Sunday, July 12, 2015

Going Dark

Two scary stories made the GMA headlines Thursday morning. The first breaking news was about the coincidental glitches yesterday (knocking down WSJ, halting NYSE, and grounding Continental/United). People, it really could be just a coincidence. (More on that later.) The second nail biter concerned FBI director James Comey's warning: crypto cripples canvassing. I often wonder why I take my cues from ABC, and you would be reasonable to ask "why?". But this was a real story; here's why.

It's called "going dark" when two parties (good or bad) utilize end-to-end encryption. Director Comey wants a way around it for cases where one of the parties deserves surveillance. A lot of people in my world are doing a facepalm. This is old news. It's the same thing we've heard from the gubmint before. Computer security professionals call it "exceptional access" where a police agency (anyone really) can bypass encryption, somewhat like a traditional wiretap.

When Crypto is Outlawed

It's cliche, but you get the idea. When encryption is outlawed, only outlaws will have encryption. This debate is not new. Techies have been fighting in support of cryptography for decades. If you're not a computer geek, you probably did not know. (If you're not a computer geek, you probably don't *want* to know.)

Today's chilling warning is frustrating: I kind of like Director Comey, but his testimony before Congress appears to be without proof.

"Comey didn't offer any evidence regarding FBI investigations thwarted by strong encryption technology. Still, he said, he felt like researchers and tech companies haven't given the government's request a fair shot before dismissing it.  ..."
-- Yahoo news 

I'd like to introduce Mr. Comey to Lynn Wheeler, Bruce Schneier, Jacob Appelbaum, ... and other computer experts. Yes, James, they have given the government's request a lot of thought, and "dismissed" is the wrong word to describe their response. (I know Wheeler personally. Schneier and Appelbaum have high profile reputations in the crypto world, as do Diffie, Rivest, and other contributors to the MIT paper. These people are the best and brightest on this topic.)

When Guns are Outlawed

There's a similar debate about gun control. I have many friends and family who are in the "right to carry" camp. Guns are dangerous, but lots of things are dangerous. My pro-carry peeps get it that the bad guys will have guns. It's better to arm (and train!) the good guys.

Substitute "cryptography" for "guns", or substitute "privacy" there. When guns/crypto/privacy is outlawed, only outlaws will have guns/crypto/privacy. The same argument applies (and has yet to be countered) that the bad guys will still have and use guns and crypto even after the law-abiding public are disarmed.

The difference (for purpose of analogy) between guns and encryption is that guns are physical and cryptography is mathematics. Any back-door means of bypassing crypto is like an invisible hand on (radio control of) the safety on your Glock. Doesn't matter if the manufacturer swears they'll only ever give that control to legit law enforcement, the mechanism itself is a detriment. Experience has proven time and again that exceptional access leads to unthinkable flaws in the resulting products.

Breaking and Entering

The matter is very personal! I may be damaging my professional reputation by revealing this: I've been hit. It happened a long time ago, and I've learned a lot since then. Someone broke into one of my computers. Was I surprised, scared? Heck yeah! So I did some forensics and I'm confident about the extent of the breach and have worked hard to keep things secure going forward.

Do I want strong encryption? You betcha!!

But a back door? No way! The front door is enough trouble to guard, thank you.

The FBI wants back doors in the apps and systems (phones). By analogy, these apps and smart phones are akin to a house with cheap siding, too many windows, and no Tyvek. They don't even need the barrel of a tank turret to pierce the wall, just kick it. In other words, the infrastructure surrounding two end-to-end encrypted devices is fully exposed and easily watched.

Good Morning America

It was a GMA headline that jolted me awake. (Coffee had not kicked in yet.) Whether ABC, CBS, NBC, Fox, CNN, ... attention grabbing headlines sell. There's no way "you" are going to get the straight scoop about crypto tech from a major news outlet. It's not in their best interest to give you the full fair-and-balanced story. (Not even Fox, much as they tout that slogan.) If you want to really understand, you may have to do some journalistic gymnastics of your own.

Balanced against the consumerism of ABC is an article on Huffington Post. Not my favorite rag by a long shot (and the author supports "IP enforcement" raising an eyebrow), but truth is truth and Ms Espinel got this one right: back doors weaken defenses.

Good Grief America!

Being a software guy, with decades of experience in encryption, I knew the GMA story told only the most seductive fraction. Director Comey would do better to mute some of the conversation he wants to start. It's not in our best interest to be arguing details in the news media where terrorists can watch.

The fact is, even when a bad guy scrambles the message, he still leaves tracks. Maybe my homey Comey should pal-up with the NSA. Whether they can un-scramble the eggs or not, they're the first people he should ask how-to. The exposed infrastructure (mentioned above) is leaking info all over the place. Google knows it. Apple knows it. The NSA and CIA know it. Chances are the FBI knows it too.

Everyone (not just FBI): quit looking for short-cuts.
Going dark does not make the parties invisible, just opaque. 
Arm the law-abiding majority, including the cops, and get busy with actual police work to stop the criminals.

-- R; <><