
No Matter What the FBI Says, Compromising Encryption Is a Technical Issue

245 points | DiabloD3 | 10 years ago | eff.org

93 comments

[+] Briel|10 years ago|reply
Federal agencies didn't flag the San Bernardino killers despite the fact they apparently considered an earlier attack, had connections with known radicalized persons, were radicalized for many years and other serious warning signs.

Having access to encrypted communications is just going to add a lot more information to monitor and thus more noise to filter out for federal agencies, who are already bad at catching the red flags.

The answer here isn't MORE surveillance, it's more TARGETED surveillance, i.e. devising much more precise warning patterns to look out for. For example, the San Bernardino killers apparently took out a massive loan and emptied their bank accounts prior to the attack.

[+] hueving|10 years ago|reply
>For example, the San Bernardino killers apparently took out a massive loan and emptied their bank accounts prior to the attack.

This happens quite frequently when people are going to make a big purchase or pay off another loan with worse terms. It's not as much of a red flag as you would think.

[+] rainsford|10 years ago|reply
It's hard to say whether they're really "bad at catching the red flags" or not because we're looking at the data after the fact, knowing exactly how the situation turned out. Everything looks like a serious, obvious warning sign once the data has been pre-filtered and given context by the fact that we KNOW these people were planning a terrorist attack.

The other thing to consider is what flags actually allow the authorities to do unless the flags rise to the level where the police can actually arrest the suspects or follow them around 24/7.

[+] harigov|10 years ago|reply
Actually, they need both. They are building an ML model that detects probable terrorists. You need to work on fine-tuning the model as well as gather more data to improve classification accuracy. The question isn't which approach to take, but how much accuracy is good enough. 100% security is only possible if we monitor every thought of every person on this planet. Are we willing to give up our freedom and privacy for increasing our terrorist detection model performance by 0.1%? (just a guess)
[+] oliv__|10 years ago|reply
>"For example, the San Bernardino killers apparently took out a massive loan and emptied their bank accounts prior to the attack."

The same exact thing happened in the Paris attacks: one of the killers (already known by French authorities to be radicalized) withdrew three months of salary shortly before the assault.

Saying that encryption is the problem is simply ridiculous considering the fact that even the most basic procedures aren't being taken care of.

[+] TazeTSchnitzel|10 years ago|reply
French authorities didn't manage to stop the Paris attacks despite them also using open, unencrypted communications.
[+] austenallred|10 years ago|reply
Can someone explain to me how a proposed government backdoor into encryption would work? Is every creator of encryption software supposed to build in a master key and hand that over to the FBI?

I ask this in all seriousness, as I cannot fathom how such a system would be implemented, even disregarding the Constitution and the willingness of those creating the software.

[+] sandworm101|10 years ago|reply
Contrary to many opinions here, this is not a new problem. For many years encryption products included "work reduction" schemes. Not backdoors per se, but schemes that allowed those with the insider knowledge to brute-force the encryption in a reasonable time. Those without the knowledge (the public) still faced strong encryption. It worked back in the 90s. With today's computing power it is likely no longer practical.

Google "export grade encryption" and "lotus notes"

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

Dark dark days for privacy, and it came back to bite us as the FREAK vulnerability, but those in charge today are old enough to remember such tricks. That's why generals still talk of cooperation to create reasonable backdoors, they confuse true backdoors with the old work reduction schemes.
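
The work-reduction idea described in the comment above, as an added example that is not part of the original thread: the top bits of each session key travel with the message in a field only the holder of an insider secret can read, so that party searches 2^8 keys while everyone else faces 2^18. The sizes are constructed and scaled down so both searches finish quickly; `escrow_mask`, `seal` and `search` are hypothetical names, and the HMAC mask is a stand-in for encrypting the field to the insider's key.

```python
import hashlib, hmac, secrets

KEY_BITS, ESCROW_BITS = 18, 10      # constructed, scaled-down sizes
LOW_BITS = KEY_BITS - ESCROW_BITS   # bits the insider still has to search

def xor_stream(key: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(4, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def escrow_mask(insider_secret: bytes, nonce: bytes) -> int:
    """Hypothetical stand-in for encrypting the escrowed bits to the insider."""
    mac = hmac.new(insider_secret, nonce, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") >> (32 - ESCROW_BITS)

def seal(plaintext: bytes, insider_secret: bytes):
    """Encrypt and attach a field that hides the key's top bits for the insider."""
    key = secrets.randbits(KEY_BITS)
    nonce = secrets.token_bytes(8)
    field = (key >> LOW_BITS) ^ escrow_mask(insider_secret, nonce)
    return {"nonce": nonce, "field": field, "ct": xor_stream(key, plaintext)}, key

def search(msg: dict, known_prefix: bytes, insider_secret: bytes = None):
    """Known-plaintext key search; returns (key or None, candidates tried)."""
    if insider_secret is None:       # outsider: the whole keyspace
        candidates = range(1 << KEY_BITS)
    else:                            # holder of the secret: low bits only
        top = msg["field"] ^ escrow_mask(insider_secret, msg["nonce"])
        candidates = range(top << LOW_BITS, (top + 1) << LOW_BITS)
    head = msg["ct"][:len(known_prefix)]
    for tried, k in enumerate(candidates, 1):
        if xor_stream(k, head) == known_prefix:
            return k, tried
    return None, len(candidates)

def demo():
    secret = b"constructed-insider-secret"   # constructed sample value
    msg, key = seal(b"SUBJECT: constructed sample message", secret)
    return key, search(msg, b"SUBJECT:", secret), search(msg, b"SUBJECT:")

if __name__ == "__main__":
    key, (k_in, n_in), (k_out, n_out) = demo()
    print(f"holder of secret: {n_in} tries; outsider: {n_out} tries; same key: {k_in == k_out == key}")
```

The protection for everyone else rests entirely on the insider secret staying secret: any party that obtains it gets the same 256-candidate search.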

[+] Arainach|10 years ago|reply
Steven Levy wrote an excellent book about the first big battle over encryption standards in the 90s, "Crypto". One of the more heavily pushed "solutions" was the Clipper Chip, which was essentially key escrow.
[+] bigiain|10 years ago|reply
"Is every creator of encryption software supposed to build in a master key and hand that over to the FBI?"

Including, presumably, not only programmers who're not under the jurisdiction of the FBI, but also programmers for whom the FBI is genuinely "their and their nation's adversary"?

Reminds me of a recent tweet: Homeland Security's new "House Un-American Mathematics Committee": https://twitter.com/puellavulnerata/status/67290345222221824

[+] shmerl|10 years ago|reply
It won't work. That's about it. I.e. once there is a backdoor, security is compromised and it can be used by both law enforcement and malicious attackers.
[+] coderdude|10 years ago|reply
Like most insane directives I'd imagine this one isn't intended for the masses. Only for the ones you want to compel. This isn't as technical an issue as we'd want to believe.

They want to be able to light a fire under your ass. Once they light that fire, the technical issues are moot.

[+] marcosdumay|10 years ago|reply
I guess that's the overall idea.

Also, the US will probably forbid anybody from outside their jurisdiction from creating encryption software, otherwise it won't work. \s

[+] jacquesm|10 years ago|reply
And of course that is balancing on the assumption that only the US has people capable of building such software.
[+] api|10 years ago|reply
"It turns out that somehow, Comey believes that the question of whether to ban encryption without backdoors is “not a technical issue.” He told the senators that “plenty of companies” provide services online while still maintaining the ability to read their users' data, and that “plenty” of smartphone manufacturers can unlock encrypted phones. Thus, he concluded, “it’s a business model question.”"

If you read between the lines a bit, it's clear that what they want is encryption to/from cloud hubs where data is stored using escrowed keys (a.k.a. server-side "encryption"). Many services already more or less do this, so the goal would be to push the entire market in this direction and then eventually to outlaw or otherwise restrict systems that do not work in this way.

This fits in with the dumb terminal / mainframe model of the Internet being pushed to varying degrees by most of the tech giants these days and with Amazon's vision for IoT.

It's stupid and naive to claim that there is some technical barrier to what the FBI wants. It's actually quite easy if we apply a bit of government pressure to push the Internet even further toward the "put everything in the cloud" direction it's already going. Anything in the cloud is almost by definition backdoored.

[+] mindslight|10 years ago|reply
> Anything in the butt is almost by definition backdoored

Pretty much. The TLAs are whining because they got used to wholesale vacuuming of butt data, and now the pendulum is poised to swing the other way.

IMHO Apple is merely poking a hornet's nest, because it will be quite easy for USG to force them to modify their centrally-distributed software. The only truly defensible position we have is Free software. Whether there's enough interest/money to support its wide scale adoption is one of the major questions of our time.

[+] topspin|10 years ago|reply
"Comey believes..."

Comey is the emptiest suit I've ever seen testify before Congress. Comey is told by his handlers what he should claim to believe and otherwise he carefully avoids believing anything.

At one point today he really showed his ass. After tacitly agreeing with Leahy about "an Internet sale" of a gun which implied anyone could order a gun online without a background check, Graham asked Comey if such a purchase would be "delivered to my home."

When asked this question, the Director of the FBI, an organization that, along with the ATF, orchestrated the Fast and Furious gun-walking scheme and therefore should have absolutely zero confusion about the exclusive role of FFL holders in the transfer of firearms in the United States and the harsh federal penalties for anyone that fails to obey the relevant laws, answered in public, complete with a genuinely quizzical look;

"... I assumed it's shipped to you, but I don't know for sure actually ..."

Full stop. Not one shred of a clue. Un. Freaking. Believable.

There is nothing there. Comey is literally propping up a suit for the cameras.

[+] Zigurd|10 years ago|reply
> Many services already more or less do this...

Those services can't be trusted now where part of the threat model is corrupt, hostile, and/or authoritarian state actors. Unless you think America is the only place you'll conduct business that needs secure communication, that's not a viable "solution."

[+] lmitchell|10 years ago|reply
The article does label key escrow as 'technical means that badly compromise their users’ security'. Now I'll be the first to admit that I'm not an expert, but saying 'well, you can use key escrow' ignores the fact that the authors label key escrow as one of the ways not to do it.
[+] Ar-Curunir|10 years ago|reply
Outsourcing your computation to the cloud doesn't have to be insecure, if you trust the code you're running (perhaps it's your own code). Cryptographers call this delegated computation, and while modern techniques are still VERY slow, there has been a lot of progress in the past few years, and I think the landscape of these techniques will look much better.

Of course, we still have to contend with the case where the software you use is NOT owned or trusted completely by you. That's a different problem that IMO can only be solved by open source software.

[+] sobinator|10 years ago|reply
I watched Comey's entire hearing today. The article here is accurate, but I think that it takes a strongly opinionated view of Comey's guarded and yet honest responses.

Comey knows that the solution to this problem won't be solved with legislation, which is why he isn't going to expend his energy trying to accomplish what the EFF suggests as a solution. One good thing to consider is that the EFF and the FBI both recognize that encryption can be an evil thing and that actions need to be taken to protect the citizens and the government that serves them.

With respect to the debate I'm seeing here in the comments, it seems like, to me, that there is a considerable amount of misunderstanding. What was discussed today wasn't the issue of mass surveillance, but of how or even IF these companies that offer secure communication services could aid in FBI investigations. That is both a technical and a non-technical issue. Comey calls it a non-technical issue simply because he thinks the solution ought to be left to the technical people at each company, and that in principle, regardless of encryption strength, these companies should offer a way to help the FBI in these exceptional instances. I think people here are seeing one or the other side and not realizing that Comey is aware of both.

[+] sillysaurus3|10 years ago|reply
> One good thing to consider is that the EFF and the FBI both recognize that encryption can be an evil thing and that actions need to be taken to protect the citizens and the government that serves them.

It's not a useful classification. Encryption can be used for evil, just as everything else in the world can.

> Comey calls it a non-technical issue simply because he thinks the solution ought to be left to the technical people at each company, and that in principle, regardless of encryption strength, these companies should offer a way to help the FBI in these exceptional instances.

There's a difference between leaving it to technical people to help, and forcing technical people to help. Legislation is the route to the latter.

There is no way for technical people to help against a good cryptosystem unless that cryptosystem has been subverted from the start. This is the new world we live in, and it's up to law enforcement to either recognize that fact, or weaken American encryption relative to the rest of the world, with predictable consequences.

EDIT: "The Horror of a 'Secure Golden Key'" https://news.ycombinator.com/item?id=8428632

[+] aianus|10 years ago|reply
> these companies should offer a way to help the FBI in these exceptional instances

No. If it's at all possible for the technical staff to help the FBI when 'appropriate', then it will also be possible for them to snoop on you for any other inappropriate reason (jealous boyfriend stalking his girlfriend, corporate espionage for profit, etc.)

[+] jacquesm|10 years ago|reply
Everything can be an 'evil thing'. A hammer, encryption, a laptop and an email client can be 'evil things'. So if everything can be an 'evil thing' the conclusion should be there are no 'evil things' only evil activities perpetrated by (probably) evil people.

> I think people here are seeing one or the other side and not realizing that Comey is aware of both.

I don't think it is possible to see one or the other side, I think in this case there are no 'sides' to be on. The cat is out of the bag, it won't go back in and any time wasted on this subject is time that would be more productively spent elsewhere. Just like gunpowder and nuclear weapons can't be un-invented (and those are a lot more skewed towards being 'evil things' and yet even gunpowder has good uses (explosives used for road building) and we've seen some proposals for PNE's (not that that ever worked)).

If you want encryption to be an evil thing by extension math is an evil thing.

[+] mrsteveman1|10 years ago|reply
If we're going to have an argument over who needs to change their "business model" so the FBI's anti-terrorism mission is easier, gun manufacturers and sellers should be at the top of the list, not software companies.
[+] passionfruit|10 years ago|reply
That is the same sort of silliness as banning software but applied to hardware instead. Furthermore, many terrorist attacks have been done using knives and machetes such as the May 22, 2013 Woolwich attack.
[+] mindslight|10 years ago|reply
I'm sure there are plenty of people with different priorities being goaded into making the opposite argument. Defending yourself by offering up others is a poor strategy that results in everyone losing.
[+] fein|10 years ago|reply
How exactly? If anything this outlines the failure of NICS; not gun manufacturers and FFL's.
[+] dcw303|10 years ago|reply
> the FBI will rely on backroom pressure to make companies compromise encryption, or even eliminate business models it doesn’t like.

What does this imply for FOSS? I can't really see the feds organizing a sit down with the maintainers of the hot new crypto algo repo hosted on GitHub.