Free Republic
News/Activism

Backdoors Won't Solve Comey's Going Dark Problem
Crypto-gram ^ | 8/15/2015 | Bruce Schneier

Posted on 08/16/2015 11:10:27 AM PDT by zeugma

At the Aspen Security Forum two weeks ago, James Comey (and others) explicitly talked about the "going dark" problem, describing the specific scenario they are concerned about. Maybe others have heard the scenario before, but it was a first for me. It centers around ISIL operatives abroad and ISIL-inspired terrorists here in the US. The FBI knows who the Americans are, can get a court order to carry out surveillance on their communications, but cannot eavesdrop on the conversations, because they are encrypted. They can get the metadata, so they know who is talking to who, but they can't find out what's being said.

"ISIL's M.O. is to broadcast on Twitter, get people to follow them, then move them to Twitter Direct Messaging" to evaluate if they are a legitimate recruit, he said. "Then they'll move them to an encrypted mobile-messaging app so they go dark to us."
[...]
The FBI can get court-approved access to Twitter exchanges, but not to encrypted communication, Comey said. Even when the FBI demonstrates probable cause and gets a judicial order to intercept that communication, it cannot break the encryption for technological reasons, according to Comey.

If this is what Comey and the FBI are actually concerned about, they're getting bad advice -- because their proposed solution won't solve the problem. Comey wants communications companies to give them the capability to eavesdrop on conversations without the conversants' knowledge or consent; that's the "backdoor" we're all talking about. But the problem isn't that most encrypted communications platforms are securely encrypted, or even that some are -- the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.

Imagine that Comey got what he wanted. Imagine that iMessage and Facebook and Skype and everything else US-made had his backdoor. The ISIL operative would tell his potential recruit to use something else, something secure and non-US-made. Maybe an encryption program from Finland, or Switzerland, or Brazil. Maybe Mujahedeen Secrets. Maybe anything. (Sure, some of these will have flaws, and they'll be identifiable by their metadata, but the FBI already has the metadata, and the better software will rise to the top.) As long as there is *something* that the ISIL operative can move them to, some software that the American can download and install on their phone or computer, or hardware that they can buy from abroad, the FBI still won't be able to eavesdrop.

And by pushing these ISIL operatives to non-US platforms, they lose access to the metadata they otherwise have.

Convincing US companies to install backdoors isn't enough; in order to solve this going dark problem, the FBI has to ensure that an American can only use backdoored software. And the only way to do that is to prohibit the use of non-backdoored software, which is the sort of thing that the UK's David Cameron said he wanted for his country in January:

But the question is are we going to allow a means of communications which it simply isn't possible to read. My answer to that question is: no, we must not.

And that, of course, is impossible. Jonathan Zittrain explained why. And Cory Doctorow outlined what trying would entail:

For David Cameron's proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.
[...]
This, then, is what David Cameron is proposing:
* All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept.
* Any firms within reach of the UK government must be banned from producing secure software.
* All major code repositories, such as Github and Sourceforge, must be blocked.
* Search engines must not answer queries about web-pages that carry secure software.
* Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services.
* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped.
* Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software.
* Anyone visiting the country from abroad must have their smartphones held at the border until they leave.
* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons.
* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright.

As extreme as it reads, without all of that, the ISIL operative would be able to communicate securely with his potential American recruit. And all of this is not going to happen.

Last week, former NSA director Mike McConnell, former DHS secretary Michael Chertoff, and former deputy defense secretary William Lynn published a Washington Post op-ed opposing backdoors in encryption software. They wrote:

Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.

I believe this is true. Already one is being talked about in the academic literature: lawful hacking.

Perhaps the FBI's reluctance to accept this is based on their belief that all encryption software comes from the US, and therefore is under their influence. Back in the 1990s, during the first Crypto Wars, the US government had a similar belief. To convince them otherwise, George Washington University surveyed the cryptography market in 1999 and found that there were over 500 companies in 70 countries manufacturing or distributing non-US cryptography products. Maybe we need a similar study today.

This essay previously appeared on Lawfare.
http://www.lawfareblog.com/...

Aspen Security Forum:
http://www.aspeninstitute.org/events/2015/07/22/...

Comey's remarks at the forum:
https://www.youtube.com/watch?v=7RyVXLKO0DM
http://www.aspentimes.com/news/17381873-113/...

Mujahedeen Secrets:
https://en.wikipedia.org/wiki/Mujahedeen_Secrets

Identifying encryption programs from the metadata:
https://www.schneier.com/blog/archives/2015/07/...

What Cameron wants:
http://www.theguardian.com/uk-news/2015/jan/12/...

Zittrain's rebuttal:
https://medium.com/message/...

Doctorow's explanation:
http://boingboing.net/2015/01/13/...

Washington Post op-ed:
https://www.washingtonpost.com/opinions/...

Lawful hacking:
http://scholarlycommons.law.northwestern.edu/cgi/...

The First Crypto Wars:
http://www.newamerica.org/oti/...

George Washington University survey from 1999:
http://cryptome.org/cpi-survey.htm


TOPICS: Business/Economy; Foreign Affairs; Government; News/Current Events
KEYWORDS: comey; computers; computing; crypro; encryption; feralgovernment; internet; isis; isisinus; metadata; nsa
Good commentary as always from Bruce Schneier. No government thinks you have any rights to privacy or secrecy. This is especially true for Feral governments like ours.
1 posted on 08/16/2015 11:10:27 AM PDT by zeugma
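The verification step Doctorow's quoted list relies on ("thanks to things like cryptographic signing, it is possible to download these packages from any server in the world ... and verify ... that the software you've downloaded hasn't been tampered with") is worth seeing in working code, because it is the reason a download from an arbitrary mirror can be trusted while the mirror itself is not. The following Go program is an added example written for this page; it is not code from Schneier's essay, from Doctorow's post, or from any project named above. The artifact name, the payload bytes and the key pair are all constructed here, and Ed25519 is chosen as the signature scheme for illustration (release signing in practice is often done with OpenPGP or minisign, but the trust structure is the same: a maintainer key pinned out of band, a detached signature checked against it).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned whenever the detached signature does not verify
// under the pinned maintainer key, whatever the reason (altered bytes, a
// signature made with some other key, or a malformed signature).
var ErrBadSignature = errors.New("release signature does not verify against the trusted maintainer key")

// Release is what a mirror hands back: the artifact bytes plus a detached
// signature over them. Nothing about the mirror itself is trusted.
type Release struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// SignRelease is the maintainer-side step, run once per release with a private
// key that never leaves the maintainer's machine. Ed25519 hashes the message
// internally, so the whole artifact is signed directly.
func SignRelease(priv ed25519.PrivateKey, name string, payload []byte) Release {
	return Release{
		Name:      name,
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyRelease is the downloader-side step. The public key is obtained out of
// band (shipped with the package manager, published on the project site and
// cross-checked against other copies), so it does not matter which server the
// bytes came from.
func VerifyRelease(trusted ed25519.PublicKey, r Release) error {
	if len(trusted) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(trusted, r.Payload, r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Outcome records what a downloader sees in the three cases that matter:
// the genuine release, a copy whose bytes a mirror altered, and a copy the
// mirror re-signed with a key of its own.
type Outcome struct {
	Genuine  error
	Tampered error
	Resigned error
}

// RunScenarios plays out those three downloads against one pinned key.
func RunScenarios() (Outcome, error) {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, mirrorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample artifact; a real one would be a tarball or binary.
	payload := []byte("securechat-1.0: constructed sample release contents")
	genuine := SignRelease(maintainerPriv, "securechat-1.0.tar.gz", payload)

	// Case 2: same signature, but the mirror appended something to the bytes.
	tampered := genuine
	tampered.Payload = append(append([]byte(nil), payload...), []byte(" + injected code")...)

	// Case 3: the mirror swapped in its own build and signed it with its own key.
	// A downloader that accepted whatever key came with the download would pass
	// this; one that pins the maintainer key does not.
	resigned := SignRelease(mirrorPriv, genuine.Name, []byte("securechat-1.0: mirror's own build"))

	return Outcome{
		Genuine:  VerifyRelease(maintainerPub, genuine),
		Tampered: VerifyRelease(maintainerPub, tampered),
		Resigned: VerifyRelease(maintainerPub, resigned),
	}, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine: ", o.Genuine)
	fmt.Println("tampered:", o.Tampered)
	fmt.Println("resigned:", o.Resigned)
}
```

The point the example makes is the one Doctorow's list depends on: blocking GitHub or any other host does nothing, because the check is against a key the downloader already holds, not against the server. The one thing a blocking regime would have to attack is the out-of-band distribution of that public key, which is why the third case (a mirror supplying its own key along with its own build) is the realistic failure mode, and why pinning the key rather than fetching it alongside the package is what makes the scheme work.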

To: zeugma; COUNTrecount; Nowhere Man; FightThePower!; C. Edmund Wright; jacob allen; Travis McGee; ...
At no point in history has any government ever wanted its people to be defenseless for any good reason ~ nully's son

The biggest killer of mankind

Nut-job Conspiracy Theory Ping!

To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...


2 posted on 08/16/2015 11:19:06 AM PDT by null and void (Support Islamic Repatriation)

To: zeugma

What?! You don’t want the Gubbermint to be able to catch terrorists?! What are you, some kind of commie? /bootlicker

Grey’s Law: “Any sufficiently advanced incompetence is indistinguishable from malice.”
—Ref: http://tvtropes.org/pmwiki/pmwiki.php/Main/HanlonsRazor


3 posted on 08/16/2015 11:38:03 AM PDT by Slings and Arrows (My music: http://hopalongginsberg.com/ | Facebook: Hopalong Ginsberg | Instagram: hopalonginsberg)

To: zeugma

M4L going dark


4 posted on 08/16/2015 12:07:54 PM PDT by Scrambler Bob (Using 4th keyboard due to wearing out the "/" and "s" on the previous 3)

To: null and void

Mad always gets it right


5 posted on 08/16/2015 12:22:18 PM PDT by Nifster (I see puppy dogs in the clouds)

To: zeugma; Old Sarge; Gefn; EnigmaticAnomaly; Califreak; kalee; TWhiteBear; freeangel; ...

Good commentary as always from Bruce Schneier. No government thinks you have any rights to privacy or secrecy. This is especially true for Feral governments like ours.

6 posted on 08/16/2015 12:47:39 PM PDT by LucyT

To: zeugma

I don’t understand this article. I thought the government was already able to do these things, as long as there is a warrant. The article suggests they haven’t yet developed the capability—? Or am I missing something?


7 posted on 08/16/2015 12:57:13 PM PDT by mumblypeg (I've seen the future; brother it is murder. -L. Cohen)

To: mumblypeg

They can do some of it. Mostly thanks to companies like AT&T that will bend over backwards for the feral government any time fedgov says “jump”.

There are things the ferals still can’t do though, and it annoys them to no end that there might be a smidgen of your life that you might possibly keep hidden from them.


8 posted on 08/16/2015 1:20:49 PM PDT by zeugma (Zaphod Beeblebrox for president!)

To: zeugma

>>And the only way to do that is to prohibit the use of non-backdoored software,

Because, criminals and terrorists would only use non-prohibited software.

?????


9 posted on 08/16/2015 1:32:00 PM PDT by HLPhat (This space is intentionally blank.)

To: zeugma
Maybe weepy Boner and Yertle the Turtle should have stopped kowtowing to Obama when he insisted on importing hundreds of thousands of Muslims to the US.

Because diversity. And racism.

10 posted on 08/16/2015 1:51:31 PM PDT by grey_whiskers (The opinions are solely those of the author and are subject to change without notice.)

To: HLPhat
Because, criminals and terrorists would only use non-prohibited software.

Yeah. Kinda tells you who they are really interested in doesn't it?

11 posted on 08/16/2015 1:54:35 PM PDT by zeugma (Zaphod Beeblebrox for president!)

To: Slings and Arrows

Never ascribe to malice that which can be explained by incompetence. - Hanlon’s Razor

Unfortunately, with today’s Democrats; it would be more appropriate to say, “Never ascribe to incompetence that which can be explained by malice”.

And sadly, that’s not a joke.


12 posted on 08/16/2015 3:57:07 PM PDT by ChicagahAl (Today's Democrats are much more Fascist than Communist; but Sen Joe McCarthy was still right.)

To: zeugma

you don’t need encryption to securely pass data across unencrypted lines. just an agreed upon behavior set and a wildly popular virtual world game.

they’d be hidden in plain sight with no ability to detect, track, or decipher.


13 posted on 08/16/2015 7:33:33 PM PDT by sten (fighting tyranny never goes out of style)

To: sten
you don’t need encryption to securely pass data across unencrypted lines. just an agreed upon behavior set and a wildly popular virtual world game. they’d be hidden in plain sight with no ability to detect, track, or decipher.

Absolutely. If you can work up stuff in advance, a message like "John has a long mustache" could have a very specific meaning.

There's a lot of stuff that you can do if you're serious about it, and dedicated. However, I think that your average American deserves a little privacy as well.

The feral government disagrees.

14 posted on 08/16/2015 7:36:05 PM PDT by zeugma (Zaphod Beeblebrox for president!)
