back to article Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be …

  1. Youngone
    Black Helicopters

    What's all this then?

    I'm not sure what Brennan's game is. For a smart guy he sure seems stupid.

    Does he not know how maths works? If US encryption is broken, someone else will sell a non-broken alternative. I'm pretty sure he's worked that out, so why say something so patently dumb?

    I want to know what's really going on here.

    1. RIBrsiq

      Re: What's all this then?

      A person I rather respect once said that if you ever find yourself considering what politicians are doing and thinking "now, that's stupid!", then know that you do not know all that is going on.

      Of course, it's not exclusively correct, obviously: sometimes it's the politicians who are lacking critical information and/or understanding, and sometimes they are indeed just being plain stupid. But it's a world-view that's useful to keep in mind, I find.

      1. Ken Hagan Gold badge

        Re: What's all this then?

        @RIBrsiq: But Occam's Razor applies and on any matter requiring understanding of law, economics, science or technology, the politician is out of their depth and probably motivated far more by what they want to be true than by any advice they might have had from experts.

      2. Someone Else Silver badge

        @RIBrsiq -- Re: What's all this then?

        Well, then, how do you explain Louie Gohmert?, Todd Akin? Tom Tancredo? Joni Ernst? Steve King? (Among others, of course...)

    2. Bill Gray

      Re: What's all this then?

      "He may talk like an idiot and look like an idiot. But don't let that fool you. He really is an idiot."

      -- Groucho Marx

      I don't really think Mr Brennan is, generally speaking, an idiot. I suspect that there really is something deeper going on here. But I'd not rule out the possibility that he really is an idiot.

      -- Bill

      1. Tom 35 Silver badge

        Re: What's all this then?

        Maybe he as stock in all the companies that will make a killing replacing all the backdoored kit.

    3. Voland's right hand Silver badge

      Re: What's all this then?

      Encryption itself can be designed and produced anywhere. In fact, AES has non-USA origins. So do a few other encryption algos.

      Encrypting gear, however - not so much. You have a choice of USA or China (I am deliberately ignoring Ala-Lu-No or whatever it is called today out of the equation for now, it is constantly shooting itself in the foot so I cannot see it leveraging a market opportunity even if it hits in the face). In some areas, like authentication, there are a couple of smaller players like Israel, but in general that is about it.

      So, he has a point - if you are trying to use a product which bundles encryption you have to make a choice between USA and China today and you will probably have to make that choice tomorrow. You are already assuming it has backdoors (not like it did not happen recently with equipment "infected" in transit). Adding them openly does not make a lot of difference commercially.

      1. Anonymous Coward
        Anonymous Coward

        Re: What's all this then?

        The effect is to create a market opportunity that will quickly be filled, US kit replaced.

        The same effect (forced decryption of customer data) in Snoopers Charter that means that every conversation between customers has to be intercepted by the vendor.

        Communications product vendor Charlie has to include himself in the encrypted discussion between Alice and Bob, because as the vendor of their comms software and being a British company (regardless of where Alice and Bob are) Snoopers requires he decrypt their comms.

        Belgacomm spings to mind as an ex customer of any UK kit, or kit from UK companies. For UK that is only communications satellites affected I think?? Cloud services, data processing, and a few others will be hit.

        So your private Alice-Bob comms also include Vendor Charlie, his friend GCHQ, their friends abroad (=5 eyes), UK police (via info sharing), and everyone from traffic wardens to animal charities via the UK's slack data protection system. Shared with everyone but courts and judges to avoid any kind of legal process or privacy right. Natch.

        But I'm sure their chief will explain that their backdoors won't affect business because nobody has a choice!

        Wishful thinking.

        But Brit Kit, not with a free extra account.

        1. Voland's right hand Silver badge

          Re: What's all this then?

          The effect is to create a market opportunity that will quickly be filled, US kit replaced.

          The world is a small village. You will find that getting funds to work on such an opportunity off the ground is virtually impossible (just ask the OpenBSD guys on how difficult it is to get encryption related non-USA funding). Investors will tell you to sod off if you deliberately exclude USA and all American companies out of your customer base day one. Treaties like TTIP and Co will also make it even harder for you to build such a thing tomorrow.

          This leaves you the only option to go hat in hand to the hill above Москва река, but that has its own issues. Ones we should probably avoid discussing as none of us would like to hear "Mr Chrisoprase is very unhappy" somewhere in a dark alley way.

          That is something Mr Bremnan understands very well by the way (he is not being an idiot here, he is in fact being brutally honest about it - something most USA politicos prefer to avoid).

          1. This post has been deleted by its author

          2. Anonymous Coward
            Anonymous Coward

            Re: What's all this then?

            Investors will tell you to sod off if you deliberately exclude USA and all American companies out of your customer base day one

            Ah, but herein lies the irony: IMPORTING high grade crypto kit isn't illegal (although paranoia suggests the US would quickly slap an import tariff on it if you were to start affecting the revenue of the government's paymasters). So you could still sell to US businesses, and I have a feeling that it's not the US businesses who want backdoors (well, OK, except the IT outfits who probably make a mint selling access to the agencies).

            There's also the little issue that "US" crypto isn't actually of "US" origin at all. AES was originally called Rijndael, but that obviously sounded too foreign, and was developed in the country that once gave us techno, Belgium. This suggests that it's not actually going to be spectacularly difficult to obtain another cipher without the US having a foot in the door, but validating it is where the costs lie (as a matter of fact, a number of governments, amongst which the UK, do maintain other ciphers as well).

            IMHO, given the continued behavioural problems of the US government it becomes more and more commercially feasible to develop a non-US cipher - as a matter of fact, I personally think we've reached the point where you could probably get an EU grant for it, the trick is to keep the whole thing as open as possible because that makes subverting it hard (sunshine works)..

            1. Bronek Kozicki Silver badge

              Re: What's all this then?

              I guess that's the crux of the matter: IMPORTING high grade crypto kit isn't illegal ... but it could be made illegal. And if you think that such theoretical ban would only catch US-based companies, look at FATCA and then think again.

          3. Anonymous Coward
            Anonymous Coward

            @Voland "getting funds ... nearly impossible"

            Sure, now. If the US mandated backdoors, that would not be so.

            1. tom dial Silver badge

              Re: @Voland "getting funds ... nearly impossible"

              I suggest that there is another possibility: If the US were to make such a requirement stick (I think the last version of Burr-Feinstein that I saw is pretty unlikely to pass), it is likely enough that it would be followed by similar legislation in quite a few other countries, with China and Russia in the mix but not necessarily the first.

      2. Paul

        Re: What's all this then?

        Thales e-Security are pretty big, part of the huge Thales organisation, and sell hardware security devices, trusted by many household names.

        Based in Cambridge (England).

        I'm sure they'll be happy to pick up lots of customers fleeing from the US mandated backdoors.

        Disclaimer: I work there.

        1. Daniel B.

          Re: What's all this then? @Paul

          I was thinking of Thales as soon as I read this article. Though I thought Thales was a French company?

          But yeah, I even remember reading that the French president uses a Thales secure smartphone because the French also don't trust US hardware.

          1. Anonymous Coward
            Anonymous Coward

            Re: What's all this then? @Paul

            Thales is a French company. They took over NCypher which was set up in Cambridge by two Dutchmen as I seem to remember.

        2. Paul

          Re: What's all this then?

          p.s. Thales are a French company, partly owned by the French government.

      3. energystar
        Holmes

        Encrypting gear, however - not so much.

        This is a very, very short term situation.

    4. Anonymous Coward
      Big Brother

      Re: What's all this then?

      It's called disinformation.

      He's quite deliberately speaking hypothetically about his vast governmental espionage agency "needing" the hapless consumer crap weakened - Thus implying (confirming - to all those who think he's "stupid") that the existing US crapto presently in use is most awesomely doubleplustrusty.

      It is not.

      Obviously.

      Perhaps the San Bernardino fiasco broadcast that fact widely, loudly and convincingly enough to necessitate this spot of disinformation?

      Hypothetically: The CIA doesn't really need any such thing. Doesn't really want any such thing. Isn't really asking for any such thing.

      Equally obviously.

      It's a show.

      It's a fucking spy agency for Christ's sake. He's a spook. The real deals are done in secrecy. Next time the politicians pluck some deranged Orwellian crap "from thin air" and shove it into law before anyone can bat an eye, it was probably him wot wanted it.... but... whenever he spews shit at you via the world's media: HE'S LYING AT YOU.

      No animosity to the man: IT'S HIS JOB

    5. Smooth Newt Silver badge
      Facepalm

      foreign encryption is a 'theoretical' capability

      Wasn't the U.S. National Institute of Standards and Technology's very own Advanced Encryption Standard algorithm invented by two Belgians?

      1. G.Y.

        Re: foreign encryption is a 'theoretical' capability

        ditto SHA-3

      2. Bill Stewart

        Re: foreign encryption is a 'theoretical' capability

        NIST knew that if they wanted anybody to trust their replacement crypto, they'd have to run an open international competition for it, with all the design rationales published, not just hand us a shiny updated version of the Clipper Chip or something. And yes, AES is Rijndael, from Belgium. And OpenSSH is managed by a Dutch/SouthAfrican who lives in Canada, and OpenSSL by a New Zealander. Shamir of RSA is an Israeli.

        "A cryptographer, a Eurocrat, and a normal person walk into a bar. What do they order?" Three Belgian beers, and maybe some Club Mate' if it's available. (Cryptography seems to be one of the Belgian national sports these days.) But it's not just the Belgians and the Dutch and the New Zealanders and the Israelis and Canadians and the Russian Mafia writing computer security software - lots of other places do it too. And while a lot of the Cypherpunks group activities were in Silicon Valley and Berkeley in the 1990s, it's not like everybody attending were Yankees; we had Canadians and Russians and Dutch, and there was a lot of academic work back and forth between US and European and Aussie and NZ universities.

        1. Anonymous Coward
          Anonymous Coward

          Re: foreign encryption is a 'theoretical' capability

          And yes, AES is Rijndael, from Belgium. And OpenSSH is managed by a Dutch/SouthAfrican who lives in Canada, and OpenSSL by a New Zealander. Shamir of RSA is an Israeli.

          And a lot of it is run on X86/64 hardware featuring Intel CPUs with their embedded micro running some Intel firmware blob that has access to all of memory and the Ethernet port...

          So whilst your software list might be Non-American, the hardware and underlying firmware most definitely is American, and it's very opaque too

    6. NoneSuch Silver badge
      Facepalm

      Re: What's all this then?

      "Not that we should be worried about the CIA snooping, Brennan said. In the past three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff. The person will review all CIA activities to ensure they are legal, Brennan said."

      A den of thieves has hired a thief to make sure they stay honest.

      Well, I'm satisfied.

    7. Anonymous Coward
      Anonymous Coward

      Re: What's all this then?

      Its a good thing none of the foreign countries like say Belgium understand encryption. Oh wait.

      1. bombastic bob Silver badge

        Re: What's all this then?

        "Its a good thing none of the foreign countries like say Belgium understand encryption. Oh wait."

        don't rule out Finland, either.

        that and libertarian-minded Americans who'll do it on the "dark net" and not tell anyone they did it. HELLO "underground economy".

        Making drugs illegal - that really stopped THOSE, didn't it? And how about that 'prohibition' thing back in the 1930's? How'd THAT work out?

        All I can say is, "they" (politicians, D.C. insiders, "the establishment") must think WE are IDIOTS.

        1. Anonymous Coward
          Anonymous Coward

          Re: What's all this then?

          Making drugs illegal - that really stopped THOSE, didn't it? And how about that 'prohibition' thing back in the 1930's? How'd THAT work out?

          You may accidentally have hit on the real reason for these shenanigans: a repeat of exactly that. The reason the whole drugs market still exists is because it makes a shocking lot of money for a small group of people by being illegal. Like the prohibition, many a billionaire was made on the back of something that is banned because it creates a supply shortage which can drive up the price.

          The only thing missing here is the addiction part, but that's backfilled by the fear of the presence of many evil hackers and even the government itself.

          It's really just about money. Lots of money.

          1. Uffish

            Re: Prohibition in the United States

            I quote from the United States Prohibition article in the ultimate online cribsheet "Within a week after Prohibition went into effect, small portable stills were on sale throughout the country".[

  2. veti Silver badge

    Diversion

    This is a trial balloon. Nobody thinks "mandatory backdoors" is going to pass. Brennan and Wyden are both going through the motions because it's their job, but there's no point getting excited about it.

    We're being distracted from something, the question is: what? TTIP? Safe harbor?

    1. asdf

      Re: Diversion

      Syria, Russia, South China Sea buildup etc.

  3. RIBrsiq

    "US companies dominate the international market".

    The question, kind sir, is "would you like that state of affairs to continue?"

    Because I personally doubt that it would for long. Even without artificial incentives for people to jump ship.

  4. Anonymous Coward
    Anonymous Coward

    Ohh John, I admire your naïvety…

    …but if they ever were "theoretical", they'll be reality very quickly for those who care about such things.

    Not everything revolves around Corporate America. Ignore that fact at your peril.

  5. elDog

    Hog wash.

    Most of the rest of the internet-savvy world has perfectly good resources for developing and deploying kit that is as-good-as or superior to the US Gov't stuff.

    Many of the recent advances have been made in Europe and Russia. They have also been at the forefront of pointing out the US-sponsored deficiencies. Of course this group (and including increasingly active ones in China) are more than capable of breaking US algorithms and introducing their own.

    Massive fail for the old hat CIA/NSA/etc. All you're trying to do is to scare your minions/taxpayers.

    1. tom dial Silver badge

      Re: Hog wash.

      A reference, please, to a source as to breaking of AES or RSA with high bit length. Strong claims require strong evidence.

      Not that either of these algorithms really is "US Gov't stuff."

      1. Anonymous Coward
        Anonymous Coward

        Re: Hog wash.

        Well, he did write "US algorithms"; neither Rijndal nor Keccak are of US-origin. (One could argue that IF and DL cryptosystems are "US algorithms" -- pace Adi et Taher -- but then the NSA claims all those will be blown away in due course.)

  6. mIRCat
    Black Helicopters

    It's okay!

    I just finished reading through Brennan's private emails and it's clear the man doesn't have a clue about encryption. If the head of a security organization can't form a coherent idea on the topic, I don't expect anyone will actual place any value on his opinions.

    If those are 'copters I hear outside, we'll know that reading his work emails may have been a step too far.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's okay!

      You're mistaking a public position for a private belief. He's not saying that because he believes it, he's saying that because that's what he wants others to believe.

  7. channel extended

    Layered Options...

    If you encrypt a message with unbreakable security and then send it over a weakly encrypted network it is still unbreakable. Clearly he has no idea of PKI or encryption.

    I only trust a one time pad (OTP).

    1. Dazed and Confused Silver badge

      Re: Layered Options...

      > I only trust a one time pad (OTP).

      But how was your OTP generated?

      Unless your random OTP generator is really random then your message can still be decoded.

      And that before we get into the thorny subject of exchange and security of the OTPs themselves.

    2. Anonymous Coward
      Thumb Up

      Re: Layered Options...

      Was with you (and thinking "Truecrypt") right until you said OTP.

      Not typically practical and horribly vulnerable to catastrophic "side channel" failure.

      TRUECRYPT

      (Use your "OTP" as a permanent keyfile, to augment/"salt" your session passcodes/keyfiles, if you like ,)

  8. Anonymous Coward
    Anonymous Coward

    Oi John!

    This is what happens when you make silly bets on a game of golf with the chief of staff - you get put on the "make yourself look stoopid to distract and amuse the proles" rota,

  9. allthecoolshortnamesweretaken

    "Not that we should be worried about the CIA snooping, Brennan said. In the last three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff."

    A mere 68-and-a-bit years after it was formed (1947-09-18). My, that was quick. I'm getting dizzy just watching from the sidelines.

  10. Anonymous Coward
    Anonymous Coward

    Elitist Delusions of Grandeur

    -- This has the delicious stench of American-Exceptionalism written all over it... If its not American it doesn't exist... Yeah <cough> right!

    -- Americans are not known for their studious attention to history, but there are warnings about the fall of great civilizations (Rome etc)...

    -- If there was a scale where US opinion and power mattered its probably down from 9/10 in the 80's to about 3/10 now. Own goals like unwise ME wars, the Bush years, Obama empty promises, China rising, and revelations from Edward Snowden have all seen to that. So great job. Go Team USA!

  11. amanfromMars 1 Silver badge

    To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order

    Well, I think nearly all, at the time of this posting, are in agreement here, and have recognised that Uncle Sam has lost the leading plot and are catastrophically vulnerable to being ruthlessly exploited for both personal and personnel and foreign state and non state actor gain.

    And that title can also be written thus .....To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order to Program with Novel Programming and Heavenly Projects delivering Noble Projects in Immaculate Pursuits ..... and/but of course, and one is well warned here and is hereby again advised to remember to never ever forget, for some things are final and vital and fatal and strike without any sort of prior warning, should its Advanced IntelAIgent Systems and Virtualised Administrations Executive[s] be proposed opposed, at any time in any space or place, and be the subject of objectionable attack and/or abuse, are Hellish Schemes and Crazy Operations also always readily available to crush both wayward opponents and competitive rogue renegade elements alike.

    To XSSXXXX is IT no Fools' Tool and Perfect Attacking Defence Weapons System. Take care out there, IT is dangerous in the wrong hands, hearts and minds, and can and will kill you if you choose to abuse and misuse it.

    Have a nice day, y'all.

    1. Lyndon Hills 1

      Re: To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order

      the above shows just how effective non-US encryption can be, even if we have to go to Mars to get it.

      1. amanfromMars 1 Silver badge

        Re: To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order

        the above shows just how effective non-US encryption can be, even if we have to go to Mars to get it. ... Lyndon Hills 1

        Hi, Lyndon Hills 1,

        It would be a monumental folly to discount and dismiss home delivery whenever Martians realise takeaway is more than a number of steps too far for Earthlings to make and/or take.

        It is neither wise nor practical to expect a primitive species to exercise quantum leaps and revolutionary actions they have no offence or defence against, so please expect something quite extraordinary to be rendered and presented currently for continuing disbelief and terrifying consternation.

  12. Ken Hagan Gold badge

    What's an encryption product (in this context)?

    Because I'm pretty sure that things like OpenSSH would be Hard for the US to stick a back-door into. (Not impossible, looking at recent history of subtle bugs, but certainly Hard.) IOW, the man is clearly an idiot who thinks the people he is trying to talk to are also idiots. (If I were one of the people he was talking to, I might take umbrage at that.)

    1. SolidSquid

      Re: What's an encryption product (in this context)?

      Bugs in OpenSSH would be more bypassing it rather than backdoors, as far as I was aware what they're after is people building in ways to bypass which they notify the CIA etc about and then keep there, rather than rightly fixing it as a bug

      1. Ken Hagan Gold badge

        Re: What's an encryption product (in this context)?

        I was thinking a bit more tinfoil than that. I was wondering to myself if a sufficiently clever intelligence organisation couldn't sneak in a bug in a FOSS offering that would weaken the product in ways that only they were aware of, for however long it took before others spotted it. No, it's not a back-door, but it might be worth the effort anyway.

        Note also that it wouldn't have to be in an obviously sensitive place. It might suffice to fiddle with the memory allocator (which may not seem like it is even part of the product) or make a trivial patch to remove a compiler warning.

        But although this will probably be upvoted by the paranoid wing of El Reg's readership, I must say it seems a bit unlikely to me.

        1. Dadmin
          Go

          Re: What's an encryption product (in this context)?

          The problem there is that you are working on community software and the community will review it, question your "weird code" then dismiss you from the project. You are coming from the angle that a "secret CIA/FBI coding operative" is going to be more clever than any single person already well versed in their own codebase. It most likely will not happen at that level, much easier at the hosting side, but then the community will notice your "additives" and kick you down the road. You could hijack the downloads with your "special package" for a time, I suspect. but not long.

          To expand to the comments in general; WHY ARE YOU WAITING SO LONG?! People, people, people! Ed Snowden gave up the info several years ago; the NSA/CIA/FBI spies on ALL data routed through the US and world. Every single entity that gives more than two shits about real, honest, Internet, and general computing, security should have been working 24/7 to get out this trap laid down by those above mentioned Acronyms. It's been three whole years and you're still taking about "if" and "someday" "we'll get a fucking clue and divorce any products hosted in a known spy zone"; the USA and all connected networks therein. There should have been a Euro-version of every major web site online by now, so that I, and a US Citizen, can get out of the fucking trap too! God fucking dammit, get your shit together and get this working already!!1! Your personal data in a US cloud, or routed through a US access/peering point, or on a major US crap site (twitter, farcebook, Goopal, etc) is not personal anymore. There are plenty of good projects not hosted here that can be leveraged to make a stand and build a nice Internet zone that will not allow snooping or other decryptions. Come ON!

          Three years...

  13. Anonymous Coward
    Meh

    Really?

    "they'll be out of luck because non-American solutions are simply "theoretical.""

    As many have said about open source stuff above +

    Email

    Protonmail

    Phones

    Most Chinese and South Korean manufacturers

    Networking Kit

    Huawei

    Intel Chipery

    ARM

    1. SolidSquid

      Re: Really?

      OX App Suite is another option, it's available for free and can be hosted on any Linux box, provides the same kind of functionality as Microsoft Exchange and their HQ is in Germany

    2. Anonymous Coward
      Anonymous Coward

      Re: Really?

      Protonmail

      AFAIK, Protonmail has US involvement.

      1. Anonymous Coward
        Anonymous Coward

        Re: Really?

        "AFAIK, Protonmail has US involvement"

        Is that because of the MIT collaboration, or the fact that Andy Yen, Proton Tech's registered CEO, is a US passport holder? Why would that be a problem?

        1. Anonymous Coward
          Anonymous Coward

          Re: Really?

          Is that because of the MIT collaboration, or the fact that Andy Yen, Proton Tech's registered CEO, is a US passport holder?

          Both, actually.

          Why would that be a problem?

          It's called leverage. Especially post Snowden we received reports of quite a number of reports of US sysops of multinationals being asked to "have a chat" when they were about to enter data centres abroad. On examination, ProtonMail is further exposed to that by having a branch office in the US.

          There are various ways in which "collaboration" can be organised, the simplest one being the assistance with anti-terrorism - let's not forget that there are bad people out there.

          The good news (and just about the best move they could have made in this context) is that their code is open source. There's still a gap there but it lessens the exposure to subversion as it becomes too easily visible that something isn't right. So, from a security perspective it's done well.

  14. Anonymous Coward
    Anonymous Coward

    *** The word he missed is "now." ***

    Exactly. Since US relaxed encryption export rules, nobody really cared about not using US made encryption product - but the same product often used algorithms developed *outside* the US. AES was developed by two Belgians.

    And back then, the situation was quite different, and there was no Snowden. Then US were able to upset even long-time allies, because of their bulimic STASI-like information gathering handled by greedy gnomes.

    So what will happen?

    1) US will have to develop their own backdoored cryptography. Bright minds abroad, instead of helping, will look at how to exploit that backdoors, while still developing useful cryptography.

    2) Company outside the US will switch to cryptography without US backdoors

    3) US-based companies will have legal/commercial issues outside US. "Privacy shield"? Good luck with that.

    4) A new commercial market for non US companies opens.

    5) Brennan will become the next Trump, blaming those "evil foreigners" for US economy issues.

  15. Anonymous Coward
    Anonymous Coward

    You know that canard about history ...

    Suggest this guy googles "Enigma" and "German belief it could not be broken".

    Actually, IIRC even the Nazis weren't so far up their own arses they believed their encryption was unbreakable. They assumed it was, and their compensating control was daily key changes.

  16. Anonymous Coward
    Anonymous Coward

    Does this guy...

    Does this guy think terrorists go out and buy Cisco or Fortinet VPN gear for their corporate interconnectivity needs?

    1. Anonymous Coward
      Anonymous Coward

      Re: Does this guy...

      I wouldn't be surprised to learn that terrorist networks are better configured than most corporate networks. Terrorists tend to give a shit about their cause and however misguided, seem to put their hearts and minds into it. Corporate IT types on the other hand, at least where I work, do as little as possible and give few shits about the company they work for.

  17. Anonymous Coward
    Anonymous Coward

    Even if you trusted the US Intelligence agencies, you'd need to trust all the agencies they trust, plus the inevitable fact that it would be broken into by less desirable governments within months and criminals soon after. Not to mention competitors.

  18. Christoph Silver badge
    Boffin

    Has anyone told Ross Anderson?

    I'm sure he'd be very interested to know that there are no encryption experts outside the USA.

    When they issue those backdoored encryption products he'll probably set breaking them as an exercise for his students. It might take them perhaps a couple of weeks?

  19. Norman Nescio

    Hardware

    Brennan is not completely wrong.

    It's all very well having the option of using different software vendors, but whose processor and associated chipset will you run the software on? Both Intel and AMD current x86 chipsets are backdoored, and the embedded ARM processors in peripheral devices such as network cards, cellphone modems, and disk drives, if not already doing so, can also be running subverted code.

    Open hardware projects, where you can demonstrate no real-estate on the chip is dedicated to back-dooring, and you can show you are running non-backdoored code, have almost no backing. Very few people take the requirement seriously. If you want to be paranoid, you can also posit there are vested interests in making sure such projects fail.

    Lets say you run some non-USA originated encryption code on your PC. The key is in memory. But the network interface has a processor that has full DMA, and can quite happily run an instance of another O/S while pushing packets merrily on their way. You can see where this is going. And this is NOT theoretical. Compromised hard disk firmware is also out there in the wild. SSDs have pretty powerful processors in place to do wear levelling etc. They too are compromised.

    For the most part, the security and intelligence agencies don't care that you can run OpenBSD and PGP and whatever independent software you like: they already have full access to the compromised hardware you have to run it on, because you cannot now buy non-compromised general purpose PC hardware. Separate encryption devices, usually used for encrypting point-to-point communications are different.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hardware

      Then Brennan should be more worried about how much of that hardware is manufactured in China...

      BTW: adding hardware-based full snooping capabilities has a cost. While it can be done for "valuable targets", I can't see US companies doing it full scale in their products and pay the costs just because CIA likes it.

      1. Norman Nescio

        Re: Hardware - cost

        I agree it has a cost. But it has been done.

        Read this (very) recent BoingBoing article:

        https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html

        The point being that the Intel Management Engine and the AMD equivalent have legitimate commercial uses in remote management of servers and desktops. It is convenient to be able to send a Wake-on-LAN packet to wake up a desktop at night, apply patches, do a hardware inventory etc. But the very same system can be used to subvert the PC. As has been pointed out, Intel are very cagey about the Management Engine, firmware is cryptographically signed, and the processor it runs on is (a) separate to the x86 CPU, but on the same chip and (b) has full memory access without the x86 chip knowing about it.

        So it is not as if there is an extra development cost for the hardware now. It has been done. 'All' that is needed is the modified firmware that does what the intelligence community wants.

        I do not think for one minute that the NSA is bugging every modern PC on the planet. I'm not that stupid. But with this, they have the capability to choose to exfiltrate information from any one of pretty much all modern PCs that get connected to the Internet. Yours probably has not been targeted. Mine probably hasn't. But key PCs of interest almost certainly have.

        Feel free to dismiss me as a wild-eyed loon. But please do read the articles I link to, and have a think about the technical issues around this. Ask, "Is it possible?". And ask "If it is possible, would the NSA do this?". The intelligence budget the USA have is not small.

        The technology of hardware backdoors is fascinating. How about dopant level backdoors:

        http://www.extremetech.com/extreme/166580-researchers-find-new-ultra-low-level-method-of-hacking-cpus-and-theres-no-way-to-detect-it

        http://thehackernews.com/2013/09/Undetectable-hardware-Trojans.html

        "Despite these changes, the modified Trojan RNG passes not only the Built-In-Self-Test (BIST) but also generates random numbers that pass the NIST test suite for random numbers.”

        The US military and intelligence community do worry about this sort of thing, which is why they have 'Trusted Foundries'

        https://www.nsa.gov/business/programs/tapo.shtml

        The list of trusted suppliers is publicly available if you follow a couple of links from the above.

        "A key part of the DoD Trusted Foundry program is that it uniquely provides the US Government with guaranteed access to leading edge trusted microelectronics services for the typically low volume needs of the US Government. DMEA and NSA co-fund the Trusted Foundry program to facilitate this. The Trusted Access Program Office (TAPO) facilitates and administers the contracts and agreements with industry to provide US Government users with:

        Leading edge foundry services including multi-project wafer runs, dedicated prototypes, and production in both high- and low-volume models"

        A library of standard IP blocks

        Limited packaging and test services"

    2. Ken Hagan Gold badge

      Re: Hardware

      "Both Intel and AMD current x86 chipsets are backdoored"

      Let's assume that is true. Does it matter? If the chips continue to give the right answers to numerical problems, they can still be used to break your encryption, and they can still be used offline to encrypt stuff without you ever knowing. (Yes, you don't *have* to be connected to the internet to perform arithmetic.) IOW, that back-door opens out onto a brick wall built by your enemy.

      Back-dooring a chip to the extent that it gives all the right answers *except* when fed problems that you don't want your enemies solving sounds like it will take more transistors than Intel have ever manufactured -- and I don't mean on a single die.

  20. Olius

    Can anyone help jog my memory?

    I seem to remember that a rather popular encryption tool from the 90's being developed by a US company/person/team but the algorithms for the encryption itself being written in Finland or Sweden or somewhere, specifically to get around needing a license to export a US product containing "strong encryption" by making sure it wasn't a "US product". There was some media hysteria about this, and the CIA were particularly annoyed.

    If I'm right remembering this, it kinda blows this chap's rather weak argument out of its already quite shallow water.

    Can anyone remember the specifics of what I'm blathering about? :-)

    1. Anonymous Coward
      Anonymous Coward

      Re: Can anyone help jog my memory?

      There were US-origin products that included stubs for RSA/DES. Non-US customers were supposed to link in rsalib, then hosted on a Finnish server. Sorry, but the names are lost to me.

      There are a lot of non-US companies that sell cryptio chips and boxes (Infineon, for example). The sticky point is whether they have a US presence that can be held hostage.

      1. Olius

        Re: Can anyone help jog my memory?

        Aha, thanks Anon :-)

        Yes, that sounds about right.

        I find it hard to understand how that was >20 years ago, yet we're still having this global debate about encryption.

        1. energystar
          Holmes

          Re: Can anyone help jog my memory?

          Quite fresh commentary around here. Not pondered -and should- is that of resistance to change.

          First, a huge cultural 'building' trying to keep things being done according to 'cold war' customs. Any change at this area having tremendous adaptive costs.

          Second, bringing those mechanisms to a more civilian ground -from mil|intel to civilian- will represent opening to competence, even in price.

          The mistake here is that INTERNET Technology [and encryption tech] is no more Strategic or Complex, in any way, and creating artificial scarcity will end by-siding the same Industry [that is whining].

        2. amanfromMars 1 Silver badge

          Re: Can anyone help jog my memory?... @ Olius

          I find it hard to understand how that was >20 years ago, yet we're still having this global debate about encryption. ... Olius

          That's because it's politically charged, Olius, and all about mass remote power and virtualised control of natives Earth species, which is defaulted in the crashing flash supply and spending of fiat paper/currency. Knowing what's being planned for the future allows one to prepare attacks/defences against it, but that does involve one in talking around hot subjects rather than answering clearly and truthfully questions posed to one about one's efforts in it. Slippery tongued politicians thinking their replies are super clever whenever nothing is answered and all is deflected tell you everything you need to know about anything you ask them?

          All secrets surely hide thought advantageous unpleasantnesses which tell a real different tale of existence from the stories spun for realities fed to the masses. And such surely indicates and proves that life on Earth is a virtual reality which is presently being extremely badly programmed to server corrupted drivers.

          Time for a change, methinks. What think ye? Or do you doubt and believe things are not so simple and therefore will be just as a paying spectator to Greater IntelAIgent Games Play with no input provided for future consideration and inclusion? That is your fate in such a scenario/virtual reality/future existence.

          1. Olius

            Re: Can anyone help jog my memory?... @ Olius

            Indeed it is all of that.

            "Time for a change, methinks. What think ye? Or do you doubt and believe things are not so simple ..."

            I'm a techie - so I believe anything is straightfoward, and it takes great effort on top of a good dose of politics and paranoia to make the world appear to be so complex :-)

            1. amanfromMars 1 Silver badge

              Re: Can anyone help jog my memory?... @ Olius

              :-) And then there were at least two, and their powers were squared. Keep watching these Registering spaces, Olius ...... Things aint what they used to be, for future builders are transparently internetworking secrets and solutions over invisible, intangible webs of intriguing innovation and invasive invention/immaculate conception with perfect formations.

              In some sad and bad and rad and mad intellectually challenged minds and corrupt perverse systems will that equate and be treated as Cyber Terrorism and Virtual Warmongering ....... and such rantings will identify the lead fool which be a blunt tool.

  21. Anonymous Coward
    Anonymous Coward

    What is he actually saying

    We need to look at what he is actually saying before we get all excited. Consider the following.

    The US spying agencies, including the internal ones, want to be able to have backdoors in anything that they look at.

    The US political establishment likes that idea.

    The US tech industry says that idea is a no no.

    The US tech industry actively sticks it to the man.

    Now we have a guy the really really wants to be able to look at everyone's communication so he comes up with an idea.

    If no one else can do the encryption as well as the US then the US tech industry does not have to worry about losing sales if the put in the required backdoors because no one else can do encryption like they can.

    What he is saying is what he hopes the tech industry and people will believe and thus approve the introduction of backdoors or watered down encryption.

    1. Anonymous Coward
      Anonymous Coward

      Re: What is he actually saying

      It's all very nice but the maths still don't add up. Anyone who deliberately weakens encryption will negate their encryption, if not immediately, then sometime soon.

      To me this sounds more like an elaborate re-hash of the "there must be some way to do it" school of thought. Now it is being trotted out by a guy whose business is to keep secrets. I suspect he is trying to keep the more rabid Alzheimer sufferers in Congress happy (a certain California senator comes to mind) until either he or they can retire on their government pensions.

      So sad that the informed reasoning of the few can be so easily sidetracked by the uninformed reasoning of the many.

      If American companies do attempt to impose global (HW or SW) back doors on the world, then the stampede to produce alternatives to American products will be deafening. This is precisely why it won't happen, grand-standing politicians aside. Brennan clearly knows this but can't say so. His is a smoke blowing exercise because economic suicide is not the answer.

      1. Norman Nescio

        Re: What is he actually saying

        "If American companies do attempt to impose global (HW or SW) back doors on the world, then the stampede to produce alternatives to American products will be deafening. "

        It has already been done, and there is no stampede. Yet.

        Look up Joanna Rutkowska and her publicly available talks.

        http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

        AMD have an equivalent technology (PSP) to Intel's IME.

        Compromised hard-drive firmware: http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/

        and

        https://www.wired.com/2015/02/nsa-firmware-hacking/

        Compromised network interface firmware: http://www.theregister.co.uk/2010/11/23/network_card_rootkit/

        Compromised USB firmware: https://www.engadget.com/2014/10/02/badusb-released-github/

        Compromised SD cards: http://www.bunniestudios.com/blog/?p=3554

        Compromised SSD firmware: https://downloadcenter.intel.com/download/18363

        If Intel can offer firmware upgrades, then you can treat SSDs just like hard disk, above.

        I can't be bothered to find the link, but Graphics cards also run firmware that can be reconfigured to surveil the main computer.

        Firewire interfaces are great - older versions allow unrestricted remote DMA to the main processor

        http://security.stackexchange.com/questions/49097/protecting-against-firewire-dma-vulnerabilities-in-linuxmemory.

        https://www.jwz.org/blog/2013/01/bypass-full-disk-encryption-and-passwords-on-any-powered-on-computer-via-firewire/

        More general information on hardware backdoors:

        http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/

        Fun, isn't it?

        1. energystar
          Headmaster

          Re: What is he actually saying

          Not to forget that in ancient times NetCards used to generate 'additional' traffic...

  22. Anonymous Coward
    Anonymous Coward

    Does everyone here have bad memories.

    Or are they too young to remember Al Gores Clipper Chip?

    http://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-chip.html

    Way back in 1994

    1. Anonymous Coward
      Anonymous Coward

      Re: Does everyone here have bad memories.

      Not sure if he wants key-escrow or something easier.

  23. Mahhn

    Counter Intel Agency

    Him and hilldog are sucking each others dicks.

  24. Anonymous Coward
    Anonymous Coward

    Their Own President Doesn't Use US Encryption!

    He uses Canadian made.... and we're very proud of that!

    1. bazza Silver badge

      Re: Their Own President Doesn't Use US Encryption!

      Sadly if seems he's now on a Samsung...

  25. Anonymous Coward
    Anonymous Coward

    To my knowledge, all of this spying on the American public has stopped maybe one terrorist incident. The real purpose of all of this spying on the people is to locate dissidents and those who oppose the government's stand on issues

  26. ma1010 Silver badge
    Facepalm

    Is this man a cretin?

    I'm an American, but I can't even begin to imagine this guy's attitude. Is he a total cretin? Does he really think the rest of the world are cretins?

    If this guy is in charge of our SECURITY, and he thinks the rest of the world can't even cobble together working encryption, I'm really afraid for the US. This reminds me of some of the bollocks spouted by the worst of the pukka-sahib types at the beginning of WW II who couldn't even imagine the Japanese posing any actual threat. They didn't do too well, either, as I recall. With guys like this in charge of our security, the U.S. will likely be conquered any day now.

  27. Mike 16 Silver badge

    The CIA has changed (will change)?

    When I read that I recalled Tom Lehrer's "MLF Song". Specifically:

    "We taught them a lesson in 1918, and they've hardly bothered us since then"

    I won't say "Once a thief, always a thief", but when hiring an armored car driver, or even a valet-parking attendant, the applicant with a long record of thievery is probably not the best choice.

    1. Alistair Silver badge
      Windows

      Re: The CIA has changed (will change)?

      Upvote for the reference to TL.

      Personally think that we need to force Weird Al to redo all his stuff. Its almost all still relevant. And that fits with Hollywood's current mandate.

  28. Bucky 2

    What it means to me is that whether foreigners have high-grade encryption or not is uninteresting to them. It's a "theoretical" capability that may be true; it may not be true; it doesn't really matter.

    It's their own citizens they want to listen in on. It's their own citizens they're trying to exert control over.

  29. energystar
    Windows

    "they'll be out of luck because non-American solutions are simply "theoretical.""

    With all due respect, It ¡s PR spin. US Senate has educated men & women. Surely they would prefer an honest assessment. [Maybe that They're looking at the wrong side?].

    Director John Brennan doesn't have a problem. [He is at another frame]. Maybe that's the reason of so short answer.

    Software Industry could consider -among many other- applying strong 2-pass encryption & get hold of anything required by law to get hold of, even if up to now locally stored.

    Hardware Industry has to get rid of [actual] dangerous back-doors, diligently walking toward a safer, stronger Global Village. [And to prevent Western Technology to be slowly and progressively by-sided. Which plausibly is the reason of the hearing].

    1. energystar
      Childcatcher

      Last but not least...

      Strong One Pass Encryption, if well technologically not a feat, shouldn't be worth the consideration of Civilian Law Frames. Leave it to the Pros.

  30. W. Anderson

    encryption technologies now moreinternally developed

    There are many aspects of John Brennan's testimony, and the technical background to encryption that need to clarified in more detail to know the veracity of his claims, since I am aware of world class encryption technology not developed in USA or owned/controlled by US entity, and there are dominant Operating Systems (OS) and Networking software - not from Microsoft or US companies that included capability for extremely strong encryption for data transmission and storage.

    Unfortunately in 2016, the technology environment for security, especially regarding encryption has substantially more internationally development and innovation base, so there very little "fact" than can be attributed to Mr. Brennan's wishful thinking.

  31. x 7

    stupid argument

    we all know all American kit is designed and built in China nowadays, or made using Chinese parts......

  32. Someone Else Silver badge
    Angel

    Amen, Brother!

    "Requiring companies to build backdoors in their products to weaken strong encryption will put the personal safety of Americans at risk at a dangerous time and – I want to make this clear – I will fight such a policy with everything I have."

    Although that was said by Senator Wyden, I'll sign on to that, too.

  33. John Savard Silver badge

    The CIA's Budget

    ...may be in line for a big increase. After all, if nobody outside the U.S. knows how to encrypt anything, obviously they can shut down the NSA, and give the money they're wasting on it to the CIA.

  34. DerekCurrie
    Facepalm

    So much for the CIA's tech savvy

    I have a hashmark I've been posting for a couple years now. Every year it becomes more factual and urgent: #MyStupidGovernment

    Here we have more of the same.

    I use encryption NOT controlled by the US government or any company. I use it every day. Big surprise. Sheesh. ;-P

  35. Dave Bell

    Bring back the sealed envelope.

    I have a copy of The Codebreakers by David Kahn, and. partly though the timing of original publication, it sets up the myth of super-competent US cryptography. They had talked about breaking the Japanese codes and ciphers. The Ultra secret had not yet been revealed. But it mostly deals with earlier generations of cryptography, stopping with the development of teleprinter-based systems that read a key from a punch-tape.

    One thing is apparent. If the skilled hands could be applied (and paid for), by the 18th Century anything in the mail could be tracelessly read. But the process was so expensive that for most people a sealed envelope was all the security they needed.

    And then the telegraph came along, and just ordinary commercial communications started using codes. The codes deterred casual reading by a telegrapher but also replaced long words and phrases by fairly short code groups. And they reduced language problems: London or Londres, it was the same code group.

    Everything has changed in the last twenty or so years. The internet has destroyed the economic protection of the sealed envelope. As Edward Snowden has revealed, the intelligence agencies are indiscriminately reading everything, because they can, and smothering themselves with irrelevant data.

    For most of us, good encryption is a tool: what we're really looking for is the security of the sealed envelope, something that costs enough to bypass that the intelligence agencies have to think about just what their targets might be.

    It's very apparent that thinking is optional in the modern CIA.

  36. Huns n Hoses

    So let them have their cake

    Their arses will be soon after handed to them on a plate, no?

    No better lesson than life.

  37. Chris 211

    What a fucking retarded moron of epic fuckwittery he is indeed a cockwomble. I am truly amazed how someone could reach his position and have such insane thoughts.

  38. Daniel B.

    Thales

    Brennan seems to have missed them. Because they aren't based in the US and are definitely not theoretical.

  39. Jagged

    Remember when the US tried this before?

    'Merica band the export of anything above 48bit encryption back in the 90s.

    Which was odd because 128bit encryption was already from Europe :/

  40. herman Silver badge

    Well, with a misinformed CIA leader like that, as a non-USA citizen, I can sleep much better at night.

  41. GraemeKilshaw

    CIA Director Mr. Brennan and I share a common interest and purpose in encrypted cyber technologies. I designed and built the FCG Computer at 51 Astor Place in New York, New York. IBM, the NSA, the CIA, the FBI, the IMF, and the FCG collaborate, co-develop, and co-promote for US interests.

  42. DrM
    Devil

    Amazing

    Amazing how someone can be so full of shit?

  43. CheesyTheClown

    From 55 Countries?

    Let's be fair for a moment. Encryption standards as they stand today originate in the US. There are many many good encryption techniques, many which are likely stronger and better than AES, RSA and DH. The issue however is that nearly every product in the report about encryption coming from 55 countries is they use standards.

    We use standard ciphers because at some point we believed they were strong enough to keep us safe. Some people who call themselves security experts think they're unbreakable, that is sheer vanity and silliness. There have been many enhancements made to AES for example which strengthen it, but the AES block cipher itself isn't particularly strong.

    The reason we still use these ciphers has more to do with dependence on things like hardware and software for encryption. Intel and ARM CPUs have acceleration engines for the standard ciphers as well as some of the more popular non-standard ciphers. Processing the encryption in software is not practical for most applications. For example, running full disk encryption in software would take that awesome SSD and make it feel like MFM drives from the 80s.

    For messaging and mail and basic storage encryption, software can be used. But which cipher should we trust?

    AES became a standard after a massive amount of peer review and a great deal of experimentation by thousands of researchers, mathematicians and hackers. To find a suitable replacement would require a European or UN effort of similar scale. Even now, there is a certain belief that unless a cipher is blessed by the NSA or the Israeli Mossad, it's likely considered weak. There are many cipher researchers outside the US and Israel, but it is unlikely they are as public or well funded as thsoe guys are.

    Is it time for something better? Sure... just need to run a competition like they did for AES, find a suitable review board and pass European laws to mandate that Intel and ARM can't ship AES acceleration unless they also support the new standard... this can take a few years.

    1. Alister Silver badge

      Re: From 55 Countries?

      Let's be fair for a moment. Encryption standards as they stand today originate in the US.

      AES - Belgium

      RSA - one of the inventors is Israeli

      ??

  44. Anonymous Coward
    Anonymous Coward

    No US suppliers in sight.

    I work in payments, processing cards and payments for most of Europe. Our company also does (state) authentication etc. We deal with a lot (all?) of the HSM suppliers and smart-card suppliers.

    Off the top of my head we are dealing with Finnish, Danish, Dutch, German, Belgium, French, Swiss Austrian, Italian and UK suppliers.

    There is not a single USA company involved.

    Some of our customers have a specific non-USA requirement...

  45. Stevie Silver badge

    Bah!

    Encouraging tht the CIA has finally got the bit between its teeth after two decades of bad intel and outright lies.

  46. wd400

    Brennan is correct: he talks about <<US-based technology>>, and that includes the HARDWARE and MICROCODE which can be used to weaken cryptography by installing some sort of a backdoor.

    Some not so theoretical examples:

    1. bios-based anti theft which the capability to run arbitrary code on the machine.

    2. producer's "trusted" signature that can be used to (remotely?) replace processor microcode.

    3. (activated by default) CPU-based Management Technology.

  47. wd400

    Brennan is correct. Backdoors are possible.

    Brennan is correct: he talks about [US-based technology], and that includes the HARDWARE and MICROCODE which can be used to weaken cryptography by installing some sort of a backdoor.

    Some not so theoretical examples:

    1. bios-based anti theft which the capability to run arbitrary code on the machine.

    2. producer's "trusted" signature that can be used to (remotely?) replace processor microcode.

    3. (activated by default) CPU-based Management Technology.

  48. Anonymous Coward
    Anonymous Coward

    To reuse a comment about Boris J.

    He's not nearly stupid enough to believe what he is saying.

  49. Kevin McMurtrie Silver badge
    Paris Hilton

    The world is flat so non-US corporations are at risk of falling over the edge. I stood on a ladder today and checked: it's true.

  50. Koschei

    wa?

    Ok, so we don't "dominate" the encryption landscape, sure, but .AU has a few companies, including YDF (your digital file)- doing very nice encryption, thank you very much. Typical american-centric view of the world.

    Plenty of startups outside the US going hammer and tongs on encryption. Nothing theoretical about it. And we will happily eat their lunch if the US want to shoot themselves in the foot.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020