CIA Director John Brennan Pretends Foreign Cryptography Doesn't Exist (schneier.com)
268 points by CapitalistCartr on June 21, 2016 | 98 comments



As commented somewhere in the Schneier thread:

Presumably Brennan refers to the big players, Apple, Google, Microsoft, Facebook, Intel (ME) et al. These companies are delivering crypto and/or hardware for the masses and could be subverted maybe with small short term effect.

Of course, the terrorists will switch. And Mr. Brennan knows that. This is the revealing part: It's about mass surveillance of people who are not terrorists by any means.


Schneier made an interesting point at his talk at DEFCON last year. He suggested people use encryption from the big players, rather than more niche crypto products. He said he thought the NSA etc. monitor users of those niche software closely, essentially getting lots of metadata about them. He suggested "hiding" in the mass of other people using big player products.

Maybe the NSA wants terrorists to switch, since it would make them stand out from the crowd, creating a much smaller pool of people (terrorists and crypto geeks) to watch.


Sounds like the best solution is to use the niche encryption software to encrypt your data, then wrap it up in encryption by the big players, so you keep your everyday activity under wraps, but if they can break the big-player encryption, you have another layer of protection.


The best solution is probably to communicate via encrypted steganography in open channels. For example a Twitter account posting a bunch of cat pics with (encrypted) messages encoded in them. This way your first layer of protection is the steganography (nobody knows the message even exists), and the second layer is the encryption.

I've got a side project about 10% complete that's a "steganographic social overlay network". Fully client side JS steganographic encoding of images that are then uploaded to a choice of social media sites, and then subscribed to like RSS feeds. I think it's a cool concept.


Maybe, but how hard is it to derive suspicion of steganography in an image for some useful level of confidence (e.g. 20%, 50%, 75%)? Not crack it, but know that there's perhaps something up?

Surely, just knowing which accounts are posting "suspicious" communications is valuable enough in and of itself.


Every picture contains some amount of noise. It should at least in theory be equivalent to the Halting problem to decide whether this noise was generated by an algorithm or truly random.

But there's a lot of practical issues here. If you just add noise then it may raise suspicion merely by there being more noise than expected. So you may need to "move the existing noise around" or remove the existing noise, which gets more problematic to do without leaving artifacts. And of course most of the noise may actually be following some patterns, which means that the added/substituted noise must also correctly follow them so as not to raise suspicion.


Couldn't you in theory solve it by using high quality originals and manipulate the compression algorithm to introduce controlled noise that then decodes to your message? That way you can make the noise look more natural than with approaches like modifying existing compressed files.


Exactly. I don't know enough about the topic personally, but I'm genuinely curious if steganography is detectable enough to provide a viable list of targets.


Yes, steganalysis is used to flag material that is irregular based on a number of factors:

https://en.m.wikipedia.org/wiki/Steganalysis
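
An added illustration of the kind of statistical check steganalysis relies on (not part of the thread and not any commenter's code): the pairs-of-values chi-square test for LSB replacement, in its two-cell form, run on a constructed sample. The "contrast-stretched" pixel data, the function names and the 1e-4 threshold are assumptions made for the example.

```python
import math
import random
from collections import Counter


def pair_chi_square(pixels, min_total=10):
    """Chi-square imbalance over value pairs (2k, 2k+1) of 8-bit samples.

    LSB replacement with random-looking bits only moves a sample inside its
    pair, so it pushes both counts of every pair towards equality. Returns
    (statistic, degrees_of_freedom); sparse pairs are skipped.
    """
    hist = Counter(pixels)
    stat, df = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        if a + b < min_total:
            continue
        stat += (a - b) ** 2 / (a + b)  # one degree of freedom per pair
        df += 1
    return stat, df


def chi_square_sf(stat, df):
    """P(X >= stat) for X ~ chi-square(df), Wilson-Hilferty approximation."""
    z = ((stat / df) ** (1 / 3) - (1 - 2 / (9 * df))) / math.sqrt(2 / (9 * df))
    return 0.5 * math.erfc(z / math.sqrt(2))


def balance_p_value(pixels):
    """Probability of at least this much pair imbalance if LSBs were random."""
    stat, df = pair_chi_square(pixels)
    return chi_square_sf(stat, df) if df else None


def lsb_replacement_suspected(pixels, alpha=1e-4):
    """Flag samples whose pairs are as balanced as random LSBs would make them.

    This is a triage signal, not proof: a clean image with a smooth, noisy
    histogram can also look balanced (false positive).
    """
    p = balance_p_value(pixels)
    return p is not None and p >= alpha


def constructed_cover(n=12000, seed=1):
    """Constructed sample: pixels after a 1.5x contrast stretch, which leaves
    every third grey level empty, as processed images often do."""
    rng = random.Random(seed)
    return [rng.randrange(171) * 3 // 2 for _ in range(n)]


def simulate_lsb_payload(pixels, fraction, seed=2):
    """Constructed stego sample: overwrite the LSB of the first `fraction` of
    pixels with random bits (a stand-in for an encrypted payload)."""
    rng = random.Random(seed)
    n = int(len(pixels) * fraction)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels[:n]] + list(pixels[n:])


if __name__ == "__main__":
    cover = constructed_cover()
    samples = {
        "clean cover": cover,
        "100% payload": simulate_lsb_payload(cover, 1.0),
        # A small payload leaves most pairs unbalanced, so the whole-image
        # test misses it: detection confidence depends on payload size.
        "25% payload": simulate_lsb_payload(cover, 0.25),
    }
    for name, px in samples.items():
        stat, df = pair_chi_square(px)
        print(f"{name:13s} chi2={stat:9.1f} df={df} "
              f"suspected={lsb_replacement_suspected(px)}")
```
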


Thanks!


This [0] research paper sounds relevant to your "steganographic social overlay network."

[0] F. Beato, I. Ion, S. Capkun, M. Langheinrich, and B. P. (2013). For Some Eyes Only: Protecting Online Information Sharing. In ACM Conference on Data and Application Security and Privacy.


This sort of hiding sounds a bit like a desperate attempt to save a lost battle of credibility of major US IT companies... no, thank you


Hard to believe Schneier would say something like that, are you sure that's what he said?


The talk is here:

http://www.securitytube.net/video/14656?utm_source=feedburne...

He makes the point I was referring to at 12:53. The question starts about 11:45.


I'm going by memory, but I'm pretty sure he made that point (that I'm paraphrasing, of course). Anyone else hear his talk that would care to comment?


> Of course, the terrorists will switch

Not only terrorists will switch. Everyone who has the option will switch. This is just another nail in the coffin for US technology companies.

I'm pretty sure that when this gets through, the non-US companies will be bought en-masse by US companies, like Microsoft did with Skype.


Open source encryption has been available for decades. Yet, WhatsApp got a billion users before they enabled end-to-end encryption.

The data shows you're wrong: lack of encryption does not prevent a significant number of people from using a product.

I'm mostly repeating what I said in https://news.ycombinator.com/item?id=10580829. Further down I had several links supporting the claim that even people who have a lot to gain from encryption will often not use it if it's not enabled by default.


+1. Most users don't care about encryption. They don't care about privacy. Hell, they don't even care about democracy, as long as it doesn't have any bad effect directly applied to their life right now.

They start caring about privacy if a picture of them naked is exposed or if somebody "pirates" their social accounts, then they will ask for someone to blame, and then go back to business as usual.

You can't expect the average population to be proactive on this.


It's not that they don't care, it's that they are asked to give up a lot for fairly vague risks. I have friends who don't use social platforms and go through the effort to use encryption and deploy their own systems. They lose more freedom not expressing themselves than they gain, especially since intelligence agencies can still target you. Not only can they correlate things with all your friends that use social platforms, they will get a much more targeted profile from the data you inadvertently leak.

I don't think technologists who ask users to do complicated things or blame them when things go wrong care about privacy. Especially when large tech companies make bank by not standardizing things that should be fundamental rights in communication. To me a lot of this (but not everything) is banker level arrogance similar to pension funds or housing markets where "people should have known we were selling them crap".


I agree the trade-off is not in favor of privacy and tech-savvy users tend to live far away from the regular users' needs.

But it's also that people value most things over privacy. To me, valuing the ability to express yourself on Facebook over freedom is not a good bet. Just like valuing the ability to smoke over your health is not a good one.

I do understand why people do it. I have my share of similar self-destructive behaviours.

Still it's common that important things like ecology, freedom, health are discarded over comfort, convenience and quick rewards.

And privacy falls exactly in that category.


> They start [caring] about privacy if a picture of them naked is exposed or if somebody "pirate" their social accounts, then they will ask for someone to blame, and then go back to business as usual.

This isn't just a consumer encryption problem, this is the infosec community's fight in a nutshell. To put it simply: risk is invisible.

This is why projects such as the EFF's scorecard ( https://www.eff.org/secure-messaging-scorecard ) are incredibly important, possibly more-so than the actual code various applications implement. Because without public awareness there is no incentive for companies to implement non-trivial encryption features.

To look at it another way, we're fighting a public health battle here and we should borrow the lessons they've learned. You don't eradicate Dracunculiasis by assigning a doctor to look over every person's shoulder -- you educate people that {behavior} causes {invisible thing} causes {problem}. And once people know why, they're empowered to help themselves.


I agree. Although this generally causes another problem: people start reacting over fear or habits, not because they become conscious of the problem. Which means:

- if the problem takes another form, they won't act;

- if the solution needs to be adapted, they won't do it;

- when the problem doesn't exist anymore, or your understanding of the problem is very different and you realize you fought the wrong battle, it will be impossible to reallocate the resource to it. Worse, you will get discriminated if you do.

All in all, education is good, but as long as people don't generally care about the way the world works, no matter the specific subject, it will be fighting a never ending battle.


Actually, we have an example of this happening with messaging apps. No one used to care about end to end encryption, until Telegram and Signal became popular and WhatsApp followed up. The result is that today, consumers demand it in any messaging app.


No one cared about encryption even when WhatsApp rolled out their E2E, most users still don't understand or know what it is. WhatsApp decided to roll it out and it's good for them, but I personally think it was a combination of an internal ideology as well as the ability to spin it off and sell it as hey look at this new feature. And of course it offers them protection from future leaks as well as gives them something to leverage if the Intercept publishes another Snowden leak this time aimed at WhatsApp specifically and say hey we knew about this, we fixed it, don't worry keep using our app!


I don't quite understand your argument. You're saying they didn't do it to satisfy tech savvy users, but they did it because they might need to satisfy those users when they're hit up about it in the future?

There are plenty of us that do care about it. Sure, they didn't have to do it, they still would have had plenty of users - but they chose to do it.


The argument is that knowledge and understanding of encryption is limited to a very small audience even amongst "tech savvy" users. Even if you only take software developers the vast majority of them does not understand or "care" about encryption, it's just the hard truth of the matter.

WhatsApp did it because they could do it in a way that was beneficial to them coupled quite likely with internal ideological reasons to roll it out. It's a positive spin that can be spun in the tech and non-tech media and could be coupled to improve their reputation as long as it's being run with the overall privacy / encryption debate stories. It also future proofs their platform that when they do come under direct fire they don't have to be seen as reactive.


I don't think consumers demand it. WhatsApp became popular before it got encryption, and I don't see any evidence that people are switching in large numbers based on this feature.


I think WhatsApp is rolling up encryption to avoid a new scandal later, that locally creates bad PR, not because it is a feature requested by users.

To have a good grasp of what matters to the public, remember that Apple once did a whole ad campaign over the fact that the new iPhone could copy/paste. We mocked it. And the joke is on us, cause it worked brilliantly. This is what people care about, and moreover, this is what people know about.


Which returns to the top commenter's point: Brennan is well aware that this won't end usage of newly-unencrypted US products. It will drive away foreign companies, and those with something to hide, but it will still expand CIA access to the bulk of everyday, non-criminal users.


My point is that "the terrorists/people with something to hide will switch" is incorrect, and so the claim that this isn't about catching them is unsupported. Data shows that even terrorists or other people committing high profile crimes won't always make sure to use encryption. It's very possible preventing encryption by default will help catch a couple of those.


> It's very possible preventing encryption by default will help catch a couple of those.

I doubt that. I agree with you that many use unencrypted products though, so you have a point. However in almost all events I can remember the people committing terrorist acts were already known to at least some agencies. The agencies already drown in false positives. There is no indication that this will change. This strengthens my point: it is not about terrorists.


Notably, the Orlando shooter was even more known to security agencies than usual. He had been investigated twice and 'cleared'. After that, he was turned away from a gun store before the shooting for suspicious requests, which led to a tip the FBI didn't follow up on! Somehow, James Comey spun that as "we did everything we could".

If even that level of prior knowledge is being ignored to push for yet more data (and more false positives) it becomes really hard to believe that this request is being made on the level.


Don't forget the time that the Russians(!) put the name of two brothers in the Boston area on a list of "people we think are up to no good" and sent that list to one of the three letter agencies.


Once you have an active lead, investigation is easier if they aren't using encryption. You're focusing on the successes, which necessarily are the cases where the agencies failed.


WhatsApp has made encryption easy, easy to use and easy to understand. Just the day before my mother received a notification saying her WhatsApp messages were now encrypted. And she understood right away.

Sending a GnuPG encrypted email on the other hand is way too much to ask for the layperson.

Getting the message sent and successfully received is of more importance. It's better if it's also encrypted. It's best if the messaging and encryption work together, seamlessly.


> the non-US companies will be bought en-masse by US companies, like Microsoft did with Skype.

I'm glad I'm not the only one having that opinion about MS's acquisition of Skype. There's this article from July 2012, after the MS acquisition and before the Snowden leaks: https://www.washingtonpost.com/business/economy/skype-makes-...

> The FBI, whose officials have complained to Congress about the “going dark” problem, issued a statement Wednesday night saying it couldn’t comment on a particular company or service but that surveillance of conversations “requires review and approval by a court. It is used only in national security matters and to combat the most serious crimes.”

and most importantly

> But changes allowing police surveillance of online chats had been made since late last year, a knowledgeable industry official said Wednesday.

As an anecdote, just wanted to add that I live in an Eastern European country which has started to at least try to put up a fight against endemic corruption, with the help of some Western countries (i.e. the American and the UK ambassadors issuing worrying statements from time to time saying "corruption is bad" and meeting the head of the Anti-Corruption body).

Anyway, in a couple of anti-corruption cases investigated by our local anti-corruption prosecutors there were mentions of the authorities having access to the corrupt people's Skype conversations. Now, our NSA-like structure is in no way as powerful as the real NSA, computationally speaking, so I don't see them breaking Skype's built-in encoding all by themselves, unless given that information on a silver plate by our friends from across the Atlantic Ocean. In exchange, we might help them with keeping nasty terrorists locked in an impromptu prison, because that's how friends help each other out. (http://www.independent.co.uk/news/world/europe/inside-romani...)


> Everyone who has the option will switch

This might be difficult. With iOS, Android or Windows you have to trust the OS Vendor. I assume especially on iOS it might be difficult to supply any meaningful encryption at all if Apple decides to not support it.


Android is open source so if an OS vendor outside of the United States decides to use it and provide strong encryption there is very little stopping them from doing so. A lot of the hardest work has been done already.

There is a small but growing market for strong encryption. US companies will find themselves losing some amount of market share due to encryption restrictions. We already saw this once with the previous crypto wars. The U.S. thought that they could corner the market on good crypto and instead ended up losing a good portion of the market. The U.S. lost that war and they can totally lose this one for the same reason. We don't have a monopoly on good crypto in the U.S. and if they have their way we'll end up with only bad crypto.


> This is just another nail in the coffin for US technology companies.

What are the other nails in your opinion? To me it seems that the Silicon Valley is doing quite well.


Yes, but they could be doing a lot better. There is a whole raft of companies out there that would have been happy customers of Google, MS and Amazon cloud services that is now doing business elsewhere.


I'm sure they could be doing better, but I notice that Amazon has a region in Frankfurt specifically to address German data protection concerns.

There are Amazon employees who could be ordered by the US of A to break German law and extract data from customers at the Frankfurt site. In my judgment, the chance of their being prosecuted in Germany would be indistinguishable from 100%, so the real question is, has Amazon set up its organization such that people who are safely in the US can access such data.


They'd immediately lose a large chunk of the EU customers that stored data in Frankfurt just because of EU data protection concerns. So I don't think AWS would take the risk of the USA being able to force an employee to disclose data.

I wonder if they already separate privileges between regions so one rogue employee can't take down all of their regions.


An Amazon employee told me that people outside govcloud (Amazon's special region for the US government) are/were technically prevented from accessing it, so the technical ability appears to be there.


Ditto for Amazon Ireland.


The other big nail is surveillance itself, especially when coupled with the fact that foreigners' data in US corporations' hands is a free-for-all for everyone.


Hardly a nail. More like a crooked little staple. In the large scheme of things, nobody cares - and this is unlikely to change.


>> "non-US companies will be bought en-masse by US companies"

Sounds like an "exit strategy" - TrueCrypt might even be an example of this.


What's the motivation for mass surveillance of people who aren't terrorists in the US?


Perhaps not using the ubiquitous products makes you a terrorist?

It's a tradeoff, if you really believe that the government are motivated solely for your protection then of course you would allow them unlimited access into your personal life (as long as it was invisible to you, via your phone/computer, why would you care? They only use that information to help you. Think Doctor and seeing you naked, you trust that they don't care about seeing you naked, they just want to help you.)

If you're the director of the CIA maybe you really believe that the government having unlimited invasion of privacy is the correct way to keep everyone safe.


I said this in reply to another user, but I'll say it here. I really do think that some or most of the people at the top believe, or at least have convinced themselves, that they are doing the right thing for the American people. I also think that they know more about the world than they will ever let on, and there are things that go on behind closed doors and off the record that we will never learn about, so it's tough to say what they really do and don't understand.


1) Money. As William Binney revealed, they scrapped his multi-million dollar system that protected privacy (I still disagree with him that the collection was constitutional in the first place) for a multi-billion dollar system that wasn't nearly as effective. So in essence, one motivation would be to line the pockets of various entities around McLean, VA and other good ol boys.

2) Control. This level of surveillance is key in the primary purpose of dissident control. This is why they are harping so much on "lone-wolf radicals" who are "radicalised by the internet". Because they want to say wolf so loud and so much that nobody has the chance to remind them about the constitution. This is also part of why you will see a huge increase in bad legislation written and passed by corrupted good ol boy house/senate. The internet is a threat to the global order due to its decentralized nature and its encouragement of anarchistic freedom of thought. The oligarchy are moving against the internet.

3) Fall-guys. The more sinister, grander chessboard for the supranational oligarchs is one of de-legitimizing American power and principles. I'll let you digest the details of this.

Always remember where the Company got its start. Wall Street international lawyers. I'm pretty sure McCarthy, despite his unconstitutional antics, was actually on to something... but he just didn't aim high enough in the chain. Corruption in the three-letters is top down.

http://www.maebrussell.com/Prouty/Harry%20Truman%27s%20CIA%2...


Identifying the transcendent people and activities that could undermine the status quo the CIA works to defend.

Now we could argue if the CIA works for the well being of the majority of US citizens, or to defend the obscure interests of some minority. And discuss the historical role of the CIA "fighting terrorism".


Control. Power. Authoritarianism. Corporate paternalism.


Money. It's all subcontracted out. It costs tons to do a full nation the size of the US and it's dramatically cheaper than a foreign nation.

There are also the conspiracy type reasons but I think it's just a jobs program for white upper middle class men.


The commercial surveillance complex is just a special case of the military industrial complex. No conspiracy is necessary to explain the greed in traditional defense contracting; surveillance tech is just the latest variation.

Also, the current obsession with machine learning is amplifying the problem. It's easy to misuse data analysis (e.g. overfitting the model until it says what you want it to say). Data is seen as valuable on its own even if it isn't useful "now". This produces an effect similar to tulip-mania where everybody wants as much data as possible even if it isn't currently useful.

Finally, add in bad incentives where failure is rewarded with more contracts. Mudge (Peiter Zatko) gave a very good description[1] of this problem, which he called "game theory is a bitch". The solution is to make retaining data toxic with liability.

[1] https://www.youtube.com/watch?v=h9wXq6oRBnI#t=1173


This. But I think there is an aspect of misguided "we're doing the right thing" doublethink layered on top of it.


This can't be overstated. "Terrorism" is HUGE business.


Control I'm guessing.

If massive financial fraud, corruption and widening inequality continue to get worse, there is going to be a lot of unrest in the western developed nations.

There's only so much shit people can take, so much of their shit that can be taken from them before they realise their entire financial system and wars waged are a giant ponzi scheme set up to suck resources from the many up to the few.

This shit happens in cycles. The upper echelons of society know this is coming again.


You have heard of the concept of 'three felonies a day'.

Well, combine that with knowing almost everything about everybody, and you can use the threat of charges or actually having them charged to deal with dissidents.

I once knew a gun rights' activist in the US. He has friends who were targeted this way by the Federal gov't. It's not just a theoretical thing.


They're all terrorists until proven otherwise!


Knowledge is power.


https://en.wikipedia.org/wiki/File:IAO-logo.png

From the logo of the former Information Awareness Office (under the pyramid-with-eye, of course):

    scientia est potentia


But these have often bought solutions from foreign companies and integrated them. One example would be Skype. The question is with the kind of regime CIA envisions would Skype ever have gotten bought by Google?


How is Facebook, a company which has probably almost since the start operated as a data collection system for CIA (see http://www.abovetopsecret.com/forum/thread291893/pg1 ) .. in the business of providing crypto?


Interestingly it seems that GPG is originally from Germany [0] (a headline act from the first crypto war, I expect there are many other examples!)

[0] https://en.wikipedia.org/wiki/GNU_Privacy_Guard


Practically all publicly visible encryption had to come from overseas during the crypto wars, because US crypto was not allowed to be exported. So everybody used European or Australian crypto, and we still do. gpg, openssl, gnutls, truecrypt, ssleay, ...


Calling it a "crypto war" is missing the point - and the solution for that matter.


"Crypto Wars" is a historical term, not slang or embellishment: https://en.wikipedia.org/wiki/Crypto_Wars


Yes, I know, and it is an embellishment if you believe crypto was/is the solution.

Calling it a crypto war is missing the point and the solution; in fact, the link you provide shows that the focus on crypto was a mistake.


SSH is originally from Finland. Unlike GPG, it's not an implementation of a pre-existing spec, so it might make a somewhat better example.


And AES was developed in Belgium...


GPG is an implementation of PGP (via the OpenPGP specification). PGP was developed in the US, and was, in many ways, the opening salvo of the "first crypto war".


PGP was also printed in book form and exported (to get around the fact that "software" was considered arms, but books not).

I remember wanting an RSA t-shirt at the time (A t-shirt with the RSA algorithm on it, which is/was considered "munitions" - and not for export).


He is not dumb, he is deliberately lying.


Always possible that he is dumb and deliberately lying.


"Never ascribe to malice that which is adequately explained by stupidity"?


Sounds like a quote from someone who is engaged in malicious activity.


Sounds like something said by someone that understands people, that being "misunderstandings and neglect create more confusion in this world than trickery and malice. At any rate, the last two are certainly much less frequent."


Isn't this the guy whose AOL account (yep, AOL) was breached?


You don't become a CIA director while being that ignorant of SIGINT.


Tell that to Petraeus.


Which one is worse?


> US companies dominate the international market as far as encryption technologies

When do people turn to "companies" for encryption instead of using publicly available libraries or applications?


-Most people(tm) probably couldn't care less and definitely wouldn't be willing to put up with the hassle of making their friends switch from iMessage, Google Talk, Skype, Facebook Messenger or whatever it is called - in order to use an encrypted solution.

If end-to-end crypto is going to become the norm, it needs to be supported by the clients people have chosen to use - not by some obscure (to Joe Q. Average) app.

Brennan obviously knows this - it doesn't matter all that much if .01% of the web population use a client outside US control if the remaining 99.99% do use crippled, US-controlled apps.

Heck, it would probably save them lots of time, as being among the .01% would immediately flag you as a crank, terrorist or both.


E.g. when they use messengers which claim that they are end-to-end encrypted.


At this point, Brennan knows that there are no consequences to lying to Congress, so why wouldn't he do it?


Really strange. Surely Keccak (SHA-3, among other things) is "foreign" encryption? Although, I suppose it might be a bit theoretical in the sense that no one yet has a product that uses it in a configuration for encryption, rather than just hashing?

I suppose SSH doesn't exist, and isn't from Finland either.

http://keccak.noekeon.org/


Really depends on the requirements for encryption. Unbreakable encryption is easy to do with basic math.


Surprisingly tough to get a good implementation of basic math going, though.

It is irrelevant if your cipher is sound and for all intents and purposes unbreakable if you, say, leave the key vulnerable to some side-channel attack.


Well, if he's talking about consumer products, he's absolutely right — Telegram is about the only widely popular non-US consumer product offering encrypted communication I know.


Isn't Open Whisper Systems Signal open to foreigners as well?


This is SOP for this administration. If you deny a problem exists it does not exist. The same state of denial exists when they refuse to use the words Islamic terrorists.


The limited use of the words Islamic Terrorism is more of Obama walking a tight-rope than denial. It may be futile, but it's not malicious.

> Obama and his secretary of state, John Kerry, have said that they don't use terms like "Islamic extremism" or "radical Islam" because they believe doing so would grant undeserved religious legitimacy to terrorist movements such as the Islamic State. Citing Islam as a factor risks framing counterterrorism as a war between the West and Islam, they have said.

> "They are not religious leaders -- they're terrorists," Obama said in February. "And we are not at war with Islam. We are at war with people who have perverted Islam."

http://www.nbcnews.com/storyline/orlando-nightclub-massacre/...


This hysteria about Obama not saying the correct incantation to defeat terrorism is pretty amusing coming from the anti-PC crowd.. Or don't they realize that forcing someone to say a certain phrase is a perfect mirror image of forcing people to avoid certain phrases?


Yep. That and the willingness of some people to abandon parts of the Bill of Rights to 'solve' this problem is frightening. Not subtle, mass surveillance, arguably constitutional things, but massive profiling and harassment.

"The government is totally inept and can't be trusted, but if we granted it all these absurd powers to interpose it between a man and his religious beliefs, it won't at all be abused."


Even if they did say ".sl.m.c t.rr.r.sm" it'd probably be in front of a gold-fringed flag and wouldn't count.


It would also grant undeserved legitimacy to those Americans who have never encountered a Muslim in their life who really want to reframe the whole conflict as Islam vs. Christianity, and have convinced themselves that the US stands for Christianity in that conflict. I don't know if this is a failure of the educational system to teach them the actual principles on which the country was founded, or a willful denial of those principles, or just plain willful ignorance, but it's pretty disturbing.


I take it you don't like the historical revisionism that Texas is doing to their textbooks. "Some slaves were treated excellently by their masters..."



