New Attorney General Loves Him Some Encryption Backdoors, Which Should Pair Up Nicely With FBI Director's Plans For The Future
from the you-make-it,-you-break-it dept
It looks as though this administration may be the Decrypto Party. Trump's pick for Attorney General has already made it clear he thinks asset forfeiture is a damn good thing for the American public, even if it often deprives the public of their property without evidence of criminal wrongdoing or providing a valid avenue of recourse.
Now, he's (once again) confirmed encryption shouldn't keep law enforcement from accessing devices. The EFF reports that Sessions strongly hinted he's in favor of encryption backdoors during his confirmation hearing.
Question: Do you agree with NSA Director Rogers, Secretary of Defense Carter, and other national security experts that strong encryption helps protect this country from cyberattack and is beneficial to the American people's’ digital security?
Response: Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.
This dim view of the public's use of encryption is nothing new for Jeff Sessions. While still a senator, Sessions made it clear he feels law enforcement's "needs" should come before the general security of phone users. During the battle over access to the San Bernardino shooter's iPhone, Sessions offered his support of an anti-encryption bill.
Republican Senator Jeff Sessions of Alabama questioned Cook’s position. "Coming from a law enforcement background, I believe this is a more serious issue than Tim Cook understands," Sessions said. He said accessing phones is critical to law enforcement.
"In a criminal case, or could be a life and death terrorist case, accessing a phone means the case is over. Time and time again, that kind of information results in an immediate guilty plea, case over," Sessions said. He added that the ability for government to access a phone should not be abused.
Well, yeah… "should not be abused." That should go without saying. But would it be abused? Probably. Law enforcement used to search phones all the time without warrants until the Supreme Court put a stop to that. FBI plug-and-play kiosks allow LEOs to perform forensic searches at their convenience. Presumably the proper paperwork is in play, but it's not as though the FBI's going to frisk cops on the way to the FORENS-O-MATIC.
Add a backdoor and no phone is secure -- not from the government and not from anyone who steals the device.
Sessions and backdooring encryption go back even further than last year's iPhone battle. When Dianne Feinstein decided consumer devices had too much security, Sessions was there to pitch leading softballs and confirm her radicalization-via-Playstation Network fears.
I suspect what happened in the aftermath of Snowden, particularly Europe got very conservative with respect to encryption. And companies back away. Now, that's changing with Paris and God forbid what might happen in the future. I think the world is really changing in terms of people wanting the protection and wanting law enforcement, if there is conspiracy going on over the internet, that encryption ought to be able to be pierced.
Well, Sessions was wrong about what the world wanted. Governments still remain reluctant to mandate encryption backdoors -- despite law enforcement's continual pleas and ongoing attacks in European nations. But being wrong never stopped anyone from exploiting tragedies to push agendas -- even when Sessions' view of the public mindset contradicts the public's actual mindset
Adding to the mix is the federal government's own Donnie Darko, FBI Director James Comey. Comey has yet to switch up talking points on encryption and continues to point to an impending criminal apocalypse that can only be thwarted by
a.) smart people making impossible things happen
b.) smart people being told what's what by legislation mandating decryption/backdoors.
Comey now has a very sympathetic AG watching over his agency and his office. Very little good can come of that.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: attorney general, crypto wars, doj, encryption, fbi, going dark, jeff sessions
Reader Comments
The First Word
“Why Don’t The NSA Do It?
The NSA is supposedly the largest pool of cryptology talent anywhere in the world. And it’s in the pay of the US Federal Government. If anybody can come up with an encryption system that is simultaneously secure against criminals and crackable by law enforcement, why don’t they show us how it’s done? And make the entire unclassified research community look silly into the bargain?I’m sure they would be champing at the bit to do that, if they could.
Maybe Trump can contribute the pixie dust by issuing another Executive Order...
Subscribe: RSS
View by: Time | Thread
You first
As always, anyone advocating for crippling security and making the public less secure should either put up or shut up. If crippled encryption is 'safe enough' then let their data, all of it, from bank info to medical records, personal emails and everything else be protected by deliberately flawed security, so they can show the public just how 'safe' it is.
Of course I don't expect they'd ever do any such thing, because while they love the idea of screwing over the public and handing over the public to criminals everywhere in the process, they'd never put their own privacy and security on the line, hypocrites that they are.
[ link to this | view in chronology ]
Re: You first
The fact that this is out of ignorance and convenience and not out of a decision to lead by example, well....
[ link to this | view in chronology ]
The only argument that shuts these guys up is this:
and network-related technology "made in U.S.A."will dry up.
Everybody, Americans included, will shop elsewhere for tech.
That's trillions of dollars in new trade deficits, hundreds
of billions in lost profits to tech industries and tens of
billions in lost taxes every year until a new administration
undoes the damage and stops the bleeding.
Arguing about security and rights of the American people has
no effect on these clowns because they hold the public in
contempt, and always will. Show them what effect their dumb-
ass meddling will do to their billionaire friends and corporate
backers and they'll quietly let the issue die off without ever
having to admit why it was a stupid idea to start with.
[ link to this | view in chronology ]
Re: The only argument that shuts these guys up is this:
[ link to this | view in chronology ]
Re: You first
I would be all in for Anonymous to do this.
[ link to this | view in chronology ]
Re: Re: You first
Oh if such idiocy becomes law it won't directly affect the ones pushing for it in the least, as you can be absolutely sure they won't be using the Government Approved Encryption(with magical Unicorn Gates), but will of course continue to use encryption that actually works, because their privacy and personal data is of course a matter of National Security.
[ link to this | view in chronology ]
Re: Re: Re: You first
If only.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Just reclassify encryption as a munition
Also issue national security based directives from the President with associate gag orders to smartphone, pc and software vendors to put the back doors in smartphones, PC's and OS's without announcing it. Most vendors would gladly roll over for this (Apple and maybe Google wouldn't but would have their hands tied legally with the secret gag order) - and nearly all would want to keep it secret after its done so their sales don't crater if word got out. I wouldn't be surprised (after all we've seen) if we find out Apple was secretly ordered to do this last year and its already happened.
[ link to this | view in chronology ]
Re: Re: Just reclassify encryption as a munition
[ link to this | view in chronology ]
Re: Re: Re: Just reclassify encryption as a munition
They WILL roll right the fuck over, with the right encouragement, just perhaps not in a way you were expecting.
[ link to this | view in chronology ]
Re: Re: Re: Re: Just reclassify encryption as a munition
[ link to this | view in chronology ]
Re: Re: Just reclassify encryption as a munition
[ link to this | view in chronology ]
Re:
A president can ensure that his own agencies won't sue over it.
Private money and years of time must be expended to litigate against things unconstitutional. Depending on the subject matter, a successful litigation may be irrelevant by the time it is achieved through legal process.
What's not to love? Violating the constitution, as long as it's done at a high enough level is a win-win tactic.
[ link to this | view in chronology ]
Re: Re:
While arrest, imprisonment and torture can occur almost immediately.
Dead men file no appeals.
[ link to this | view in chronology ]
Re:
One of the major failings of the public school system in the US.
US government is at NO level a "democracy", no matter how much the left whines and pouts. Never has been, and hopefully never will be.
Google "Representative Republic" and find out for yourself what how the US governmental system works.
[ link to this | view in chronology ]
Re: Re:
"Republic" just means that you don't have a monarch.
"Representative Republic" means that you don't vote directly on laws, but instead democratically vote in a representative who aligns with your views. Also equally known as "Representative Democracy", it's how most democracies work.
[ link to this | view in chronology ]
Re: Re: Re:
Butchering the meaning of democracy to mean what you want it to mean. Sadly if you just check the "definition" you might find that you are fucking wrong... but don't let me get in the way of you being stupid, its fun when you do it on the internet... amiright?
In fact here is the page on Wikipedia where you can go and edit the form of US Government it states that it is.
https://en.wikipedia.org/wiki/United_States
here is the CIA web page on what form the US is, you might not be able to edit it though.
https://www.cia.gov/library/publications/the-world-factbook/fields/2128.html
You know so fucking much so go and tell the world! Don't let the rest of us cock holes tell you what facts are mkay?
[ link to this | view in chronology ]
Re: Re: Re: Re:
From your first link:
And before you move the goal posts, the minority rights protected by law and the system of checks and balances defined by a constitution are a standard feature of democracies. There's nothing particularly "republican" about them.
Grow up.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Representative Democracy is a descriptive analogy of how people are elected into office, but in no way describes how the system of government itself operates.
You are direct reason why this nation will continue to fail. You think you know, but you you don't understand anything. You don't know your own head from a hole in the ground and continue to refer to things inappropriately while you have the actual information directly at your disposal.
That is the mark of a fool, data handy, yet no desire to understand it! The reason people like to mistakenly call this is a democracy is because like a Freudian slip, that is what they WANT it to be. Well, you might get your wish if you keep shitting this misinformation because it is well established that is you keep telling a lie often enough or create a lie based on some element of truth then they become pretty fucking effective lies.
The reason why things like the electoral college was created was to keep tools like you in check. You are exactly what the founding fathers hoped would not happen to America.
"There is a story, often told, that upon exiting the Constitutional Convention Benjamin Franklin was approached by a group of citizens asking what sort of government the delegates had created. His answer was: "A republic, if you can keep it."
Now excuse me if I take a founders words over yours... no wait... how about you go and fuck yourself instead?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
"Republic" just means that you don't have a monarch. Your quote, in context:
His statement means one thing: The US is not a monarchy.
If there's some difference other than the monarchy thing, then why don't you tell us rather than acting like a six-year-old who just learned to swear?
(Again, electing representatives to vote on laws or vote in a President / Prime Minister is done in non-republican democracies too.)
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Yes, the Framers referred to a "pure democracy" in places, and the USA doesn't have that. But you're determinedly ignoring 3 things.
Firstly, the USA could not be run on a "pure democracy" because it would take too long to do anything and be too prone to fraud.
Secondly, and more significant to your florid yet poorly argued position, is that the Framers also referred to "representative democracy", and did so with frequency.
Thirdly, the Framers did not invent democracy. Democracy in all it's forms has been around for centuries. I suggest that the Romans would be in a particularly strong position to futuo off.
Next thing you'll be saying is that someone doesn't have a cat because they don't have a "ginger cat".
Pillock
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
I never considered that voting every 4 years for one of two or three guys was very "democratic". At the height of the Cold War it always seemed to me that the US was perhaps at best as democratic as the old Soviets, depending on how difficult it would be to become an influential member of a political organization in either camp.
I always thought that Reagan and Thatcher were being ironic.
[ link to this | view in chronology ]
Re: Re:
Huh?
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
I don't think that's a problem for them.
[ link to this | view in chronology ]
Re:
without turning dictator and mandating it while violating the Constitution in the process
And exactly what makes you think the new administration cares one bit about either of those?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
And today there's this article.
[ link to this | view in chronology ]
"He added that the ability for government to access a phone should not be abused."
But, it will if a backdoor is inserted and compromised by a non-domestic or non-government actor. Which is almost guaranteed over time. It can't be restated enough - it doesn't matter how well you hide the door you're leaving wide open, once it's located then anyone can use it, authorised or not.
"Time and time again, that kind of information results in an immediate guilty plea, case over"
...meaning that the case never makes it to trial. So, we never know if they actually found something incriminating or if they're just able to use the phone as leverage to make the accused believe that a guilty plea is the thing to do whether or not they're actually guilty. Call me paranoid, but "we regularly leverage access to a phone to bypass the need for a trial" is not a point in their favour.
"I think the world is really changing in terms of people wanting the protection and wanting law enforcement..."
...to be accountable for their actions and not bypass the law whenever they feel like it. Especially in light of the abuses of power that have led to the ordinary public wishing to use encryption in the first place, something that was never a priority until people found out how bad the abuses were. I somehow think that's not what he was thinking though.
[ link to this | view in chronology ]
Re:
But, it will if a backdoor is inserted and compromised by a non-domestic or non-government actor or domestic or government actor.
There, FTFY
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Lolcats
End of discussion.
[ link to this | view in chronology ]
Re:
and when, not if, it happens - you will be blamed for what ever was done. Better just ditch that phone now before it becomes a liability. Would the phone companies notice?
[ link to this | view in chronology ]
It's obviously unconstitutional (not even a close call) and deeply troubling that freedom's last resort has turned its back on the fourth amendment.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
That is why this will never work, and why China's crackdown on encryption and privacy tools will never work.
A VPN, or other privacy service, only has to obey the laws of the countries where the servers are. So China and the USA will never be able to enforce any kind of restrictions on encryption against offshore companies.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
A wireless ISP could set up shop in South Lake Tahoe, and provide services in Stateline, Nevada, on the US side of the the border,the US government would no jurisdiction over a Pacifican ISP.
Also, someone with a cell phone could sign up with a cell phone provider on the Pacifican side of the border and get 3G/4G wireless internet. A Pacifcan cell phone provider, in this scenario, would not not subject to United States laws. The US government would not be able to stop a Stateline resident from going accross the border into Pacifica, walking into a cell phone store in South Lake Tahoe, and signing up for service with a Pacifican cell phone service provide.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The problem is that the "country" status is usually just fantasy.
Sealand was built by the British government and sits within inside British waters. As Wikipedia states:
At best it's "privately owned by British citizens" who still live in Britain and collect the benefits of being British citizens. It's essentially elaborate LARPing.
[ link to this | view in chronology ]
Re: Re: Re:
Tell that to the Chinese. The difference is the Chinese are a nuclear power. Sealand isn't. If you don't have nukes, you ain't shit.
[ link to this | view in chronology ]
Re: Re: Re: Re:
And yes, people ARE "telling that to the Chinese." Their artificial islands do not extend their territory under the Law of the Sea and other laws. It's strictly a case of "might makes right."
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
To which the Chinese are replying "Oh yeah? What you gonna do about it?"
Which was exactly the point. Sealand doesn't have the might. If Sealand had, for example, a fleet of nuclear submarines with ICBM nukes cruising around the oceans, nobody would mess with them, "Law of the Sea" or not.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
You do know that Sealand is a old fort on stilts, 7 miles off the coast of the UK, right... It's in British waters.
Last time I checked, the UK was knee-deep in subs and nukes.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Yep. The UK, not Sealand.
[ link to this | view in chronology ]
Re: Re: Re:
That's a little misleading. The platform on which Sealand rests was constructed in international waters and then abandoned by the British. International law allowed it to then be claimed by others. It was only after Sealand declared its sovereignty that Britain extended its territorial waters claim to include Sealand.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
The current owners of that franchise have dialed down the filtering quite a bit. You can now access YouTube, and Live 365 was unblocked, before they went dark in January of last year.
Somehow the previous owners of that Taco Bell franchise were able to crack and sniff SSL. I was using a port 443 SSL connection using SoftEther is my server.
[ link to this | view in chronology ]
Re:
Commercial and even some home firewall appliances do a man-in-the-middle attack on HTTPS traffic, so that they can scan for malware and block sites as specified.
For example:
And
Their home use firewall appliances can do this, as can the big corporate models for Fortune 500 companies and ISPs. The difference is the throughput of the different models - how much traffic they can scan at once.
Any time you connect to the internet, even if not through a company firewall, assume that your ISP has this capability.
[ link to this | view in chronology ]
Re: Re:
The MiTM doesn't have the private key for the certificate. So it is unable to negotiate a private session key with the end user browser.
I understand how the MiTM can pretend to be the browser and establish a connection to Amazon.com. But I would surely like to know how the MiTM can impersonate Amazon.com without Amazon's private key.
In short, while MiTMs are theoretically possible. And somewhat possible on a corporate network, it can be detected, and it is not likely to be impossible on your home ISP on your home computer. (Unless you install a trusty CD ROM into your computer provided by your ISP.)
One way that I do know, is to subvert the trust of the user agent (eg, your web browser). That can be done in a corporate environment by inserting a new trusted CA certificate into your local trust store. Now the MiTM can instantly issue it's own Amazon.com certificate, and it will have the private key since it issued the certificate. And your browser will trust it.
That's a corporate environment. Even then, browsers can discover that the certificate the MiTM is presenting is NOT the certificate it should be. Google, for example, knows who signed its certificates, and its browser knows who signs Google's certificates, and that signer is not the CA that was added to the local trust store.
You can also run browser plug in apps that watch for changes in the certificates of secure sites you visit.
In an ISP environment, I really can't see how an ISP can do this. My ISP definitely cannot change the trust store on my browser nor on my OS. So my ISP definitely should not be able to execute an MiTM attack.
Now there is one avenue left. Subvert the entire CA infrastructure. There are a lot of CA certificates in the trust store these days. You could get a Google.com certificate issued by Honest Achmed's Certificate Authority of Tehran Iran. And your browser might trust it. But do you really think a Google.com certificate presented that was signed by Honest Achmed's is real? Do you really think this is where Google purchases certificates from?
[ link to this | view in chronology ]
Re: Re: Re:
But it could also be a certificate purchased from a trusted Certificate Authority, the kind most web sites purchase, where the certificate is already built into your browser. You don't need to install a certificate when you visit those sites.
So when you visit Google.com, your browser gets a legitimate certificate from a trusted CA via the firewall. No need to install a new certificate in your browser. Google.com sees a legitimate Google.com certificate in use, the one it told the browser to use. It doesn't know that it's talking to the firewall rather then the browser on the other side.
I may be wrong, of course. It's not my specialty. But I do know that one way or another it works, and that companies are selling firewall appliances that do it.
[ link to this | view in chronology ]
But the Chinese!
Somebody tell Mr. Trump that encryption backdoors are an open invitation for Chinese government hackers to access American citizen, business, and industrial communications.
That should do it.
(And, it happens to be true.)
[ link to this | view in chronology ]
Re: But the Chinese!
[ link to this | view in chronology ]
Re: Re: But the Chinese!
for china or for russia?
I am getting confused which nation is trump a bitch for?
[ link to this | view in chronology ]
Re: Re: Re: But the Chinese!
I don't know why - my own inclinations are more or less the opposite.
But let's push Trump's buttons.
[ link to this | view in chronology ]
Re: Re: Re: Re: But the Chinese!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: But the Chinese!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: But the Chinese!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
We've come a long way since the Clipper Chip fiasco
The absurdity of it became apparent.
They even classified crypto as a munition. They did everything to suppress exporting of good crypto. Because "going dark", or whatever they called it back then.
So what if you took an excellent crypto textbook (quite thick) across the border? The government didn't seem to be quite ready to stop people from taking academic textbooks available in any bookstore or library across open borders.
Also, the rest of the world got the message. Actually two messages:
1. Do NOT trust US government mandated crypto
2. Any real research on crypto would move outside the US
Another thing was learned by all. It's not intuitive. The only good crypto is OPEN crypto. The algorithm must be completely open. Only the keys are secret. If someone is selling you a proprietary or closed crypto, it is snake oil.
Now here we are today well over two decades later, with a lot of lessons learned. And they think they can do this again.
They can pass any laws they want. But they just don't get it.
When strong cryptography is outlawed only outlaws will have strong cryptography.
Terrorists won't be detered from strong cryptography. I'm sure they'll be quaking in their boots that it's illegal in some countries.
The only people without privacy will be law abiding people.
The back doors of government weak insecure crypto WILL be broken. It's only a question of when. Then an enemy will have access to a lot of secrets.
[ link to this | view in chronology ]
Re: We've come a long way since the Clipper Chip fiasco
If they classify crypto as a munition, does that make it protected under the second amendment?
[ link to this | view in chronology ]
Re: Re: We've come a long way since the Clipper Chip fiasco
[ link to this | view in chronology ]
Re: Re: We've come a long way since the Clipper Chip fiasco
[ link to this | view in chronology ]
Re: If they classify crypto as a munition, does that make it protected under the second amendment?
Conflating something like crypto, with its myriad non-violent, constructive uses, with destructive weaponry would not have been very productive.
[ link to this | view in chronology ]
"Asset Forfeiture" IS the biggest organized crime syndicate
[ link to this | view in chronology ]
For once, I wish they'd use lubricant.
Oh, you mean those backdoors.
Sorry. When it comes to the government, such wording can be confusing given how much the government has been screwing everyone in the backside for decades.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
It's also a weasel-term. Torture was(and likely will be again) 'lawful', slavery was 'lawful', internment camps on US soil were 'lawful'. If the best argument they have is that what they're doing is 'lawful' then they're admitting that they cannot defend their actions honestly.
[ link to this | view in chronology ]
Re: Re:
+1
It always brings to mind Darth Palpatine oozing raw naked villainy with the classic: "I will make it legal..."
[ link to this | view in chronology ]
Why Don’t The NSA Do It?
I’m sure they would be champing at the bit to do that, if they could.
Maybe Trump can contribute the pixie dust by issuing another Executive Order...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Since Apple would be in Pacifica, they would not have to obey any restrictions on encryption in the remaining United States.
Since Apple's and Google's servers would be in the Republic Of Pacifica, if this happened, they would only have to obey Pacifican law, and their services would no longer be subject to United States laws.
If, say, the remaining United States outlawed VPNs, VPN providers in Pacifica could supply VPN services, and Pacifican companies would not be subject to United States laws. They would only have to obey Pacifican laws.
Samet thing if the US passed laws requiring VPNs to log user activity. A VPN service in Pacifica, if the Pacifican nation comes into being, will only have to obey the Pacifican law, regarding their VPN sevice. The remaining United States would have no jurisdicton over Internet services in Pacifica if this happened.
[ link to this | view in chronology ]
[ link to this | view in chronology ]