Key under the doormat is a good analogy.
When the Thompson submachine gun came out it was advertised as giving the advantage to the police because criminals would not be able to get hold of it. Of course the old pray and spray rapidly became the choice of mobsters.
Once the ultra-secret decryption keys to the unhackable software have appeared on the dark net websites, itâs game over for everybody.
The complexity of todayâs Internet environment⌠means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.
Thatâs okay. Criminals would never be able to take advantage of something like that. Neither would the Chinese, or the Russians, or Israel, or IranâŚ
Great. Computer Scientists will be the latest scientists to be attacked by the GOP now. Go stand over there by the climate scientists and the biologists.
Law enforcement agencies tend to be run by bureaucrats and political appointees. Both types feel threatened by experts, and the extreme right has no use for science or experts of any sort. Itâs a match made in heaven.
âYouâll find Prof. Nutt over there with the, erm, refreshmentsâŚâ
I look forward to banking without any digital communications whatsoever!
But thatâs an invulnerable security system, no?
To say nothing of the criminals in law enforcementâŚ
Thank goodness we have a Democrat in the White House then. One who promised to protect our privacy.
Iâm not sure how parallel the situations are, but Iâm reminded of logjam, where deliberately weak export-grade encryption ended up compromising security for a large number of users twenty years after its introduction.
One item that is needed - and there are several ânearly thereâ packages, apps, etc. - is easy to deploy and use, easy to understand, open source, freely available, strong, peer-reviewed provably strong crypto and devices that are open for it (i.e. upon which it can run and act), preferably most or all devices that store our communications and data.
You want my data, you must have my permission to decrypt it.
Sure, criminals will use it. But criminals already use crypto. What about an escrow system or a warrant court system? Well, thatâs working out so well with the FISA Court and its siblings around the globe.
Hereâs a real world example:
Guy who works for me, who Iâll call Mike, calls me just before U.S. Fathersâ Day. Says heâs got to take care of some family business and is headed to the city where his parents live and needs to be there a couple of days. Okay, heâs a great guy with a stellar work ethic and I respect him in every way. So, Iâm concerned that this must be serious. I ask if there is anything he needs. He breaks down. He tells me to be careful and to tell all our company and our families to be carefulâŚ
His father called him late at night to ask for help. He made his son promise not get get mad and not to punish his grandson, Mikeâs son, Jimmy, when this is all over. Mike promises and asks, âOkay, whatâs going on, Dadâ?
Dad says, âIâm just trying to get Jimmy home for Fathersâ Day.â
Mike says, âWhat are you talking about? Jimmy is home, heâs sleeping in his room down the hall.â
Dad mutters and stutters and asks to speak to Jimmy, wonât believe it.
Dad/grandpa and Mom/grandma have been taken for over $1M U.S., their entire retirement savings and the proceeds from a new mortgage on their house which they paid off when Dad retired, by a Mexican Prisoner scam.
The scammers claimed Jimmy was in Mexico partying with friends and was arrested⌠Pay us money and we can get him out and keep this off his record. Jimmy is also in the ROTC and plans a military career like his father and grandfather.
Long story, short sad end: Dad/Grandpaâs cell phone and laptop were compromised through a backdoor in a widely promoted âsecurityâ suite along with all the family, personal and financial detail needed to make the scam seem all too real to this man who retired as a Marine Colonel, then had a long second career as an attorney, tax accountant, prosecutor and finally a financial and investment advisor. Not someone easily fooled.
Strong security and crypto for his data could have helped, if it was easy to use, if it was the default, instead of a difficult to find and use option that, âI donât need if I have nothing to hide.â
Now the retired grandfather is going back to work.
It sounds like some neat urban legend. It ainât. Itâs real people, the real fine details are for gorrier than I can portray here and their story is not unique. Their very real lives in a gigantic mess with wrecked credit, depending on their children, that theyâre fortunate enough to be able to recover from in most ways with some effort and a much altered picture of their âgolden years.â
Aside from all the other social and security issues their story raises, this is a glimpse of one scenario and one dimension of what will happen if crypto is weaponized and regulated in this way.
Wow- really? I did not know that about the Thompson. Cool.
Even more proof that as long as thereâs a way for something to go wrong- it eventually will.
That is extremely sad.
He has a good point- there are plenty of people that donât buy into this bullshit âI have nothing to hideâ arguement, and would use crypto if they knew how.
Case in point- me. I have enough passing knowledge about crypto and what it is, and why itâs needed from reading slashdot and bruce schneier for years, but I donât know anyone that can simply sit down with me, and show me how to use it. And I would if I could, but some things really only get through to me when someone physically shows me how it works.
I donât do anything wrong, Iâm not hiding a secret criminal life, I just donât feel like letting the NSA watch me at will, and leave my data unguarded for people like that to use against me. Crypto is needed, but even using the term âstrong cryptoâ makes it seem to a layman who knows nothing that having it must be like having armour piercing bullets- just the terminology like that I think scares the general public into thinking itâs somehow bad, or something only the government should have.
Hereâs the only arguement anyone who believes the US government needs to hear to get it:
You have a group of people who amassed an enomormous database with the personal data of every government employee for the last 30 or so years- and then, because they didnât care about those peopleâs data, or because they didnât understand encryption, or because they were just technologically inept, they allowed that information to be compromised completely. Something that could have been thwarted by good crypto.
Now those same people are screaming something that would have covered their asses if they knew how to use it is âbadâ and should be fundamentally flawed, so they can get access the same way the people who hacked them did because of nebulous âterroristsâ concerns.
These are the same people who are also spying on your phone calls and internet use. They donât seem to think you have anything to hide, and they were apparently not concerned with protecting the information of the very people that work for them. They fail to understand that if they can get access, anyone can- and that much easier.
Would you feel safe with people like that deciding international security protocols? I sure as hell wouldnât!
Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.
Whatâs all this âgovernanceâ and ârule of lawâ and ârespect human rightsâ business, Poindexter? The whole point of banning strong crypto[1] is to make it easier for ungoverned TLAs to evade the rule of law and ignore those pesky human rights.
[1] and @Joe makes a good point about âstrong cryptoâ. But thereâs an even better one. Strong vs. weak crypto is the wrong framing. Thereâs crypto that works, and crypto that doesnât. What works depends on the context, but deliberately crippling all of it just ensures that all crypto is crypto that doesnât work.
Iâd be in favor of renaming âweak cryptoâ to âobfuscationâ. It can be good enough for a limited range of uses, but real crypto it is not.
That reminds me of those Munitions t-shirts.
Which led me to thoughts of modernizing them using QR-codes, to be machine-readable.
Which led me to writing a generator of DXF files for laser-cutting masks for spray-painting QR-codes, for e.g. making such shirts or spreading links (or small generic blobs of binary or textual data) by stenciling them on surfaces.
Which led me to discovery that some (but not all) QR-code readers get confused by the thin strips of white that are inevitable to separate the pixels to hold the mask together. (And that if the stenciling was not perfect and the pixels got smeared and the lines obscured, it often worked better.)
Which led me to adjusting the code for working with generic pixel art.
The âGrand Experimentâ is over. âGood Bye Americaâ we loved you.
