Glenn Greenwald Debates Keith Alexander

Interesting debate, surprisingly civil.

Alexander seemed to have been okay with Snowden revealing surveillance based on Section 215:

"If he had taken the one court document and said, 'This is what I'm going to do'... I think this would be a whole different discussion," Alexander said. "I do think he had the opportunity [to be] what many could consider an American hero."

And he also spoke in favor of allowing adversarial proceedings in the FISA Court.

On the other hand, I am getting tired of this back-door/front-door nonsense. Alexander said that he's not in favor of back doors in security systems, but wants some kind of "front door." FBI Director Comey plays this wordgame too:

There is a misconception that building a lawful intercept solution into a system requires a so-called "back door," one that foreign adversaries and hackers may try to exploit.

But that isn't true. We aren't seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process--front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks.

They both see a difference here. A back door is a secret method of access, one that anyone can discover and use. A front door is a public method of access, one that -- somehow -- no one else can discover and use. But in reality, there's no difference. Technologically, they're the same: a method of third-party data access that works despite the intentions of the data owner.

In the beginning of the debate, I got the feeling that Alexander is trying to subtly shill his company. (Not that there's anything wrong with that -- I sometimes do the same thing. But realizing it helped me understand some of Alexander's comments better.) Later, the discussion turned into a recycling of common talking points from both sides.

Posted on September 7, 2015 at 9:14 AM • 83 Comments

Comments

blakeSeptember 7, 2015 10:06 AM

> ... this would be a whole different discussion

It was a whole different discussion when the first document was released, it was "the NSA isn't doing that at all". Then the 2nd came out and it was a different discussion again "OK yes but only metadata, and not targeting Americans". Additional documents let to further "whole different discussions" about how it's not really "collected" until a human looks at it even if it is gathered in bulk.

I might not be exact on the chronology, but the point is: on each subsequent Snowden release, we *did* get a whole different discussion, and that's part of the problem.

MarkSeptember 7, 2015 10:16 AM

Bruce, it is completely wrong to publicise your own company when your company profits from having misled the public over surveillance.

Clive RobinsonSeptember 7, 2015 10:52 AM

@ Bruce,

But in reality, there's no difference. Technically, they're the same: a method of third-party data access that works despite the intentions of the data owner.

I guess it depends on your view of the world...

Surveillance has the usual tenses of past, current and future.

The trick this "collect everything" idea is trying to work is to eliminate the past tense and make it all current tense. That is in effect they are trying to build an 'Informational time machine'.

However you can not record everything only a small percentage of things, which is where the "wiggle room" comes in on this "backdoor/frontdoor" issue in their --not our-- minds.

Look at it this way, you have a computer sitting between a user and some kind of communication off to a storage medium of some form somewhere. You have a choice of "Points of View" to consider for surveillance. Firstly the User, Secondly the Communications and thirdly the computer either looking towards the user or towards the communication.

What we tend to ignore is the first option when we talk about computer and communication security, that is watching what the user sees, what the user does and hearing what they hear and say. Importantly this is a mistake in a great many peoples heads, because it tends to fall into the realms of traditional "Physical Security" not "ICT security".

From an LEO perspective, the second option is problematic as there is no supportable "chain of evidence" for a whole heap of technical reasons. So they like the IC prefere the first option, with the added bonus of the issue of wiretap and other legislation does not arise. From their point of view they want such surveillance to be the equivalent of "being present" or "looking in from public property" etc and we have seen this "in plain sight" argument pushed further and further in the courts.

There are two basic ways they can surveil the user. The first is via the traditional "Mark 1 eyeball" or the more modern equivalent of CCTV, microphone etc that is in range of the users environment. The second is by getting low level access to the computer effectivly below the OS at the driver or IO hardware level.

Thus an argument can be made that remote surveillance via laser microphone and high performance optical side channels into the users environment from outside is the equivalent of "in plain sight".

The argument can then be pushed further, that is the use of optical methods to transducers such as vases, crisp packets and plastic cups etc is logically the same as electrical connections to other transducers in the users environment that the user has chosen to put there. Such as the computers microphone, camera, keyboard and screen. All they have to do is push the demarcation point in court, which they have been trying to do for years with other systems in the users environment...

Thus in the IC and LEO minds --not ours-- because these devices are bellow the OS or CPU level in the computer, any signals that come from them are not from the computer just objects the user has in plain sight in their environment.

Thus adding a device that takes the output from these plain sight transducers and makes it more available as part of the low level functioning is an argument they are likely to consider as a "front door". Thus providing it functions below the CPU or OS level to send it's data out or through the computer transparently to the network would not in their minds be a "backdoor" on the computer as it in no way effects the computers operation, and nothing you can do in the way of OS or Application software is going to change that.

The idea is not new, think back to CarrierIQ where the NSA benifited greatly from the "test function" the phone companies had installed in users phones that then sent plaintext of key strokes etc back to CarrierIQ's servers across the internet...

This is also a further issue they might consider which is the danger of Microsoft and Win 10. MS as a commercial organisation are making what you do on your computer "their business records" and thus available via a very broad NSL etc. Thus they don't need "golden keys" or "backdoored software".

Arguably from their limited perspective if you are a US Win 10 user this "user data" will only be available on "US Networks segments" therefore from this deliberatly limited view point "unavailable" to anyone else.

We know otherwise, but you try convincing a politico who is getting the usual lobbying presentations and incentives, you won't get on the hill let alone across the threshold of any room they are in.

rgaffSeptember 7, 2015 11:52 AM

Basically just abandon those silly notions of democratic process and freedom and just embrace communism and free prison for everyone.

SocraticGadflySeptember 7, 2015 12:13 PM

"Technically," if by that you really mean "technologically,' no, there's no difference between front doors and back doors.

But, by intent, how that intent plays out and other things, by the very nature of the public vs private, there's definite differences.

rSeptember 7, 2015 12:48 PM

"Trust me, securing the internet is in our BEST interests." :)
-notreallyaquote

For who? From whom? Would China and Russia use the same front door? Would we use China's? Is Pakistan going to cooperate? Who's going to install the lentil? Are they reputable? Are they insured? Am I going to have a region code installed in my children? I'm so confused, is there a spin doctor available to push me a sedative before he kickbacks in Tijuana?

We're supposed to trust a government that values it's relationship to tech companies who prescribe NDA's to sheriff's offices for finding stolen phones?
We're supposed to trust a government who tells the DEA to fabricate evidence?
We're supposed to trust the child molesting senators their metadata can blackmail?

Give me bcrypt or give me death.

rSeptember 7, 2015 1:03 PM

We're supposed to trust the secret service or the FBI that steals a million dollars in bitcoin?
We're supposed to trust the prosecutors that try to lynch a young man for downloading (massively) a freely available library?
We're supposed to trust a government that doesn't trust us?
It's not their job to trust us, it's their job to remain trustworthy in the eyes of their people and uphold the laws of the land.
It's not their job to reinterpret what congress has said.
The NSA is a para-military organization (not intended to be derogatory), it is none of their business what the American people are doing except in times of extreme emergency.
Is their an emergency?
Has the habit of shirking congressional declarations of war been extended to undeclared states of martial law now too?

d33tSeptember 7, 2015 1:34 PM

This guy and Hayden still walk around as free men and people still get upset about the US flag being burnt in protest occasionally. These debates, like the one between Hayden and Greenwald (and others) in 2014 are probably good for the purpose of helping to vindicate whistle blowers and informing the public about the importance of government employees and contractors breaking ranks (violating oaths of secrecy made to a country whose leaders have violated their oaths to the people) and serving the public (they work for) by telling the truth about constitutional violations and state sanctioned murder. It saddens me to see these debates take place outside of a court room. These opinions should be aired on record during the criminal trials of Alexander and Hayden (as well as many congressional members, Clapper, Feinstein, Obama others). Of course these trials will never happen and they would likely be fixed if they did. It appears that the corruption of the US government is in a state of deep and permanent rot at this point. It doesn't stop here in the US, it appears to be a western disease and no ancient document or ideal is safe from it.

Somehow, I'm guessing these people have been sold the idea that with enough data, a predictive science is possible. As with the Secure Science Corporation product
"Colossus", they can use math and tons of data to minimize risk (payouts), maximize profits as well as influence markets, predict the shifting will of the public and insure their positions in society forever.

Maybe this can be mastered for a short period of time? Although the whole "quant" engineered derivatives market and financial meltdown in the US has alerted me to the notion that if you don't create new solutions, make things, change your behavior when it doesn't work, keep your word, tell the truth (if you know what it is for that moment) and govern yourself honestly and treat others fairly, all is lost. No matter how tricky you get, chaos is still playing everywhere and a ponzi is a ponzi even with lots of lipstick.

Back doors vs Front doors, they're still *holes*, just like Windows.

Who?September 7, 2015 1:39 PM

Back door may refer to a subtle bug while front door may refer to a well established "out-of-band" access to data, mathematically blessed. Well written a front door may be as difficult to crack as a good encryption algorithm. It may depend on a secret as difficult to break as the encryption itself. A back door, on the other hand, is weak in the sense that it is usually "an intentional bug in software" that can be easily discovered by source auditing, binary testing or just by luck.

Ah, all fine... they want to replace a deliberately weak software implementation with some sort of "mathematical key", let us say in the form of certain cooked constants that all implementations MUST use. Yes, it would work IFF the NSA proves that no leaks from this secretive government agency are possible. Sadly they have more holes in their own security than a block of emmental cheese. Sooner or later the key that protects the front door will be known.

tyrSeptember 7, 2015 3:21 PM


I am continually amazed that no one in government
evr considers the possibility that what they are
doing is wrong enough to stop doing it. Instead
they endlessly circle around their own lawbreaking
activities in a cloud of obfuscations and logic
choppings, collections aren't collections, doors
aren't really doors if they are wide open in front
instead of wide open in the back. It does a real
disservice to intelligent human beings to engage
in this incessant level of twaddle and expect it
to acomplish anything other than give them the
space to build a new collection apparatus to take
the place of the exposed one.
If all this data is such a boon to law enforcement
why aren't any of the banking gangsters in jail ?

If all of this intelligence gathering is such a
boon to the military, why is ISIS shooting its way
to control of part of the middle east ? The worst
part was the IC bleating about not seing ISIS as
it formed.

I'd rather see Spandam debate Jake, but Alexander
would be totally out-gunned in the brains department.


Sancho_PSeptember 7, 2015 5:57 PM

@Clive Robinson wrote:
”Surveillance has the usual tenses of past, current and future.”

Right. ( - BTW a very realistic extrapolation of their arguing!)

But let me pick off the “future” in an other aspect:
Aside from the insanity to create a secure extra door in an insecure building,
wouldn’t any third party “golden” access inevitably mean that such “protected” communication, be it ad hoc (online) or in the future, could be faked by a third party, especially on state actor level?

They could use my credit card info (e.g. from amazon) to donate to AQ?
They could produce “secure” + encrypted evidence before hanging the dissident?

***

However, I stand corrected, I was wrong in thinking Alexander is just another goat like Hayden (“… give me a square …”).

Alexander said:
”We are the country that created the internet … we are to be the first to secure it. Set the right security and the right civill liberty and privacy in place now, we have to do that before something bad happens.”

- I concur with.

Coyne TibbetsSeptember 7, 2015 6:37 PM

@blake

They actually have done that, well, probably a dozen times now. It's the same as "retreat and regroup":


  • We're not conducting phone surveillance any Americans.
  • Okay, we're conducting phone surveillance on some Americans, but only if it's incidental to surveillance of a foreign national.
  • Okay, we're conducting phone surveillance of some Americans, but only if there's reason to believe they're involved with foreign nationals.
  • Okay, we're conducting phone surveillance of some Americans who have no relation to foreign nationals, but only if their calls pass through foreign networks.
  • ...etc.
  • Okay, dammit, we recorded metadata on every American everywhere for months, but we didn't keep any of the data.
  • Okay (effing Snowden), we recorded metadata on every American and kept it for months, but we've deleted it now.
They never tell the truth-truth, just retreat to the next line of half-truth. I've argued (and still do) that, as a result, we should base our assumptions of what they are doing on the practical limits of their capability. Can they record the voice of all phone calls? Probably. Therefore, presume that's what they're doing.


@Who?: "Back door may refer to a subtle bug while front door may refer to a well established "out-of-band" access."

This is a meaningless distinction. Either way, the primary user of the encryption is not entitled to have secrets safe from anyone; an "out-of-band access" is as easily exploited by China, or Facebook, or your neighborhood cops, as it is by the NSA.

It's merely a matter of knowledge and, as Snowden has so ably demonstrated, knowledge leaks. Knowledge can be independently discovered. Knowledge gets sold: right off the bat, if NSA has an "out-of-band access", how long do you think it will be before they pass it on to the "Big 5" (I forget the name)? If NSA got this today, the "mafia" and "cartels" would have it before the end of the week.

And BTW, the "mafia" and "cartels" won't be using the front-door susceptible encryption; and neither will the terrorists. They have the incentive to find something better.

Which actually reveals the ultimate concern: Once again, NSA doesn't give a flying leap about terrorists and criminals; they're looking for a means to watch all US citizens. This has been quite clear throughout everything that has happened since, well at least 2001: All the legal exceptions, the FISC, the Patriot act: None of that is about foreign nationals, because none of those things are required to watch foreign nationals (who have no Fourth Amendment Rights). It's all about US citizens, pure and simple.

SkepticalSeptember 7, 2015 7:32 PM

They both see a difference here. A back door is a secret method of access, one that anyone can discover and use. A front door is a public method of access, one that -- somehow -- no one else can discover and use. But in reality, there's no difference. Technologically, they're the same: a method of third-party data access that works despite the intentions of the data owner.

But there's an enormous difference from a broader perspective than the technological.

A front door is susceptible to democratic discussion and to dissent by those outside certain institutional frameworks. A back door is not.

Put differently, a front door enables a balancing of the equities to occur up front and in the light. A back door often requires that such balancing occur after the fact of its existence and in the dark.

If there is no front door, then it will be the government's duty to find back doors, perhaps sometimes to create back doors, and to consider - secretly - whether a discovered back door ought be disclosed or used.

That a process is secret does not mean it is bad, of course. But in some ways it will be harder to get right - and it will be harder for those not privy to the details of the process to trust that it's right.

Look - either way, we will all need to accept some risk. The lack of front doors simply obligates law enforcement and intelligence agencies to find back doors, and there will be incentives to preserve those back doors once found.

Put differently, in removing front doors from the market, you've simply shifted all the demand to back doors.

With front doors on the market, by contrast, you allow the government to pursue a more consistent approach to the security of non-critical information and communication systems. And you allow everyone to work in concert on strengthening the security of those front doors. Of course, you still must accept the risk that some of those front doors will fail. Precisely that consideration - the possibility of failure - should motivate certain features of such designs, so that damage will be limited should failure occur.

But at least it's a risk that can be addressed openly; at least it's a mechanism that can be designed to fail detectably, that can be repaired verifiably, that the worth of which can be judged democratically.

One cannot avoid danger in this world either of a government too weak or a government too strong. The right course is to provide government with the powers needed to accomplish its purposes, but also with the transparency and structure needed to guard against the temptation to abuse those powers. Front doors offer an opportunity to do so, while aligning government and individual interests in security and perhaps clearing obstacles to the implementation of better security for everyone.

Dirk PraetSeptember 7, 2015 7:37 PM

I would really appreciate these folks whining over "going dark" and "front door access" speak their mind and come up with a concrete proposal of their own that can be debated in public and passes both technical and legal objections.

rgaffSeptember 7, 2015 7:45 PM

A DOOR IS A DOOR IS A DOOR IS A DOOR.... it's got a knob, and hinges, and it swings.... whether you have a "FRONT" or "BACK" label over the top makes NO DIFFERENCE WHATSOEVER on its operation, or who can use it! The exact same thing applies to technology, regardless of your endless meaningless twaddle. I just figured out that Skeptical is Keith Alexander... hello guy who's responsible for destroying democracy and freedom in the world!

futureskynetdeveloperSeptember 7, 2015 8:20 PM

@Skeptical

The interesting part is Alexander brought up the Front door retort but neglected to mention anything on how this would technically be achieved. Thereby pulling the wool over the eyes of the less educated.

What you are talking about is subverting encryption. If you had read any of Bruce's books you would know that security is only as strong as the weakest link in the chain.

You are condoning replacing the measurable entropy of all encryption algorithms with what people in closed rooms think will suffice. At that point every crypt analysis white paper from now on will include a new chapter that will only contain a giant question mark with the subtext, "Not publicly disclosed information".

I am sure the super villains will remember to update to AES 256 GVMT+.

CallMeLateForSupperSeptember 7, 2015 8:31 PM

@Coyne Tibbets

"... the 'Big 5' (I forget the name)"

I think the term that eludes you is "Five Eyes".

One wonders: why "Five Eyes"? Why not "Ten Eyes", unless each country has just one eye? Odd.

Cubicle TANFSeptember 7, 2015 9:17 PM

Sickest and most delusional skeptical yet! Where to begin? Skeptical doesn't know what a duty is, he has no clue what the state's duties are or where they are set out, so he pulls an imaginary duty out his ass. A clandestine one, legally meaningless by definition. Poor sad mediocrity still can't get his head around the meaning of an obligation either. Skep parrots the beltway asskisser's balance canard. There is nothing for him to balance. There are constraints on state conduct, that is all. Sadly, skep's 3rd-rate vocational training feeds him just enough optimization jargon to get him all confused about the difference. Then skep regurgitates some half-digested economic goo-goo ga-ga from 13th grade. Markets! Demand! Pitiful as Trump explaining NPV in court.

No, this is really how they talk, the beltway parasites. When they polish up their resumes for the commercial Big Time, they stick words in sentences to sound all smart. Merciful Dunning-Kruger oblivion spares them from derision in the corridors of power. They never even know they're being laughed at.

Then as usual with skeptical, on and on and glug glug glug and it all just dissolves into nonsense and trying to sound like the founding fathers on that Ken Burns documentary.

One cannot avoid danger... but one can, if one is a bedwetting statist pussy like skeptical, abjectly shake in one's boots all the time.

You're tits on a bull. Go get real jobs.

AnuraSeptember 7, 2015 9:30 PM

I really don't get what they think "front door" means. If you are using the term "back door" as an analogy for a covert channel for someone other than the end user to use, then that implies that the end user is the one using the front door. If the term doesn't imply that the end user is going in through the front door, then the "back" in "back door" would be unnecessary, and you would simply call it a door.

rgaffSeptember 7, 2015 9:57 PM

@ Anura

It means "well, if 'back door' has a bad connotation, let's white-wash what we're saying by calling it the opposite... I know... a 'froooont' door... that'll make all the unknowledgeable masses think it's ok..." It's meaningless verbiage just like "collection" not being "collection" anymore and "least untruthful" lies and crap... The problem is they're hemorrhaging this kind of crap so much that even the stupidest dunderhead is starting to see through it... But they can't stop, it's like spam, it doesn't work so well anymore? well then, just have to crank it up a notch and poop it out at faster rate...

rgaffSeptember 7, 2015 10:10 PM

I'm convinced that the only way to deal with this kind of intransigent thug is to make fun of them over and over and call them Nazis....

rgaffSeptember 7, 2015 10:12 PM

Just do it over and over until they really start to believe themselves that they are comical nazis... that is all...

rgaffSeptember 7, 2015 10:18 PM

I mean, stop correcting the spelling and accept the Freudian Slip... "FIB Director" was correct... and his name, "Comey" how can he not be a Communist with a name pronounced like "Commie"... he's the director of lies, and he's a communist. enough said.

rgaffSeptember 7, 2015 10:21 PM

Comical Commie Comey is the director of all the biggest and best fibs in the country. Need I go on...

name.withheld.for.obvious.reasonsSeptember 7, 2015 11:06 PM

When @Skeptical defines front doors as "susceptible" and democratic processes that form dissent, he is indirectly forming a risk analysis/perspective that democratic processes are inherently dangerous/bad. This leads me to believe (I use the word figuratively) that @Skeptical is a DoD plant. This is the attitude that has been held by the Pentagon since the end of the Vietnam war. DoD sees the civilian population, in general, as an existential threat to funding, prestige, power, procurement, and exercise of an inane hegemonic globalism.

As none of these ideas are defensible in the light of day, the Industrial Intelligence Complex serves to create the narrative, the MIC serves to maintain the fences. The walls and fences are set around us and the IIC serves a tale to make us believe that we are not seeing fences but "walls of opportunity". It is too bad that the press is either to kowtowed to their masters or just too dimwitted to understand what is going on and what's at stake. Your cushy upper-middle class life style afforded you for betraying your heritage (the good parts) is no more "secure" than your fidelity to ideals.

Windows 10 is the CALEA answer that the FBI has wanted all along, the timing of FBI propaganda/blitz appearances by Comey and Friends (also a new Fox News segment yet to be announced), the failed CISA, and the "take the moment" not the high road approach to law enforcement was sure to produce this type of result.

Coyne TibbetsSeptember 7, 2015 11:33 PM

@Skeptical: "A front door is susceptible to democratic discussion and to dissent by those outside certain institutional frameworks. A back door is not."

I actually LOL'd when I read this. You think this is about having a democratic discussion, where the public have a say? Nothing the TLAs have done to date suggests that they're interested in a public discussion as anything other than a smokescreen for the next Patriot act.

Especially since every "front door" law will be re-interpreted by the TLA's very expansively, and non-democratically, into a back door justification.

@CallMeLateForSupper

You're correct, Five Eyes is what I was trying to think of. Ten Eyes, Five Eyes, you're right, very strange counting. Maybe they count by pairs?

65535September 8, 2015 12:36 AM

The “Front Door” solution.

Since, GEN Keith Alexander (Ret.) is shining example of virtue why don’t we start with him and his company IronNet Cyber Security. We need the hay stack to find the needle – who knows maybe there is “leak” somewhere. Let’s go through the front door and look through:

1] All of his private emails to and from his employees, contacts, engineers, political friends and family members. He has nothing to hide.

2] All of his proprietary products and NSA style spy tools. I am sure there has been no theft of other people’s intellectual property.

3] All of his phone conversation and metadata including his customers, his financial backers, political backers and the times and geo-locations of said conversations. He has nothing to hide.

4] Let’s look at all of his companies banking records and transactions then chain them together to form a map. Who knows we might find a crook or even a terrorist.

5] Let’s looks at his tax records and see if there has been any cheating. I sure he has nothing to hide.

6] Let’s not stop there. Let’s check up on his 16 grand children and their parents while we are at it via contact chaining. We may find some National Security documents that have leaked out.

7] Let’s not for get his router, firewall and his personal nest items like that “Smart meter” to see when he is home. Don’t forget the smart TV and the Samsung refrigerator. They could be leaking “Classified data” to our enemies… and on and on.

He wants a “Front Door” so why don’t we contact him and ask him to give us the keys?

http://ironnetcyber.com/keith-alexander.html

CuriousSeptember 8, 2015 1:03 AM

Having read that first comment from Clive Robinson above, I cringe at the thought that the intelligence community might scheme their way into having their front door regardless, by depending on corporations like Microsoft with its Windows OS as a surveillance platform, on initiative of corporation themselves that are/were perhaps served veiled threats from the government; just like Wikileaks showed in a document some years ago from norway, iirc in which a government official (I forgot which, might have been Knut Storberget) had implied that every IPS's would be in trouble if they did not implement a blacklisting of certain websites.

CuriousSeptember 8, 2015 1:25 AM

Btw, I read about some corporation's "willingness" to cooperate, maybe AT&T. I am thinking, that in a sense, the notion of anyone's 'willingness' as a mere description, might as well be equivalent to 'cooperation' as such, and so a critical distinction would be lost with regard to the meaning of words when/if a proper context is omitted/unknown. Meaning, one could turn it around and there would be no difference: cooperation = willingness. Even if threats were not used, simply the act of admonishing a corporation or some group of people would render such "willingness" quite questionable, even more so if not being 100% transparent as a policy.

Clive RobinsonSeptember 8, 2015 3:24 AM

@ CallMeLateForSupper, Coyne Tibbets

One wonders: why "Five Eyes"? Why not "Ten Eyes", unless each country has just one eye? Odd.

Firstly remember who set it all up, it was those running Bletchly Park, amongst whom Gordan Welchman (read his "Hut Six Story") realised that the British who were bankrupted by WWII needed to take the lead on what has become known as "The Special Relationship" that rose up from the BRUSA agreement on Intel Sharing.

Those "Bletchly types" all originated from Oxford or Cambridge as did most of the seniors in the UK IC post war.

Such "scholars" usually have a sense of humour that is both childish and reliant on "in jokes" and knowledge. One such distinguisher is the prerequisite knowledge on "Classics" not just Roman and Greek but Anglo-Saxon, Germanic and Norse mythology as well.

In there you will find the story of Wodan / Odin (from which we get Wednesday) and the story of how he traded "one eye for wisdom" which is very much how the British saw the Americans when it came to Intelligence Matters. And it's still how many in GCHQ and Hanslop Park see things, "The Brits bring the brains, the Americans the cash and manufacturing".

But as with all such "old boy network" jokes there are several subtexts or layers to it.

Often Odin is pictured with animal companions or familiers, Geri and Freki the wolves but more importanty the ravens Huginn and Muninn, who bring him information from all over the world thus the Brits also brought their own "ravens" to the table which were Australia, Canada and New Zeland.

But there is another layer which is actually quite important, and revolves around the wolves and Odin's eight legged horse Sleipnir. Which not only takes him across the sky but also importantly into the underworld as well. The British may have been bankrupt, but they controled directly and indirectly a lot of territory and as a result hand quite extensive Humint resources and still does, which they also brought to the table.

The US did not have Humint resources and got "hurt" politicaly when they tried to develop them in a "technical" not "human" manner. Thus the US carried on down the "Technical Surveillance" route, not the Humint route, which lead to further embarrassment via the U2 which also helped push along the space race side which the NRO has proved adept at.

The British however have paid quite a significantly price under the Special Relationship in all sorts of ways. The British development of the worlds first super sonic plane, had progressed into a fully built aircraft that was due for it's first test flight, only to be stopped from flying at the very last moment by US political preasure. Likewise the first fly by wire aircraft, which is why many in the military aviation industry wonder how the Jump Jet made survived. We know the only reason Concorde did not get canceled was because of the French applying more political power on the British than the US was prepared to do. Further the UK holds a unique position when it comes to the race for space thanks to the US. The British having developed safer and more cost effective rockets and payloads had put their first satellite into space, it was again canceled via US intervention in the politics of the UK. The only reason the satellite got up was it was already in transit to launch and payment guarantees signed with other nations. When Maggie Thatcher came to power it was the US use of "the war debt" for political leverage she determinedly got rid of. She also pushed forward UK development of space technology, however greed and corruption by UK MIC brought the Secret Surveillance Satellite side crashing down, before it got off the ground. Luckily the academic side had started to achive a firm set of foundations and non governmental funding, which is why the UK is one of the leaders in payload design.

But the pain goes on as those watching the pantomime of UK defence spending have a look at the current state of the process on the UK's two new aircraft carriers... and how the UK has ended up doing a "time share" on a French aircraft carrier. Oh and as for time share look at the UK's supposadly independent nuclear deterrent. Due to more special relationship nonsense the UK has to officialy ask permission from the US prior to using this deterrent... hardly "independent" then, and the current UK political encumbrents have just anounced a 500,000,000GBP investment in it to in part keep "the US sweet" and in the main to cause trouble "north of the border" and to other political threats, all whilst trying to cover up the fact it's policies are killing thousands of disabled people.

qqwerttySeptember 8, 2015 3:45 AM


@CallMeLateForSupper

One wonders: why "Five Eyes"? Why not "Ten Eyes", unless each country has just one eye?

I'm guessing they got inspired by LOTR. And I have to say, it kind of fits...

Bob S.September 8, 2015 3:58 AM

In my opinion a corporate created mass surveillance "FRONT DOOR" platfrom certainly has been created and is in the "wild". A recent release is obvious. I am thinking there must be many more devices and "apps" that are equally wide open.

Meanwhile, CISPA, the Cyber Intelligence SHARING and Protection Act provides the double speak legalisms to permit mass surveillance and protect participating corporations and the government from any liability whatsoever. It's right there up front in your face.

That's why a rant about constituional rights or existant laws is mute...CISPA trumps all that.That it didn't pass the Senate this session is a small bump in the road, it will next time.

Presumably we have choices. Leaving the internet altogether is one option. That's very disabling and generally not necessary.

Disconnecting from the internet to do anything sensitive is a wise move in my opinion. Move data manually via encrypted storage devices.

Another is to dig down deep and adjust the "opt out" sliders. I think those might work as they seem in most cases. However, the code is there to surveil the device and it would be child's play to comunicate code to override sliders indivually or on a mass basis. For example, the police want to know about a certain poltical protest...simply text corporate hq and tell them to "update" the sliders on all devices within 100 miles of the event until further notice. No warrant needed, CISPA covers that.

I agree this is all tin foil hat stuff, but I don't see anything at all that contradicts my view. Not at all.

The FRONT DOOR exists.

Wesley ParishSeptember 8, 2015 5:31 AM

Well, well, well, welcome back, @S[k]eptical. I worried you had been thrown to the wolves or under a bus - literally. The company you keep is intolerant of failure.

You still remind me of the time you attempted to persuade us that increasing complexity did not increase vulnerability and risk ... I still chuckle over that. When are you going into stand-up comedy, I mean, politics?

A front door is a door, a back door is a door. A door is a break in a continuous surface. As such it concentrates stress. It's one of the things a read of the DH Comet tragedy teaches one - one of the more elementary lessons of aeronautical engineering. Frankly I don't share your confidence in the ability of the various US Govt Security/Intelligence Agencies to make a secure insecurity. I'm too well aware of Microsoft's great success in that area: in spite of not having the source code, various malware authors were able to pinpoint insecurities and exploit them on a regular basis.

Nor am I so trusting of the good faith argument you present, that a front door is part of the democratic process and subject to it, while a back door is an accidental result of programming and/or electrical engineering gone bad.

I can see where you derive that argument from - it's based on the idea that a front door is comparable to a search warrant. In truth, because of the insecurities it introduces, a front door will be in operational experience, a lot closer to a general warrant and a disarming of the average citizen.

Of course, you haven't mentioned that a front door that is opaque to the average citizen, that he does not know about, let alone the location thereof, is not in fact equal to a material front door at which the LEO has to present the search warrant, duly signed into force by a judge. If there is no presentation of a search warrant indicating where is to be searched, and what is to be searched for, it is in fact the No Knocks again. Tonton Macoutes most likely.

Thank you for your input. I like light comedy masquerading as serious discussion. Stay away from colleagues and buses and wolves ... live long and prosper!

65535September 8, 2015 8:33 AM

@ Bob S.

“CISPA, the Cyber Intelligence SHARING and Protection Act provides the double speak legalisms to permit mass surveillance and protect participating corporations and the government from any liability whatsoever…”

I agree. CISPA is a stinking dirt sandwich on white bread.

“CISPA has been criticized by advocates of Internet privacy and civil liberties, such as the Electronic Frontier Foundation, the American Civil Liberties Union, Free Press, Fight for the Future, and Avaaz.org, as well as various conservative and libertarian groups including the Competitive Enterprise Institute, TechFreedom, FreedomWorks, Americans for Limited Government, Liberty Coalition, and the American Conservative Union. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers.” –Wiki

https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act

Bob S. has got me wondering if Win 10 with all its surveillance capabilities was made to seamlessly integrate with CISPA or as a backup surveillance platform should CISPA fail. It fits the pattern of corporate boot lickers positioning themselves as “service providers” of the NSA - at a hefty fee. That seems to be the new business model in IT these days.

On topic:

I listened to the colorful story Gen. Keith. Alexander told about the proposed persons on the NSA review board. When an ACLU member was on the list Alexander “You got to be sh*tting me. He thinks I am Darth Vader…” [10.59 minutes in].

Then Keith Alexander goes into the happy story about the ACLU member who actually complements him.

Alexander reached in his vest pocket and pulls out a verbatim statement from Jeffery Stone [sp] of the ACLU and read it: “To say I was skeptical is a truth and an understatement. I came away with my work on the review group… and found it surprising… The NSA… operates with a high degree of integrity and a deep commitment to the rule of law…”

[12:02 into the youtube video]
https://www.youtube.com/watch?t=12&v=sfPjgUgoLaQ

I find the statement to be self-serving and taken out of context. Jeffery Stone was probably buttering Alexander up before a heap of criticism to be delivered.

I don’t know how Alexander got that exact quotation – be it from a transcriber in the room or his personal recollection. But, if there were no transcriber in the room then the only way Alexander could have gotten the verbatim statement was from a recording [see or unseen - bugged].

Any way you cut it the ACLU as a whole doesn’t feel that way. Just look at the sheer number lawsuits they have filed against the NSA. It’s just more of Alexander’s clever misdirection.

Bob S.September 8, 2015 9:12 AM

Google: "Microsoft inks $617 million deal to bring Windows 8 to 330,000 Department of Defense employees"

In July the NAVY signed a similar agreement for $700 million dollars.

Clearly collaborationism pays very well.

The various corporations involved in the new mass sharing paradigm will be recieving guaranteed license and service fees amounting to multi-billions of dollars yearly for simply "sharing" data.

Would you do the same?

Most people don't know or care about any of this. Many are people who should know better, ...some paid very well to know and do better.

.September 8, 2015 9:57 AM

I was there and yeah I had the exact same perception.

Interesting, civil, and definitely plugging his company which is why he was extremely civil.

Nick PSeptember 8, 2015 2:18 PM

It was an interesting interview. Unfortunately, no newer and better points introduced like the ones we came up with here. Alexander's response is actually consistent with my hypothesis that he's just an agent of post-9/11 law. I wrote here that NSA's mission (and secrecy/immunity) was the problem. Their mission is so broad and near impossible that subversion of about every device with constant surveillance is the only way to achieve it. They won't succeed but they have to make every attempt. So, with my theory, Alexander would personally like a debate on the laws, mission, and/or accountability but the *existing* mission and laws require them to do exactly what they're doing.

We have to change the requirements and laws to make this unnecessary. Further, we should change the requirements and laws to make this impossible without lots of scrutiny. I still put the blame on the American people for their apathy. There's more discussion in Europe, etc about American law and surveillance than in friggin' America! Problem predates 9/11 where Americans just let government corruption persist and rarely punish the abuses that get public. It's their fault. They need to fix it.

Note: Perfect example of this is America's reaction to 2008 crisis vs Iceland's. America's corrupt politicians gave $1-6 trillion to the criminals with criminal immunity. Country did nothing past griping. Icelanders put the criminals in prison (even politicians), seized their assets, passed strong regulations, abolished the questionable debts, got new people in charge, and insured against future issues by creating strong legal protections for press. *That* is democracy in action. America? A plutocracy with peasants being herded along like sheep except without the fight-or-flight response to the wolves they see. They run right toward them instead.

jonathanSeptember 8, 2015 2:34 PM

bruce said: """A front door is a public method of access, one that -- somehow -- no one else can discover and use."""

Has anyone ever seen such a system? As far as I can tell this is on par with a perpetual motion machine. The claim that such a thing can even be created is an extraordinary claim. Extraordinary claims require extraordinary evidence.

Nick PSeptember 8, 2015 2:54 PM

@ jonathan

Personally, I think what the INFOSEC community says on this is retarded or politically-motivated lying. They're getting schizo or something. Here's why.

1. In business, INFOSEC pro is asked to create a way for select people to gain access to a machine (or its secrets) while blocking everyone else out. They deliver this using a remote access solution. They have a variety of tools for doing this, with SSH being a hacker favorite. They work well enough.

2. In NSA debate, they claim there's no way to build a "front door" that allows some people in but not others. They say any remote access solution you build will allow everyone in somehow. They say no remote access should be allowed.

See my confusion? They say one thing in one venue and another thing in another venue despite the capability being the same thing! You can build remote access in for limited parties. There might be vulnerabilities found in it over time. That's true for anything. A monoculture of one scheme on many devices and its keys in one spot creates tremendous risk. That is also true. However, the concept of selective, remote access is not only proven: it's in production in desktops, servers, and mobile across the world in many forms.

So, I keep calling bullshit on their claim that you can't do it. Many that claim it do it personally lol... They should stick to claims about the actual risks rather than stupid stuff like this. It's only creating an opportunity for enemy to discredit them and even with their own claims in other venues. That's not good for our side of the debate.

rgaffSeptember 8, 2015 3:33 PM

@Nick P

(1) A security system with NO DOOR AT ALL is not a transmission system, it's a deletion system. If nobody can access it, not even the recipient of the transmission, then you might have well just deleted the message. Never the less, this is the MOST SECURE there is. Nobody can access it. It's secure.

(2) A security system with exactly ONE DOOR only, where ONLY the intended recipient can access it, is LESS SECURE than #1 above. But it's more useful. You can transmit things from one location to another, or from one person to another, instead of just deleting them.

(3) A security system with TWO DOORS.... one for the intended recipient... and another for THOUSANDS OF GOVERNMENT AGENTS TO ACCESS AT WILL... is the LEAST SECURE of all... because you don't just have one person with access, you have THOUSANDS of people with access. This is thousands of times worse exposure, it's thousands of times less secure than #2 above. Note that I keep emphasizing the word "thousands" not because there are thousands of doors, but because thousands of individual people have access to the key for door number 2. The more with access, the more insecure it is. This is a law of nature, you cannot go against this.

This is not bullshit, this is what the government wants. They want us to go from #2 to #3 and lower our security, by a HUGE degree. But they claim they want to do it without lowering security... which is impossible. That's asking for a Unicorn. Does it make sense when explained this way?

Nick PSeptember 8, 2015 5:02 PM

@ rgaff

What you say agrees with my post. If anything, I should've added that as an extra, specific risk. The point of the post is that No 2 exists and can be used in this situation. Security professionals keep saying No 2 doesn't exist despite knowing better. THAT is bullshit. Arguing what you're arguing (increased risk of No 2) would be much more honest of them and I'd agree with it. As I have in the past.

rgaffSeptember 8, 2015 5:17 PM

@Nick P

They're reacting to government officials saying bullshit like "no, we don't want to make things less secure AT ALL, we just want to have added access without increasing risk AT ALL..." And this is where comparisons to Unicorns and Perpetual Motion Machines comes as a retort to that... amid hand wavings and "what's the matter with you all, you sent us to the moon, surely you can deliver this..."

Obviously adding a door is ALWAYS possible... just stick a little C4 on the wall, and BOOM... door. Of course the building may collapse and everyone may die, but gosh golly darn you got your door! (thumbs up)

The issue is they want it without drastically increased risk to I dunno things like the economy collapsing, which isn't possible. Note I'm NOT guaranteeing the economy WILL collapse from this, I'm saying there's a drastically increased risk of such.

Who wants to rush toward such precipices? We should be staying away from those... (of course, the world IS rushing toward that particular one in many other ways (eyeroll), but at least my math doesn't have to contribute to it dammit)

Clive RobinsonSeptember 8, 2015 5:28 PM

@ Nick P,

In your point one, you specify no bounds on access only access via a secure tunnel.

Because you did not specify bounds you incotlrectly state that this secure tunnel must therefore forfill the requirments of a lawfal front door.

The problem is that a lawfull front door as described by Comey et al is that it must technicaly obay all laws for warents etc.

An ssl tunnel without bounds can not meet the requirments of "lawfull access".

So as I've said in the past the problem you are trying to solve is one where there are bounds on the secure tunnel in that LEO must be stopped by technical means from not only gaining access without a warrant, but also when the warrant expites the LEO must have their access revoked by technical means. The technical means must not in any way alter the suspects computer (ie no "tipping off") and must have cast iron security from the LEOs to avoid their well known unlawfall behaviour. Further what ever the technical means is it must be uniquely keyed to each and every computer individually such that the scope of a search can not be illegaly broadened by the LEO's to other computers within the lawfull time frame. Lastly the technical means needs to be secure against hacking to stop it or it's methods being used unlawfully.

Even with some kind of key escrow for each computer the technical means can not be achieved by the technology we currently have.

Solving the warrant controled access issue whilst still maintaining the "no tipping off" aspect appears to be not possible.

However as I've pointed out it's not access to the computer LEOs actually want it's access to what the user sees, hears, says and does that LEOs realy want.

Nick PSeptember 8, 2015 6:20 PM

@ rgaff

Again, you're ignoring my point to push a peripheral one that I already agree with and have said so. The point is that security professionals need to stop pretending that RAT's don't exist. They do, they're strong enough to hold off the hordes in practice, they have occasional flaws that are fixed, and otherwise work. They can continue fighting these government proposals without making shit up. Their other arguments are good enough. So were yours.

@ Clive Robinson

"Because you did not specify bounds you incotlrectly state that this secure tunnel must therefore forfill the requirments of a lawfal front door. The problem is that a lawfull front door as described by Comey et al is that it must technicaly obay all laws for warents etc."

The mechanism and the policy for usage are two different things. The common statements act as if the mechanism itself doesn't exist. That's my gripe. The policy, key management, and other aspects of your post are the next part of the discussion. And why it's impractical.

"Solving the warrant controled access issue whilst still maintaining the "no tipping off" aspect appears to be not possible."

This seems to be true. It's why I'm highly skeptical, regardless of mechanism, whether they truly want a front door given you can't sneak in it. ;)

Dirk PraetSeptember 8, 2015 6:56 PM

@ Curious

I cringe at the thought that the intelligence community might scheme their way into having their front door regardless, by depending on corporations like Microsoft with its Windows OS as a surveillance platform, on initiative of corporation themselves that are/were perhaps served veiled threats from the government

That is exactly what's going on. Reading between the lines of @Skeptical's last comments, he too hints at the fact that unless the industry cooperates voluntarily, the government will just find another way. IMHO, the current front door/backdoor debate and mediatized skirmishes between the USG and tech companies are nothing but a smoke screen behind which a directed effort is already well on its way, the depths of which the general public will stay in the dark about until the next Snowden in a couple of years from now.

Let's make no mistake about it: Google and Facebook showed the world just how profitable surveillance as a business model is. Many others, including Apple and Microsoft, and for obvious reasons, have followed their lead. It's self-evident that ANY government wants to tap into these vast capabilities on top of what they already have, whether by legal or other means. From a corporate vantage, privacy and security have always been afterthoughts. Zuckerberg & co. have declared privacy for ordinary people dead, and the IoT is creating yet another wave of ubiquitous insecure devices. Cooperation with authorities, even voluntary, simply used to be the smart and easy thing to do.

Snowden and a couple of other leakers - known and unknown - did however change the game. They have lifted the veil of secrecy surrounding the extent of mass surveillance by the Five Eyes and the collusion between authorities and the tech/telco industry. The USG and its IC have come under scrutiny and legal challenges, whereas the US tech industry has squandered the trust of its users and is facing billions in lost sales, especially in international markets. In public, they cannot but take a bold stance in challenging the USG and adding encryption layers to their products and services in order to regain that trust. I am however fairly confident that in chambers an entirely different agenda is on the table because they all know that in the end they will lose.

I can only speak for myself, but things being what they are I can no longer recommend any mainstream US based product or service in environments where confidentiality is of the issue. Either they are already compromised, or compromise is just a FISC order or NSL away.

Nick PSeptember 8, 2015 7:14 PM

@ Dirk Praet

"I can only speak for myself, but things being what they are I can no longer recommend any mainstream US based product or service in environments where confidentiality is of the issue. Either they are already compromised, or compromise is just a FISC order or NSL away."

Exactly. And one of the reasons I'm reviving on forums my old topic of proprietary, open-source. Would be a nice differentiator for U.S. products post-Snowden. Especially with a review team and mirror hosting in a country uncooperative with U.S. LEO's. Still working on it where I have time to.

Dirk PraetSeptember 8, 2015 7:39 PM

@ Nick P

See my confusion? They say one thing in one venue and another thing in another venue despite the capability being the same thing! You can build remote access in for limited parties.

You're absolutely right about building a front door for remotely accessing a system or device. But how do you build a front door into encryption ? And which is actually what the entire debate is all about. However much I hear you, I maintain that it is really up to the government to come up with a workable solution. And when sooner or later it blows up in everyone's face, then let them take the responsibility and accountability for whatever catastrophe ensues, not the general public, the industry or some poor team of schmucks who thought they could come up with something.

That's just risk management 101. As long as the government fails to produce any relevant statistics or quantitive analysis about significant numbers of high-impact cases that could not be prevented due to unbreakable encryption, there simply is no valid business case for what they are asking other than the ability to spy on world plus dog at their leisure.

Nick PSeptember 8, 2015 7:43 PM

@ Dirk Praet

" I maintain that it is really up to the government to come up with a workable solution. And when sooner or later it blows up in everyone's face, then let them take the responsibility and accountability for whatever catastrophe ensues"

I like that. Keeps me from becoming one of those schmucks.

"there simply is no valid business case for what they are asking other than the ability to spy on world plus dog at their leisure. "

I agree. The cost-benefit tradeoff is horrific. Even if it shifted dramatically, I still doubt that backdooring encryption would help much.

HansSeptember 8, 2015 7:48 PM

The whole front/back door discussion is totally a waste of time, and isn't furthering the debate.

What they (those doing surveillance) want is the equivalent of being able to "pick a lock" or "crack a safe" and gain access to whatever is protected inside, that is, they want Apple, Google, etc. to somehow always be able to gain access to the clear text of an encrypted message or communication stream. Very roughly this is like lock manufacturers keeping a copy of every key, or safe manufacturers keeping a copy of every combination, or always having a "known weakness" in the system (e.g. pick-ability of a lock).

The problem is, and this is what I think isn't being said out loud by the parties in the debate, that modern encryption can create the equivalent a practically (in the literal sense of the word) un-pickable lock or un-crackable safe, where the only key or combination is held by the owner, not the manufacturer. And this is what Apple/Google are, iMessage bugs excluded, trying to do with their encrypted phones.

Now, back to the front/back door debate...

Dirk PraetSeptember 8, 2015 7:58 PM

@ Nick P

I like that. Keeps me from becoming one of those schmucks.

Don't take it the wrong way. You have no idea how much I have learned on this blog from people like you and @Clive over the last couple of years. In this particular case, I just think we need to differentiate between the technical aspects of the issue and the actual business case. And which really is weak.

Nick PSeptember 8, 2015 9:07 PM

@ Dirk Praet

Oh, I understood exactly what you were saying. Appreciate the kindness anyway. :) My quote was more on the lines of: "Yeah, we'll probably build something pretty good that gets smashed and take all the blame for their bullshit like you said. Rather let them look like screwups [again] instead of us looking like schmucks." Odds of schmuckhood being against me because I dabbled in high assurance lawful intercept. Personally, I think you delivered one of best contributions in our prior discussions on feasibility which I wish I archived a link to.

You basically pointed out that the group possessing the keys would have every nation-state, hacker, and criminal in the world trying to extract them. I can design things and organizations that can stop many hackers, burglars, spies, and even [to degrees] nation-states. Even I get silent and feel no confidence in trying to answer how I would stop *all* of them throwing everything they have at me without rest indefinitely. The U.S. government was compromised by many individual nation states and lost data in most classified programs. But they think that suddenly they can stop them all and when they're focused on one thing, too?

Not likely. Excellent way to frame it, Dirk!

Mark WingSeptember 8, 2015 9:49 PM

Alexander is used playing Yahtzee with semantics in hopes to drown out any rational discussion, and confuse the tech-illiterate people who make policy into thinking "yeah, ok, that sounds fair--let's do it."

In must be infuriating to see how some of the big tech companies have woke up, and now they see right through all this textbook obfuscation, and more importantly are starting to push back. A system is either intentionally compromised up front or it's not. The flowchart is very simple: Is it secure? If no, then it doesn't have value. Period.

name.withheld.for.obvious.reasonsSeptember 9, 2015 2:26 AM

@ Clive Robinson

Such "scholars" usually have a sense of humour that is both childish and reliant on "in jokes" and knowledge. One such distinguisher is the prerequisite knowledge on "Classics" not just Roman and Greek but Anglo-Saxon, Germanic and Norse mythology as well.

This is why I don't hang out with watery tarts...

If I were to go around claiming I were emperor because so me...

My comments written in the original Python compiler, Monty. And I apologize to the/my brethren internationally for the complete lack of thought, candor, and resolve respecting the unlawful exercise of hegemonic globalism by my country, the United States. Certainly my British friends recognize the folly of global colonialism--others certainly do.

CuriousSeptember 9, 2015 4:00 AM

I really don't want to get weird with people, especially not in this blog, however from time to time I get an epiphany, and I am inclined to repeat what I think I mentioned here in this blog some time ago:

There is imo a serious issue with how the the internet has effectively been weaponized by nation states and their governments, making corporations that collaborate de facto accomplices to all those negative events associated to how a nation state behave towards people. And so called 'lawfulness' doesn't even come into this, in part of how *I* am not a subject of neither my local or foreign governments unless one consider the basic concept of democracy as being compatible with authoritarian rule, and most certainly not because I am using a MS Windows product/service, and then there's the issue of how warring states are implicated in all of this in all kinds of nasty ways, overlooking the real violence and abuse in the world, there are the problems of collusion and support to nation states which in turn have me think of such elements as likely being a threat equal to the proverbial enemy combatant (doesn't matter who). I am ofc a mere civilian, so don't freak out when you read this, but this all is very serious in a global context and I would ofc strongly suggest that corporations understand that there is a deep corruption in both making money and in actively supporting nation states in shaping society (basically something 'amoral' given the abstract entity which are corporations); because a problem with notions of 'law' and 'lawfulness', is that on an ideological level, simply complying with legal and social requirements on principle (an important distinction to be made), is then nothing but supporting an autocracy because of the so to speak inherent ideology that lies in wanting to have and/or use such a 'principle' (forget 'ethics', this is about being a moral understanding as in making a choice), and so I'd have to say, that for a corporation and its representative to think or even express a belief in there being a 'service' to people at all, is in that case really a dirty damn lie (and this has nothing to do with what other people might be thinking again).

I could now try making a point about how I think corporations ought not try police its users and customers, however with the integration of state power into businesses in unprecedented ways (think anything privacy related) in our modern time, the proverbial police state is already here I'd argue, and it would be something of an understatement of me to say that "I don't like it".

AnuraSeptember 9, 2015 9:34 AM

@Nick P

"The cost-benefit tradeoff is horrific. Even if it shifted dramatically, I still doubt that backdooring encryption would help much."

As long as all encryption algorithms remain secret, then no one will be able to make their own software for secure communications and will thus be relying on software that's been backdoored by the government.

See? It's as simple as building a time machine and banning the publishing of crypto research worldwide for the last century.

Clive RobinsonSeptember 9, 2015 9:46 AM

@ Nick P,

The common statements act as if the mechanism itself doesn't exist. That's my gripe.

Whilst I agree parts of the "mechanism" are available in some circumstances, I'm also very certain neither all parts required are available, and even if they were they would in fact not be of any use in the cases Comey / Alexander consider to be the reason they --publicaly-- say they are a "must have".

Thus I can only conclude that the reason they want the mechanisum is for reasons very diferent to those they publicaly state. The reason for this is that the size of the group of people they claim to be after who are either "ill informed / stupid" is so small as to not be economically justifiable financialy or in terms of lost life / physical and mental injuries, thus there must be non --publicaly-- stated reasons for what they want, all of which as far as I can see are not legal unless very deceptivly carried out (such as routing US internal traffic across boarders to make it appear foreign traffic). Thus I'm concluding that the real reason for their need is to strip the rights of law abiding US citizens for political or economic reasons.

As for the parts that are not available, you first have to make some valid assumptions. The first of which is that once the secret data is encrypted with a suitable algorithm it is not obtainable without knowledge of the key. A second assumption is that if the resulting ciphertext is then put inside other carrier data via suitable stegonography that renders the ciphertext insufficiently distinguishable from the surrounding carrier data thus it's existance can not be proven as is (the constraint on the carrier data is the same as that for an OTP keystream which makes life complex at higher levels).

If the assumed actions are carried out either manually --via say fair dice, paper and pencil-- or via a mechanical or electronic device that is seperated from the transmitting computer via an "enhanced airgap" --ie no energy or storage coupling to it or the environment-- then it does not matter a jot if the transmitting computer has any kind of back, side or front door lawfull or otherwise, it's not going to allow access to the secret data.

This has been known for well over a century, which is one of the reasons why radio operators and cipher clerks were kept as tasks to be done by seperate individuals in seperate "chinese walled" environments, often with a third individual "super-enciphering" the ciphertext in between as another isolating step.

Neither Comey or Alexander can be ignorant of this and to have been appointed into the various senior positions they have been in over the past decade or so. It's part of the "reading in" process as well as being public knowledge in many open sources, including very popular fiction such as the "James Bond" books (see "From Russia with love") amongst many others.

So the "door" of any type on any computer is fairly easily avoidable by those who care to practice some not very demanding OpSec. The only thing they need is the basic knowledge, the ability to understand it and most importantly the patience to practice the OpSec reliably and maintain those "chinese walls". The thing about "Chinese walls" is not only are they an idea that is thousands of years old, they have since the stock market crash of 1929 become more and more a legislated buiness process and they are a basic requirment of nearly all financial processes currently. So the required OpSec is not only nothing new, they are actually well understood by very many people almost implicitly all be it by a different name.

Thus the "Golden Key", "Lawfull Front Door" or any other kind of technical mechanism on ICT can not do what Comey, Alexander, Cameron, May, et al claim of it, no mater how they claim otherwise.

And this brings us onto the next point in your post,

The policy, key management, and other aspects of your post are the next part of the discussion. And why it's impractical.

As I've already indicated I realy don't think "their policy" is about what thay --publically-- claim. Thus in the main the points although valid are kind of moot, even though it's not possible to meet them.

The point which is most definitely not moot to them is "tipping off", it's why they hate warrants and public court orders etc, and also why amongst other things they want more "conspiracy legislation" that can not be defended against.

It is why as I've said before about Comey, Alexander, Cameron May et al, "it's the users enviroment they want access to". And this can clearly be seen not just with the arguments the FBI and other US Federal legal argument, but also "Police Chiefs" in every WASP nation and just about all other Western Nations. Importantly it's not just ICT they have in the cross hairs it's also your movments, workplace, home, papers, possessions and friends and loved ones without exception. They want compulsory 24/7 surveillance on the masses from cradle to grave and beyond it's what drives the "Collect it ALL mentality".

It's a point people are not paying sufficient attention to, and one which will ultimately hurt us all if we don't address it publicaly as well. I'm not the first to notice this it's again in open literature, scientific, social/cultural and fiction. It's afterall a main stay plot argument in the first part of the one book by George Orwell every person who has ever heard of him can name, as well as many people who have never heard of him, "1984".

Which brings me back to the point I made at the top of this thread about Win 10 and their IC community previous "wet dream made real" CarrierIQ.

The idea is simple, if people are "technicaly reliant" turn the technology into surveillance systems the users not the IC community pay for.

The marketing industry is as far as I can tell not just the "biggest dollar industry" in the world, it's also the most invasive. It collects, stores, collates, analyses and makes available more data on this planets occupents than has ever been available to anyone at any point in our entire human history. The only problem the various Governments have on getting this data, is they "have to pay" and this is very noticable and often news worthy. Likewise both the LEOs and IC see the "have to pay" issue not just as a resource issue but also as "tipping off", worse they want not the "analysed data" but the "raw data", because "marketing" has different aims and objectives therefor different analysis.

Thus both the LEO's and IC want to get at the raw surveillance data as close to the "sensor" as they can. By happy coincidence those involved in the mass collection of raw data for the marketing analysis also want to get to "what people do" rather than "what people say they do". They also want to do it in as lower cost way as they can to maximise profit potential, and you can not get a much better deal than making people pay you for the surveillance you use...

Low cost goes hand in hand with low security, thus the communication of raw data back to the analysts is not going to be secure unless it's legislated for, which I suspect Comey, Alexander, et al will push against quite hard in one way or another.

But even if security is legislated for, it will be no more effective than WEP. But even if more secure processes were used, it would not solve the massively exploitable hole the KeyMat issue is. Thus you would end up with at best a low bit size PK infrastructure, but even if the bit size was large, the master private key would become a target. We know from Stuxnet Private Keys used by corporations for important security get known to the IC one way or another.

Thus with Microsoft and the hard forcing of Win10 onto ordinary users you have to start asking questions.

The first being "tipping off", because surveillance is an inbuilt feature of Win10 it's an active process from day one. Thus the LEO's and IC do not need to change anything, thus a user can not see any difference by monitoring of it in any way, so can not be "tipped off". If Microsoft or some part of it --as many suspect-- is complicit with the US Gov, IC and LEO's then upgrading the type of monitoring will not happen to one individual using Win10 but all users using it via the standard patching process.

Thus from the IC community view point, no "tipping off", no "sensor cost", no "communications infrastructure cost", no "deployment cost", oh and "plausable deniability", what's not to like from their point of view... As for the LEO's all they have to do is play along via "parallel construction" which we suspect they are upto already, and in a number of cases they directly or indirectly control "public place surveillance" via CCTV and road tolls etc all of which is going to rise as technology costs, so they have "bargening power" with the IC for quid-pro-quo.

But the problem is Win10 is not ubiquitous nor are other commercial OS's, so there is a fly in the ointment not on the wall. How to solve this... well the recent anouncment by the FCC gives a solution, even if it was not intentional behaviour by the IC or LEO's.

Soon, you will not be able to buy a consumer computer without some kind of RF transmitter in it under software control, it's the way of the marketplace and unavoidable without legislation. The FCC along with the desire of manufactures to increase profits will make the likes of Open Source software at lower levels less and less viable. Provided the "mechanism" used for the "sensors" and "wireless" remain at or below these levels then it's "game over" for by far the majority of uses.

I fully expect to see other "safety" legislation and rules that not only protect vested interests in the market but also make the IC and LEO's reach much greater as it has in the past with telephone standards... As I've mentioned before this sort of "finessing" is a game they have been playing since before the end of the Second World War.

The sad thing is that even though there is much documented "previous" on this, Joe Public does not want to come to terms with it partly because believing the FUD of Comey, Alexander, et al is easier than actually doing something like think. So as a result slowely slowely the net closes around society, because they have been sold a belief in "beads and baubles" whilst being robbed blind (something native american history, and what little is known of the Aztecs and many others can tell us).

Dirk PraetSeptember 9, 2015 1:40 PM

@ Anura

It's as simple as building a time machine and banning the publishing of crypto research worldwide for the last century.

No, it isn't. If I remember that physics class correctly, you could in theory travel forward in time but never travel back further than your original starting point. So unless someone has managed to create a time machine somewhere in the past, this option is off the table.

CallMeLateForSupperSeptember 9, 2015 2:12 PM

I posit that "back door" has outlived its usefullness and should be abandoned.

A-way back when, everyone who encountered that metaphor subconsciously translated it as "third-party access method". No problem. But recently the double- and N-speak LEO and COMINT folks brilliantly adapted the blueprint for "back door" to introduce ... TA-DAH! ... a red herring, the "front door". The second prong of their two-prong obfuscation campaign was as bold as it was vapid: profess the existance of a fundamental difference between a cryptographic front-door and a cryptographic back door. In a nut shell, back-door is sneaky and wrong; front-door is open and right. Balderdash.

This subject is third-party access. Our calling it what it is would go a long way to both de-obfuscating our half (at least) of the conversation and steering the conversation back on track.

AnuraSeptember 9, 2015 3:52 PM

@Dirk Praet

No, it isn't. If I remember that physics class correctly, you could in theory travel forward in time but never travel back further than your original starting point. So unless someone has managed to create a time machine somewhere in the past, this option is off the table.

Was your physics class "Primer"?

Anyway, backwards time travel is thought to be impossible due to causality - however, I was watching a documentary and there was a guy who went back in time to 1947 (which caused the Roswell incident) and slept with his grandmother, making him his own grandfather. They also showed that if you travel far enough into the future, the entire universe would repeat and you can just keep going until you reach your intended time.

Nick PSeptember 9, 2015 4:17 PM

@ Dirk, Anura

It's really a matter of if strong crypto was invented before or after the DeLorean model was fielded.

@ Clive Robinson

Those extra, hidden requirements are important. Someone really should put together a series of use cases that connect to requirements. Then, illustrate those requirements along with the clear indication they're a backdoor. I also keep pushing for emphasis on how these don't merely provide read-only access: they allow planting of evidence in ways that would be undetectable by software forensics and be admitted in a trial. That plus the Hoover blackmail precedent should be pushed more to the forefront of the debate in terms of risk. Nobody wants a Chinese hacker to easily frame or extort them because they used *U.S. government approved* "security."

Dirk PraetSeptember 9, 2015 4:56 PM

@ Anura, @ Nick P

Was your physics class "Primer"?

We spent some time on the issue while studying stuff like the Gödel metric and traversable wormholes. When I was younger, I was totally into particle physics and quantum mechanics, but since I thought myself too stupid to make a career and a decent living out of those I accidentally ended up in IT. I still intend to go back to university as soon (or if ever) I have enough money to retire. Scholarships, sponsoring or a job at CERN always welcome 8-)

AnuraSeptember 9, 2015 5:42 PM

@Dirk Praet

Honestly, moving out of IT could be a nice change for me, but I don't know if Physics is really a good field for me. I'm just sick of sitting in front of a computer screen all day, shaking my head at the stupidity of some programmers. Although this may just be because I'm in a bad mood after I see that someone managed to insert 3 blank lines between every existing line of code in a file, nearly a year ago, and no one has bothered to fix it. I guess they are so used to code being so unreadable, with no consistency that they didn't notice. Maybe I just need a better gig.

name.withheld.for.obvious.reasonsSeptember 9, 2015 11:01 PM

@ Clive Robinson,

But the problem is Win10 is not ubiquitous nor are other commercial OS's, so there is a fly in the ointment not on the wall. How to solve this... well the recent anouncment by the FCC gives a solution, even if it was not intentional behaviour by the IC or LEO's.

Two things; the last few years has seen a major shift in internal operations, rules, and "missions" within the IC, and, there is a concerted effort to leverage "everything" to the extent possible to build a technological control system that can be applied at every level.

One, the new re-constituted CIA is noticeable missing from DoD directives, memorandum, and policies where there once was a relationship--at least with the ODNI--it is unclear "where" the CIA now lies (deliberate pun). Two, future deployments consisting of the "last mile" of the surveillance network are near to completion.

Combine this with what I mentioned before regarding the coup subverting civilian law and authority and a system designed to "manage citizenry" and produce "compulsory compliance" by eliminating the space (figuratively and literally) bewteen the citizenry and the state and it is "game-over".

Ironically, the operatives currently at the helm of this project don't understand that the state's new weaponry will be turned and pointed at them. The world that Snowden envisions as all but inevitable will become a place few will "want" to inhabit.

Nick PSeptember 9, 2015 11:22 PM

@ name.withheld

"onically, the operatives currently at the helm of this project don't understand that the state's new weaponry will be turned and pointed at them. The world that Snowden envisions as all but inevitable will become a place few will "want" to inhabit."

The part that bothers me the most. It's why I keep thinking about trying to convince the elites to help deal with this. They're untouchable from conventional and legal attacks most of the time. However, they could be quite vulnerable to a power-made intelligence service or rogue operatives in it. They also have the pull to possibly deal with the problem. Whether they'd do it or care is another matter. But they seem like a better shot than the American people at this point.

Wesley ParishSeptember 10, 2015 12:44 AM

@Nick P

See my confusion? They say one thing in one venue and another thing in another venue despite the capability being the same thing! You can build remote access in for limited parties. There might be vulnerabilities found in it over time. That's true for anything.
I would say commercially available Remote Access contains several components: protocols used to communicate; processes to run on remote computer; storage access (this is divisible into working memory, short-term memory and long-term memory, eg, RAM, flash or the equivalent, disk and backup); and permissions.

Permissions range from the "global" rights granted to the remote accessor to a username and password right down to "granular" rights conferred by Read/Write/Execute permissions on directories and files.

As I read the various statements of various figures wanting these legal remote accesses to my hardware and software, they propose to do all this without bothering to specify the proposed permissions they require. Much less all the other troublesome technical details.

Much less the social permissions required by the law to make sure their actions are limited.

Again, most of these technical details are openly discussed and the source code of many implementations are freely available to study and improve. That's because reputations are at risk.

Is the NSA and the like going to allow similar treatment for their Remote Access software and hardware? Not the way they're reacting to Snowden!

tyrSeptember 10, 2015 6:29 PM


CIA is perfectly happy to be invisible while throwing NSA
and others under the bus of public opinion. Every time in
the past they have had the light of scrutiny shine on them
it has been disastrous to their mad schemes. Conspiracy
theories have all turned out to be true and much worse than
any nutty could possibly imagine.
Thats the clear legacy of secrecy and unaudited financials in
government. What is most amazing to me is how easily academics
have rolled over to play dead on command by ignoring the set
of materials that are available from the actors in this farce.
Not tinfoil hat jobs, just their own documents that either
slipped through the cracks or were finally released in public.

The race is on to clamp down on everything ignoring the lesson
that putting all your eggs in one basket is defined as insnaity.
The other side is gearing up for a new set of Nuremberg trials
in which the highly touted rule of law gets applied to those
who rave on about it.

Nature always gets the last play in the game and if you think
we are immune you're delusional.
If you like Black Swans, try this one. A massive flare from
Sol is pointed directly at Earth.
Flares happen all the time the only thing different is the
direction. Now figure out what are the consequences of losing
95% of communications for our modern society. Imagine a world
without TV to store and Opiate the masses and no Cellphones
to bitch about their sudden plight.

All that money that used to be paper tokens but that is now
ones and zeroes in comp systems vanishes instantly in a puff
of solar particles. All the people barely trusted because of
records are suddenly free to make up whatever they wish to
adjust any real wealth into their own pockets. The world
government the fiveys have been building falls apart since
the currency of control given by surveillance evaporates into
thin air. The dick pics biometric database is unreachable.
So you think no problem we'll just recreate a technically
compartmentalized and interconnected society from scratch.
How hard could that be ? It took until 2000AD for them to
understand how the Roman Coliseum sunshades for the crowd
worked and they had coins with the pictures on them. One of
the ugliest myths humans drag around with them is teleology.
The smooth arc of onward and upward into a glorious future
of betterness. Nobody who has been around this community
should harbor that illusion, if it was true comp should be
the most secure of human endeavours instead of the least.

Look at "cyberwar" the whole idea of throwing dynamite at
interconnected glasshouses and hoping it works without
burying you under broken glass needs to be ridiculed out of
existence before the State actor malware rebounds on the
fools who thought it was a wonderful idea.


SkepticalSeptember 11, 2015 8:24 PM


@Coyne: I actually LOL'd when I read this. You think this is about having a democratic discussion, where the public have a say? Nothing the TLAs have done to date suggests that they're interested in a public discussion as anything other than a smokescreen for the next Patriot act.

I think that a frontdoor is something that we CAN discuss, that we CAN examine, and that we CAN decide whether to approve or not. A backdoor is not.

Therefore from a PROCESS vantage, from an ACCOUNTABILITY vantage, from a DEMOCRATIC vantage, a frontdoor differs significantly from a backdoor.

@name.withheld: When @Skeptical defines front doors as "susceptible" and democratic processes that form dissent, he is indirectly forming a risk analysis/perspective that democratic processes are inherently dangerous/bad.

My point is precisely the opposite.

@Wesley: the time you attempted to persuade us that increasing complexity did not increase vulnerability and risk ...

I said, in what I described as a very minor point, that complexity does so only given certain assumptions and circumstances. Those assumptions and circumstances often apply, but we should not treat a rule of thumb as an axiom of logic.

you haven't mentioned that a front door that is opaque to the average citizen, that he does not know about, let alone the location thereof, is not in fact equal to a material front door at which the LEO has to present the search warrant, duly signed into force by a judge.

Not all warrants need be presented before a search takes place - and that has always been the case. Nor need frontdoors be opaque, necessarily, to the average citizen - unless you mean that they're opaque given that the average citizen knows little about security, which is true but a trivial point.

@Dirk: Reading between the lines of @Skeptical's last comments, he too hints at the fact that unless the industry cooperates voluntarily, the government will just find another way.

I'm being as explicit as words permit. Legitimate functions of the government include, indeed depend upon, figuring out how to intercept communications, to extract data from information devices, etc. If you tell the FBI that the sex-trafficking ring it's investigating only communicates using this program on that platform, etc. etc., and the FBI believes that serving a warrant will serve no end, then the FBI has a duty to seek and to find alternative methods of gaining access. And that certainly includes the use of backdoors, undisclosed vulnerabilities, etc.

Wesley ParishSeptember 12, 2015 5:40 AM

@S[k]eptical

I think you could inform us about relevant RFCs on backdoors, frontdoors and the like that the TLAs have issued. So far I've only seen statements on how they think they should have Remote Access by right into whoever wherever whenever. That's not a discussion or even an attempt to start a discussion, that's a demand.

Oh, the TLAs have also complained bitterly whenever they have been unmasked, which is hardly behaviour one would expect from innocent LEOs merely doing their job: according to their own much-repeated mantra of "If you're not doing any wrong, you have nothing to hide; if you have nothing to hide, you have nothing to fear", they have plenty to hide and thus plenty to fear, ergo, they are doing plenty wrong.

So the actual behaviour of the relevant TLAs is hardly consistent with the picture you are attempting to paint of them.

To reiterate: in the internet development and maintenance community and in the cryptography/logy field, there is a universal acceptance that stuff to be worth developing, has to be open to public scrutiny. In the internet development and maintenance community this is done via Requests For Comment. And Remote Access is the field in which these mythical "Front Doors" would exist: FTP, HTTP, Telnet, SSH, and the like are the traditional (legal) occupants of that field. So far no one has ever seen any such thing from any of the US Federal Government's massive "Intelligence" and "Security" Agencies. But that is the recognized legal method of opening any such discussion on this topic. And @Bruce'll confirm for you that something similar applies to cryptography.

So they're about as serious as any spieler you'll meet in a crowded bar after a few too many drinks. Some Mothers Do 'Ave 'Em

SkepticalSeptember 12, 2015 1:57 PM

@Wesley: So far I've only seen statements on how they think they should have Remote Access by right into whoever wherever whenever. That's not a discussion or even an attempt to start a discussion, that's a demand.

No, all Comey has asked for is a discussion. There was actually a post about it on this blog recently. You should look it up.

Nor has anyone even suggested lawful access implies the ability to access anything, anytime, at will. In general, most of the statements in opposition above simply assume the worst possible kind of mechanism and then speak against it.

For instance, rgaff's:

A security system with TWO DOORS.... one for the intended recipient... and another for THOUSANDS OF GOVERNMENT AGENTS TO ACCESS AT WILL... is the LEAST SECURE of all... because you don't just have one person with access, you have THOUSANDS of people with access. This is thousands of times worse exposure

And this is simply incorrect. Why would the front door be one that thousands can access at will? There is little reason for this supposition. It's mere fear-mongering at this stage.

Look, privacy is important, and strong encryption is an important tool to achieve that end.

But in our societies we also value the ability of our government to investigate possible criminal activity and to, with a warrant or appropriate judicial authorization, intrude into areas that would otherwise be private.

It's silly to pretend that only the former is valued, and not the latter. In a society with an independent judiciary, rule of law, and legal protections of rights, the remedy against inappropriate government intrusion is not a door that is unbreakable but rather a process that allows redress.

Now if we believe that those processes are insufficient, then THAT is where the focus should be: on improving those processes. Frankly the focus on preventing government access even where lawful and desired is somewhat bizarre. The US Government is not suppressing free speech, oppressing political dissidents, or undertaking any such actions that would render the systematic thwarting of such access a good thing.

The discussions in these comment threads will sometimes devolve into a weird roundtable where the US Government is considered public enemy #1, responsible for every evil under the sun, and against which all cutlery and communications must be locked.

And - I'm sorry - but that's a kind of bizarro-world. Really, the discussions are rather precise analogues to those held by fervent defenders of "gun rights", who believe that individuals with firearms are the true bulwark against government abuse.

You do not assure liberty or privacy by engaging in an unending arms race with your own government. Instead you develop institutions, processes, and cultures that enable those values to be defended as part of your political and legal framework.

All that said, there are less far-fetched reasons to be skeptical of frontdoor proposals to security features, but these reasons don't have anything to do with the supposed evil of law enforcement or intelligence agencies. And these reasons are much more contingent upon specific features of any proposal, and upon the state of technology.

I thought the short paper issued in the last few months by a group of eminent authors is a good start to a serious discussion. But it's not a finish, and many seem oddly intent on thwarting serious proposals from ever being developed - as though the very thought should be taboo. Anthropologically it's fascinating, but it's a self-inflicted wound, or akin to the adoption of a set of blinders.

The trends in technology, in the developing world, and in the rise of non-democratic powers, all point to a future where such blinders are not sustainable. 9/11 will probably not be the last terrorist event of its magnitude. World War II will probably not be the last war in which democratic nations find their future existence challenged. History hasn't ended - if anything, it seems to have accelerated in certain respects.

We can have discussions where we take these trends seriously now - or we can pretend that such trends don't exist, and we can have the discussion and develop proposals during a crisis. The choice is our own. Often democracies tend to wait for a crisis - and certainly those without a true sense of history do - though to be fair, it's a bias that affects us all. Will we do so again? I would not be surprised; and once that storm breaks, there will be neither the will nor the time for careful design.

Dirk PraetSeptember 13, 2015 8:09 PM

@ Skeptical

The discussions in these comment threads will sometimes devolve into a weird roundtable where the US Government is considered public enemy #1

As an EU citizen faced with an unacceptable privacy invasion through mass surveillance and bulk data collection by the US government and US tech industry, I am very sorry to say that in this particular field the USG is indeed public enemy #1.

Furthermore, the USG has shown itself to be utterly incompetent at keeping secrets (Manning, Snowden, OPM etc.) and as an ally completely untrustworthy by its grand scale spying on our politicians, institutions and corporations. In this context, the USG simply cannot be trusted either to keep any type of OOB access secure or not to abuse it. Because unfortunately reality is telling an entirely different story.

So my advice to Comey and his gang is twofold: instead of whining, try to regain the public's trust and then come up with a decent proposal of your own. And then maybe we can talk.

Clive RobinsonSeptember 13, 2015 8:56 PM

@ Dirk Praet,

Furthermore, the USG has shown itself to be utterly incompetent at keeping secrets (Manning, Snowden, OPM etc.)

You forgot to mention the USG "burning" it's allies assets & sources for the sake of a little pointless Political grandstanding.

There are other things such as making local interpreters in Iraq and Afghanistan highly vulnerable to insurgent forces etc.

Such behaviour "Does not make friends" or influence people positively as I'm sure they will find out on their next deployment of "boots on the ground".

rgaffSeptember 13, 2015 11:52 PM

"Why would the front door be one that thousands can access at will?"

Last time I checked, there's more than one person working in the government... Whatever number of government and corporate people have access (everyone from the administrators taking care of the systems involved to the actual analysts), it's going to be that many times more vulnerable than if just the intended recipient had access.

You, Skeptical, KNOW THIS... and your picking on my word "THOUSANDS" instead of ceding my point, makes you A DAMN LIAR AND DECEIVER... Is this the least untruthful answer you got?

gpoffSeptember 14, 2015 4:09 AM

>The trick this "collect everything" idea is trying to work is to eliminate the past tense and make it all current tense. That is in effect they are trying to build an 'Informational time machine'.

That's partly true. A time machine would capture all states as if snapshot. Thus in effect it works with slices of time. However, what they really have us on a correlation machine not lets see what went back in time machine.

Wesley ParishSeptember 14, 2015 5:54 AM

@S[k]eptical

I was remembering the hoo-haa over the Clipper chip while reading your last post, and I was wondering if you understood that this whole point, of sanctioned "front/backdoors" was gone over in minute detail during the late nineties. I'm sure @Bruce can fill you in on the details; IIRC, he was involved in shooting it down.

And lo and behold, the US "Intelligence" and "Security" communities went right ahead and broke the law anyhow. I don't know that 9/11 was even required.

Ask @Bruce. I'm sure that the idea of having to reiterate that 1 + 1 = 2, 1 - 1 = 0, 1 * 1 = 1, and 1 / 1 = 1 to another set of thick politicians and bureaucrats delights him - NOT!

rgaffSeptember 14, 2015 1:04 PM

@Wesley Parish

Reiterating basics to someone who genuinely doesn't understand and wants to learn, is actually a delight... What's not a delight is wasting one's time trying to teach someone who simply has an agenda to deceive, regardless of whatever the truth may be. Therefore, keep in mind that a response to Skeptical isn't really for his benefit, it's for the other readers here so they are not led astray.

SkepticalSeptember 20, 2015 5:08 PM


@Dirk: Governments, even allies, spy on each other. The notion that the US has been anything but an absolutely staunch and vital ally of Western Europe for over a century now is ludicrous in the extreme.

As to your personal information, with respect to the private sector, I agree that there's a serious problem, and, beyond that, I think Europe is ahead of the US in taking on the problem with appropriate legislation. Beyond that, unless there's some particular reason for a foreign intelligence agency to want to look at your private information, you probably have a better chance of being struck by lightning than of having anyone in NSA look through your private information.

@rgaff: You're missing my point. Not every cop has access to your home simply because, with a warrant, he can lawfully enter it. Something similar might apply to certain methods of accessing particular communications or information. You might need, both technically and legally, the involvement and consent of multiple parties.

@Wesley: :)

ChasIsSeptember 21, 2015 10:34 AM

The front door problem is simple, you encrypt with the most secure method, that's the users', then you do it again using the TLA's keys, guess whose that is? They get their copy, nobody gets your's. They don't have your keys, they have their own. It's not the key to your house, it's the house next door that is *exactly like your's, furniture and everything.* (Then we figure out how to feed their's a different clear-text (different, interior designer.) Done "right," the API delineates the two steps.)

Dirk PraetSeptember 21, 2015 6:26 PM

@ Skeptical

Governments, even allies, spy on each other.

In most, if not all relations, partners also lie to and cheat on one another. Some do it occasionally, for others it's just a way of life. One thing I do know is that no relationship survives serial lying and cheating. Every relation is based on mutual trust and respect. Once that's gone, the relation turns sour, especially if one of the partners keeps maintaining that there really is no problem.

.... unless there's some particular reason for a foreign intelligence agency to want to look at your private information, you probably have a better chance of being struck by lightning than of having anyone in NSA look through your private information.

I'm very sorry that I don't feel comfortable with foreign governments and corporations collecting any type of information on me and against my will, especially when it's against the laws of my own country. Whether or not they actually look into it is just a secondary concern.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.