Eggs out of pancakes
So he demands to be able to get the eggs back out of the pancakes.
There has been a bumper crop of security news this week, including another shipping giant getting taken down by ransomware, Russian hackers apparently completely pwning US power grids and a sane request from Senator Wyden (D-OR) for the US government to dump Flash. But there has been other news bubbling under. Useless action …
You just feed the pancakes to a hen and a cow, they will process them for you and return your eggs and milk.
Eggsellent idea.
If you add pancakes to your compost heap you can also use them to fertilise sugar beet and lemon trees.
Cor, this is an even better whiz than extracting sunlight from cucumbers!
This post has been deleted by its author
The analogy is really simple.
He wants a single skeleton key that opens every door in the land.
Would you *give* someone a master key to your house? Would you give the police a copy of your keys? Whether or not they "only" use them when authorised to do so, and though you could justify it as "it saves police time as they'll be able to get into places when they have a search warrant without needing the owner's co-operation", it's a really, really bad idea. Because such a key's existence totally compromises everyone's security (as it will also open all the big City banks, etc.), access to that key can't be controlled if so many organisations require it, and the criminals only need see that key once to open EVERYONE'S home.
It's a really, really, really dumb idea.
Now... there might well be a way to implement it. There are a number of encryption schemes built around combinations of access keys, where you only need to hold a certain number of them to open the encryption while ordinary users still have encryption/decryption keys as normal and can't open other's messages. But their very existence is a huge chasm of potential compromise.
And exactly those people who you NEED to decrypt their communications won't ever use such a system for anything they don't want the FBI etc. to know. It's just that simple. It's like giving everyone a safe that the government can always open and then expecting criminals to put all their ill-gotten gains and bank vault plans into it. It's ridiculous.
Organisations need to accept that encryption is a double-edged sword, and a feature that you can't uninvent - you would be much better off putting all your resources into old fashioned policing and spying than trying to ensure that the criminals haven't used an encryption that's impossible to break. After all - at some point they have to decrypt those things, and that's your avenue, not mass surveillance and breaking into every machine on the planet and filtering out everyone's Facebook posts.
Literally, the signal-to-noise of what they want plummets the second that you capture ordinary people in the loop, so they're not helping anyone. This was always my argument against the "acres of datacentres" tripe. Maybe they do have those. But, guess what? All that does it make it even harder to spot what you were after compared to just tailing the guy you're interested in and putting a bug on his computer. At great expense.
Encryption is like "deception". It's a natural part of life now. And you can't just demand that criminals "never deceive you" or that you should be given the ability to always tell when they are being deceptive. We all are carrying devices that can run open-code that provides military-grade encryption written by people who are nothing to do with the US government, capable of encrypting hundreds of megabytes of data a second without even flinching, to the point that the encryption is irreversible within the age of the universe with current technology. Give it up. Sure, you USED to be able to not have to deal with that. Now you can't.
If the PGP / Zimmerman suit had prevailed, you might have had some control. But any mathematician with a numerical recipes book, any decent coder, anybody with a copy of Maple or Matlab or similar can give you a maths puzzle that you can never reasonably solve without having to do more than include a library or run a function. And every member of the public has a device in their pocket that's encrypting hundreds of connections an hour.
There is no backdoor that you can reasonably use.
Careful. The TSA have a master key that has to be able to open any locked luggage that enters the US. So they sell locks that are TSA approved, meaning the lock will fit the master key. (I assume if not they break the locks)
I read an article that actually said "Don't worry, only TSA approved staff have access to the key." :)
So America wants a skeleton key because they already have one for physical luggage.
Literally, the signal-to-noise of what they want plummets the second that you capture ordinary people in the loop
That presumes that the real reason is an attempt to capture the 'bad guys'. Problem with that again is thay the definition of 'bad guys'is constantly shifting.
'if we can put a man on the moon, surely we can put a man on the sun,'
Actually, that's not a great analogy for back-door encryption. It's not physically impossible to put someone 'on' the sun, just insanely difficult. It is not mathematically possible to have encryption back-doors without undermining the whole encryption system.
Oh you jest but when I showed my mate a picture I took of mercury transiting the sun the other year, his first question was "is that the moon"? When I explained it was the sun with its closest body passing across it, question 2 was "Did you take the picture at night"?
Shoot me now.
I suspect that most people who could understand the math around the halting problem could understand the math about crypto back doors.
It did take a year or two of university math to prepare to prove the relevant theorems. How many government funtionaries or politicians will have that? (which hints at a wider and deeper problem)
Why not just counter with Turing's Halting Problem disproof?
All you need is a super-Turing computer. Like, for instance, an Analogue X Machine.
Turning your intended analogy on its head, I guess politicians and spooks can dream of an entirely new crypto framework. Then un-inventing our existing framework can be the next thing after brexit to keep them away from reality.
This post has been deleted by its author
"Contrary to popular belief and what most mathematicians will tell you, all of the digits in the decimal expansion of π are known! They are: 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9. It is the order that they appear that is not known."
Hell, it's even easier if you use the pinary representation: 1π
This post has been deleted by its author
All you need is a super-Turing computer. Like, for instance, an Analogue X Machine.
Hypercomputing machines aren't counterexamples to the Halting Problem proof, since the proof only establishes that the HP is not computable (or, if you prefer, "effectively computable").
You could just as well state that the HP can be solved by a magical all-knowing oracle. It's not an interesting claim. (That's not to say there's no value in hypercomputing research,1 just that "hey, a hypercomputing machine could solve the HP!" isn't in itself a productive observation.)
The same applies to "secure" cryptographic backdoors. We can imagine various non-realizable systems for achieving them, but as we're unable to construct any of them, that doesn't support Wray's thesis.
(Technically, of course, there are uncertain2 - possibly-correct - hypercomputing designs which can be realized. That doesn't help with the HP, though, and I don't see it helping with crypto backdoors; we already have classical protocols for converging on the correct output of a decryption function.)
1Though certainly some people have argued there isn't.
2And nothing is certain anyway, if you're logical. Doxastic logic shows that any reasoner of sufficient power can never believe in its own consistency, without thereby becoming inconsistent.
> Why not just counter with Turing's Halting Problem disproof? If one cannot accept formal proof of an impossibility, one doesn't believe in math, meaning one's not in touch with reality and should be dismissed.
@ Charles9: your logic is impeccable but wasted: there are plenty of politicians whose preference for God over evolution is a positive advantage to being elected, so a preference for wishful thinking over mathematics will barely register.
Why not just counter with Turing's Halting Problem disproof?
(I take issue with the word "disproof", but whatever. I'm also not certain that the HP is isomorphic to "secure" cryptographic backdoors, but again that's peripheral to the main question.)
Because the whole problem is that Wray, and others like him, either 1) know that it can't be done securely but don't care, or 2) are determined to remain ignorant.
They use facile analogies like man-on-the-moon to sway public opinion and influence others who don't understand the technical issues.
Countering that with technical arguments is rhetorically pointless. People who understand the math are either on the side of the angels, or mendacious. People who don't have no reason to find the argument persuasive, because they don't understand it.
Maybe he meant the Sun has no solid surface so you can't really put a man of the Sun, even if you can survive the heat and radiations, and be able to decelerate enough in such gravity well. It's not a matter of technological innovations.
Anyway, to get to the Moon US needed a not so small number of 'available' German scientists and engineers... instead of dreaming about backdoors, it would be smarter to stop to piss off long time allies and collaborate efficiently in fighting crime.
The "surface" gravity of the Sun is about 27 Earth g's.
And of course there is no actual "surface" to land on.
But idiot politicians will hike you their diapers and stream at the top of their lungs "We want you to land on the Sun" anyway.
Not sure what the journey time to the sun would be (judging by the queues to use the Channel Tunnel at present, due to a few temperature problems, probably infinite), google says 19 years. By that time any encrypted messages should easily have been cracked, so he just needs to be patient.
"It's not physically impossible to put someone 'on' the sun, just insanely difficult."
Without some form of force-field, it actually is impossible to put someone 'on' the Sun.
The temperature of Sol's photosphere is ~5700K but the most refractive metal, Tungsten, melts at just 3695K. But even if you could find a usable compound that could maintain its integrity as a vessel at those temperatures then without a cooling system everything inside it would also soon reach the same temperature. That cooling system would have to remove the heat from inside the vessel to somewhere cooler, which would mean far away from the Sun - think heat-pipes that are tens of thousands of miles long. Trouble is, not only would the cooling system need to be able to transport heat energy away from the vessel but it would also need to be able to keep itself cool enough to maintain its own integrity.
Then there's the issue of radiating heat away in space...
RE: Tungsten melting point, temperature on the sun's surface
Well in theory as the metal vaporizes, it absorbs latent heat of fusion from whatever material it's attached to (and/or being heated by) - think of the heat shiield on the Apollo spacecraft as it was coming back to earth.
But other materials would make a better heat shield. And they would be consumed, rapidly. So there's an obvious time limit involved.
So it's possible, but not practical.
That of course is a complete distraction to the original point, the absolutely STUPID comparison of 'man on the moon' to 'back-doorable encryption'. How about this Mr. FBI dumb-dumb: FREEDOM. PRIVACY. SELF-RELIANT SECURITY. SELF-DEFENSE. yeah you don't want THOSE either, do you?
The researchers found a list of 809 targeted organizations, two thirds of which were in Saudi Arabia, the Lebanon, Israel and Kuwait also targeted. Occam's Razor would suggest that maybe the Iranian hacking teams have a new subgroup that's going to work.
I could understand Iran targeting Saudi Arabia and Israel, but Lebanon and Kuwait? Why would they do that?
Particularly Kuwait. This state has been long considered "neutral" in the Gulf tensions and whatnot.
Of course, it's bollocks, but the social engineering was quite clever, using a stolen password to convince the recipient that the threats were real.
Imagine you used porn. And the same password on everything.
These two facts are enough to at least shake your and, at most, make you shit your pants.
Just try putting yourself in the victim's shoes.
Why bother? Looks like there are plenty of victims ready to cough up without it.
Yes, but that's orthogonal to Charles9's point, as I understood it: there are some fairly obvious protocols for confirming the threat.
Obviously a subset of potential victims won't think to employ those protocols. But that's always been true of phishing scams, which generally try to minimize costs to the attacker and gather the low-hanging fruit. Sometimes they're deliberately stupid to reduce the number of potential victims who initially engage but then bail out.
I got one of those blackmail e-mails today, demanding 300 bitcoin or something. The FBI got a copy of it on their on-line complaint web site (with mail headers). Yes, NOTHING is too good for our new special friend!
It's the best thing to do with it, forward to whatever law enforcement agency has jurisdiction. And the "you can't find me I'm in another country" taunt at the end was laughable, at best.
[I wonder how many people received this e-mail, obviously a bulk mailing]
"but a REAL blackmailer would provide proof it's not a bluff: just a little taste from something actually belonging to the victim"
You mean like that new spam that's going around? I got a few over the past couple of days. It actually includes a password of mine, and claims that they used that password to hack into my computer and use the camera to record video of me jerking off, and if I don't pay them an outrageous amount of money, they'll send the video to all of my contacts.
It's a nice try at providing a "little taste", but fails because I haven't used that password in over 10 years and my computer has no camera attached to it. Ignoring the fact that if someone did manage to get such a video, I'd much prefer that it was distributed to everyone in my contact list over paying those people even a single penny, they did try to make it sound like viable blackmail.
Proof of having blackmail goods has to be more substantial than just a little taste.
"Proof of having blackmail goods has to be more substantial than just a little taste."
For it to be an actual taste, it has to be a FRESH and PLAUSIBLE taste. They made the mistakes of (a) using stale data and (b) making a nonsense threat. A REAL blackmailer would actually have dirt and attach say one of the files they exfiltrated as proof.
Imagine you used porn. And the same password on everything.
These two facts are enough to at least shake your and, at most, make you shit your pants.
Well, no, it wouldn't, because I wouldn't use a machine with a camera for my recreational activities.
I certainly understand the social engineering in this attack, and it's moderately clever. But let's not overstate the case.
The idea that we can't solve this problem as a society -- I just don't buy it.
Well, I don't buy that the good US Government (as a whole) is going to use the power of "backdoor" to do any good. One good example is when US George Bush confronted Saudi Arabia about them buying from Airbus. The information came from an encrypted email between Saudi Arabia and Airbus which the NSA was able to intercept & decipher.
Next, I don't also "buy it" that the good US Government knows how to keep this "backdoor" within the US Government. (I mean, ETERNAL BLUE, ring a ding-ding anyone?)
Seriously, if the US Government want decryption keys or encryption back doors, then this should go "both ways": (Highly) Confidential documents be open to the public.
"We're a country that has unbelievable innovation," he said. "We put a man on the Moon. We have the power of flight. We have autonomous vehicle. The idea that we can't solve this problem as a society -- I just don't buy it."
Chris (and Theresa), here are a few facts for you:
1) Encryption is mathematics. If you let one entity in on the algorithm, you potentially let everyone in.
2) This behaviour isn't a problem, it's by design. We don't want to lose all semblance of privacy just because a few god-botherers and psychopaths have decided to misbehave. We, the people, wish to preserve our privacy.
3) Nobody trusts you. The scope for misuse of a backdoor into anything is almost limitless. You may be all good intentions now but in the future we may want to discuss you without you knowing about it. That's not conspiracy or subversion, it's democracy, a principle you claim to support when you want a vote or two.
4) Your record for keeping secrets when they're not yours is appalling. One visit to a motel with your "friend" and the USB drive with the keys to the world's encrypted communications is gone. Once it's gone, it never comes back and we'd have to re-work everything from scratch.
If those aren't enough, I have more. All of these apply to our (the UK's) very own Snoophenge, too.
What's needed is a way to make this so simple to describe that even a total idiot can understand it (failing that, they can be reasonably denounced as complicit). Something like, "How do you prevent your significant other from making a secret copy of your house key?" Or, "How can you be certain the guard holding all the keys to the building isn't a mole?" Something that doesn't even involve maths (since there are those who don't believe in math--yes, they consider it an acceptable break from reality just like President Trump) but even simpler.
Everyone, or nearly, is missing the bureaucrat-speak wording here; how to lie by making it easy to misconstrue what you're saying due to your cognitive bias- without actually lying. It's usually a thing pols are masters of. At that level, he's not a cop, he's just another politician, only not one we vote for.
He's not trying to convince _us_ with this drivel. He knows, we know, we know who knows. He's providing cover for bad legislation, to come.
"as a society" is the key part of the phrase. What he's saying is that we asked nicely, now instead of doing by math, we're just going to get encryption we can't break made illegal - "as a society". This talk isn't aimed really at us, but at legislators, after all, we asked nicely...and they're dumber than a box of rocks and love to be seen doing something.
In his eyes, that means the encryption they can't break is itself a crime. Sure, you can do it - the math is the math - but if caught with it, also go to jail for having it, like drugs. Which allows them all kinds of fun - all they need to find is some random data and you can be accused of anything, stuff like that.
I suppose you could go to jail for inventing it or supplying it, also like drugs, but the ability to not even need Cardinal Richelieu's "6 lines from the purest of men"...solid gold to them. Allows for all kinds of selective enforcement for the Just-Us system we all seem to have these days.
Charles 9 wrote: "What's needed is a way to make this so simple to describe that even a total idiot can understand it ..."
I get where you're coming from but actually I'm not sure this would work. Wray is clearly one of the majority whose knowledge of math is feeble, and a great many of those folks perceive it as both a bit magical but also malleable—rather like their superstitions: your god(s) can be whatever you want them to be.
A tangible analogy referencing house keys might well get the response "Yeah, but they are physical, and math isn't: you can do/write/prove anything with math". They are wrong, but lack even sufficient knowledge to realise how completely wrong they are. This is, after all, a common problem with politicians and people who behave like them: their need to believe counterfactual evidence-free rubbish, coupled with ignorance of the topic, tends to produce mouths flapping earnest recitals of nonsense ... against all reasoned rebuttal.
What I really cannot fathom is why Wray doesn't simply ring his pals at Ft Meade and ask them. One phone call would save him repeating embarassing drivel in public—and save our ears, and many calories of expended frustration.
At the risk of being pedantic, perhaps someone would like to point out where in the interview Wray makes any suggestion of a technical solution to the problem let alone mentions backdoors for encryption.
https://aspensecurityforum.org/wp-content/uploads/2018/07/ASF-2018-A-Chat-with-Christopher-Wray.pdf
Good luck searching, because it isn't in there - TechDirt made up the assertion and El Reg just copied it because, well, everyone's going to believe it. Bonus points for recognising that Wray actively avoided answering the direct question "Have you [found a solution]?" (page 13).
This post has been deleted by its author
"- divide by zero"
This one is solved - it's done in Javascript, based I believe on work done in the maths department at Reading. 0/0 = NaN, anything else divided by zero = Infinity.
Using the result as part of a subsequent calculation is a different matter. It is a bit of an example of Titanic deckchair relocation.
Actually, we can fix world hunger. Humanity currently produces about 30 trillion calories of food per day, enough for every human to have 3500-4000. We also have the technology and manufacturing capacity to solve the distribution problems. The only problem is getting the funding to do so (current estimates peg it at about 100-150 billion USD per year to cover >95% of the human population).
"Humanity currently produces about 30 trillion calories of food per day, enough for every human to have 3500-4000."
But are those 4000 proper, balanced calories to include fruits, vegetables, and so on, also taking veganism and allergies into consideration? Plus when you mention distribution problems, do you include all the rural and isolated areas, including islands?
I'll take "Solve World Hunger." Pegged that one as part of mastering International Development. It's always governments that cause it, directly or indirectly with their policies. We've got the food. Getting it where it's needed is the problem. I've done boots on the ground which is why it ended up as part of my economics portfolio.
Serious eyeopener on how this is used in, e.g. India's, politics in real life.
Just, the 3 letter agencies don't want to admit it.
This constitutes a functional "back door" (with fine print). Virtually every mass produced device has enough implementation bugs to allow anyone in-- a classic example in the extreme is the continuing failure of QKD, works in theory but so far every commercial implementation has breaks (you can't break a true QKD path, although you can brute force comms using a key transmitted by QKD if the key is not equivalent to an OTP with sufficient entropy).
So, Wray dude, build a machine that can break AES256 (and TDES, and...) in real time, preferably hundreds of streams at one time. Oh, surely this is an expensive moon shot so we can certainly do it for the FBI. Wait, you say you also want a CHEAP secure crypto break moon shot, pennies a flight? That dear sir is currently impossible. It is about resources, not ability to implement. Give me a big enough PO, and I'll give you the machine you want (well, not CHEAP).
(fine print) "short" ciphertext messages may not brute force decrypt to plaintext reliably
"You don't need back doors. Just Australian Law. As Australian Prime Minister Malcolm Turnball said, Australian Law trumps the laws of mathematics governing encryption."
Any day now I expect our Aussie governbent to redefine π to be 10, coz we is a metric country and it's just easier all 'round. Or maybe 1, that's even easier.
0 Ban/break encryption? Fine. Mathematicians already have the "next thing" up their sleeves: (7cfdd8)
1 http://people.csail.mit.edu/rivest/chaffing-980701.txt (626648)
2 Surrender my encryption keys on pain of prosecution? Well, sorry, I don't do any encryption... (12ac7c)
...but we can't do it faster than the speed of light, despite all out "innovation".
[Sounds better to me than the "can't put a man on the Sun" retort: we can, in principle, send the FBI Director to the Sun. He won't survive for long, but that's a different matter.]
Samsung shouldn't be trusted with software:
Security Researcher Finds 40 Zero-Day Vulnerabilities in Samsung’s Tizen OS
Enlightened (need a free hour to read all this)
Describing Wray's position on his interview as having advocated back-doors for encryption because that's what the TechDirt article says is lazy journalism.
Go and read the eff-ing transcript of the interview before echoing what other people have already written who also haven't paid attention. Try https://aspensecurityforum.org/wp-content/uploads/2018/07/ASF-2018-A-Chat-with-Christopher-Wray.pdf, see page 12.
Wray was fairly careful in his selection of responses, and he kept his statements related to 'legal process' and not to a technical solution that isn't even mentioned in the interview. To a large extent he actively avoided answering the question. There is still a need to keep up pressure on legislative bodies to avoid all the shag and hassle of having to prove, yet again, that you can't backdoor encryption even through the magic of legislation, but that doesn't give tech journos the remit to make stuff up just because they want to believe in something.
That part of the article is a bit of shoddy tat. Investigate then report - not cut-and-paste opinions from other outlets to make the copy up.
CSIRO in partnership with NASA are currently seeking via seek a Computer Systems Administrator with experience in Sun, and scripting in TCL/TK, which is the majority of the code base for 'FooCrypt,0.0.1,Core', so I applied, and am currently seeking a response to my query :
'On my reading of the Position Description, there appears to be no reference to security clearance requirements, can you clarify if a security clearance is required and whom conducts the security clearance.
I'm assuming the position requirements is not in any way in correlation with the recent comments by the head of the F.B.I. in requirements for encryption back doors.'(sic)
CSIRO in partnership with NASA are currently seeking via seek a Computer Systems Administrator with experience in Sun, and scripting in TCL/TK, which is the majority of the code base for 'FooCrypt,0.0.1,Core', so I applied, and am currently seeking a response to my query :
'On my reading of the Position Description, there appears to be no reference to security clearance requirements, can you clarify if a security clearance is required and whom conducts the security clearance.
I'm assuming the position requirements is not in any way in correlation with the recent comments by the head of the F.B.I. in requirements for encryption back doors.'(sic)
The correct metaphor here is the burglar who breaks into your house when the family is away on vacation and then leaves the door off its hinges when he escapes into a stormy night. The house, of course, gets inundated and probably visited by both other nefarious humans and hungry wildlife. By the time you get back the place is near uninhabitable and certainly not a safe place for your kids to sleep.
Tacked on that last sentence just to be able to say, "What about the children?"
Can't really blame the FBI. Their brothers over in the NSA and CIA have been playing the vandal burglar for years while pretending to protect the public, and have only recently been getting called out for it by the technical community.
I actually pounded 'End Game' [ C.I.A. Financed & staffed by ex N.S.A. head / other defence personal ] for their interference in my software this year via my submission report for the D.T.C.A. [ headed by the former Inspector General Of Intelligence ] review after it took them over 6 weeks to 'white list' it.
http://www.defence.gov.au/publications/reviews/tradecontrols/Docs/Mark_Lane.pdf
Anonymization doesn't work in the face of Big Data, so any time someone claims it's all good because they anonymize user data, they're either intentionally lying or they have so little understanding of the issue that they can't be trusted with handling any data whatsoever.
Checking terms and conditions of a service is all well and good, but 99% of them will tell you the same thing: "we'll use your data as we see fit". Also, let's not forget that a large number of these statements specifically include language that allows them to unilaterally change them, without notice, at any time. Which means that you can't trust them no matter what else they say.
Cloudy services are like War Games: the only winning move is not to play.
Government asking for their own master key as a standard for a crypto scheme to thwart criminals is in the same vein as doing away the police and let just criminals report themselves because these are definitely the kind people that wants to get caught for their deeds. Both are equally just as retarded.
While we did - a few times, 45 years ago - put men upon the Moon, we cannot do so NOW - nor will we be able to do so for longer than the entire Apollo Project took. If the cures for AIDS and all cancers were deposited on the Moon by godlike aliens, we couldn't go get it for at least 10 years.
And going to the Moon was trivial compared to creating crypto that the USA could crack - but that nobody else ever could. Any crypto backdoor _WILL_ be used against us. Not only are there more Chinese and North Korean programmers working on that, one of our own people would most certainly sell it to them. Aldrich Ames; the Walker brothers; Edward Snowden; Bradley Manning - the list of traitors goes on and on.
It MIGHT be possible to create crypto that they cannot hack - but not if there's a backdoor anywhere. By claiming that they want a way to hack our computers, they're flat out stating that the FBI and CIA and all the three-letter agencies DO NOT CARE about _OUR_ security. It's the "clipper chip" all over again!
The real irony is how we were able to get to the moon in the 1960-70s but yet we can't do it now despite with our massively more collective global wealth. I think I know the answer why: unbridled capitalism concentrates said wealth into the hands of the few, who has no vision with their money other than getting more of it while spending them on their 1000th real estate, luxury yachts and Ferraris.
"The "surface" gravity of the Sun is about 27 Earth g's."
Well that's a crushing disappointment.
I am pleased that you understand the gravity of this sort of operation.
Mine's the one with the warm glowing pockets.
"We send them at night when the sun is cold."
Why do I hear Spike Milligan's voice when I read that line?