Skip to comments.The Fedís Encryption Conniption
Posted on 11/15/2017 7:04:06 AM PST by Kaslin
As soon as the news broke last week that the FBI was unable to gain access to the phone belonging to the Sutherland Springs, Texas killer, you could hear the indignant feet-stomping of security hawks on Capitol Hill. It did not matter that the killer was not a member of ISIS, and acted alone. It did not matter that the motive was a domestic dispute, not the result of some broader terrorist plot. And, it did not matter that it was the governments clerical error in the first place, which allowed for this tragedy to occur.
There was data to be had, nominal in value as it may be, and Apples industry-leading encryption was keeping the feds from it.
The FBIs frustration with Apple, which to its credit quickly offered its assistance to the FBI upon learning the phone at the center of the investigation was an iPhone, echoes a similar sparring match last year following the San Bernardino, California terror attack. Then, in response to Apples principled stand against being compelled to defeat encryption techniques designed to protect its customers (private and public), California Sen. Dianne Feinstein co-sponsored a bill which would force tech companies to provide unencrypted data to the authorities upon request, thus defeating the very premise of encryption. No entity or individual is above the law, Feinstein chirped at the time, noting that such power was crucial for the government to know when terrorists are plotting to kill Americans.
Unsurprisingly, Feinstein now is renewing the call for her bill, because, for her and other bureaucrats like her, personal privacy is a privilege; not a right.
Even in the post-9/11 environment, where our terrorism paranoia has allowed for all manner of curbs to our civil liberties, this warped view of personal privacy is especially troubling. And, the flimsiness of Feinsteins justification for the major step of defeating encryption protections yet again exposes just how twisted security hawks on the Hill view privacy rights of Americans. The 4th Amendment, like the rest of the Bill of Rights, quite clearly is written to preemptively stop government from taking action against individuals rights, as opposed to granting limited freedoms to citizens for personal privacy. That is why the first clause ends with, shall not be violated, instead of at the discretion of law enforcement, or Congress.
Our cell phones, which contain banking information, personal emails, photos, and other highly sensitive data, are like electronic vaults; meant to be as impenetrable as possible from intrusion of any kind, for the sake of protecting this data. Though Feinsteins bill innocuously calls for compulsory assistance in cracking its encryption and avoids calling outright for a backdoor, that is precisely the outcome it intends in order for companies to meet the requirements of the proposed law. Inevitably (and routinely), the cracking techniques that use this backdoor would also be shared with state and local law enforcement as well, for use in investigations having nothing at all to do with stopping terrorists.
As cyber security experts have long warned, and numerous incidents of publicly leaking hacking techniques used by law enforcement have shown, the existence of exploitable backdoors essentially renders private encryption useless. Not only would anyone, from the FBI to the local sheriff, gain the ability to access your most personal data, so would Russia, China, North Korea, as well as the person who swipes a phone off a table at a restaurant.
And what are we putting our privacy at tremendous risk in order to gain? Merely an illusion of safety against the terror monster conjured by Feinstein to get her way. For years, government snoops and their supporters in Congress have argued for ever more advanced ways to spy on Americans in the name of fighting terrorism, while over this time, terrorists have opted for more low-tech ways to evade detection. Today, terror plots are rarely hatched through sophisticated, Dark Web networks of terrorists, but are more likely to be so-called lone wolf attackers with crude plans and methods for their attacks. Nor is it logical to expect terrorists to leave sensitive information available to police after the fact; for example, mass shooters routinely have destroyed their hard drives and cell phones before their rampages, including the terrorist in San Bernardino.
And, the fact is, the government has many tools already in its arsenal to address such cyber problems without new, privacy-invasive powers.
Instead of focusing on new, high tech ways to catch terrorists by imperiling the privacy rights of everyone who uses or manufactures a cell phone, government should focus instead on getting the basics right -- like reporting convicted domestic abusers and persons dishonorably discharged from the military to the FBIs National Instant Criminal Background Check System. Perhaps then we would have one less tragedy on the books, instead of another ineffectual power grab.
FBI can pinpoint Russia hacking (not really) but they can’t unlock a phone...
The horse has already left the barn.
Right here on this computer, I have the source code for BlowFish, a powerful 256-bit encryption algorithm. I could compile it into a library, and use that library to write an application that has uncrackable encryption. Hundreds of thousands of other programmers around the world could do the same thing.
How does the FBI, or anyone else, propose to stop this?
Yeah, but if you have the Blowfish source code - which had an integer signing bug in it for 10+ years that nobody had caught - it doesn’t mean that you KNOW if what you are sending is secure. All those libraries and encryption in general is “magic” to most people.
Moreso, Apple contacted the FBI immediately after the incident, offering services - and making it clear that they had 48 hours to do certain things before the device locked up tight.
Not like Apple hasn’t made it abundantly clear before to FBI that there’s a 48 hour window (including the “dead finger” trick, for those who understand the technical & medical details) for applying any conceivable ways to unlock it.
Almost like FBI is making a _point_ of delaying, leveraging the tragedy into an opportunity to compel the industry into providing back doors.
I say. "Feinstein and other corrupt politicians are not above our constitution."
For stuff I want secure I use GPG encryption with a 2048 bit key.
It's really subtle stuff.
One isolated flaw aside, the point remains: serious encryption is available to users even if government forbids it. Yes, Blowfish had a bug - but there are numerous other well-regarded thoroughly-studied strong-encryption algorithms available ... and they’re so simple I have several on t-shirts.
Encryption will always have the risk of either bad implementation, or mathematical breakthroughs, compromising security. It’s generally accepted that implementations should be open-source (not necessarily _free_) for examination, so such flaws may be publicly discovered ASAP.
Yes, it’s magic to most users. That’s why we need a sense of trust - which we DON’T have when strangers with guns compel us to compromise our security for their benefit, especially when they’re making the demands after they failed to do a bunch of other things we’ve given them authority to do.
Government tyrants should not have backdoors to this technology.
Although they might solve a few crimes here and there, the main use of these backdoors would be to collate and archive information on millions of citizens, useful for blackmailing later. Or spying on girlfriends or boyfriends, etc.
No, let the corrupt governments investigate crimes in the old-fashioned way.
This issue is similar to gun control. The tyrants say, “Turn in your guns so that crime will decrease.” In fact, crime will increase and the tyrant’s control over your life just went up.
If I were actually to do this, I’d probably download something more current. I just downloaded the Blowfish because I wanted to study the encryption techniques it uses.
For really good encryption us at least a 64 character password as well. Any favorite sentence or quotation will do.
I updated mine to 4096 several years ago. I have different keys for different purposes though. If I could ever get freerepublic mail to work correctly, I'd have a firstname.lastname@example.org key.
RSA in 3 lines of perl? I always wanted one of those. "This t-shirt is a munition"
Yup, got that one. Had to send a notarized “I will not take this out of the country” letter to get it.
There is NO reason to encrypt anything; as long as others can’t get their paws on it.
A FR wisely suggested you cut off the dead guys thumb and use it to unlock.
Blowfish has been broken by NSA a long time ago.
So has AES which is why the NSA allows it.
Rolls eyes. Have any proof of that?
Blowfish has been shown to be susceptible to reduced round attacks IIRC. I've not seen any indication a full implementation is similarly vulnerable. Most folks (including its designer Bruce Schneier) recommend Twofish be used instead of Blowfish in any case.
As to AES I believe I've read some concerns about some internal tables, but nothing that would indicate it is "broken".
Of course, this being a public forum, you're welcome to spread FUD all you'd like. Those of us who care about the issue will use that which we consider to be prudent.
It’s hard to break a one time code.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.