverting,
and bypassing it in private as they always have. So, it's a smart position
from a political standpoint. Action movie equivalent of being perceived as
James Bond while pulling off super-villainy at the same time. Win win!

------
laotzu
If the number one security vulnerability is the human element, then shifting a
system's security from autonomous unbiased code to the human element is
necessarily decreasing security.

Advocates for such are either deliberately malicious or grossly negligent.

------
jostmey
A play for political power. The NSA probably doesn't care if data is encrypted
---they most likely already have a back-door to take data before it's encrypted
or after it's decrypted. So if encryption is used, the FBI will be dependent on
the NSA.

~~~
nickik
I disagree. While they try to build backdoors, it's not that simple. Even if you
have a backdoor to every laptop in the world, it's not an easy thing to smuggle
out lots of data without people noticing.

We know from Snowden that they do not have backdoors into everything.

It's about economics: if they can listen in on the exchange it's essentially
free. If they have to backdoor every end user device, it's gonna cost a literal
shit ton of money.

~~~
throwawayaway
[http://tech.slashdot.org/comments.pl?sid=8623643&cid=5131565...](http://tech.slashdot.org/comments.pl?sid=8623643&cid=51315653)

It's really pretty damn easy.

[http://tech.slashdot.org/comments.pl?sid=8623643&cid=5131356...](http://tech.slashdot.org/comments.pl?sid=8623643&cid=51313569)

Win 7, 8 and 10 are done. OSX has Spotlight upload to Microsoft in plain
sight. What else does OSX have under the hood? Phones are pretty much a
foregone conclusion in my estimation, with the exception of CyanogenMod or
something.

------
barkingcat
They are pro encryption because they can already crack the algorithms (or
already have funding to brute-force them). Of course they'd be pro-encryption.
It's their job. They are also a state-actor.

~~~
deelowe
> They are pro encryption because they can already crack the algorithms

Got proof of that?

~~~
exelius
Nobody has any proof, but it's strongly suspected. The NSA wrote or had a hand
in writing every widely-supported encryption algorithm, and they have a
military-scale budget (seriously; the NSA's non-clandestine budget is larger
than the entire military budget of every country except the US and China) to
spend on hardware to brute-force encryption. Cyberwarfare is a top strategic
priority of the US Military, and cyberwarfare is made much easier when you can
break encryption.

They have the motive, the resources, and the knowledge to break encryption
routinely. It's also standard tradecraft for a spy agency to hide any proof
that they have a capability to create uncertainty among their enemies whether
or not they do. So no, nobody has proof that the NSA can break encryption, but
we do have proof that they have everything they would need to develop that
capability.

~~~
deelowe
So, no?

Brute forcing the strongest forms of modern crypto theoretically would take
unfathomable amounts of energy and/or time. It's not a matter of bigger
datacenters or faster hardware. Without discovering a flaw (which we have no
evidence of) or inventing completely different computing paradigms (which
don't exist) there's no reason to believe this is possible today.

Sure, some cryptography is weak and it's well documented. Others, well, we'd
need a Dyson sphere to brute force...

~~~
noir_lord
> Others, well, we'd need a Dyson sphere to brute force...

Not that I'm disagreeing with you but the German High Command thought much the
same about the Enigma.

The only rational response in the face of the Snowden leaks is to assume
everything is compromised and either defend in depth or simply not commit it
to a computer (under the assumption what you are keeping private is _that_
important).

If I was a high end cryptographer or someone in that sphere I'd also likely
(if they aren't already) be using an air-gapped machine; the threat is that
pernicious.

~~~
deelowe
Snowden has stated that he doesn't think modern encryption algorithms have
been compromised.

~~~
noir_lord
Which is reassuring but not absolute; if the NSA did have the ability to break
that stuff the strategic advantage would be so high it might be classified at
an entirely different level.

It is of course impossible to say without evidence.

------
JustSomeNobody
I am glad to hear someone making sense. All this handwavy let's just outlaw
encryption babble is getting old. There are serious consequences to outlawing
encryption.

Oh, and if terrorists are hell bent on attacking, they will do so with or
without encryption. And no amount of data collection is going to stop them if
they plan well enough.

------
o0o0_ooo
Wasn't this the whole situation with Dual_EC_DRBG? As far as I understand
(which may not be that far when it comes to cryptography, admittedly), the NSA
has already been caught intentionally weakening cryptographic standards via
its influence over the NIST and by paying RSA.

[https://en.wikipedia.org/wiki/Dual_EC_DRBG](https://en.wikipedia.org/wiki/Dual_EC_DRBG)

 _RSA makes Dual_EC_DRBG the default CSPRNG in BSAFE. In 2013, Reuters reports
this is a result of a secret $10 million deal with NSA._

 _According to the New York Times story, the NSA spends $250 million per year
to insert backdoors in software and hardware as part of the Bullrun program._

------
jlarocco
I'm not sure this means much.

Several popular encryption schemes have been developed by or heavily
influenced by the NSA (including algorithms mandated by FIPS and other
government organizations), and there has been a lot of speculation that they
added backdoors to AES and other algorithms.

So in reality they've had the ability to add backdoors all along, and it's in
their best interest to keep it a secret whether they've added one, so it makes
complete sense that their chief would say this.

------
mariodiana
There are two main points in this debate. Number one, we cannot abide having
encryption weakened with back doors. Modern society relies on strong
encryption. Number two, no amount of "magical technology" is ever going to
replace human intelligence. The front lines in the war on terror are made up of
human infiltrators and turncoats, not ones and zeroes.

------
nickik
He is most definitely not pro encryption. He is just against legal access by
other agencies. He wants the NSA to have a backdoor into every possible crypto
system and make them the organization everyone else has to come to for their
data.

------
Golddisk
Not particularly surprising, the government has ways to get around the
encryption anyways, it just takes longer than if they had the backdoors to go
through.

------
kriro
Guess we know which agency has the working quantum computers ;P

~~~
ytdht
That should be considered a backdoor, unless they make their findings about
quantum computing public (the same goes for undisclosed "0-day" bugs that they
discover).

~~~
caskance
In the house analogy, it's less of a backdoor and more like just walking
through the wall.

~~~
ytdht
I'm not sure about that, but if you are right, that would be even worse ...

------
multinglets
Wait, so which department is the FBI under and which department is the NSA
under again?

... ah never mind, I'm sure that doesn't mean anything.

------
njharman
Probably because NSA can break most encryption.

------
macawfish
Maybe that's 'cause the NSA has secret algorithms to factor large numbers with
quantum computers 0_0

:p

~~~
informatimago
I would think so too.

But it should also be noted they have the mandate to protect through encryption
and system security the data and secrets of the US government.

On the other hand, the job of the FBI is to catch (some) criminals; they don't
care much about anything else.

