Attorney General William Barr on Encryption Policy

Yesterday, Attorney General William Barr gave a major speech on encryption policy—what is commonly known as “going dark.” Speaking at Fordham University in New York, he admitted that adding backdoors decreases security but that it is worth it.

Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access. But, in the world of cybersecurity, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.

Moreover, even if there was, in theory, a slight risk differential, its significance should not be judged solely by the extent to which it falls short of theoretical optimality. Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society. After all, we are not talking about protecting the Nation’s nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications. If one already has an effective level of security say, by way of illustration, one that protects against 99 percent of foreseeable threats is it reasonable to incur massive further costs to move slightly closer to optimality and attain a 99.5 percent level of protection? A company would not make that expenditure; nor should society. Here, some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety. This is untenable. If the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek; or a world, on the other hand, where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcements [sic] access to zero percent the choice for society is clear.

I think this is a major change in government position. Previously, the FBI, the Justice Department and so on had claimed that backdoors for law enforcement could be added without any loss of security. They maintained that technologists just need to figure out how: ­an approach we have derisively named “nerd harder.”

With this change, we can finally have a sensible policy conversation. Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having­—not the fake one about whether or not we can have both security and surveillance.

Barr makes the point that this is about “consumer cybersecurity,” and not “nuclear launch codes.” This is true, but ignores the huge amount of national security-related communications between those two poles. The same consumer communications and computing devices are used by our lawmakers, CEOs, legislators, law enforcement officers, nuclear power plant operators, election officials and so on. There’s no longer a difference between consumer tech and government tech—it’s all the same tech.

Barr also says:

Further, the burden is not as onerous as some make it out to be. I served for many years as the general counsel of a large telecommunications concern. During my tenure, we dealt with these issues and lived through the passage and implementation of CALEA the Communications Assistance for Law Enforcement Act. CALEA imposes a statutory duty on telecommunications carriers to maintain the capability to provide lawful access to communications over their facilities. Companies bear the cost of compliance but have some flexibility in how they achieve it, and the system has by and large worked. I therefore reserve a heavy dose of skepticism for those who claim that maintaining a mechanism for lawful access would impose an unreasonable burden on tech firms especially the big ones. It is absurd to think that we would preserve lawful access by mandating that physical telecommunications facilities be accessible to law enforcement for the purpose of obtaining content, while allowing tech providers to block law enforcement from obtaining that very content.

That telecommunications company was GTE­which became Verizon. Barr conveniently ignores that CALEA-enabled phone switches were used to spy on government officials in Greece in 2003—which seems to have been an NSA operation—and on a variety of people in Italy in 2006. Moreover, in 2012 every CALEA-enabled switch sold to the Defense Department had security vulnerabilities. (I wrote about all this, and more, in 2013.)

The final thing I noticed about the speech is that is it not about iPhones and data at rest. It is about communications: ­data in transit. The “going dark” debate has bounced back and forth between those two aspects for decades. It seems to be bouncing once again.

I hope that Barr’s latest speech signals that we can finally move on from the fake security vs. privacy debate, and to the real security vs. security debate. I know where I stand on that: As computers continue to permeate every aspect of our lives, society, and critical infrastructure, it is much more important to ensure that they are secure from everybody—even at the cost of law-enforcement access—than it is to allow access at the cost of security. Barr is wrong, it kind of is like these systems are protecting nuclear launch codes.

This essay previously appeared on Lawfare.com.

EDITED TO ADD: More news articles.

EDITED TO ADD (7/28): Gen. Hayden comments.

EDITED TO ADD (7/30): Good response by Robert Graham.

Tags: , , , , ,

Posted on July 24, 2019 at 6:43 AM70 Comments

Comments

DV Henkel-Wallace July 24, 2019 7:17 AM

To me the most shocking comment was his assertion that it’s merely consumer’s information, so not that important. The country is ultimately made of people, not corporations, or militaries (or “consumers”)

Yes it’s good that a microscopic sliver of rationality has been added to the debate, but a major formulation that the interests of individuals in aggregate is less than that of big entities is appalling.

This is not discussing a need for balance, this is denigration of the value of human rights.

David July 24, 2019 7:25 AM

“Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone.”

The bad guys can eavesdrop on everyone, that part is true, but you are wrong about the first part Bruce: why would the bad guys use the backdoored versions of sw/hw?

Obtaining non-backdoored sw is trivial, and the backdoored hw is obviously not able to detect all the different ways a non-backdoored sw can be implemented. (If we are talking about a lazy/under resourced bad guy, who can’t/don’t want to produce their own hw.)

YetAnotherBruce July 24, 2019 7:53 AM

Dear AG Barr, the presidential records division of the National Archive would like to discuss this “going dark” problem of which you speak.

ATN July 24, 2019 8:01 AM

The main problem not even understood there is:
Is the backdoor used in public or not?

If you take a physical mobile phone, connect it to a secured PC (without viruses, never connected to Internet, not running uncontrolled USB/video/keyboard drivers) and run something like a password cracker on it, use a zero-day exploit, or use a backdoor to get access – then it is relatively safe for other mobile phone users.

If you use a zero-day exploit or a backdoor on a live mobile phone, or a live PC on Internet, you cannot know how many people are watching you, you cannot know if that mobile phone or PC is part of a honey pot at the time of the attack, it is no more a zero-day exploit / backdoor but a bug to fix as soon as possible – preferably immediately.

Not even talking of those two cases differently looks like someone did not even understood the problem – you should always re-classify a zero-day exploit after its first use on Internet…

Denton Scratch July 24, 2019 8:04 AM

@DV Henkel-Wallace

Agreed: “mere consumers” includes me (and my bank balance). I’m not OK with government employees interfering with my communications with my bankers. Government employees are just like everyone else; some of them are crooks. That includes the police and the security agencies (especially the security agencies).

What about sysadmins who happen to have remote logins from home to corporate and government systems? Is it not reasonable that they should enjoy the same freedom from trojans and backdoors as workers in selected branches of government?

In fact, on my reckoning, I could potentially be safer than J. Random Government-Employee. I can use open-source software; JRG has to use the designated (commercial) VPN etc. My guess is that JRG is snooped on far more than the average citizen. I can even build my own router, using open-source operating systems running on ‘antique’ hardware (less likely to have had hardware hacks burned into the silicon).

Bruce Schneier July 24, 2019 8:15 AM

@David:

“The bad guys can eavesdrop on everyone, that part is true, but you are wrong about the first part Bruce: why would the bad guys use the backdoored versions of sw/hw?”

Most everyone — good guys and bad guys — use the easy defaults. Sure, the smart criminals will layer encryption of top of what is already provided. But most criminals will just use iMessage or WhatsApp or Skype or whatever.

This is not a battle for the edge cases. This is a battle for defaults.

arfnarf July 24, 2019 8:59 AM

Barr is wrong, it kind of is like these systems are protecting nuclear launch codes.

Exactly what I was going to say.

Tatütata July 24, 2019 9:22 AM

It isn’t only vulnerability, but also enforcement, which is an issue.

If there is no threat of punishment, how can you enforce? (I can’t see any other way. Back in telegraph days the carrier could refuse to transmit a coded message, or demand a copy of the code book, but this is no longer feasible.)

Would it become a criminal offense if you use backdoor-free encryption, in lieu of, or on top of, officially approved encryption? If you send meaningless, undecipherable, random gibberish, would that be punishable? Or data that can only make sense to the parties?

And who would be punished? The end user? The system designer? The carrier?

Does expressing yourself in a cipher of your choice covered by freedom of speech?

And what about international connections? Who would have the right to snoop? Could a secure foreign connection be suddenly transmogrified into an backdoored on as it touches US shores?

newguy July 24, 2019 9:42 AM

I agree with OP’s conclusion. We should not compromise security for the convenience of law enforcement.

And let’s be clear: it IS “convenience,” and nothing else. It’s misleading to pretend that criminal investigations cannot take place unless encryption can be compromised. This is the unstated premise in Barr’s argument. How did it go unchallenged?

There are far easier ways to improve safety. Law enforcement should focus, for instance, on keeping dangerous people out of the country by imposing travel restrictions, securing the border, enforcing immigration law already on the books. That, coupled with immigration policy that actually makes sense — like bringing people here that can add value — would drastically improve security in the medium and long term.

I would also argue in favor of exporting weak or flawed encryption products to certain countries that can be counted as “enemies” for various reasons, whether because they are geopolitical foes (Syria, for instance) or simply because they are failed states, like those in central and south America, that export crime, drugs, and engage in human trafficking, whether of “refugees” or sex slaves.

There isn’t any reason that we need to treat American citizens and populations of friendly nations the same way we treat everyone else. This is not a double-standard; it is sensible nationalism. Of course, some people watch too much CNN and think “nationalism” is a dirty word. They should change their news feeds and get a more sensible and realistic perspective.

Petre Peter July 24, 2019 9:54 AM

There is an entire industry that is relying on insecure defaults. Yes the car I buy comes with a lock but if I want to be sure the car won’t get stolen I have to buy add-ons. The battle is how secure should the defaults be?

metaschima July 24, 2019 10:15 AM

This is about surveillance and censorship not about security. Real criminals will simply devise other secure communication methods. This is about snooping on regular people and suppressing free speech.

Impossibly Stupid July 24, 2019 10:42 AM

Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone.

And then there are the cases where law enforcement is the bad guy. There’s just no reason to think that one class of people is completely isolated from a lesser deserving population. We live in a world where “consumer products and services” constantly touch “large business enterprises”. No rational person can claim there is an encryption solution that works for one system but not the other.

This is exactly the policy debate we should be having­not the fake one about whether or not we can have both security and surveillance.

There is no policy debate that needs to be had. If the government thinks backdoored systems are such a great thing, they are welcome to show us all the proper way to do it by implementing backdoors in their own systems. Until then, the only policy-level issue I see is whether or not abuse of such government backdoors (and failures to report said abuse) should be considered an act of treason.

@Tatütata

And what about international connections? Who would have the right to snoop?

This is a good point, and it even goes beyond the idea of “friendly nations” that @newguy wrongly favors. The fact is, like law enforcement, sometimes our closest allies turn out to have agendas that are hostile to our own best interests. Someone who is our partner today might be someone we want nothing to do with tomorrow. We want to be able to not only close the door on them, but change the locks as well. Until the government shows us the right way to implement backdoors that accomplish these sorts of things, it makes no sense to put the onus on tech companies or the individual citizens to figure out how to make it work for these global powers.

justinacolmena July 24, 2019 11:10 AM

@Bruce Schneier

This is not a battle for the edge cases. This is a battle for defaults.

True.

We are defaulting on mortgages and loans for fully paid-off homes and cars because the brotherhood of thieves in law was so graciously allowed to rob the bank through the encryption “back door” on the consumer-product Internet.

Equifax breach: How to claim your share of the $700M settlement
If you were one of the 147 million people affected, it’s time to prep your claim.

There is no “settlement” under the Thieves’ Code with so much honor among thieves.

The breach in question resulted in hackers stealing Social Security numbers, addresses, credit-card and driver-license information, birth dates and other personal data stored on Equifax’s servers.

People live, work, drive cars, spend money and retire. In a certain sense, these data are all “vital statistics” that cannot reasonably be expected to remain secret or concealed.

As part of its investigation, the FTC alleged that the credit bureau failed to take reasonable steps to secure its network.

Once again, Equifax, along with TransUnion and Experian and various marketing partners, is obviously not coming clean with the full extent of the breach.

Unlimited direct access to our money and real property has been granted to thieves in law, and the government has absolutely no intention of revoking such inappropriate access to our lives, liberty, and property.

David Leppik July 24, 2019 11:10 AM

Even if nobody uses an iPhone to store nuclear launch codes, people use it to store information that could be used to blackmail, threaten, or mislead them into revealing nuclear launch codes.

David Leppik July 24, 2019 11:14 AM

Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations.

Actually, yes. Phone security is exactly what large business enterprises rely on, because phones are what high-level managers use to conduct business, and how consumers interface with these businesses and their operations.

Security Sam July 24, 2019 11:34 AM

Encryption according to Barr
Will earn him only one star
Like a hand in the cookie jar
Gain and loss aren’t on a par.

Clive Robinson July 24, 2019 12:00 PM

@ Bruce,

With this change, we can finally have a sensible policy conversation.

No we can not, this is simply a game of “flip flop” their previous stance was bot working for them so they’ve flipped to a different argument.

Their goals of universal surveillance on all citizens has in no way changed.

If you start scoring points on their new approach they will simply flop to a new one.

At each flip or flop they lead the argument away from those defending citizens rights, to follow them is stupid because people will get bored and stop listening.

Thus,

I hope that Barr’s latest speech signals that we can finally move on from the fake security vs. privacy debate, and to the real security vs. security debate.

Wrong it’s most certainly not “security-v-security” that’s a meaningless path into a swap of their creating. Nor can it be security-v-privacy, you can not have privacy without some form of security, one enables the other.

The real argument is “might-v-liberty”, that is the real goal is to destroy the fundemental rights of citizens and the laws that enable those rights. So that those who believe themselves to have “divine right”, “sense of entitlement” or “paternalistic right” or what ever they call it can run over citizens rights, liberties and freedoms rough shod. Having step by step removed the citizens right to both recorse for harm and the right to say “no” to power.

Unless US citizens start asserting their rights, then they will become vassals subject to the whims and vagaries of those that think “might is right” and “all contrary views should be oppressed” with brutal and unrelenting force of Guard Labour.

If people care to think about it that can only lead in one direction, be it tommorow or a later date…

This war of oppression against the average US citizen has been going on since atleast the end of WWII and as each year progresses citizens rights get eroded usually by faux argument or faux appeals to sentiment. There is a reason “Think of the XXX” became a political tool, it was to squease out rational argument.

Many people are now being manipulated by such faux sentiment and do not realise what a faustian bargin they are signing up to. It’s said “Turkey’s don’t vote for Thanksgiving/Xmas”, but each time a citizen buys into that faux sentiment, that is exactly what they are doing.

How you get that generally unpalitable message across is not going to be easy, but getting it across is what needs to be done.

VRK July 24, 2019 12:09 PM

muse for AG Barr:

1) If “the unmodified product” is an unacceptable risk, what about our private thoughts? Is that “Exceptional Access” currently under review also?

2) Now that SIGINTs everywhere are basically off-leash at the endpoint, is this discussion even relevant? (“if you cant beat em, beat em.”)

3)1444152402 1590789457 622322020 2869514621 3695016281 3489766242 2688456431
1459173090 2577099468 1243396722 3329484369 2499795335 2653925344 3940230414
3672002095 2806160540 3161035826 2694675422 1358733477 1903078243 587738304
2946342674 235116896 1703170082 3330859904 366198003 1486322758 3731779165
7595816 1600865557 1409435882 1498898966 1705827428 3058483647 2305033621
312543196 2299483908 591411514 1003441587 3133124899 1773980493 3873990196
1360958084 2796110558 256735390 477305763 3117732583 2532057619 1817852298
450826258 565979755 1954966351 2101164229 3263167491 2570020258 13659229
4122958550 765640730 2237585384 3735016758 215796261 1580654255 3711700010
3194542291 2544496006 151165035 3304995750 3737933042 987516732 4104106459

4) Now that Col. OTP has invented impervious security, is this discussion even relevant?

Alejandro July 24, 2019 12:10 PM

Very soon after the first wired telephone systems were established police insisted on the power to listen in on conversations, and did. Of course that meant literally sitting in the basement of the telephone office using jumper cables to make a parallel connection to resident targets (wire tap).

Of course there were no laws allowing it, or stopping it, then so it simply happened.

In a strategic view, nothing has changed. Police want to listen in to anything and everything we communicate and do, unless specifically prohibited by law or it’s physically impossible.

In my view the current conversation is not about electronics, computers, encryption, back-doors, civil rights, the law or any of that. It’s a simple matter of raw power.

Specifically, it’s about the power to control and dominate the people, all the people, all the time for good cause or no cause at all.

They do it just because they can.

Encryption pisses them off, because they can’t.

Rj Brown July 24, 2019 12:13 PM

The statement:

“The same consumer communications and computing devices are used by our lawmakers, CEOs, legislators, law enforcement officers, nuclear power plant operators, election officials and so on. There’s no longer a difference between consumer tech and government tech — it’s all the same tech.”

sums up the whole point! openssl has already been packaged in a NIST-compliant manner to be certified as a class-(2,3?) cryptographic system, and is used by the military for sensitive communications. It is NOT anything special in terms of the encryption algorithms it uses; it s only packaged in an approved manner.

So what “customized” systems was the AG talking about?

JR July 24, 2019 1:19 PM

Strong encryption may become a problem in some cases.
Lack of stong encryption is a worse problem in most cases.
That’s why encryption was developed in first place.

It is foolish to think to be able to separate personal grade from state grade encryption, because persons uses encryption to protect devices and data and communication channels used to access to (or work with) any kind of sensitive service, from banking to health and taxes.

Crippling encryption of what naively is defined personal security will create a huge attack surface to the sole benefit of bad actors, either for accessing personal data and for side channel attacks on remaibing strong encryption services.

Moreover, passing such a law would not stop smart criminals from breaking one more law and use strong encryption anyway – non smart ones would probably go on doing selfies during robberies and posting them on their open Facebook profile.

Clive Robinson July 24, 2019 2:44 PM

@ Tatütata,

If there is no threat of punishment, how can you enforce?

You can not enforce it currently, and for even the moderatly smart probably never.

To be able to punish you would need to find evidence. This means that every data stream would have to be monitored. Which is an expensive task.

Certain parties in the US Gov have been trying to set up a Faustian bargain with Silicon Valley Big-Corp. The US Gov would pass laws fascilitating the right of Big-Corp to spy on any and everyone. It’s what the AG was talking about when he said,

    We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications.

In return they would pass on the now “Third Party Business Records” over to the US Gov. A necessary part of which would be all those services had “plain text” at some point. Hence various people getting very stroppy when services were set up that did not put themselves in as “Man In The Middle” or used genuine “end to end” encryption.

Thus laws or EOs etc at some point will have to be put in place to make the use of end-2-end encryption illegal.

Whilst that could with a lot of effort be made to work against what would be considered “normal encryprion” such as AES where it’s output statistics are more or less flat. The same is not true for codes as I’ve mebtioned in the past.

Which is why those who are slightly smarter than average and have need of secrecy will almost certainly use the like of “One Time Codes” which like One Time Pads are in effect secure because when used peoperly one code is not just indistinguishable from another code, it’s also indistinguishable from none code text unless you have the coresponding key.

Thus I could send you what appears a fairly standard salutation such as “Good Day”, “Good morning”. “Hi”, “Hello”, “Howdy”. Just these five enable me to send you two bits of information or a NUL. If I changed the meaning of each every day in a random way as an evesdropper you would end up seeing a random distribution of these salutations. Thus in of themseleves they have no meaning they just stand in for a number 0-3 or a NUL which in turn have no intrinsic meaning. Thus you as a third party evesdropper have nothing to correlate against any observed actions by the communicating first and second party.

Such codes are fairly easy –if time consuming– to build and use. If a little thought has been given to what types of phrase to use then sending a message will look entirely natural. Thus there is no way for a human let alone an automated system to tell if code phrases are being used or not.

Now whilst some politico’s may not be aware of this, you can be sure that the SigInt, IC and LE entities are well aware of it as are all the Silicon Valley Big-Corps. Thus their not talking about it says way more about what their intentions are based on the old “Actions Speak Louder Than Words” observation.

That is they are not concerned about Serious Organised Crime and Terrorists, who would be expected to use such code systems, but as @Bruce has noted above,

Most everyone — good guys and bad guys — use the easy defaults… …This is not a battle for the edge cases. This is a battle for defaults.

Which in the main means “Jo/e Public”.

Clive Robinson July 24, 2019 3:17 PM

@ gordo,

Here’s one topic about which Barr and Mueller agree:

Yes and Mueller’s predecessor fifth Director of the Federal Bureau of Investigation Louis Freeh who held the post –mainly under a cloud–from September 1993 untill June 2001 when he was pushed out by George W. Bush.

The reason was I suppose he was at best an incompetent disaster magnet, there was the revelations about the “Carnivore” surveillance system, the Wen Ho Lee case, Janet Reno having to send in US Marshals to the FBI buildings to get evidence he was illegaly witholding over amongst other things cover ups of serious senior administrative failings.

But those in Europe remember him for his secret mission to push surveillance. He knew the US public would never go for his ideas. So his plan was do a tour of European LEO’s and politicians and persuade them to implement population surveillance first. This he could then use as a method to get some of his ideas past US legislators.

For various reasons his plan failed. However 9/11 came along and some of his ideas got slipped into the “oh so secret” PATRIOT Act…

As I noted earlier, these ideas have been around for several decades, and each time they get put back the just flip flop to a different argument and try again.

They get away with this because there is no downside to repeatedly trying, the tax payer picks up the bill and there are no sanctions for getting told “NO”. Thus they keep trying and won’t stop untill there is a significant downside or sanctions to stop them.

Which means the FBI Directors are on a “win draw” whilst the US Citizens are on a “draw loose”… Something that needs to be changed significantly to protect the citizens from these insecent freedom eroding attacs.

Alejandro July 24, 2019 4:07 PM

I would like to add, there is no such thing as “going dark” happening.

It’s a complete mis-characterization. They already have their noses buried deep into our electronic lives. Too far.

And, from the cases I have seen finding, investigating, arresting, prosecuting and convicting a criminals has never been significantly impeded by limited access to encrypted communication. For example, in the iPhone case in California there was no doubt whatsoever who did what and there was NO prosecution because the bad guys were dead, dead, dead. How does that compute as “going dark”?

Meanwhile, let’s be frank, they don’t want access based on probable cause and a warrant to access data of criminal suspects, they want complete, total access to ALL electronic communication based on their own home brewed rules, simply because they want it.

We are supposed to trust untrustworthy government officials to protect our rights and data. Frankly, that’s laughable based on history.

We DO have a Constitutional right to privacy regardless of specious and dishonest arguments by government hacks.

Yes, we do.

Anon Y. Mouse July 24, 2019 4:37 PM

My response: you first.

Senators, Representatives, the President, all his cabinet members, White House
staff, top military leaders, Federal government officials, etc. etc. should
all set the example and start using devices and software with the proposed
back doors. Let’s see how that works out after they’ve been doing it for a year
or so. Presumably they would have no objections, since, according to Barr,
the risk is slight. After a suitable period during which they’ve demonstrated
there are no problems, then maybe advocating that the general populace adopt
the same measures would be met with far less resistance.

I’m not holding my breath.

John Carter July 24, 2019 5:07 PM

a) The best defence against fake news is to link to the actual transcript….

https://www.justice.gov/opa/speech/attorney-general-william-p-barr-delivers-keynote-address-international-conference-cyber

b)

The tsunami of opioids, cocaine, and methamphetamine that started surging into the United States from Mexico in the latter years of the Obama Administration is one of the greatest dangers to the wellbeing of our Nation that we face today. In a single year, more Americans die from drug overdoses than we lost in the entire Vietnam War. In addition to this death toll, hundreds of thousands of lives are destroyed. The vast majority of the drugs are trafficked into the United States by large, transnational criminal organizations

Wait. What!?

by large, transnational criminal organizations

https://theweek.com/articles/541564/how-american-opiate-epidemic-started-by-pharmaceutical-company

c)

Further, the burden is not as onerous as some make it out to be. I served for many years as the general counsel of a large telecommunications concern.

Talk about a revolving door. The only reasons “large telecommunications concerns” whinge about the “onerous burden” is they scared they won’t get paid for it.

Inserting backdoors and handling records requests and the like is a lovely revenue stream for them. They get the taxpayer to pay them for selling their customers data.

Huge financial misincentive there.

Lawrence D’Oliveiro July 24, 2019 8:21 PM

Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations.

In other words, strong encryption is OK for big, important businesses, not for ordinary people like you and me.

fool July 24, 2019 11:08 PM

Strong encryption = criminals don’t get to steal all your stuff and break in easily, because they can’t break it… (as well as governments don’t get to spy on it, but that’s a side effect)

Weak encryption = criminals can freely break in and steal all your stuff, for example, steal your credit card transaction data or bank login credentials and loot your bank account or run up a big bill in your name! Weakening encryption just for the government means criminals get access too. The tech doesn’t “know” who’s using it, it works the same for everybody, criminals and governments alike.

Anyway, I like Clive’s points, very insightful.

David July 24, 2019 11:54 PM

@Bruce Schneier

Two things:

  • You are a celebrity, so when you make such a quotable unqualified statement, that statement will be quoted, and interpreted without nuance.

  • “This is not a battle for the edge cases. This is a battle for defaults.” But using your original statement, they will be selling it with the edge cases (terrorists, organized crime, pedophiles, Russians, Chinese) who will decidedly not be affected by “evil bit” regulations.

Joe July 25, 2019 1:21 AM

@Clive Robinson wrote, “Certain parties in the US Gov have been trying to set up a Faustian bargain with Silicon Valley Big-Corp. The US Gov would pass laws fascilitating the right of Big-Corp to spy on any and everyone. It’s what the AG was talking about when he said,”

In the past, you’ve said that bad guys don’t use these type of applications to converse.

Apps such as messaging, streaming, message boards, etc. generally aren’t laden with the type of criminals the DoD is going after. The average usage is very common joe as in everyday convos. Thus, it would appear that this entire effort to monitor social streams is gearing up for what we know as social control engineering instead of trying to fight terrorists who as you said have already learned to conduct their businesses in more clandestine ways.

I’m more wary that the government is going to open up its data to silicon valley tycoons than the other way around.

Jonathan Wilson July 25, 2019 1:38 AM

If its a choice between weakening security for everyone and letting bad guys (whoever they may be) go free, I vote for letting the bad guys go free.

Nils July 25, 2019 1:38 AM

I think this is an interesting discussion to be had. Here in Germany, the government usually starts out with security laws against terrorists (national security) and child sexual abuse / pornography (because think of the children). Then slowly add more and more felonies to the list on where it is acceptable to for example break in and install spyware, like drug dealing, fraud etc..

Drug dealers are no threat to my security, neither are child molesters, neither are pedophiles, neither are tax evaders and even the risk from terrorists is negligible.

This is the slippery slope argument, with evidence. There aren’t many documented cases where a government has returned liberties to people but plenty where they chip away at them bit by bit.

Denton Scratch July 25, 2019 1:41 AM

@DougA

“Not if it becomes illegal for a US corporation to ship that stuff in app stores. It’ll be easy enough for those of us who know…”

Thing is, I would not be inclined to trust anything downloaded from an app-store, unless it was entirely open-source (and it could be proved that the published source-code was used to create the app). I don’t generally care much for the app-store model of software publication. And of course, I regard my (antiquated) fondle-slab as a thoroughly-untrustworthy piece of equipment.

Bruce has said many times (I think) that “crypto is hard”. It’s not just hard to make good cyphers and hash algorithms and so on; it’s also hard to use crypto properly. This is not a question of using sensible defaults and kitting the software out with an easy-to-use UI; crypto users need to understand what the weaknesses of their chosen system are, and how long they need to keep their data secret for, among other things. I’m no expert, far from it; I rely on trusted authorities to provide advice on these matters (that’s why I’m here, of course).

E.g. I want my long-term master keys to be safe for about a decade; but passwords for most of the websites I login to are of almost zero value to me. They serve only to ensure that the data the website operator collects about me are of merchantable quality. A few of my website passwords protect services that, if hacked, would likely cause me and others quite a lot of hassle, but probably no serious loss. If I had encrypted archives containing sensitive material, I would not want to have to regularly re-encrypt with new keys or crypto-systems; I would want that archive to be safe until well after I am dead.

Happily, I have very few important secrets!

trebla July 25, 2019 3:26 AM

If any policy-making people happen to read this comment I’ll formulate it so you can understand. When you put backdoors in crypto-apps normal people will probably never find them. But you can be sure that nation states will. Do you want the Russians reading American citizens private conversations? Because that is what will happen when you push through something like this. And not only the Russians, the Chinese too. It will make the job of their intelligence communities extremely easy.

Clive Robinson July 25, 2019 4:27 AM

@ DougA, Lawrence D’Oliveiro,

Not if it becomes illegal for a US corporation to ship that stuff in app stores.

That does not matter in the slightest for those that can read a couple of books and think about what they read.

Firstly just accept that it does not matter if the Apps or OS are backdoored to the point they are an entirely open book. Or if you prefere your communications are “broadcast to the world”. Just as they were back during WWII.

The reason it does not matter is because you have shifted your “Security End Point” off of the mobile phone or what ever other form of electronic “Communications End Point” you are using.

Thus the security end point is now beyond those observing the communications channel. Just as it was back in WWII when they used simple Morse Wireless Telegraphy (CW) across very simple HF radio equipment we now call “Spy Sets” (that you could build yourself today if you wanted to). The Security End Point was the paper, pencil and hand code/cipher.

Thus the strength of the “message security” is dependent on what you use as the algorithms, hardware and implementation of the Security End Point.

Which as this has been known for a century tells us a few things,

1, We are being lied to
2, We have not learnt from history
3, we have become lazy

In our push the button for instant gratification life styles we have become like specimens in a Petri dish. We just sit their being fed and observed and experimented on.

Thus those doing the observing and experimentation have it very very easy. As history tells us repeatedly if we do not take responsability for our selves and our freedoms then others will and it most certainly will not be to our advantage, but theirs as the exploit us as much as they like (even H.G.Wells understood this well enough to make it clear).

Thus they lie to us and say it is for our own good, using the techniques of Orwell and Machiavelli and with every step tightening the nose that ever bit tighter.

The big lie however is the fact people are being kept uneducated about the important points of history. People have over centuries fought for their freedom and thus have worked out ways to fight in more optimal ways against those who would take their freedoms.

Thus if people want freedom they have to first educate themselves in how to take responsability for themselves, if however they are happy to be “King for a day” in a “guilded cage” to have their throat cut the following day then they can “Keep pressing the button”.

As @Bruce has finally noted,

    This is not a battle for the edge cases. This is a battle for defaults.

The “default” is being uneducated in a guilded cage. The “edge cases” are those that have chosen to take responsability for themselves and learn what is required to stay out of that guilded cage trap.

And no I’m not talking about “prepers” or those planing on what to do should the “SHTF” event occur. I’m talking about people like our grand and great grand parents who learnt responsability from an early age and were for most important things in life “self reliant”.

Whilst the guilded cage is made of technology, technology is agnostic to use. It is the “directing mind” that is important. Do you want your mind to run your life or that of Facebook’s “Psycho Mark”? Or those faceless suites at Alphabet etc? Or worse very worse those who believe they have entitalment at your expense and hold you in less regard than they would an ant in their garden? Who see you in much the same way as stockmen raising turkeys for Thanksgiving/Xmas?

Don’t moan about what is and is not available in the equivalent of the old “Communist Stores” the world is full of other options go out and learn about them, and take a step out of that guilded techno cage, whilst you still can.

Because one thing history has taught us, is at some point “The books will be burnt”.

Clive Robinson July 25, 2019 4:47 AM

@ John Carter,

With regards your point A and “Wait. What!?”.

Firstly yes there are more people addicted to supposadly non addictive drugs in the US than in the entite rest of the world according to the World Health Organisation.

And the real reason is not hard to find, it’s the US Health Care System that prescribes pain killer drugs for everything in prefrence to proper health care. For instance drugs do not fix one of the biggest causes of lost productivity “bad backs” you need physiotherapy, carefull excercise and rest to do that, all of which are expensive and take time. Pain killers just get you back to work whilst your back further deteriorates, which means more drugs. It’s a vicious circle. Drs are well aware of this, but can tell from your health care insurance supplier if you will be sacked if they give you the proper health care. Thus a handfull of pills keeps you putting bread on the table that little bit longer. But worse as the news is now slipping out bit by bit (see articles on insulin pricing in US) Big Pharma is deliberately manipulating the situation to make things considerably worse to their great profit and your significant loss.

I’ve been looking at this in terms of “security” risk both individual and national, and it is a very very significant risk. Not least because as I expected it would become another “think of the children” type lie to make things worse not just for individual privacy but as an excuse to loot the tax income.

Sancho_P July 25, 2019 5:28 AM

Yes, AG Barr is talking about the ancient system of obtaining actual data in transit, just from the point on where the warrant is delivered and the tap is set.
Never going back in time.
This is what the actual law is about.
The rest is illegal, only held up by the TPD nonsense.

No, we don‘t need a discussion because there is nothing to discuss.
As they don‘t want – and we don‘t want.

They have the metadata, thats more than enough.

Ismar July 25, 2019 6:56 AM

I know this may cause some interesting reactions on this blog but

I would actually agree with this initiative under one condition and that is to design the back doors that they allow access only in such a way which makes it compulsory for an audit record to be created as to when the access was granted, by whom, who requested it and against whom it was executed.
These audit records should then be made public under some sort of freedom of information act or such and everybody should be allowed access to their own entries (if any).

Looking forward to some interesting replies

65535 July 25, 2019 7:05 AM

William Barr

[Wikipedia]

“While employed at the Central Intelligence Agency (CIA) from 1973 to 1977…” – wikipedia

https://en.wikipedia.org/wiki/William_Barr

Gee, what an un-biased Attorney General… who clearly uses encryption everyday – yet wants a backdoor put into his phone and internet… Oh, wait I think he just wants to put a backdoor into everybody but his own telephone and internet.

It is the same old story of Law enforcement wanting encryption for me but not for thee.

When I read this junk like this from the top Law Enforcment office of the USA [Billiam Barr] who has never solved and engineering problem in his life, my eyes glase glaze over and my ears stop up.

These LE officials are too lazy to get out of their over stuffed chairs and do some honest-legal investigations. They what push button law enforce and the ability to listen in on everybody’s phone and internet comminucations. They already has enough of those spy abilities – they need less. Not to mention less budget money.

Bruce Schneier July 25, 2019 8:14 AM

@David:

“‘This is not a battle for the edge cases. This is a battle for defaults.’ But using your original statement, they will be selling it with the edge cases (terrorists, organized crime, pedophiles, Russians, Chinese) who will decidedly not be affected by “evil bit” regulations.”

Yes, exactly. This is a battle for defaults that is being argued in terms of edge cases.

Jan Ceuleers July 25, 2019 10:34 AM

Bruce, I’m disappointed that you didn’t pick up on the significant difference between CALEA (which Barr alleges sets a precedent for the current situation) and encryption back doors, namely the fact that CALEA does not remove encryption from the intercepted data because it isn’t encrypted to begin with.

There may be encryption on the wireless access hops at either end of a phone call, but that is not where the interception happens — CALEA intercepts G.711 voice which isn’t encrypted unless the call is made using crypto phones. And if it is CALEA does not remove that encryption.

Thoth July 25, 2019 8:27 PM

@Ismar, Clive Robinson

Lookup ‘fClipper’ or ‘firmware clipper’.

I have proposed the nasty design here and the designs are not solely isolated to my proposal as this was simply building upon ‘possibilities’ that can happen in modern commercial CPU/MCU. The building blocks for ‘fClipper’ already exists in every ARM/Intel/AMD CPUs and CPU designs. It’s only a matter if the fab plants and CPU/MCU OEMs want to do something about it and install a NSA_NIST_EC_384_PUB_KEY into the silicon layer of every chip during production time.

What is the use of tapping a single or a couple chat app when you could just grab everything off the chip’s processor and memory all in one go and influence the chips’ behaviours.

With the ‘fClipper’, it won’t require the developers to cooperate as there are simply too many developers to subjugate and compel and some are international developers. All you need is plant your agents into ARM/Intel/AMD/Qualcomm/Samsung/Apple/Broadcomm and other US companies or companies that lean in favour of the US and there are very very few silicon fabs that can build these chips or design the chips (ARM is an exception as it only designs chips and doesn’t fab chips commercially).

Most of the chips in the world are heavily reliant on US and it’s allied influences. The Chinese Huawei ban which affects the Huawei smartphones are a good indicator of US’s influence and with that few fabs on the list and they are very obedient to US, they can leverage it and “poison everyone’s drinking water” in the name of IT Security.

@Clive Robinson
I am still hoping that the OpenRISC projects succeed and manage to come out with as little US Govt influence thus being used as a Root of Trust on the hardware level which can be easily asserted and inspected. They would definitely be useful in the C-&-P designs.

I hope you found my previous PDF paper I posted helpful on the tamper detecting guard circuitry and if that could be included into OpenRISC MCUs and CPUs.

Links:
https://www.schneier.com/blog/archives/2018/05/ray_ozzies_encr.html#c6774914
https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html#c6775253

David July 26, 2019 2:57 AM

@Bruce Schneier

“This is a battle for defaults that is being argued in terms of edge cases.”

Well, that doesn’t sound like an argument that makes any sense to me. Or worse, as @Nils put it, it plays into the hand of the backdoorers.

Clive Robinson July 26, 2019 6:13 AM

@ David,

it plays into the hand of the backdoorers

It’s not just yourself and @Nils that have noticed this.

I made Comment above about the issue and how following their lead was a very bad idea.

The way to win this is to “set the argument” in a clear unambiguous way. Then highlight the falseness of the opposition argument using humor and similar. The one thing the likes of AG Barr can not stand is being made to look like a fool who is not just wrong but at best transparently obviously so, such that people see a clown to be laughed at in public. In short turn him into the Emporer with New clothes”[1] so that every one can clearly see the naked truth and laugh not just at him but those who put him where he is.

[1] For those that are not familiar with the nearl two centuries old works of Danish author Hans Christian Andersen. His little story of “The Emperor’s New Clothes”, might well be worth looking up, as it kind of says a lot about certain personality types that crave positions of power, their vanities and thus weaknesses.

David July 26, 2019 7:17 AM

@Clive Robinson

Far be it from me to claim originality :), I was just trying to encourage Bruce to be a bit more conscious when he makes such statements, as his words do actually carry some weight in a public debate, as opposed to ours. (Or at least mine, for sure.)

Andrew Yeomans July 26, 2019 9:38 AM

The policy debate may be intellectually interesting….
… but why would I ever want to buy US (or Australian) crypto systems?

Goku July 26, 2019 10:16 AM

I find extremely enlightening Schneier’s phrase “It is a battle for defaults”.

The real fight here is to pry strong encryption out of the hands of common citizens.

Who cares if real criminals, motivated psycos, traitors, foreign intelligence, advertisers, and future dictators can still put their hands on secure encryption AND are extremely helped by such law in getting the unprotected data of common people, for mass surveillance, social engineering blackmail and everything else?

The business of modern politics is control of the masses, the enemy is Average Joe, not a criminal or a loon that may scare Average Joe and make it even more dependant and trusteful in his friendly neighborhood politic representative.

Eric Johnson July 26, 2019 5:51 PM

One of the flaws in Barr’s argument is that maybe the populace doesn’t always need high-level encryption, but how are the companies hosting these customers to know when they do? My https communication to my bank looks exactly like my https communication to my favorite pet shop. For that matter, email from my bank looks like email from anyone else.

Telecoms have no way to distinguish between a critical communication that needs high-level security, and those that don’t. All large companies are software companies now – how can we distinguish when any of their employees have sensitive data?

So the premise here is pitting not just the rights of individuals against the government, but the very foundations of commerce against the government. That’s not going to go well.

Clive Robinson July 26, 2019 6:37 PM

@ David,

Or at least mine, for sure.

Every voice counts, because they all fall on different ears.

Whilst @Bruce is listened to by quite a few people, it’s a bit of a truism to say that in many cases he’s giving a sermon to the congregation.

The ears of those who are either unaware or feel they have higher priorities in life, thus are not part of the congregation are the ones that need to be spoken to. Because it’s those ears that count more when they listen as that’s how the congegation grows to the point others have no choice but to listen.

A politician cares little for a lone voice only their aids here. However if enough people speak to the aids then as part of their job they let the politician know. The politician may still not care, but bad press can follow when the timing is right, and politicians do not like bad press, it makes them insecure. Worse knowing that people are laughing at their expense makes them rather more than insecure.

One of the reasons I talk about “hand ciphers” using “pencil and paper” is that there is no technology that can be “backdoored” involved. Thus any law involving back/front doors, golden keys or the wild ramblings of techno geeks and old spooks or political clowns demanding people “nerd harder” can be seen as empty pointless posturing by nearly everyone.

Likewise it’s not hard to demonstrate that One Time Codes not only have no meaning for an evesdropper, but importantly can not be distinquished from natural speech (if designed and used properly). Thus even telling encryption is being used at all becomes impossible to do.

Thus even threats to bring in laws to outlaw encryption in it’s entirety is also empty and pointless posturing.

Importantly all this has been known since WWII atleast.

Thus AG Barr is seen for what he is plain and simple, a clown making threats of no meaning to those “edge cases” he throws up to get people shaking in their beds.

You can then tell people what his real target is, the ordinary every day person such as them, who’s privacy he wants to invade in every way possible.

If the person says “I’ve nothing to hide” you enter into a different conversation it shows they have not just listened but taken some of the message on board. But the “I’ve nothing…” statment is not normally too dificult to show that they do indeed have things to hide, and that not doing so harms not just the individual but society in general.

Whilst Facebook is a bit of a side show, it does point out to people why their privacy is important, it’s not as easy to explain the power of “targeted messages” that just change perception marginally but sufficiently that subsequent messages move peoples POV slowely but surely in a given direction. But sufficiently to “buy an election”.

JR July 27, 2019 2:39 AM

Let’s assume a world when encryption is implemented as required by Barr, John Doe being a NSA officer in charge of nuclear security audits.

Johon Doe uses strong encryption services to store / communicate national security related data.

But, John Doe also uses backdoored insecure encryption to store / communicate non – national security related data: chat with family and friends, home banking, taxes, visit some hobbist websites, read news, watch Netflix.

Any dangerous criminal organization or foreign intelligence can find backdoors in those services or software.

In worst case they can play man in the middle each time John Doe goes online using insecure protocols, to force malicious payloads on his devices – keyloggers, data mining tools – in order to recover credentials to enter secure services (in the example NSA network, nucular security audits) without need to break any secure encryption protocols.

In best case, John Doe will always diligently use a separate device which implements only secure protocols and connects only to national security related services: even in this remote case John security is hamstrung by Barr’s proposal, because all and any of his personal information is available to all and any of his enemies smart enough to find backdoors in personal-grade encryption he and his family use.

This helps mounting on John Doe, his family and his friends anything ranging from social engineering and phishing (to get / guess credentials to access to secure protocols without needing to break the encryption) to plain old blackmailing, any of which would not be possible – or be several orders of magnitude less feasible – having John Doe & co personal data (social, browsing habits, banking, gps…) being properly protected by strong encyption.

Clive Robinson July 27, 2019 5:02 AM

@ JR,

Valid points in the real world.

But AG W.Barr does not live in the real world where actions have consequences both desired and undesired.

If you look at his CV[1] and follow things through you will see that there is actually little thought to his actions. In many cases he can be seen as “Only Following Orders” in a “Make it so” authoritarian structure. At best a “useful idiot, for an authoritarian”. He cares not what the orders are or the reason why he just gets on with being “useful” like a dog at heal.

That is he practices “unitary executive theory” as “absolute executive prerogative” in essence the old King Game “Divine Right” backed up by “Might is Right”. It is a dogmatic and dangerous belief system that in effect enables tyranical behaviour without question.

As John Wesley Dean “master architect of Watergate” put it,

    “In its most extreme form, unitary executive theory can mean that neither Congress nor the federal courts can tell the President what to do or how to do it, particularly regarding national security matters.”

Whilst this might be desirable in a “real war”, it is undesirable at other times for obvious reasons, and probably accounts for why the US has so many “Phoney Wars”.

Oh and William Barr, could be seen as the father of “Unwaranted Surveillance on Citizens” he in effect architected the first system back in the early 1990’s.

He also fathered the idea of “Rendition” where US Guard Labour could “snatch and grab” people in other nations, without the permission of those nations.

He also favours the vast expansion of US Guard Labour and the increased criminialisation and imprisonment of those that do not fit in with his world view. He is also quite happy to distort or hide factual information from official reports and decision making, if it conflicts with his world view. A form of dishonesty you do not want in a person with power or interceding for a person of power.

[1] https://en.m.wikipedia.org/wiki/William_Barr_(American_Attorney_General)

name.withheld.for.obvious.reasons July 27, 2019 8:18 AM

Bruce, you probably understand this better than Everyone_Else – 5.

Secured; disciplined construction and formalized, quantifiable, and measurable systems design is not an art, and not cheap. The debate, I was on the IATF working group under NSA, I believed in the mission up until 2002. You’ve written extensively about the schizophrenia caused by the dual-missioned agency and this must be seriously addressed.

When subversion is your first tool to suborn secure systems in order to provide for the “national security”, what is it that has been achieved. I’d say nothing more than a very expensive session of mental masturbation leading up to an uncontrolled and volatile release of data no-longer accessible (DNA).

name.withheld.for.obvious.reasons July 27, 2019 8:40 AM

@ Clive

Whilst this might be desirable in a “real war”, it is undesirable at other times for obvious reasons, and probably accounts for why the US has so many “Phoney Wars”.

I will argue that the United States suffers from an obsessive compulsive idiocy disorder, OCID, and it has become endemic and chronic (widespread and serious).

Psychopaths cannot and will not reach rational conclusions nor make similar-based decisions. This, in combination of those suffering from OCID results in stochastic behaviors that defy modeling, computational analysis, or the best Kalman Feedback Bayesian, directed network on the largest Hadoop clusters (machine learning).

I am selling my computational devices and polishing the primary and secondary slide rule and insuring that my backup abacus is tested and calibrated. I have certs for them by next month.

JR July 27, 2019 8:42 AM

@ Clive Robinson
Agree.

My point however is that not only Barr proposal is harmful for the common citizen, but – also – that it is especially harmful for national security personnel, because it undermines personal security of any people involved in high profile tasks.

Weakening security of general purpose services increases the attack surface of those people, which are a target not only for mass data theft from common criminals but also for targeted social engineering and blackmailing from highly skilled and motivated opponents.

Moreover weakening general purpose services will also lead to a rise of successful attacks, a fact that can itself lead to increase national expense for criminal investigation and even impair economic growth of infornation technology sector.

Hnerik July 27, 2019 9:21 AM

Mr Barr says ‘the choice for society is clear’. The choice for individuals is just as clear. The technical means are there for anyone smart enough to care.

JR July 27, 2019 9:56 AM

@ A-J

This simply move the problem where to place the backdoor.

If A and B communicate over a protocol that involves strong encryption AND mining / saving plain text, A and B communication security boils down to how securely the mined plain text is handled by Facebook, Whatsapp etc – with official encryption becoming nothing more than false advertising.

This will increase the attack surface of every citizen, leading to higher expenses for Facebook and co for securing the extra data, more frequent data breaches, and higher national expenses to prosecute either criminals breaching the data and comoanies which fails to secure the extra data properly.

Moreover, the extra attack surface will just let secure services more prone to side channel attacks, like social engineering and blackmailing of security related personnel.

Mass mining of clear text data on each end device is a disaster waiting to happen, for the same reason any kind of decrease in security chain of common citizen is the wrong medicine: more possible types of attacks on worthy targets, AND more resources wasted in securing extra attack surfaces for everyone.

Peanuts July 27, 2019 10:59 AM

Barr’s statement is rich considering his personal witnessing that the department(s) he infers to gift as a new class of surveillance elite over the freedom of peasants, is the same moraless asshats fresh off of spree of weaponized political assaults against a sitting President and anyone near or in his arbitrary circles

His world view reveals and acceptance that laziness of LEO’s is ok we will just accept ourselves as slaves to a new intelligence class that wants to nerd harder not smarter

Simmon July 27, 2019 11:39 AM

@Bruce

At the end of the day, even it something similar to the T.O.L.A.(ac) that was passed into law last December in Australia is passed into law in the U.S.A. and 100% of U.S.A. based corporate entities comply with it, the sheer number of available global choices for security / privacy / communications solutions would just see the U.S.A. based entities go bankrupt. Not to mention the personal / corporate /government damage done by putting a back door in encryption.

@Sofakinbd & @Bruce

Nice list, but it is incomplete, out of date and should be updated. Perhaps you could ask congress for some funding to complete it 😉

Also, the OS Platform list is rather underestimated for OpenSSL, and there are also quite a few bits of hardware floating around using OpenSSL in its firmware.

Australia, OpenSSL, OpenSSL Software Foundation, DevTools, Win/Lin, SW, Free, OS, http://openssl.org

openssl-1.1.1a -> ./Configure –help
Configuring OpenSSL version 1.1.1a (0x1010101fL) for
Using os-specific seed configuration
Usage: Configure [no- …] [enable- …] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [–prefix=DIR] [–openssldir=OPENSSLDIR] [–with-xxx[=vvv]] [–config=FILE] os/compiler[:flags]

pick os/compiler from:
BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-i386 Cygwin-i486 Cygwin-i586
Cygwin-i686 Cygwin-x86 Cygwin-x86_64 DJGPP MPE/iX-gcc UEFI UWIN VC-CE VC-WIN32
VC-WIN32-ARM VC-WIN32-ONECORE VC-WIN64-ARM VC-WIN64A VC-WIN64A-ONECORE
VC-WIN64A-masm VC-WIN64I aix-cc aix-gcc aix64-cc aix64-gcc android-arm
android-arm64 android-armeabi android-mips android-mips64 android-x86
android-x86_64 android64 android64-aarch64 android64-mips64 android64-x86_64
bsdi-elf-gcc cc darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc
darwin64-x86_64-cc dist gcc haiku-x86 haiku-x86_64 hpux-ia64-cc hpux-ia64-gcc
hpux-parisc-cc hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc
hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc hpux64-parisc2-gcc hurd-x86
ios-cross ios-xcrun ios64-cross ios64-xcrun iossimulator-xcrun iphoneos-cross
irix-mips3-cc irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-aarch64
linux-alpha-gcc linux-aout linux-arm64ilp32 linux-armv4 linux-c64xplus
linux-elf linux-generic32 linux-generic64 linux-ia64 linux-mips32 linux-mips64
linux-ppc linux-ppc64 linux-ppc64le linux-sparcv8 linux-sparcv9 linux-x32
linux-x86 linux-x86-clang linux-x86_64 linux-x86_64-clang linux32-s390x
linux64-mips64 linux64-s390x linux64-sparcv9 mingw mingw64 nextstep
nextstep3.3 sco5-cc sco5-gcc solaris-sparcv7-cc solaris-sparcv7-gcc
solaris-sparcv8-cc solaris-sparcv8-gcc solaris-sparcv9-cc solaris-sparcv9-gcc
solaris-x86-gcc solaris64-sparcv9-cc solaris64-sparcv9-gcc solaris64-x86_64-cc
solaris64-x86_64-gcc tru64-alpha-cc tru64-alpha-gcc uClinux-dist
uClinux-dist64 unixware-2.0 unixware-2.1 unixware-7 unixware-7-gcc vms-alpha
vms-alpha-p32 vms-alpha-p64 vms-ia64 vms-ia64-p32 vms-ia64-p64 vos-gcc
vxworks-mips vxworks-ppc405 vxworks-ppc60x vxworks-ppc750 vxworks-ppc750-debug
vxworks-ppc860 vxworks-ppcgen vxworks-simlinux

NOTE: If in doubt, on Unix-ish systems use ‘./config’.

VRK July 27, 2019 1:02 PM

@Tatütata

Does expressing yourself in a cipher of your choice covered by freedom of speech?

Whether or not there are laws protecting free speech, and laws to oversee the enforcers of those laws, seems a tad moot lately with the undertow of open-ended permissions to enlist “fellows of a baser sort” if enforcement becomes too messy.

And BTW, who is the watchdog of the watchdog?

Cases like Bernstein v. United States,
and USA v Lavabit…

Oddly, the common response to “I wonder what he’s hiding behind those curtains” is
“CAN YOU IMAGINE???” Now all you need to do is feed the imagination, and write a propaganda campaign around it.

Lomax July 31, 2019 3:16 PM

@Clive_Robinson

“Not if it becomes illegal for a US corporation to ship that stuff in app stores.”

“That does not matter in the slightest for those that can read a couple of books and think about what they read.”

Except it does, because those that cannot read and think provide all the financial incentive that these corporations need to stay on this path. They don’t care if you know how to avoid their traps, there are hundreds of millions clueless people for every one wary like us, and each one of them gives them more money.

Since unfortunately uneducated masses will always be a thing, the free market won’t ever give them a reason to abandon this strategy. Thus the task falls to the only thing these giant corporations need to respect (or, more precisely, would be hurt if constantly getting caught disrespecting): laws.

Clive Robinson July 31, 2019 4:26 PM

@ Lomax,

Except it does, because those that cannot read and think

Which is my point.

I’ve been sugesting people,

1, Stop being lazy.
2, Wise up.
3, Start thinking.
4, Start doing.
5, Start advocating.

That is they stop buying into all the crap that’s being peddled about “secure apps”, because there is no such thing with the way current consumer devices are designed.

Then the actually draw what are quite simple pictures to understand why we currently have no security in consumer devices. Then draw the fairly obvious conclusions, and put them into practice.

And finally the most important is to take others along the same path.

If you look at the tech news coming out of China and the political news coming out of Hong Kong, it’s not dificult to see where things are going.

We can even see where it has already got beyond a tipping point. We know for instance that the US has it’s hooks into the credit debit and other payment card industries including those for public transport. Thus for those the “bought into the convenience” there are now hugh volumes of data on their habits prefrences where they go how long they spend there etc etc. That is the payment card was the first kind of universal tracking and bugging device. For those that did not buy into the convenience and pay with cash less is known about them. Some countries are talking about putting RFIDs in bank notes or serial number readers in tills etc to be tied in with CCTV on the payment places. Thus cash is very soon going to be highly tracable. Even people building up “emergancy cash” stocks to obviate the everly increasingly failure prone banking systems will soon become known unless they take extra steps.

Mobile phones are likewise a convenience that is now a Police State tool for observing the citizens in larger numbers of countries every year with plenty of companies selling them the technology.

Car number plate readers and similar are on roads, other transport systems are getting real time CCTV and face recognition etc. Even advertising hordings now have CCTV to do the equivalent of facial recognition.

Governments could not afford to do this level of tracking etc. But the largest and probably the most usless industry in the world “Marketing” can, and they are. And the reason they can is “lazy people” that are “buying into convenience”.

If people just stopped using technology that is so obviously usefull for surveillance then there would be less surveillance. Likewise if they took a little care in other areas there would be a lot less surveillance.

There are the old saws about people taking target practice at their feet and twisting up hemp to go around their necks, it’s getting ever more true every day as people opt for marketing driven technology that has the vague promise of convenience.

Simmon July 31, 2019 6:18 PM

@ et al

This is nothing more than the continuation of rhetoric from 5 eyes, being used to persuade public opinion so that 5 eyes can have back doors. It has been an ongoing sarga from 5 eyes, since Snowden went public in 2013.

https://www.gov.uk/government/news/home-secretary-hosts-five-eyes-security-summit

In attendance will be:

Australian Minister for Home Affairs Peter Dutton MP
Canadian Minister of Public Safety and Emergency Preparedness Ralph Goodale MP
Canadian Minister of Immigration, Refugees and Citizenship Ahmed Hussen MP
Canadian Associate Deputy Minister of Justice Francois Daigle
New Zealand’s Minister of Justice Andrew Little MP
New Zealand’s Attorney General David Parker MP
US Attorney General William Barr
US Acting Deputy Secretary of Homeland Security David Pekokse

WhiskersInMenlo August 15, 2019 5:11 PM

It is important to present individuals like Barr with a sanity test.
Two questions to start.

1) In this case (proposed solution) do you consent to having your phone tapped for the record over the next
two to seven years and trust the next AG or POTUS to do the right thing with any recorded data.

2) please explain the impact of parallel reconstruction in the context of litigation when the prosecution
has data unknown to the defense.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.