"sounds kind of shady"
Because it is.
NSA director Admiral Mike Rogers has said it is vital Uncle Sam's crimefighters snoop on people – and that this should be possible even if citizens use strong encryption. The spymaster reckons Americans should secure their communications against all eavesdroppers – except, of course, those working for the police, FBI and the …
Indeed it is. The more recent revelations of "classic" spy successes of the NSA, etc. to steal keys and compromise crypto are resulting in people's memory starting to fade.
Snowden's original revelations were the use of BIG DATA analysis on METADATA by the three letters. People keep forgetting about that one. When you can figure out what's going on just by analysing the social graph and who talks to whom, your need to break crypto is quite low. So as long as the No Such Agency (and its brethren worldwide) are collecting metadata (as they are) and running it through a big data cruncher, they do not need a wholesale encryption backdoor.
While we're letting the NSA give us their opinions on IT security, why not allow someone from Anonymous, or Lulzsec, or that Shanghai-based PLA operation chat as well?
If we want to talk about SECURITY, then bring in the people who are actually working to improve cybersecurity and protect systems and data. If we want to talk about hacking or compromising security standards, THEN I would bring in the NSA to give us their point of view.
It's like inviting a fox to the poultry-judging contest!!
Both the NSA and GCHQ keep saying "we fully comply with the law".
I suppose this stonewalling is supposed to placate and/or reassure us, but to me, all this says is either they are lying, or the law is horribly broken. Both of which are deeply troubling scenarios.
"Look into my eyes, look into my eyes, the eyes, the eyes, not around the eyes, don't look around my eyes, look into my eyes ... you're under. We have not been doing anything illegal. Whenever you hear the phrase 'we fully comply with the law', even if we don't specify what we mean by 'the law', you are to ignore any misgivings or concerns and accept us as completely trustworthy in every way. Trust us. Trust us. Three, two, one ... you're back in the room."
...or the law is horribly broken.
I can't say that I fully agree with that. What I think is most likely is:
"We've got a room full of experts, and we've found a loophole in the law, or maybe a surprising use of technology, or even of the English language, and, provided that we are very careful with the exact words that we use, we can give you the impression that we are fully in compliance with the intent and the letter of the law, while only actually complying with one of the above. Or maybe even with something our legal eagles tell us is strictly allowable, but with which no one else agrees. Whatevs."
Of course, you might argue that, in practice, that is the same as 'horribly broken', but we have to be quite careful with wording here.
If I were to call Rogers an idiot, that would insult idiots everywhere. If ANYONE can break into encrypted communications, then it is NOT secure, and everyone that wants to can. Tell this a*hole to first put all of his communications in plain text online for all of us to read. If he is willing to do that, then maybe we'll bare our asses to his probing ministries.
It's very easy to call him and his ilk idiots. However, I think the truth is, they are not idiots but a lot smarter than we give them credit for. Maybe not in ways we'd think of. But doing the bidding of the government (and thus ensuring they stay employed) takes a different kind of smarts. In some ways (many actually), these folks are like the denizens of the board room. They know their craft very well. Whether it's the exploitation of their own greed or the exploitation of their power... they're good at it or they wouldn't be where they are.
Do some reading on Sun Tzu along with Machiavelli and Sun Yat Sen (for starters) and you'll get an appreciation (or a deep dose of fear) about these guys... both governmental and boardroom. They may not have read them, but they practice an awful lot of what they preached.
I thought the whole point about the right to bear arms etc. was to do with US citizens having the power to overthrow a hypothetical corrupt government.
Surely, it follows that the same citizens should be allowed private communications, free from the prying eyes of the aforementioned hypothetical corrupt government in order to plan their revolution?
To follow that up, then the argument that encryption technology is equivalent to weapons would seem to imply that Americans have a right to it under the Constitution. To take the analogy a bit further, while it is fair to say that rights have limits, stipulating that any encryption must have a government-accessible backdoor is akin to requiring gun owners to only use guns that can be taken away by the government (and essentially anyone else) at any time.
Well, there was that whole US government tizzy a while back regarding >40 bit cryptography being considered munitions until some guy named Phil wrote it out and it became free speech. It seems encryption technology falls doubly under the protection of the US Constitution.
Rogers quibbled with the term "backdoor," saying that it sounded "kind of shady."
I'm reminded of the one about rearranging deck chairs on the Titanic. Surely this is the kind of thing you 'quibble' about if you're far more concerned with making sure the PR doesn't make your agency's already lousy image worse, rather than the evidently more serious topic of whether your self-serving proposed measures are going to completely bork everyone's security.
Anyone who was unsure if this bloke is an idiot should be clear enough now.
"They actually went after the WebKit engine"
a) - "Citation needed".
b) - WebKit is distributed under BSD and GNU and its source code is available for review by anybody. Not saying it's impossible to compromise it, just that it's orders of magnitude more difficult than compromising proprietary software, and any vulnerabilities in the engine have a far bigger chance of being discovered & dealt with by the developer community.
a) If you note my icon, I was playing Devil's Advocate. Playing along with the hypothetical scenario.
b) As recent open-source snafus have shown, open-source is no panacea. And as Stuxnet has noted, not everyone at the TLA agencies is stupid (it's not every day someone can design a malware that can jump an air gap in a high-security setting). If someone were really clever, they could hide the malware code in plain sight, perhaps by (1) breaking the whole works down into a gestalt of tiny little pieces scattered all over the code and (2) disguising each piece as an innocuous if not serious feature.
Your first counterpoint may be true, but I find your use of the Little Devil's icon a little bit too minoritary.
Your second counterpoint does nothing to prove or disprove my second point. I said already that "open-source is no panacea" though with different words. The methods you describe to corrupt open source are much more difficult (i.e. more expensive) than simply slapping some NSL on, say, Google or Microsoft, ordering them to add a backdoor in their (more or less) closed source products, and also imply bigger risks.
And before you say it, yes, I know they could bribe/blackmail/fool/waterboard some member of Opera Software's staff to surreptitiously include the backdoor in their product, but by doing that they'd be running a serious risk of exposure and of being arrested by the Norwegian Police or the EU institutions. This would be bad for NSA's business, wouldn't it?
Gah! Now I have "Every breath you take" playing in my head...
"Every breath you take and every move you make
Every bond you break, every step you take, I'll be watching you
Every single day and every word you say
Every game you play, every night you stay, I'll be watching you"
To have a backdoor - any backdoor - is to have a weak spot.
End of story.
Whatever assurances are given, whatever 'frameworks' are constructed and whatever oversight is in place, these apply only to 'legitimate' access. Even with the very best intentions and practices*, you can't promise that no one else will ever be able to find and utilise the artificial weak spot that has been created.
Perhaps there is a leak somewhere. Perhaps, given these backdoors must be conducted with industry help (generally), the information gets out after a targeted corporate hack. After all, the NSA are more than aware that with the right application of funds, know-how, technology and social engineering, you can hack pretty much any corporate entity.
Encryption is either secure or it isn't. Fuck your legal frameworks and fuck your Commies and witches scare tactics - if it has a backdoor, it is not secure.
If he would at least just come out and say that, I would have some respect, because he can't possibly not understand it. They are making the decision that it is worth weakening security for every citizen of their country (and indeed many others) to help them accomplish their goals. So just bloody well say so - say straight that these methods reduce the security of the public and open them up to potential hacking and theft, but that the NSA believes that that is an acceptable price for the people to pay for the security he is asserting they provide.
* - In some bizarro world . . .
The spymaster reckons Americans should secure their communications against all eavesdroppers – except, of course, those working for the police, FBI and the NSA (to counter terrorism or something). Experts warn any backdoors allowing this to happen will be exploited by criminals.
Exactly. A system is either secure or it isn't. You can't make it selectively secure even if you wanted to, because sooner or later the "bad guys" will get the keys to the door. And I'm being massively generous there by not adding police, FBI, NSA and the rest of the alphabet to the "bad guy" list.
"if you want security, don't put it on the internet."
Yes, perhaps we should all just stop doing business in the 21st Century. That's a solution. A shit solution, but a solution.
And thinkin' on how they're goin' after air-gapped boxes,
maybe you shouldn't put it on your fuk'n computer, neither!
Are you going to write your deep, dissenting thoughts on some paper then? And maybe put it in a vault? That should stymie those nasty spooks.
I find myself at the point where I am obliged to apologize for the misbehaviour of my government. We did not and do not need an NSA. I am sorry that it has spied on you, but do realize that it spies on its own citizenry as well. I hope to see it abolished, but with the current crop of politicians, there is very little chance of that happening inside of a decade.
Is this another attempt to destroy US corporations that provide online services?
How soon after all US-made browsers have 'backdoors' will we get an immense rise in the use of non-US-made browsers?
These guys are idiots - people care about their own privacy, even whilst advocating the moronic belief that 'if you've got nothing to hide......' to imply that they don't mind other people having their privacy breached.
So, another way to destroy American online business.
Is this another attempt to destroy US corporations that provide ...
I don't think so. It is worse, it is an attempt to turn the Internet into a distrusted medium. The watchword of the current crop of governments all around the world is "control"; specifically control of all those who live within their borders. They know that (contrary to current edicayshun in skoolz) some people actually think, and that some of those thinking people distrust the propaganda pumped out through the "usual channels". Amongst other stuff, available on the internet is the information that counters the propaganda.
Therefore ... (but then you, dear reader, are capable of thinking that bit through for yourself.)
Who needs a backdoor when the authorities can demand the password on pain of imprisonment?
This happened in the UK a year or two back. An Islamist who had 'forgotten' his password realised he was facing prison, and then 'remembered' it. Too late though: the offence was committed when he refused the original demand, and to jail he went.
They can backdoor all they like.
1. The code is effectively all open source, and perfect for any amount of forks.
2. The smartest are not those working for the three lettered organisations.
3. The online world will migrate away from the five eyes domains of control.
4. Some suitable neutral territory will see the gap in the market and fill it.
"3. The online world will migrate away from the five eyes domains of control.
4. Some suitable neutral territory will see the gap in the market and fill it."
It's these last two that will be tricky. Try to migrate away from the five eyes and they'll just follow you. Try to find a neutral territory and you'll probably find it won't be neutral for long.
No, no, no. If there is a backdoor for "police", then the criminals will kill themselves trying to figure out how to get in it. And *when* they do, not if, NO ONE WILL KNOW for days/weeks/years while the bad guys steal logins, passwords, identities, credit card numbers, bank/retirement accounts, tax returns, etc etc etc.
How does this guy have this position and not understand this? Or is it just a matter of making his personal fiefdom bigger?
I'm all for finding/prosecuting terrorists and other criminals, but defeating security for everyone in pursuit of that goal is absolutely NOT the answer.
You have to ask yourself why Rogers bothers. No one at the conference is going to buy the story about the need to have backdoors to catch whoever; the problem is that they can't catch anyone publicly now despite the deplorable state of Internet security. A cover story is needed for those remailer keys/SIM keys/TOR keys/pickyourfavecryptohardwarekeys stolen long ago... I have it! There is a backdoor for security purposes that we used and here is the evidence needed for conviction!
Yes, indeed, a framework is needed to provide a cover story about how we got the information without actually saying how we got the information; it came from the same place, just not from the so called backdoor. But it could have, and you can't tell it didn't now can you?
It works even better when, say, China installs backdoors everywhere (because the Americans are doing it)... only the Chinese backdoors are real and guess what? The NSA rubber hoses broke the Chinese back doors down before the code even properly compiled! The American back doors don't even have to work to put a torpedo in Chinese security... the NSA/GCHQ will gladly help all comers properly implement a back door.