FBI Director Chris Wray Says Secure Encryption Backdoors Are Possible; Sen. Ron Wyden Asks Him To Produce Receipts

from the not-so-great-when-you're-on-the-receiving-end-of-a-bludgeoning-interrogation dept

I cannot wait to see FBI Director Christopher Wray try to escape the petard-hoisting Sen. Ron Wyden has planned for him. Wray has spent most of his time as director complaining about device encryption. He continually points at the climbing number of locked phones the FBI can't crack. This number signifies nothing, not without more data, but it's illustrative of Wray's blunt force approach to encryption.

I'm sure Wray views himself as a man carefully picking his way through the encryption minefield. But there's nothing subtle about his approach. He has called encryption a threat to public safety. His lead phone forensics person has called Apple "evil" for offering it to its users. He has claimed the move to default encryption is motivated by profit. And if that's not the motivation, then it's probably just anti-FBI malice. Meanwhile, he claims the FBI has nothing but the purest intentions when it calls for encryption backdoors, even while Wray does everything he can to avoid using that term.

He claims the solution is out there -- a perfect, seamless blend of secure encryption and easy law enforcement access. The solution, he claims, is most likely deliberately being withheld by the "smart people." These tech companies that have made billionaires of their founders are filled with the best nerds, but they're just not applying themselves. Wray asserts -- without evidence -- that secure encryption backdoors are not only possible, but probable.

Senator Ron Wyden has had enough. He's calling out Director Wray on his bullshit. Publicly. His letter [PDF] demands Wray hand over information on his encryption backdoor plans. Specifically, Wyden wants Wray to name names. [via Kate Conger at Gizmodo]

Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible. Building secure software is extremely difficult, and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.

I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.

Remember how FBI directors (Wray, Jim Comey) claimed they just wanted to have "an adult conversation" with tech experts and cryptographers? My guess is they've never even tried. Wray hasn't held the post for long, but he's been beating Comey's weathered anti-encryption drum as long as he's held the title. And in all this time, I doubt he has talked to anyone in the tech industry directly about his encryption backdoor theory. Even if he has, he certainly hasn't found anyone who agrees such a thing can be done without weakening device security. Wray will have no answers for Wyden. We can only hope being publicly embarrassed by Senator Wyden will force him to rethink his position.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, chris wray, encryption, fbi, going dark, responsible encryption, ron wyden


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Stephen T. Stone (profile), 26 Jan 2018 @ 9:40am

    Wait, someone on Capitol Hill recognizes reality?

    He is so not getting re-elected.

    link to this | view in thread ]

  2. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 26 Jan 2018 @ 9:44am

    So you're saying the whole public / private key thing is wrong.

    Seems "cryptographers" are of two opinions, both wrong. I'd avoid everything NSA advises, just because the method is known if not the keys.

    Use any custom method instead.


    "petard-hoisting" -- What is it with mangling this standard phrase this week?

    It's "hoist with your own petard", meaning blown up by your own bomb. There is NO "bomb-hoisting" even possible if you understand the notion!

    Then there's "weathered anti-encryption drum"! Where DO you come up with these concatenations of ordinary words? They're unique and practically INHUMAN, and I mean that this minion MAY be "AI".

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 26 Jan 2018 @ 9:50am

    Re: So you're saying the whole public / private key thing is wrong.

    I'm sorry English is so difficult for you. It's a strange language.

    link to this | view in thread ]

  4. identicon
    I.T. Guy, 26 Jan 2018 @ 9:55am

    "And in all this time, I doubt he has talked to anyone in the tech industry directly about his encryption backdoor theory."

    He absolutely has, no doubt. He was also advised it's not possible... without making everyone less secure. He (FBI, NSA, ETC) could give 2 shit about the latter and it is acceptable collateral damage as long as they get the backdoor.

    link to this | view in thread ]

  5. identicon
    Pixelation, 26 Jan 2018 @ 9:56am

    Re: So you're saying the whole public / private key thing is wrong.

    " 'petard-hoisting' -- What is it with mangling this standard phrase this week?"

    Perhaps he should have said, petard-hoisted?

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 26 Jan 2018 @ 9:58am

    ...this from the guys who lost all those texts...

    link to this | view in thread ]

  7. identicon
    David, 26 Jan 2018 @ 10:08am

    Let me pick one tidbit from the intro:

    [Wray] has claimed the move to default encryption is motivated by profit.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 26 Jan 2018 @ 10:10am

    Before the smart phone and Internet, all this evidence he is complaining about was not recorded and available. Have the FBI forgotten how to do real police work so fast that they cannot solve crimes without criminals preserving every little bit of evidence and making it accessible to them?

    link to this | view in thread ]

  9. icon
    DannyB (profile), 26 Jan 2018 @ 10:15am

    There are TWO choices

    Pick one choice:

    1. Securely encrypted devices. Hackers can't get into them. But neither can the government.

    2. Insecure devices. The government can get into them. But so can hackers.

    link to this | view in thread ]

  10. identicon
    ryuugami, 26 Jan 2018 @ 10:15am

    Re:

    Yeah, maybe he has, and they told him it was impossible. But when your basic position is "it's a conspiracy and they're all in on it", every denial just reinforces that position...

    link to this | view in thread ]

  11. identicon
    David, 26 Jan 2018 @ 10:18am

    Let me pick one tidbit from the intro:

    [Wray] has claimed the move to default encryption is motivated by profit.

    If the offer of encryption is enough of an added value for enough customers to make their phone choice (and it's not like the price spread is all that large) profitable, it seems like enough customers care for their privacy that should be protected from government intrusion by the Fourth Amendment (but isn't really anymore) that it counts.

    So how about some representatives offering to work on making the Fourth Amendment heeded? There is a market for it, you know. It's just that the market is getting bled dry because of partisan politicsmaking and either of the two ingrained parties being a lousy choice for heeding any of the amendments coined against government overreach because either are too accustomed to getting their turn in the seat of power occasionally.

    A person must not be running more than twice for president. How about a party being only permitted to rule not more than 5 times at all? Now that would upset the party system continuity that rides roughshod over democracy.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 26 Jan 2018 @ 10:31am

    Re:

    Wyden's been cited on EFF so many times I've lost count. If they can't get rid of him after this long, he's probably in it for the long haul, especially after three consecutive re-elections.

    link to this | view in thread ]

  13. identicon
    Machin Shin, 26 Jan 2018 @ 10:32am

    Re: So you're saying the whole public / private key thing is wrong.

    Have you done much reading on encryption? If so I doubt you would be suggesting "Use any custom method instead." I will freely admit I am no expert, but as someone fascinated by math who has taken some time to understand the basics of encryption... trying to make your own encryption will fail horribly verses any real attacker.

    Encryption relies on scrambling data so it appears to be random even if it isn't. All it takes is a very slight mistake for it all to come apart. The enigma machine was cracked because of someone sending a message that was one letter repeated over and over. Once someone finds a pattern your encryption falls.

    Building a solid encryption system is well beyond the skill level of most people.

    link to this | view in thread ]

  14. icon
    Roger Strong (profile), 26 Jan 2018 @ 10:35am

    To: FBI Director Christopher Wray

    From: Senator Ron Wyden

    Re: Backdoors without weakening security

    When you wish upon a star

    Makes no difference who you are

    Anything your heart desires

    Will come to you

    If your heart is in your dream

    No request is too extreme

    When you wish upon a star

    As dreamers do

    To: Senator Ron Wyden

    From: INS

    Re: Dreamers

    Dreamer located. Please deport.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 26 Jan 2018 @ 10:37am

    FBI...

    As in "Federal Bureau of Investigation"

    not

    "Freely Browse Information"!

    link to this | view in thread ]

  16. icon
    Roger Strong (profile), 26 Jan 2018 @ 10:37am

    Re:

    Nuts. Mixed up the To/From on the second message.

    link to this | view in thread ]

  17. identicon
    TDR, 26 Jan 2018 @ 10:46am

    The Nerd Harder Song

    Nerd Harder (played to the tune of Eye of the Tiger)
    ---------------------------------------------------------

    Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!

    Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!

    Loggin' in, startin' up Windows
    Worst OS on the planet
    But the spooks, they just love it to death
    They want us all insecure all the time

    Clapper's
    lied on and on about this whole goin' dark
    wants to go
    and install some useless backdoors
    But it's
    not gonna work and it'll make us less safe
    Now Wray still says tech needs to go
    nerd harder

    Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!

    Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!
    Nerd! Nerd! Nerd!

    Ignorant, that's what Chris Wray is
    Not a clue about nothin'
    Safe backdoors, it just cannot be done
    But he still asks for the impossible

    Clapper's
    lied on and on about this whole goin' dark
    wants to go
    and install some useless backdoors
    But it's
    not gonna work and it'll make us less safe
    Now Wray still says tech needs to go
    nerd harder

    Just got to nerd harder

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 26 Jan 2018 @ 10:48am

    "These tech companies that have made billionaires of their founders are filled with the best nerds, but they're just not applying themselves."

    In otherwords, nerd harder. So far that hasn't worked for eliminating the effects of gravity for physicists. It's a dodge for trying to say, "That's not my problem, I just know what I want. Someone else make it possible".

    If it were that easy, I want to be able to go to other galaxies. Not next year but tomorrow. Has the same ring of reality to it.

    link to this | view in thread ]

  19. icon
    DannyB (profile), 26 Jan 2018 @ 10:50am

    Another consequence of backdoored encryption

    If US companies are forced to build insecure systems and backdoored encryption, it will put the US at a competitive disadvantage compared to the other 96% of the world's population.

    The other 96% of the world population will know better than to use products from US companies -- because of baked-in backdoors. If you're looking for a security product, or a secure product, DON'T BUY FROM THE US!

    Quasi-related: Intel's Management Engine is going to come back to bite them so hard they will hate the day they ever built it. These things just take time. But I suppose I should consider that Windows is used all over the world and Microsoft can totally pwn your Windows computer at its whim.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 26 Jan 2018 @ 10:57am

    Re:

    He absolutely has, no doubt. He was also advised it's not possible... without making everyone less secure. He (FBI, NSA, ETC) could give 2 shit about the latter and it is acceptable collateral damage as long as they get the backdoor.

    Actually, you can be absolutely certain that he's found a government contractor - probably small and almost certainly fly-by-night - that specializes in telling government officials what they want to hear, who can absolutely accomplish what's considered to be impossible (by actual experts) as long as there are enough zero's on the check.

    link to this | view in thread ]

  21. identicon
    Machin Shin, 26 Jan 2018 @ 11:09am

    Re: Another consequence of backdoored encryption

    "But I suppose I should consider that Windows is used all over the world and Microsoft can totally pwn your Windows computer at its whim."

    LOL, You mean like how Windows 10 is a huge malware program pretending to be an OS? They demand control over your computer any time they feel like they need an update. Then they spy on all that you do on your computer. If you try and stop all the spying then they make sure the next forced update "fixes" all your settings preventing the spying.

    link to this | view in thread ]

  22. identicon
    Thad, 26 Jan 2018 @ 11:09am

    Re:

    ...he's been reelected three times.

    link to this | view in thread ]

  23. icon
    orbitalinsertion (profile), 26 Jan 2018 @ 11:09am

    Re: So you're saying the whole public / private key thing is wrong.

    _There is NO "bomb-hoisting" even possible if you understand the notion!_

    Wuh? Bomba nu explody? Modern warfare is a lie!

    link to this | view in thread ]

  24. identicon
    Thad, 26 Jan 2018 @ 11:10am

    Re: Let me pick one tidbit from the intro:

    I mean, it is. Because it is a feature that customers want.

    link to this | view in thread ]

  25. identicon
    Thad, 26 Jan 2018 @ 11:16am

    Re: Another consequence of backdoored encryption

    Quasi-related: Intel's Management Engine is going to come back to bite them so hard they will hate the day they ever built it. These things just take time.

    I think you're being optimistic.

    Intel's share of the processor market is already decreasing, but that's mostly due to the rise of ARM in mobile devices. Intel has very little competition in the desktop/laptop market; AMD has made some positive steps in the past year, but the vast majority of people buying a desktop or laptop are not the kinds of consumer who pay attention to whether it's got an Intel or AMD processor under the hood. (And the kinds of users who are likely to switch to AMD are enthusiasts who are more interested in performance for the buck than security -- if security were their highest priority, they wouldn't be using Windows.)

    If IME is going to dent Intel's bottom line, it's going to be because OEMs become wary of Intel processors, not end users. I don't see much evidence of that happening yet. If a major remote exploit shows up in the wild, that could change things, but so far most of the exploits have required physical access, and there's no evidence of any attacks as yet.

    I'd like to see users rise up against IME, but I just don't think it's a priority for most users -- hell, most users aren't even aware that it exists.

    link to this | view in thread ]

  26. icon
    orbitalinsertion (profile), 26 Jan 2018 @ 11:21am

    Re:

    They keep ignoring the better nerds who actually do encryption. If Apple is actually rolling their own, the FBI probably already has what it wants and just doesn't know it. Or again, broken encryption isn't really what they want, or only part of it. They want to keep shifting what the public is used to, and probably even for no really good police-state reason, but just to suit their authoritarian tastes.

    link to this | view in thread ]

  27. icon
    orbitalinsertion (profile), 26 Jan 2018 @ 11:28am

    Re: Re: Another consequence of backdoored encryption

    OEMs will switch to AMD, at least in some portion of their offerings, for similar reasons as when they used AMD in the past: cost, or some feature. Considering AMD and Intel both have other IME flaws, and i don't see security as being a big point of consideration with OEMs anyway, i imagine you have a fair point here.

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 26 Jan 2018 @ 11:34am

    Re: So you're saying the whole public / private key thing is wrong.

    Nobody's saying PKI is wrong. However, it's irrelevant to this topic: you cannot have PKI where the private key is publicly held, which is what the FBI appears to be proposing.

    For an illustration of how this falls apart, look at the FAA's public/private key solution for suitcase locks.

    Someone took a picture that just happened to include the keys handed out to appropriate personnel, and suddenly that key wasn't so private. And ALL locks made for the program were suddenly useless.

    And yes: in the FAA illustration, "rolling your own" is likely better, although it will result in your own lock being destroyed by the TSA eventually.

    In the case of cryptography, rolling your own has ALWAYS resulted in something that didn't work. Real cryptography is done in public, with industry feedback. Even the smartest cryptographer is going to miss something, because the subject is insanely complex.

    link to this | view in thread ]

  29. icon
    Uriel-238 (profile), 26 Jan 2018 @ 11:38am

    Petard Hoisting

    I assumed this meant I wasn't the only one who listened to the Idle Thumbs and Important If True podcasts.

    Hoists by one's own petard is a major theme

    link to this | view in thread ]

  30. icon
    Roger Strong (profile), 26 Jan 2018 @ 11:39am

    Re: Another consequence of backdoored encryption

    I'm pretty sure that Microsoft and Apple already create regional versions of their products.

    US customers would get the backdoor distribution, while others - and no doubt the US government and FBI - would get the secure one.

    link to this | view in thread ]

  31. icon
    Uriel-238 (profile), 26 Jan 2018 @ 11:45am

    "Purest Intentions"

    The FBI has demonstrated from the Hoover years forward that it never has pure intentions.

    Remember this is the same institution that entraps mentally disabled people in terrorist sting operations by gaslighting them and isolating them from all their friends.

    Even if it _was_ possible to design encryption with a backdoor safe from hackers, The FBI (and the rest of our Law Enforcement) have demonstrated they should not be trusted with the keys.

    Wray doesn't follow codes of ethics or honor. He just trumpets for his team -- a team to which the rest of us do not belong.

    link to this | view in thread ]

  32. icon
    Jeffrey Nonken (profile), 26 Jan 2018 @ 11:48am

    Re: Re: Let me pick one tidbit from the intro:

    Because we know that making profit is inherently evil.

    That's why we're so proud of being a capitalist economy. Because making profit is evil. Right?

    Right?

    link to this | view in thread ]

  33. icon
    Uriel-238 (profile), 26 Jan 2018 @ 11:50am

    Dangit!

    I keep forgetting to check my boxes.

    Maybe put on the Techdirt wishlist the option to set the defualts for the comment options into our account settings

    link to this | view in thread ]

  34. identicon
    Iggy, 26 Jan 2018 @ 11:52am

    Maybe the FBI needs to attract more "Smart People" to their side

    If the "Smart People" are withholding solutions the FBI needs, maybe they should do more to attract "Smart People". They wont find a secure encryption with a back door but they might get a leg up in the hacking arms race against Silicon Valley. As the Senator said, there are often vulnerabilities right from the design stage of many encryption schemes and hackers working for the government have found zero-day vulnerabilities before as in the Stuxnet virus. In modern times, there are costs to alienating people in STEM fields and the FBI is experiencing them now.

    link to this | view in thread ]

  35. icon
    Jeffrey Nonken (profile), 26 Jan 2018 @ 11:53am

    It's a giant conspiracy. All the nerds say is that it can't be done, and every single one of them is lying.

    Hasn't this guy ever heard of Occam's Razor?

    link to this | view in thread ]

  36. icon
    DannyB (profile), 26 Jan 2018 @ 11:58am

    Re: Re: Another consequence of backdoored encryption

    Q. Father, please tell me, is it a sin to use Windows 10?
    A. No dear child, using Windows 10 is not a sin, it is a penance.

    link to this | view in thread ]

  37. icon
    Uriel-238 (profile), 26 Jan 2018 @ 12:48pm

    Rolling your own encryption

    These days, rolling your own means taking one of the several well-tested sans-backdoor encryption schemes available and using one of them. Contrast the 1990s in which security through obscurity was still regarded as a valid encryption tactic. And it was in vogue for mathematics freshmen to try their hand at amateur crypto.

    We've gotten really good at both cryptanalysis and guessing human-created passwords, and this has been established by the late aughts. So it's commonly known (at least should be within the tech sector) that it is dangerous to attempt to construct an encryption scheme without a lot of study, practice and rigorous testing. And if passwords are easy to guess or stowed while lightly encrypted themselves, they're going to be discovered.

    (Curiously, it's less well known that cracking TPMs is expensive but doable and has been since 2011. Generally, something that is expensive to crack is regarded as acceptable. Regarding the San Bernadino Shooter iPhone affair, either the FBI lied about having cracked it, or the consulting firm broke the unit's TPM with a tunnelling electron microscope.)

    And granted, programming is a messy, buggy process, but that puts the vulnerability of roll-your-own encryption not in the encryption algo but its implementation.

    link to this | view in thread ]

  38. identicon
    Chris Way, formerly known as James Comey, 26 Jan 2018 @ 12:51pm

    "We know it's possible to make tobacco cigarettes that don't harm the health of smokers and passive smokers. We just don't know how, but you must find a way, or else."

    link to this | view in thread ]

  39. identicon
    Zonker, 26 Jan 2018 @ 1:08pm

    Making a secure encryption backdoor is impossible because in order to work the backdoor must be able to break the encryption. If the encryption can be broken, it is not secure.

    Authorized persons would have the key to the encryption.
    Unauthorized persons would not have the key and have to find a backdoor to get in.
    If a backdoor exists, they will be able to get in. If it doesn't, they won't.

    link to this | view in thread ]

  40. identicon
    Anonymous Coward, 26 Jan 2018 @ 1:21pm

    Choice

    "He has claimed the move to default encryption is motivated by profit. And if that's not the motivation, then it's probably just anti-FBI malice."

    I certainly hope the choice list is longer, including at least sane, sober considerations of the security needs of private citizens and an entire web of national and international commerce. However, if no other options ARE on the list, I hope it's malice. When it comes to malicious retaliation for deceitful attacks on Constitutional rights, I can think of no more deserving group than the FBI.

    link to this | view in thread ]

  41. icon
    The Wanderer (profile), 26 Jan 2018 @ 1:41pm

    Re:

    The argument is that a secure backdoor could be one where any given ciphertext can be decrypted by either of two keys: the unique one controlled by the person who the encryptor means to be able to decrypt the data, and a single central key which is in the control/custody of law enforcement (or of a company which is obligated to use it upon demand of law enforcement).

    No encryption-breaking is involved in that backdoor; it's just that the encryption is designed to have two valid keys. (This is also why they try to argue that it's not a backdoor, it's a second front door, or something like that.)

    Of course, even leaving aside the problems with securing the central key and the likelihood that that central key would be abused even by its authorized holders, the counterargument is that a system which is designed to have two keys in this way would be inherently easier to crack than one which is designed to have only one key, because of the mathematical underpinnings of the encryption.

    That counterargument is where I understand the "nerd harder" line to come in; "if you think making one that's not less secure would be impossible, you must not be trying hard enough".

    link to this | view in thread ]

  42. identicon
    Anonymous Coward, 26 Jan 2018 @ 1:44pm

    Re: Re:

    A central key also has the huge risk that it will leak out, and the system becomes completely equivalent to no encryption..

    link to this | view in thread ]

  43. icon
    Richard (profile), 26 Jan 2018 @ 1:49pm

    Re: Rolling your own encryption

    Contrast the 1990s in which security through obscurity was still regarded as a valid encryption tactic.

    That's not how I remember the 90's. I think you need to go back a lot further to get to the point where anyone competent thought that. I was looking at ASIC implementations of RSA in 1983.

    link to this | view in thread ]

  44. identicon
    Bruce C., 26 Jan 2018 @ 2:08pm

    Hmmm...

    Maybe there's a bright side to Fox News claiming that the FBI contains a vast left-wing conspiracy to discredit the Trump presidency. If the Republicans get on board with Sen. Wyden with questioning the FBI's truthiness, we might actually get some answers rather than obfuscation.

    link to this | view in thread ]

  45. identicon
    Thad, 26 Jan 2018 @ 2:50pm

    Re: Hmmm...

    Right, because it's not like they'd ever claim something that contradicted something else they'd previously claimed.

    link to this | view in thread ]

  46. identicon
    Lawrence D’Oliveiro, 26 Jan 2018 @ 2:57pm

    Re: Intel's share of the processor market is already decreasing

    Intel is currently at number 3 in the processor market:

    • x86 -- under 300 million units per year and still dropping
    • MIPS -- close to a billion units per year
    • ARM -- more units shipped per year than the entire population of the Earth.

    link to this | view in thread ]

  47. identicon
    Anonymous Coward, 26 Jan 2018 @ 2:58pm

    Re: Re: Rolling your own encryption

    Agreed; there were a group of us working with Phil Z in the 90s to find secure implementations of accepted crypto routines.

    The problem with "rolling your own" isn't limited to rolling your own key crypto: the problem extends to rolling your own implementation of known-secure crypto. All it takes is for your random seed to not be so random, or your inputs to be subject to a replay or timing attack, and it doesn't matter which crypto lib was used. This stuff needs many eyes from end to end to ensure that the implementation doesn't have a fatal flaw.

    Adding the complexity of third party keys into the mix basically makes the "acceptable security" part of it impossible. If one person doesn't control the keys, they don't control the security.

    So the only way this could possibly work is if, say, the FBI had a PKI program where they held the master key, but access to that key was role based and time boxed. You could even have multipart keys, where, say, the FBI and the manufacturer both held key parts, and they both had to present their tokens within a specific timeframe to gain access to the master key. This access would then be used alongside the individual's public key to generate a decryption key for the individual product.

    Works fine in napkin theory. However, such a model is rife with holes in security management: not only will those keys need constant rotation to stay secure (due to the known bug in PKI and human fallability), someone still has to manage the servers that manage the private keys. And we've created a single point of failure that every single hacker in the world is going to see as the ultimate target, and this single point HAS to be connected to the Internet.

    TL;DR: Sure there's plenty of bright people out there, but in order for good enough security, the entire process needs many eyes and few inputs. What the FBI wants is few eyes and many inputs, which isn't secure.

    link to this | view in thread ]

  48. icon
    Toom1275 (profile), 26 Jan 2018 @ 4:05pm

    "So, we've just rolled out our 'secure encryption backdoor.' How long do you think we can keep this to ourselves?"

    "Ten..."

    "Ten Ten what?"

    "Eleven..."

    "Wait, if this is a countdown, aren't you counting the wrong way?"

    "Twenty..."

    "... And now it's accelerating?!"

    "...Fifty. This isn't a countdown, it's just a count - of how many malicious hacker groups already have possession of our 'secret secure master key'. One hundred..."

    link to this | view in thread ]

  49. icon
    Dave Cortright (profile), 26 Jan 2018 @ 5:09pm

    Are you willing to conduct all of your personal banking with this backdoor encryption system, Mr Wray?

    When it comes to literally putting your money where your mouth is, I would like to see any person who is proposing a backdoor encryption model move all of their personal banking, stocks, bonds, loans, retirement accounts... really all financial data over to using that encryption. Given all the bad actors out there, do they really trust all of their money with this system? I think we all know the answer...

    link to this | view in thread ]

  50. icon
    Atkray (profile), 26 Jan 2018 @ 5:26pm

    Re: Re:

    Still made me almost choke on the water I was drinking.

    link to this | view in thread ]

  51. identicon
    Anonymous Coward, 26 Jan 2018 @ 5:26pm

    Re:

    They (anyone) can get in if they crack the encryption.

    link to this | view in thread ]

  52. icon
    That One Guy (profile), 26 Jan 2018 @ 5:43pm

    Re: Are you willing to conduct all of your personal banking with this backdoor encryption system, Mr Wray?

    Absolutely right. If they're willing to put the public's security at risk by mandating a security hole for things like banking, medical data, email and so on they should be required to put their own data under the same protections to demonstrate that they really believe that it's secure.

    Anything less should be treated as a flat out admission that they don't trust what they claim is secure, and as such need to shut up.

    link to this | view in thread ]

  53. icon
    orbitalinsertion (profile), 26 Jan 2018 @ 6:07pm

    Re: Re: Intel's share of the processor market is already decreasing

    RISC architecture CPUs are still used differently than 86/64 CPUs. The continuing drop in the x86 market is the general purpose desktop being killed off. (I'd go for a RISC system for an open source OS, at least with one of the more current chips that basically are comparable in function to x86, or with board design that covers what the main processor doesn't.)

    link to this | view in thread ]

  54. identicon
    Anonymous Coward, 26 Jan 2018 @ 6:19pm

    Re:

    But then they had an age of unencrypted http traffic and clear-text passwords because it was probably judged to be safe enough for the relatively small amount of people who knew enough to make use of the poor security. IT was a niche thing for nerds and a lot of people thought it a fad that would never be a major necessity in neither business as well as other places.
    In 2000 - 2010 they said that we educated too many people in IT and the bubble was bursting again.
    Today it is easy with very little knowledge to "hack" as long as you have $50 and know the right place to look (or can do the right search) and then we have "home-grown" IT people without an official education but with access to the greatest gathering of knowledge ever known.
    My point is that the agencies loved the clear-text age, because they had the people with the knowledge to use (or misuse) that... today they are outdone by many forms of encryption that everyone has access to. So yeah, they have forgotten how to investigate, because for years it was so very easy for them.

    link to this | view in thread ]

  55. identicon
    Anonymous Coward, 26 Jan 2018 @ 6:32pm

    Re: Re: Re:

    And you have got to wonder: with all the knowledge and potential company secrets, which could be worth billions, if a 3'rd party offered 10 million $ or even 100 million for either the ability to decrypt or even just a peek, can we then ever be sure that it would be safe?

    link to this | view in thread ]

  56. identicon
    Anonymous Coward, 26 Jan 2018 @ 6:45pm

    It is refreshing...

    that someone is finally and openly protesting this and asking the good questions. One of the most frustrating aspects of this whole debate is how we have to entertain the notion that what these people say should be taken seriously, while the media and even opponents dance around the blatant lies and immature attacks because "terrorists" and "for the children" tales that are used in all their arguments.
    These people with an impossible demand of "safe backdoors" keep demanding that we have an adult conversation, all the while acting like children, stomping the ground, going on like a 7 year old screaming "Waaah! I want a rocket launcher! Why can't I have it?! You are so mean!"

    link to this | view in thread ]

  57. identicon
    Anonymous Coward, 26 Jan 2018 @ 6:49pm

    Re: It is refreshing...

    No wait... that is wrong. There is a possibility that somewhere a 7-year old could actually get a rocket launcher.
    Replace with Unicorn, Flying carpet or a Genie.

    link to this | view in thread ]

  58. identicon
    Anonymous Coward, 26 Jan 2018 @ 6:52pm

    Re: So you're saying the whole public / private key thing is wrong.

    How's that TOR exit node working out for you, blue boy? I think you'd like it if you got a backdoor in your encryption.

    When is Masnick going to put up that article in support of breathing?

    link to this | view in thread ]

  59. icon
    That One Guy (profile), 26 Jan 2018 @ 7:23pm

    "Experts in the field agree with me." "Name them." "Uhh..."

    Why do I get the feeling that there's going to be another 'least untruthful answer' forthcoming? That or a dodge which may or may not include an answer to a completely unrelated question that Wyden didn't ask?

    link to this | view in thread ]

  60. icon
    Toom1275 (profile), 26 Jan 2018 @ 9:21pm

    Re: Re: So you're saying the whole public / private key thing is wrong.

    I guess google tramslate English -> Russian doesn't handle idioms very well.

    link to this | view in thread ]

  61. identicon
    Anonymous Coward, 27 Jan 2018 @ 1:39am

    Re: Re:

    We'll keep on electing him too!

    I'm proud to have TWO great Senators from Oregon
    Wish I could respect every Senator as much as I do Wyden and Merkley.

    link to this | view in thread ]

  62. identicon
    David, 27 Jan 2018 @ 2:25am

    Ouch

    Encryption relies on scrambling data so it appears to be random even if it isn't.

    Oh wow. No, that's not what encryption relies upon. That's a side effect, and only so if you don't package the result with steganography afterwards.

    Building a solid encryption system is well beyond the skill level of most people.

    Given the understanding displayed in the above, this conclusion is doubly valid.

    link to this | view in thread ]

  63. identicon
    Anonymous Coward, 27 Jan 2018 @ 4:01am

    Re: Re:

    I was thinking of police work before the clear text age, where most of the infomation they are now gathering was conveyed by that most ephemeral of methods, talking face to face. Policing was carried out long before the phone, an the capability of recording, existed.

    link to this | view in thread ]

  64. icon
    Eldakka (profile), 27 Jan 2018 @ 4:26am

    Re: Re: Re: Intel's share of the processor market is already decreasing

    The x86/x86-64 ISA is CISC, but the in-silicon processor architecture of the processing cores have been RISC for over a decade.

    Their front-ends are CISCy, but the decode step in the pipeline breaks the instructions down into RISC instructions - what Intel calls micro-ops - for processing on the ALU/FPU. The actual processing cores - ALUs, FPUs, etc - are RISC engines.

    link to this | view in thread ]

  65. identicon
    Anonymous Coward, 27 Jan 2018 @ 7:00am

    History repeating itself...

    The USG's desire to backdoor encryption used by it's citizens and around the world is long known. This particular moment in history is just a repeat of the clipper chip push from the early 90's. Look what happened there - Backlash against the USG from the public and private sector combined with release of strong (somewhat easy to use) encryption onto the internet, it all rendered the USG's plan completely useless. The cat is out of the bag, you can't outlaw math.

    It's almost as it Wray and his like keep reading Nineteen Eighty-Four where INGSOC is the benevolent dictator and Winston Smith is the enemy. Or maybe they're reading it as a 'how to'...

    link to this | view in thread ]

  66. identicon
    Anonymous Coward, 27 Jan 2018 @ 7:12am

    deliberately being withheld by the "smart people."

    So, Director Wray, are you telling that the "smart people" at the NSA are withholding this great secret from you?

    link to this | view in thread ]

  67. identicon
    Anonymous Coward, 27 Jan 2018 @ 7:33am

    Re:

    Occam's Razor? Isn't that a nerd thing? And don't we already know that all those nerds are lying?

    link to this | view in thread ]

  68. identicon
    ryuugami, 27 Jan 2018 @ 7:36am

    Re: deliberately being withheld by the "smart people."

    No, he's saying that only stupid people work for the FBI.

    Which makes the FBI Director the King of the Stupid :)

    link to this | view in thread ]

  69. icon
    Dave Cortright (profile), 27 Jan 2018 @ 7:57am

    And… it's gone!

    link to this | view in thread ]

  70. icon
    Dave Cortright (profile), 27 Jan 2018 @ 8:01am

    Re: Re: Are you willing to conduct all of your personal banking with this backdoor encryption system, Mr Wray?

    Maybe he should talk to Todd Davis…
    https://www.wired.com/2010/05/lifelock-identity-theft/

    "Apparently, when you publish your Social Security number prominently on your website and billboards, people take it as an invitation to steal your identity.

    LifeLock CEO Todd Davis, whose [social security]number is displayed in the company's ubiquitous advertisements, has by now learned that lesson. He's been a victim of identity theft at least 13 times,…"

    link to this | view in thread ]

  71. identicon
    Anonymous Coward, 27 Jan 2018 @ 9:35am

    Re: Ouch

    No, that's not what encryption relies upon. That's a side effect&helllip;

    Look, since you seem so sure about this, then instead of me trying to explain “indistinguishability” to you—how 'bout you explain it to me. Please.

    My question is… simply… what is IND-CPA, IND-CCA1, and IND-CCA2 all about?

    I can handle a moderate amount of math in your explanation, but listen, I'm an EE, not a mathematician.

    link to this | view in thread ]

  72. identicon
    Dave P., 27 Jan 2018 @ 9:58am

    Brilliant

    We could do with some forthright politicians like Mr. Wyden here in the UK. His letter is brilliant and he obviously understands what he's talking about, unlike most of OUR waffling parliamentary members - and I am especially directing that comment at our lovely P.M; Mrs. May, who, once again, is up to her usual grandstanding tricks of trying to outlaw encryption. Do they not take any notice whatsoever of all the cryptographic experts who say that safe backdoors can't be done? I despair.

    link to this | view in thread ]

  73. icon
    That One Guy (profile), 27 Jan 2018 @ 5:52pm

    Re: Brilliant

    Do they not take any notice whatsoever of all the cryptographic experts who say that safe backdoors can't be done?

    Giving them the benefit of the doubt, they know, they just don't care.

    Under that view it's simply grandstanding about how the terrible encryption helps criminals(ignoring the millions of non-criminals it protects), and how it allows them to avoid government scrutiny (again, ignoring that it also makes it harder to go on baseless fishing expeditions).

    Besides, it's not like their data will be protected by broken encryption, because while every person is equal, some are more equal, and therefore more deserving of protection, than others.

    link to this | view in thread ]

  74. icon
    That One Guy (profile), 27 Jan 2018 @ 6:19pm

    Re: Re: Re: Are you willing to conduct all of your personal banking with this backdoor encryption system, Mr Wray?

    Credit where it's due, he did put his money where his mouth was and learned personally why what he was pushing was a bad idea.

    ... Well, I was going to say I hope he learned his lesson, but a quick check at their wikipedia page and it seems that whether or not he learned his lesson the company at large apparently just brushed it aside and carried right on, to the point that they've been hit with multiple fines by the FTC, one in 2010 for deceptive advertising and another in 2015 for violations of the 2010 'agreement'.

    link to this | view in thread ]

  75. identicon
    Anonymous Coward, 28 Jan 2018 @ 10:24am

    This is very VERY simple.

    Everyone is forced to 'backdoor' encryption for banks etc and the FBI holds the backdoor key.

    if there is ANY breach, whether malicious or not, no matter who breached or why, the FBI's payroll budget is on the hook for compensation.

    I'd say we match copyright at say $150,000 per item per breach. Sound fair to everyone else?

    link to this | view in thread ]

  76. icon
    rant spiner (profile), 28 Jan 2018 @ 3:00pm

    Re: Re: Re:

    Isn't there some Gerrymandering that can be done to get rid of him with all the reasonable talking making everyone dizzy..

    link to this | view in thread ]

  77. identicon
    Mavery76266, 29 Jan 2018 @ 8:34am

    Re: Re: Re: Re:

    No. Senatorial elections are pretty much immune to gerrymandering because they are run on a state-wide basis.

    link to this | view in thread ]

  78. identicon
    Wendy Cockcroft, 30 Jan 2018 @ 5:28am

    Re: Re: Re: Let me pick one tidbit from the intro:

    It's neither good nor evil, it just is. The problem (or not) is in how the profit is generated — and at whose expense.

    link to this | view in thread ]

  79. identicon
    Wendy Cockcroft, 30 Jan 2018 @ 5:29am

    Re: The Nerd Harder Song

    I love you, TDR! Thank you for the chuckle.

    link to this | view in thread ]

  80. icon
    nasch (profile), 30 Jan 2018 @ 8:40am

    Re: Re: Intel's share of the processor market is already decreasing

    ARM -- more units shipped per year than the entire population of the Earth.

    That is a crazy statistic, and has been the case since 2011.

    https://www.theatlas.com/charts/Ek18VmbP

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.