Questioning the Dispute Over Key Escrow
Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
Solution: Don't Trust Anyone (within reason) (Score:5, Insightful)
Client-side end-to-end encryption using perfect forward secrecy is the only thing we can "trust" now, sadly. Key escrow? Who gives a crap? Our government has destroyed all reasonable expectation of trust or privacy, and it's not like private corporations can't be compelled to cooperate. The problem is, it's not really feasible to vet source code for the vast majority of people, even for open source projects, since it's a highly specialized skill set. And how do we ensure that an update doesn't come along specifically to open up an exploit or a back door? Essentially, we're now in a position of trying to decide which projects we can trust with our privacy.
I used to snicker at people who thought like this, maybe throwing in a "tinfoil hat" joke here and there. Damn... it's not quite at the level of CIA-implanted brain bugs, or thought-controlling water additives, but the government is getting damn creepy with its mass surveillance.
Re: (Score:2)
Yes. The FSF and reviewing millions of lines of source code will save your mortal souls. How about that Heartbleed vulnerability?
Insightful! I don't need no steenkin' weighted decision matrix - I'm going back to Windows ('cause it's got less code, and more eyes - and the ads are cool).
Re: (Score:2)
Dear coward
You missed the point. Open source acolytes pray at the feet of "free software" and don't recognize there is no "free labor" to review those sacred lines of code. You see, both closed source and open source people are putting their faith in something. Are the FSF lovers going to review all those lines? If not, then you are hypocrites.
I missed the point? And you aren't painting with a broad brush ("Open source acolytes pray at the feet of 'free software'")?! There's a term for that: confirmation bias. No surprise you don't get irony, sarcasm or satire, or "weighted decision matrix".
"You see, both closed source and open source people are putting their faith in something." I do? O'Reilly? You seem to put a lot of faith in something... like the belief your "psychic powers" aren't "psychotic delusions". Thanks for your insights.
Re: Solution: Don't Trust Anyone (within reason) (Score:2)
Re: (Score:2)
Proprietary closed source software will always contain a backdoor and will have countless security vulnerabilities. That's obvious to anyone who studies how proprietary software companies have dealt with security problems in the past. If you want to trust Crypto AG and the like, go ahead, but don't be surprised if it turns out later that you've spent tons of cash on snake oil.
Short version (Score:1)
... former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow...
So....what's his financial angle this time?
He was the one who pawned the Full Body X-Ray machines [thenewamerican.com] that were eventually pushed onto prisons [slashdot.org].
I would really like to get a job where I can do what he did and does. How does one get those?
Oh yeah, know the right people, which is always the case.
Re: (Score:1)
We get old. We get smarter. We learn from our mistakes. Kids who haven't learned the same lessons yet are always ingrates when they disagree with you. It even happens to the best of us.
Re: (Score:2)
And how do we ensure that an update doesn't come along specifically to open up an exploit or a back door?
It doesn't matter if it's intentional or not, the exploits are there. Even OpenBSD hasn't managed to keep remote exploits out of their system (although practically speaking, good luck breaking into an OpenBSD system).
Re:Solution: Don't Trust Anyone (within reason) (Score:5, Insightful)
It doesn't matter if what you are using is exploitable or not. If a state agency is targeting you specifically, you are screwed no matter what. They will probably find a way to collect the information they want. However, using end-to-end encryption with well-vetted tools will keep your communications out of these global dragnets the NSA and its ilk have been running.
You're not going to stop them from hacking your computer if they want to get in, but frankly you're not important enough, and it is worthwhile to keep your data from being swept up incidentally.
Re: (Score:2)
but frankly you're not important enough, and it is worthwhile to keep your data from being swept up incidentally.
How do you know? There are important people on this forum.
Re: (Score:2)
The game changed and nobody told us. Nobody can assume that they aren't "important enough".
You think you're being edgy and clever but all you are is way fucking behind. That's always been true!
Re: (Score:2)
Re: (Score:2)
I used to snicker at people who thought like this, maybe throwing in a "tinfoil hat" joke here and there. Damn... it's not quite at the level of CIA-implanted brain bugs, or thought-controlling water additives, but the government is getting damn creepy with its mass surveillance.
What we know about CIA-implanted brain bugs and thought-controlling water additives is that this government would not hesitate to use either one if it were available to them.
You can already manipulate people's mental states with water additives, and implanted "brain bugs" are only a matter of time — we're making more and more progress along those lines all the time. We don't have long to get this government under control...
Re: (Score:2)
Hey, stop the scaremongering. It works very much differently. You don't add value to this discussion.
You add so little you didn't even log in and be counted, because you know you have nothing useful to add. But that didn't stop you from being a hypocrite, did it?
Most people can be scared to hell by a few ex-Marines tailing them in the local shopping mall. For life!
Yeah, for me it was all the times my not-just-a-dry-drunk alcoholic ex-marine father told me he knew a shitload of ways to kill me, when he was drunk and pissed off. Guess who's anti-military?
Re: (Score:2)
Client-side end-to-end encryption using perfect forward secrecy is the only thing we can "trust" now, sadly.
I believe that's only as secure as your PRNG. [wikipedia.org] So I would go one step further and say that statement only applies on systems built from free open source software. Microsoft, Apple, and Google could remotely install/remove whatever they want on your hardware, behind your back, without you knowing it. All three are known "friends of NSA" and the OP makes a very good point. Most of what is being discussed is theater, and it is theater designed to rebuild trust in these traitors.
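The two comments above make a pair of claims worth seeing in working code: that end-to-end encryption with forward secrecy keeps recorded traffic safe even if long-term keys are later seized, and that this only holds if the ephemeral keys come from a trustworthy random number generator. The following is an added illustration, not code from any commenter or product named in the thread. It uses a toy Diffie-Hellman group over a small Mersenne prime (an assumption made for readability; nobody should use it for anything real), a SHA-256 hash as a stand-in KDF, and a constructed "timestamp" seed to model a predictably seeded PRNG. Standard library only.

```python
"""Added toy demonstration: forward secrecy versus a weak PRNG.

Toy Diffie-Hellman over a small Mersenne prime, constructed for illustration only.
Real systems use X25519 or a 2048-bit-plus MODP group and a proper KDF."""
import hashlib
import random
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), far too small for real use
G = 5            # toy generator

# Constructed "timestamp" a careless implementation might seed its PRNG with.
WEAK_SEED = 1438300000


def keypair(rng):
    """Return (private, public) for the toy group using the supplied RNG."""
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def session_key(shared_secret):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    return hashlib.sha256(b"toy-kdf|" + shared_secret.to_bytes(16, "big")).digest()


def static_dh_session(alice_static, bob_static):
    """No forward secrecy: the session key is a function of long-term keys only.
    Returns the key and the public transcript an eavesdropper records."""
    a_priv, a_pub = alice_static
    _b_priv, b_pub = bob_static
    key = session_key(pow(b_pub, a_priv, P))
    return key, {"a_pub": a_pub, "b_pub": b_pub}


def ephemeral_dh_session(rng):
    """Forward secrecy: fresh key pairs for this session only; the private
    halves are dropped when the function returns, so nothing remains to seize."""
    a_eph_priv, a_eph_pub = keypair(rng)
    b_eph_priv, b_eph_pub = keypair(rng)
    key = session_key(pow(b_eph_pub, a_eph_priv, P))
    assert key == session_key(pow(a_eph_pub, b_eph_priv, P))  # both sides agree
    return key, {"a_pub": a_eph_pub, "b_pub": b_eph_pub}


def recover_with_seized_key(transcript, alice_static_priv):
    """Passive attacker: recorded the transcript, later seized Alice's long-term
    private key. Works against static DH; yields garbage against ephemeral DH
    because Alice's long-term key was never an input to that session's KDF."""
    return session_key(pow(transcript["b_pub"], alice_static_priv, P))


def recover_with_weak_prng(transcript, seed_candidates):
    """Passive attacker who knows the ephemeral keys came from random.Random(seed)
    with a guessable seed: replay each candidate seed until Alice's recorded
    ephemeral public key reappears, then finish the handshake as Alice."""
    for seed in seed_candidates:
        a_priv, a_pub = keypair(random.Random(seed))
        if a_pub == transcript["a_pub"]:
            return session_key(pow(transcript["b_pub"], a_priv, P))
    return None


def demo():
    """Run the three scenarios and report which attacks recover the session key."""
    strong = secrets.SystemRandom()
    alice = keypair(strong)
    bob = keypair(strong)
    seeds = range(WEAK_SEED - 500, WEAK_SEED + 500)

    static_key, static_tx = static_dh_session(alice, bob)
    pfs_key, pfs_tx = ephemeral_dh_session(strong)
    weak_key, weak_tx = ephemeral_dh_session(random.Random(WEAK_SEED))

    return {
        "static_dh_broken_by_seized_key": recover_with_seized_key(static_tx, alice[0]) == static_key,
        "ephemeral_dh_survives_seized_key": recover_with_seized_key(pfs_tx, alice[0]) != pfs_key,
        "ephemeral_dh_survives_seed_search": recover_with_weak_prng(pfs_tx, seeds) is None,
        "weak_prng_ephemeral_dh_broken": recover_with_weak_prng(weak_tx, seeds) == weak_key,
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The point of the last scenario is the one the comment above makes: the handshake is textbook ephemeral DH and the transcript leaks nothing, yet an attacker who can guess the seed of a deterministic PRNG simply regenerates Alice's ephemeral private key and derives the session key for every recorded session. Forward secrecy is a property of the key material, and key material is only as good as its entropy source.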
Re: (Score:2)
Sorry to be pedantic, but in this case it is important.
We have every reasonable expectation of privacy and trust we ever had. Government has destroyed every confidence that it can be trusted to honor those reasonable expectations. It is working hard to undermine its own legitimacy.
Re: (Score:2)
You've stated what I *intended* to convey more clearly than I did.
Stock tip of the year!!!1!!1 (Score:3)
Going long on whoever the hell makes aluminum foil...
Re: (Score:2)
Going long on whoever the hell makes aluminum foil...
Pro Tip: tin. You want tin foil. Too late, you've gone and blown your college fund on aluminum. We told you not to drink the fluoridated water. (and people pay [savingiceland.org] to put fluoride in water [wikipedia.org]?)
Ministry of the Homeland still exists, eh? (Score:1)
Aren't you glad you voted for Obama? Such change he brought.
Re: (Score:2, Insightful)
It's Not Complicated (Score:2)
If the data or encryption key is out of your possession, you must assume it is public. If you want to secure your data, it must be encrypted before it leaves your computer. And if you want to trust your computer, you can't use a proprietary OS.
Most people don't need that level of security... some convenience is worth the likely loss of privacy (to a point). I'm not going to worry about getting my cousin to use PGP in order to email about our family reunion. But if you are concerned about privacy, you have e
Re: (Score:2)
Can we send a dollar to DHS (Score:2)
So they can buy a fucking clue? No, there will be no "escrow"; the administration you represent has continued a policy of spying on our communications. Therefore any suggestions, changes, or stupid fucking ideas that would compromise my data's security are off the table. Now, as the former VP would say, go fuck yourself!
The central pro-escrow argument is idiotic. (Score:5, Insightful)
Re: (Score:3)
You would think a pair of gloves would render all the police fingerprinting useless, yet haphazard criminals are caught by it all the time. Like everyone else with limited resources, they either catch you because you're important or because you make it easy. Heck, I bet many criminals using computers don't even know what crypto is.
includes an element of theater. (Score:1)
Understatement of the century!
Zero-days are not "back doors". (Score:4, Insightful)
Zero-days are not "back doors".
Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.
Re: (Score:2)
Zero-days are not "back doors".
Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.
I think the implication of the story is that they are put in there intentionally, at least some of them.
Re: (Score:2)
Every single OS currently being used has 0-day exploits just waiting to be found. So by your reckoning I guess all the developers involved in creating and maintaining these OS's are incompetent? The real incompetence is in all those companies calling themselves security experts. These deep-think groups of geniuses are always 2 steps behind those creating the exploits. They publish white papers containing postmortems on exploits that have already reeked havoc. And the vast majority of exploits today are caus
Re: (Score:2)
These deep-think groups of geniuses are always 2 steps behind those creating the exploits. They publish white papers containing postmortems on exploits that have already reeked havoc
Tee hee. "Reeked" havoc. Do yourself a favor and don't use words you don't understand while talking shit about other people.
Re: (Score:2)
You could have done cavreader a favour and pointed out that he probably intended the past tense of "wreak", which would be "wrought".
I did do him a favor, I gave him useful and timely advice. If he chooses not to follow it, that's not my fault.
Re: (Score:2)
Zero days can be used to install back doors. See "PRISM".
Re: (Score:2)
Zero-days are not "back doors".
Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.
Agreed about a 0-day flaw not necessarily being a "back-door".
You're incorrect about flawed software necessarily being the output of a bad programmer. Even the best programmers make mistakes. It's not just the nature of software, it's the nature of security: "absolutely secure systems do not exist" (Shamir's First Law). Except maybe death, and even then it's not certain.
Programming languages, development procedures, code auditing, and system architecture keep developing towards inherently better security.
Re: (Score:2)
The US and UK security services have noted that difference and can shape generations of code, funding, standards, trade and competition policy.
An average company that's incompetent due to hardware and software limitations gets contracts, good press and friendly govs buy in for their own staff, education and clear standar
one of two things is true (Score:1)
Major US tech companies can NOT fight the full might of the US government. They are beholden to all those laws, secret or otherwise.
That means one of two things is true. Either (1) those companies are no longer located or have any corporate assets or personnel in the United States, or (2) they are complicit in the NSA's spying. This holds true of all the major US tech companies. Apple, Facebook, Google, Cisco, whoever.
It's fairly clear which of those is true, no?
Comment removed (Score:3)
Re: (Score:2)
Re: (Score:1)
Not a conspiracy, just practical for them (Score:1)
Buy a dictionary (Score:2)
A conspiracy is when two or more people get together (conspire) to take advantage of one or more people. Conspiracies are the norm, not the exception.
Conspiracy Theorist, as a phrase, was ironically (for you) deliberately created by the CIA as a means of discrediting people who had ideas about how they might be fucking us.
Re: (Score:1)
Re: (Score:2)
Actually... no. "A secret plan by a group to do something unlawful or harmful."
You also have to know how to use the dictionary. You don't just pick the meaning you like, and then pretend all the other ones don't exist.
1. the act of conspiring.
2. an evil, unlawful, treacherous, or surreptitious plan formulated in secret by two or more persons; plot.
3. a combination of persons for a secret, unlawful, or evil purpose:
4. Law. an agreement by two or more persons to commit a crime, fraud, or other wrongful act.
5. any concurrence in action; combination in bringing about a given result.
You re
Re: (Score:2)
wrong again. Get lost
Just so I know, how old are you? I want to know what class of child I've been wasting my time arguing with.
Re: (Score:1)
This is the second time you have stated this falsehood in as many days. Why lie? Wikipedia is available with a handy history section. The phrase was in use long before the 60s. Dishonesty does nothing but discount everything you say as utter trash.
Encryption is not the big problem we face. (Score:2)
Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
This. Yes, absolutely. Google knew everything about PRISM except possibly its classified name, thus their straight-faced "we had not heard nor did you know about PRISM". Ditto every other Silicon Valley company. Do you think Intel got to where it is while defying the US Government's request for backdoors into their products? Or do you think the government di
Re: (Score:2)
The point is, codes need to be cracked or otherwise secret communication compromised, and we can now, unlike during WWII, create encryption which can't be cracked. That was the only point I was making. I am not supporting, as I said, backdooring encryption. So I am not sure what your point is.
Also, Turing didn't crack Enigma, Poland did. That's potentially interesting. References please.
Re: (Score:2)
Yeah, sure. Turing is famous for his Turing machine model of computing. He had a full and robust life outside of the Enigma part of his life. The idea he never existed is ludicrous.
You need to critically review your evidentiary threshold for believing unlikely things and you need to be more critical about sources.
HTH