

House Passes Amendments Blocking Funding for Undermining Encryption - randomname2
http://massie.house.gov/press-release/press-release-house-passes-massie-amendment-strengthen-privacy-and-security

======
dooglius
The summary at [https://www.congress.gov/amendment/114th-congress/house-amen...](https://www.congress.gov/amendment/114th-congress/house-amendment/342),
and the bill it is attached to, imply that only funding from
NIST to consult with the NSA/CIA is blocked. Wouldn't this sort of thing
be coming out of the NSA's budget anyway? Seems like an easy loophole.

Edit: the loophole is even bigger than that! I listened to the discussion
([http://www.c-span.org/video/?326244-2/us-house-debate-fy-201...](http://www.c-span.org/video/?326244-2/us-house-debate-fy-2016-spending)
around 3:16) where Massie says that the bill doesn't prevent
collaborating with the NSA to strengthen encryption, only to weaken it. But
the NSA can just claim they are helping to strengthen encryption... in fact
that's probably exactly what they did when they first introduced DUAL_EC_DRBG
to NIST in the first place.

~~~
mpyne
This is actually (as far as I can tell) the normal way that Congress butts into
the actions of an agency.

NSA would be covered on a separate budget, and in any event there are at least
theoretical reasons why you'd want the foreign intelligence arm of the nation
to be able to weaken encryption abroad, especially when that foreign
intelligence agency has the statutory _duty_ to be able to break the codes of
the U.S.'s adversaries.

NIST has no such statutory duty, and their budget is handled as part of the
normal public Congressional budget process. So what this would do is to
prevent the use of NIST-funded activities (e.g. crypto competitions, labor
time of NIST employees, etc.) to consult with NSA to deliberately weaken
encryption standards.

Even though NSA _could_ fund such actions internally to them, they wouldn't be
able to publish such a subverted standard under the imprimatur of NIST the way
that Dual EC DRBG was done.

As far as the loophole, the option "Agency A could just _claim_ to be doing
legal thing X instead of illegal thing Y" applies to almost all agencies for
nearly all illegal things. Fraud is still a crime, even for the NSA; if you're
going to assume that NSA will simply break the law then legal changes as a way
to stop NSA are irrelevant anyways.

In the case of Dual EC DRBG it appears to have been obvious early on that it
was weak and even probably backdoored. Schneier wrote as much about it in a
Wired article back in 2007. It's notable that NIST complicity was evident
here, which is why something like this amendment is needed. But I can't find
anything that claims NSA flat-out lied either, and much of Snowden's own leaks
have revealed an NSA studiously trying to stay within (but only barely within)
the lines.

~~~
spacemanmatt
> Fraud is still a crime, even for the NSA; if you're going to assume that NSA
> will simply break the law then legal changes as a way to stop NSA are
> irrelevant anyways.

You said it all right there.

------
derefr
This seems to imply that the following could be a plausible chain of events:

1. some of the NSA Suite A ciphers get reverse-engineered by foreign
citizens;

2. isomorphic algorithms with equivalent guarantees to those Suite A ciphers
are developed, again out-of-country;

3. those algorithms are put into a piece of open-source software and posted
online, allowing _anyone_ to use them;

4. industry across the world decides that these "new" ciphers are _really
good_ and widely adopts them (e.g. incorporating the code into OpenSSL et al),
to the point that they become a de-facto standard;

5. flaws are found in other current ciphers, such that the isomorphic-to-Suite-A
ciphers we now have access to become the only conscionably
recommendable choices;

Then, at that point, it seems like NIST could now choose to put these
isomorphic-to-Suite-A ciphers into a standard, and the NSA couldn't say no. Is
that right?

~~~
Zigurd
That would be nice. But it seems like US diplomacy has been deployed against
anyone claiming to be more secure than US tech companies. It's just crickets
out there. Certainly all the Five Eyes's tech companies have been nailed down.

It might happen, but it won't come from a major established tech company in
the Americasphere.

------
dcre
Like I said in a reply to another comment, see the list of No votes here:
[https://www.govtrack.us/congress/votes/114-2015/h290](https://www.govtrack.us/congress/votes/114-2015/h290)

~~~
belovedeagle
Too bad this contradicts the favorite talking point of "it's Republicans who
hate sound technology decisions"...

~~~
dmix
That's not as true anymore, plenty of news coverage in the past month of the
last NSA limiting bill mentioned how the younger Republicans are now more
libertarian leaning and anti-surveillance. While the older Republicans are
still the hardcore national security hawks.

There is some hope for the younger generations it seems, the people who have a
better grasp of technology than the older crowd.

~~~
spacemanmatt
> There is some hope for the younger generations it seems, the people who have
> a better grasp of technology than the older crowd.

While I agree there is reason for hope, the younger more Libertarian crowd
concerns me more, even if I agree with them on surveillance.

------
mindslight
And what is the penalty when NSA continues to do so, assuming they're even
found out? Especially when they can just retroactively claim that the people
doing so were on overhead for other projects. Or if they simply fund those
types of projects through shell companies with reserves from drug running /
insider trading?

The only way to fix this mess is to defund and dismantle the whole damned
agency.

------
hellbanner
Who are the 43 people who voted against and why? Are there any good sites for
public discourse with house & senators about why they vote a certain way?

~~~
dcre
Here are the votes:
[https://www.govtrack.us/congress/votes/114-2015/h290](https://www.govtrack.us/congress/votes/114-2015/h290)

~~~
hellbanner
Wow, that's a great site. Wish there was an open community discussion where I
could say.. send messages to my representative who then sends them to the
Congress person after filtering messages from a voting group.

I understand that's what representatives are supposed to do, but there's an
awful lot of people with opinions..

------
siliconc0w
It was a fairly hare-brained scheme to begin with...

NSA: Hey guys - you should totally use this suboptimal encryption standard
with these constants we somehow created.

Everyone: Uh... we're good. Thanks...

------
fredleblanc
Bah, one of the No votes was my house rep. Time to set aside an hour to write
some letters of disappointment on Monday.

------
greenyoda
The posted URL gives a 404 error. It looks like the intent was to point to
this press release:

[http://massie.house.gov/press-release/press-release-house-pa...](http://massie.house.gov/press-release/press-release-house-passes-massie-amendment-strengthen-privacy-and-security)

Excerpt:

_The 383-43 vote represents a victory for electronic privacy advocates.
Massie's amendment would prevent the National Institute of Standards and
Technology (NIST) from cooperating with the NSA to weaken encryption standards
for the purpose of facilitating electronic surveillance._

_"When our government weakens encryption software to spy on citizens, it puts
everyone at risk. Hackers can exploit weak encryption to gain access to
Americans' confidential health records and financial information," said
Congressman Massie. "The NIST charter is to establish dependable standards,
not to compromise standards for the purpose of spying."_

~~~
dang
Thanks. Url changed from [http://massie.house.gov/press-release/press-release-
house-pa...](http://massie.house.gov/press-release/press-release-house-passes-
massie-amendment-strhttp://massie.house.gov/press-release/press-release-house-
passes-massie-amendment-strengthen-privacy-and-securityengthen-privacy-and-
security).

------
GunlogAlm
You borked the URL a bit there. :)

[http://massie.house.gov/press-release/press-release-house-pa...](http://massie.house.gov/press-release/press-release-house-passes-massie-amendment-strengthen-privacy-and-security)

