Michael Chertoff Speaks Out Against Backdoors

This is significant.

News article.

EDITED TO ADD (7/28): Commentary, and former Director of the National Counterintelligence Center Michael Leiter's comments.

Posted on July 27, 2015 at 1:16 PM • 31 Comments

Comments

Alan Kaminsky • July 27, 2015 2:04 PM

From the article, quoting Chertoff:

> Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don’t think socially we do that.

This is the first time I can recall anyone (implicitly) arguing that backdoors conflict with the Fifth Amendment, rather than the Fourth.

Mace Moneta • July 27, 2015 2:15 PM

Let's also not forget that the first time one of the 200 countries with a backdoor key loses control of it, all data accessible with the key is compromised. Like DVDs or Blu-Ray, it only takes one slip to screw the global pooch.

rgaff • July 27, 2015 2:53 PM

@ Alan

I think he's more directly implying if we ignore or effectively reverse the fourth for some reason, what's to stop us from doing the same to others too for the same reason (the fifth being the example)... Multiple amendments make things more difficult for law enforcement, in order to ensure freedom from what otherwise naturally turns into an oppressive government, so that argument applies to multiple amendments.

Nate • July 27, 2015 3:10 PM

Isn't that the typical pattern though: That people develop sanity after leaving their policy making positions?

rgaff • July 27, 2015 3:15 PM

@Mace

The safest place to put your data, is where nobody AT ALL can ever access it. Not even you. Assuming such a place existed, this is effectively the same as the data never existing in the first place.

Every time you add someone with access, you increase the odds of it "leaking" out to unauthorized individuals. So if you have data which only one person can access, it's at greater risk than if nobody has access. Note that this is still not communication, because communicating data requires at least two people with access, which is even less safe than with only one person.

Then you add a GIANT government agency, and OMG you just added anywhere from DOZENS to HUNDREDS to THOUSANDS with access... You can see the danger just went up multiple orders of magnitude...

Then you add all those government agencies around the world, and by then you almost might as well just forget it and make it public, because you can be sure every criminal organization worldwide will certainly have access by then. Law abiding citizens will be the last to get access.

And this is not even talking technology and what's technically possible, this is just logic alone.

rgaff • July 27, 2015 3:23 PM

@ Nate

I think it's more common for people to develop terminal insanity when they start such a position, and they never recover. It's good that a few lucky ones recover before they bite the dust.

Tadashi Togo • July 27, 2015 3:41 PM

From the article:

> Nevertheless, it’s not just hippies and hackers making these arguments. It’s also someone who, for most of his career, pursued and prosecuted the same kinds of people that Jim Comey is today.

There is **no way** "only hackers & hippies" are making this argument.

It should be noted that while "hacker" is a potentially controversial word, in the programming field it is routine for developers to use it. For law enforcement distant from computer security (which can include people recently moved to the area), the term "hacker" only has negative connotations. In computer security, it is largely used with people who "break stuff".

Finding people *for* this argument who know anything about computer security is very hard to do. It is horrible for security.

Technically, according to the official wiretap statistics of last year, something like only .00001% of cases were hampered by encryption. Thankfully, they are not actually lying. Yet.

This is also a horrible statement to be making diplomatically, commercially, and from an intelligence angle.

Politically, it is a disastrous, negative statement to make.

Conservative, liberal, anywhere in-between or outside, Americans are not friendly for invasive systems that resemble Nazi or Communist type sympathies. Asking to put a backdoor in all American code comes off, politically and diplomatically like, "Hey, we are joining the North Korean Communist party and want to backdoor all American systems, just like the Soviets used to do!" It is atrocious. They are making fools out of themselves.

Diplomatically, it is a menace, it is especially a menace as it follows on the wake of the Snowden and Manning disclosures. It says, "Hey, remember us, a freedom loving country, well now we are thinking since we have so much power, maybe the Soviets and Nazis weren't so off".

Commercially and diplomatically, it says, "Hey, world, you know all those great American products you buy? Well, we want to be able to put in spy doors for them."

Why not just say, "Don't think you will be continuing to buy American products in the future. We don't want you to."

It is like the sense of privacy is gone. People assume there are such things done, but it is something else to be flagrant about it.

It is like filming yourself taking a shit. Everyone knows you take a shit. We do not actually want to think about it. Close the door when you are taking a shit.

That is meant to be private and secret. Otherwise, what happens? You start to have a society where everyone is starting to take shits in public. Chaos results. Lol.

Intelligence strategy wise, they might as well wear a tshirt that says "I am a spy", and wear sunglasses and a trenchcoat. Pass em out to all your people. Why can't everyone know you are going to spy on them and when you are? We can have a truly "naked" culture, globally. Where everyone gives up all privacy rights to everyone else. Clothes? Pshaw. Privacy? Forget about it.

rgaff • July 27, 2015 4:09 PM

@Tadashi Togo

I would add that the problem is that while we're all busy debating about whether they should be publicly allowed to backdoor everything out in the open... they're freely busy backdooring everything imaginable in secret...

So we need to go much farther than just stopping them from doing it openly, we actually need to make it harder and/or impossible for them to do it in secret too! Otherwise, the same thing will result: World says "thanks US, but we don't need your stinkin products!"

By the way, I love Godwin's Law :)

Tadashi Togo • July 27, 2015 5:41 PM

^^ Great example of how the word "hacker" is often very deeply misunderstood outside of development and computer security circles:

http://arstechnica.com/security/2015/07/a-public-marketplace-for-hackers-what-could-possibly-go-wrong/

The idea really was good. The word usage was horrible. Everyday people do get hacked all the time, or need security advice. But, because of the usage of the word, the site gets overrun by these sorts of requests:

"Change my final grade" "Change degree in english university" "I want emails sent and received by addresses with the url [redacted] to be automatically forwarded to my proxy email address for an indefinite period of time. The addresses are not likely to be heavily protected but I require that no address can be missed from the forwarding hack." "I am trying to find someone skilled in Hacking social media accounts to hack two facebook profiles." "I believe my husband is cheating on me and I have no access to his phone and would someone to hack into his whatsapp to confirm this." "My brother in law has been avoiding my sister lately a lot and she is worried...I would like to have a full access on his email."


Minor point, but who is most ardent about this backdoor issue are computer security people. And you can rule out these agencies espousing this cause, because their bosses have this opinion, the rest of the organization will follow suit.

I mean, some of these laws people have been espousing are sick. Really far removed from reality.

I do think, however, everyone can understand the meaning of "the US Government wants backdoors in all American made software and hardware products".

James • July 27, 2015 5:53 PM

@Alan Kaminsky

The Fifth Amendment analogy is interesting, and I also think that compelled self incrimination is the aversion to which Chertoff is alluding.

However, one must not forget that the Fifth Amendment is generally no direct bar to regulatory regimes making law enforcement easier.

For example, the Supreme Court has held that the government can compel a driver of a vehicle to identify himself after being involved in an accident, even though such a self reporting requirement is tantamount to self incrimination.

And the court has essentially carved out a big loophole for records whose retention and production can always be compelled by the government without any Fifth Amendment protection.

The government can mandate that any user of non-backdoored encryption must keep a copy of the decryption key for inspection by law enforcement.
And whether such a self escrow mandate is constitutional has no easy answer.

One might think that it's clearly unconstitutional, because the government can't punish people for failing to keep a diary of their crimes, but under the required records doctrine there is no longer self incrimination once the information contained in the record is something to which the government is entitled.

Dirk Praet • July 27, 2015 6:31 PM

I don't know. One cannot but wonder if he would still say the same thing if he had been wearing a TLA hat. That would have been significant indeed.

Daniel • July 27, 2015 6:38 PM

We are veering off topic but the reason that hackers is a controversial term in the eyes of some is because back in the good old days of the 1970s and 1980s there was a distinction drawn between "hackers" and "crackers". Hackers were the bad guys and crackers were the good guys, even though they did exactly the same thing. Over the ensuing decades this distinction (rightfully so, IMO) got lost and was replaced instead with the "black hat" vs "white hat" distinction.

Where the hacker/cracker terminology still has some salience is in the "freedom to tinker" movement. These people worry that if they become associated with hackers (negative connotation) this will be an excuse to take away their "right to tinker". The better approach, IMO, is simply to stop thinking of hackers as doing something socially negative--a point Bruce has made in the past. Call them what one wills but we need people to break things, not just tinker with things.

rgaff • July 27, 2015 6:49 PM

The only way you can make things better is to figure out how they break...

Tadashi Togo • July 27, 2015 7:32 PM

@rgaff

> By the way, I love Godwin's Law :)

It is what registers in the back of the minds of Americans and Europeans. That is their definition for 'evil'. And, it is a good thing. People today know the definition of evil. They can be certain about it.

In context, I was just explaining the message they are sending to the world. People interpret messages on a core level, and are very indirect about how they claim to process them. Not so many would directly say, "This is Nazi", but many would have that button hit inside them. They may not even consciously think it, but that button would be hit.

These points are about them doing their own jobs very badly. They clearly have very bad technical advisers, and they have a very poor understanding of communicating with the global public. We saw a very similar situation in the lead up to the Iraq War. The facts were poor. The evidence was shoddy. And the presentation was very poorly delivered.

I do not personally believe they are literally Nazi, nor Soviet. It is just a really bad idea. Even if it were a good idea, technically? It is a horrible idea to back from a standpoint of representing your organizations and nation to the world.

I suppose it is a bit ironic. 2015. Major leaders. Should be big fish in a big ocean. But, really? You are talking about very insular people who thrive in small ponds. Important, powerful ponds. But it is very removed from the bigger ocean of the world. Hollywood gets it. Music industry gets it. But these people do not get it.


> I would add that the problem is that while we're all busy debating about whether they should be publicly allowed to backdoor everything out in the open... they're freely busy backdooring everything imaginable in secret...

I do not have as much confidence in their capabilities. Individually, you have a lot of usually competent and even very competent adults. Collectively, they can build some sophisticated products. But, also, collectively, there is enormous waste there. The overall system is operating very poorly.

The defense and intelligence system, altogether, is very big. But what they are attempting to tackle is practically everything. That is much, much bigger.

They want political intelligence, economic intelligence, sci-tech intelligence, they want information on the entire world's population. They want to try and understand everyone. To see if anyone is a possible threat. They believe their system can take on everything. But, it can not. That is not reality. That is magic.

And not the kind of magic that is technology yet to be understood, either. The kind of magic that does not exist, but people believe exists.

In the corporate world, where very bad ideas do get very well funded and do not flourish, investors lose confidence. There is competition. Bad projects, poorly timed projects, they do not succeed. They go bankrupt. Investors learn. The industry learns. There is adaptation. It is poor, but functional.

This is not the way it is with government. There are puddles of competence. But a vast sea of incompetence.

...

So, I do think they are frustrated.

I do not think this is all just a cover. A very elaborate, public cover to hide the real competency.

I think because they are frustrated in getting what they want, there are advisers telling them to go this official backdoor route.

This kind of speaks against my argument that, by their own wiretap report, they are not frustrated. I am not sure where they are frustrated. We know they use security vulnerabilities illegally, in foreign espionage. They probably use them domestically. That is hard to fund. Look at that DEA agent in the Silkroad case. He went rogue, and that was a major new type of investigation. Just, drop of the hat. Crazy rogue. Surely he knew his information was being logged? That his bank transfers would be easily tracked back?

So, I do not think they go crazy with that, domestically. It is too dangerous.

They are frustrated somewhere, but not saying where.

They do get a lot of security vulnerabilities. We can be sure about that. But, these do get found and they get fixed. And then they go stale. That does cost money. I guess, the idea is, they can remove that problem from the equation. But, all they are doing is shouting at any potential user, "Warning: Probably Is Surveilled by the US Government".

So, even from an intelligence gathering angle? That does not work. It is a horrible strategy.

All of this from a cover strategy? Pretending they do not 'thoroughly penetrate all the foreign systems', when, in fact, they do? Excellent strategy.

But, then, bigfoot, gnomes, unicorns, and aliens do not exist. People are human beings. Weak, fragile, young.


> So we need to go much farther than just stopping them from doing it openly, we actually need to make it harder and/or impossible for them to do it in secret too! Otherwise, the same thing will result: World says "thanks US, but we don't need your stinkin products!"


Everyone in the industry stays by this mantra, whatever their threat table looks like. That never changes. I have never worked where the US is the threat, not even post-Snowden. Many do not and have not, not in the US. They design security systems to be unassailable, from anyone. If they are detection systems, to detect systems attacker neutral.

China, US, criminal hackers, organized crime, full disclosure researchers, malware writers, even your own red teams. Whatever.

Threat analysis is important. It is important to 'know your enemy'. If you think Person X is your enemy, and they are not? You may not be paying attention to Person Y who is your enemy. Distraction and focus are key points of good security.

The glut does mean there can be misfires. Seasoned analysts and agents or officers are seasoned because they are good at not misfiring. There are exceptional cases which make the headlines, but those are exceptional cases.

They can read people, even complex people.

If you are in a nation other than the US, though, you are open season, if you have any value. I do not have value for any nation, no information currency they could value. Nothing they could trade anyway.

Do you? I do not know. Not a polite question to ask. I would think "not", if only because you are freely posting here.

Tadashi Togo • July 27, 2015 7:49 PM

@rgaff

> The only way you can make things better is to figure out how they break...

Yes, exactly. And when this is not done, what is produced is a horrible product. The industry has matured much, though. But the way it was, be it AV, general software security, network security products - whatever - there was a lot of very poor "gaming" implemented. Now, much better. In fact, this is one of the best industries, today, where solid and consistent, aggressive "gaming" goes on.

Lotsa vaporware though. Sounds good on paper, does not work good in practice. Poorly tested. Overly well marketed.

@Daniel

> Where the hacker/cracker terminology still has some salience is in the "freedom to tinker" movement. These people worry that if they become associated with hackers (negative connotation) this will be an excuse to take away their "right to tinker". The better approach, IMO, is simply to stop thinking of hackers as doing something socially negative--a point Bruce has made in the past. Call them what one wills but we need people to break things, not just tinker with things.

Yes...

It has gotten much better. Ironically, that is because of hacking being so prevalent. People have some grasp "there must be a lot of people working against that". Purely breaking stuff, remains an easy, solid career route with plenty of high paying positions. Consultancies all over the place, every company has teams. If you are really good, break something major, and poof, you have a resume.

I say "ironically", because it is also true that media depictions are usually of attacking hackers. It is not sexy to secure stuff or even game stuff. Even offensive hacking is hardly sexy. In most shows, they play minor, nerdy characters where one person represents teams.

But, it is difficult stuff to explain. Everyone goes to see a doctor or dentist. They do not understand their "tech". But, what computer security professionals do is behind closed door and is arcane, obscure. I do not think it is sexy. More than a lot of jobs, and you see and know a lot of interesting stuff.

But, nothing to make a movie about. :-)

Bob S. • July 27, 2015 8:33 PM

The remarks kind of make up for Mr. Chertoff's unseemly support of body scanners a while back.

Also, Chertoff's comments paint Mr. Comey, Mr. Rogers and like minded power freaks as technologically backward, politically repressive and Anti-Constitutional.

However, it could be secret "i-doors" are already in place on well known and distributed software and hardware, leaving police state leaders no other choice than to whine, cry and grovel for new laws making more mass bulk collection retroactively legal and forever immune from accountability.

Bruce, I thought you may have written the comments for Chertoff.

1111111111111111 • July 27, 2015 9:19 PM

“…what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that’s going to be a strategic problem for us… One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves…requiring people to build a vulnerability may be a strategic mistake.” -Michael Chertoff via emptywheel

https://www.emptywheel.net/2015/07/26/michael-chertoff-makes-the-case-against-back-doors/

I concur with Chertoff. He states the problem well. I will say if an American product is backdoor’d or laden with spyware, customers will go to other vendors and hurt American business.

Being hit in the money purse over government rigged products is very painful and destructive to American business. Don’t let it happen.

CallMeLateForSupper • July 27, 2015 10:35 PM

opined a poster, above: "Being hit in the money purse over government rigged products is very painful and destructive to American business."

Basic freedoms are in the balance here. Arguments premised on good/bad for business are a dangerous distraction.

Different subject... I wanted to cheer out loud when I read Chertoff's statement "...we do not historically organize our society to make it maximally easy for law enforcement". My response to Comey's first "going dark" grumblings last year was, who says your job must be easy?!

Gweihir • July 27, 2015 11:20 PM

Well, at least the idea that this issue may not actually be as simple as "more surveillance possibilities are better" is getting more widespread.

Of course, none of the surveillance the NSA, FBI and their ilk are doing is actually about what they claim it is: Fighting terrorism does just not work that way and we now have plenty of examples. Rather obviously (just look at the Soviet Union under Stalin, the 3rd Reich and what, for example, Northern Korea is doing) it is about identifying dissenters, independent thinkers and anybody they do not like. This is hugely dangerous, but the one good thing about it is that they cannot actually today tell the public that this is their goal. That would be far too obviously evil. Hence they have to come up with the "terrorism" lie and similar ones. And there they run into this little problem that China and Russia and a lot of others have the same level of legitimacy (real: none, lie: a lot) of wanting to fight that too. And there the whole idea of crypto-backdoors breaks down in a fashion that is obvious even to non-experts.

Fortunately, they did not find a better lie to cover what they are actually after or we would be in deep, deep trouble. Still, there is a global rise in fascistic tendencies, so we may actually see the cover-story shifting here and end up with everybody being spied on all the time and openly, "for their own good". Interestingly, this justification worked in Stalinism and the 3rd Reich, so if people can be frightened enough, it may just work again. Quite a few people are working hard in that direction.

Clive Robinson • July 27, 2015 11:30 PM

@ Daniel,

> We are veering off topic but the reason that hackers is a controversial term in the eyes of some is because back in the good old days of the 1970s and 1980s there was a distinction drawn between "hackers" and "crackers". Hackers were the bad guys and crackers were the good guys, even though they did exactly the same thing.

The first sentence is partially incorrect; the second is wrong.

"A hack" or "to hack" was about the technology / method that was used, it had nothing to do with the use to which it was put. The origin of the word "hack" whilst not lost to history predates computers by several hundred years, and had several derivations, including in horsemanship. Its origin appears to be the equivalent of "cut through" or "cut around" otherwise difficult or impossible ground. Thus it has a similar meaning to "a cut through" / "rat run" / "short cut".

Back in the early days of model railways being connected to computers where the term "hacker" was coined, it originally referred to someone who frequently did hacks or clever short cuts. It was thus a compliment on skill similar to calling someone a "guru" or "steely eyed missile man".

It was the general press of the 1980's who did not do their homework on the culture of the early home build and home coding teenagers that perverted the term "hacker" to mean someone who did "evil" deeds. The press did the same lack of homework with the meaning of "acid" from "acid house" music, the term was about cutting music together in the mix, and absolutely nothing whatsoever to do with drugs.

But the press by their "clarion call" misuse in both cases meant that idiot "knee jerk" politicos started misusing the words as well, thus giving "official gloss" to the incorrect usage...

It was in self defence the homebrew and old school hackers came up with the word "cracker" to mean someone using a hack for ill intent, and thus try and stop the tide of misuse of hacker but it was too late.

It feels strange to have lived through the rapid change of quite a few terms not just hacker and acid, that were not "youth culture" usage such as "sick" and the invented word I most hate "init". It feels even more unreal when you find the "youth culture" has "taken them back" and given the words new meaning yet again...

It's why the anger of people at the NSA redefining words like "collect" is not at the action of redefining the word, but because the NSA do what all secret societies do, use it to hide their activities from non initiates, and appear innocent when in fact they are guilty of treasonous deeds. Those initiated in such societies will incorrectly call the action "jargon" which it is not, because the meaning of jargon is actually absent of any intent towards deliberate secretiveness or malice.

Oddly perhaps we've had this hacker / cracker origin and usage conversation on this blog in the past and Bruce felt that we had lost the argument so should use what had by that time become the common usage of the word hacker. Thus it feels down right odd not to say spooky to see some one who has 180'd the meanings.

No doubt at some point lexicographers possibly within my lifetime will be as confused about the origin of the word hacker in the subset of human meaning that is computer culture, as they currently are about the word nutmeg and how it came about in the sub culture [1] of --English-- football (or soccer to those of the NFL sub culture, or more honest "Ozzie Rules" sub culture).

[1] I'm using "sub culture" here in the literal meaning not the pejorative meaning. That is "under the meaning of the word football" not as others might wish to use it to imply it as being somehow detrimental or demeaning of a group of individuals [2].

[2] And yes it's a measure of how much this blog has changed in recent times that I have to make this clear, to try to head off those wishing to appear to be the new "Self Appointed Political Correct brigade" (and yes I do mean that in the same pejorative meaning as "trolling").

Gerard van Vooren • July 28, 2015 12:12 AM

@ Dirk Praet

"I don't know. One cannot but wonder if he would still say the same thing if he had been wearing a TLA hat. That would have been significant indeed."

My thoughts exactly.

Tadashi Togo • July 28, 2015 12:55 AM

@CallMeLateForSupper

> opined a poster, above: "Being hit in the money purse over government rigged products is very painful and destructive to American business."
> Basic freedoms are in the balance here. Arguments premised on good/bad for business are a dangerous distraction.

Another poster made that statement, but I made a similar one, and offered similar opinions.

I do not disagree with this argument, that the primary focus should be on aiming at the problem of them attempting to compromise our (and even their own) basic freedoms.

Why did I make the statements I did? I am arguing from their standards of morality. I am arguing from their perspectives. Individuals and to some degree social groups have their own standards of morality. To get them to break you have to show them not how they violate my standards nor your standards, but their own. This proves, by their own standard, that they are wrong.

A liberal does not care if they do something a conservative would condemn deeply but a liberal would not condemn. A conservative does not care if they do something a liberal might deeply condemn. Either does, however, care, if they have it shown to them... what was previously unknown to them... that something they are doing is equivalent to what they most deeply condemn.

For whatever reason? People keep strong moral codes quite often, but they do not properly think out all of the equivalents.

When you can explain to them, using reason, that something they are doing is equivalent to something they very consciously and very deeply condemn? You can get them to change their course of action.

Then it is not *you* nor "the choir" condemning them. It is their own self. Hard to believe, but every single person on the planet earth is actually capable of reasoning. As dishonest and as hypocritical as they can be, somewhere, deep inside, they can actually properly reason. And to get shit done, you can use that capacity for rational weighing of weightier versus weightiless against them. By their own standard.

Some build up. Some tear down.

Building up, remind people of how this sort of thought and statement is immoral, even totalitarian, Nazi. How no one would want to have their own personal rights taken from them. How they may be totally fine with "doing this to others" -- but how do you really get them to understand in a believable way... that this very same thing could happen to them? How quick they are to change the course when you get them really understanding - not just thinking, understanding - on those terms.

Manipulative, diabolical, evil, yes. Whatever. Indirect. People are indirect, manipulative, diabolical, and evil. You establish rapport with them, at the core level, and lead them to some damned possibility far better than the limited options their limited imaginations are considering.

Not edifying. Ripping down, and cutting open.

Important consideration: does this actually work?

From an anonymous, highly 'morally sketchy' voice? I find it works scary well.

Food for thought.

Sadly, I can not get such people to operate as I might be so amused, nor such large and powerful social groups. For instance, I might enjoy them all the more if I could get them to believe and act as if they were my personal doggies. Unfortunately, I can not do this. What I can do, with like minded people I work with, is get them to come to some manner of 'common sense'. And change course from obvious and clear evil they were previously ignorant of.

X...X...X... signed, in my own human blood, lol :-), Advocatus Diaboli.

Or, simply, super fucking accurate Golgi 13.

Whatever *that* means.


Clive RobinsonJuly 28, 2015 1:20 AM

With regards,

… what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that.

We already know the answer to this and "the usual suspects" were discussing this over in the current "squid thread" less than two days ago.

Blackberry, used to have a reputation as to being able to offer "secure" phones (we know this was the reason Obama "lived on" one and got a very rude shock on becoming president).

However certain countries, that those in WASP nations regard as "repressive" for various reasons, used the "give us the keys or we will ban you" negotiating tactic. Being a relatively small company with no real diversity of product, Blackberry did what they thought was best for the shareholders and caved in to the tactic.

It was a stupid thing to do, because the "domino" effect started and soon Blackberry had three problems, further countries using the same tactic, and customers in WASP nations where corporate sales really counted dumped them as "snake oil sellers". Not what the shareholders wanted at all thus they started to get out and the share price dropped as well...

It's a lesson which we will see be repeated several times before the idiot politicos --who make the mistake of listening to the criminally negligent / terminally lazy LEO's that Comey represents-- get the message "it's a stupid policy" from their voters who have lost their jobs...

As for the countries who try the tactic, they usually have a lot more to lose by banning "Smart Phones" than they could ever hope to gain, so it's a lose:lose tactic for them if the US is the only supplier.

But the US is not the only supplier, in fact it's a major market for other countries products... Countries that nearly all manufacture in the Far East or more recently other parts of Asia...

Thus the US are going to find a couple of things, firstly they will lose foreign sales --which is already happening--, secondly the loss of moral credibility not just with the rest of the world but with their own citizens will have unavoidable consequences...

One of which is those who manufacture in the Far East will put in not just the US backdoor for US bound product, but a backdoor for China etc as well, and the US can not morally object. Secondly the Far East manufacturers will simply supply product without the US backdoor to every other nation and those products without US backdoors will end up being used by criminals in the US regardless, because there are so many already there any way.

Even if the US clamp down on phones without the US backdoor, criminals will have no difficulty in getting around the backdoor. This is because computer files are a "bag of bits" and without the correct metadata that bag of bits has a multitude of meanings, thus tagging a bag of bits with the wrong metadata gives another meaning to the file. Call it stenography or code, it does not matter; the intended recipient knows the real metadata and thus the file's real meaning, an interceptor does not. There is no way to enforce the correct correspondence of file and meta data unless you fully control the process, which you can not.

I could go on at considerable length to show that at every conceivable angle the idea of a backdoor is going to fail easily in some way so can never reach its objectives. But a quick search on the Internet will show that to those who know how to search.

It's the secondary and tertiary effects to the US economy and what it does in turn to the US citizen that are less easily searched out.

Back prior to World War One the US had a "Splendid Isolationist" policy in place and it got a very rude awakening. Back then the US population was less than a quarter its current size, and by modern standards the majority were in technological poverty. US society worked in an entirely different way. To try to go back to those times is impossible for various reasons not least of which is the US can not meet its food and energy requirements for its current population domestically.

The attempted enforcement of a US backdoor will mean that "Splendid Isolation" will be the result if successful and the US will fail as an economic entity shortly thereafter. I'm not sure what "fourth world" living will be like, but I'm fairly certain the likes of Somalia etc can give people indicators. Think along the lines of war torn third world nations to get a nicer view of one potential outcome of this policy if fully enforced.

I can not see the citizens of the US wanting to go down that route so at some point a US backdoor policy will fail to be enforceable.

Which brings us back to why the Key Escrow and Clipper Chip got scrapped, people with wiser economic heads got the attention of the executive of the time. And the "stake to the heart" was the realisation that the backdoor itself had been backdoored which Matt Blaze demonstrated was there by negligence or intent of the NSA...

Now either Comey is an idiot or a gambler, or both. The question is what he is really after with his tactic. There is an old horse trader trick, whereby "You make the best deal go bad" thus the second deal on offer will be accepted no matter how bad it is in reality.

The only sensible thing to do when you sense such a tactic is to say "no deal, no how, no way, now or in the future, you've burnt your boat, live with it". And that is what Comey should be told loud and clear by the politicos. And in many respects that is what Michael Chertoff is diplomatically saying. Comey has overplayed his hand and should be handed his hat and coat at the tradesman's exit.

tyr • July 28, 2015 1:25 AM


@Clive

I think you meant pejorative rather than purgative
in footnote 1. You might be surprised about how net
savvy lexicographers are if Erin McKean is an
example.

I'm surprised anyone would get the hacker/cracker
inverted since it was one of the endless FAQ
materials that were almost required readings in
the earlier days. Schneier has a greatly expanded
media profile these days so the closed nature of
the blog had to open up a bit. It doesn't take
long to weed out the agenda pushers or the spin
specialists here.

I figured Chertoff for just another beltway bandit
but this at least shows there's no monolithic drive
towards a fascistic state and that the debates are
still open among the inner circles. That is what we
really need, if you get enough people into the mix
for the debate the consensus won't satisfy everyone
but at least it won't be decrees by fiat from the
clueless (I'm unkind enough to be thinking cousin
Cameron here).

Curious • July 28, 2015 2:08 AM

"Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information."

"So it’s a little bit of a long-winded answer. But I think on this one, strategically, we, requiring people to build a vulnerability may be a strategic mistake."

I've come to think of 'strategy' to always revolve around achieving a specific goal, so to me it sounds like the man is pretty much saying that: it is a mistake having people getting used to living in a police state.

I think someone should ask him if he thinks US is the proverbial police state. Get a debate going on this topic and avoid discussing things with an ironic distance.

Clive Robinson • July 28, 2015 2:22 AM

@ tyr,

You are right on "pejorative", it's not in the spell checker on this "not so" Smart Phone, and I'll plead guilty to an insomniac's tired brain brought on strangely enough by the purging effect of a change in health (I made the mistake of visiting the doctor to try and sort out an administrative issue, and came away with rather more than I wanted, in that I've got somebody's unwanted bug as a freebie :-(

With regards Michael Chertoff being a beltway bandit, oh he's definitely been that in the past, but he's a lot smarter than most, and has fingers in a lot of very rich pies, I suspect that you and I could live very comfortably for a year on what he makes in a week or less.

As for David "marry a trust fund" Cameron, he's neither smart nor sensible, it's debatable as to if he has ever done what most people on this blog would consider an honest day's work in his life.

I can still vividly see him standing there spouting his "I'll leave them no place to hide" speech with Obama looking at him like he was the "home coming queen" about to "kiss and show all" in a teenage coming of age 18+ comedy movie. It lacks the dignity you would expect of the leaders of two of the wealthiest nations in the WASP world.

Tadashi Togo • July 28, 2015 2:54 AM

@'arguing to win where the truth is relative to the observer'

In considering this, I realize that, to really argue and win against the observer, you have to do the unspeakable sometimes. Which is to gain, keep rapport with them, and then lead them to a different direction. So, in this instance, you are talking about individuals who are completely opposed to all common sense and reason, who, while representing "Democracies" and "liberty", actually are representing the opposite.

How do we know this? Simple. We saw what the Nazis did. Even if one observes the Soviets, or other such regimes, one can think, perhaps - just unconsciously - 'that is what the Nazis did, and I know that is wrong'.

Problem with this thesis? On the surface, it appears wrong. It appears as if one is then using superior technology - of speech, of communication - to manipulate a more dim witted cousin. This? Is akin to the very 'black magic' and 'witchcraft' which all societies condemn, especially the more primitive and morally lost of ones.

Question: Have you ever come across something that you felt you 'just should not read', or 'should not hear'? Why? Maybe because you believe that, in doing so, the author would somehow... crawl inside your "head". And stay there.

Nothing worse than that? Am I right? To read or listen to something you know... you probably should not... and then realize "this person is inside my head and won't get out". :-) Now, I do not mean that in 'crazy terms', but it is true. Lol. :-) There are a lot of matters people just dare not read nor listen to, lest they find the author really makes a home in their head.

Everyone, on the internet, has experienced this to some degree or another. Some crazy poster who is probably very annoying, yet who... for whatever reason, despite all reason!... you just can not completely forget about.

Or even off the internet. Someone says something, and you strongly disagree. Yet? It stays with you. You find your own mind struggling against what they have said, as if it had come alive. Again and again and again.

Truth be told? We just do not know that much about how we operate. It could be what they said somehow jarred something loose. Or it could just be they believed this would happen, they imagined something so strange as this as happening... that? It happened.

Now, not very useful, right? But, it has been well proven that we tend to speak what we believe. And if we truly, really believe that what we will say will change a person's perspective? Well, maybe no one else believed that before about their perspective. And that very thing is all which was ever missing.

So, one finds exactly the right words to say to them that actually gets them to stop in speech, to come around, and to come back, "You know what? I was wrong. This backdoor idea was a bad idea." Maybe? People are much more relative and submissive to communication expectations than what is commonly believed.

Maybe, even 'we can lose face' and 'our ideological adversary is not actually The Enemy, but someone who speaks for our own betterment, providing us with ideas we simply never considered or realized before'?

And maybe, I do think, that must be expressed by reasoning, by weighing and showing the other party that they can weigh less weighty versus more weighty... that when we speak, we also convey a difficult to describe confidence that transcends mere 'patterns of behavior' which some say is all 'conviction' relies on. That it is genuine, and more than just observable in such things as 'the pause' of "closing". Something which can be artificially affected?

If you go into a "debate" having zero confidence you will win, maybe that actually does come out in your speech?

But, if you go into it, fully armed, fully confident, because your fists of lead are far weightier than your opponent's? Maybe there is actually some physical science behind that backing you.

Still, and I will end this and vamoose, vanish: I do believe we have all come across confusing things we have read and known, in our deepest hearts, we 'should not read' or 'should not listen to'.

Because we *know*, if we do? It will change us.

Maybe a fictional recipe, a magical spell, something bad which should not exist. Or maybe some hardwired switch necessary to be pulled. An emergency switch. To change the otherwise inevitable course of history?

Paul • July 28, 2015 6:02 AM

I see the SSL thumbprint for this website has changed again; I thought he only had a new certificate a few months back but according to the certificate it was issued on the 19/07/15.

Can anybody confirm what the thumbprint for this website is please?

Koke • July 28, 2015 8:52 AM

@ Clive Robinson
"Thus it feels down right odd not to say spooky to see some one who has 180'd the meanings."

It's quite common in counter culture, thus spooky to see. The difference in perspective is apparent if not suggestive. African Americans are known to use the n word to call each other favorably. The offense isn't in the word used, but the way they are used. It's apparent in slangs and other linguistics, verbal not well-defined.

name.withheld.for.obvious.reasons • July 28, 2015 9:04 AM

@ Clive Robinson

It feels strange to have lived through the rapid change of quite a few terms not just hacker and acid, that were not "youth culture" usage such as "sick" and the invented word I most hate "init".

It would probably seem strange to you, or me as I am an "old-school" hardware hobbyist, spending the youthful years having grown up after the 1980's.

I was surprised you didn't mention phreakin'.

Seems I share much with you--even in the corporate/nation state "espionage". Hopefully you skipped the whole "Cheney/Rumsfeld cabal are idiots" friction, railing against those that were part of the neocon group-think club that had little tolerance when called out. During the run-up to war in Iraq, you could set the volume to 10 and denote the error in their thinking and not get into trouble. But, if a "nervous neo-con" heard (or herd) you it was their duty to report/shoot you.

rgaff • July 28, 2015 10:44 AM

Though freedoms are more important, it seems almost as if the general populace doesn't care about them... but everyone cares about their money! Everyone cares about losing their jobs! So relating it to "omg all american business will suffer" becomes a much stronger argument that has much more chance of making anyone listen, even though it's far less of an important matter.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.