FBI Director Claims That The World's Most Knowledgeable Cybersecurity Experts Are Not 'Fair Minded' About Encryption Backdoors
from the oh-really? dept
Earlier this week, we noted that a huge list of companies, non-profits and cybersecurity experts had signed a letter to the White House about the stupidity and danger of trying to order backdoors into encryption (disclaimer: we signed the letter as well). While many in the press focused on the companies that had signed onto the letter (including Google, Apple, Cisco, Microsoft, Twitter and Facebook), as we noted, what was much more interesting was the long list of cybersecurity/encryption experts who signed onto the letter. Just in case you don't feel like searching it out, I'll post the entire list of those experts after this post.
It's a who's who of the brightest minds in encryption and cryptography. Whitfield Diffie invented public key cryptography. Phil Zimmermann created PGP. Ron Rivest is the "R" in "RSA." Peter Neumann has been working on these issues for decades before I was even born. And many more on the list are just as impressive.
So how do you think FBI director James Comey -- who has been leading the charge on backdooring encryption -- responded to these experts?
By calling them uninformed.
I wish I was joking.
A group of tech companies and some prominent folks wrote a letter to the President yesterday that I frankly found depressing. Because their letter contains no acknowledgment that there are societal costs to universal encryption. Look, I recognize the challenges facing our tech companies. Competitive challenges, regulatory challenges overseas, all kinds of challenges. I recognize the benefits of encryption, but I think fair-minded people also have to recognize the costs associated with that. And I read this letter and I think, “Either these folks don’t see what I see or they’re not fair-minded.” And either one of those things is depressing to me. So I’ve just got to continue to have the conversation.
First of all, it's kind of hilarious for the FBI director to be arguing that the people who signed that letter haven't done a cost-benefit analysis, since we've noted that the intelligence and law enforcement communities almost never do such an analysis. They always insist "more surveillance" must be better, without considering the costs involved.
And then there's this, showing that Comey still doesn't understand the letter at all:
We’ve got to have a conversation long before the logic of strong encryption takes us to that place. And smart people, reasonable people will disagree mightily. Technical people will say it’s too hard. My reaction to that is: Really? Too hard? Too hard for the people we have in this country to figure something out? I’m not that pessimistic. I think we ought to have a conversation.
Hey, Comey! No one is saying it's "too hard." They're saying it's IMPOSSIBLE to do this without weakening everyone's security. Impossible. It's not a "hard" problem, it's an impossible problem. Because if you weaken security to let the FBI in, by definition you are weakening the security to let others in as well. That's the point that was being made.
And this is important. For all of the ridiculous claims by Comey and others that we need to "have a conversation" on this, we do not. A conversation is counterproductive. All of these people can and should be working on systems to make us all more safe and secure. But if they have to keep explaining to ignorant folks like Comey why this is a bad idea, then they are taken away from making us safer. You can have a discussion over things that are hard. But there is no point in having a discussion over things that are impossible.
Security and Policy Experts
Hal Abelson, Professor of Computer Science and Engineering, Massachusetts Institute of Technology
Ben Adida, VP Engineering, Clever Inc.
Jacob Appelbaum, The Tor Project
Adam Back, PhD, Inventor, HashCash, Co-Founder & President, Blockstream
Alvaro Bedoya, Executive Director, Center on Privacy & Technology at Georgetown Law
Brian Behlendorf, Open Source software pioneer
Steven M. Bellovin, Percy K. and Vida L.W. Hudson Professor of Computer Science, Columbia University
Matt Bishop, Professor of Computer Science, University of California at Davis
Matthew Blaze, Director, Distributed Systems Laboratory, University of Pennsylvania
Dan Boneh, Professor of Computer Science and Electrical Engineering at Stanford University
Eric Burger, Research Professor of Computer Science and Director, Security and Software Engineering Research Center (Georgetown), Georgetown University
Jon Callas, CTO, Silent Circle
L. Jean Camp, Professor of Informatics, Indiana University
Richard A. Clarke, Chairman, Good Harbor Security Risk Management
Gabriella Coleman, Wolfe Chair in Scientific and Technological Literacy, McGill University
Whitfield Diffie, Dr. sc. techn., Center for International Security and Cooperation, Stanford University
David Evans, Professor of Computer Science, University of Virginia
David J. Farber, Alfred Filter Moore Professor Emeritus of Telecommunications, University of Pennsylvania
Dan Farmer, Security Consultant and Researcher, Vicious Fishes Consulting
Rik Farrow, Internet Security
Joan Feigenbaum, Department Chair and Grace Murray Hopper Professor of Computer Science, Yale University
Richard Forno, Jr. Affiliate Scholar, Stanford Law School Center for Internet and Society
Alex Fowler, Co-Founder & SVP, Blockstream
Jim Fruchterman, Founder and CEO, Benetech
Daniel Kahn Gillmor, ACLU Staff Technologist
Robert Graham, creator of BlackICE, sidejacking, and masscan
Jennifer Stisa Granick, Director of Civil Liberties, Stanford Center for Internet and Society
Matthew D. Green, Assistant Research Professor, Johns Hopkins University Information Security Institute
Robert Hansen, Vice President of Labs at WhiteHat Security
Lance Hoffman, Director, George Washington University, Cyber Security Policy and Research Institute
Marcia Hofmann, Law Office of Marcia Hofmann
Nadim Kobeissi, PhD Researcher, INRIA
Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology
Nadia Heninger, Assistant Professor, Department of Computer and Information Science, University of Pennsylvania
David S. Isenberg, Producer, Freedom 2 Connect
Douglas W. Jones, Department of Computer Science, University of Iowa
Susan Landau, Worcester Polytechnic Institute
Gordon Fyodor Lyon, Founder, Nmap Security Scanner Project
Aaron Massey, Postdoctoral Fellow, School of Interactive Computing, Georgia Institute of Technology
Jonathan Mayer, Graduate Fellow, Stanford University
Jeff Moss, Founder, DEF CON and Black Hat security conferences
Peter G. Neumann, Senior Principal Scientist, SRI International Computer Science Lab, Moderator of the ACM Risks Forum
Ken Pfeil, former CISO at Pioneer Investments
Ronald L. Rivest, Vannevar Bush Professor, Massachusetts Institute of Technology
Paul Rosenzweig, Professorial Lecturer in Law, George Washington University School of Law
Jeffrey I. Schiller, Area Director for Security, Internet Engineering Task Force (1994-2003), Massachusetts Institute of Technology
Bruce Schneier, Fellow, Berkman Center for Internet and Society, Harvard Law School
Micah Sherr, Assistant Professor of Computer Science, Georgetown University
Adam Shostack, author, “Threat Modeling: Designing for Security”
Eugene H. Spafford, CERIAS Executive Director, Purdue University
Alex Stamos, CISO, Yahoo
Geoffrey R. Stone, Edward H. Levi Distinguished Service Professor of Law, The University of Chicago
Peter Swire, Huang Professor of Law and Ethics, Scheller College of Business, Georgia Institute of Technology
C. Thomas (Space Rogue), Security Strategist, Tenable Network Security
Dan S. Wallach, Professor, Department of Computer Science and Rice Scholar, Baker Institute of Public Policy
Nicholas Weaver, Researcher, International Computer Science Institute
Chris Wysopal, Co-Founder and CTO, Veracode, Inc.
Philip Zimmermann, Chief Scientist and Co-Founder, Silent Circle
Filed Under: backdoors, cybersecurity, encryption, fbi, james comey, phil zimmermann, ron rivest, security, whitfield diffie
Reader Comments
The First Word
“They don't want a conversation.
We had a conversation. It didn't go the way they wanted. So now they want a monologue.
[ link to this | view in thread ]
And pervasive surveillance has zero cost in his mind, it seems. I've seen and talked to people like him. They don't give a fuck about rights and the well-being of others as long as their narrow view of what is right is implemented.
I've been in discussions with people that advocate dictatorships are good because people are too ignorant to be left free and allowed to choose things and otherwise live without some totalitarian ruling them. And I don't mean some crazy ass out there, oh no. One of them was in his 25's, about to become a father and is generally a good person. This is scary.
He may actually be genuinely 'depressed' even if it's a consequence of his total ignorance of how encryption works. This is scary. And it's even scarier when you think that people have been trying to explain those types about encryption and why a 'golden key' destroys it for a while now and he simply refuses to learn. As I said, he is not alone out there.
[ link to this | view in thread ]
A failure of wishful thinking
[ link to this | view in thread ]
Being Fair Minded
Others say that:
I'm no expert on where the sun rises or where it shines but there are a lot of smart people in silicone valley and if they put their mind to it, the sun could rise in the West.
Those narrow minded people who say the sun rises in the East are not being Fair Minded.
[ link to this | view in thread ]
I suppose there's always the possibility that Comey considers all of that to be a feature anyway.
Comey: "I want a backdoor inserted into all strong encryption."
Every crypto expert ever: "That's impossible! It would irrevocably weaken everyone's security!"
Comey: "Then it's not impossible."
[ link to this | view in thread ]
Umm okay. I think I know who I'm going to believe. Wake me up when the White House stops appointing morons in charge of tech-related policies.
[ link to this | view in thread ]
Either it's protected from 'good guys' or it's vulnerable to 'bad guys'.
But good luck telling people no who have redefined 'no' to mean 'yes and' and are allowed to get away with anything without repercussion.
[ link to this | view in thread ]
Giving me money is too hard? For the people who read this comment section? Hah. They're far too resourceful and intelligent to call it too hard.
[ link to this | view in thread ]
Idiot's logic
[ link to this | view in thread ]
Re: Being Fair Minded
The sun could rise in the west if:
a) "West" was redefined to mean "East" (the US Gov't is good at this one)
b) The earth is flipped on its axis. Of course, the process of doing this would likely destroy all life on earth, but the goal of making the sun rise in the West would be accomplished.
Likewise, giving the US government a "golden key" is not impossible like Mike stated it was -- it is just "less desirable to the human race and specifically US citizens" than pervasive uncrackable encryption.
The security industry and Comey are talking at cross purposes here: anyone with half a brain knows that compromising security compromises security, full stop. Comey isn't talking about that really; he's talking about accepting a compromised state of encryption and depending on other mechanisms to prop it up.
Of course, at the end of the day, this is also impossible. Something is either known or it isn't. Copyright, DRM and patents have shown us what happens in this arena.
[ link to this | view in thread ]
Sorry I missed signing this one
I suspect that he knows this, but is hoping that sufficient repetition combined with the usual pounding on the drums of fear will convince enough people otherwise.
[ link to this | view in thread ]
Comey must be on some heavy anti-depressants if other aspects of reality depress him as much as encryption does. There are societal costs to the fact that we can't read each other's minds or that people are able to tell lies, but you don't see people lamenting that and calling anyone who says those aren't possible/practical to "solve" uninformed.
[ link to this | view in thread ]
Re: Re: Being Fair Minded
[ link to this | view in thread ]
Re: Sorry I missed signing this one
The government is doubleplus good at math.
[ link to this | view in thread ]
I'm so glad to be called uninformed...
Considering that, just yesterday, I spent my morning writing a non-technical explainer on the latest UXO from the first crypto war that just blew up in our faces...
[ link to this | view in thread ]
Re:
Are you challenging Sleeping Beauty's record?
[ link to this | view in thread ]
Re:
And the weaker, the better... that's what he's arguing for here.
[ link to this | view in thread ]
Re: I'm so glad to be called uninformed...
According to Comey, encryption is not supposed to be strong, it's supposed to be easy for government subversion.
Sounds like you're indeed uninformed.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
The technical term
[ link to this | view in thread ]
Re: Re: Being Fair Minded
But as Comey says, we need to have a conversation about whether the sun rises in the East or the West.
[ link to this | view in thread ]
Comey's right, of course.
That's a soluble problem: you narrow the gap from two points: first you throw money at "computationally hard". Idiotically much money, but that's what the NSA steals from the government anyway, using blackmail and other threats.
And then you work on the consensus using blackmail, threats, torture and bribes.
That's the manner in which the NSA bought itself elliptical curve constants from standard committees and RSA.
It's not that those opposing groups are uninformed or not fair-minded about the mathematics. They are uninformed or not fair-minded about the depravity and recklessness that the NSA is capable of employing and about its means for corrupting experts.
The NSA clearly did manage to corrupt encryption for their own use in NIST standards and RSA protocols, in areas which were pretty safely encrypted if you had no information of the skeleton keys used for creating the published elliptic curve cryptography constants. So basically turning the mathematical problem into one of keeping the underlying general keys hidden. Which is not particularly torture-and-bribe-safe. But puts the game in the ballpark they are comfortable with. And if it blows up, they get to blame the mathematicians.
They do know what they are talking about here. Criminal depravity. They are experts in that.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
“these folks don’t see what I see...”
Of course they don't see what you see. I'm impressed that you got your own head in there, I don't think there's room for anyone else.
[ link to this | view in thread ]
"Could you please just give me your password?"
"Don't worry, I work for an important agency, your password is safe with me."
"If you don't give me your password, you'll get in trouble."
"If you don't give me your password, bad things will happen to someone else!"
"Your boss said not to share your password? They must have forgot to let you know that I can have it."
The FBI knows that if you can't attack the encryption, finding a way to weasel in through social engineering is a plausible and often effective tactic. It's often easier to fool people than a computer.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: I'm so glad to be called uninformed...
[ link to this | view in thread ]
Re:
More appropriately: he wants you to leave an extra key under the mat where only your son can find it. Still not exactly how it might work, but more along the lines of what he's asking for.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
"Just in case."
[ link to this | view in thread ]
Re: A failure of wishful thinking
[ link to this | view in thread ]
7 perpendicular lines
https://www.youtube.com/watch?v=BKorP55Aqvg
That's ok. Obviously the experts must be wrong because you can do ANYTHING if you just try harder!
[ link to this | view in thread ]
I am confused
[ link to this | view in thread ]
Re: I am confused
[ link to this | view in thread ]
Re: Re: Being Fair Minded
[ link to this | view in thread ]
http://www.phoronix.com/scan.php?page=news_item&px=HTTPS-Logjam-Vulnerability&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Phoronix+%28Phoronix%29
Let's be clear: Logjam exists as a direct result of forcing weaker encryption on export in the 90s, thus allowing people to use lesser SSL encryption for compatibility sake. That allowable downgrade is exactly the vector this attack uses.
To quote the article:
Another HTTPS vulnerability has started to make its rounds earlier this morning. Dubbed Logjam by its researchers, the vulnerability stems from the US's encryption export mandate back in the 1990s. This particular vulnerability, in the transport-layer security layer protocol, breaks the Diffie-Hellman perfect forward-secrecy. Susceptibility to the vulnerability is depended on servers and clients supporting the DHE_EXPORT encryption scheme, or using a key less-than-or-equal to 1024 bits.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: A failure of wishful thinking
Any compromise of his "conversation" will likely result in a ban on some types of encryption.
Welcome to the encryption wars 2.0!
[ link to this | view in thread ]
You are missing something here...
A group of tech companies and some prominent folks wrote a letter to the President yesterday that I frankly found depressing.
...
James Comey is suffering from depression. This is a cry for help. He REALLY needs to have the conversation... with his therapist. Really.
It's okay. James, we understand. Go talk it out. It will make you feel better. In the meantime, leave the policy making to people who actually know what they are talking about.
[ link to this | view in thread ]
Re: Re: Re: Re:
I'm not familiar with Walter, Sybil, or Wendey; it's been a long while since I looked at the literature.
[ link to this | view in thread ]
Re: Re: I'm so glad to be called uninformed...
Unless of course they did find them, in which case it's the revelation that's inopportune.
[ link to this | view in thread ]
Re: The technical term
[ link to this | view in thread ]
Re:
If the occasional person disappeared or got fed through a woodchipper, isn't that an acceptable price to pay for being able to embrace western fashion?
The trouble with back doors, is as experience with XP and other software has shown, once the hole is deployed, it's there for a decade or more. In order to deploy a back door, the compromised security is distributed widely; some people know the back door, some know how it was done, etc. If it's a common set of keys, that information would be worth a fortune. Once the "other side" knows it, you would have no way of updating everyone. Plus, if it's not subject to wide peer review, then just how good is it?
Remember DVD encryption? All those crazy music DRM schemes? Blu-ray? How long did any of those take to break - and once the genie is out it was too late.
Plus, what are you going to do? Make it illegal to use a Swiss Skype-like service? Make it illegal for your browser to download a foreign encryption add-in? Possession of TrueCrypt will land you 5 years in jail?
[ link to this | view in thread ]
Re: Comey's right, of course.
If it had actually come into widespread use, more people would be looking at it. It's not an easy problem (like FEAL was), so there would have to be more incentive into finding the backdoor. I imagine some of the experts would have pooled their money and offered a prize to add even more incentive.
[ link to this | view in thread ]
Re: 7 perpendicular lines
https://www.youtube.com/watch?v=B7MIJP90biM
[ link to this | view in thread ]
Re: “these folks don’t see what I see...”
That would certainly explain the cephalocoprorhea he's suffering from.
[ link to this | view in thread ]
One Example. .
Unless you believe he remained FBI director for so long, based on his charming personality and how he looked in a prom dress!
[ link to this | view in thread ]
Re: Re: Comey's right, of course.
Everyone knows the "backdoor sauce."
The ECC issue was not that it introduced a backdoor as such, it's that it introduced a flaw in the random number generation that dramatically reduced the search space for keys. Even with the reduced search space, factoring those keys is still a huge computational task. The weakness just moved the task from "effectively impossible" to "possible".
The NSA's hope was that the crypto would still be strong enough that only the resources of nations or major corporations could pull that off. Which is a crazy hope, considering that you can get supercomputer-level computing resources very cheaply nowadays. If you want to own the hardware yourself, it's about on par with buying a house. Or you could use cloud computing services.
[ link to this | view in thread ]
Re: Re: Comey's right, of course.
[ link to this | view in thread ]
Re: Re: The technical term
Simple, just encrypt it.
[ link to this | view in thread ]
The funny thing to me is....
[ link to this | view in thread ]
They don't want a conversation.
[ link to this | view in thread ]
Not Unfair ...
[ link to this | view in thread ]
Re:
Tell them to read a history book. There are a lot of idiots, but "absolute power corrupts absolutely". I'd rather take my chances with the idiots.
[ link to this | view in thread ]
Re: The technical term
Any crypto key could be encrypted by a second public key with the corresponding private key being held by a third party. That encrypted key is sent to the government. If they want to get the key back they just need to ask the third party to decrypt it.
If a criminal on the other hand wants to decrypt that key they just need to catch the encrypted key on the wire (trivial) and then take a lead pipe and 'ask' the third party to decrypt it in exchange for keeping their kneecaps.
[ link to this | view in thread ]
Re: Re: Re: Comey's right, of course.
The OP mentions curve constants so I assume he meant the first issue, and it does entail a genuine back door. Knowing the magic number that is the precursor to the published constants reduces the time it would take to break a message encrypted using a NIST curve from 'functionally never' to 'next week, maybe sooner'.
[ link to this | view in thread ]
I wish someone would connect the dots once and for all
They've long realized that's the ONLY thing that can defeat surveillance and by proxy the only real threat to the Status Quo.
Reflect deeply on this
[ link to this | view in thread ]
Re: A failure of wishful thinking
[ link to this | view in thread ]
The Real Issue IMHO Is Financial Loss
[ link to this | view in thread ]
Re: Re: Re:
Even more accurately, to mail the police a spare key.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
He is claiming: if all the smart people get together and try really hard, they can make back-doored encryption that all the smart people can't break.
How does he know it stops there? Maybe if they try even harder, they'll find a way to break it.
Don't sell them short! They're really smart!
[ link to this | view in thread ]
Re:
Or sit down at home, like this guy, and try to deduce from a-priori platitudes whether the Irresistible Force is stronger than the Immovable Object.
[ link to this | view in thread ]
I don't remember ...
[ link to this | view in thread ]
Re: Re: Re: Being Fair Minded
[ link to this | view in thread ]
Re: Re: The technical term
[ link to this | view in thread ]
Re: The technical term
[ link to this | view in thread ]
We NEED protection against the bad guys
Thus we need encryption.
[ link to this | view in thread ]
let's change math and reality through laws
this is totally Ayn Rand's Atlas Shrugged:
Morons in power trying to manipulate reality (MATH?) through stupid laws.
[ link to this | view in thread ]
These So-Called "Expets" Are Obvouisly Lying
Thats a very one-sided and HIPPOCRITICAL form of "expertise", if you ask me.
[ link to this | view in thread ]
Re: Comey's right, of course.
[ link to this | view in thread ]
let's change math and reality through laws
to put a gun on every security expert's head until they create our wished "unicorn front door" with our "pure soul unicorn key"... or else! Comey James - FBI Director
this is totally Ayn Rand's Atlas Shrugged:
Morons in power trying to manipulate reality (MATH?) through stupid laws.
[ link to this | view in thread ]
They're not stupid- you're missing the forest for the tree's.
[ link to this | view in thread ]
Re:
Because the U.S.A. specializes in making the next generation so much more dumb that they don't stand a chance to figure out what the current generation has been thinking.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: They're not stupid- you're missing the forest for the tree's.
[ link to this | view in thread ]
Re: A failure of wishful thinking
[ link to this | view in thread ]
Re: Re: They're not stupid- you're missing the forest for the tree's.
[ link to this | view in thread ]
Re: doublethink, linebreaks
TD has often refused properly formatted posts for me- maybe this is fixed now. In any case lack of line breaks was deliberate.
[ link to this | view in thread ]
Re: Re: doublethink, linebreaks
No amount of understanding or trying to see it from the misguided point of view is going to start making rational people empathize, or suddenly convince Comey to stop being a dumbass.
And really, if your whole aim was to be taken seriously, annoying people by refusing to use line breaks was a stupid move.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:Re: Re: doublethink, linebreaks
What's being asked for is most certainly possible- it also has the major 'no f'n way' caveats of introducing potentially fatal security flaws, and generally turning the entire concept of property ownership and human rights on its head (and numerous other things, but I digress). Yes, they could certainly have a backdoor that was 'only for the good guys', until either a human issue or a bug/exploit opened it much wider, and they could have something update-able that could fix that, until it couldn't under some circumstance. It's history that makes it clear that this wouldn't work, not a rational theoretical measure of what's technically possible. I'll come back to this.
The central point I've tried to make is this could be rationally viewed in many ways as a massive improvement over what is currently going on.
Comey is not dumb- he wants people to be secure from everyone except the government, and he surely recognizes that what's going on now is significantly hurting security far more than a mandated crypto backdoor would.
You don't get to a position like Comey's unless you are very intelligent, believe in authoritarianism, and have people's best interest at heart under that context. ..maybe that's a can of worms to say here- but I stand by the statement- road to hell paved with best intentions and all that. power grows and corrupts. all tyrants start out as (and usually believe they are) protectors. (not saying he is a tyrant... just a general observation- Plato's actually)
Most people seem to have missed that a lot of tech has been going in this direction already anyway. Cellphones are a perfect example with how people seem to be (blissfully ignorant of or) quite fine with a carrier controlled CPU and OS (the baseband) operating below the user's OS, and having unrestricted access to network, ram, and user files. That's a backdoor in all but name- watch what the blackhats can do with it on youtube. EFI/UEFI could (probably does in some cases) easily implement something similar.
Existing POC's (proof of concepts) have shown hardware backdoors can be hidden directly in CPU architecture during manufacture- disguised to look like manufacturing errors. Additionally, POC chips have been made which will self destruct if subjected to requisite testing procedures for discovery of such. POC's such as these cost a monumental amount to achieve- it's doubtful the designs wouldn't be put to use at whatever scale can be achieved. These manufacturing processes were conceived to control exported weapons platforms- not much of a stretch these days (from an authoritarian perspective) to include general purpose computers in that category. Implementation of such could be explained away as a means to protect IP on device design to stop counterfeiting.
Take a moment to search, and see how many examples (if any) of people physically disassembling processors to check for malfeasance you can find. The number of people with the equipment to do so, let alone the requisite knowledge is extremely limited- factor in self destructing chips... See where I'm going with this?
People often make the valid point- that a software backdoor would be easily discoverable, defeatable, exploitable..etc...while ignoring the 800# hardware backdoor gorilla in the room.
It's societal pressure that will keep something like this from happening (in the open)- not a technological barrier. Regardless of whether it happens in the open- it's going to happen behind closed doors; it's the long term path of least resistance, and there is little I can think of that would stop it- the current consolidation of power/control is too great. There are very few chip manufacturers, very few engineers in a position to oversee relevant areas.
I would honestly love to hear others' contrasting thoughts on any of this though, really- please, change my very open mind- I'm begging you... at least help me feel more at ease with the people running this shit... That's honestly most of the reason I make posts such as this.
So yes- a crypto backdoor is a dumb idea, which would further totalitarian potential, and restrict autonomic democratic potential; It's much less dumb than what's currently going on, and what's likely to go on in the future.
While most commentators here seem to be painting Comey in a little box labeled 'dumbass' and dismissing out of hand that he might have anyone's best interest at heart regardless of his belief structure; I feel a beguiled respect for a move that seems almost ethical, relative to the ocean of putrid shit the intel community has nearly drowned the very concept of a constitutionally bound government in. If he wants it, the 800# gorilla is gonna have your ass whether you like it or not- is it not better to let people know?
Take me seriously- or better yet, show me exactly why I'm ignorant; I'd love to know that- I'd much rather be foolish and wrong than the bearer of such dismal perspective.
[ link to this | view in thread ]
Re: Re:Re: Re: doublethink, linebreaks
He is being extremely dumb, as every society that has been heavily monitored and controlled by a government has also been extremely fragile. Let the government control over such a society slip by the smallest fraction, and it explodes into chaos, as different factions fight to establish their flavor of autocracy over the remainder. The USSR exploded, the Middle East has not recovered from the collapse of the Caliphate, ... need I go on.
[ link to this | view in thread ]
Re: Re:Re: Re: doublethink, linebreaks
It's like leaving the key to your front door under your doormat because it's convenient for the police. What if a burglar gets that front door key, then? Are you going to somehow magically make a key that only works for the police but not anyone else? What if the key lands in the wrong hands? It's going to suddenly stop working?
And seriously, ethical? Constitutionally bound? Things like LOVEINT are precisely why people don't trust the government with backdoors. Sure, you can argue that Comey's hands might be tied. The problem is, the current people in power have proven that they're not interested in the responsibility that comes with said power.
[ link to this | view in thread ]
Re: A failure of wishful thinking
[ link to this | view in thread ]
S.O.P.
As long as he keeps saying "We must establish backdoors...", he keeps his willingly gullible audience thinking that the backdoors will not be installed until after the "conversation" ends.
The reality is that when he stops having this conversation, the deed will have been completed and all American communications will have a hole through which every criminal organization on earth can drive a truck, in both directions.
I mean come on guys, this is the American Spy Agency.
Everything they do is secret and behind the scenes.
There is no way in hell the CIAF BINSA are ever going to "have a conversation" with the US public over whether they should or should not do something nefarious and stupid TO the US public. They just do it, secretly, with legal lubrication, and the tax payer pays for the damage inevitably done.
Standard Operational Procedure.
They did something similar with Wall Street - telling them that the non-member Wall Street Tycoons should welcome the NSA's surveillance of all their dealings by willingly installing all sorts of technical stuff that would allow the NSA easy access, when in reality, the "stuff" was already installed and the NSA was already sucking up all Wall Street's paperwork and has been for years, and of course, still is.
The notion that Comey wants a conversation with the US citizens over whether they should welcome backdoors in their communications devices, is as far fetched an idea, as believing that Comey is an imbecilic buffoon who knows nothing about encryption and/or technology.
When it comes to government, never attribute to incompetence that which is better explained by malice.
---
[ link to this | view in thread ]
Re: Re: Re:Re: Re: doublethink
I agree. The difficulty is, we're already monitored and controlled far more than any civilization in history- and they're doing a better job of it than ever before. That frailness exists nonetheless, and is a motivating factor for the surveillance state, and general increasing authoritarianism. The concentration of media ownership and obvious collusion that exists to push various (mostly) gov and corp friendly viewpoints, and minimize the unfriendly ones is so common it's even been a major topic of popular news satire shows. For propaganda to work long term, people must not realize it's propaganda- judging from polls measuring trust in news, they are remarkably successful at this, though it's slipping somewhat. People are slowly becoming more wise to 'think tanks', spinmasters, pundits and the game and true cost of 'exclusive access', sources and what are essentially planted stories and framed spins taken at face value without question.
I do get that. This is absolutely correct; and not a fact I've tried to diminish. I've attempted to bring the context to light, that the way things are done now is more dangerous, more subject to abuse and even more unethical. The reality of how things would play out- were they to get this known back door, is that it's not really a choice between one or the other- but the idea that it IS can be leveraged as a strong argument point regardless. Thus a backdoor can rationally be viewed and pushed for as the lesser of evils, and far more in line with the stated goals of the organization. That doesn't make it right- and doesn't mean I'm advocating for it.
You're right- a backdoor could not conceivably be done without significant risk, and IF lack of risk is a requisite qualifier to whether it's "possible"- then yes, it can then be considered "impossible". However, there is NO technological barrier to implementing a backdoor- one which would conceivably be 1000x harder to abuse than what they use currently. Nothing is immune to compromise when it comes to tech- Even if there were perfect tech, we'd never have perfect humans to implement it... Expecting perfect is unrealistic; the best we can do is minimize the potential for compromise.
The current system relies on nothing but vulnerabilities that anyone can use- many many of them, so that when they lose one, they don't lose access. There is little effort to stop security holes, because making people more secure is equivalent to them losing access. The incentive structure is fucked. At face value- what they're suggesting would be far less complicated and far less prone to compromise than the existing system, it would also improve the hideous side effects that the current system has. At face value- It is the difference between a system that attempts to control who has access, and one which fervently ruins security for everyone, against everyone, to maintain access. Stating this does not mean I am advocating for such a solution- I only advocate for a wider viewpoint.
The solution I would advocate for is that people need to get much much more serious about security, and authority over their devices- We need to support companies and people that enable that security and authority; and boycott companies and technologies that enable the surveillance state. That means ditching google (use ixquick or startpage) and facebook, adobe, windows/mac- embrace open source software, open hardware, tech such as Tor, Tails, PGP, TOX, and Cryptostorm; hardware like gluglug thinkpads with coreboot, grsec foss linux or openbsd, and neo900 phones... (the only phone currently made that gives you genuine authority over the device) It's a hard pill to swallow right now- but if market forces could sway to show that security, autonomous authority and technological freedom mean more to people than flashy features and the latest and greatest specs- soon things would change for the better.
I may have worded things poorly and in excess, reaching for prose. The statement was:
I can see how that's hard to decipher, it's an over-complicated sentence; it's meant to be read as- not ethical, and not remotely constitutionally bound- also beguiled= conned into, or misled.
The government has "backdoors" (air quotes to indicate functional equivalence) already, many of them; it's kind of an open secret. Those backdoors are open to everyone who can find them, already. They shouldn't have these- they should be working to close them and help us all be secure.
I don't believe Comey's hands are tied- I believe he's an authoritarian who believes the government needs to have ultimate power and control/authority over technology in order to fulfill their responsibility- Further I believe this stems not from any sort of malevolence, but from a genuine drive and desire to help and protect people by any means necessary.
[ link to this | view in thread ]
Why wouldn't your financial institution or R&D division like this new security module with a "trusted" flaw imposed by the US? They would never misuse it and no one else would have any interest in this mandated flaw. And why not accept these other "updates" from Russia, China, (nation to be named)? It's the law in the US so it shouldn't be a problem, am i rite?
[ link to this | view in thread ]
Re: Re: Re: Re:Re: Re: doublethink
That's pointless. A backdoor that's difficult for outsiders to abuse would have to be harder for "the good guys" to use, because technology is impartial that way. Think of the Sony hacks. The information was easily hacked into and disseminated precisely because the original information was poorly protected - because tech-illiterate executives don't understand that making things easier for them to access makes it inherently easier for outsiders to access.
Any anti-abuse measures implemented would be quickly overridden because that's what the people in power want. They want personal security but they don't want to go through all the trouble that would require. So what you end up with are backdoors with backdoors, vulnerabilities on vulnerabilities. And when shit hits the fan, the tech guys get the blame.
"The solution I would advocate for is that people need to get much much more serious about security, and authority over their devices- We need to support companies and people that enable that security and authority; and boycott companies and technologies that enable the surveillance state."
But that's precisely what people like Comey don't want. More citizens are in fact getting serious about security, encryption and privacy over their communications and devices - to law enforcement and people like Comey, that makes their job harder, so they absolutely hate it. You can claim Comey isn't malevolent all you want, but that's not going to change anything.
[ link to this | view in thread ]