
FBI renews broad Internet surveillance push - d0ne
http://news.cnet.com/8301-13578_3-57518265-38/fbi-renews-broad-internet-surveillance-push/
======
luu
Even if we (dubiously) assume that the FBI's proposed solution is technically
impeccable, and can't be comprised, what solutions exist to prevent people
from social engineering their way to the data? Heck, what prevents corrupt FBI
agents and federal IT staff from just accessing the data themselves?

Of course, the same worry exists for the data at each individual company, but
at least those breaches are limited to a single company's data. And, from what
we've seen, externally, it seems like at least some companies are more
interested in protecting privacy than covering things up. When Google found
that an engineer was using his access to stalk someone, he was fired, and the
indecent wasn't covered up. It's not uncommon for companies to tell users
about security breaches in their own product that would otherwise have gone
completely unnoticed (e.g., Pinterest announced a security flaw they had
rather than just silently fixing it).

Conversely, in most cases of police and government corruption I hear about,
the news breaks after a failed cover-up. No doubt I don't even hear about most
cases, because they're swept under the rug. I don't have a particular fondness
for Google's employees or process, but, given their track record, I trust them
with my data a lot more than I trust some random government employee.

Moreover, if this law gets passed, why would serious criminals continue to use
any of these services? This strikes me as having the same impact as most anti-
piracy measures: highly inconvenient to non-criminals (in this case, when data
gets leaked to actual criminals), but completely ineffective against real
criminals. Not to mention the effect on the companies themselves -- I'm
certainly not going to use a Chinese email service, because I don't want the
Chinese government reading my email. What's an EU citizen going to do if this
law is passed?

~~~
mtgx
This is why I always laugh at NSA or FBI proposing ideas such as this because
they _need_ this to defend the country against "cyber threats". If anything a
centralized solution like this where NSA has access to a lot of private
companies's data would only make national security weaker and the country more
vulnerable to attacks because of such single points of failure.

~~~
bediger4000
Yeah, me too with respect to laughter.

On the other hand, the FBI and NSA aren't full of total idiots. They must
realize that centralized solutions have these huge problems. Do they believe
they can secure against the potential universal data breeches, or do they have
some overriding ulterior motive that allows them to accept the risk?

~~~
kabdib
But it doesn't take much idiocy to make a mistake (keep passwords in cleartext
in a database, leave unpatched machines open to the wild, allow SQL inject
attacks, etc.).

Security needs to be taken seriously at a practically fractal level.
Historically the FBI has not been good at this.

------
jevinskie
This is why strong, asymmetric crypto is necessary. I'm worried that the US
government will try to put the genie back in the bottle and go back to the
90's where strong crypto was considered a munition not suitable for export [0]
and when they wanted all "secure" telecommunication to include an NSA backdoor
[1].

[0]:
[http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_in...](http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation)
[1]: <http://en.wikipedia.org/wiki/Clipper_chip>

~~~
jonmrodriguez
Also use much much much longer keys than even a dedicated ASIC manufactured
with a futuristic 3 nm technology could crack. Since these spooks are storing
the data forever (e.g. at the Stellar Wind facility in Utah), then in a scary
future where the USA no longer represents freedom but is instead arresting
citizens for political reasons, they could use faster future hardware (even
quantum if that's possible) to crack your current data and get you for
30-year-past misdemeanors. I wish the founding fathers were still around to
talk some sense into the current "big surveillance" faux-patriots.

~~~
harshreality
Protecting symmetric crypto against quantum computers in the future requires
doubling the key length. AFAIK that's the main reason for 256 bit symmetric
crypto today.

Protecting commonly deployed asymmetric crypto against quantum computers [1]
in the future is AFAIK impossible. Shor's algorithm and the ecc/dlp variants
turn factoring, dlp, and ecc dlp, into BQP problems. Key lengths to protect
against quantum attacks would render rsa, ecdsa, dh, and ecdh much too
computationally expensive.

There are some alternatives like NTRU (lattice-based crypto) but none are in
wide use, and patents don't help that situation.

[1] _real_ quantum computers... there is still plenty of skepticism about the
capability of d-wave's devices. <http://www.scottaaronson.com/blog/?p=954>

------
zoowar
One person's backdoor for police is another person's backdoor for criminals.

~~~
randomchars
Well said. I'd love to see how would the FBI react if "terrorists" used the
same backdoors to get into their systems.

~~~
ihsw
That is the last thing the FBI would let you see. It would be so damning that
immediate removal will be the only perceived option and the solution would
unequivocally to re-double security efforts while maintaining security holes
as much as possible.

Or switch old security holes out for new ones.

------
DanBC
It's not clear from the article what the FBI wants.

But it's important to note that most services will cooperate fully with law
enforcement when provided with valid legal documentation. (Probably a warrant
or other court order.)

See, for a good example, Hushmail. (<http://en.wikipedia.org/wiki/Hushmail>)

I guess it's better that they're asking for transparently weakened services,
and access with warrants, rather than just hiring grey-hats to hack the
systems.

------
jasonkolb
The fbi sounds like the product manager from the deepest circles of hell. I'm
sure this will do wonders for innovation in the economy.

------
3pt14159
How the hell are they going to do that?

Even if it were possible, and legal, and secure, what about the other 95% of
the world's population that can make apps outside of the US?

~~~
tijs
Interesting point. It could actually hurt american companies. With privacy
becoming a more mainstream concern people might well steer clear of companies
that have to give access to the FBI and go for european alternatives. Not that
the EU doesn't screw up but at least they seem to hold privacy in higher
regard.

------
Ntrails
Is it so unreasonable for the FBI to want to be able to 'wiretap' a facebook
conversation, with a warrant, as easily as they can do so to a traditional
phone line?

This is not to say I approve of the idea of an insecure back door into my
online behaviours, more that I wonder whether there is not at least some
validity in their desire to replicate land line style monitoring for currently
untraceable online communications.

~~~
bediger4000
Yes, it's unreasonable. Asking to make a TCP/IP/SMTP communication traceable
in the same sense as a land-line is traceable ignores the underlying
technology. It's like trying to schedule automobile rides the same way that
steam-engine trains got scheduled in 1905. I suppose that a very powerful,
very organized agency could accomplish such scheduling, but at a very large
cost, and by making automobile rides far less convenient and efficient.

~~~
Ntrails
I thought this was about monitoring rather than tracing?

~~~
bediger4000
Agreed. I got thrown by the use of "traceable" in the parent to my comment.
But I think the point still stands. Asking to monitor cross-country TCP/IP
connections (multiple routes, relaying, etc etc) is still ignoring the
underlying technology. Not to mention ignoring the market. Where "The Bell
System" used to be a nearly monolithic phone company (with pockets of GTE),
anyone can make an app. And you really can't tell well-compressed data from
encrypted data without a lot of effort.

------
alttag
Part of this push by law enforcement is likely due to the increasing
recognition of courts regarding the privacy expectations of email. Until
recently, for example, U.S. courts have considered a service provider a
"third-party", thus certain privacy protections were not available. However,
the increasing ubiquity of electronic messaging has caused courts to rethink
their position. It is natural law enforcement agencies would want to "push
back" to effectively maintain the level of access they've enjoyed previously.

------
smoyer
I won't echo everyone else's privacy concerns, though I agree wholeheartedly.
But does anyone else think it's ironic that the FBI's internal policy is named
the "National Electronic Surveillance Strategy"? That's abbreviated NESS and
has to be an homage to one of the FBI's more controversial lawmen.

Ness started his career trying to enforce prohibition ... 80 years later our
privacy is being prohibited.

------
linuxhansl
It's interesting how it is assumed that the criminals cited here are not smart
enough to find alternate ways of communication.

------
jayfuerstenberg
If this succeeds I suspect criminals will just resort to sneaker-net and
carrier pigeons.

------
Zigurd
The shortsighted aspect of this is that our government wants to order
businesses to become spy-friendly to foreign governments that have a track
record of stealing economic, industrial, and scientific data. Foreign
governments will model their laws after ours, and specify the same interfaces.

------
bashzor
This article, uncached: 237 requests, 934.01KB transferred, 8.96s (onload:
6.02s, DOMContentLoaded: 2.36s)

This article, cached: 223 requests, 75.66KB transferred, 4.84s

<http://lucb1e.com/rp/randomupload/thatnews.html>

Uncached: 10 requests, 163.10KB transferred, 0.54s

Cached: 6 requests, 0.16KB transferred, 0.19s

The only thing I did was remove html. The article looks identical, the menu
and site structure is intact, and there is a lot less clutter on the page.

Fun fact: CNET has todo comments in their production code.

