On the post: Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption
Re: Re:
"By 'compromised', the NSA may have had back doors that are built right in to commercial software at manufacture. This may be known or unknown to the manufacturer of that commercial software"
Don't forget hardware. Hardware's even more difficult to suss out than software.

On the post: Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption
Re: Alternate reality
It's just a tacit admission that our telecommunications infrastructure - down to and including mobile handsets - is so thoroughly owned that there's simply no need to focus on encryption in the vast majority of cases.

On the post: Both Michael Hayden And Michael Chertoff Surprise Everyone By Saying FBI Is Wrong To Try To Backdoor Encryption
Re:
No need to "break" encryption if you can get the cleartext by other means.

On the post: St. Louis County Still Considering Bringing Trespassing Charges Against Journalists Police Arrested In Ferguson
Re: Trespassing
"That's a nice McDonalds you got there. Be a shame if something were to happen to it. You know how long emergency service response times can be in this area...."

On the post: Judge Kozinski: There's Very Little Justice In Our So-Called 'Justice System'
Re: Re: Ghost jurors
For the first (and quite probably last) jury that I was on, the judge encouraged us to take notes, and the jury was allowed to submit written questions to the judge at any time during the trial, who could then determine if they would be asked of the prosecution and defense lawyers, and potentially witnesses. We received specific instructions about how to submit questions from the judge prior to the start of the trial.
3 or 4 of us did so over the course of a 9-ish day trial. That was 12, 13 years ago in Maricopa County Superior Court. I have no idea if the rule is still in effect, but the answers to my questions definitely had an impact with respect to how I voted on one of the counts in front of us.
Also, once we got into deliberations, the jury was able to request evidence submitted by both sides for further up close and hands on inspection for discussion without the judge or lawyers present. We requested and were allowed to inspect and discuss without the judge or lawyers present.
It was a good model. No idea if it's still in place or not. I hope so.

On the post: NSA Apologist Offers Solutions To 'Encryption' Problem, All Of Which Are Basically 'Have The Govt Make Them Do It'
Re: Re: Re: Re:
Yeah, that's an awfully big caveat, even for a politician.
In the real world, he doesn't get to implement that caveat. The Chinese pass a law, which is as entirely valid as a law passed in the US, and now they have an entirely legal reason to demand the unicorn-key.

On the post: NSA Apologist Offers Solutions To 'Encryption' Problem, All Of Which Are Basically 'Have The Govt Make Them Do It'
Re: Re:
"Them, they, us, good guys, bad guys". A large part of the problem with the debate is that it's not sufficiently personal for those directly involved with it.
"Mr. Comey, please state for the record that you are comfortable with law enforcement and intelligence community members (who have a legitimate interest, albeit under an entirely separate justice system) from Russia and China utilizing the Unicorn-key you're suggesting we mandate to decrypt all of your personal correspondence and financial information, at will and without your knowledge."
or maybe one better:
"Mr. Comey, are you prepared to explain to Mr. Chaney that staffers at the International Court of Justice in The Hague, Netherlands, utilized your mandated Unicorn-key to acquire sufficient privileged information to indict Mr. Chaney on War Crimes related charges which led to the extradition warrant in front of me?"

On the post: NSA Apologist Offers Solutions To 'Encryption' Problem, All Of Which Are Basically 'Have The Govt Make Them Do It'
Re: Re: The debate they're avoiding
Technically, it might be possible. However, you'd very quickly learn the ins and outs of what the terms "state secrets" and "gag order" mean.

On the post: NSA Apologist Offers Solutions To 'Encryption' Problem, All Of Which Are Basically 'Have The Govt Make Them Do It'
Re: Re: Re: The debate they're avoiding
"presumably these corporations would not be compelled to respond to warrants from other nations, but would be for US-issued warrants."
Or money. Money is also compelling. Especially when you've got a country-sized bank account. Ask the staff over at the Hacking Team.
Also on the list of compelling things: blackmail, drugs, a gun to your significant other(s) (and/or children(s)) heads, etc. In fact, most people would find any of these more compelling on a personal, visceral basis than a little piece of paper with "warrant" printed on it.
And if you're going to build in a master key that unlocks pretty much all of the interesting crypto in the country, none of the above items are melodramatic scenarios.

On the post: NSA Apologist Offers Solutions To 'Encryption' Problem, All Of Which Are Basically 'Have The Govt Make Them Do It'
It's not just the appearance of being complicit that's bad for business...
"There's some truth to this theory. Tech companies are particularly wary of appearing to be complicit in government surveillance programs as a couple of years of leaks have done considerable damage to their prospects in foreign markets."
It's not just the perception of being complicit that's a problem for companies - the odds of being able to stay secretly complicit are decreasing by the week:
Hacking Team’s Remote Control System software — which can infect a target’s computer or phone from afar and steal files, read emails, take photos and record conversations — has been sold to government agencies in Ethiopia, Bahrain, Egypt, Kazakhstan, Morocco, Russia, Saudi Arabia, Sudan, Azerbaijan and Turkey.
Oh, and apparently to a variety of US Government agencies (state and federal levels).
It warms my heart to see that the good, well-meaning folks at Hacking Team were only selling their law-enforcement friendly spyware to US Designated "good guys", and weren't in any way influenced by the potential for financial gain by any countries listed by the US as repressive regimes. Oh. Wait...

On the post: DHS Head Jeh Johnson Recognizes The Privacy/Security Tradeoff, But Seems Unlikely To Make The First Concession
Re: DHS Head Jeh Johnson Recognizes The Privacy/Security Tradeoff, But Seems Unlikely To Make The First Concession

On the post: Will Corporate Sovereignty Disputes Lead To Wars One Day?
Re: Re:
Now that'd be reality TV worth watching...

On the post: CIA Still Acting Like A Domestic Surveillance Agency, Despite Instructions Otherwise
"Oversight" - You keep using that word...

On the post: Everyone's An Agent: UK Company Provides Spy Software To Teachers To Weed Out Child Terrorists
Re: Re: Time for a little NSA Haiku
"Your statement implies that surveillance is currently useful, when pretty much all evidence currently shows that it's already pretty useless."
Words like "useless" and "failed" are entirely dependent on a project's success criteria. And a project can have multiple success criteria.
Granted, the "obvious" success criteria is "find terrorists". But there are other, not quite so obvious potential success criteria here. Examples include, but aren't limited to:
distraction ("hey everyone, look over here at this useless program")
indoctrination - "in 5 years, people will be used to X, then we can implement Y"
funding support - "X isn't useful today, but will be given another $Y"
misdirection - "we've told the terrorists we found the location to their secret base via correlation of landmarks with satellite footage. Let's hope they don't figure out to turn off the location function on their smartphone camera and/or figure out how to strip EXIF data out of images."

On the post: Second OPM Hack Revealed: Even Worse Than The First
Re: Another thought
"I wonder if he knew about the operational insecurity of the OPM?"
Maybe. Doesn't really matter.
"You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened."
Unlikely. History shows - repeatedly - that such warnings - at best - would have been ignored and at worst would have been received with great hostility.
"In that case, he would have been awarded a medal for it and given a better job."
No. Having embarrassed the Authorizing Official (required under FISMA, look it up) for whichever system it was, he'd have been lucky to have gotten the equivalent of an "atta boy, good job, go back to work" and subsequently having the report shelved, not to be looked at again until some reporter filed a FOIA request for it.

On the post: Second OPM Hack Revealed: Even Worse Than The First
This is exactly what happens...
I mean, don't get me wrong - there's no question that this is really bad. But if we, as a country, continue to centralize information on everybody in the name of security, then before too many years have elapsed, we're going to look back on this particular breach as being small scale and, dare I say it, quaint.

On the post: Amendment Blocking Backdoor Searches, Backdooring Encryption To Be Added To Defense Funding Bill
Re: That'll teach 'em to mess with JQ Public... NOT
"Well, crap, congress says we can't use these dollars for surveillance. Guess we better tack another $500mm onto the black budget..."

On the post: FBI Successfully Stonewalls Inspector General Into Irrelevance By Withholding Timely Section 215 Documents
Re: Re: OIG without Power
If you're given responsibility, but no authority, then your job is to take the blame when things go wrong.

On the post: US CIO Orders All .Gov Websites To Require Encrypted Connections, Amazon Enters The Secure Cert Space
Re: Re: Refreshing honesty
Seems legit.

On the post: US CIO Orders All .Gov Websites To Require Encrypted Connections, Amazon Enters The Secure Cert Space
Re: Re:
Yes, but do they have a root certificate openly tied to the US Government pre-installed in every major browser and operating system? https://www.irs.gov's SSL cert is issued by Akamai and fails to validate due to a hostname mismatch. https://www.whitehouse.gov is signed by Verizon/Akamai. https://www.cia.gov is signed by Symantec.
The US Government is big, and if they're going to successfully implement this mandate, they're going to need their own public root certificate authority to cost-effectively sign all those new SSL Keys, and for the sake of simplicity, that root CA cert will need to be installed everywhere by default. Otherwise Grandpa is going to get a browser cert error when he goes to www.irs.gov, and we can't have that.
Of course, once a root is installed, it can be used to sign certs for any web site.