Just As FBI Looks To Undermine Encryption, Federal Government Searches For Better Encryption
from the left-hand,-right-hand dept
One of the most bizarre points that became clear in yesterday's Senate hearings on encryption was that many Senators are so focused on the big bad threat of theoretical ISIS violence in the US that they don't understand the very real (and not at all theoretical) threat to our personal data, which is being hacked into and exposed on a regular basis, often due to a lack of encryption. The ACLU's Chris Soghoian summed it up nicely with the following tweet:
Congress: OPM should have encrypted federal employee data.
Congress: Apple has blood on its hands for encrypting user data.
Got it?
— Christopher Soghoian (@csoghoian) July 8, 2015
Indeed, there has been plenty of talk, including from Congress, over the fact that the Office of Personnel Management, whose computers were hacked to reveal all sorts of information on government employees (past and present), didn't use encryption, in part because their computers were too old. To be fair, there are indications that encryption might not have mattered that much, since the hackers allegedly got working credentials to access the system, and thus may have been able to decrypt anything anyway.
However, it does seem quite telling that at the same time Congress is freaking out about the supposed evils of encryption, the National Institute of Standards and Technology (NIST) is trying to design a better system for encrypting emails via end-to-end encryption -- the very thing that the FBI and some Senators have been complaining about.
In other words, as clueless Senators and FBI officials demand ways to undermine end-to-end encryption, the folks who actually understand technology (NIST) are asking for stronger end-to-end encryption. Perhaps, instead of letting FBI director James Comey prattle on about how he doesn't actually understand this stuff (as he said repeatedly), the Senators could have someone from NIST explain why end-to-end encryption is so important.
The National Institute of Standards and Technology is designing a "security platform" to authenticate mail servers using cryptographic keys. The platform would let individual users encrypt emails.
The system aims to "provide Internet users confidence that entities to which they believe they are connecting are the entities to which they are actually connecting," according to a NIST draft report on the topic. A subpar system, the draft said, could result in "unauthorized parties being able to read or modify supposedly secure information, or to use email as a vector for inserting malware into the system," among other consequences. The draft report is open for comment until Aug. 14, 2015.
NIST soon plans to issue Federal Register notices to vendors developing individual parts of the end-to-end system.
Filed Under: encryption, fbi, nist, privacy, security
Reader Comments
Entire US infrastructure is currently vulnerable to attack,
Wake up & smell the bacon (oops, not a good thing to say in front of Congress)!
Forget about ISIS on Facebook; we're at far greater risk from ISIS in our power plants, communications networks, banking networks, etc.
[ link to this | view in chronology ]
Re: Entire US infrastructure is currently vulnerable to attack,
[ link to this | view in chronology ]
Almost right.....
There, does that help?
Congress is all for encryption that they can use to keep them safe.
On the other hand, Congress is against encryption when it is used by others and thwarts their ability to run roughshod over the Constitution.
The government had mostly unencrypted access to everyone's data, as long as they followed the Constitution and did so legally. Since they have demonstrated that they can't help themselves, now they have to deal with mostly encrypted access to everyone's data.
It's their [the government's] own shortsightedness that has caused this problem. No amount of;
Is going to be believed.... nor should it be.
[ link to this | view in chronology ]
I'm sure FBI agents use off the shelf Apple and Android phones. Are they comfortable with China having a means to decrypt those phones? Because if one government can demand access, then every government can and going forward, China may very well be a more important market than the US.
They aren't saying it, but I think the government wants either key escrow or to have all messages encrypted with their public key. They think it's as easy as convincing Apple and Google to cooperate, but the reality is that this is all just mathematics. And it isn't terribly difficult to create new secure communication apps. Once you exchange a secret key (and this can be demonstrated to school children or FBI administrators with finger paints), secure communication is relatively easy. Since the FBI can't force rogue developers to include escrow or the FBI public keys, the only option is to make it illegal to use encryption.
[ link to this | view in chronology ]
Body of idiots
[ link to this | view in chronology ]
Re:
I remember NIST was mortified when that came out. They retired their own "standard" upon learning it was intentionally broken (aka. back doored).
[ link to this | view in chronology ]
Comey stupid or what?
But I'd actually expect the head of the FBI to at least get informed by its own department that this is a very bad idea, and prevented from making himself the laughing stock of security and law-enforcement professionals.
Since the bright guys at the FBI couldn't manage to keep their boss from blathering such nonsense, and couldn't have him removed immediately after he did it, I can only surmise that a) he's either convinced it's really a good idea, which puts him on par with people that think the odds of winning in Russian roulette are quite good, or b) he knows exactly how bad this is and suppresses any sane voice within the FBI, because he's actually craving for the next Führer.
Hanlon's razor states that you should never attribute malice for things that can be adequately explained by stupidity, so I must assume Mr. Comey is not a fascist, but instead must conclude that he is just utterly, abysmally, stupid.
[ link to this | view in chronology ]
Why is it so hard to understand that any backdoored encryption can be accessed by those other than whom the back door is intended for? Hasn’t recent history made that obvious?
[ link to this | view in chronology ]
Re:
Just presume that FBI Director Comey does indeed understand that. The FBI is the leading domestic counterintelligence agency. So then, where does that train of thought lead you?
Why would our head of counterintelligence urge us to deploy defective defenses?
[ link to this | view in chronology ]
Re: Re:
"Why would our head of domestic counterintelligence urge us to deploy defective defenses?"
You dropped something there. Fixed. Guess who that makes Comey's adversaries. He's not focusing on defending the citizenry. He's annoyed he can't yet find a way to put you in jail.
[ link to this | view in chronology ]
Re:
You would be surprised. My family got together last weekend and, as is usual at family functions, lots of arguments were had. ISIS was mentioned and then a whole discussion around security and privacy ensued. Out of 25 people there, I was literally the only one who thought strong encryption was important.
Some people want encryption, others do not.
[ link to this | view in chronology ]
Wrong people
Really, really sloppy thinking.
[ link to this | view in chronology ]