
New Jersey Congressman Seeks To Bar NSA Backdoors In Encryption

timothy posted about 7 months ago | from the that'll-stop-'em-sir dept.


Frosty P writes "Congressman Rush D. Holt, a New Jersey Democrat, has proposed legislation (summary, full text) that would prohibit the agency from installing 'back doors' into encryption, the electronic scrambling that protects e-mail, online transactions and other communications. Representative Holt, a physicist, said Friday that he believed the NSA was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced. 'We pay them to spy,' Mr. Holt said. 'But if in the process they degrade the security of the encryption we all use, it's a net national disservice.'"


Pointless posturing (5, Insightful)

Scutter (18425) | about 7 months ago | (#44782891)

A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*

Re:Pointless posturing (1)

Anonymous Coward | about 7 months ago | (#44782903)

I am so very glad that every single time the media says "encryption", they are so careful to tell me it is a form of scrambling. I think journalists who don't tell me this are not merely fired but also executed. I mean after the first few hundred times a fella tends to forget these things, you know?

Re:Pointless posturing (2)

AHuxley (892839) | about 7 months ago | (#44783123)

It seems a lot of CS and other grads missed the basics of testing/coding/understanding/selling/buying/reading up on .....encryption too.
If they had a hint of something extra in their hardware/software why did they not notice, speak up, go to a conference?
It seems as if the world fell for the hardware and software exports without saying too much...over many years, so many staffing changes...
All just too happy to install the new devices/upgrade and let their own govs trust it?

Re:Pointless posturing (2)

Joce640k (829181) | about 7 months ago | (#44783317)

Just be thankful they don't feel the urge to explain what 'scrambling' is.

(Somehow everybody knows what 'scrambling' is. From birth.)

Re:Pointless posturing (2)

zippthorne (748122) | about 7 months ago | (#44783477)

Is there encryption that works like "scrambling"? (i.e. requiring the decryption of the entire message because information about each character is spread out to the whole thing?)

From what I've read (not much, so I'm probably totally off base), I think such encryption would be pretty ideal, and maybe is naive explanation of what's going on in each block of a block cipher, but would be murder on cpu for any message larger than a small email...

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44783577)

that would probably be done at the encoding level

Re:Pointless posturing (2, Insightful)

Anonymous Coward | about 7 months ago | (#44782907)

A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*

Well, it is politics. And who knows, maybe he's just offering up another law the government will pass and then ignore, all the while telling us that it has restrained their efforts.

At this point I'd need independent verification of a weather report if it was supplied by our government.

Re:Pointless posturing (2)

PopeRatzo (965947) | about 7 months ago | (#44783065)

At this point I'd need independent verification of a weather report if it was supplied by our government.

It's why the government invented windows that open.

Re:Pointless posturing (1)

Connie_Lingus (317691) | about 7 months ago | (#44783169)

It's why the government invented windows that open.

I'm 100% sure that if governments invented windows, not only would they not open, they would be made out of plywood, not glass.

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44783191)

Yes, but remember that with the first version, you couldn't have two next to each other.

Re:Pointless posturing (5, Informative)

Red Jesus (962106) | about 7 months ago | (#44782961)

Whoa, now. While it's true that the NSA has a history of disregarding the law, it's bad to fall into the trap of believing that there's no point to creating such laws at all.

What do you want Congressman Holt to do? Rip off his shirt and physically attack James Clapper? That's not going to help curtail the powers of the NSA and you know it. Congress creates laws. That's what they're supposed to do. If you think the law is a good idea, then proposing the law isn't "pointless posturing," it's Congress' job.

It's easy to get so lost in cynicism that you stop believing that forward progress is possible. But it's an ugly fact that many of the NSA's recent activities have had explicit Congressional approval. Revoking that approval is an essential step to fixing the situation, and Congressman Holt should be applauded for attempting to do so.

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44782997)

What do you want Congressman Holt to do? Rip off his shirt and physically attack James Clapper?

I'd rather he kept his shirt on. We don't want people to get the wrong impression about our government's attitude towards man-on-man semi-nakedness.

Re:Pointless posturing (5, Insightful)

Scutter (18425) | about 7 months ago | (#44783021)

I would like our current laws to be enforced. If the NSA is violating the law, those responsible should be prosecuted. If they aren't enforced, then there is literally no point in creating new laws.

Re:Pointless posturing (5, Insightful)

Jah-Wren Ryel (80510) | about 7 months ago | (#44783189)

I would like our current laws to be enforced.

As John Oliver said on the Daily Show when these stories started to break:

"Mr. President, no one is saying you broke any laws, we're just saying it's a little bit weird you didn't have to."

Re:Pointless posturing (5, Insightful)

bondsbw (888959) | about 7 months ago | (#44783195)

Any law that the NSA violates puts them at risk in court, and this could be especially hazardous as political climates change.

If the law isn't being enforced, that is the direct fault of the President of the United States. He is in charge of enforcement, especially of executing laws related to national security. Don't weaken the law simply because the President fails to act.

Re:Pointless posturing (2)

b4upoo (166390) | about 7 months ago | (#44783291)

It is rare that laws can restrain government in areas that approach national security. First there are problems with statutes of limitations as usually things are discovered too late for legal remedy. Then there is an issue as to whom prosecution should be focused on. Since the president directs the armed forces there is a certain power of office that demands action when it involves threats to national security. Then there is the simple fact that ways to get around the laws are known to government agencies. For example if a back door is created and installed in a product it could be done offshore. That makes American law inapplicable in many cases. Phone intercepts have been handled that way for many decades. The signal is diverted to England where it is decoded and sent back along the wire. Even the use of torture has the same gimmick. We put prisoners in the hands of foreign powers knowing full well that they will be tortured even to death in order to gain information. This goes on today by the way. And our government will claim they do not know what foreign governments do. A list of secret prisons outside the US that exist for US prisoners is easy to come by as it has been on the web.

Re:Pointless posturing (4, Insightful)

istartedi (132515) | about 7 months ago | (#44783385)

I would like our current laws to be enforced

And... Enforcement is the job of the Executive Branch, not Congress. Lots O' luck.

Re:Pointless posturing (1)

scsirob (246572) | about 7 months ago | (#44783113)

Well, a first step could be that those people at the NSA who are responsible for not abiding by the law are identified and brought to justice. Laws already exist, and people who break them should be dragged into court. I'm sure if some of the NSA hotshots find their a**es in jail, other hotshots will pay attention and perhaps think twice before trampling the laws again.

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44783141)

Cut off funding (on the books and off the books) to NSA until the matter is settled in the legal process.
Meanwhile figure out a way to have the proper overseeing of NSA activities.

>Rip off his shirt and physically attack James Clapper
Vladimir Putin would approve!

Re:Pointless posturing (2, Insightful)

Anonymous Coward | about 7 months ago | (#44782993)

Well all the good congressman and his peers need to do is de-fund the NSA and their activities. No Bucks, no retards spying on everybody but you see it's no secret that the intelligence committees in the House and Senate have members who create rules themselves and classify information, denying basic information to the rest of their congressional counterparts. [commondreams.org] Not only do you have the NSA spying on everybody, you have the committees keeping it a secret from the rest of congress! What a great and open system we have! What's more disgusting is that these assholes, the ones who defend the NSA the most fervently, receive lots of campaign contributions from guess who? companies with vested interests in keeping the system going because they provide services and technology to guess what the NSA. This is why the seniority system in DC is bad, very bad for our rights and our nation.

It's time to do three things in this country. 1) Introduce term limits for congress. Sorry, Feinbitch, McShame, your time is up and it's clear you don't have the best interests in mind for our country. 2) Change campaign funding legislation and limit all contributions to $1000 from any company or private party. 3) We need to re-introduce Stocks (not the wall street kind) [wikipedia.org] in DC and start putting these assholes in them for a week or two, I'm sure it will be a boost to the local economy in terms of travel and vendors selling rotten tomatoes.

Re:Pointless posturing (1)

fustakrakich (1673220) | about 7 months ago | (#44783747)

If funding is cut off, they will simply revert back to this [fas.org], not that they ever stopped doing things that way.

Term limits are stupid. Just look towards Mexico to see how effective they are. Corruption sees the law as damage and will always route around it.

Authority has gone rogue, and instead of trying to stop it, most people are looking for a piece of the action. That's just nature at work.

Re:Pointless posturing (1)

Z00L00K (682162) | about 7 months ago | (#44783007)

That would be the most toothless law ever.

No prosecutor would even think of trying to go against the NSA unless he's willing to spend the rest of his life somewhere in the outback of Alaska.

Brave Duty (1)

duckintheface (710137) | about 7 months ago | (#44783111)

Oh yes, there certainly would be brave prosecutors and brave judges who would face down the NSA, just as Edward Snowden has, regardless of the personal cost. But they must have a law to work with.

The greatest threat in the face of evil is complacency. The greatest power of despotism is the ability to induce self-censorship.

Do you recognize evil when it is reading your email?

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44783143)

It would depend on the wording, but it seems more likely that one would file a lawsuit against the government in such a situation.

Re:Pointless posturing (1, Insightful)

SuricouRaven (1897204) | about 7 months ago | (#44783027)

The NSA is an agency out of control. To lie to the people is expected of an intelligence agency - to lie to Congress is another matter entirely.

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44783041)

It is only pointless if you assume that the point is to stop the NSA from installing back doors. It isn't. The posturing is the point. It will give him more credit than it will cost him. That is the point.
I guess it was his turn to harvest some "man-of-the-people" credits.

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44783053)

The "do nothing" party continues to urge acceptance of your status as chattel.

Cynicism is neither productive nor attractive.

Wimps.

Re:Pointless posturing (0)

Anonymous Coward | about 7 months ago | (#44783057)

Yeah really rather pointless. If they want to punish the NSA they should just de-fund them.

Re:Pointless posturing (1)

return 42 (459012) | about 7 months ago | (#44783107)

A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*

"There's this about cynicism. It's the universe's most supine moral position. If nothing can be done, then you're not some kind of shit for not doing it, and you can lie there and stink to yourself in perfect peace." (Paraphrased from "Borders of Infinity", Lois McMaster Bujold.)

If there are laws in place that clearly prohibit certain activities, and the NSA (or whoever) continues to practice those activities in defiance of the law and lie about it, there will be more people in the know who will be faced with an ethical conflict and who will have a clear moral imperative to blow the whistle, as Snowden did. Continue that cycle long enough, and Congress will eventually have to clean house, defunding the NSA, impeaching the president, or whatever it takes.

Re:Pointless posturing (1)

AlphaWoIf_HK (3042365) | about 7 months ago | (#44783441)

If there are laws in place that clearly prohibit certain activities

The constitution is already in place, and it quite clearly prohibits them from doing this nonsense (they didn't have any probable cause to spy on millions of innocent people, and since that is the case, any warrants the FISA courts handed out are invalid).

Re:Pointless posturing (0)

slick7 (1703596) | about 7 months ago | (#44783279)

A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*

Well at least he'll be a short term politician.

Re:Pointless posturing (5, Informative)

swillden (191260) | about 7 months ago | (#44783481)

A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*

Your cynicism has run away with your sense.

The NSA has clearly been breaking the law, but they've been doing it through a series of rationalizations, and they've just been edging over the line, not just ignoring the law completely. Specifically, they have redefined the word "collection" to mean "reading", which allows them to hoover up all the information they can get access to and then only later have to decide what they can legally look at and what they can't. And, of course, once they have the data, mistakes are inevitably made or in some cases they may even decide flat out that there is sufficient justification to ignore the law "in this case". And of course there has been no law at all against installing back doors, just a tension with the other mission of the NSA, which is to ensure the security of US signals. Again, some rationalization can allow them to get past that.

That's the kind of thing that it's very easy for good people who feel like they're working for the higher good to do. They can easily tell themselves that they're following the law except in isolated cases where it really, really matters because they have really, really good reasons.

A law like this would be different, because backdooring systems must be done well in advance of any specific case where the backdoor would be used, making it extraordinarily difficult to rationalize it... and also making violations abundantly clear. To really make certain, the law should apply severe criminal penalties to anyone who knew about and didn't report the violation.

I would like to see the law also require them to quietly go about closing all of the backdoors/weaknesses they've already put in place.

Another change to the law that I think would be very useful is to explicitly clarify the definition of "collect". Granted that it's impossible in many cases not to collect a little extra data alongside the stuff that you're really trying to grab, but that could be addressed by specifying data retention limits in the law. Perhaps they should only have 24 hours to evaluate the origin/destination of captured data, and then be required by law to discard anything that they can't substantiate as being lawful for them to collect. Another suggestion I've heard would allow the NSA to capture everything they want, but would require them to immediately escrow all of it with a court or other agency, from whom they could request the pieces they can show they should have access to. That court or agency would, of course, have as its primary job to ensure the NSA doesn't cross the lines.

Re:Pointless posturing (1)

AlphaWoIf_HK (3042365) | about 7 months ago | (#44783797)

and they've just been edging over the line, not just ignoring the law completely.

No, they're ignoring the constitution completely.

Locks? (5, Insightful)

QuantumLeaper (607189) | about 7 months ago | (#44782893)

If the NSA can get through a Backdoor, how do you know if a competitor or enemy is not getting in through the same backdoor?

Re:Locks? (0)

Anonymous Coward | about 7 months ago | (#44782917)

Exactly. The NSA might as well be an ice cream stand at this point, because the moment all of these leaks started happening the Gov created a new Shadowcorp to put a back door into the NSA.

Re:Locks? (2)

Teancum (67324) | about 7 months ago | (#44782949)

If the NSA can get through a Backdoor, how do you know if a competitor or enemy is not getting in through the same backdoor?

You don't. It is as simple as that.

There are some at the NSA who really do try to make encryption which is really good... hence why it would be used for military applications as it can't be as easily decrypted. Still, it doesn't hurt to get the best guys in the business to at least try cracking this stuff.

There are quite a few non-classified papers that have been authored by NSA employees over the years, and their work has been used for improving cryptography tools by people who have a clue about this stuff who also do software development. Simply put, if the NSA thinks that a particular encryption method is vulnerable, you should be paying attention very closely and likely be shifting to something else. If you keep using that same encryption method in spite of the warning, that is your own damn fault for not paying attention.

Of course there are a lot of home grown encryption hobbyists who think they know better than the real pros and try to come up with something better. On a very rare occasion, they might come up with something really good, but far more often they simply repeat mistakes made in the past or simply duplicate encryption concepts that have long since been broken.

Of course you can convince some MBA managers of software teams that double ROT-13 encryption is strong enough for the kinds of things they are doing.

Re:Locks? (1)

Anonymous Coward | about 7 months ago | (#44782999)

Of course you can convince some MBA managers of software teams that double ROT-13 encryption is strong enough for the kinds of things they are doing.

If twice is good enough, then four times would be twice as good!

Re:Locks? (2)

djmurdoch (306849) | about 7 months ago | (#44783029)

Simply put, if the NSA thinks that a particular encryption method is vulnerable, you should be paying attention very closely and likely be shifting to something else.

And Bruce Schneier is saying [schneier.com] that since the NSA is encouraging you to use elliptic curve encryption, that's an indication that you shouldn't use it.

So don't use what they recommend, and don't use what they don't recommend. Makes the choice easy, doesn't it?

Re:Locks? (1)

qwijibo (101731) | about 7 months ago | (#44783087)

Yes, the choice is easy. Don't trust anything the NSA says. They can lie to congress with impunity, what does that tell you?

If Bruce thinks elliptic curve encryption is suspect due to the NSA's statements, I'll defer to his experience and expertise.

There are plenty of encryption algorithms that are considered secure by the security community and non-NSA affiliated cryptographers. Those are all perfectly good choices based on their own merits.

Re:Locks? (1)

Somebody Is Using My (985418) | about 7 months ago | (#44783131)

So don't use what they recommend, and don't use what they don't recommend. Makes the choice easy, doesn't it?

There's always the gripping hand...

NSA: Don't use ROT-13!
User 1: Ah, good advice. That's not secure.
NSA: Use elliptic curve encryption!
User 1: Ha! I know your tricks; you've already compromised that encryption, haven't you? I won't use it!
User 2: What about symmetric-key encryption?
NSA: Shhhhh!

The NSA is interested in people using encryption /it/ can break but others cannot. This helps maintain its monopoly on secrets, which is the source of its power (that it may also be useful in protecting American businesses and interests from foreign penetration is a bonus). Therefore it will point you towards stronger tools if it can, so its advice is not totally without merit.

Whether its advice can be discounted totally because any suggestions they make are to direct people towards NSA-compromised ciphers is debatable, but even if this is true, there are still options for users interested in securing their data; use the strong ciphers that the NSA specifically is not mentioning. If there are two encryption methods known to be equally strong and the NSA is pointing people towards one, use the other. Unless they're on to us and it's all an elaborate double-cross designed to trick us in that direction. Then we're doomed.

But ultimately, the lesson to take from the revelations of the last few months is that if the NSA wants in, they are getting in. It might be through broken keys, compromised providers, massive super-computer complexes brute-forcing the cipher, or even the $5 wrench, but they are getting that information. There will be no simple technical solution that delivers us from this problem; it will require a systemic change - through legal, economic and behavioral - to mitigate these vulnerabilities.

Re:Locks? (4, Interesting)

Teancum (67324) | about 7 months ago | (#44783253)

The NSA is interested in people using encryption /it/ can break but others cannot. This helps maintain its monopoly on secrets, which is the source of its power (that it may also be useful in protecting American businesses and interests from foreign penetration is a bonus). Therefore it will point you towards stronger tools if it can, so its advice is not totally without merit.

The kinds of people that publish non-classified papers about encryption by the NSA also know damn well that there are other very smart people around the world who do not work for the NSA, the U.S. federal government, or even give a damn about America.

Seriously, where do you come up with this crap?

Yes, if you see something published by the NSA, perhaps take it with a grain of salt and do your own kind of analysis. Learn a bit about mathematics first and understand not just that they have pontificated about some sort of algorithm but understand why they came to those conclusions. If not yourself, then at least find somebody who you can trust.

There are secure encryption methods that are being used, and there is a good reason why the NSA wants to be assisting with the larger cryptographic community in developing secure forms of communication. Don't get into this kind of conspiracy theory bullshit and claim that they have some kind of mystical powers that simply don't exist. The NSA doesn't have any sort of monopoly over the concept, and of course neither did the Germans with the Enigma machine. In fact, it would have helped the Germans in World War II to have at least discussed their design with a few mathematicians prior to spending so much effort building the device rather than being so damn clever that some of the design ideas actually backfired and made it easier to crack that encryption method.... not that the guys at Bletchley Park complained if German engineers made their job easier.

NSA agents aren't gods. They are good at what they do because they are professionals who do encryption on a full time basis and have received advanced training in mathematics. It is sufficient training that some of those people could teach mathematics as a professor at almost any university in the world, yet they choose to use their efforts to understand encryption in regards to the country they serve. That doesn't make them sinister, just patriots... patriots that know there are people just like them in other countries around the world.

Besides, all encryption, from any point in history, has always been an issue of how much effort must be applied in order to break the code, not the question as to if the message can be read at all. If you need the services of a server farm covering a hundred acres working for a month in order to crack a message, you've done your job. The NSA isn't going to be applying that kind of brute force decryption effort on love letters between you and your girlfriend.

Re: Locks? (0)

Anonymous Coward | about 7 months ago | (#44783333)

The guys at Bletchley Park were spying on the undisputed enemy that declared war on us. The NSA is spying on law abiding citizens. The guys (and girls) at Bletchley Park were patriots, the NSA are criminals. You sir, are a despot's wet dream and a law abiding citizen's worst nightmare.

Re: Locks? (0)

Anonymous Coward | about 7 months ago | (#44783651)

The guys at Bletchley Park were spying on the undisputed enemy that declared war on us. The NSA is spying on law abiding citizens.

How can you tell the difference with any sort of absolutism? You're like those guys that want to volunteer to be human shields in Syria. If some amateur radio operator was sending a message in code in the UK during WWII, they would have their code broken too.

The methods were always this way, just the internet made it so easy now to network things that everyone's playing in the same playground, and you're mad that the big kids are using your toys.

Re:Locks? (1)

Anonymous Coward | about 7 months ago | (#44783471)

That doesn't make them sinister, just patriots... patriots that know there are people just like them in other countries around the world.

Did you just call people who help violate the constitution... patriots? No, they are absolute scum for working for such an organization.

Re: Locks? (0)

Anonymous Coward | about 7 months ago | (#44783509)

Why not split the difference? Encrypt it once with elliptical key then again (with a separate pass code) with non elliptical key. At worst you've taken a needless extra step that increases your security.

Re:Locks? (0)

Anonymous Coward | about 7 months ago | (#44783773)

If you look elsewhere http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance [theguardian.com], he is saying that there are some constants that he doesn't trust. Perhaps the method is sound, and you should just use a different variation of it. Elliptic curve cryptography is often batted about as a method that does not have an easy solution with a quantum computer... perhaps there are governments out there that have developed quantum computers finally.

Frankly, ROT13 probably would confuse the heck out of most people, if you just put it somewhere you weren't expecting it.

Re:Locks? (1)

AHuxley (892839) | about 7 months ago | (#44783213)

The problem was "shifting to something else" was usually a US gov backed standard that 'everybody' in the public and private sector in the US liked and the NSA passed...
The world was paying attention, to what they thought was export grade quality cryptography - protected by law/bad press if faulty and the makers stock price and a lot of other legal/coding hopes.
The US did not seem to be "dogfooding" its own networked military applications, just always drawing bulk data inwards to very secure sites for further work.

Re:Locks? (1)

Tom (822) | about 7 months ago | (#44782995)

You can use encryption. That's pretty common for botnet malware; their owners have the same issue, they want your computer, but they don't want to open it to the competition. In fact, some of them will even patch the vulnerability that allowed them access, so others can't take over the machine.

Re:Locks? (1)

d33tah (2722297) | about 7 months ago | (#44783001)

If the NSA can get through a Backdoor, how do you know if a competitor or enemy is not getting in through the same backdoor?

Authentication comes to my mind. If the backdoor only works if you supply some credentials, or the command is signed by some kind of asymmetric key... Well, I guess that could work as some sort of "protection".

Re:Locks? (4, Interesting)

Anonymous Coward | about 7 months ago | (#44783083)

You can also use the same sort of mathematics that makes DH, ECDH, RSA and ECDSA possible to design secure-looking moduli or curves (in the case of ECDH and ECDSA) that are secure as long as you don't know the parameters used to generate the curve. It's basically DSA/DH but with three factors instead of the usual two.

Both parties know the curve (it's a published standard), and one party (the guy with the private key) has both factors of the configuration parameter, the other party knows only the composite of the two secret factors (the public key). Now the exchanged nonce can be obtained by either the party with the private key or the party with the curve factors (the NSA).

It is speculated that some published curves for ECDSA have been designed in such a way that some aspect of their generation that is only known to the NSA allows elliptic curve solutions to be rapidly reduced. It is at least well known by cryptographers that certain curves are insecure in any usage, and that other curves might be designed to be trivially reduced only with some knowledge of the parameters used to generate them. What is not known is whether designing curves in such a manner doesn't also make them weak to other yet-to-be-discovered reduction methods.

Interesting tidbit: there is no theory of security* for either ECDSA, RSA or DH; faith in all of these public key cryptographies rests solely on the lack of a theory of insecurity for them and the belief that if it were easy to create a theory of insecurity, someone would have published one by now (and some partial reductions of RSA have been published, prompting the necessity of using larger RSA keys than previously thought necessary).

* For commonly used symmetric block ciphers, theories of security exist, that is there is good mathematical reason to believe they are secure and not merely presumption.

Re:Locks? (1)

misexistentialist (1537887) | about 7 months ago | (#44783187)

I don't think they really care who has our data. Government officials and corporate executives use alternate channels to communicate. And different companies and governments have more in common with each other than with the general population, so cooperative surveillance of consumers and civilians is probably beneficial.

Re:Locks? (2)

Pav (4298) | about 7 months ago | (#44783349)

This raises another important issue: powerful, well-resourced adversaries. Security professionals often don't seriously consider trying to guard against them, or even that it's worth trying... which is why we're so pathetic regarding the NSA threat.

There are many powerful adversaries out there - national intelligence agencies of all stripes, powerful private intelligence agencies (e.g. the mercenary company Blackwater is getting into this), organised crime, media organisations, even coalitions/alliances of these etc... Ignoring well-resourced threats as too hard is frankly defeatist and a mistake.

These actors are even facing the same threats from each other, so could even be our allies on the defense side, and some already are, e.g. cooperating with the open source community on Tor for instance. Perhaps we on the defence side should think in terms of a cartoonish uber-resourced adversary, e.g. Chaos (from the old TV show "Get Smart"), to de-politicise development of these tools, i.e. no stated real-world adversary (e.g. China, the NSA etc...). We want all security experts to be able to cooperate developing these important tools without appearing to be working against their own organisations.

100 points for effort (5, Insightful)

Anonymous Coward | about 7 months ago | (#44782895)

but if you're worrying about the reputation of US companies, you're too late.

Re:100 points for effort (5, Insightful)

Anonymous Coward | about 7 months ago | (#44783003)

Yesterday's news marks the very first day for what will become a very bad time for American closed source security products. It would almost have been better for them if Snowden had been able to leak the actually collaborating and subverted companies' names rather than just the generalization "all major ones" - because as it stands now, big or small, they are all equally guilty and will suffer the democratic process of their customers voting with their feet/wallets, abandoning their backdoored closed source products. They all gave guarantees of being secure before and the PR departments are working overtime to try and maintain the illusion, but it is a hopeless battle now... trust once lost is very hard to recuperate.

but if you're worrying about the reputation of US companies, you're too late.

Especially when there is an army of politicians - all ONE of them AFAIK - calling this out.

Re:100 points for effort (1)

AHuxley (892839) | about 7 months ago | (#44783037)

Yes you see the news like : http://in.news.yahoo.com/google-beefs-user-data-encryption-amidst-nsa-snoop-043521614.html [yahoo.com]
The backhaul to the data centers will be more encrypted... read on for the hint ...."no effect on legal requirements for any tech company to furnish data when demanded"
I wonder what the spying output will be like from the backdoored closed source products over the years? A lot of attempts at misinformation, past time/joke/junk use and drop in actionable gossip.

Re:100 points for effort (1)

Art Challenor (2621733) | about 7 months ago | (#44783655)

The only problem with that theory is that there are no more trusted sources for the products. Where are you going to get the switches, telco equipment, databases? India, China? Even if you look at the EU where some hope of sanity exists, many companies are multi-nationals so your only hope would be to buy the product through a European subsidiary and then export it to the US - good luck with that.

On the software side there may be open source alternatives, but for industrial strength infrastructure hardware there's nowhere to go. Even items like Android handsets have closed source "radio" software.

Re:100 points for effort (0)

Anonymous Coward | about 7 months ago | (#44783761)

That just means there's a business opportunity, and that it's just the beginning of a long decline for US companies, as competing products appear on the market. I sincerely doubt that the reputation can be recovered. It's an eviction from paradise.

Re:100 points for effort (0)

Anonymous Coward | about 7 months ago | (#44783219)

Use existing laws to go after the companies.
If there was agreements with the government, it will be exposed.
NSA went beyond their mandate and mission. Companies will need legislation to protect them, or government help to fight the charges.

Look at the wallstreet problem. Who got prosecuted?
gonna happen again.

Who is gonna step up and prosecute?
Any lawyers out there?
Awesome class action everyone vs the NSA

Grandstanding (-1)

Anonymous Coward | about 7 months ago | (#44782897)

The Constitution of the United States (highest law of the land) didn't stop the NSA. What makes anybody think some duck-lipped douchebag making some piss-ass law will?

NJ needs to focus on unravelling their absolutely draconian violations of civil rights represented by their anti-gun laws. They might actually be able to change that, and those firearms will be necessary to unravel what the federal government has done eventually as they will not back down.

Re:Grandstanding (1)

dmbasso (1052166) | about 7 months ago | (#44782909)

Good luck putting your rifle against a drone.

Re:Grandstanding (0)

Anonymous Coward | about 7 months ago | (#44782969)

Good luck putting your rifle against a drone.

Put it against the head of the drone operator. Far more effective.

Re:Grandstanding (0)

Anonymous Coward | about 7 months ago | (#44783025)

Good luck putting your rifle against a drone.

Put it against the head of the drone operator. Far more effective.

The end boss is so weak he'll never let you come close to him.

Net Loss (2)

m2pc (546641) | about 7 months ago | (#44782921)

The fact (if it can ever be concretely proven as such) that the NSA has influenced the encryption algorithms to make them less secure has completely undermined the fundamental trust that was intentionally put in place to allow secure online transactions to occur. Without this trust, much of the value of the Internet is lost. SSL is based on a specific chain of trust from the browser all the way to the Certifying Authority and the entities that allow them to act as such. If this chain is indeed broken as is suspected, then there is a major problem that needs to be fixed.

THHGTTG : doors, opening of (0)

Anonymous Coward | about 7 months ago | (#44782927)

The problem with a door is that it has no idea who's passing through it.

Not unless it's the Hitchhiker's Guide to the Galaxy, in which case the door will be very happy to have opened for you :-)

insecurity by design - everyone wants in (0)

Anonymous Coward | about 7 months ago | (#44782937)

Oh and also - you can be damn sure every hostile agent in the world is trying to find out about backdoors in equipment. Espionage, bribery, hacking into design documents, you name it.

A backdoor is insecurity by design.

Getting security right NORMALLY is incredibly hard.

If you've put a *DELIBERATE* backdoor in, forget it. It will be subverted.

Any kit with a backdoor - from whatever source, State sponsored or otherwise - is basically an open door.

Re:insecurity by design - everyone wants in (1)

AHuxley (892839) | about 7 months ago | (#44783079)

Like the Russians who got some early insight into http://en.wikipedia.org/wiki/Operation_Gold [wikipedia.org] (1950s to tap into landline communication of the Soviet Army headquarters in Berlin).
Everything may seem normal, but the historic hints about backdoors in equipment are not new. I wonder how many govs over the years played the "insecurity" side by pushing junk info back out and waiting to see a hint of it in the US press?

Dumbing down (0)

Anonymous Coward | about 7 months ago | (#44782981)

...encryption, the electronic scrambling that protects e-mail, online transactions and other communications.

Oh riiiight. So that's what encryption is!

Only correct in the most technical of senses (0)

Anonymous Coward | about 7 months ago | (#44782989)

“Anything that yesterday’s disclosures add to the ongoing public debate,” it continued, “is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”

Stories of the sheriff's excesses and abuses were ALSO a roadmap given to Robin Hood about how he keeps Nottingham safe, as well.
That doesn't make it any less patriotic or correct to hand it over.

Already illegal? (1)

Shavano (2541114) | about 7 months ago | (#44783043)

Isn't it already illegal under USC Title 18, Section 1030 subsections (a)(2)(A) and (C), (a)(6)(A)?

To answer my own question, it most certainly would except for this little gem:
USC Title 18, 1030(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

See they're "lawfully authorized" or so they claim. I would argue that planting back doors in commonly used encryption is fraud and isn't lawfully authorized, but hey, it's the government and who's going to prosecute them? The authority to do so under the law rests with the Secret Service and the Federal Bureau of Investigation and they're as complicit as anybody could possibly be.

The proposed legislation doesn't go far enough. It needs to not only prohibit them from backdooring, undermining, lying to the public about the security of or acting as a man in the middle with regard to encrypted communications and declassify and disclose to the public all such past actions.

It needs to make explicit in law the conditions under which any agency of the government may intercept, record or attempt to decrypt foreign or domestic communications and those conditions need to be very limited in scope: communications of individuals specifically named or otherwise individually identified as having been or suspected of being involved in crimes or conspiracies to violate US law, agents of foreign governments or criminal organizations (including terrorists) and their known or suspected associates and communication devices operated by the same. It should be specifically forbidden to scoop up general communications, with the intent of combing through it later to find bad guys and there should be a time limit on how long communications can be stored at all unless those specific communications are identified to a court as pursuant to a specifically identified investigation.

Unfortunately, we're stuck with a problem of who's watching the watchers unless we want to modify the Constitution to allow State governments to go after Federal officials for issues like this.

Three-fourths of state legislatures (1)

tepples (727027) | about 7 months ago | (#44783167)

Unfortunately, we're stuck with a problem of who's watching the watchers unless we want to modify the Constitution to allow State governments to go after Federal officials for issues like this.

I think you hit upon how it'd happen: "modify the Constitution". Three-fourths of state legislatures can go after the feds. They can call a convention, propose an amendment, and ratify it.

Re:Three-fourths of state legislatures (1)

AHuxley (892839) | about 7 months ago | (#44783261)

A new Church report with internal whistleblowing protections? Public hearings with outside experts? Iran Contra like?
The big brands/contractors and the sub committees trying to correct or shape the public record.
Nobody would be prosecuted but the mystique would fall and be replaced by the best telco/crypto/CS "quote of the day".
The endless fun we could have with the resident sockpuppets on slashdot too :)

Already not allowed by the constitution (1)

Anonymous Coward | about 7 months ago | (#44783071)

The treason of most of the US fed gov is beyond belief. Hell, Putin - even with his anti-gay bias - looks like he'd be far less the jackass for a US president than Obama.

This is a stupid idea. (3, Informative)

tlambert (566799) | about 7 months ago | (#44783093)

This is a stupid idea. The 1976 consultation between the NSA and IBM over DES resulted in a stronger DES. The NSA couldn't disclose what it knew about how to easily attack the DES as it was originally proposed, and it took about 8 years for an academic researcher to understand why the original algorithm was actually weaker than the one with the proposed NSA modifications.

They are doing some rather asshole things at the moment (at the behest of the Federal Government - "We were just following orders"), but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S. Military.

Re:This is a stupid idea. (1)

Nemyst (1383049) | about 7 months ago | (#44783205)

Why is it a stupid idea? The NSA is good at crypto, yes, that's quite obvious, but this doesn't lessen the damage they're doing to US corporations. As it is, if you have any kind of sensitive information as a foreign person or corporation, you're basically obligated not to deal with US companies if you don't want your data snooped or worse. It's going to dramatically hamper US companies' ability to deal with foreign nations.

If congress passes laws specifically targeting that behavior, then it can be stopped.

Re:This is a stupid idea. (0)

Anonymous Coward | about 7 months ago | (#44783297)

Why is it a stupid idea? The NSA is good at crypto, yes, that's quite obvious

I figure the questions of NSA stories and what to do about them are a bit above my paygrade, and there is little that I can (or choose to?) do about it at the moment. So my only comment is this -- glad my passport is from the winning team.

I'm also a Mariners fan, but some days I think it'd be easier to be a Yankees fan, even with the stories of steroids and the fact that they can throw more money at the problem than anyone else, I'm sure it must feel good to be winning all the time. Wait, are we still talking about baseball?

Re:This is a stupid idea. (5, Interesting)

Jah-Wren Ryel (80510) | about 7 months ago | (#44783217)

but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S. Military.

So the NSA did not screw with Dual_EC_DRBG [wired.com] in the NIST standard? Or is it just that any hardware which implements Dual_EC_DRBG is going to be rejected without explanation when it is submitted for FIPS 140 [wikipedia.org] certification?

Re:This is a stupid idea. (1)

SuricouRaven (1897204) | about 7 months ago | (#44783245)

The concern isn't with them introducing weaknesses into the mathematical descriptions, but implementations. It's possible for an expert to find a deliberate weakness in an algorithm - it's much harder when the weakness is buried deep in the silicon somewhere, or a few bytes of machine code in an obfuscated binary. It's not only possible but likely that they have pressured some US software and hardware vendors to introduce such weaknesses. It wouldn't be that hard to, for example, sneak a deliberately weak RNG into a VPN appliance or web browser.

Re:This is a stupid idea. (0)

Anonymous Coward | about 7 months ago | (#44783325)

Once such encryption is defeated and the message (or whatever) decoded, how is it then archived?
The NSA is creating this enormous archive of everything, so we can assume it'll be a large database. What database security has proven to be unbreachable?

Might as well just unencrypt everything and post it on your social networking pages, including corporate intellectual property, acquisition and merger insider information, everything.
The NSA system administrators, such as Snowden, don't even have to log what records they peruse.

Re:This is a stupid idea. (1)

swillden (191260) | about 7 months ago | (#44783299)

The 1976 consultation between the NSA and IBM over DES resulted in a stronger DES.

Yes and no.

They did fix the S boxes to make the algorithm resistant to differential cryptanalysis, but the original Lucifer cipher had 128-bit keys and a 128-bit block size. The NSA reduced the key size to 56 bits and the block size to 64 bits.

Re:This is a stupid idea. (1)

Dr. Blue (63477) | about 7 months ago | (#44783517)

That's only partially true. NSA provided two changes to the original IBM Lucifer cipher: different S-Boxes (which made it more secure), and shorter keys (which made it less secure). The evidence is that they strengthened it enough to keep it just out of reach of everyone else who might attack it, while keeping it vulnerable enough for them. All the evidence shows that they're probably doing the same thing right now by putting in backdoors that only they can exploit (and there are some subtle ways to do this). Or at least that they THINK only they can exploit - and that's the biggest danger, no matter how smart the folks at NSA are.

Re:This is a stupid idea. (1)

swillden (191260) | about 7 months ago | (#44783539)

They are doing some rather asshole things at the moment (at the behest of the Federal Government - "We were just following orders"), but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S. Military.

Perhaps. I wonder, though, if the NSA hasn't suffered a little "mission shift". Theoretically, their mission is twofold: To spy on the signals of the rest of the world, and to ensure the security of US signals. In the past, that latter part also included securing not just government communications, but civilian communications which were relevant to national security. I once worked on a purely private-sector project which had NSA oversight because it was considered critical to the well-being of the US financial infrastructure, for example.

But.. the recent revelations make me think that the second half of the mission has been de-prioritized. Not disregarded, but it sounds like the NSA is no longer much concerned with private sector security, no matter how crucial, and it might even be that they're willing to make minor compromises where government signals security is involved, as long as they can convince themselves that it's still secure enough against others.

Given the nature of large organizations, it wouldn't surprise me at all if the pieces of the mission were allocated to separate sub-organizations, and if, further, the sub-organization focused on spying has grown far larger and more powerful than the one focused on signals security. The organization focused on signals security would find itself in the place that successful security teams always do, with very little to show for their efforts. If your security is good enough that opponents are unable to dent it, it's hard to muster high-level support for throwing more resources at security. Meanwhile, I can see how a series of expensive but spectacular successes by the spying side of the house could lead to rapid growth in resources, staffing and internal political power, to the point that the organization as a whole became dominated by its spying mission.

This is all speculation, of course, but it fits Snowden's claims.

This would work as well as the war on drugs (1)

schwit1 (797399) | about 7 months ago | (#44783115)

And keeping guns out of the hands of criminals
And keeping the borders secure

Re:This would work as well as the war on drugs (1)

Anonymous Coward | about 7 months ago | (#44783315)

And keeping the borders secure

Did the US get invaded by a foreign military and nobody told me?

Oh, no? It's just the same cultural war that's been going on with every generation everywhere? Then who gives a damn.

Try to be enlightened once in a while. Or just go have a beer.

just nsa? (0)

Anonymous Coward | about 7 months ago | (#44783175)

nice effort.... now what about the rest of the three letter thugs?

the real problem (1)

spirit_fingers (777604) | about 7 months ago | (#44783211)

When bad guys use encryption to conceal their activities, we need to be able to decrypt it. Crippling the NSA is not the answer. The real problem is oversight. FISA is little more than a rubber stamp for whatever the intelligence services want to do. We need stronger oversight to protect the privacy of law-abiding citizens, not a weaker ability to catch bad guys.

Re:the real problem (0)

Anonymous Coward | about 7 months ago | (#44783323)

You know what, new rule:

If you have to use the phrase "bad guys" in your argument, you lose.

I mean, what is this, grade school?

Re:the real problem (0)

Anonymous Coward | about 7 months ago | (#44783503)

Are you actually retarded?

1) Name one "bad guy" brought to justice. I'll give you a hint: justice involves a public trial, not indefinite detention without charge, torture, or revenge murder.
2) Any "oversight" would still be secret and thus useless.
3) The NSA is actively violating our constitutional rights and undermining our national security. That is not acceptable under *any* circumstances.

Re:the real problem (1)

cyber-vandal (148830) | about 7 months ago | (#44783521)

Not invading countries full of religious psychos would probably go a long way to not requiring the NSA in the first place.

Re: the real problem (2)

spirit_fingers (777604) | about 7 months ago | (#44783613)

Religious psychos don't need an invasion to provoke them. They kill people simply for disagreeing with them.

Re: the real problem (1)

Arker (91948) | about 7 months ago | (#44783731)

True enough. But on their own they are weak and marginalized and little threat.

When they do manage to provoke an invasion, that strengthens their hand immensely. The death and destruction and poverty inflicted gives them a generation of recruits and donors they would not otherwise have. And now we have jihadi armies, from Libya to Syria and on over to Afghanistan, created by US foreign policy and interventions.

Re:the real problem (2)

AlphaWoIf_HK (3042365) | about 7 months ago | (#44783569)

When bad guys use encryption to conceal their activities, we need to be able to decrypt it.

The people in the NSA (and the government in general) are the "bad guys." Anyway, why are you so worried about a nonexistent threat? The government is more of a threat to you (as in, your individual liberties, and if you're one of the few who make them angry, your well-being) than these fabled "bad guys" who use encryption.

Crippling the NSA is not the answer.

Yes, it is; they're human garbage.

The real problem is oversight. FISA is little more than a rubber stamp for whatever the intelligence services want to do.

That's only part of the problem. You'll never have effective oversight unless the public can always see what they're doing, and even then, the public might just accept the injustices. Furthermore, even if we did have "effective oversight," we'd just have another TSA on our hands; in other words, an organization that quite openly violates people's individual liberties.

We need stronger oversight to protect the privacy of law abiding citizens, not a weaker ability to catch bad guys.

What do you suggest we do to catch these "bad guys"? Intentionally weaken all encryption? After all, if we advocate the use of strong encryption, these fabled "bad guys," who apparently aren't using it already, might use it, too!

The notion that I must weaken my own security and put up with blatant government overreach (and putting backdoors in encryption software is overreach) all to stop some "bad guys" is something I find disgusting.

In tonight's news... (0)

pablo_max (626328) | about 7 months ago | (#44783227)

A New Jersey congressman was killed late last night after his car veered off the road. Inspectors at the scene have said that the congressman had most likely fallen asleep and that no foul play was suspected.

Too Late (0)

fast turtle (1118037) | about 7 months ago | (#44783417)

seeing as how the entire Certificate Authority system is already compromised by its structure. Each and every key is a subkey of the Root CA master key. The question then becomes, who has a copy of that master key besides the Root CA?

Web of Trust - completely broken as it does not exist. PGP/GPG and Self Signed/Generated keys are the only solutions currently and for self-signed keys, a site needs to place their Public Key on the front page of their site so it can be downloaded.

Remember the DigiNotar Incident? A Certificate Authority that had been compromised? I gave up trusting all Certificates at that time and although it's a PITA at times to add the needed exceptions, I've found that I only have a few more than a dozen certs I have exceptions for. That's on the entire web. Now if we could simply convince Mozilla to move to an Untrusted Model instead. Yes it'll piss people off suddenly getting warnings about certificates, but then it may at least get them thinking about the mess that the x509 certs have become.

Exclusions to this. Loopholes. Ways out. (0)

Anonymous Coward | about 7 months ago | (#44783597)

The problem with legislating this is that they could easily sneak in a paragraph or subsection either now or in the future that would actually allow the NSA to engage in such activity legally. It also might mean that whilst the NSA cannot do it, what about the DEA or CIA or FBI or NIO? And what if it was done not by the NSA but by the GCHQ acting on behalf of the NSA?

The only way to achieve this would be to make it illegal for any American to knowingly do it or assist (in any way) any other person in doing it.
