Backdoors Won't Solve Comey's Going Dark Problem

At the Aspen Security Forum two weeks ago, James Comey (and others) explicitly talked about the “going dark” problem, describing the specific scenario they are concerned about. Maybe others have heard the scenario before, but it was a first for me. It centers around ISIL operatives abroad and ISIL-inspired terrorists here in the US. The FBI knows who the Americans are, can get a court order to carry out surveillance on their communications, but cannot eavesdrop on the conversations, because they are encrypted. They can get the metadata, so they know who is talking to who, but they can’t find out what’s being said.

“ISIL’s M.O. is to broadcast on Twitter, get people to follow them, then move them to Twitter Direct Messaging” to evaluate if they are a legitimate recruit, he said. “Then they’ll move them to an encrypted mobile-messaging app so they go dark to us.”

[…]

The FBI can get court-approved access to Twitter exchanges, but not to encrypted communication, Comey said. Even when the FBI demonstrates probable cause and gets a judicial order to intercept that communication, it cannot break the encryption for technological reasons, according to Comey.

If this is what Comey and the FBI are actually concerned about, they’re getting bad advice—because their proposed solution won’t solve the problem. Comey wants communications companies to give them the capability to eavesdrop on conversations without the conversants’ knowledge or consent; that’s the “backdoor” we’re all talking about. But the problem isn’t that most encrypted communications platforms are securely encrypted, or even that some are—the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.

Imagine that Comey got what he wanted. Imagine that iMessage and Facebook and Skype and everything else US-made had his backdoor. The ISIL operative would tell his potential recruit to use something else, something secure and non-US-made. Maybe an encryption program from Finland, or Switzerland, or Brazil. Maybe Mujahedeen Secrets. Maybe anything. (Sure, some of these will have flaws, and they’ll be identifiable by their metadata, but the FBI already has the metadata, and the better software will rise to the top.) As long as there is something that the ISIL operative can move them to, some software that the American can download and install on their phone or computer, or hardware that they can buy from abroad, the FBI still won’t be able to eavesdrop.

And by pushing these ISIL operatives to non-US platforms, they lose access to the metadata they otherwise have.

Convincing US companies to install backdoors isn’t enough; in order to solve this going dark problem, the FBI has to ensure that an American can only use backdoored software. And the only way to do that is to prohibit the use of non-backdoored software, which is the sort of thing that the UK’s David Cameron said he wanted for his country in January:

But the question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.

And that, of course, is impossible. Jonathan Zittrain explained why. And Cory Doctorow outlined what trying would entail:

For David Cameron’s proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you’ve downloaded hasn’t been tampered with.

[…]

This, then, is what David Cameron is proposing:

* All Britons’ communications must be easy for criminals, voyeurs and foreign spies to intercept.

* Any firms within reach of the UK government must be banned from producing secure software.

* All major code repositories, such as Github and Sourceforge, must be blocked.

* Search engines must not answer queries about web-pages that carry secure software.

* Virtually all academic security work in the UK must cease—security research must only take place in proprietary research environments where there is no onus to publish one’s findings, such as industry R&D and the security services.

* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped.

* Existing walled gardens (like IOs and games consoles) must be ordered to ban their users from installing secure software.

* Anyone visiting the country from abroad must have their smartphones held at the border until they leave.

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons.

* Free/open source operating systems—that power the energy, banking, ecommerce, and infrastructure sectors—must be banned outright.

As extreme as it reads, without all of that, the ISIL operative would be able to communicate securely with his potential American recruit. And all of this is not going to happen.

Last week, former NSA director Mike McConnell, former DHS secretary Michael Chertoff, and former deputy defense secretary William Lynn published a Washington Post op-ed opposing backdoors in encryption software. They wrote:

Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.

I believe this is true. Already one is being talked about in the academic literature: lawful hacking.

Perhaps the FBI’s reluctance to accept this is based on their belief that all encryption software comes from the US, and therefore is under their influence. Back in the 1990s, during the first Crypto Wars, the US government had a similar belief. To convince them otherwise, George Washington University surveyed the cryptography market in 1999 and found that there were over 500 companies in 70 countries manufacturing or distributing non-US cryptography products. Maybe we need a similar study today.

This essay previously appeared on Lawfare.

Tags: , , , ,

Posted on July 31, 2015 at 6:08 AM88 Comments

Comments

Paul July 31, 2015 6:34 AM

Er, “the UK’s James Cameron”? That would be something to do with movies. The political one is David Cameron (as the quotes show).

Bruce Schneier July 31, 2015 7:03 AM

“Er, ‘the UK’s James Cameron’? That would be something to do with movies. The political one is David Cameron (as the quotes show).”

Thanks. Fixed.

Winter July 31, 2015 7:04 AM

And then we have banned all encryption. Remember how the US was able to prevent the Japanese from eavesdropping on their communications without using encryption?

Let them talk Navajo.
http://www.historynet.com/world-war-ii-navajo-code-talkers.htm

Any group of people who know each other can develop an ever changing secret language or slang (or use some obscure local dialect). There is a whole science studying Thieves’ Cant.
http://blogs.spectator.co.uk/books/2012/09/the-language-of-criminals/

This is all high-school “Black Hand” material. And this is know very well to those peddling these plans.

My guess is that they have no interest in criminals and terrorists. This is for keeping a tab on the real enemies of the state: political opponents, whistle blowers, journalists, peaceful demonstrators, and representatives of foreign companies that compete with the locals.

Remember that GCHQ was spying on Amnesty International.

So AI must be considered the enemy of the state. Most likely the spying was done to rat on foreign dissidents who campaign for human rights in “friendly nations”.

Bob S. July 31, 2015 7:06 AM

“Lawful hacking”?

Just ask them: Whatever they do is legal, whether it is, or not. It’s been that way for a very long time.

Frankly, I don’t see serious political or traditional criminals using electronics for their most inner secrets or important plots. Meanwhile, the dumb ones will get caught electronics or no electronics, it’s their nature.

Sam July 31, 2015 8:17 AM

So… how does David Cameron feel about using the internet for…
*Client-lawyer confidentiality? “we must not”
*Online retail banking? “we must not”
*Commercial / wholesale financial systems? “we must not”
*Health information systems? “we must not”
*Industrial control systems? “we must not”
*Online national election voting? “we must not”
*IP enabled civilian cars, police drones, military hardware? “we must not”

The last two (maybe three) shouldn’t be on the internet at all but probably will be anyway; this still leaves out privacy on gambling sites, dating websites, etc. Does Mr Cameron have any idea how much UK infrastructure will be compromised?

Chris July 31, 2015 8:33 AM

the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.

Not sure I can get behind this logic at all. If there still exists one possible path for a bad guy to do bad, then we can’t fix all the other paths? I’m not arguing the merits of your argument. But in practice some encryption is easy to use, and some is difficult to you (think command-line parameters). I think you’ve overestimating ISIL if you think they will only use the very best encryption level, at the total expense of ease-of-use.

Dirk Praet July 31, 2015 8:42 AM

The FBI can get court-approved access to Twitter exchanges, but not to encrypted communication, Comey said.

To the best of my knowledge, Twitter DM is not encrypted. They were planning on doing so, but then shelved the project for unknown reasons. Where does Comical Comey get his information from ?

Re. David Cameron.

Some media outlets have recently reported that the so-called Russian initiatives at recruiting him back in his younger days when traveling in the USSR were in fact gay pick-up attempts. So perhaps we can now safely refer to (Little) Britain’s sharpest knife in the drawer as Daffyd Cameron rather than David or James.

Me July 31, 2015 8:50 AM

*Online national election voting? “we must not”

I agree with David on this one…

It hurts even typing it…

Bruce Schneier July 31, 2015 9:00 AM

“‘…the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.’ Not sure I can get behind this logic at all. If there still exists one possible path for a bad guy to do bad, then we can’t fix all the other paths? I’m not arguing the merits of your argument. But in practice some encryption is easy to use, and some is difficult to you (think command-line parameters).”

Yes. And this is my problem with all of these back-door solutions. The FBI is postulating an adversary that is smart enough to use encryption securely, but too dumb to use secure encryption. That is, he’s smart about configuring and keying the encryption he uses so that the FBI can’t get at his data. But if he’s given a choice between a bunch of US-controlled back-doored encryption programs and a bunch of non-US-controlled non-back-doored encryption programs, he’s going to pick the US ones.

Alan Kaminsky July 31, 2015 9:01 AM

@Chris — I think you’ve overestimating ISIL if you think they will only use the very best encryption level, at the total expense of ease-of-use.

Sooner or later, if they haven’t already, ISIL will recruit and radicalize some software developers with expertise in cryptography and user interface design. These developers will then create a user-friendly app with strong encryption for ISIL operatives to use. If the NSA or FBI does some “legal hacking” and breaks the encryption, the developers will simply update the app to use a different cipher algorithm.

We know that ISIL has already recruited social media savvy people; that’s why they have such a compelling presence on Twitter and other places. ISIL’s recruiting is not limited to military fighters and suicide attack fodder.

Haxton July 31, 2015 9:06 AM

@Chris: The software can often be adapted to improve the ease of use. If there’s a CLI-only tool, make a GUI wrapper around it, make it a library and ship on phones…

Martin July 31, 2015 9:11 AM

And the computer manufacturer should be prosecuted for providing material support in the form of a computing platform. And the service provider, and the electric utility perhaps. And the autoworker who attached the bumper to the car that hit the pedestrian in the commission of a hit-and-run.

Grauhut July 31, 2015 9:13 AM

“And by pushing these ISIL operatives to non-US platforms, they lose access to the metadata they otherwise have.”

I don’t think so. ISIL is still a NSA target and the FBI still sees ip connections from the US to such non-US platforms. So they still have Metadata. But they don’t have clear text content anymore.

Fritz Anderson July 31, 2015 9:18 AM

“… some is difficult to [use] (think command-line parameters). …”

Surely I misunderstand.

I’m all for closing off free rides. That’s why the Cold War powers maintained anti-aircraft systems well into the era of the ICBM: Force the other side into expensive missile development rather than coast on bombers.

But software — computers – exist only to make difficult tasks easier. I wrap complicated functionality into simpler tools for a living. Every programmer does, that’s the fundamental definition of the job. Arcane options are mostly for customizations that any one application or user need not change.

Naïvely I could imagine a strong cryptosystem that exposed only key generation/exchange (and not much of that) to routine users. You might need to manage repudiation etc. out-of-band, and I can imagine how that could be hard to make reliable, but the strength of the in-band crypto doesn’t affect that problem.

I’m not in the business. I’ve probably made a fool of myself in that last paragraph.

JdL July 31, 2015 9:21 AM

Steganography can defeat all of these pathetic attempts by governments to forbid their citizens from communicating with each other securely. As for gov’t attempts to sell the idea that they must read our mail to keep us safe, that could only be true if they were instruments for good. But they’re not: in my view, governments are a far greater threat to our liberty and safety (and money too) than all the “terrorists” in the world combined.

Martin July 31, 2015 9:22 AM

The problem with McLaughlin’s column in The Intercept_ is that it makes it sound like the Obama Administration is actually behind the LawFare blog.

nym July 31, 2015 9:26 AM

It’s in all our best interests to keep the conversation on this and other post-Snowden matters as truthful and accurate as possible. In that spirit, the posted list of “things Cameron must do” in just stupid rhetoric. That list is like saying: “if Cameron wants to prevent murder, then everyone should be banned from leaving their house without a police escort”. Yeah, that would work but seeking perfection by adopting ridiculous policies isn’t how we play our cards against murderers and isn’t how we should play our cards against terorists.

Instead, we increase the difficulty of getting away with murder, have undercover agents pose as hitmen (as Ross Ulbricht discovered) and of course we make it illegal to murder which, duh, cuts down on the number of murders considerably. We make moves to reduce the volume of the problem and then make commiting the crime fraught with peril. That’s how law enforcement is done.

The same thing applies here. If encryption is illegal (not saying I think it should be, I don’t for other reasons- I also believe LEOs can adapt themselves and the legit uses of the same technology yield overwhlemingly benefical results to society long term ) then just using it will draw the law to your door. That would considerably impede the use of it in the first plae and all the reaminer are, by definition criminals.

I am merely trying to keep the conversation focused on legit arguments because I think it’s so important. We can’t tolerate the the kind of rhetoric and “arguments” which prevade the rest of our political dialog or we’ll end up with results similar to the ones we get out of plitical system.

Reading Future Crimes by Marc Goodman and as a result I am seriously considering stopping my peronsla use of Tor, which I use to protect my privacy from commerical profilers. I considered myself informed about cybercrime and cyber threats but even I was shocked by things I’ve read there. Really really bad people do really really bad things far beyond what at least I had conceived of. I just don’t want to be a datapoint that needs attending to by LE resources because that detracts from their ability to deploy those resources towards really really really bad people. But then I’m a guy who stopped flying because of global warming too, so there you go.

Law enforcement has legitimate point regarding encryption and cyber threats it facilitates. It just does. Even more so because the surface area open to cyber attack and the severity of the consequences of those attacks are both going up very quickly, as is the number of people effected by those attacks.

Meanwhile the ease of making those attacks is going down and the number of people needed make those attacks is thundering to it’s theoretical minimum of one. One person inflicts enough chaos to destroy thousands of lives.

Looking ahead a few decades the advancements and concomitant democratization of access to stuff like synthetic biology and nanotechnology, a non-hyperbolic person could come to the conclusion that the future may be literally unsurvivable.

No one talks about this in the future-eager circles I move in. Sort of the same way creators of today’s technology gave little thought to whether the systems they were building were secure and what the consequences of those systems insecurity might be. It’s like they just get excited about all the cool new stuff that can be built and new abilities we’ll have and that short circuits the rest of their brain.

And industry is even worse. If they can make money on it this quarter, then they’ll build it and ship it.

So who does that leave to do the worrying we need to do? The libertarians? (That’s a joke). No it leaves LEOs and the TLAs that everyone loves to hate.

OTOH, those agencies act as if they could never go bad. To even bring that up is to somehow be cast as unpatriotic, to show a lack of faith in our institutions. But we know governments DO go dark, do succumb to both creeping and sudden fascism and start destroying the values which they’re supposed to be protecting in the first place, degenerating into self-justifying, self-sustaining, self-serving oligarchies.

That knowledge is where American’s fear of their government ultimately stems from. People don’t see any way they can reliably put the brakes on that kind of government-going-dark. The spectacle of James Clapper openly lying to Congress while under oath and having exactly zero criminal prosecution for his self-admitted crime is emblematic of what they’re afraid of. A government that doesn’t apply the rule of law to themselves. A clique of insiders who aren’t merely above the law, who effectively ARE the law.

You can’t read the recent history of the whistleblowers in the FBI and CIA and not come away with the impression that the higher ups in those agencies feel empowered to break the law when where and how they fucking feel like it and are heedless to the internal processes those organizations set up to stop that kind of abuse. It’s like we’re back to Nixon’s “if the President orders it, then it’s legal” crap.

Without questioning their intentions or motives, which I actually don’t question, it’s fair to say the internal controls in these agencies are ineffective (FISA court syncophants) or very easily subverted. Which leaves us with the question of what if they go dark? Lacking serious internal controls and apparently licensed to lie, with Congress mostly cut out and otherwise gagged by law, where does oversight come from?

What Americans can see is this- they no stopping mechanism available to the them. It’s massively willfully historically ignorant to say that the people have nothing to fear from the kind of panopticon security apparatus now being built. Anyone who asserts such is lying to themselves or so totally ignorant of even the 20th century’s history as to be unfit for even the position of local alderman.

No one in government sits down and puts the pieces together of how the panopticon could practically be used to subvert democracy, given insiders with special authorities to unlimited information on all of us. We’re talking about how people adn movements can be framed, blackmailed, murdered or otherwise ruined or neutralized. How such could be detected and reported even against the wishes of those in charge of the panopticon.

No one is charged with even defining the scope or outline, nevermind the details, of the massive threat to democracy the all-seeing Sauron’s eye they’ve built is. We can’t defend against something we’re too intimidated or credulous just plain stupid to define and Americnas overwhleming feel they have something to defend against, even as they simultaneously trust the motivations of their current crop of officials.

But defining that threat is a first and necessary step in creating the faith in government’s efforts to protect the nation against the near future threats, threats which WILL materialize into reality tomorrow even as they defy imagination today.

With respect to taking prophylactic action agains this clearly foreseeable adn entirely credible threat, we’re about where we were when we were ignoring the fact that airliners filled with jet fuel could be turned into flying missles to be directed against civilian targets anywhere in the US. “Sure Mr. that COULD happen, but has it ever?”

Can you say Black Swan? I knew you could.

The point is, our government seems incapable of grasping the nature and criticality of historical moment we’re in now. It’s incapable of the truly novel thinking and action necessary to elicit trust from the American people. It’s only tactic is for officials to appear on Sunday TV shows and mouth empty words of assurance which tomorrow’s headlines lay bare as the lies they are.

We need the power to do what Reagan said- trust but verify. We know how to do this with the USSR and even Iran, but we don’t see it as necessary in this context. That’s a big mistake.

Meanwhile Americans are convinced that the FBI and CIA have nothing better to do with their time and resources than target tax payers who chat about Benghazi on Drudge or plan high powered rifle assassinations of shower-needing Occupy! protestors.

A lot of this paranoia is fueled by organizations like the Chamber of Commerce which probably does have something to fear given that they’re stuffed to the gills with the most toxic, bottom-feeding, federal-regulation ignoring, tax evading, Ayn Rand worshipping, export-ban breaking, money laundering, hidden Cayman account holding, insider trading, shell company owning scum known to man.

There are completely legitimate concerns on both sides of this issue which need to be taken seriously by the other side and that’s not happening because netierh side doubts their own purity and moral rightness and are sure the other side’s motivations are at best foolish and at worst nefarious.

Grayputer July 31, 2015 9:44 AM

Chris Said: “But in practice some encryption is easy to use, and some is difficult to you (think command-line parameters).”

Well if I have the source for a good algorithm, it is pretty trivial for almost any good developer to wrap it in a usable UI. ISIL has taken a number of cities who’s population can be coerced and they have recruited a bunch of various talent, some of which are likely developers. This doesn’t seem an insoluble issue to me.

Chris said: “I think you’ve overestimating ISIL if you think they will only use the very best encryption level, at the total expense of ease-of-use.”

Sure today they have lots of options and may not be using the absolute best, as to some extent traffic is lost in the noise and ‘good enough’ is good enough. However, if you think they are using crap for an algorithm, then the FBI doesn’t need to worry, do they. Assuming the FBI has a point, then ISIL must have some sort of a clue. So if pressed, they CAN take source with a good algorithm and fix the UI. OR they CAN take source with a backdoor and remove the back door :).

What does this mean to David Cameron’s position? Well either the world has to stop publishing decent algorithms OR David Cameron needs to ensure they are not available in the UK. Oh yeah, AND he needs to ensure that someone outside the UK with access to those algorithms can’t smuggle them in. So let’s ban USB keys, laptops, phones, tablets, and cameras from crossing the border. Oh, and since I can take the software and use steganography to embedded it in photos, let’s ban photos crossing the border. Wait that works for data files as well, best to ban those from crossing into the UK as well. Wait, photos appear on lots of web sites and in ads, guess we can ban surfing outside the UK. Wait what about email, or ftp, or … Yeah, pretty untenable isn’t it. Of course, it might fix the spam problem :).

— Sarcasm on —
I guess we are back to the only ‘workable’ solution, which is for David Cameron to ban all decent encryption algorithms worldwide. Oh yeah, and hope ISIL doesn’t have someone that can build one (or remember a currently existing one). Yeah, that’ll work. I’m SURE of it. He can do that right?
— Sarcasm off —

TimH July 31, 2015 10:03 AM

Remember that Cameron/Comey et al aren’t just interested in ISIS threats and similar external foreign threats to the country and infrastructure. They are at least as interested in knowing who is a threat to the power base – the successful protest organisers, investigative reporters, and other independent actors that are not controlled by the money interests.

Currently the establishment argument is that visibility is needed to conquer the outside threats, currently labelled terrorists. When that argument is deemed to fail, the threat target will change to child molestors and druggies. Because those are internal threats, and the ability to analyse all internal comms is what 5-eyes wants.

Clive Robinson July 31, 2015 10:17 AM

In the Cory list of things David Cameron would have to do he left out,

  • Ban all compilers and interpreters.
  • Ban all computer education.

Which also means,

  • Ban any hope of UK participation in eCommerce.

Thus render the UK a “fourth world” nation.

The genie is out of the bottle, Pandora left her box open, there is no going back no mater how hard David Cameron thinks we should,secure crypto is here and is not going away.

And those saying “we know who’s talking to who” is being a little silly, as for “but we don’t know what they are saying” there are ways to do an “end run” around the secure encryption in most cases, so you have to ask why they are not doing it…

Instead of listening to his lunatic Home Office Minister who is having her pump primed by ACPO and the UK IC, David Cameron should actually go and get independent academic advice, it will save much embarrassment later.

As for ACPO and the IC they know the Home Office minister is as bad as Maggie Thatcher was, but unlike Maggie does not like the Police or IC and thus want’s to cut their finances.

Thus this situation is brewing up to a “Curried Egg” [1] issue, where they feed factual but biasedly presented information to the Home Office Minister, who if she swallows it will end up looking rather embarrassed at best and a raving loonie or psycho at worst, which will please Boris Jhonston amongst others.

She has already started to go out on a limb based on the biased she’s been fed, the question is what is going to happen.

If she and her boss go to far a kick back is going to happen (and it’s started) if it goes far enough they will look like a pair of Prize Plums just right for kicking into the political wilderness, which starts the other side of the long grass the current political encumbrants will also likely end up in in.

Even if there is not a kickback, the police and IC just hold their hand out and we are in the same game play as Comey, ask for jupiter and settle for the moon and the purse strings open.

But what of the cause celeb or apparent Raison d’etre for this madness, the issue that is ISIS?

The issue of ISIS is becoming a joke in the UK the same political party that Cameron is PM of sent letters to the BBC –only– raising official complaint about the use of IS or ISIS etc because the acronyms represented the word “State” and thus the BBC were giving ISIS legitimacy they were not entitled to…

But ask yourself a question, why the fuss of ISIS? They are not a nation or even a caliphate just a bunch of idiots running around making a lot of noise and killing innocent people for reasons even their holy book forbids. Why are they becoming the goto bogie man?

Well one issue is around the other side of the globe and that is China… they buy the oil ISIS has, contrary to what the WASP nations want. Well China sits on the UN Security Council with a veto… Thus China now has a middle east partner just as the US has with Israel, and this is making some politico’s very nervous.

Even though nobody is seriously talking about getting a UN resolution to deal with ISIS militarily –not after Iraq–, because there would not be support from the voters.

But even if there was the support they won’t go to war unilaterally with ISIS because they fear that China will get involved, and it might turn into another proxie war with the worst political traits of the Korean, Vietnam and Iraq conflicts.

Thus politicos talk tough about ISIS for the newspapers via issues that will not harm ISIS but will cost the economy dearly…

[1] Search for Edwina Curry and egg salmonella scare, that ended her political career as a UK Minister. It even got called “Currygate” at one point.

nym July 31, 2015 10:17 AM

They are at least as interested in knowing who is a threat to the power base – the successful protest organisers, investigative reporters, and other independent actors that are not controlled by the money interests.

And you know this dystopian reality has been realized….how exactly? Big assertions require big evidence last I knew.

Harry Ferguson July 31, 2015 10:24 AM

The tacit endorsement of foreign software neglects the reality that an organization like the CIA is more than capable of toppling foreign governments. Don’t think for a minute that foreign organizations, operating in a domain where the CIA has been mandated to break whatever laws it needs to, are magically immune.

There are reasons why Jihadists have moved to couriers and Russian spies have reverted the typewriters. As MI6 officer Harry Ferguson stated: “western intelligence services have complete control over technical devices.” The key escrow debate is a ruse intended to shift attention to overt back doors and away from more insidious cover back doors based on zero-day exploits.

Winter July 31, 2015 10:27 AM

@nym
“And you know this dystopian reality has been realized.”

GCHQ spies on

Politicians:
http://www.dailyrecord.co.uk/news/scottish-news/snoopgate-scandal-brit-spooks-spying-6127095

http://www.ibtimes.co.uk/scottish-parliament-spying-nicola-sturgeon-demands-david-cameron-respond-gchq-revelations-1512408

Journalists:
http://www.theguardian.com/uk-news/2015/jan/19/gchq-intercepted-emails-journalists-ny-times-bbc-guardian-le-monde-reuters-nbc-washington-post

http://www.commondreams.org/news/2015/01/19/gchq-spied-american-british-journalists-nsa-files-show

Charities:
http://www.theguardian.com/uk-news/2015/jul/01/gchq-spied-amnesty-international-tribunal-email

https://www.opendemocracy.net/digitaliberties/leigh-daynes/doctors-of-world-how-we-discovered-gchq-was-spying-on-our-operations

TimH July 31, 2015 10:29 AM

@nym
Laura Poitras being harassed by Customs on every entry to USA despite being a citizen, until Glenn Greenwald writing an article about it?
No Fly List being used as a political tool?

Winter July 31, 2015 10:31 AM

@nym
“And you know this dystopian reality has been realized.”

GCHQ’s Online Spying Tricks: Rigged Polls, Facebook Propaganda, Skype, LinkedIn Info Capture

http://www.ibtimes.co.uk/gchqs-online-spying-tricks-rigged-polls-facebook-propaganda-skype-linkedin-info-capture-1456780

The Joint Threat Research Intelligence Group (JTRIG) was responsible for developing most of the software programs listed in the documents, which enable GCHQ personnel to make fake victim blog posts, manipulate online polls, send fake SMS text messages, promote a specific video message on YouTube, carry out Denial of Service (DDOS) attacks against websites, and even post fake Facebook posts to entire countries.

Istvan Chung July 31, 2015 10:51 AM

This is all besides the point, because RFC 3514 already provides all the necessary infrastructure to carry out David Cameron’s requirements.

nym July 31, 2015 10:57 AM

@TimH

I totally agree with the Poitras point. Yes she’s in close contact with Snowden but what crime has she committed? Their justification is jsut that- she’s in close contact with Snowden, a man wanted by the govt. I am not sure if she is suing them or not. I would like to see that adjudicated.

As bad is Stratfor’s plot against Greenwald, if the government were ernacting anything even remotely like that- targeting citizens for unemployment and personal andprofessional destruction based on their their expressing Consitutionally protected speech- which is what Aaron Barr and Stratfor was doing, it would be game over for this administration complete with impeachment, trials, jail time and radical oversight reform.

But the govt didn’t do that.

Stratfor was doing that in conjunction with the Chamber of Commerce. See my post for what I think of the later, and as to the former, what Stratofr was planning is probably a crime of some description, at least it’s Tortious Interference with Contracts . It reminds me of the shocking case f Ringlig Barnum and Bailey’s circus learnig that a reporter was going to do an expose of them and, to prevent that, engaging her through a third party to write a different book on a different subject and using this as a pretext FOR A DECADE to suck away her time motivation and interest in doing the expose.

In fact, I haven’t seen what everyone assumes to be true in any of the Snowden documents- that the US govt targets any US citizens for their political beliefs or Constitutionally protected activities. There are no “how tos” wrt to destroying American’s lives, neither public officials or private citizens.

If anyone ever does get access to that kind of document, there WILL be a shit storm of very epic proportions. This is part of the reason I say I trust the people in govt (now)- we got a peak up their skirt as it were and, well, nothing is there (if you count mass illegal surveillance as “nothing”). I don’t, but neither is it fucking cointelpro and targeted assassinations, literal or otherwise.

That doesn’t mean they wouldn’t or can’t. That’s what’s concerning. There has t be something outside them that watches them and has unimpeachable unstoppable power over them- power to whistle blow to people outside them. That runs couter to secrecy and national security objectives but that’s a risk and a price I think we should be willing to run and pay. Yes, it will happen that shit gets compromised, but that’s a lesser evil than totalitariansm, by far.

Notice the NSA engages in the same EXACT kind of thinking as my last szentence, just substitute “the 4th amendment” with “secrets” and “terrorist attack” with “totalitariansim”.

nym July 31, 2015 11:10 AM

@Winter:

For this one:

http://www.dailyrecord.co.uk/news/scottish-news/snoopgate-scandal-brit-spooks-spying-6127095

What I am reading is what they did was NOT illegal, but contravened an informal agreement and also the verbal assurances of the responsible parties. As a result of the revelations, it’s now in the courts and lawmakers are engaging with the issue. All that dastardly, double-dealing, clearly unjust skullduggery and the concomitant follow-on engagment by the lumbering state machinery is how democracy actually works.

nym July 31, 2015 11:28 AM

@Winter

This one:

Says this:

[UK govt talking]
“All classes of journalists and reporters may try either a formal approach or an informal approach, possibly with off-duty personnel, in their attempts to gain official information to which they are not entitled”

In fact what I know of this is worse- they were tapping some journo’s home phone, turning it into a bugging device recording convos with his wife etc. I am not sure how UK law views that. I suppose like here (US) it depends on the goodness of eveidence they have to show they had a reason to do this. Lacking that, they’re in trouble.

I knw the UK doesn’t give journo’s and the press the same protection as the US does. I am not sure what the limits there actually are. Of course, the US still has no federal journo shield law and what’s more, despite it being directly referenced by its own Bill of Rights, can’t decide who qualifies as a member of the press and who doesn’t.

The reason they do this isn’t to protect the PM’s shady investment vehicle involving human trafficking, right? It’s to stop classified (secret) info from leaking and THAT in turn is to stop their tactics against terrorists from being rendered in effective. That’s what this is all about.

My impression is, there are people in the security TLAs who are probably total sociopaths seeking power, ideologues who will do absolutely anything to control public policy decisions and just criminally inclined scum but they aren’t running the shows and what’s more could expect Snowden x 1000 up and down the chain of command if they did try to turn these agencies to the dark side. The problem is, that may not always be true and the continued iterative refinement of the techniques of compartmentalization, restricted access control and internal structural reorganization may finally yield a TLA in which, yeah a small group of like minded maniacs COULD actually take control of and end the democracy.

But these links I am reading are not that as far as I can see.

albert July 31, 2015 11:47 AM

@wym,
It’s naive to think that Snowden had access to secret plans for targeting individuals. This is CIA territory; it’s deeply embedded in their DNA. This is a group that doesn’t share anything with anyone. All we need to know is that the surveillance information is there; that’s all a clandestine operation needs. The actual operations would be very black indeed.
.
It’s downright disingenuous not to believe “…that the US govt targets any US citizens for their political beliefs or Constitutionally protected activities….” This is a government that routinely pisses on the Constitution. NO option is off the table for the IC, legal or not.
.
If 48 out of 50 investigative journalists* are put on no-fly lists, what do you think? Coincidence? Attempts to stifle their activities? Punishment?
.
..
.
..
o
P.S. Maybe the CIA is used only for really big ops. Don’t forget the FBI.
* OK, it’s a hypothetical example; there aren’t 50 real investigative journalists in the world.

nym July 31, 2015 11:54 AM

@Winter We just have different takes on this issue. You see this as Big Brother mating with political and social control to fascist ends. I don’t see evidence of that. I ackowledge that that is possibole and worry about that possibility. What I see now is people trying to prevent society-ending calamity inflicted on us by zealots. If that calamity should be realized, consider that everything guys like you and me care about is going to disappear over night. If you are disappointed in the level of outrage over Snowden’s revelations just wait until the grid goes down and people start starving-in-place. That is going to give them permanent carte-blanche in the eyes of all those you consider insufficiently outraged now.

There’s more of them than there is of us and they’re a lot less, uh, nuanced, in their thinking, in case you hadn’t noticed. I am not yearning to give them the event they need to let their ids out of their cages. THere are very very very bad people out there who realy do want to do unspeakble things to western civilization , which they really do hate as much as much as claimed. We really do need to start them because the first thing to die will be the same civil society you’re worried has caught a cold.

I am not saying that if I were a Dr in one of these organizations I would like being spied on or not seek to end it. I am saying that it’s more nuanced than that- there’s a legitimate other side here with legitimate interests which are, uh.. actually, prefectly aligned with my own interests and values and what’s more fightibng the fight to preserve those interests and values.

I do worry about the security state, but I think I worry about it in a different way than you. They are not (now) the enemy; they are a part of my society that needs suport but also careful designing and engineering, including some way to stop them from going off the rails as people fear they might.

winter July 31, 2015 11:56 AM

@nym
Who said anything about “illegal”?

The party in charge uses state spies to spy on journalists and opposition politicians. There is no state security involved, just political and comercial motives.

“Legal” has a different meaning in a country without a constitution. Anything and everything can be made legal tomorrow in the UK and illegal the day after.

The British goverment lost almost every case brought befor the European courts because of their flagrant disregards of even basic human rights.

nym July 31, 2015 12:10 PM

@albert – all i can say is for each of your asssertions, wehre the non-inductive proof, that is, where is the evidence of the thing you are asserting?

You’d have a shit fit (yes, I am guessing) if the quality and amount of evidence you site as proof that any of these TLAs are gunning for your dissenting ass (I am guessing again LOL) were used as a reason by the govt. to ruin your life or impede your freedoms.

You can’t infer criminality just because you want to. I mean you can, but do’t expect people to take action i civil society based on bare speculation.

Essentially, both sides do the same thing. Somewhere in some TLA there’s a guy’s name on a list of bad guys who is in reality 100% innocent across the board. The people in that TLA are very suspicous of this poor guy and he has no idea at all. But if that amounts to nothing in this innocent guy’s life except a couple of strangers talking smack about him in some RF leak-proof room over two styrofoam cups of bad coffee, well.. really so what?

It’s not different than people here talking smack about the people in the CIA. It’s talking smack based on not-good evidence and coming to bad conclusions and ruminating on those bad conclusions. Some people find that entertaining or something.

What I am saying is there’s a very significant difference between false inferences by fallible humans using fallible processes and pumping a goddamn Tommahawk down some guy’s chimney because of those flawed processes and reasoning, (or anything less than that which effects the material circumstances of his existence.)

Assume the first is happening and has always happened and represents in effect a waste of time and money. The assumption that because the first does happen, the second happens all the time with Constitutional abandon is just wrong.

albert July 31, 2015 12:15 PM

@twitter,

Even the very dysfunctional Obama administration probably wouldn’t target Apple and Google for ‘supporting terrorism’. It doesn’t matter that the US ME policy is totally responsible for ISIL/ISIS in the first place. A ‘suspected terrorist/supporter’ isn’t a terrorist unless they are proved to be engaging in terrorist activities. Under that ‘definition’, we are all ‘suspected terrorists’.

The one thing any US administration does have going for it is the ‘national security’ umbrella. That’s why they can target anyone or any organization with no proof of anything other than their word. Works good for individuals and small groups, but not so easy for really large corporations. A court case would be interesting.

.
..
.
..
o

Emma Bull July 31, 2015 12:17 PM

ISIL’s technique is vulnerable to traditional intelligence strategies–like, say, a deep-cover operative responding to those Twitter messages and getting recruited. Comey may be saying that back doors in tech are the solution, but I doubt the problem he wants to solve is the one he’s trying to scare us with.

Hans July 31, 2015 12:22 PM

Cory Doctorow is possibly way smarter than me, and has likely thought about this more than I have, but I think he is exaggerating just wee bit in the list of things that Bruce quoted of what it would entail to give Mr. Cameron what he wants.

It’s pretty simple to accomplish, and I’m fairly some countries have done it. You simply make it illegal to use encryption that the government can’t breach in one way or another. Using such technology would be direct evidence of guilt of some crime against the State, even if it were actually only love letters to your mistress. There’s no need to do all the complicated stuff Mr. Doctorow outlines, it would simply be illegal to use such stuff. Done!

Now I happen to believe that for the UK (or US) to join such a club of states where laws like this exist is fairly unflattering, and contradictory to their historical legal principles, but if that’s what they’re asking for let’s just call it what it is. If the shoe fits….

nym July 31, 2015 12:26 PM

@winter

OK so the journo spying and suspicion is to stop classified leaks, so really, that is in the job description.

The Scotland parlimentary spying is like the US spyig on the UN. They’re going to do it because wouldn’t most people? if they had the power and cared about the outcome? Lived on earth long? Then you know how people are. Organizations are generally WORSE than idividuals. So draw your conclusions.

That’s the thing- you can’t trust them to keep it in their pants as it were. If it’s legal, they’re going for it. Yes, it should not be that way, they ought to have refrained from spying in this case.

OK so I care that I live in a world where processes actually work. That’s what civilization is. So do you. If it were up to you, the spying would not have been authorized. Same with me. Are either of us successful politicians or spies? Now, think those two facts are related?

Just use what you know about the world . Very highly ambitous people are amoral opportunists, often. That’s why the Romans loved Cincinnatus. He just wanted to go back to his farm (so they say). So apparently this has been going on a long, long time.

You need laws and you need boundaries and you need an authority to enforce those things.

Anon July 31, 2015 12:32 PM

When we talk about banning crypto, I always think back to a story I read many years (decades) ago. Apparently, at one time, it was cheaper to send newspapers through the mail than letters. That was how newspapers were delivered.

So folks would buy a newspaper, open it up, and punch a pinhole above every character they wanted to include in their message. Then they’d reassemble the newspaper and mail it off to their friend at a much lower cost.

In this day and age, do you really think we couldn’t write a nice long letter praising the glory of America and our brilliant leaders, all the while including a secondary message quite the opposite? It’s classic stenography. But without knowing the pattern of which bits matter and which one’s don’t, you’ll never figure it out.

It’s not a question of the low order bits of each pixel make up the message, but more the lower order bits of every Nth pixel make up the message. Or, rather than every Nth character, they could provide the parameters for a random number generator, use it mod X, and anything below 200 characters between letters in the message is skipped. It’s not like we can’t send 100,000 character messages.

Bonus points if the message is hidden in email SPAM, and widely sent to very large numbers of people.

Signal, meet noise.

This whole thing of banning crypt is ridiculous. Anybody who wants to can work around it with minimal effort, and you lose the metadata (envelope) information.

Winter July 31, 2015 12:40 PM

@nym
“The Scotland parlimentary spying is like the US spyig on the UN.”

That is using the spooks to spy on the OPPOSITION party. That is exactly what got Nixon ousted. The Scottish parliament is a BRITISH parliament. Not a foreign one.

And neither Amnesty International NOR Doctors without Borders are in any way involved in UK national security. However, their activities are important as they hackle friendly DICTATORS. They are spied upon to hamper their work for human rights, not for their supposed illegal activities.

And the journo’s spied upon were the ones publishing on UK government law breaking. That is what whistle blowers normally talk about, about governments illegal actions.

All in all these are cases where GCHQ were used against the interests of the British public. And it had to be done in secret as it was against the interests of the British public.

Winter July 31, 2015 12:41 PM

@nym
“You need laws and you need boundaries and you need an authority to enforce those things. ”

All three are missing in the UK when we are talking about GCHQ and the ruling party.

nym July 31, 2015 1:01 PM

The Scottish parliament is a BRITISH parliament. Not a foreign one.

OK what I read was that it’s a sub parliment and not explicitly excluded from being spied on. Here’s the quote that lead me to that conclusion:

Here it is:
++SNIP START++
Internal policy documents obtained by the Record show GCHQ – responsible for mass surveillance in Britain – had extended the decades-old Wilson doctrine to MSPs until March of this year.

The convention is named after former prime minister Harold Wilson, who pledged in 1966 that MPs’ and peers’ phones would not be tapped.

In December 1997, then PM Tony Blair said it extended to electronic communication, including emails.

However, the policy was never officially extended to cover the devolved parliaments in Scotland, Wales and Northern Ireland once they were set up in 1999.

And while GCHQ voluntarily treated MSPs in the same way as MPs until March this year, it can be revealed that they have now changed the policy so MSPs are no longer included.

++SNIP END++

They are spied upon to hamper their work for human rights, not for their supposed illegal activities.

It’s not right, I believe, so we agree we are in opposition to heckling Doctors who heckle dictators.

But that is a judgment on our part about who should or should not be heckled and whether we should consort with any dictators ever, sometimes, or maybe this once given the circumstances and alternatives.

At least my judgement in these matters is subject to revision given further evidence. Unfortunately, I do not have all the information so while I am prepared to be against heckling doctors as claimed, I am not going to claim with 1000% certainity that it is always wrong and therefore it is definitely wrong in every case icluding this one. I can be against something but maintain doubt as to the correctness of judgment.

But the point is, yes we can be against it, and campaign against it, but it is not illegal (that is not our claim) and ultimately it’s rightness or morality may be, in fact, something about which we are mistaken.

And the journo’s spied upon were the ones publishing on UK government law breaking. That is what whistle blowers normally talk about, about governments illegal actions.

Sorry I did not see that in the links. I just reread them and did not see it a second time.

nym July 31, 2015 1:19 PM

@winter

The Joint Threat Research Intelligence Group (JTRIG) was responsible for developing most of the software programs listed in the documents, which enable GCHQ personnel to make fake victim blog posts, manipulate online polls, send fake SMS text messages, promote a specific video message on YouTube, carry out Denial of Service (DDOS) attacks against websites, and even post fake Facebook posts to entire countries.

Yeah but is there any evidence they have done any of this to Americans? Because if there is I missed it and I was looking for it. It’s just what you do to people who threaten your nation. It’s sub-lethal covert action. Three cheers for same.

Actualy, I think Assange may have been a vicitim of :

fake victim (blogs) (later they go on to describe fake accusers of sexual assault also)

and if so then I disagree since he’s not a terrorist. A leak publisher does not deserve fake victims getting him jailed, it’s disproportionate and destructive to our reputation the trust others have in us and we need when we want to convince the world of something important. My opinion.

I think a lot of this is just the shock of civilians at what spy agencies do. They deceive and lie and mislead and manipulate because that’s better than a bhot war. You can and should second guess their actions because if you don’t, if you trust to much then things get going in a very bad direction very quickly (Vietnam, Iran in 54′, Chilean coup etc etc etc)….but a spy is gonna spy and we need them to be able to do what they need to do to be effective because the world is a bad place filled with bad actors who want to do bad things.

Gerard van Vooren July 31, 2015 1:25 PM

I was getting really bored about IS/ISIS/ISIL and that this org/state is being misused by politicians as an excuse to introduce yet other Orwellian practices (as if ISIS is the only dark issue), until Clive Robinson came up with an interesting theory that I have not heard of yet (and would like to know more about), that is China is buying ISIS oil.

Because oil, that is important!

It is worth lying about and going to war for.

Granite July 31, 2015 1:52 PM

I don’t get it Bruce – why do you constantly presume innocence of our government’s intent?

“Perhaps the FBI’s reluctance to accept this is based on their belief that all encryption software comes from the US, and therefor is under their influence.”

Clearly the intent here isn’t as suggested, but a deliberate hegalian-like psyop where they act like banning secure is perfectly healthy, perfectly normal. The proposal is outlandish, yet we continue to tip-toe around the elephant in the room, which apparently not even the most scholarly of us can admit is happening.

Mad Scientist July 31, 2015 2:52 PM

What those items do not take into account is someone like me. I am a very experienced physicist with an old-school computer background. I write my own compilers, do my own independent encryption development/research, and can think-through the issues and create from scratch anything I need. If everything is banned, I will just develop something of my own.

d33t July 31, 2015 2:57 PM

“Comey wants communications companies to give them the capability to eavesdrop on conversations without the conversants’ knowledge or consent; that’s the “back door” we’re all talking about.”

Even if FBI were granted all of the back doors possible in the world, they will still not stop another 9/11 or Boston Bombing et al.(based on results) As far as the record shows, it appears that crypto was never a real problem for them while doing surveillance pre-9/11, and 9/11 happened anyhow .. on their watch, also NSA (likely ignoring already developed surveillance apparatus … ask Binney). Then there are the fake reasons for the Iraq war parroted by even Colin Powell of all people. (Which maybe helped to create the fear and problems they have with ISIL / ISIS now?)

All of the evidence of incompetency by most if not all of 3 letter, LEO / Intel agencies leads to one possible conclusion (of many): That with or without back doors and or (further) destroying privacy and peace of mind in the US for law abiding citizens permanently by neutering cryptography (one part to privacy on the nets), they will fail when it really matters, but they will succeed in violating human rights on a daily basis. Why? Because fear, uncertainty and doubt are really good for big business and corrupted governments (same thing). Like the one we live under right now. As far as I’ve read or seen in my lifetime, they villainize (or kill) innocents more often than they catch bad guys. Which is why this video message is still important today (with regard to FBI).

This government hates the reality of the public bearing defensive privacy weapons, like real cryptography in our daily lives. IMHO, that is the only reason we’re hearing about this all over again now.

Sorry for the rants / links, but this stuff is boring, and old and it makes me really mad. How much longer do we have to suffer the “Hayden” like Comeys anyhow?

albert July 31, 2015 3:30 PM

@wym,
Putting words in my mouth and assuming certain reasons for my motivations isn’t going to help your case.
.
The FBI, CIA, and the military have been and continue to perform covert operations here, and abroad. This has been documented. Many of such operations have been conducted on US citizens.
.
The TLAs can and do use mass surveillance to suppress dissent, and harrass and intimidate journalists. This is documented. Why was Laura Poitras placed on a no-fly list?

“…but do’t expect people to take action i civil society based on bare speculation….”
.
I don’t ‘expect’ people to do anything. We don’t have a ‘civil society’, and the government regularly uses ‘bare speculation’ to spy on its citizens.
.
“…What I am saying is there’s a very significant difference between false inferences by fallible humans using fallible processes and pumping a goddamn Tommahawk down some guy’s chimney because of those flawed processes and reasoning, (or anything less than that which effects the material circumstances of his existence.)…”
.
Drone strikes in other countries are a violation of international law and the sovereignty of nations, not to mention acts of war and human rights violations. “fallible humans using fallible processes” and “flawed processes and reasoning” indeed.
.
What we’re seeing here is creeping fascism, under the guise of fighting ‘terrorism’ (which can mean pretty much anything). There’s no logical reason to monitor everyone. It’s going to get worse, just watch.
.
Imagine, if you can, a US government obliged to follow international law (I’d be happy if they just followed our Constitution for starters). What a different world this would be.
.
..
.
..
o

Nick P July 31, 2015 3:36 PM

@ Bruce

I love Doctorow’s list. That the best way I’ve seen of putting into perspective of what it takes. I suggest you and Doctorow in future presentation tie in North Korea. They mostly implement that level of control. Yet, dissidents in North Korea continue to communicate with the outside world, people smuggle stuff in, we hack their networks due to insecurity that results, and so on. Emphasis: North Korea implements this level of total control and people on the inside still collaborate with those on the outside using what they have and what outsiders smuggle in. That their requirement already failed in countries that implemented the strongest form of it is quite the argument against it.

” George Washington University surveyed the cryptography market in 1999 and found that there were over 500 companies in 70 countries manufacturing or distributing non-US cryptography products. Maybe we need a similar study today”

That was a great move, too. I agree with you that someone should perform another survey. I intended to do it myself but it’s extremely time-consuming. I figure many would be smaller firms advertising in-country without much English. Could be wrong about that. Still seemed like it would take a group effort to pin them all down.

However, just citing the old numbers implies a counter-argument: “even if 80% of countries followed UK’s backdoor approach, ISIL would still have 14 different countries’ willing to supply them crypto gear on top of all the free ones online.” Made their position look so week in First Crypto War and should in Second.

tyr July 31, 2015 3:51 PM

What I find amazing is the wild eyed claims about
ISIS/ISIL and the general lack of understanding
of the narrative about them.

Once communism faded as the “spectre” there was a
clear need for a new boogeyman to justify the arms
industry and its auxiliary branches the IC. This
led to the trashed world is good for businesses
model. The real trouble is all of this clandestine
plotting has led to a confluence of competing
interests becoming so tangled that enemies are
busy funding enemies,nations are funding both sides
of a dimly understood conflict and leaders make
themselves into joke figures trying to appear
rational.

The Turks dislike the idea of a new Caliphate but
fighting it puts them into alliance with the Kurds.
The Shiah leaders in Iraq don’t want to see a
Sunni Caliphate but can’t be overly aggressive because
that would give the dreaded by USA leaders Iranians
a boost. Iran doesn’t want a ressurrected Caliphate
but they haven’t forgotten what happened when they
armed the Kurds in their borders. Israel/USA is
busy supporting Al Qeada in Lebanon because they
oppose Hezbollah. Saudi the perpetrator of most of
this mess is cheerfully bombing a neighboring
country and no one pays attention. Just like the
good old days of the cold war, if the area was fenced
off from the external parties feeding weapons, money
and ammunition into it the conflict would soon be
over. But everybody has an agenda and everybody is
getting a cut of the profits from this clusterf__k.

Nobody wants you to have a clear picture of this
mess, least of all the IC who created most of it
and are always ready to pronounce “We didn’t see
it coming!”.

If Clive is right that will up the stakes in the
game, while stomping on the Rus bears toes is fun
even the dim are wary of trying it with the Dragon.

Cory is rarely wrong about things and he has spent
enough time in international policy making circles
to have a good idea about what goes on there.

Check out thoughtmaybe you might get a better class
of propaganda now and then.

Matt Parcens July 31, 2015 5:49 PM

I really really really really like the part of Michael Certoff’s same quote where he goes on to say:

“Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don’t think socially we do that.”

Clive Robinson July 31, 2015 6:38 PM

@ Hans,

It’s pretty simple to accomplish, and I’m fairly some countries have done it. You simply make it illegal to use encryption that the government can’t breach in one way or another.

And the UK is one such country, you need to go and read the “Regulation of Investigatory Powers Act” and it’s amendments.

Whilst using encryption is legal, failing to hand over the keys on demand (no warrant required) can get you a lengthy jail term.

However so far the Judiciary are very reluctant to sentance or harshly sentance when they do. For what they see is fairly good reasons, ie it’s poorly thought out legislation that lacks sufficient oversite, and can also be used to set people up due to having to prove a negative.

Let us say I send you an email the body of which is encrypted with a symetric key. This key is put in the email header encrypted under a public key. All of which is fairly normal for encrypting lengthy messages.

There are a couple of issues, if presented with a letter requiring your key, they usually want your private key, not the asymetric key of the message. This gains them rather more than just the ability to read messages, it also alows them to create fake messages from you. There is no reason for them to have your private key but that’s what they go for.

Secondly there is no way to show that you don’t have the private key for a message sent to you thus were unable to read the message. Likewise it’s not to difficult to send an email where the real asymetric key is not the one which is encrypted under the public key in the message header. Thus you have the second case of trying to prove a negative, in that you can not show that the real message key can not be derived by you from the asymetric key in the header.

But there is a sting in the tail, because of the secrecy rules they can present a derivation algorithm to the court and shroud it’s origin from you and your defence team. Most cautious people receiving an email from an unknown address would treat it with suspicion and assume the “normal worst” of it’s a phishing or other attack and send it to the bit bin. Likewise if it came from a known address but failed to open. Thus anyone seeking to frame you could use a mindlessly simple key derivation algorithm of just invert all the bits or such like, on the fairly simple assumption you will bin the message without trying any investigation. However when presented to a judge the police “expert” could simply say it was the first thing they tried and it worked… The court case that resulted from the detention of Mr Greenwald’s partner, shows that the police present any old hearsay or invented nonsense they chose and do not receive any kind of sanction from the judge, which shows just how low the standards have dropped. Thus the simple attempt to frame you would have a high probability of success. Even if it failed, in trying to prove your innocence you will have revealed your private key…

Thus it’s easy to force you to hand over your private key whilst trying to defend yourself and once that has happened it’s then incredibly easy for the police to abuse it’s use with you having little or no legal recourse.

So RIPA is “plenty powerfull” already, thus you have to question the motives of David Cameron his Home Secretary and those that have “primed her pump”.

Clive Robinson July 31, 2015 7:18 PM

@ Gerard van Vooran, tyr,

China buys something like 50% of Iraqi oil production, puts into tankers and sails them through the South China sea at a quite alarming rate. It’s one of the reasons China is flexing it’s muscles over the South China Seas, and want’s to kick the US out of them.

Iraq has an interesting history of “oil smuggling” during the US sanctions after the first Gulf war, the people and equipment involved are still around. China has supplied more of that equipment to “Iraq” and “Kurdistan” and technicians etc to maintain it as part of their Oil Deal and “Hearts and Minds” political influance.

The word on the ground is both Iraq and the Kurds are selling more oil than they are pulling out of the ground.

So where are they getting it from and how are they transporting it and who takes the lions share of it?

I’ll let you “join the dots” and then go look up what’s happening over Pres Obama’s threats of sanctions against those buying the ISIS oil. It’s in those “shot across the bows” diplomatic language but for some reason there is no real “follow through”.

One reason as the US administration dam well know, they are buying some of it as well, so is Turkey who is sort of a US allie currently. The US could stop buying Iraqi oil and apply major sanctions to stop the ISIS oil, but it would have a knock on effect which would put the global price of oil up by anything up to 50% which would increase US gas and oil prices puting about $1 on a gallon of gas, which would not be popular with US voters…

Clive Robinson July 31, 2015 8:40 PM

@ Granite,

I don’t get it Bruce – why do you constantly presume innocence of our government’s intent?

I don’t think Bruce does “presume” the Government is innocent, however there is little direct evidence that they are guilty beyond doubt.

Whilst any reasonable person on seeing what has sofar been revealed in this area could be easily forgiven for believing the Government are guilty of quite a few things the evidence is circumstantial thus guilt has not been proved to the required standard that we are aware of.

If there was sufficient evidence of guilt that Bruce was aware of then I’m sure he would if he could blog about it, write it up in papers for academic use and give expert opinion testimony on it to members of government or in court.

What evidence there is, that has been published is more hearsay than verifiable fact. If Bruce presented hearsay as verifiable fact and it was found to be inaccurate then his credability where it realy counts in this battle would be blown out of the water.

Further it is apparent that there are or have been people trying to damage Bruce’s reputation, thus he’s in one or more persons cross hairs. Such people do it out of significant intent as Bruce “cuddly as he may look” is a thorn in quite a few peoples sides.

But don’t believe for one moment he presumes anything one way or the other, what he choses to look into and blogs about certainly suggests he has been looking for verifiable facts where he can quite hard.

Has Bruce made mistakes, yes I know of one because I was in part responsible. Which might account for why Bruce appears more cautious now than he was, as I am as well.

Earl Kilian July 31, 2015 11:07 PM

Even if they were to block app stores, it is easy enough to code AES or ChaCha20 in Javascript. Are they going to block Javascript too? That would break the whole web. Anyone could code up these algorithms from the specifications.

tyr August 1, 2015 12:11 AM

@Clive

I love playing connect the dots. One of the dots I
noticed is that in every ISIS fighter picture I’ve
seen they have a shiny new weapon. Most people
won’t know what that means but you will. When
you see folks with bright shiny new stuff they
were given to them by outsiders. The kurds on
the other hand have beatup looking stuff that
still works.

So if you follow the narcotics trade and the arms
trade and the oil trade around the world and
pay attention to the money trail you can connect
a lot of dots. Once in awhile there is an exposure
which fills in the picture as well. The last
Mexico prison break was a nice example.

One other thing that works is to look at conspiracy
theories and watch what floats to the surface in
the roil. P2 and Gladio come to mind there.
There’s also a wealth of info that gets exposed
years later, once they figure no one will look
at it.

Some of the stuff is superficial, we use anti-tank
missles on women and children from drones because
they stockpiled a lot during the end of the cold war.
You have to be as dumb as a cast iron pot to think
a Hellfire is a wonderful anti-personnel weapon to
use against one person. Selling them as the solution
is typical arms dealer stuff. The loon who bought
the Casino at Monte Carlo almost single-hndedly
invented that genre. Sold one country the new
submarine then scurried over to their neighbors
they were tense about and used that information
to sell them two submarines. I’m always interested
when the banned CBUs show up in these minor wars.
It means someone has dumped their inventory for a
nice new profit.

Petter August 1, 2015 12:40 AM

Swedens largest opposition party suggests that:

Säpo (Security Service the ones that protect the democratic system, the rights and freedoms of our citizens and national security) should be given the possibility to secret surveillance and perform sigint as early as during preliminary investigations.

And that they should be given the possibility to access and decrypt encrypted communications to secure evidence for terrorism related crimes.

http://www.moderat.se/nyhetsartikel/moderaterna-presenterar-samlade-atgarder-mot-radikalisering-och-terrorism

Curious August 1, 2015 2:24 AM

Presumably, what one might think of “legal overreach” would partly be about having power (overreaching, as in prosecution as a legal ting and persecution as a political thing) and having/maintaining the initiative (also overreaching, striking first, intimidation, surprise, persecution).

Truly Skeptical August 1, 2015 5:35 AM

Why do the feds keep pretending they need backdoors in encryption?

I’m sure Phase 2 of owning the internet involves FinFisher or Hacking Team style malware being installed on every device connected to the internet. Thus, I asumme they will eventually automatically filter every bit of internet data through their servers doing their best imitation of ‘pre-crime’ detection.

It’s what I would do if I was a fascist, authoritarian bastard with delusions of grandeur, and had unlimited funds for hunting the modern form of the bogey-man….

How long till we can run “FinFisher detect” on all main platforms i.e. Linux/Mac/Win to remove this advance malware?

How long till these spook programs are commonly in use by all hackers? 18 mths? 2 years? The profits are too irrestible for someone to flick the program out the back door.

As Bruce always notes, this stuff always gets out and is soon in the hands of the criminals. Thus, we are paying good taxpayer dollars to erode our own security and fundamental liberties.

Dystopian indeed.

albert August 1, 2015 10:35 AM

@Nick P,
I saw a TV doc showing S. Koreans using balloons to air lift cell phones across the border to NK. (Brilliantly low tech 🙂
.
@Truly Skeptical,
Orwell was right on; he just got some of the tech wrong…..but ‘they’ are still working on detecting and analysing brain waves, and scientists predict that someday we’ll be able to detect and quantify ‘abnormal’ brain chemistry that leads to criminal behavior (with Big Pharma following with ‘therapies’, administered by the Security State)
.
@Everyone,
Why are we still talking about encryption? I thought is was quite clear that the whole world economy would collapse if encryption were banned. Surely even the dimmest CEOs realize this. These are the guys who run the world, right?
.
..
.
..
o

Skeptical August 1, 2015 6:03 PM

Comey actually comes across as entirely reasonable here – he stresses the importance of strong encryption, notes that two important values are in conflict, acknowledges that many smart individuals have claimed that something along the lines of what he wants isn’t possible, and merely makes a plea that we work the problem more.

I think the criticisms levied make several assumptions about what Comey wants that are not necessarily well-supported.

the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.

The FBI is postulating an adversary that is smart enough to use encryption securely, but too dumb to use secure encryption. That is, he’s smart about configuring and keying the encryption he uses so that the FBI can’t get at his data. But if he’s given a choice between a bunch of US-controlled back-doored encryption programs and a bunch of non-US-controlled non-back-doored encryption programs, he’s going to pick the US ones.

Comey’s talking about this here, though, in the context of a threat (ISIL) that depends on being able to communicate with a large number of potential “operatives” (meaning anyone, of any skill level or capability, willing to deliberately further ISIL objectives by undertaking acts they suggest), and then being able to further communicate with interested persons in a manner not susceptible to decryption by law enforcement or intelligence.

So to the extent you increase the technical sophistication required for an interested contact to continue the conversation with ISIL, you are imposing additional constraints on a critical capability.

As the number of interested persons with sufficient technical sophistication diminishes, the proportion of that sophisticated group that can be addressed with more resource-intensive surveillance grows.

You’re essentially arguing that whatever measures are adopted will only have minimal impact on the degree of technical sophistication required – that one will simply need to pick apps from column B and not column A, and nothing more. But this argument assumes quite a bit more than Comey has said, and indeed more than is needed to accomplish the desired ends.

Lancelot August 1, 2015 6:56 PM

@ Truly S

I believe the benefit of doubt should be given to the government because its elected by the people. Unless proven othereise, of course, as we are all presumed innocent.

The difference you look at is in my opinion active vs passive snooping. It makes a big case in not only cost but security, of architecture. A well-versed designer, or architect, considers all angles and tangents. It has to be multifaceted.

Nick P August 1, 2015 11:09 PM

@ Skeptical

“So to the extent you increase the technical sophistication required for an interested contact to continue the conversation with ISIL, you are imposing additional constraints on a critical capability.”

So far, they run into them on web sites, social networking, chat, etc. The same sources could post links to the crypto apps ISIL recommends with shortcuts. The collaborators would download it, follow instructions for use, and off they go. Simple as that. Not much technical sophistication required.

gary August 2, 2015 6:41 AM

agreed banning encryption will accomplish nothing except more hacks…. there will always be a place the bad guys can use . the most reliable way of protecting countless systems globally and they want it dead because of a naive idea .
defend your encryption people !!!

albert August 2, 2015 11:55 AM

@Lancelot,

“… I believe the benefit of doubt should be given to the government because its elected by the people. …” – ROFL. You’ve got a career waiting in stand-up comedy. You should start by writing for John Oliver or Lee Camp.
………..
@anon,
Camerons suggestions are even more untenable than those of US Republicans. What Dave needs is a Peoples Democratic Republic of UK. I’m surprised no one suggested this to him before. Use North Korea as a model. (He might want to militarize his police forces first)
………….
Comey is part of the group that likes to beat wasp nests, then complain when they get stung. ISIS is more like Africanized honey bees. Someday, they’ll go after Asian giant hornets…
.
..
.
..
o

Buck August 2, 2015 2:02 PM

Will the real Skeptical please stand up?

Skeptical on Friday Squid Blogging: Squid Giving Birth:

ISIS is a despicable, evil organization, which the US and most of the world would quite happily see destroyed. And the US is doing a lot to help contain it and ultimately enable its destruction. But it also doesn’t pose sufficient threat to the US to justify a massive commitment of US resources to kill it quickly.

Skeptical on Back Doors Won’t Solve Comey’s Going Dark Problem:

Comey’s talking about this here, though, in the context of a threat (ISIL) that depends on being able to communicate with a large number of potential “operatives” (meaning anyone, of any skill level or capability, willing to deliberately further ISIL objectives by undertaking acts they suggest), and then being able to further communicate with interested persons in a manner not susceptible to decryption by law enforcement or intelligence.

So to the extent you increase the technical sophistication required for an interested contact to continue the conversation with ISIL, you are imposing additional constraints on a critical capability.

So, which is it? Are they a disgusting but otherwise insignificant sideshow? Or are they a serious long-term threat that requires a significant restructuring of our economic and legal systems?

Meir August 2, 2015 2:08 PM

A backdoor im every software is not needed only one on each device. Not that I think it is a good idea and it also requires the backdoor to be more active to be effective. But id I were setting up an Orwellian state I would focous on backdoora on each device.

Skeptical August 2, 2015 2:45 PM

@Nick: So far, they run into them on web sites, social networking, chat, etc. The same sources could post links to the crypto apps ISIL recommends with shortcuts. The collaborators would download it, follow instructions for use, and off they go. Simple as that. Not much technical sophistication required.

Is every application equally easy to verify, install, and use? Of course not. Does ISIL possess equivalent or greater capability compared with large companies and organizations to assess whether a given application achieves its desired purpose? Of course not.

We have to remember a key initial assumption in the argument. If a system were designed which combined the values of strong encryption with the values of allowing truly lawful access, and this system were widely recognized as such, and widely adopted – and obviously whether such a system is possible or feasible is open to question, but that’s the assumption – then options the primary purpose of which is to thwart lawful access would receive less support and less development. Less support and less development often leads to more bugs and less ease of use.

Skeptical August 2, 2015 3:10 PM

@Buck: At present they are neither of the two possibilities, imho. They’re not a sideshow, but they’re not a threat sufficient to justify deploying hundreds of thousands of US troops into Syria and Iraq either.

And Comey hasn’t called for a massive restructuring of our economic or legal system – he’s essentially noted a tension between the advantages strong encryption provides to a society and the disadvantages it carries, and has done little more than ask whether there is not a way to preserve or enhance the advantages while diminishing the disadvantages. It’s a reasonable question, premised on common values, and not one that requires anyone to snap down an ideological visor and charge into battle.

deLaBoetie August 2, 2015 4:11 PM

Sorry to burst the techno-bubble we have here regarding encryption.

“the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use”

Indeed – it’s called Arabic.

The agencies have been so obsessed with bulk surveillance and tech that they can never recruit enough Arabic speakers, and if you add a layer of jargon to that, there’s no way they’re going to be able to translate all the false positives you get fast enough to foil realistic plots.

But then, this encryption nonsense was never about the stated purpose – I can only speculate that it’s trying to smokescreen the unacceptable bulk surveillance & state hacking into some form of legality.

Anura August 2, 2015 4:20 PM

@anon

I don’t see how they possibly expect age controls to work on the internet at the web server level. That said, it’s an idiotic culture that treats sex as something horrible while glorifying war and violence.

Buck August 2, 2015 6:09 PM

@Skeptical

and has done little more than ask whether there is not a way to preserve or enhance the advantages while diminishing the disadvantages

Well, that’s good. If he had instead engaged in sensationalist fear-mongering, it probably would have been much more difficult to find technologists willing to consider the merits of his question…

albert August 2, 2015 7:04 PM

@deLaBoetie,
Yes, one might suspect that it’s difficult to get translator/analysts* from countries ones government is destroying 🙂

You might find Sibel Edmonds story interesting:
http://www.vanityfair.com/news/2005/09/edmonds200509

A petit vue into the FBI culture….
.
*translators are fairly useless unless they can sift and weed out useless information.
.
..
.
..
o

Dirk Praet August 2, 2015 8:24 PM

@ deLaBoetie

The agencies have been so obsessed with bulk surveillance and tech that they can never recruit enough Arabic speakers

You must be joking. There’s hundreds of thousands of Arabic-speaking refugees everywhere who’d give anything for a job, an income – however small – and a chance at a better life for themselves and their families. Whether or not it’s also an effective approach is an entirely different question.

@ Skeptical

(Comey) has done little more than ask whether there is not a way to preserve or enhance the advantages while diminishing the disadvantages.

I believe that he has gotten a very clear answer from some really bright subject matter experts. And it’s a no. I still haven’t heard of any crypto expert stating the opposite. If that’s not good enough, perhaps someone should remind him that he’s in charge of a well-resourced organisation employing an army of mathematicians and cryptographers. Maybe he could task them with a proposal for a viable solution?

@ Nick P, @ Skeptical

The same sources could post links to the crypto apps ISIL recommends with shortcuts. The collaborators would download it, follow instructions for use, and off they go. Simple as that. Not much technical sophistication required.

It’s pretty easy to find what they recommend. Check this blog, for example. Apparently, IS doesn’t like Apple products but hasn’t caught up with Stagefright yet. It doesn’t take a genius to understand that most, if not all proprietary US-based tech is probably off limits, and that just like everybody else they’re looking into home-grown, FOSS and non-US solutions such as Threema, Silent Circle and the like.

Which are not necessarily harder to use. With the exception of certain command line utilities, I still have to come across the first GUI-based encryption utility that requires a more extensive skill set than the one needed for driving a car through a crowded city. Adoption of many of these just fails because people are too lazy to learn how to use them (correctly) and/or don’t see the point of using them in the first place. Which becomes an entirely different issue when not doing so can drone you out of existence at any given moment.

deLaBoetie August 3, 2015 5:26 AM

@Dirk Praet

Well some wryness about Arabic being encryption, but not really a joke. The agencies were terrible at having enough people with Arabic speaking skills, and a lot of the ones you’d be likely to recruit might be quite sympathetic to what they are reading…

The serious point I’m making is that with the false positives you get in great profusion from mass surveillance and storage, there is no realistic prospect of having enough proficient multi-lingual analysts to read all that stuff. You are certain to miss something crucial. Sensible people inside the agencies make this exact point – there is a cost (in terms of operational effectiveness of the TLA) to have to analyse the data and have people look at it, because pretty much all of it is rubbish. And, as they’ve admitted, the benefits (at least in respect of terrorism) are minimal. Which means that the bulk surveillance is about other things, probably principally industrial espionage.

If you add into that some types of local dialect, slang, in-group idiom, and deliberate obfuscation, you automatically have a form of steganography – no need to use red-flag encryption.

And this gets back to the crazy nature of these complaints about encryption.

Bulk suspicion-less surveillance of the whole of the planet has automatically created a flourishing market in high quality encryption outside your control – where perfectly rational, ordinary people take steps to protect themselves against unprincipled, unethical surveillance. They’ve created the marketplace, now they’re complaining about the consequences and costs? Bah.

Haggishunter August 3, 2015 4:57 PM

Well, that is excellent PR for British encryption companies. BTW: German encryption firms already must incorporate a back door. Now, I do not care. My Lotus Organizer 6.1 runs on Win 10, so, in the worst case, I just would keep my current encryption software. It also would run for another 10 / 15 years, I assume. But clearly, the EDP understanding of Cameron of just pathetic.

Mr Schneier: Re your hosting for the newsletter: Maybe a solution like takimag.com would help? Sorry, I am not a specialist. Just trying to give you an idea.

Dirk Praet August 3, 2015 7:40 PM

@ Haggishunter

BTW: German encryption firms already must incorporate a back door.

Sources, please?

Haggishunter August 4, 2015 8:18 AM

@Dirk Praet: BTW: German encryption firms already must incorporate a back door. Sources, please?

Hello Dirk, That started in Western Germany in the Mid 90s. I remember having an encryption software from a company based in Western Berlin (that was in 1989 / 1990). They then closed the firm and the owner told me that “he had to close” the business “because”. You certainly will find information on Google. It is a law that has been encated I guess more than 15 years ago. I just red on FAZ 10th Aug. 2013 that the planned law never was enacted but that happened much earlier. Sorry, I am not familiar with German law, since I am not German but I am sure about that law.

On a sidenote: Most file shredding software also have got backdoors. Believe it or not but a programmer working for such a firm told me…

Dirk Praet August 4, 2015 10:11 AM

@ Haggishunter

Sorry, I am not familiar with German law, since I am not German but I am sure about that law.

I know that SAP has been accused of providing backdoors for the NSA, of German companies that develop surveillance malware and of the German government deploying such stuff (e.g. R2D2), but it would strike me as particularly odd that German law would allow for or even mandate software backdoors. If there was such a law, I’m sure organisations like the CCC would have brought it out out in the open long ago. But I can’t find any trace of it anywhere. So until such a time that you can come up with some more convincing references, I think I’m going to take this statement with a pinch of salt.

Haggishunter August 4, 2015 10:53 AM

@Dirk Praet: SAP is an ERP, so I do not know why any software of SAP should have a backdoor…

Anyway, would you trust the encryption software sold by our old friend and blueboxer WH???

Re the legal issue, perhaps you can search or ask at heise.de. Or ask a lawyer. But I am positive on the backdoor.

Dirk Praet August 4, 2015 4:00 PM

@ Haggishunter

Re the legal issue, perhaps you can search or ask at heise.de. Or ask a lawyer.

Err, no. The burden of proof is on the person making the claim, not on the person questioning it.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.