
The Encryption Meltdown - chmaynard
http://on.wsj.com/1ZuzJHA
======
droopybuns
I wrote letters to my Congress critters arguing essentially the same point

It is disqualifying that a "leader" like James Comey would argue that the
government can reasonably demand that private companies can protect customer
secrets and give the government a secret path to access those secrets, in
spite of everyone's failure to properly protect secrets (ala home depot,
target, opm, et. Al.).

This is not the argument of a serious, honest man. It advertises his ignorance
of reality and utter incompetence of judgement.

~~~
ars
So if Apple really did make an unbreakable phone then would (should) they have
the right to make Apple break it?

Let's legislate this issue now, and ignore the fact that they might be able to
break it some other way. That's a side point and not very relevant.

~~~
droopybuns
I have a mental tool that I rely on to help avoiding indulgence in silly
thoughts. I want to share it, but it sounds kind of harsh, so I want to make
sure that I am forcefully communicating the spirit of it's intention. It's a
tool that helps me- not a judgement of your comment.

"If" is for children.

The scenario you are describing is a hypothetical which is not based on the
state of software development today. We are not likely to be dealing with the
ability to build an unbreakable phone any time soon. We are certainly dealing
with the condition of failure- companies can't seem to keep data secret, even
when they want to.

Your question is built on a flawed premise. Show me a way to reliably
constrain a developer so that when they compile, the data you want to keep
secret reliably stays secret, and then I'll be happy to indulge in this
scenario. For now, we are just too shitty at developing bug free, let alone
secure software.

~~~
cortesoft
That is a silly notion... 'if' is not for children, 'if' is for conditional
statements. As software developers, we use 'if' every single day of our lives.
Stating things in the form of conditionals is very important when talking
about the future (since the future is full of conditionals).

Also, as far as 'showing you a way' that 'the data you want to keep secret
reliably stays secret'... well, that is the definition of encryption, and we
are pretty good at encryption. In fact, if we weren't, then this entire case
would be a moot point.

~~~
droopybuns
If you think we are pretty good at encryption, I'm worried that you're not
paying attention.

Matt Green captures the spirit of what a lot of us feel who are on the front
lines of infosec defense:

[https://twitter.com/matthew_d_green/status/70991989500204236...](https://twitter.com/matthew_d_green/status/709919895002042368)

"We can barely encrypt."

This problem is not new. Put some time in and read Matt Blaze's paper "Why
(Special Agent) Johnny (still) can't encrypt."
[http://www.crypto.com/papers/p25sec.pdf](http://www.crypto.com/papers/p25sec.pdf)

>>Also, as far as 'showing you a way' ...

My point is apparently poorly made, so let me try improving. Encryption is a
feature- but our ability to properly implement it is woefully inadequate. Many
developers think very much like you seem to be- I have a secret, so I need to
encrypt. But they forget about (or have no awareness of ) offensive methods
for intercepting a secret with a debugger. They think in terms of network
transport or file system objects.

So many a developer says "I'll just take out my copy of applied cryptography
and go to work." And then security experts get more fuel for yelling about the
danger of rolling your own crypto (even if you're just implementing what you
see in Applied Crypto).

Finally- I was obviously not talking about conditional statements. Read it
again and pay attention. Hypothetical "if only" scenarios are great and
amusing way to burn brain cycles with no real application. It is also a
tactical error, because it indulges people in considering things that don't
exist as potentially real.

------
ra1n85
Does this surprise anyone?

Nevermind that this all an exercise in charging windmills. How woeful it is,
too. Billions of tax dollars spent in trying to defeat the inevitable. All
with a "constitutional scholar" as a president.

It's like the Prohibition of the 21st century, just tinged with free speech
and notes of a surveillance state.

~~~
cmurf
The alternative view is the president is giving FBI enough rope to hang
themselves. The president doesn't need to get into every single battle.

~~~
studentrob
> The president doesn't need to get into every single battle.

True. But there's some debate over whether this is about one phone or about
all phones. And the President did weigh in on the wider issue, which is, how
to keep people safe in a world with strong encryption. He discussed it at SXSW
and also in follow up comments by his Press Secretary [1]. He is convinced
there is a way to guarantee warranted access to decrypt data. He does not
understand that encryption technology is words on paper that anyone could
write or make use of through free and open source software and apps.

[1]
[https://youtu.be/LRR2B5f82e0?t=38m25s](https://youtu.be/LRR2B5f82e0?t=38m25s)

~~~
mike_hearn
I think there's a lot of assumptions about the Prez being dumb here that
aren't warranted.

From the perspective of the FBI, free encryption tools like PGP have been
around a long time, but they only started having investigations blocked by
encryption very recently, as Valley tech firms started integrating it and
enabling it by default. Even if the Prez knows that encryption tools have been
available for decades, and I suspect he does, that isn't the cause of the
current problems they're having.

With respect to getting warranted access to encrypted data, key escrow is an
old concept, so of course there is. Just because we in the tech community
don't like it doesn't mean it doesn't exist.

~~~
studentrob
> With respect to getting warranted access to encrypted data, key escrow is an
> old concept, so of course there is. Just because we in the tech community
> don't like it doesn't mean it doesn't exist.

Okay, let's say key escrow is used. There will be a lot of debate and new laws
passed by Congress. After this, who in the public do you think will sign up to
use the products Apple admits has been weakened by government?

I think the public will just become more informed about encryption and more
people will end up using various encryption apps that circumvent whatever
measures the government puts in place with Apple. In other words, it'll be a
big waste of time, and the main target, terrorists, will be the first ones to
figure out the right ways to hide their communications.

~~~
aptwebapps
> After this, who in the public do you think will sign up to use the products
> Apple admits has been weakened by government?

Nearly all of the people who would have otherwise bought those products.

~~~
yaur
While that's undoubtedly true domestically, I have to belive that openly
requiring a backdoor is going to hurt Apple and the rest of the US tech sector
in the rest of the world.

~~~
794CD01
Why is that? Other countries want their own law enforcement to be able to
break the encryption used in their countries just as badly as the US does.
That's close to 95% of the reason Blackberry still exists.

------
matthewaveryusa
For me the interesting thing happening here isn't the encryption debate
itself, but the fascinating friction between politicians and engineers. It's
the juxtaposition between individuals whose profession relies on using
rhetoric to convince others on an agenda regardless of logic versus
professionals that rely on sound logic regardless of rhetoric. If logic
doesn't prevail, Orwellian statements like "All animals are equal, but some
animals are more equal than others" can conceivably be truisms (If it's not
already the case now.)

~~~
DickingAround
Their whole world is part of why we don't have the GDP growth we want. People
fighting each other over things instead of fighting nature. They don't build
and invent anything other than more actionless words and sentences. Their
greatest battles result in people being swayed to one view or another but
never something being invested in and grown to produce value. And that's why
they're just a waste.

~~~
forgetsusername
> _People fighting each other over things instead of fighting nature._

It's easy to criticize the endless debates (and it's often over subject matter
that looks silly), but this sort of debate is a big part of the success of a
country like the US. It prevents leaders from moving too quickly in a
direction which may have negative consequences. The trade-off is that
everything takes forever to get done.

> _but never something being invested in and grown to produce value._

The US and its underlying political system has possibly created more value
than any society in the history of the world. It's hard to argue that the
system doesn't work.

~~~
DickingAround
It's a good point that solid debate at the federal level prevents them from
moving too quickly. But I would counter by saying that if their debate is
consuming a large portion of our GDP, the infighting alone holds us back and
I'd prefer they just went home and did something else: 3.8T fed budget / 16.8T
US GDP ~= 22% being consumed by them. If 10% of that is waste (~2% of GDP) and
we're growing at 2% GDP/year, the difference is doubling in 30 years (which
might not even show in GDP/person due to population growth) vs a 3.7X increase
in 30 years, which is a strong and innovative nation. In short, even just a
10% waste on their part might be holding back the whole nation. I bet the
overhead waste of the feds is 10%. I don't even want to think about how much
the military waste is holding us back.

~~~
sdenton4
Yeah, we should have some kind of central authority figure to just make the
right decisions instead of wasting all this time and effort on debate. What
could go wrong?

~~~
criddell
If the central authority figure is an algorithm, I could be persuaded to
support that.

It's probably too soon, but I think one day having near real-time information
on the state of the economy could enable a central controller that is more
efficient than the markets.

In any system, every decision is about trade-offs. I could see elections being
created where individuals vote for algorithmic priorities (ie rank education,
law enforcement, r&d spending, etc...).

------
iancarroll
The FBI (very briefly) responded at [http://www.wsj.com/articles/the-fbi-is-
trying-to-crack-the-s...](http://www.wsj.com/articles/the-fbi-is-trying-to-
crack-the-san-bernardino-case-not-set-a-precedent-1458765774).

~~~
dcw303
Nobody buys the Fed's story. It's clear that it was never about a specific
phone and only about setting a precedent.

Which is all well and good, but it begs the question why _did_ they back out
now? Public opinion was divided from the start, and it didn't change
dramatically from when the story broke to when they dropped the case. They got
a lot of mainstream media exposure, but I would have thought that would have
been expected at the least (and probably desired).

It's been reported that the other three letter agencies don't share the same
view. Did Comey get too much unwanted heat? Is it just a temporary retreat to
regroup and fight again another day? Something else? I can't believe that they
just expected Apple to roll over.

~~~
eps
> _why_ did _they back out now?_

Because it's a part of an orchestrated campaign to try and restore
international trust in the US companies? Their credibility was decimated by
Snowden revelations. This includes Apple who jumped into the bed with NSA as
soon as Jobs was out of the way.

So Feds cook up a case to challenge Apple on something crypto, scream their
lungs out how they can't get in, but then bail out on technicality. The net
effect - everyone now thinks Apple is a bastion of privacy and iPhones are
Fort Knoxes of quality encryption.

What will come next is another case with a major telco vendor (cisco, juniper,
etc) that will work to the same effect. Just grab your popcorn and see.

~~~
TheSpiceIsLife
You're probably correct, in my opinion. Don't forget the bit where they
(Apple) have been issued an NSL, so while the public is distracted by the
smoke and mirrors the G-men get what they want.

~~~
kuschku
Apple even said they’d have complied if the FBI had asked secretly – not
publicly – like the last 27 times.

~~~
macintux
As best as I recall, in that paragraph they did not say they would comply,
just that they would make every effort to assist.

I believe the subtlety was lost on those who want to believe Apple is being
hypocritical.

~~~
kuschku
The difference is still the same: Apple isn’t resisting out of good faith, but
because they don’t want to risk a public precedence case.

~~~
macintux
Thanks for proving my point.

------
zeveb
This is actually huge: when the government has lost the Wall Street Journal
then it's truly lost its constituency.

And of course the article is correct: this was all absurd from the get-go.

------
rz2k
>The Justice Department and FBI insist the encryption debate is critical to
national security, and they’re right. The problem is that—amid another terror
attack in the West—they continue to supply more reasons to doubt their
credibility and even basic competence.

Which way is this about to go? Does this justify more funding and more legal
power?

>Instead, Justice rushed to legal war with dubious theories. As it escalated
its rhetoric, it even threatened to confiscate Apple’s source code and
electronic signature: “The government did not seek to compel Apple to turn
those over because it believed such a request would be less palatable to
Apple. If Apple would prefer that course, however, that may provide an
alternative that requires less labor by Apple programmers.”

>Even Justice concedes that the source code and signature are the “keys to the
kingdom,” that, if stolen, would let hackers and spies enter millions of
devices world-wide. So the same pros who can’t defend Office of Personnel
Management records should get custody of Silicon Valley’s most dangerous
intellectual property.

Ideally, the signature is far more dangerous to security than the source code,
but anyway it is reassuring to see more writing that fails to see all sides of
every debate equally valid regardless of consensus opinion among experts in
the relevant fields.

~~~
girvo
> _reassuring to see more writing that fails to see all sides of every debate
> equally valid_

I'm not passing judgement on this particular case; but that's a complete
fallacy. "All sides" of every given debate are _not_ equally valid in all
cases, and in certain cases it is disingenuous to imply that they are.

> _regardless of consensus opinion among experts in the relevant fields_

I can't understand this opinion? Could you clarify what you mean, because from
what I'm reading, it seems you're implying that someone who is uneducated in a
given topic's "side" in a debate is as equally valid as someone who is? That
seems incorrect to me on the face of it, but I'd love some clarification,
because it's likely I've missed some nuance here

~~~
TheSpiceIsLife
> it seems you're implying that someone who is uneducated in a given topic's
> "side" in a debate is as equally valid as someone who is? That seems
> incorrect to me on the face of it

That's a pretty good argument against democracy.

~~~
studentrob
Not really. Democracy is about having the right to an education. It's about
free speech and allowing both good and bad ideas to be discussed openly so
that we can all decide together which are good and which are bad. Without the
power of voice and vote combined together, you don't get the combined strength
of a collective conscience. Just because some people who have unpopular ideas
have the same value and power (one vote, one voice) as other people does _not_
mean that the bad ideas get implemented. Actually, it is almost by definition
that a democracy yields ideas with which most of the country agrees. It's not
perfect in practice because we can't all be informed and vote on everything,
but I believe in the States it is nearly as close as you can get.

------
a_imho
"an outside party demonstrated to the FBI a possible method for unlocking
Farook’s iPhone."

do we have any idea who is this outside party and how are they connected to
Apple if at all? Could this be a case of having a cake and eating it too?

~~~
sathackr
News articles from a week or so ago reported that Cellbrite was assisting
them.

[http://www.reuters.com/article/us-apple-encryption-
cellebrit...](http://www.reuters.com/article/us-apple-encryption-cellebrite-
idUSKCN0WP17J)

------
banku_brougham
I'm pretty upset about this.

------
dang
Please don't rewrite titles to editorialize. The HN guidelines ask you to use
the original title except when it is misleading or linkbait. (Submitted title
was "WSJ: FBI lacks credibility and basic competence".)

~~~
chmaynard
I posted this link several days ago and there were no comments. I decided to
post it again with a title that attracted more attention. Is there a better
way to re-post a link?

~~~
dang
Not really, but a small number of reposts are ok if a story hasn't had
attention yet:
[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html).

