Report: U.S. Gov't Revises Stance On 'Golden Key' Approach To Encryption

[Lucian Armasu]

A Washington Post report said that the government has been considering four new "front door" solutions to get user data: hacking users through the companies' automatic update systems, using backdoor ports in devices, forced backups and split keys.

Report: U.S. Gov't Revises Stance On 'Golden Key' Approach To Encryption : Read more

 

[thor220]

It would be funny if they did do Hijacked updates. Would make windows 10 all the more unpopular.

 

[Math Geek]

the "bad guys" the government wants to monitor is already smarter than these types of back doors would help them track. a simple encrypted message emailed is transferred to a thumb drive, then opened and read on a machine that is unconnected to the web in any way. the response is typed and encrypted on this machine as well, then transferred back to the first machine to be sent in an email. at no time is this data unencrypted and available for it to be uploaded to the web by whoever is trying to get it.

this has been employed for a very long time by the "bad guys" since the backdoors have been in place for a very long time. think about the Bin Laden raid and all the juicy bits they got from the pc's they got there. all this was new info since it was kept off the grid by simply not connecting them to the web to be hacked and read by the governments who wanted to read it. everything was sent encrypted and only opened off the grid.

the backdoors will only allow the gov to spy on citizens who really are not a threat. i spent a number of years working in the intelligence field and can say for sure that this method has been in use since before 9/11 and after. there is no reason to think that they will all of a sudden stop doing this now ESPECIALLY if the exploit is publicly known and acknowledged. the gov already intercepts all web traffic just about world wide and can't read this encrypted data. they are hoping this backdoor will allow them to catch the data before it is encrypted and vulnerable.

the "bad guys" are just smarter than this and it won't have any effect.

 

[Onus]

In the US, this would be a clear violation of the 4th Amendment, which requires a warrant (supported by sworn affidavit) before a search (which must be specific) can be conducted.
For those outside the US, this is the amendment that recognizes the right of the people to be secure in their persons, papers, and effects against unreasonable search and seizure. IMHO, it is important to note that neither this amendment, nor any other, grants any rights, they recognize inherent, pre-existing rights that it was our government's chartered purpose to secure. If you're laughing, you probably should be crying.

 

[skit75]

Front door, back door or my window..... Get a warrant, even if the door or window is open. The chilling effect of some of these ideas grossly outweighs any perceived benefit.

 

[Math Geek]

In the US, this would be a clear violation of the 4th Amendment, which requires a warrant (supported by sworn affidavit) before a search (which must be specific) can be conducted.
For those outside the US, this is the amendment that recognizes the right of the people to be secure in their persons, papers, and effects against unreasonable search and seizure. IMHO, it is important to note that neither this amendment, nor any other, grants any rights, they recognize inherent, pre-existing rights that it was our government's chartered purpose to secure. If you're laughing, you probably should be crying.

the 4th amendment has already gone out the window with the mass info grab they have been doing and the SCOTUS has upheld the gathering. this would actually require multiple agencies to agree and put their keys together to get at a person's data. arguably less intrusive since the exploit has to be specifically activated to be used rather than the mass data the collect now "in case they need it".

i don't like either one myself but do understand what they are trying to do. i can say that in my years working in the field in an active war zone i never once used the mass collected data for anything useful. we got all we needed from specifically targeting a person's devices and/or pc's for data. we could tap a cell phone or other device of the person we wanted to monitor. this is why they quickly went back to staying off the grid and literally passing hand written notes to pass along data before they figured out encrypted data was the way to go so long as it was read off grid.

this literally will have no effect on day to day for the true enemies who have already been pretty smart in their info security than we want to give them credit for.

 

[dgingeri]

I say we get a full on class action lawsuit going to sue the government and force the law to make it illegal to even ASK for such things.

 

[Math Geek]

I say we get a full on class action lawsuit going to sue the government and force the law to make it illegal to even ASK for such things.

the SCOTUS has already upheld the data collecting multiple times now. we have already lost the case and can only take steps to protect yourself as you go. keep important data offline and only connect to send the data encrypted is the only way to go. if it is connected it WILL BE READ, is pretty much the moral of the story from here on out,.

 

[xenogen]

I can verify that the authorities have been targeting our smartphones/flip phones for a long time... I had to go to the SDPD for an errand. I noticed while waiting in the lobby that a virus had entered my phone through bluetooth. It created a small message in the phone, connect to xyz virus with some bug symbol that flashed for a second. At the time Bluetooth was new tech and there had been reports of Bluetooth viruses in the news. I was going to bring it up to the staff but decided not to. This was on a flip phone, blue in color, popular for t-mobile around 2003. I now believe that virus was not from a crook hacker but from the police department itself. Without a doubt. True story. 100%

 

[stuart lynne]

If the government wants weakened security will the government provide liability coverage for malicious use.

The dollar value for data breaches that use these back doors (or Golden Keys) could amount to billions (with a B) of dollars. Will the government be there to pay that out to 1st parties (companies that get breached) or 2nd parties (users whose data got stolen.) Or reimburse for funds lost?

While the government has a wicked problem protecting us from terrorist attacks. They run the risk of imposing far higher burdens on us from the run of the mill criminal use of our data and theft of our funds. If they are going to weaken security they need to say who is going to pay for the increase cost of that use by criminals. And it is a number in the billions of dollars per year range.

 

[Wisecracker]

1) You guys should read and comprehend the piece in the Post; and
2) Lucian Armasu should be flogged.

 

[Math Geek]

yah the author could have been a bit more clear but overall, he's mostly on point of what the gov is considering. they can say they are only brainstorming but based on my experience, by the time anything ever goes public/leaked, it has already been done privately. i have been out of the game for about 10 years now but i know what we were doing before that and most of what i hear now as "brainstorming" sounds VERY familiar to me.

right now, the agencies are trying to figure out how to get around the recent SCOTUS rulings. they have upheld the bulk data collection but have shot down most searches of cell phones without consent. they even decided that if you have a keycode on your phone, then you CANNOT be compelled to give it up to law enforcement. so the nice encrypted cell phone data is yours and yours only so long as it is locked with a passcode!! note that they also ruled that biometric security IS NOT protected and you can be compelled to provide the fingerprints to unlock your phone.

even with a warrant to search the phone you can't be forced to give them your passcode to unlock the phone (5th amendment issue) and the encryption is too good for them to decode themselves. so these discussions they are having is trying to get around the SCOTUS ruling about the passcodes and give them access to the data on the phone without your consent. not sure how the legality of it will hold up but as we know, they like to employ the "better to ask forgiveness than permission" approach to running the agencies.

we had serious issues in the middle east since most people we wanted to monitor used sat phones that were encrypted. we could not listen in despite knowing who was talking to who. and we really really wanted to listen in phones are a lot better now than they were then and the only way we had back then to eavesdrop was to get hands on the phone and clone it or install a new encryption chip programmed so we could listen in. they are hoping to use the data connections to be able to do this without hands on. as i say, i understand the reasons but hate that they are being employed on innocent citizens en mass.

 

[jehanne]

If you are concerned about your privacy, use Tails with Tor, TrueCrypt, and if possible, anonymous Wi-Fi hotspots. But, this is the problem, isn't it? Because, once the TLAs have implemented their front/back door policies, they will be back, this time to outlaw open-source code which contains encryption, and after that, elementary number textbooks that detail encryption algorithms. "Absolute power..."

 

[Math Geek]

tor is not as secure as folks thought it was. law enforcement has been able to hack into the network already and keep tabs on a lot of the stuff going on in the network. you can encrypt the data transfer but as already noted this stuff the gov is looking into is designed to get to the data while on your phone/pc still and vulnerable. they already know they can't decrypt it once it has been locked up and sent.

how does tor keep the data safe while it is still on your pc/phone? we already know from the numerous busts that they can easily monitor the network and know who/where people are on the network.

 

[Darkk]

I've been using TrueCrypt for years and feel that it's very well protected software. Even when the devs mysteriously shut the site down with no real explanation as to why. Theory goes that government might be behind the shut down due to the fact of how well it's encryption works and no possibility of a backdoor (source code available)?

I still have the original files and the source code at various locations if somehow an update makes the program "disappear" from my hard drive. Paranoid? Maybe or maybe not.

 

[jehanne]

tor is not as secure as folks thought it was. law enforcement has been able to hack into the network already and keep tabs on a lot of the stuff going on in the network. you can encrypt the data transfer but as already noted this stuff the gov is looking into is designed to get to the data while on your phone/pc still and vulnerable. they already know they can't decrypt it once it has been locked up and sent.

how does tor keep the data safe while it is still on your pc/phone? we already know from the numerous busts that they can easily monitor the network and know who/where people are on the network

.

There have not been "numerous busts." Of the 100K+ users on the original Silk Road, only a small handful have been "busted." As for the security of Tor, the Snowden documents have revealed that the NSA and other TLAs have been able to unmask only a tiny handful of Tor users, but it is very expensive for them to do so. In addition, many of these users have been "misusing" Tor (by enabling JavaScript and other Flash exploits), so they have certainly had a "hand" in their own demise. So, your comment is hyperbole at best. Using Tails with bridges and anonymous access points and with its full security options (such as disabling JS) can and will lead to a very secure browsing experience, provide that one does not "dox" himself/herself. Question is, "Why would anyone need that type of security?" But, then again, why would anyone need to own a firearm?

 

[Math Geek]

ok fine, let's pretend that tor is all you hope it is and everyone is impotent to spy on the network.

that still does not address anything related to this article. i'll say (yet again) that the article is looking at proposals by the government to not spy on your internet traffic. already been established that they can't look at encrypted data and as you wish to believe, the tor network is impossible to crack.

the proposals are ways to get at your data WHILE STILL ON YOUR PC!!!!! you can keep it encrypted while not using it, send it encrypted and even use the totally fool proof tor to upload it to the web, but eventually, you will want to work with the data in whatever way on your pc. at this point in time, it is now wide open and vulnerable to being spied on. these proposals are for ways to get a "back-door" into your pc so that whenever you do finally open the files, they can at that time be snooped on. again this has nothing to do with surfing the web or anything else related.

so my question is still how does tor or truecrypt or whatever else protect you form what the gov is proposing? they are willing to sit back and wait until you open the files on your pc and attempt to use them. then they will pounce and grab the data through whatever means they finally decide on.

as i said in the first post, the only way to keep it truly safe is to keep it and work with it off the grid. if it is connected to the internet, they will find a way to access it. and plenty of people need this type of security. anything enterprise related or that maintains customer/client data would kind of like to keep this data secure. however it is important for the data to be internet accessible. we already know many companies are directly working with the gov and handing over your data but for the few who chose not to hand it over, it would be nice if the gov could not simply take it anyway. as has already been noted, win 10 seems to log everything you do including simply typing a word document. this creates a rather detailed profile of you and to think that even if they decided not to hand it to the government at will, that the government can't simply plant a back-door and take it.

private citizens may not have as much to worry about but just because you may not be working with ISIS on a daily basis does not mean you don't have the right to expect your basic privacy in your day to day. folks have said it before, " you may not being doing anything wrong, but you still don't want someone sitting outside your window on a stool watching you watch tv snuggled up with your significant other."

 

[jehanne]

Well, that's the point, isn't it? People who are smart, who are using open-source solutions, such as Tails (and, you can mount TrueCrypt volumes in Tails), who access the Tor network via anonymous Wi-Fi and Tor bridges, who purchase their hardware (likely, tablets) anonymously and with cash only, who maintain the physical security of that hardware at all times and places, who wipe every trace of Windows from it, and perhaps, use an open source BIOS, pray, tell, how are TLAs/LE going to nab those people unless they dox themselves? Pretty unlikely; in fact, I do not know of any such case. The only attacks, so far as I know, have been against Windows, and everyone who is concerned about privacy is using Linux.

Point is that the US TLAs/LE will be back, once their "golden solutions" fail, and before you know it, it will be a crime to own a textbook on elementary number theory or even study such a topic. As Philip Zimmermann said, "If privacy is outlawed, only outlaws will have privacy."

Not a World that I care to live in.

 

[anathema_forever]

I think the "Government" needs to take a "Golden Shower" with all of those golden ideas they been having and stay the hell away from us with them.

 

[anathema_forever]

tor is not as secure as folks thought it was. law enforcement has been able to hack into the network already and keep tabs on a lot of the stuff going on in the network. you can encrypt the data transfer but as already noted this stuff the gov is looking into is designed to get to the data while on your phone/pc still and vulnerable. they already know they can't decrypt it once it has been locked up and sent.

how does tor keep the data safe while it is still on your pc/phone? we already know from the numerous busts that they can easily monitor the network and know who/where people are on the network

.



There have not been "numerous busts." Of the 100K+ users on the original Silk Road, only a small handful have been "busted." As for the security of Tor, the Snowden documents have revealed that the NSA and other TLAs have been able to unmask only a tiny handful of Tor users, but it is very expensive for them to do so. In addition, many of these users have been "misusing" Tor (by enabling JavaScript and other Flash exploits), so they have certainly had a "hand" in their own demise. So, your comment is hyperbole at best. Using Tails with bridges and anonymous access points and with its full security options (such as disabling JS) can and will lead to a very secure browsing experience, provide that one does not "dox" himself/herself. Question is, "Why would anyone need that type of security?" But, then again, why would anyone need to own a firearm?

Questions like why would anyone want some privacy are kind of unanswerable because then the information wouldn't be private anymore would it. But questions like why would anyone need a firearm are more easily answered, to shoot the government of course. But I shouldn't openly say that the redacted are probably databasing this right now regardless of the intended purpose of the right to bear arms. So maybe I should have just tried to protect my privacy and pretend guns are for hunting