
The battle to outlaw end-to-end encryption in the U.S. is heating up - spking
https://www.expressvpn.com/blog/the-battle-to-outlaw-end-to-end-encryption-is-heating-up
======
bb88
A few years back someone was writing software that did potentially illegal
things, like more than 40 bits of crypto, which was illegal when distributed
outside of the US (maybe still is).

Their response was:

"It's completely legal as distributed. Look at the header and you'll see:

    #define CRYPTO_LENGTH 40

"

~~~
bArray
I believe it was something to this effect that prevented us from implementing
decent crypto for vehicles. There was some rule about export (possibly to the
US or out of the US) that meant there was a limitation on how secure we could
make the software. As a result, everybody ended up getting the same shitty
low-security version of the product worldwide (they wanted to limit the number
of variations for test coverage).

~~~
jtbayly
That sounds like a win for vehicle owners, honestly, given that encryption is
often used for locking owners out of the ability to change things about their
car without paying the manufacturer more money.

~~~
bArray
You might think so, but the encryption used at the time was such that only
somebody with quite a few resources (such as a government actor) could
reasonably break the encryption. It wasn't a win for owners or tinkerers.

What's more worrying is that there are a bunch of vehicles out there with
security that is going to age *very* fast compared to that used every day
(SSH, certs, etc). Consider that the automotive industry might be under
similar constraints with regards to autonomous vehicles, something a bad actor
could really cause some damage with.

------
pmoriarty
I used to view steganography as a viable mitigation strategy for the outlawing
of encryption.

Over the years, I've come to consider steganography as inadequate as a means
of mass communication, as the more people know about how to receive a
steganographic message the less effective it is at hiding the content.

Steganography is most useful in one-on-one communication where the means to
read the message is exchanged in a secondary secure channel of communication.
Sadly, this just does not scale well.

For this and other reasons, I've kind of become pessimistic about the security
and privacy of communication using computers, and even more so towards such
security and privacy being available to the masses.

~~~
behringer
The US is giving up its supremacy in most areas, but that doesn't mean the
world won't have viable encryption. It will just come from a more reasonable
country.

------
jolmg
> To make things worse, the Act proposes the creation of a hybrid bounty
> program, giving third-parties financial incentives to extract encrypted data
> following a request from U.S. agencies. In short, if the tech companies
> won’t build a backdoor, the U.S. government will pay hackers top dollar to
> use whatever means necessary to get the data for them.

Is that worse?

~~~
JamesBarney
I think it's a better solution. Far safer for the government to employ expert
lock picks than to outlaw locks.

~~~
markovbot
Only if the government tells us when they find a back door, which they
obviously would not do.

~~~
jolmg
Even if they don't, I think it's still better.

------
mirimir
From a cynical perspective, this is a market opportunity for VPN services. As
were Snowden's leaks, which hugely expanded the VPN service industry.

And indeed, using VPN services (let alone nested VPN chains and Tor) largely
obviates risks from these bills. Without cooperation from the VPN service,
gathering sufficient information for a warrant is problematic.

But I wonder. Might the US regulate using VPN services, as authoritarian
regimes already do?

~~~
downvoteme1
Doesn’t the language of this bill mean that US based VPN services will be
forced to provide their encryption keys to the government to allow to decrypt
their traffic ?

~~~
mirimir
Perhaps so. But then, nobody who seriously cares would ever use a US-based VPN
service ;) And even for US-based VPN services, I gather that a warrant would
be required, and that'd be hard with no information about what the VPN link
had been used for.

~~~
Reelin
Presumably a warrant can be obtained if criminal activity is traced back to a
specific VPN provider.

Of course that's already the case as far as I understand (ex LavaBit). I also
don't see how VPNs would be affected since they already have access to all
your traffic anyway - no backdoor is necessary.

~~~
mirimir
It depends who you mean by "they". VPN services certainly have access to
users' data. But it'd be commercial suicide to cooperate with authorities.
HideMyAss lost considerable market share after it came out that they had pwned
someone from LulzSec.

Still, it's prudent to assume that any VPN provider will give you up. And
that's why I recommend using nested VPN chains. With three different VPN
services, it'd be nontrivial for adversaries to obtain enough data.

~~~
throwawayway9
What is the best way to create the chains? Do you recommend spinning up some
Vbox images?

~~~
mirimir
Most secure would be Qubes VMs. I use pfSense VMs in VBox. So nested VBox
internal networks (yes, multiple NAT) produce nested VPN chains.

Also, you can include a Debian VM running Tor and OpenVPN in a chain. You
configure OpenVPN in TCP mode with "socks-proxy 127.0.0.1 9050". So you can
route through 2-3 VPNs, then Tor, and then 1-2 more VPNs.

Or you can include a Debian VM that crudely emulates Tor ( _very_ crudely) by
periodically switching among random chains of multiple VPNs.[0]

0) [https://github.com/mirimir/vpnchains/](https://github.com/mirimir/vpnchains/)

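As an added illustration of the "Tor in the middle" hop described in the comment above (this is not mirimir's configuration nor anything from the vpnchains repository), here is a minimal OpenVPN client config that reaches its VPN server through a local Tor SOCKS port. The server address, port and certificate paths are constructed placeholders; everything else is a standard OpenVPN directive.

```conf
# Added example: OpenVPN client hop that connects to its server through Tor.
# Server address, port and key paths are hypothetical placeholders.
client
dev tun

# socks-proxy only works over TCP; OpenVPN's default proto is udp, so this
# must be set explicitly or the socks-proxy line is rejected.
proto tcp-client

# Constructed placeholder server (documentation range). An IP literal is used
# rather than a hostname so the client does not have to resolve DNS before
# Tor is in the path.
remote 203.0.113.10 443

# Hand the TCP connection to Tor's SOCKS listener (Tor's default port 9050).
socks-proxy 127.0.0.1 9050

# Tor circuits add latency; allow for slow handshakes and retries.
connect-retry 5
keepalive 10 120

# Send all traffic from this hop into the tunnel once it is up (see caveat).
redirect-gateway def1

# Credentials for this hop (assumed paths).
ca   /etc/openvpn/hop3-ca.crt
cert /etc/openvpn/hop3-client.crt
key  /etc/openvpn/hop3-client.key
remote-cert-tls server
verb 3
```

Caveat: OpenVPN's bypass route for the tunnel endpoint covers only the address it connects to, which here is 127.0.0.1, so if Tor runs on the same host then `redirect-gateway def1` will also push Tor's own guard connections into the tunnel they are needed to build, and the link never comes up. Keep Tor's outbound traffic on the upstream interface (a separate VM, as in the nested-VM layout described above, or a policy route that pins Tor's traffic to the physical gateway), or drop `redirect-gateway` and route only the downstream hops through this tunnel.
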
~~~
throwawayway9
Thanks for the reply. Just a few questions:

It is necessary to connect to the VPN before Tor, correct?

Also, is your script essentially the same thing as multihop that some of the
better providers offer?

~~~
Reelin
The issue with multihop is that it's all from the same provider. In the event
that they were legally forced to log their network by an abusive local
government it wouldn't help you. It might be sufficient to frustrate an
adversary that only managed to compromise their operations at a single data
center though.

I question the wisdom of placing Tor in the middle of a VPN chain. By routing
your traffic back into a VPN account that's linked to you it seems like you
would lose most of the benefits that Tor provides.

* A single VPN means that the provider could link your primary ISP provided IP to your browsing history if they so chose.

* Chaining two VPNs means that neither provider can correlate your IP to your browsing history on their own. However the terminating VPN can obviously link your traffic to your payment details. Also obviously a criminal investigation involving warrants is still a serious threat.

* Chaining one or more VPNs into Tor means that you can rely on the above guarantees as a fallback in the highly unlikely event that an adversary manages to directly compromise Tor. It also hides the fact that you are using Tor from anyone that snoops your traffic at the ISP level. The latter might be very important in some jurisdictions.

* In the end, even if you only use Tor without a VPN the biggest threat to your anonymity is probably your own OpSec (or lack thereof). Ross Ulbricht is a prime example of the fact that you only have to slip up once. Related to that, it's important to be aware of all the ways that modern software and hardware leaks potentially identifying information (i.e. fingerprinting).

~~~
mirimir
Hey, that's pretty much exactly what I would have said :) And the language is
similar enough that we could be the same person ;) Except that I use sentence
fragments. And of course, the fact that we aren't.

That's a good point about using Tor in VPN chains. If you want to do that, you
must ensure that you're anonymized as well as possible from those VPN
services. When I do that, I use Tor (Whonix) via nested VPN chains. And I pay
with Bitcoin that's been mixed multiple times, using different mixing
services, and with each mix in a different Whonix instance. And I start with
Bitcoin that's not linked to my meatspace identity.

------
fanatic2pope
Looking at the other comments in here, I have to say Americans still seem way
too optimistic that the USA could not become a totalitarian state along the
lines of Russia or China.

~~~
mlazos
Idiotic legislation is proposed all the time. I can still call it idiotic and
say we need a new president. Can’t say that in either of those countries. Just
because our elected leaders suck doesn’t mean they’re totalitarian.

------
catoc
If government backdoors are really necessary, the government should be able to
provide an explanation without using the words 'terrorism' or 'child
pornography'.

------
coronadisaster
end-to-end encryption is the only way that you can keep democracy
alive/healthy

~~~
creato
Democracy has existed for hundreds of years without it.

Encryption is an interesting development. There has never been a time in
history when anything could be truly secured. Safes could always be defeated.
Communication was never provably secure.

I'm opposed to any mandated weaknesses in encryption, but I also think a lot
of the arguments opposing them are dogmatic and unconvincing.

~~~
adrianN
Communication used to be provably secure when you could meet with the person
you want to communicate with without being afraid of ubiquitous surveillance
tracking your every move and hidden listening devices (or just your phones)
recording your conversation. Until a few decades ago it was never possible to
do surveillance at scale. You had to first identify suspects and then start
surveillance.

~~~
parineum
I do all my business naked in a sound proof faraday cage.

~~~
adrianN
But how do you meet people without security cameras tracking your movement?

------
shmerl
These garbage attempts resurface periodically. Some just never learn.

~~~
DangitBobby
They have learned just fine, but the lesson is the opposite of what you want.
If the people don't want something, bring it up again and again and you can
still eventually make it law, despite the people's desires.

~~~
shmerl
Then they should be defeated again and again.

~~~
DangitBobby
It only takes winning once. It doesn't help that public opinion holds little
to no sway, and that it takes money from big players to fight it off every
time.

~~~
shmerl
Corrupt laws can be repealed. Something like DMCA 1201 looks set in stone, but
I have no doubt it will eventually be scrapped.

But I agree, if such kind of junk becomes law it's much harder to repeal it,
than to prevent it from becoming law in the first place.

------
Chiba-City
These bills are self-defeating. I suffer no affections for narcotics dealers
and human traffickers seeking anonymity, but I also suffer no affections for
"Western" bankers fixing LIBOR and NSA tapping phones of our NATO "allies." As
is, our USA "cloud" is already a Trojan Horse. At this point, Open Source and
strong encryption are already prerequisites of any imaginable national
sovereignty. If we can't "export" strong encryption, we'll just "export"
strong encryption engineers.

------
jjcon
Everyone should actually just go read the bill rather than just get news from
a bunch of sources that stand to gain or lose from aspects of it.

A ton of these claims are unsubstantiated if you look in the latest versions.
There is so much Fear slinging going on around the web it’s seriously just
bizarre to me after actually reading the bill.

~~~
michaelmrose
Lawmakers proposed a law that would allow them to eat babies. Since lawmaking
is a process this eventually morphs into a law that only allows the
eating of teenagers and then only those who also have red hair or blue eyes.

Without infinite time lots of people only know that the bill allows eating
people and aren't entirely clear on the exact criteria of people allowed to be
eaten.

A process that starts in extremely bad faith is unlikely to be negotiated into
something reasonable. The best solution is to keep threatening lawmakers who
pass stuff like this with replacement in hopes that nothing lands because
there is no universe in which they are capable of producing good legislation
on a topic they know less than nothing about.

~~~
anticensor
How is E2EE related to cannibalistic eating of humans?

~~~
callalex
It’s called an Analogy. [https://www.merriam-webster.com/dictionary/analogy](https://www.merriam-webster.com/dictionary/analogy)

