FBI Director wants 'adult conversation' about backdooring encryption

FBI Director James Comey is gathering evidence so that in 2017 America can have an "adult" conversation about breaking encryption to make crimefighters' lives easier. Speaking at Tuesday's 2016 Symantec Government Symposium in Washington, Comey banged on about his obsession with strong cryptography causing criminals to "go …


  1. Winkypop Silver badge
    FAIL

    Why have an adult conversation?

    When even a child can see that this is a very bad idea.

  2. frank ly

    Consider this

    "We want to lock some people up, so that we send a message ..."

    That's supposed to be the job of the court and it's not for 'sending a message'. Punishing people to 'send a message' is what the Mafia (etc) do.

    1. rdhood

      Re: Consider this

      Oh, it is way worse than that. The rest:

      "And if we can't lock people up, we want to call (them) out. We want to name and shame through indictments, or sanctions, or public relation campaigns – who is doing this and exactly what they're doing."

      Really? Is it the place of the FBI to "send messages", to use the legal system to harass, embarrass and ruin the lives of people that they have decided that they want to lock up, but can't? That is f'n scary. That it came out of the mouth of the man who pushed to NOT indict a connected political candidate who broke rules governing classified information should scare people sh**less.

  3. Christian Berger

    It's actually even beside the point

    I mean we are talking about crypto here, and cryptography can protect your secret against eavesdropping under certain circumstances...

    However that's not what the FBI claims to want. They claim to want to be able to extract data from telephones. Once you have physical access to that device, you are in a whole different position, you can then extract every bit stored in Flash... and unless you have very special hardware, every bit in RAM. Of course you could encrypt that, but for that you'd need to enter a key. If you only have a touchscreen, the best you can get is an 8-digit PIN... which is easy to brute-force.

    Yes, people have had ideas like having a special chip which only releases the key when given the right PIN, and yes those are advertised to have a "wrong tries" counter, but keep in mind that you can erase individual Flash cells easily when uncapping the chip, or you can just read out the internal flash of such a chip with a bit more effort.

    Even that is assuming that the rest of the software is flawless. Today we have mobile operating systems which seem like they were deliberately made more complicated to introduce new bugs. Even lock screens can often be bypassed by simple user interaction.

    Of course solving those problems is feasible, just make your mobile device a terminal to a server that sits somewhere safe. That would really get the FBI into trouble.... and that's what the device companies won't sell you. So in a way the interests of the FBI and the actions of the device manufacturers already seem to overlap.

    So essentially use ssh over Tor Hidden Services or mosh and authenticate via public key authentication, have your local key with a moderately strong password (of course a hardware keyboard helps) and have your server remove that "authorized keys" entry once there has been no login for n days, and you would be moderately safe... if you could trust your operating system on your mobile device.
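
The "remove the authorized keys entry once there has been no login for n days" step from the comment above, as an added example that is not part of the original thread. It assumes sshd log lines carry ISO 8601 timestamps; the function names, sample keys and log lines are constructed for illustration.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")

# sshd logs the key fingerprint on every successful public-key login.
ACCEPT_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Accepted publickey for \S+ from \S+ "
    r"port \d+ ssh2: \S+ (SHA256:\S+)"
)

def fingerprint(entry):
    """SHA256 fingerprint of an authorized_keys entry, as sshd logs it; None if no key."""
    fields = entry.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):      # skip any leading options field
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def last_logins(log_lines):
    """Map fingerprint -> most recent successful login time."""
    seen = {}
    for line in log_lines:
        m = ACCEPT_RE.match(line)
        if m:
            when = datetime.fromisoformat(m.group(1))
            if m.group(2) not in seen or when > seen[m.group(2)]:
                seen[m.group(2)] = when
    return seen

def prune(auth_lines, log_lines, now, max_idle_days):
    """Split authorized_keys lines into (kept, removed).

    A key with no login inside the window is removed; a key never seen in the
    logs counts as idle, so the switch fails closed when logs have rotated away.
    """
    logins = last_logins(log_lines)
    cutoff = now - timedelta(days=max_idle_days)
    kept, removed = [], []
    for line in auth_lines:
        fp = fingerprint(line)
        if not line.strip() or line.lstrip().startswith("#") or fp is None:
            kept.append(line)                # comments and unparsable lines stay
        elif logins.get(fp, datetime.min.replace(tzinfo=timezone.utc)) >= cutoff:
            kept.append(line)
        else:
            removed.append(line)
    return kept, removed

def _blob(label):
    # Constructed stand-in for a public key blob; not a real key.
    return base64.b64encode(label).decode()

SAMPLE_KEYS = [
    "# constructed sample entries, not real keys",
    "ssh-ed25519 " + _blob(b"constructed-key-laptop") + " laptop",
    'from="203.0.113.0/24" ssh-ed25519 ' + _blob(b"constructed-key-phone") + " phone",
    "ssh-rsa " + _blob(b"constructed-key-tablet") + " old-tablet",
]

SAMPLE_LOG = [   # constructed log lines
    "2016-07-01T08:00:00+00:00 host sshd[411]: Accepted publickey for me from "
    "203.0.113.9 port 40112 ssh2: ED25519 " + fingerprint(SAMPLE_KEYS[2]),
    "2016-08-28T21:30:00+00:00 host sshd[812]: Accepted publickey for me from "
    "198.51.100.4 port 50522 ssh2: ED25519 " + fingerprint(SAMPLE_KEYS[1]),
    "2016-08-29T02:11:00+00:00 host sshd[901]: Failed password for root from "
    "192.0.2.55 port 2222 ssh2",
]

if __name__ == "__main__":
    now = datetime(2016, 8, 31, tzinfo=timezone.utc)
    kept, removed = prune(SAMPLE_KEYS, SAMPLE_LOG, now, max_idle_days=30)
    print("kept:", kept)
    print("removed:", removed)
```

Run from cron, the kept lines would be written back to the file; the removed ones are worth logging so that a lock-out can be explained later.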

  4. MrDamage Silver badge

    Can we get Mr Torvalds to weigh into the discussion?

    I'm sure he won't change Comey's mind, but it will be a fucking entertaining read for sure.

    1. Anonymous Coward

      Re: Can we get Mr Torvalds to weigh into the discussion?

      Speaking of computing/OS experts, maybe Theo de Raadt (founder of OpenBSD) could attend as well. Although neither might be interested as I suspect they understand the point of such a meeting would not be to change Comey's mind but rather convince to weaken cryptography.

  5. simonb_london

    This is great news for non-commercial open source projects

    Only commercial entities can be forced to comply with ridiculous laws resulting in open source software that is far more reliable, versatile and capable than crippled, non-competitive rubbish from US companies. Party like it's ffmpeg, VLC and mplayer all over again!

  6. wolfetone Silver badge
    Thumb Up

    Here's your adult conversation...

    Fuck off.

  7. Anonymous Coward

    Adult conversation? Become an adult, first...

    Go back to school, repeat your math courses, because you look really lacking proper knowledge, stop going after magic unicorns and spells to open treasure chests... once grown up, you'll understand yourself criminals will have more advantage from borked cryptography than law enforcement agencies. And that FBI needs to change its approach to investigations, not ask to change cryptography.

  8. Anonymous South African Coward Bronze badge

    10 PRINT "Bad idea."

    20 PRINT "Very, very bad idea."

    30 GOTO 10

    1. Anonymous Coward

      Extra upvote for doing that in BASIC (shudder), using GOTO (aaaaaaargh).

      :)

  9. Peeeeter

    Sigh...

    Does he really think that if he forces tech companies to provide a backdoor, criminals won't start encrypting messages themselves?

    Encryption with a backdoor is useless. If the police can use it, anyone can use it.

    It's worrying that people who don't understand the matter have these decision-making positions.

  10. Milton

    Adult, as in rational and evidence-based?

    Comey seems determined to make a fool of himself. It is not possible to have an adult conversation with someone who refuses to understand the topic at hand, rejects evidence and thinks irrationally.

    Ok, Comey doesn't have to understand the math of crypto—though it isn't that difficult to understand the principles, and we might have dared to hope the Director of the FBI would be intelligent enough to pick it up in half an hour, assuming a college education.

    No doubt he employs some people who do understand it, but appears, like many politicians and political appointees, to be ignoring the knowledgeable and intelligent folks and hearing instead the idiots and those with an agenda. It's a dire weakness of a certain kind of person that they only hear what they want to. Perhaps Comey would have been one of those idiots who tried to legislate π as 3.0?

    I don't really know why else politicians, and other jackasses like Comey, don't sit down with a crypto guy and say "Make me understand why all the smart people say it is literally impossible to do what I want". Because then we could stop wasting everyone's time on a pointless debate. Crypto is never going away.

    1. Anonymous Coward

      Re: Adult, as in rational and evidence-based?

      One of the reasons is that in the past years many law enforcement agencies became complacent. Large scale interception made many investigations easier, requiring little effort: just tap, sit down, listen, and record. Inspecting PCs or mobes became far easier than looking for evidence hidden who knows where, maybe in a hidden safe somewhere, and maybe "encrypted" somehow too.

      They are now afraid they have to work harder and smarter again.

  11. TheProf
    Big Brother

    Meanwhile.....

    ....in a dark underground lair the villainous Doctor Laszlo Von Stranglehold has finished writing in lemon juice instructions to his twisted minions.

    "Ah, Boris. Take these letters to the post office. It's not safe using email any more but the fools have left the postal service unguarded. Bwah ha ha ha!"

    To be continued.

    1. Anonymous Coward

      Re: Meanwhile.....

      "Ah, Boris. Take these letters to the post office. It's not safe using email any more but the fools have left the postal service unguarded. Bwah ha ha ha!"

      See also RFC 2549:

      https://tools.ietf.org/html/rfc2549

  12. W4YBO

    Fourth Amendment to the United States Constitution

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    'Nuff said.

  13. simmondp

    If you don't learn from history, you are doomed to repeat it.

    "If privacy is outlawed, only outlaws will have privacy" [the original quote] often bastardised as "If encryption is outlawed, only outlaws will have encryption".

    https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html

  14. Bernard M. Orwell

    Let me fix that for you...

    "We want to lock some people up, [We don't care who], so that we send a message that it's not a freebie to kick in the door [Unless it's us doing the kicking], metaphorically, of an American company [especially if they don't get on board with us right now] or private citizen [, it could be any activist, of course, which is good for the state] and steal what matters to them [, you know, like private or personal information, for example]. And if we can't lock people up [like big corporations, who are legal persons], we want to call (them) out [until their lobbyists turn up the heat]. We want to name and shame through indictments, or sanctions, or public relation campaigns – who is doing this and exactly what they're doing. [perhaps we should start with us...]"

  15. Neil Alexander

    Non-technical people in Government trying to rule on technical matters, sky still blue, etc.

  16. Anonymous Coward

    > "...so that we send a message that it's not a freebie to kick in the door, metaphorically, of an American company or private citizen and steal what matters to them."

    There is a certain irony in the head of the FBI saying that people shouldn't be kicking in doors.

    > "And if we can't lock people up, we want to call (them) out. We want to name and shame through indictments, or sanctions, or public relation campaigns – who is doing this and exactly what they're doing."

    This is even more terrifying. If he can't build a legal case against someone legitimately he wants to be able to punish them anyway with innuendo, extra red tape and bad publicity.

    The adult conversation here should be "Go to your room Jimmy and think about what you've done"...

    1. Dave 15

      Perhaps we should employ him in the UK

      Then he can issue 'orders' on people and have them report what they are going to use their computer for 24 hours in advance.

  17. amanfromMars 1 Silver badge

    Pussies are what pussies do and don't do

    Here's a tale which doesn't need any fancy snooping and decryption to out miscreants, but which Justice and the FBI, [as well as a whole host of other right dodgy entities] are deliberately ignoring and failing to act upon, even though the consequences of their inaction, which is tantamount to complicity and remote virtual support of grave practices, is fueling revolution and insurrection? ..... http://www.independent.co.uk/news/business/news/dishonest-bankers-threaten-new-financial-crisis-says-mark-carney-a7218156.html

    Some would say that is criminal and invites terrorism.

    1. amanfromMars 1 Silver badge

      Re: Pussies are what pussies do and don't do

      And now that it is being so widely specifically pointed out to authorities and bodies presumed to be in charge of maintaining and enhancing law and order facilities and capabilities, is continued inaction a sure sign that corruption and the perversion of natural justice in support of a criminal minority and an elite majority, is endemic and systemic.

      And that requires radical root and branch surgery to excise the cancer. And if the patient dies in the process, so be it. Such is only natural, is it not? Doing nothing in a dire set of catastrophic circumstances, is not a smart option any sane soul would take, ergo, to not take such drastic actions as are necessary confirms an all pervasive madness rife and running riot and amok in the system?

      Or do you see it all and think quite differently?

  18. Brangdon

    As we saw with the Microsoft Secure Boot fiasco...

    Also the NSA had some of their hacking tools leaked. There's no reason to think the FBI would have better security than the NSA.

    https://www.schneier.com/blog/archives/2016/08/major_nsaequati.html

  19. Teiwaz

    Adult Conversations on Encryption are...

    Unlikely to result in getting what you want as outside the realms of Tooth Fairy, Santa Claus, Fairies, Leprechauns or Harry Potter, you don't get what you want if it's contrary to maths and physics.

  20. DerekCurrie
    FAIL

    Disingenuous Mr. Comey Is Not Interested In A Real Adult Conversation

    Mr. Comey is not capable of a real adult conversation about US citizen privacy rights or computer security.

    A) He continues to ignore the US Constitution. That's what disingenuous people do when they find the Constitution inconvenient.

    B) He is technology illiterate to a considerable extent, incapable of coherence regarding computer security. He chastises poor computer network security while proselytizing for backdoors in everything as a convenience to law enforcement. That makes no sense.

    C) He treats citizen privacy and computer security as emotional subjects, using elements of FUD (Fear, Uncertainty and Doubt), that ancient method of propaganda, to push his inept opinions upon others.

    D) He talks down to others as if he knows better, is the bigger adult, has the superior authority, when in fact he is the foolish person in the room. He stubbornly refuses to listen to those who actually know what they're talking about, specifically because he doesn't want to hear and accept the information experts provide. This of course is reminiscent of a pouting child who sticks his fingers in his ears and hums loudly to himself in order to block out what others are attempting to explain to him.

    It's time to fire Mr. Comey and replace him with someone more competent. Sorry Mr. Comey, but you're out of touch.

  21. Stevie

    Bah!

    The problem is that these chaps don't "do" math and when a tech-savvy person blithers about keys, the non-techy is thinking mechanical key. Mechanical locks can be re-keyed easily in the event of a key loss, and skeleton keys are ubiquitous.

    The problem, in part, is that the key metaphor has been pressed into service a lock too far.

    Also, we are talking a country founded in a real sense on tech innovation. The idea that "it can't be done" is foreign to the American psyche which runs with the thought that if a problem concerns technology, it can be solved if enough money and effort is available.

    Talk of mathematical impossibilities cuts no ice.

    Another issue is that there simply isn't enough interest in a national discussion of the issue (or indeed, any issue) in an "adult" fashion. The only way you get people invested these days is to fire 'em up emotionally over some issue. Adult debate is a non-starter.

    And before anyone laughs at the dumb Yanks, let us cough and flick our eyes on the "debate" that occurred before the Brexit Referendum, for there, in general terms, is the script for backdoored security discussions Blightside.

    1. patrickstar

      Re: Bah!

      Actually, to stretch the mechanical key metaphor much too far, there are some interesting vulnerabilities that arise when a mechanical lock is master keyed, i.e. able to be opened by two different keys (sound familiar?). See http://crypto.com/masterkey.html

  22. Anonymous Coward

    not really an adult conversation here

    Of the 101 previous comments, there was only one particularly thoughtful response. The rest were mostly snarky ad hominem responses, which are fine and amusing but only go so far.

    The 'adult' conversation can and should be around the question "are secure devices and communications worth it?". Despite the loss and chaos around the loss of use of the internet and privacy with devices that connect over it, it still is a serious question to ask. The technical discussion over how to make a secure system with backdoors is likely over with a "no, that just won't work" answer. That obviously moves the discussion to a different space.

    1. Mephistro

      Re: not really an adult conversation here

      "are secure devices and communications worth it?"

      No, they aren't. If we lose them, we only need to sacrifice very minor things like security, privacy, e-commerce, free speech in the web, banking -including teller machines and credit cards-...

      </sarcasm>

      FYI, your debate was probably carried out more than two millennia ago, and there was a clear winner.

      Seriously now, this stupid debate would also be a massive exercise in futility, as the bad guys won't give a flying fuck about the outcome. They'll simply keep using cryptography themselves and robbing blind anyone who doesn't.

    2. Anonymous Coward

      Re: not really an adult conversation here

      That conversation about whether it was worth it actually happened in the 90's. That was when the Clipper chip was introduced, and failed. However, I don't believe it's the responsibility of citizens to prove why they need crypto any more than it's their responsibility to prove why they need personal computing devices, motor vehicles, personal firearms, pesticides, air conditioning, or birth control, especially when the government official they are required to prove it to is feigning ignorance regarding the obvious utility of those things.

  23. SnakeChisler

    Backdoor / Frontdoor for 1?

    Let's start at the 1st hurdle: Only the good guys get the key?

    As far as I can see we've stopped at this point, no matter how good Comey thinks he's been I would bet Santa disagrees.

    So we have only those perceived by the state (any state) to be worthy of getting the key?

    Given the fact that any key will open up our digital life which includes Banking, Finance etc.. what he's proposing we have a conversation about you have to be virtually brain dead to think it was a good idea or have no online presence at all.

  24. Anonymous Coward

    Here is the adult version of the situation...

    The FBI wants a defeat in all commonly used communication products which are likely to be sold to civilians, via a method which only the FBI knows. However, it is not only physically, but legally impossible to prevent agencies outside the FBI from knowing the method. Furthermore, once the method is known, the most efficient method of conducting intelligence for law enforcement purposes will be precisely the same as for the IC; simply do automatic full-take on all communications and create a paper trail for access to the database (since their view is that a "search" doesn't occur until a human is involved). This is a technical necessity because doing a search of a lot of comms requires indexing to occur beforehand; waiting until you need something to do the decrypt often takes too long. We are supposed to believe that a) this system won't be abused for personal benefit, b) they won't lie about sources of their leads in court cases, c) only the FBI will retain access both to the escrow key and the full-take, d) the manufacturers will have proper security controls in the presence of an escrow system, e) future policy changes will not weaken things further after the escrow key system is in place. These assumptions are naive at best, even given the FBI's own experience.

    Furthermore, this assumes manufacturers cannot be legally compelled to provide the same escrow key to foreign governments who have jurisdiction over some part of their operation, such as China, UAE, Russia, Qatar, France, New Zealand, South Korea, Turkey, Morocco, Brazil, etc. That assumption is also false.

    Third, even the NSA made mistakes handling their exploit tools, resulting in leaks of code to the media. These leaks were passed off as being "from 2013", as though that is ancient history and equipment made in 2013 is no longer in service. In fact, many of those exploit tools are still usable. We are fortunate that software upgrades are possible on affected devices. As IoT products become cheaper and more widespread, patching problems with crypto will be less feasible (as we have witnessed in the case of Android smartphones).

    Fourth, this measure would require that systems used by law enforcement or government agencies themselves would require specialized software that is not available to civilians, because government policies would not permit use of escrow key systems within an agency, for the reasons mentioned above. That means manufacturers would still be making unbreakable systems, but would bear the responsibility for vetting clients to determine which were entitled to non-crippled versions of their products. However, to maintain compatibility with crippled versions, you would need to permit escrow key protocols on even government-issued equipment, which opens the door to breaks resulting from misconfiguration (accidentally leaving escrow encryption enabled) or downgrade attacks (like the export cipher downgrade attack). This is the reason why stuff like export-grade DES is now completely disabled in a lot of production code, because the dangers of misconfiguration are too high. You are asking people who obviously don't understand the problems with escrow to understand the problem with accidentally leaving escrow turned on in a sensitive system.

  25. Anonymous Coward

    Well, when he grows up

    - then he can have one. Until then, he should keep his nose out of grown-up matters he clearly doesn't understand.

  26. fishbone

    I'm sure this will work as well as gun laws in Chicago have stopped gangbangers from shooting other gangbangers, never mind the innocent bystanders I'm sure they'll only hit their targets.

  27. nilfs2
    FAIL

    This is what happens...

    ...when a suit with zero technical knowledge and a huge ego is in charge of taking technical decisions.

  28. g4ugm

    We have seen the fiasco with TSA locks

    So a photograph of the keys has been published and many people can now 3D print copies. Now no one with any sense would ship anything valuable in checked in hold luggage, so it's just about livable with. With Internet encryption it's not the case; we entrust many valuables to SSL and other encryption systems.

    Basically what he wants is TSA keys for our internet security. If he asks for it I am pretty sure we would soon see front end add-ons that add an extra layer of encryption.

    https://www.schneier.com/blog/archives/2015/09/tsa_master_keys.html

    1. nichomach

      Re: We have seen the fiasco with TSA locks

      On the TSA side, there's almost an unintended canary effect, since every time my other half travels over the pond, the TSA don't bother using their keys, they just destroy the lock, so if your luggage makes it through with the lock intact, it's almost a racing certainty that it has been opened, but by a nefarious (or more nefarious than the TSA) party...

  29. Howard Hanek
    Happy

    Adults

    Invariably the most corrupt, dishonest people are 'adults'. Take Director Comey for example........

    As long as government dishonesty and corruption runs rampant you would HAVE to be the worst kind of fool to fall for national security ploys. The evil that walks our government halls is harming us much worse than sporadic terrorism and will only be emboldened by giving it carte blanche.

  30. amanfromMars 1 Silver badge

    Cheap at the price whenever one knows what one is doing and what needs to be done ...

    Would you choose to freely help and work for a nation and organisations that field and protect presidential candidates like Donald Trump and Hillary Clinton, without at least an eight figure salary, homes in California and Europe and TS/SCI identities. Well, things have moved on quite a bit from ye olde days of yore, haven't they? .......

    Despite his public transformation, he was barred from entering the United States, which he found hypocritical. . .. Partly to blame, he said, was his refusal to work for the CIA with the promise of a seven-figure salary, a home in California and a fresh identity. ...... Anonymous Coward

    And the always abiding danger is that one's secret worth be so valued and recognised by the competition and/or opposition stationed elsewhere, and a mutually beneficial rewarding partnership be established to create a whole new leading paradigm and Greater IntelAIgent Game servering Global Operating Devices. Uncle Sam is but one struggling player in that which is unfolding. The world is awash with such actors in search of an authorised mega metadatabase script.

  31. steve 124

    INQ must be losing visitors

    127 comments on this article here. Same article over at Inquirer... 3 comments.

    I guess redesigning their site to look like ass hasn't helped. lol

    BTW, admins, I love the layout here at El Reg, so please don't make the mistake of your sister site.

    And... of course... Comey is an asshat who wants to clog up the intertubes. Sigh.

  32. Dave 15

    Adult conversation?

    In America? About security? No chance (there's no chance here either).

    Back door means a way of breaking the encryption, that means it is NOT secure.

    And frankly I may be honest and upright etc etc etc (may be) ... but that doesn't mean I want the FBI or anyone else having the ability to spy on me. I will take my chance with the terrorists etc. rather than that. The land of the free? liberty? Words that the FBI and our own government have long since stopped thinking about.

    TBH there is more chance of me being killed by a car on my way home than a terrorist with a gun or bomb so just get a grip on reality folk.

  33. splodge

    "...send a message that it's not a freebie to kick in the door, metaphorically, of an American company or private citizen and steal what matters to them..."

    I assume he means people who don't work for a TLA security organisation.

  34. Rob D.

    US U-turn

    When it becomes illegal to import strong cryptography in to the US. Americans will use broken encryption while by virtue of American regulation, the rest of the world (plus US-based bad guys) will choose to use something else.

    (And the FBI were harping on about the same ideas back then as well, although I do feel that Comey seems to be making a much better job of looking like a complete moron than his predecessors.)

  35. Saatdhann

    Backdoor encryption a pointless public fund wasting exercise.

    How do they expect to catch any criminals if they are so dumb?

    An adult conversation about backdoor to encryption?

    No adult is going to discuss backdoor encryption because it is over, past, done, finito, the horse has bolted, the end.

    We don't need evidence, we know why they want it so why have these fools been wasting public funds looking for it?

    We all have programmes with no backdoor that are beyond the capacity of anything but quantum computers to decrypt.

    What does the FBI want or think is going to be done? We'll all dump our current programmes and buy a new one with a backdoor? Maybe they should consider putting the drugs they collect into evidence instead of using them?

    Something like CipherShed is free Open Source and if the FBI want to backdoor it all they'll do is shift it offshore, keep it going and there's nothing the FBI will ever be able to do about it.

    The FBI can't control overseas programmes.

    What's more is that the main thing they want to stop is terrorism, no terrorist is going to buy a backdoor encryption programme to help out the FBI, that's why they use encryption. They may as well have asked the Germans to give them the plans to the Enigma system.

    Even if they tried to ban everything encrypted by scanning emails, they'd still fail because people would simply write the encrypted document and hide it in a photo using steganography.

    If the FBI had any brains at all they would have tried to do something before AES but they didn't. Now they are going to have to live with it forever.

    But seriously, with the advent of computers encryption was inevitable and that it would defeat the FBI without them having any hope of defeating it was also inevitable.

    My advice to the FBI: Stop wasting public funds on a fruitless exercise, there's nothing you can achieve.

  36. Daniel B.
    Boffin

    Dear Mr. Comey

    We already had this adult conversation. Secure backdoor is an oxymoron. We've shown the math and science behind it. Give it up.

  37. dwonk786

    Simple logic

    Encryption = Privacy

    Privacy = Basic Human Right

    therefore

    Encryption = Basic Human Right
