Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Communications Encryption Government Privacy

Questioning the Dispute Over Key Escrow 82

Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
This discussion has been archived. No new comments can be posted.

Questioning the Dispute Over Key Escrow

Comments Filter:
  • by Dutch Gun ( 899105 ) on Friday July 31, 2015 @06:51PM (#50227351)

    Client-side end-to-end encryption using perfect forward secrecy is the only thing we can "trust" now, sadly. Key escrow? Who gives a crap? Our government has destroyed all reasonable expectation of trust or privacy, and it's not like private corporations can't be compelled to cooperate. The problem is, it's not really feasible to vet source code for the vast majority of people, even for open source projects, since it's a highly specialized skill set. And how do we ensure that an update doesn't come along specifically to open up an exploit or a back door? Essentially, we're now in a position of trying to decide which projects we can trust with our privacy.

    I used to snicker at people who thought like this, maybe throwing in a "tinfoil hat" joke here and there. Damn... it's not quite at the level of CIA implanted brain bugs, or thought-controlling water additives, but the government is getting damn creepy with it's mass surveillance.

    • by Anonymous Coward

      ... former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow...

      So....what's his financial angle this time?

      He was the one who pawned the Full Body X-Ray machines [thenewamerican.com] that were eventually pushed onto prisons [slashdot.org].

      I would really like to get a job where I can do what did and does. How does one get those?

      Oh yeah, know the right people which is always the case.

    • We get old. We get smarter. We learn from our mistakes. Kids who haven't learned the same lessons yet are always ingrates when they disagree with you. It even happens to the best of us.

    • And how do we ensure that an update doesn't come along specifically to open up an exploit or a back door?

      It doesn't matter if it's intentional or not, the exploits are there. Even OpenBSD hasn't managed to keep remote exploits out of their system (although practically speaking, good luck breaking into an OpenBSD system).

      • by flink ( 18449 ) on Friday July 31, 2015 @09:16PM (#50227783)

        It doesn't matter if what you are using is exploitable or not. If a state agency is targeting you specifically, you are screwed no matter what. They will probably find a way to collect the information you want. However, using end-to-end encryption with well vetted tools will keep your communications out of these global dragnets the NSA and it's ilk have been running.

        You're not going to stop them from hacking your computer if they want to get in, but frankly you're not important enough, but it is worthwhile to keep your data from being swept up incidentally.

        • but frankly you're not important enough, but it is worthwhile to keep your data from being swept up incidentally.

          How do you know? There are important people on this forum.

          • The name of the game is "low hanging fruit". You want someone else to be the easy hack, and your stuff to be not worth the effort/time/money to hack.
    • I used to snicker at people who thought like this, maybe throwing in a "tinfoil hat" joke here and there. Damn... it's not quite at the level of CIA implanted brain bugs, or thought-controlling water additives, but the government is getting damn creepy with it's mass surveillance.

      What we know about CIA-implanted brain bugs and thought-controlling water additives is that this government would not hesitate to use either one if it were available to them.

      You can already manipulate people's mental states with water additives, and implanted "brain bugs" are only a matter of time — we're making more and more progress along those lines all the time. We don't have long to get this government under control...

    • by MacDork ( 560499 )

      Client-side end-to-end encryption using perfect forward secrecy is the only thing we can "trust" now, sadly.

      I believe that's only as secure as your PRNG. [wikipedia.org] So I would go one step further and say that statement only applies on systems built from free open source software. Microsoft, Apple, and Google could remotely install/remove whatever they want on your hardware, behind your back, without you knowing it. All three are known "friends of NSA" and the OP makes a very good point. Most of what is being discussed is theater, and it is theater designed to rebuild trust in these traitors.

    • by sjames ( 1099 )

      Sorry to be pedantic, but in this case it is important.

      We have every reasonable expectation of privacy and trust we ever had. Government has destroyed every confidence that it can be trusted to honor those reasonable expectations. It is working hard to undermine it's own legitimacy.

  • by ErikTheRed ( 162431 ) on Friday July 31, 2015 @07:00PM (#50227369) Homepage

    Going long on whoever the hell makes aluminum foil...

    • Going long on whoever the hell makes aluminum foil...

      Pro Tip: tin. You want tin foil. Too late, you've gone and blown your college fund on aluminum. We told you not to drink the fluoridated water. (and people pay [savingiceland.org] to put fluoride in water [wikipedia.org]?)

  • by Anonymous Coward

    Aren't you glad you voted for Obama? Such change he brought.

  • If the data or encryption key is out of your possession, you must assume it is public. If you want to secure your data, it must be encrypted before it leaves your computer. And if you want to trust your computer, you can't use a proprietary OS.

    Most people don't need that level of security... some convenience is worth the likely loss of privacy (to a point). I'm not going to worry about getting my cousin to use PGP in order to email about our family reunion. But if you are concerned about privacy, you have e

    • by Skapare ( 16644 )
      simple ... just use PGP for your government-takeover email and clear-text for everything else. ooh, how obvious".
  • So they can buy a fucking clue? No, there will be no "escrow" the administration you represent has continued a policy of spying on our communications. Therefore any suggestions, changes, or stupid fucking ideas that would compromise my data's security is off the table. Now as the former VP would say, go fuck yourself!

  • by Kaz Kylheku ( 1484 ) on Friday July 31, 2015 @07:24PM (#50227459) Homepage
    Why would criminals conform with laws that require them to use back-doored crypto, when they can deploy the real thing through their organizations, and leave the back-doored crap to the honest citizens? Criminals don't conform with laws (by definition!) and so they will use whatever crypto they see fit.
    • by Kjella ( 173770 )

      You would think a pair of gloves would render all the police fingerprinting useless, yet haphazard criminals are caught by it all the time. Like everyone else with limited resources, they either catch you because you're important or because you make it easy. Heck, I bet many criminals using computers don't even know what crypto is.

  • Understatement of the the century!

  • by tlambert ( 566799 ) on Friday July 31, 2015 @07:51PM (#50227535)

    Zero-days are not "back doors".

    Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.

    • Zero-days are not "back doors".

      Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.

      I think the implication of the story is that they are put in there intentionally, at least some of them.

    • Zero days can be used to install back doors. See "PRISM".

    • Zero-days are not "back doors".

      Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed asking me "Do you want fries with that?", rather than employed writing security sensitive software. In other words: your average bad programmer.

      Agreed about a 0-day flaw not necessarily being a "back-door".

      You're incorrect about flawed software necessarily being the output of a bad programmer. Even the best programmers make mistakes - it's not just the nature of software, it's the nature of security - "absolutely secure systems do not exist" (Shamir's First Law). Except may death - and even then it's not certain.

      Programming languages, development procedures, code auditing, and system architecture keep developing towards inherently better security.

    • by AHuxley ( 892839 )
      Re: "Unless the zero day flaw was put there intentionally, as back doors are put there intentionally, a zero day flaw is not a back door, it's just some incompetent who should be employed"
      The US and UK security services have noted that difference and can shape generations of code, funding, standards, trade and competition policy.
      An average company thats incompetent due to hardware and software limitations gets contracts, good press and friendly govs buy in for their own staff, education and clear standar
  • by Anonymous Coward

    Major US tech companies can NOT fight the full might of the US government. They are beholden to all those laws, secret or otherwise.

    That means one of two things is true. Either (1) those companies are no longer located or have any corporate assets or personnel in the United States, or (2) they are complicit in the NSA's spying. This holds true of all the major US tech companies. Apple, Facebook, Google, Cisco, whoever.

    It's fairly clear which of those is true, no?

  • by account_deleted ( 4530225 ) on Friday July 31, 2015 @08:07PM (#50227573)
    Comment removed based on user account deletion
    • Comment removed based on user account deletion
  • Think how much easier it is to target people if you have a system designed for the purpose. Exploits are most useful if they aren't used all the time. Every time they are used, you risk detection. Once the exploit is detected by enough "bad guys", you are put in the odd position of knowing that you are complicit in weakening the "good guys" security too and exposing them to risk from the "bad guys". By having a standard mechanism for truly legal requests, you can save the other *expensive* exploits for the
    • A conspiracy is when two or more people get together (conspire) to take advantage of one or more people. Conspiracies are the norm, not the exception.

      Conspiracy Theorist, as a phrase, was ironically (for you) deliberately created by the CIA as a means of discrediting people who had ideas about how they might be fucking us.

      • actually...No. "a secret plan by a group to do something unlawful or harmful." Key escrow is not (to my knowledge) a secret plan by a group. It's public. And I oppose the idea in case you try to lump me in with the people pushing the idea. I believe in strong open source encryption with lots of continuous audit. But for real secrets I wouldn't trust a computer.
        • actually...No. "a secret plan by a group to do something unlawful or harmful."

          You also have to know how to use the dictionary. You don't just pick the meaning you like, and then pretend all the other ones don't exist.

          1. the act of conspiring.
          2. an evil, unlawful, treacherous, or surreptitious plan formulated in secret by two or more persons; plot.
          3. a combination of persons for a secret, unlawful, or evil purpose:
          4. Law. an agreement by two or more persons to commit a crime, fraud, or other wrongful act.
          5. any concurrence in action; combination in bringing about a given result.

          You re

      • by KGIII ( 973947 )

        This is the second time you have stated this falsehood in as many days. Why lie? Wikipedia is available with a handy history section. The phrase was in use long before the 60s. Dishonesty does nothing but discount everything you say as utter trash.

  • Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?

    this. Yes absolutely. Googe knew everything about PRISM except possibly it's classified name, thus their straightfaced "we had not heard nor did you know about PRISM". Ditto every other Silicon Valley company. Do you thik Intel got to where it is while defying the US Government's request for backdoors into their products? Or do you think the government di

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...