Testifying before two Senate committees on Wednesday about the threat he says strong encryption presents to law enforcement, FBI Director James Comey didn’t so much propose a solution as wish for one.
Comey said he needs some way to read and listen to any communication for which he’s gotten a court order. Modern end-to-end encryption — increasingly common following the revelations of mass surveillance by NSA whistleblower Edward Snowden — doesn’t allow for that. Only the parties on either end can do the decoding.
Comey’s problem is the nearly universal agreement among cryptographers, technologists and security experts that there is no way to give the government access to encrypted communications without poking an exploitable hole that would put confidential data, as well as entities like banks and power grids, at risk.
But while speaking at Senate Judiciary and Senate Intelligence Committee hearings on Wednesday, Comey repeatedly refused to accept that as reality.
“A whole lot of good people have said it’s too hard … maybe that’s so,” he said to the Intelligence Committee. “But my reaction to that is: I’m not sure they’ve really tried.”
In a comment worthy of climate denialists, Comey told one senator: “Maybe the scientists are right. Ennnh, I’m not willing to give up on that yet.”
He described his inability to make a realistic proposal as the act of a humble public servant. “We’re trying to show humility to say we don’t know what would be best.”
Comey said American technologists are so brilliant that they surely could come up with a solution if properly incentivized.
Julian Sanchez, a senior fellow at the Cato Institute, was incredulous about Comey’s insistence that experts are wrong: “How does his head not explode from cognitive dissonance when he repeats he has no tech expertise, then insists everyone who does is wrong?” he tweeted during the hearing.
Prior to the committee hearings, a group of the world’s foremost cryptographers and scientists wrote a paper including complex technical analysis concluding that mandated backdoor keys for the government would only be dangerous for national security. This is the first time the group has gotten back together since 1997, the previous instance in which the FBI asked for a technical backdoor into communications.
But no experts were invited to testify, a fact that several intelligence committee members brought up, demanding a second hearing to hear from them.
Comey got little pushback from the panel, despite his lack of any formal plan and his denial of science. Sen. Martin Heinrich, D-N.M., thanked him for his display of “humility” in not presenting a solution, while Committee Chairman Richard Burr, R-N.C., said “I think you deserve a lot of credit for your restraint.”
Comey at one point briefly considered the possibility of a world not like the one he imagined, then concluded: “If that’s the case, then I think we’re stuck.”
(This post is from our blog: Unofficial Sources.)
Photo: Getty
My sympathies with Comey. But an urge came over me as I watched him on a TV (not mine) make his case : to yank out all the money from my pockets. On the back of each bill, 2, 1 and 1 – single dollars, a five dollar and a twenty dollar bill respectively, the works continued to read “In God We Trust.” And so we do. And should.
We should trust ( I am an unrepentant agnostic) that God’s word is true when it says: “Do unto others as you would have them do unto you.” So, armed with that knowledge, and being a nation “under one God”, we must have wished or hoped that others would do unto us as we did, and continue to do, unto them.
This is the same fool who said the church massacre in Charleston was not terrorism, even though the Justice Department at the time had an ongoing investigation as to whether or not it was, and even though Roof declared openly that he was trying to touch off a race war. How is the promulgation of an ethnic civil war by violent means not the very definition of terrorism? Oh, that’s right, I forgot. All terrorists are Muslim. My bad.
“Comey said he needs some way to read and listen to any communication for which he’s gotten a court order.” (From the article)
I don’t doubt that he would want to say that he has “needs”, but interestingly, such a ‘need’ isn’t really relevant I think can be argued, because, it is afaik not legal to torture people in order to have them talk when they don’t want to. So, to simply pretend that there has to be a “need” (think requirement) is nonsense and isn’t convincing to me at all, because if someone doesn’t want Comey to read and listen to any of their communication, there being a court order is irrelevant if people DIDN’t allow that (i.e no court order would help).
It just occurred to me, if he has a problem with inaccessible communication when it’s a question of upholding the law, I’d certainly hope he has a major problem with Hillary Clinton. And if he doesn’t, I don’t see why he’d expect that anyone should care what he thinks.
I think, they may, once again, be making fun of us.
the source paper being this one:
http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf
It seems we forgot too fast how such “experts” as Bruce Schneier who admitted he didn’t know about the scale of NSA technical abuses and Tim Berners-Lee, who saw the “possibility for abuse”, but “didn’t realize it would be so big” reacted to Snowden revelations.
Let’s not forget that encryption as hard as you may make it, has its fundamental weaknesses:
a) encryption is a syntactic device
b) text is not that random (which facilitates brute force corpora-based dictionary attacks)
Let me see (using as an example a hash sum):
$ _DT=$(date +%Y%m%d%H%M%S); _tmpfl00=$(mktemp “${_DT}”.XXXXXX); touch ${_tmpfl00}; ls -l ${_tmpfl00}; md5sum -b ${_tmpfl00}
-rw——- 1 knoppix knoppix 0 Jul 11 07:03 20150711070342.V4dnpR
d41d8cd98f00b204e9800998ecf8427e *20150711070342.V4dnpR
$ _DT=$(date +%Y%m%d%H%M%S); _tmpfl00=$(mktemp “${_DT}”.XXXXXX); touch ${_tmpfl00}; ls -l ${_tmpfl00}; md5sum -b ${_tmpfl00}
-rw——- 1 knoppix knoppix 0 Jul 11 07:03 20150711070346.YAQgvH
d41d8cd98f00b204e9800998ecf8427e *20150711070346.YAQgvH
Hmm! An empty file (of course) gives me always the same signature …
Now let’s put just one character there:
$ _DT=$(date +%Y%m%d%H%M%S); _tmpfl00=$(mktemp “${_DT}”.XXXXXX); touch ${_tmpfl00}; echo “a” > ${_tmpfl00}; ls -l ${_tmpfl00}; md5sum -b ${_tmpfl00}
-rw——- 1 knoppix knoppix 2 Jul 11 07:08 20150711070835.NlC9uz
60b725f10c9c85c70d97880dfe8191b3 *20150711070835.NlC9uz
$ _DT=$(date +%Y%m%d%H%M%S); _tmpfl00=$(mktemp “${_DT}”.XXXXXX); touch ${_tmpfl00}; echo “a” > ${_tmpfl00}; ls -l ${_tmpfl00}; md5sum -b ${_tmpfl00}
-rw——- 1 knoppix knoppix 2 Jul 11 07:08 20150711070845.KsZqM1
60b725f10c9c85c70d97880dfe8191b3 *20150711070845.KsZqM1
…
How many char are there in a language? Ach! Scratch that, we could consider text to be a stream of binary chars anyway (from which we have only 2^8=256)
Then we should consider the combinatorial space that chars allow in a NL text …
Now lets encrypt that file. How many options for passwords are possible? How many hash algorithms exist? …
Technical feasibility regarding storage and processing power to them is peanuts. Not long ago people thought such a beast as the NSA was impossible. Not long ago people would not find a job for a box with 128 Gb of RAM. Now we use such for play.
c) even if for semantic, impossible to predict reasons, textual information can be, -is- Zeitgeisted, which reduces NL texts’ randomness even more
d) most people use less than 2,000 words as part of their day-to-day vocabulary
Let’s not forget either that “there are many ways to skin a cat” and many people using encryption don’t do it right anyway
They also have their problems (let’s not even address their existential one ;-)) while dealing with their weaknesses. Among them they are police and politicians … who want, must “Collect it All”, “Process it All”, “Exploit it All”, “Partner it All”, “Sniff it All” ™ …
Satyagraha,
RCL
or they can exploit directly your OS
I wonder sometimes, when will they be able to process data faster than we (society at large) can produce it. That kind of real time ongoing monitoring, will bring us into a new age …
RCL
Except (with all due respect) your ‘example’ isn’t at all how modern strong crypto works. Any sufficiently strong cryptosystem can’t just be broken the way you’re suggesting. I’d (also) hope most people wouldn’t still think stuff like UNIX crypt was secure, for instance. Even md5 as a sum was a poor choice (weak hashing algo).
I do agree that most people completely f*ck up implementation, though.
Of course not.
I contrived my example to show how any kind of syntactic 1-1 encoding (data-its hash, clear-cypher text) could be exhaustively mapped, bypassing encryption altogether
RCL
You have no clue what you are talking about. You are just stringing techy-sounding words together.
Try a seed with your hash smart guy.
Second Useful Idiots’ comment.
Look up “diffusion” and “confusion” in the context of encryption.
So why even bother writing books, essays, etc. at all? All we have to do is randomly generate text until the works of Shakespeare come out.
I think you’re missing an important point which is that unless your encrypted messages consist of relatively few characters, it’s not practical to brute force in the way you describe. Take the average English-language paragraph and actually go calculate the number of possible combinations of ASCII characters that are in it and then get back to me.
Probably you are the one who should get back to me when you understand that language isn’t really about “combinations”
In fact, the English language has less than 2^16 formants. You have …
RCL
Okay, I have decided to task RCL with using John the Ripper (with Jumbo Pack) and a semi-reasonably sized 500mb dictionary, along with –rules, to try to decrypt something generated with gpg -c -a, on his laptop. -c being conventional (not even key-based, merely passphrase). I’ll even tell you how long the passphrase is, if you want.
I’m sure you can crack that in no time, RCL?
So the world’s largest criminal terrorist organization want’s to ensure that the other minor criminal terrorist organizations can get at every-one’s data.
Don’t get me wrong, I definitely sympathize with the problem of how to catch bad guys who manage to shield their wrongdoings. Yet this makes me wonder. How do you begin to set up an argument against someone when you’ve already won the argument to begin with?
BTW why is nobody else noticing that by focusing on how possible or not a backdoor, magical or not, is they’re making the HOW the debate instead of making the debate about whether they should have it in the first place? By indulging in THAT debate we are willingly acknowledging, on some level, that we agree that that debate even deserves merit to begin with.
As I said in a different comment, no matter what they regulate or require, short of criminal charges and outright outlawing of crypto that isn’t backdoored (totalitarian much?), they’re NOT going to stop people from encrypting things with things that aren’t backdoored. That’s clear because they already have much of the major encryption backdoored, weakened and/or exploitable.
Don’t people realise how slick this is? It’ll be encoding into law something that’s already done off the books to make it much easier to do for the majority of people who’d use crypto at all (but not those who have a clue). They could also pursue more cases they might otherwise not be able to pursue if they were willing to give up that they have backdoors.
Sorta similar to how the ‘Freedom Act’ made it all legal and dubious by (hey hey) handily pushing things out to third parties and requiring cooperation… and those third parties (by law) don’t require nearly the same level of legal singsong to turn over data.
Can we have that other debate, please? The one where they shouldn’t be able to have this debate?
Get out of here narc.
Hit the showers kid.
Aw yeah, I’m narqing on their strategy to get us to accept that their desire for these backdoors has any merit.
Your comment cracked me up. Thanks for the laugh.
let me paint the pig a picture he can dig, theres a door with a lock that can be picked or theres a brick wall
The problem is not so much that an encryption system which allows a 3rd party (court/police/telco/nsa/whoever) to also be able to decrypt the message. That sort of thing exists now. The problem is this simplistic description is not what they really want.
Things like key management are the issue. Is this key a master key that can only unlock the requested information or unlock all user information (past, present & future?)? What happens if this key is compromised and needs to be revoked (such a master key would be a prime target for spies)? Is there an audit trail for anyone using the key to be able to determine whether the key has been compromised? Who is able to access the audit trail and how is it monitored? Who gets access to the key, under what conditions, and how? If the key is able to unlock only the requested information, then someone will have to store a lot of different keys – how will this database be created, stored & secured? How do you implement all this without compromising the security of the underlying algorithms – including by timing and other side channel attacks?
Since Commey has not begun addressing what he actually wants and describe how he thinks it should work, it’s impossible to not only propose a solution, but also explain to him the many points of failure of his idea.
How does Julian Sanchez’s head not explode with cognitive dissonance dissing a politico for not being a technical expert and talking on technical subjects?
Did anyone here actually read the “complex technical analysis” in the paper? It’s actually mostly market feasibility arguments, not technical anything. The one truly technical difficulty in the thing was maintaining forward secrecy. The other arguments were based on the difficulty of international political arrangements of keeping a superkey, and on the notion that any such change would squelch the free and open innovation on the net, which if you live in proximity to San Francisco right now you might just be stunned hearing that such people think it still exists.
The reason Comey can talk the way he can is that it’s really true that nobody’s tried to actually provide a solution to his demands and the demands of his opponents simultaneously. On the other hand, since almost all encryption secrecy is at long last based on finding a computability difficult mathematical problem, and computability changes with different devices, it isn’t outrageous to believe that there’s actually such a solution based on devices that aren’t Turing. The only argument in the paper that seems to counter that is their statement that the problem is engineering not mathematics, by which they mean that such a solution can’t be rolled out, or that there simply isn’t any way to do encryption or decryption other than what their august selves have thought of so far.
Sorry. I really do believe in their expertise, I really do believe that people deserve ironclad encryption. I also believe in Blum, Cucker, Shub, and Smale, and that choosing the correct mathematical problem to base the encryption on would make the solution one of hardware, not software.
I know this isn’t exactly SOP but do you have a way we can talk away from here (with encryption)? I wanted to ask you something.
[Ah, but there’s also the rub.]
Maybe. Is it you who needs the encryption or are you offering it to me, or does the subject matter require it?
It’s just a conversation I don’t think either of us would want to have publicly. Though I suppose we can exchange public keys here and paste a couple GPG’ed messages in this thread if it’s tolerated (I wouldn’t be a fan, as that wouldn’t be ideal, but it would solve the endpoint issue — not like we have any good way to tell one another HOW to contact the other). It’s probably not that important, though, if you don’t want to bother. Thought you might want to compare notes.
I mostly need confidentiality, not real privacy, been thinking of how on earth we can possibly link up given the vagaries of the net.
keep working on that wheel
Pretty sure within 5 more years you’ll discover capital letters, smart guy. Keep us posted.
Ondelette, yeah that’s the problem I’m coming up against. . I just wanted to ask you something technical without necessarily revealing either of our experience levels to the ‘greater public’. It’ll do without asking, anyway. Thanks for replying. :)
Kind of ironic, though, isn’t it? Why I keep saying peoples’ chances of ever ‘rising up’ as some people like to say would be hard to actually pull off, especially online. Clearly the desire to communicate anything in private though must to some people signify plots to blow shit up, perform governmental overthrows, kill innocent patriotic children, or track people down instead of try to avoid getting them identified.
The easiest accusation of the untrustworthy is to call someone else a rodent.
Thanks for referencing that article, I didn’t see your last reply about Everything2. Not sure it’s the same thing. The millionaire’s net is the property of search engines to reward celebrity and create celebrity as a response to rewards. Therefore the net ends up generating virtual “income disparity”. I was musing on the possibility of simply reversing that by reversing how blogs and comments are done, reversing their roles and making the articles just a vehicle for linking so that the celebrity tended to reward the commenters instead of the blogger. It wasn’t a really well thought out idea, my better thought out ideas involve using P2P and changing how search works. The human brain uses endocannabinoids to stifle viral activity so maybe all the net needs to end the “income disparity” is a form of digital marijuana.
Actually, some patriotic cryptographers tried _very_ hard to come up with a solution to this problem in the late nineties: key escrow. Ultimately it failed not because it wouldn’t have worked to give the government access, but precisely for the reason that the cryptographers you’re referring to said: there’s no way to keep it secure. Not being able to intercept some communications could be inconvenient, but not being able to do ecommerce anymore would be very, very inconvenient. It would make 2008 look like a small dip in the market.
Bear in mind that the government that’s supposed to protect these keys is the same government that was unable to protect the private information of all of the government employees and contractors who have gotten security clearances. All of that information is in the hands of some group of black hat hackers. This is the government you want to put in charge of maintaining the security of their back door to the entire global ecommerce system?
If Comey gets his way, I’ll have to stop telecommuting and move to California. That’s how serious this is. It’s unfortunate that so many people are so ignorant about crypto and about exploits that they think that reasoning like that which you just used is actually plausible. If you really think it’s possible to do what you say, go do it, and show us the result. If we can’t crack it, then you can school the rest of us on crypto. Until then, I would suggest that you may be suffering from the Dunning-Kreuger effect.
I must confess, I had to look up the Dunning-Kreuger effect. Yuppers.
Do you know what the BSS machine is, or are you just blathering? Because if you know what it is, your answer is very damned far off the mark. It’s quite possible that no solution exists to build such a machine in full, but it really is true that there are problems solvable over the reals that aren’t solvable over the integers, making a machine that solves them not Turing. If you have proof that no such machine can be built, fine, I’m all ears. But I said nothing about building uncrackable codes that have never been built, nor about escrowing keys. There’s a reason I didn’t. See if you can figure it out.
OOC how far off from quantum crypto do you believe we are?
They have, as far as we know, one device that does one kind of quantum operation at a huge cost that many of the quantum logic people don’t think is real quantum computing. Nevertheless, one of the things it does is solutions to systems of differential equations natively. So it probably is an example of computing over the reals.
There are other possibilities, of course, especially optical and fluid. It’s not crypto, but an example is that a 2D Fourier transform computes (using the FFT) at O((NlogN)^2). But an optical 2D Fourier transform computes at constant speed, and that speed is quite high — a few femtoseconds for the whole transform.
As a math person, I grate when I hear this kind of argument — “A lot of very brilliant minds looked at the problem and couldn’t solve it” — as an argument that something can’t be done. Maybe it can’t. But I also remember a professor of mine, a really brilliant mind, opine that perhaps Fermat’s Last Theorem was one of the statements with no proof predicted by Godel’s theorem. Ten years later is was proven, after a whole slew of maximally bright minds threw themselves against it for nearly 400 years.
All I’m saying is that the ridicule of Comey’s attitude isn’t warranted. Not passing judgment on how hard it would be or whether it should be done at all. But I can think of ten things that those particular bright minds who wrote the paper didn’t consider before breakfast, and so can a lot of people. Will they work? Who knows. But until those two guys at Mickeysoft showed the flaw in NIST’s elliptic curve algorithm, people thought it couldn’t be broken without “multiple universes of time and computers” to paraphase another commenter.
thank you, antikythera, for being a voice of reason
Reason, when the subject is mathematics, comes in the form of proofs, not in the form of “some really smart guys couldn’t solve it.”
No one should provide a solution to his demands, whether a physical technological solution is possible or not. His demands are the demands of a dictatorship. There is absolutely no reason to attempt to accede to such appalling breaches of basic human rights. There is no “national security” in a society where everybody is insecure about their personal effects, communications, thoughts and correspondences.
That wasn’t the premise of the article. The premise was that it was ridiculous for him to claim that his demands could be met without weakening encryption. I’m just saying, that isn’t as ridiculous as it seems on technical grounds. Whether there are other reasons for not acceding to the demands is irrelevant to that argument, however worthy it might be to another one.
@ondelette
It doesn’t require technical expertise to outlaw math. Outlawing open source software is not a mathematical problem.
This isn’t about bright minds solving mathematical problems, this is about making math and software illegal. This is about restricting speech. The technical arguments about a solution to a problem are distraction. An embarrassingly thin distraction. And a fundamentally dishonest one.
This isn’t about key escrow or engineering, or even really about encryption.
This is about making software and math illegal. This is about taking software and math out of the realm of speech–or to speak closer to the truth–This is about a new radical and expansive power of the government to restrict and punish speech well beyond current jurisprudence and constitutional understanding.
As a mathematician who has found it increasingly difficult to keep working on a couple of problems that don’t tickle the imagination of the PTB, I know exactly what someone trying to make a mathematics illegal feels like. But some kinds of mathematics are very like tantric Buddhism — working on increasingly detailed and complex mental pictures leading to a sort of enlightenment as the proof comes into view. They haven’t outlawed tantra in thousands of years of trying, I don’t think they will succeed in outlawing mathematics. Wherever one can scratch a sketch, even dissident mathematics can proceed. As the saying goes, “Mathematics is done in the quiet of one’s mind.” There’s really no problem with ashes in the hair and living in the graveyard if the mind is quiet. In that case, it’s the ultimate form of dissent.
Now what were you saying about encryption?
I hope you don’t mind if no one hangs their hat on your opinion that “I don’t think they will succeed in outlawing mathematics.”
I noticed that you went out of your way not to mention software. Why was that?
Just so I can get some clarity out of your post, when you say they won’t succeed in outlawing mathematics, you are saying that you don’t think the dream of outlawing encryption will succeed. It that correct?
Maybe you are arguing that they can’t outlaw encryption because people can do it in their heads. Which I guess would also apply to gay marriage.
I’m not going to say anything to pass judgment on ondelette or the wavelet’s intentions. I can tell he/she is actually quite smart, and I can tell exactly where he/she is going with this. I actually have a hard time disagreeing with where I believe he/she is going with this technically (ie, “solution-wise”), because I can see it in my own head, and that’s NOWHERE any of us wants to be living — and that partially involves ‘good enough’ backdoors. But again, I resent the idea that any backdoor should exist at all in a ‘free society’. If you want to say that you don’t want to live in a free society, though, then I can’t entirely fault your thinking. I know you’re thinking hardware. It’s what I’d think (and I’ve said as much elsewhere). Of course the way I’m thinking (and you’re probably thinking) wouldn’t enable massive decryption over the wire — it’d require physical access. But correct me if I’m wrong. Either way, I find it loathsome.
As to your other points, ondelette, you’re talking about pure maths. I agree they can be beautiful. Indeed most music, chess, life itself, revolve around maths. But the minute you start confusing the outlawing of pure maths with the legalisation of applying applied maths to create totalitarian solutions you’re showing you’re really rooting for the other side, the way I see things. But if I’m wrong, correct me. It just looks to me like you’re attempting to distract from the real debate by trying to avoid the *ethics* of it all. To say science or maths require no ethics is to imply that humans can be trusted to practice ethics without thinking. I have yet to see a single case where that doesn’t go totally wrong, often in unintended ways.
It’s not like there’s a surfeit of caves for us all to live in, too. But if we all did start moving into them, chances are we’d probably get a rather unwelcome response.
And I’m not sure we should be the Cinderellas in this story.
If you want to explain why you do think this is ethical, though, I am all ears. I’ll certainly debate you on it, anyway. But it’s honestly nobody’s business how I think, what I write, what I’m interested in, or indeed how good I am on any subject. It’s certainly not the government’s business to know who, for instance, I care about or find interesting. Why do you believe it is any of those things? How can you say a backdoor as anything other than a tool, and those who’d submit to creating it anything other than traitorous?
@thelastnamechosen:
To be quite honest, I found your previous post to be quite difficult to understand, I went over it several times and decided that you thought software and mathematics were in danger of being outlawed, in a move that resembled encroachment on free speech. You said,
I’m very aware of how people try to make some ideas illegal. A bunch of us once spent weeks freeing a colleague who’d been essentially put under house arrest for the knowledge in his mind. But that doesn’t work for very long. I attempted to answer your idea, therefore, by telling you that the kind of mathematics I do, and the kind a lot of people like me do, is very very difficult to crush, even if someone tried to make it illegal, they would fail.
Make software illegal? Do you mean the way they made De-CSS illegal? What happened? They printed the code on teeshirts. It doesn’t work, either. So on the one hand, you have people who’s minds can continue to do any mathematics they try to ban, and on the other hand, you have methods of disseminating software that can’t be banned because they can be turned into speech.
I don’t really care whether anyone hangs their hat on what I said.
As for encryption, it’s been around for a few thousand years, and they’ve never really been able to ban it. Once again, I wouldn’t worry. I put an encrypted message into something I wrote here, for my own reasons. Nobody noticed. Because you expect the encryption to take some other form. With that going on, how do you seriously think people can ban it?
@Useful Idiots:
Where I was going is not to build any backdoors at all, just probably create a class of encryption schemes that may be made as difficult as possible on digital computers, and then use some non-digital computer for which those rules don’t apply. That effectively solves the Comey problem, showing that he isn’t an idiot for saying nobody had tried, because at least the authors of that paper really hadn’t tried.
And that puts the whole debate back in the arena where it really should be decided: human behavior. Having moved it back there, it’s once more in the realm of the 4th Amendment, the law, and what we do and don’t want the government, or the people, or the corporations, or whomever to do. You find the technological consideration of Comey’s problem abhorrent. I find the fact that people thought they could find a technological means of limiting the government equally abhorrent, when governments should be limited by the consent of the governed. Personally, I don’t want the world relying on the good graces of an encryption algorithm to enforce their freedoms. They should enforce those freedoms the old fashioned way, by demanding that those who would threaten them obey social constraints.
And yes, maybe that is because when I see an interesting problem, I’d like to be allowed to think about it and maybe solve it without having to worry that my solution will be used to create some kind of evil by someone who doesn’t believe they should be beholden to the society they live in. I don’t mind saying, because I already once said it on a comment column way back when, that I began my career by refusing the slide-right-in tech job my research had groomed for me when I finished my degree because I didn’t want to work on how to do something that had already been banned by international law. Now many years later, I feel like I don’t want to do that refuse thing again. Evil schemes should be kept in check and freedoms should be won by good governance, not by expecting others to not discover things so someone won’t blow up the world. What I refused to discover was discovered later by someone else doing something else, anyway.
Wasn’t that what the Declaration said? Securing freedoms is the reason “governments are instituted among men deriving their just powers from the consent of the governed.” At long last, securing freedoms shouldn’t be about not letting me think of a solution to Comey’s problem. Securing freedoms is the job of the entity that Comey works for, according to its charter, and he, and everyone else working there should do that job.
@ondelette
Your confusion comes not from a lack of understanding, but from the positions you hold. I think if you were less embarrassed of your own positions, this conversation would be a lot easier for you.
First, I am going to state the super obvious. Banning some software is not banning all software. But you knew that.
Second, the government’s “magic back door” means nothing without the force of law. Nobody is going to volunteer to use this. But you knew that.
Third, your argument that the government can’t make things illegal because people can still break the law is shit stupid. But you knew that. Making pot illegal didn’t work either–except for all those people in jail. But you knew that.
Outlawing encryption is outlawing math and software. But you knew that.
And your rant below that the government should only be legally constrained, not technically constrained–is not only nuts–but a terrible argument.
Even for you ondelette, all of this is extraordinarily stupid. And you still continue to be effortlessly full of shit.
What did Jonathan Gruber say about the stupidity of the American voter and the best way to manipulate them?
@lastnamechosen:
So this is not about making coherent statements about what I was talking about, this is about telling me I’m full of shit?
For the record, I said zilch about backdoors, except to say that there are solutions to the Comey problem that don’t involve them. I didn’t talk at all about banning all software. I said there have been bans on software before, and mentioned some of them, and they’ve failed, there have been bans on encryption before and they’ve failed, and there cannot be a ban on mathematics.
What I found strange about Jenna McLaughlin’s piece was that she thought a dozen guys who have worked together all their careers, have a vested interest in people continuing to use their stuff, and who all have connections to a single privacy group writing what amounts to a pretty non-technical white paper was equivalent to the global scientific consensus on climate change. I find that laughable.
My “rant” on government being constrained is straight out of the Declaration of Independence, so much so that I quoted it. So tell those guys your argument that it’s “extraordinarily stupid.” Those are, after all, the same people who actually wrote the 4th Amendment. I expressed the desire, after all these years, that people who put political wrangling over everything else would get their shit together and regulate their own behavior instead of those of us who create ideas having to worry all the time about not thinking about the wrong thing. It’s just a desire, I know damned well it isn’t going to come to pass. But it should.
You, on the other hand, are telling me that my problem is that I think about the wrong things. You’re part of the problem.
And yet you’re not really seeing that in some cases it is, thelastnamechosen… To wit: http://www.theage.com.au/it-pro/security-it/dangerous-minds-are-maths-teachers-australias-newest-threat-20150608-ghira9.html
@ondelette
Lets’ see if I can get you to answer just a couple questions here. You have said so little using so much text, I just want to see if I can tease just a bit of actual information out of you. You really shouldn’t be so shy about your beliefs, if for no other reason that they will never be sharpened. Say the things you want to say out loud.
1) The government’s “magic back door” means nothing without the force of law. Nobody is going to volunteer to use this. Agree or disagree?
2) If this is voluntary, what is stopping someone from giving the government a back door today? What advances in technology, software or quantum computing need to happen for someone to voluntarily give the government a back door today? Think about this one ondelette, why does the government need some new magic technology for someone to volunteer to give them a back door?
3) Please answer number two. Especially explaining why some technology, that is yet to be invented, is required for someone to voluntarily give information to the government, and explain what external force is stopping a company or anyone else from voluntarily giving the government whatever information the government wants.
4) Answer number 2.
5) Seriously, I’m going to need an answer to number 2.
—–
“I find the fact that people thought they could find a technological means of limiting the government equally abhorrent, when governments should be limited by the consent of the governed. Personally, I don’t want the world relying on the good graces of an encryption algorithm to enforce their freedoms. They should enforce those freedoms the old fashioned way, by demanding that those who would threaten them obey social constraints.”
This was really stupid to begin with. To attribute this thinking to the Declaration of Independence and the 4th amendment is delusional.
You do get two points for that ‘real men wipe their ass with a pinecone despite the existence of Charmin Ultra Soft’ attitude that makes this country great.
ondelette, I put my reply to you and lastnamechosen under lastnamechosen’s message.
Can I ask what those couple of projects are? Or would that be too identifying? (Our world is fairly small, no doubt about that)
I’d rather not say. Because of their lack of popularity they’re pretty identifying.
I assumed as much. It’s one of the reasons I wanted a quick encrypted exchange. Something you said in the XKS story had me thinking we might have other similar interests.
Sorry, I responded on the other thread by mistake. Encryption takes many forms, maybe it’s already been sent.
Touche.
“Humiliation & restraint…?”
It sounds more like the Senators were discussing some private after-hours-preferences — with Phoebe’s cabana boy.
PGP encryption is essentially uncrackable, Phil Zimmermann did a great service to the world in inventing it. He is obviously a very gifted cryptographer/programmer. His views on privacy motivated him to invent PGP.
The real question is not whether possible to invent technology that would allow government to securely access all communications, but whether there is a sufficiently gifted and motivated person anywhere in the world willing to work on the problem.
Perhaps the CIA should ask Phil for help on this… Methinks he would say “NO”
Phil would definitely say “No” to Jimbo here as Phil is currently working on a new protocal for e-mail that would completely encrypt the entire e-mail chain (currently the Header, to from, subject is not encrypted in PGP/GPG) and close the meta data gap that currently exists for encrypted e-mail.
” the Header, to from, subject”
I can buy the subject — because the subject shouldn’t even be related to a PGP’ed email; that’s plain bad opsec, and it’s better to protect people from being ridiculous (tho it won’t stop people from putting the password in the name of a pgp’ed attachment, lawdie help em) — but to and from get very tricky (you can probably mangle it but it won’t be unbreakable, and it certainly shouldn’t be part of the message/DATA portion) if not impossible (correlation wouldn’t be that difficult), and I can’t for the life of me see how the header can be encrypted at all short of completely and totally overhauling the way every single system does SMTP — the header is dynamic and related to (and inseparable from) how messages are routed.
I can, however, see an alternative to SMTP — but without wide adoption you’re just creating another system that’s easily monitored in a different way.
wtf are you talking about password in an email header? with PKI you use the recipients public key to encrypt, not your private key. even if you sent your private key password in an email headr it would have nothing to do with decrypting the message.
Dude, what in the world are you talking about?
Clearly you’ve never seen someone use a PGP attachment or encrypt a document and then say ‘the password is blah blah’ in the email subject line OR AS PART OF THE FILE NAME.
That tells me you aren’t quite as experienced in ‘how stupid people can be’ as you might believe you are.
(Yes, I’m implying some people use non-key-based encryption. And I’m not only talking about PGP/GPG with conventional pass; zip files, pdf files, etc often have people doing the same dumb stuff). But let’s put aside ‘stupid people tricks': Noone should have an attachment that’s PGP’ed and say what the attachment is regarding in the subject line. Do you disagree with that? If so, why?
We already have a safe that can not be unlocked even with a Judge’s order, it is our mind. Governments have not had a master key or backdoor key to our minds since the beginning of time and we as a species have still managed to survive and multiple.
We’re getting closer and closer to that not being the case though. If you look at the science (it’s already pretty advanced) and the funding and DARPA’s history of interest in the subject, it won’t be long, now — it’s just not perfected yet, nor is it possible yet without sophisticated, wired equipment. That and the adoption gap are really all that stands between now and your statement being no longer true. I’m sort of in favour of not letting it progress to that stage.
If only we could find a ready pool of test subjects to work out the kinks..
Those are called ‘university students’ and they have been paid to be the knowing participants in studies for decades. Your attempt at clever insinuation is disingenuous because it implies a need for resistance — plenty of people have no problem with getting pizza money for sitting still for little while doing thought exercises and looking at pictures while their brains are being imaged.
If only we could find a ready pool of Gitmo Prisoners (university students) to work out the kinks. The American Psychological Association: Doing special things to special people inn special places…
But see, that’d be more the second phase. The tech isn’t there yet. There’s always gonna be some version of a Gitmo for those sorts of experiments. Sometimes the people experimented on are whole countries (see: the history of 20th century economics) or political structures and politicians they deem not cooperative enough (http://opinionator.blogs.nytimes.com/2015/02/13/a-military-manual-for-nonviolent-war/). Other times it’s merely stuff like Gitmo and Tuskegee, because we all know they’re not like ‘us’.
But to put things on topic, it turns out that passphrases actually can be narrowed down, in theory, by spotting millisecond to microsecond differences in response while processing words or characters in said passphrase when read on a screen or a page versus ones which aren’t in the passphrase. Or something like that. I don’t have the reference handy, but I’m sure you can find it if you search hard enough — I believe this was researched something like 5 years ago.
Thomas Moore was killed, not because of what he did or said but because of his ideas, thoughts
But apparently criminal judges and “security” system abounding with literal crypto-fascists, can find you in contempt of court for refusing to release the contents of your mind. They tried to do so in the case of James Risen, and I’m sure in numerous other cases as well. They only reason they stopped with Risen because the backlash would have proven too intense at the time for Obama’s relatively new-to-the-job inquisition.
Refusing to give up your passphrases/keys is already against the law in the UK, for instance.
I understand that science and religion think different but technology? A holy cow is a holy cow… is a dead cow.
It’s clear that Comey needs a remedial, 5th grade primer in math… He also needs someone at his office OR in the committee room where the hearings are being held to clean out his ears REAL GOOD… IF some combo of those two remedies don’t do the trick, toss him out a window.
There’s no way someone that stupid can hold the FBI Directors position…
Never mind math. He need to be put in prison for treason.
Never mind math. He need stop be imprisoned for treason.
This debate should not be a debate about technology or mathematical possibility. What Comey is demanding is the undermining of a free society, in which ideas are freely disseminated, in public or in private, as the parties to that dissemination wish.
This.
This is the guy that said the people in Poland(Auschwitz) were NAZI’s. He brings stupid to a whole other level.
Physicist’s cannot deny ‘Dark Matter’ or ‘Dark Energy’ even though it throws many of the age old answers physicists have up in the air, and Comey and company are no fricking different! You cannot have yes and no at the same time without peer review of the facts!
An entirely inappropriate comparison. In science, we realize that because current knowledge is inherently incomplete, our current understanding is only an approximation of the truth. As our horizons expand, new information is acquired and our understanding is altered accordingly. For instances, classical physics dealt with the world at macroscopic scales and in low velocity regimes. Pushing to the microscopic level revealed the limitations of Newtonian science, which was then subsumed by quantum mechanics. Pushing to high velocity regimes revealed inconsistencies with classical science, leading to the special theory of relativity. Comey and company *are* different; their brains are wired to think in terms of dogma and fanciful systems such as the legal system, in which truth is what you define it to be, independent of ordinary reality. People thus inclined tend to be dismissive of the scientific process, and to hold the notion that if you wish hard enough for something to be true, it will become so. Like GW Bush and the WMDs in Iraq.
That’s it. Even Perry Mason knows, “In engineering, there is no bluffing.”
In a comment worthy of climate denialists, Comey told one senator…
I’m curious as to why the author is flaunting her hysterical, sky-is-falling beliefs in an article that has nothing to do with the subject. It’s completely gratuitous and reduces her credibility as an unbiased writer.
Could you give your definition of “an unbiased writer” and why you think that is the be all to end all — preferably without being hysterical about it, of course?
Here are a few words from Jay Rosen on that subject:
________________________________________________
DiA: Should journalists strive to be neutral, disinterested observers?
Mr Rosen: This is complicated. I do not think journalists should “join the team”. They bridle at that, for good reason. Power-seeking and truth-seeking are different behaviours, and this is how we distinguish politics from journalism. I think it does take a certain detachment from your own preferences and assumptions to be a good reporter. The difficulty is that neutrality has its limits. Taken too far, it undermines the very project in which a serious journalist is engaged.
Suppose the forces that want to convince Americans that Barack Obama is a Muslim or wasn’t born in the United States start winning, and more and more people believe it. This is a defeat for journalism—in fact, for verification itself. Neutrality and objectivity carry no instructions for how to react to something like that. They aren’t “wrong”, they’re just limited. The American press does not know what to do when neutrality, objectivity, balance and “report both sides” reach their natural limits. And so journalists tend to deny that there are such limits. But with this denial they’ve violated the code of the truth-teller because these limits are real. See the problem?
Seven Questions for Jay Rosen
The comparison was not to believers in anthropogenic global warming, as you seem to think, but to the fantasy of climate denialism, which holds that science is false when it is inconvenient. If you can’t follow that, read the article again.
Somehow I don’t think rereading the article will help JdL.
Hmm, says me as I scan the article, why didn’t Comey suggest that the “scientists” just need to be paid more, and then they will come over to his magical point of view.
wait for it…
“Comey said American technologists are so brilliant that they surely could come up with a solution if properly incentivized.”
boom!
Cheers, Baldie, but ‘incentivizing’ doesn’t have to be money, and often (when it comes to ‘justice’ and ‘politics’) it isn’t; here’s a better idea of how they’d incentivize: Propose a law that is really ostentatiously Orwellian (like Clipper back in the 90s, but way worse, and not just because of how tech has infiltrated every area of our lives). Push hard for it. Opponents will be against it but in an effort not to have the worst possible ‘solution’ they find something less secure than secure but “more secure” and “less Orwellian”. It’s not like Comey or the government needs a consensus; there is no vote among techies, and nobody’s in a union swearing their lives not to contribute to preventing this. There are lots of techies out there and ‘spine’ isn’t something most people are good at. ‘Compromise’ often sounds better than it should to some people, especially the young. Someone will write it, even though it’s bad, and someone will adopt it. But of course whoever comes up with such a bogus solution will probably also get paid, especially in governmental favour, too.
I don’t see “incentives” in there anywhere, but I do agree that the logic of compromise dictates that we will end up with a solution nobody is happy with.
Sorry, I’ve been under the weather the past few days; it’s definitely affected my ability to communicate. I should’ve been clearer.
The incentives come in the way of influence, opportunity, career growth, and a path laid out for wealth not only in the immediate sense. A lot of the early cyber (ugh) companies succeeded precisely due to these connections. A lot of the newer ones do as well.
But the incentives also come in the way of not losing more (that is, turning the carrot/stick on its head) — which is to say, the carrot offer isn’t so much a carrot as it is not getting hit with a bigger stick: Come up with a way to make this acceptable to you, or we’ll do this thing, which is worse than what you’d come up with — a ‘compromise’ where one side (the gov) isn’t willing to budge and the only movement is for the other party to come closer to the government’s side. As an incentive for helping us, we’ll only chop off two of your limbs instead of all four.
I see. Yes, that seems to be a common approach. In the light of day, however, contractors perform if they are awarded the right kind of contract. Unless these are actual govt employees, which I doubt.
In a true representative republic (cough), where do you believe the raw idea of ‘required crypto backdooring’ needs to actually be debated?
Shouldn’t the people themselves have a say? I mean, if it’s good enough for legalising marijuana and gay marriage, surely it deserves a popular vote before the ‘how’ even gets the floor…?
And when I say ‘the people’ I don’t just mean Americans.
I don’t think I put the above comment where I meant to put it.
I’m curious what can be done if it only takes a handful of people to make something? Most people are vulnerable to threats or enticements. That’s one reason I have so little hope for this not winding up going (at least to some extent) the way they want this to go. It seems to me the only way to stop this is to prevent it on a policy level — which is to say not only make it not part of the law to add backdoors, but make it part of the law to make backdoors (especially coerced backdoors) illegal — or at least *non-transparent* ones. This implies actual choice. And it shouldn’t incur wrath to refuse to use that version nor scrutiny merely for using another encryption program.
But doing that implies more of a ‘free society’ than we really ever had any expectation of having (at least for a long time now), doesn’t it? Can we ever expect that?
(The other issue being, as I said elsewhere, that they *are* slowly racking up backdoors in most of the most-used encryption programs — on some level I don’t think this is about getting access, it’s about making the access ‘legal’ and codified — and useable in more cases (as opposed to having to handpick the cases they use such backdoors on for ones they can best construct parallelly, keep quiet, use nominally to find out how best to dangle informants, or otherwise generally use mostly for intelligence-gathering (not what could wind up potentially being most day-to-day investigations)). Remember, it’s the FBI that wants this. Not just the NSA.
Technology aside for the moment, consider the way the issue is continuously framed: on one side you have criminals, foreign agents, etc., on the other side you have the your government.
Supposedly, the government deserves access to your communications because the government is virtuous, and is acting in your best interests. This is an enormous fiction. Your own government is ever and always the chief threat to your life, liberty, and property. Thus, even if it was technically possible to provide encryption that could be decoded by just you, the recipient of the communications, and the government, agreeing to such a solution would be idiotic.
You started off well. I thought you were going to say that the true framework is “terrrists” on one side and the people of the US on the other. But instead you wandered off into libertarian fantasyland.
Just because the government is indeed a bigger threat than terrorism, which is such a tiny threat as to be almost nonexistent, doesn’t mean that government is the “chief” threat. Liberty, perhaps, especially if you include levels of government waaaay below the level at which Comey operates. But the greatest threat to your life is car accidents, and the greatest threat to your property is other people (entities) with property.
I’ve been wondering how far we could get making a joke campaign to ban the length of outdoor ladders. Or bathtubs. Or stairways without intermittent landings.
I bet we’d get pretty far.
Consider, for the moment, the history of the 20th Century. Speaking in rough terms, 200 million people were murdered by their own governments. Another 100 million were killed by foreign governments. In comparison, automobile accidents constitute statistical noise. Some libertarian fantasy.
As far as “greatest threat to your property is other people (entities) with property”, consider that roughly half of everyone’s income is directly consumed by government in taxes. It is true that much that money goes to other people with property. How could those other people extract that income without the government? On top of taxation, people of wealth use the government to impose other forms of rent and oppression(e.g., intellectual property laws, drug laws, licensing laws, etc.).
It is certainly true that at least one of us is living in fantasy land.
I guess it depends which government you’re talking about. I didn’t realize we were resurrecting Stalin. (I hear his raised corpse is popular at frat parties.)
Yes, one of us is living in fantasyland, and it’s the guy who believes that “roughly half of everyone’s income is directly consumed by government in taxes.” I swear, I can spot you people a mile away.
The government is comprised precisely of criminals and foreign agents “etc”. Comey is a chief among them, as his utterly appalling demands demonstrate.
Maybe they can just require everyone to share their private key with the government. I know, the Office of Personnel Management can safeguard the registry.
Eventually? Probably just be built into a National Identity Card as a chip and pin system — any crypto not using this would be illegal, or at a minimum get you investigated.
Too dystopian?
I couldn’t make better snark than that if I were hired to do so. The Senator and the Committee Chairman should have been backed up by this:
Rim Shot!
Why is Comey, unprepared to support his case with solutions and unknowledgeable on the subject of encryption, willing to make a fool of himself in front of a bunch of vanilla congressmen? Why? Someone above him – and I am not referring to the W.H. – has got to be pushing this.
“O Ship Of State”, you are slipping beneath the darkness with body bound and muzzle placed and fixed by the mighty few. This is your vessel no more. Breath free no more. Hushed for evermore.
It’s not possible. If a company like Google can produce a key that the FBI can use, they can produce a key that anyone, including themselves, can use. That’s way less secure than asymmetric encryption.
Marcy Wheeler, Christopher Soghoian and a few others on twitter were well worth following today on this.
Re: I hate the phrase, “If you outlaw guns only the outlaws will have guns,” but it does kind of apply here. — Carl Weetabix
Re: the later undoubtedly will introduce terminal flaws in the algorithms and of course if the government has a key, what stops it from being stolen? — Carl Weetabix
The answer was (paraphrasing) “Um, no.”
Also, at one point, Comey admitted that his own personal data was stolen during the OPM data heist. So…..
One question for Comey might be what he/they would do about preexisting cryptosystems and code without backdoors. Does that become ‘illegal’? It’s not like you can get rid of something that’s out there (shades of people printing out crypto code to bypass laws in the 90s).
Which leads into the next question: monitoring and oversight. Just make anything not immediately decryptable over the wire flagged communications and sniff all traffic at a DHS level (or ‘just’ report atypical traffic and anomalies to DHS by NSA?)?
Selectively go after the people you want to go after who’d *still* not use the backdoored crypto you’d want them to use, even if they’re doing nothing else wrong, because you can’t prove they aren’t and you wouldn’t want to even if you could — the use of the crypto itself would be doing something ‘bad’, just like how they go after alternate payment mechanisms they cannot monitor and regulate?
This isn’t even a difficult problem to understand. It’s impossible for Comey not to know the reasons a system like he suggests cannot exist which makes his comments even scarier. It is a complete disregard for national security for short term gain.
But look at the career gains he’d make, the favours he’d be granted.
Why not an imaginary solution? After all, it’s an imaginary dilemma.
If I wrote all my correspondence in lemon juice, would he insist the FBI needs a “back door” way to bake all mail?
As long as we pay for it with imaginary money …
In the USA, our founding fathers fully intended citizens to have a private zone that is “going dark” for the government. The 4th amendment prevents the government from intruding into our private zone without a warrant. And if backdoors are put into the encryption then anyone (a rogue element in the government or a criminal hacker) can potentially get access to a person’s private information. The juice isn’t worth the squeeze on this one. Hopefully, Comey’s pleas to Congress will fall on deaf ears.
I’m not sure he’s intentionally or accidentally being obtuse. Either are scary. There are two options here, make the encryption weak enough that only the government can supposedly break it or make it so it has a backdoor key that only the government knows. The former has worked *really* well for things like RC4 (sarcasm intended), the later undoubtedly will introduce terminal flaws in the algorithms and of course if the government has a key, what stops it from being stolen? Yes, there are probably fancier tricks that can be done, but ultimately if anyone except the persons intended to be involved in the transmission can listen in, whatever that technology is is ripe to be stolen or reverse engineered.
I hate the phrase, “If you outlaw guns only the outlaws will have guns,” but it does kind of apply here. Only the innocent will use government sanctioned encryption, the bad guys will use something better.
Then of course there is retrofitting the entire Internet to use an encryption they have no interest to…
Just repeat after me, “We live in a free country, we live in a free country,” because it’s about the only way you’ll convince yourself these days.
Comey has no experience with, no knowledge or concept of the technologies he is apparently in charge of. His main qualifications involve being a conservative white man and longtime DOJ lapdog.
My late conspiracy-theorist mother would have come up with a third option: This is all a show. Corney’s just trying to make it look as if the government is worried about the cryptography solutions that are currently in use. Eventually, in the face of expert knowledge and common sense, he’ll back down, still muttering about the dangers that encrypted communications pose to our security.
Why would he risk ridicule to do this? Let’s say the NSA has recently made a mathematical breakthrough, a new algorithm for rapidly factoring large integers. What better way to conceal the fact that encrypted communications are no longer secure than to temporarily revive the Crypto Wars?
I suspect that is at least partially true, but it’s hard to say to what extent, or for how long. But that works well for them too.
PGP does provide for an alternate decryption key. but, as pointed out by the essay on The Register earlier ( http://www.theregister.co.uk/2015/07/08/security_giants_publish_paper_destroying_government_encryption_plans/ ) there is no reason to believe we can trust the government with any ADKs. they can’t even keep Forms `1040 secure or SF-68s, either
PGP stands for Pretty Good Privacy. Not strong encryption. Use at your peril, or to force the NSA to go through the effort of decrypting your messages instead of just reading the clear text.
Is there some reason you’re deliberately attempting to cast aspersions on the non-corporate version of PGP, one of the few proven secure open source crypto solutions we have? Or was that just sarcasm?
Yeah, PGP’s ADK isn’t anything special, it’s just taking the same data and encrypting it twice, once against whatever public key you’re using and once again against another designated public key that your employer, government, etc. can decrypt messages with.
That would work for things like messaging apps but wouldn’t be feasible for like cell phones – you’d have to encrypt the data twice into two copies (doubling both compute time and storage requirements).