
The Government Is Lying to Us About Cybersecurity - HeroicLife
https://fee.org/articles/the-government-is-lying-to-us-about-cybersecurity/
======
unabst
At the end of the day, when the police can't get into a room, they can break
the door down.

Same with guns. The police are okay with gun ownership because they have the
right to gun citizens down. Not to judge, but that's the balance.

Same with why we tortured. It counterbalances their vulnerability to secrets.
If torture didn't work, Kiefer Sutherland would never have gotten anywhere.
But if everyone were against torture, the show wouldn't have existed.

They have an answer to locked doors, suspects with guns, and terrorists with
secrets that -- at minimum -- make sense to them regardless of their
effectiveness or consequences to society or our ethical reputation.

The main problem with encryption is there is no workaround. There is no
counterbalance. The lock is unbreakable, and there is no one to shoot or
torture when all they have is the device itself (and no one to torture always,
if they're abiding by the law).

This scares law enforcement. This whole campaign is driven by fear, but they
cannot admit fear, so it's all rationalizations and confabulations -- which
work by the way -- hence they're keeping at it. And when those with power
empathize with this fear in between the lines, they will sign off on these
lies.

~~~
BlackFly
Of course there is an answer to unbreakable encryption, the same answer to in
person conversations at a private location: bug the location where the
communication takes place.

You don't need a back door on communications if you are "looking over the
shoulder" of someone as they type it in. If the person is a suspect, then they
can get a warrant to plant a bug.

~~~
LordKano
Their complaint about this is that it's _hard_ to do that.

Well, that's good. I think that law enforcement SHOULD be hard. It should be
hard and complicated and time consuming. One of the worst things I can imagine
is idle law enforcement officers. Bored cops will find something to do.
Whether it's going from car to car and ticketing anyone who is 12.1 or more
inches from the curb or ticketing people for spitting on the sidewalk, no good
can come from idle police.

Idle prosecutors are every bit as much of a potential nightmare. We see
District Attorneys being used as political weapons now. Just imagine if they
had the power to go fishing through the electronic communications of every
political rival.

If the work is difficult, they'll only do it when they have reason to believe
a serious crime has been or soon will be committed. It's easy to justify
overtime for surveillance on a suspected drug kingpin, organized crime figure,
rapist or murderer. It's not so easy to justify it to monitor some guy from a
TEA Party Group, BLM or Occupy just so find out what they're doing.

~~~
ironmagma
> Whether it's going from car to car and ticketing anyone who is 12.1 or more
> inches from the curb or ticketing people for spitting on the sidewalk, no
> good can come from idle police.

So... enforcing our existing laws? What's the point of having those laws if
they're never enforced?

~~~
LordKano
Reinforcing their role as revenue generators instead of peace officers.

------
Stefan-H
2 rebuttals listed from Schneier's post mentioned in the article linked here
are worth a read. [https://www.washingtonpost.com/news/volokh-
conspiracy/wp/201...](https://www.washingtonpost.com/news/volokh-
conspiracy/wp/2015/07/12/encryption-if-this-is-the-best-opponents-can-do-
maybe-jim-comey-has-a-point/?utm_term=.7905803eef7b) and
[https://www.lawfareblog.com/thoughts-encryption-and-going-
da...](https://www.lawfareblog.com/thoughts-encryption-and-going-dark-part-ii-
debate-merits#)

Neither are from security professionals, and both really downplay the risks
associated with <insert 3 letter agency> having escrow of keys. The number of
leaks and breaches across the various government orgs shows that it is near
impossible to maintain the security of keys held in escrow.

~~~
gtcode
The number of leaks and breaches shows there's a serious problem, but keeping
keys secret isn't necessarily implied to be near impossible by consequence of
this.

~~~
AnimalMuppet
Well, it shows that there is a non-zero probability of the key being leaked or
breached. And if the key can open _everything_ , that's a consequence big
enough that we need to think seriously about it happening.

"Trust us, we'll keep it secret" has been empirically proven to be not as true
as they want us to believe.

~~~
gtcode
Agree 100% about carefully considering consequences of crafting a skeleton key
into our most prized technologies. The tech community, at least the most vocal
subset in these parts, can keep pushing back against LE's cries for such a
key, and it's clear there is merit to such an argument. It just seems to be
somewhat provincial from a neutral perspective, however.

Taken from the "other side", it does not seem universally true that generally
deployed strong, unbreakable encryption built into "secure" general-purpose
commodity hardware is in the best interests of humanity going forward. It
seems to be an open question. It was nice to see rational/objective/neutral
discourse on HN in the past that considered all sides. But, such a universal
perspective seems to be missing of late, and the more recent parochial
attitude seems a natural form of pushback, given the current chaos. Hopefully
good comes of this.

"Snow Dawg" is currently partaking in thoughtful discussion arguing against
NSA's policies on his twitter, if anyone is interested.

~~~
nitrogen
What you describe as "neutral" is a false compromise between the reality of
technology and math, and the inanity of thinking a backdoor is a good idea.

~~~
gtcode
No, that's not true, the argument for a backdoor isn't purely technical. LE's
perspective is almost certainly predicated on a universal (amongst the good)
desire to reduce suffering. This part is downplayed or ignored.

Can you prove that there is no such thing as a "perfect" backdoor? Can you
show that the existence of a skeleton key introduces risk beyond losing the
key? Has this been formally proven?

That might be a good starting point, and I apologize if my understanding is
wrong, but can't one build a skeleton key into encryption that cannot be
broken with any greater likelihood than otherwise would be possible by
compromising the encryption itself? If the surface area of attack is doubled
at most, that seems a viable trade-off. Yes, it's potentially a huge SPOF if
designed sub-optimally (I'd suspect that there is a way to build something
akin to a one-time use set of segregated skeleton keys), but that risk needs
management like all risks.

(redact)

~~~
Stefan-H
"Can you show that the existence of a skeleton key introduces risk beyond
losing the key?" The fact that losing the key is a possibility is risk enough.
Once PFS is implemented, the only way (barring crypto attacks) you can break
an TLS session secured with it is to have compromised the systems at the time
of the communication. A skeleton key now means that there is a possibility of
offline decryption with just having a copy of the communication and the
skeleton key. This key is handled by humans now, instead of machines and a
protocol. That is far more than double the attack surface area.

------
aey
donate to the eff! the folks there are doing great work every day, and if you
donate they will send you an awesome hoodie :)

------
philipkglass
My personal guess about why federal law enforcement is obsessed with this
issue (if it's not just as irrational as it seems at first glance): secure
communications and devices are _really_ an obstacle in prosecuting crimes like
insider trading or trade secret theft. Prosecuting crimes that leave plenty of
physical evidence behind (like bombings or mass shootings) isn't really
hindered if you can't read an attacker's phone. But the difference between
"lucky timing" and "insider trading" might hinge entirely on the contents of
communications. The public and most legislators aren't going to be scared
enough of financial crimes to support backdoors, so LEOs tell nonsensical
scary stories about how they need backdoors to stop kidnappers and terrorists.

------
matt4077
The first supposed "lie" here isn't even mentioned. I guess the criticism fits
an (unmentioned) statement that the government is trying to improve
cybersecurity. But while I have heard that in general terms, I don't remember
it coming up in the crypto debate–and would be surprised, considering I can't
think of the logic that would connect the two.

The second supposed "lie" is possibly the closest to reality. Although there
are plenty of people who would agree that there is something of a difference
between "not encrypted" and "encrypted, but the NSA has a a separate key that
can decrypt it". Like everyone who thinks TLS isn't completely broken.

The third is simply a conspiracy theory. Don't be surprised if the press, and
anybody who isn't already on your side, laughs at you if show up with an
argument about how it's all a plan by the NSA/Congress/Disney to control
money/brains/Hitler's secret moon base.

Packaging such weak arguments in the language of "lies" _weakens_ your
position if you're trying to defend the public's right to strong encryption.
Because people will focus on your assumptions that they know to be wrong, such
as the government being on some super-secret mission to get your bitcoin or
whatever. And they will extrapolate from there.

Instead, start from shared assumption, and build good will, before making
actual, strong arguments. One such basis would be acknowledging that, yes,
some hypothetical, completely ethical, FBI agent may today have a harder time,
because where they would previously find lots of incriminating documents in
nicely labelled binders, today a search may often just result in an USB stick
with binary gibberish.

Once you've build some rapport, this would be a real argument: I don't trust
judicial oversight, because it has been abused too often by, for example, the
FISA court and national security letters. Moreover, the government's
surveillance powers were previously limited in two less-excplicit ways than
judicial oversight, namely the costs and manpower involved with physically
searching a place, and surveilling people, as well the nature of such actions
as being publicly visible. But these safeguards do not apply to electronic
surveillance, making it too likely that such powers will be used in massive
operations without probable cause.

~~~
aey
On the 3rd argument.

From
[https://en.wikipedia.org/wiki/ECHELON](https://en.wikipedia.org/wiki/ECHELON)

> In 2001, the Temporary Committee on the ECHELON Interception System
> recommended to the European Parliament that citizens of member states
> routinely use cryptography in their communications to protect their privacy,
> because economic espionage with ECHELON has been conducted by the U.S.
> intelligence agencies.[7]

My guess is that the real benefit that the NSA provides is largely economic
and military espionage. terrorism hasn't been reduced or increased regardless
of NSAs activity, and the folks that run the show are not stupid.

------
fhood
There are some valid points here. Too bad the author felt like taking the
least objective possible tone and liberally using half truths and false
equivalence was the way to present them.

~~~
HeroicLife
Can you give some examples of half-truths?

~~~
fhood
Sure,

>This is why the U.S. intelligence budget of over $75 billion did not prevent
most American’s personal details from being leaked

This was the one that most annoyed me. Why would you expect the US
intelligence budget to be spent on security for private corporations?

Edit: > There is nothing the U.S. government can do to improve “cybersecurity”
other than prosecuting criminal behavior.

Also ridiculous, there are many things the U.S. government could to to improve
cybersecurity including apparently protecting equifax from itself.

edit edit: > U.S. citizens who do not report foreign bank accounts (under
FACTA) can be fined $250,000 or 5 years in jail

What does the IRS prosecuting for tax evasion have to do with any of this?

