Congress Seeks Answers on Juniper Networks Breach Amid Encryption Fight (reuters.com)
A group of U.S. lawmakers preparing to fight a legislative attack on encrypted communications is trying to establish what happened when encryption was subverted at a Silicon Valley maker of networking gear. From a report: Democrat Ron Wyden, who sits on the Senate Intelligence Committee, said the 2015 incident at Sunnyvale-based Juniper Networks could shed light on the risks of compromised encryption before an expected hearing on the proposed legislation. The EARN IT Act could penalize companies that offer security that law enforcement can't easily penetrate. "Attorney General (William) Barr is demanding that companies like Facebook weaken their encryption to allow the Department of Justice to monitor users' conversations," Wyden told Reuters. "Congress and the American people must understand the serious national security risks associated with weakening the encryption that protects Americans' personal data, as well as government and corporate systems." In a letter to Juniper Chief Executive Rami Rahim sent late Tuesday, Wyden, Republican Senator Mike Lee of the Judiciary Committee, and the chairmen of the House Judiciary and Homeland Security committees asked what had happened to an investigation Juniper announced after it found "unauthorized code" inside its widely used NetScreen security software in 2015.
What Happened? (Score:4, Insightful)
They swept it under the rug.
Short of meeting any regulatory compliance, there is no benefit for a company to announce to the world that they have been hacked. Bad PR.
Very few companies will keep their own insecurity in the public eye. It's common sense.
What will happen (Score:5, Insightful)
It will take the Chinese 5 minutes to compromise a police department (or the Department of Justice). From there, with the help of Google Translate, they will have the private keys to listen in on Facebook (or whichever app) in 20 minutes.
The NSO Group will have the keys even faster and will be happy to sell them (for a huge profit) to any group unable to steal the keys for themselves.
Giving the police the tools they need to get whatever they want on their own will not end well.
Re:What will happen (Score:4, Insightful)
Pretty much. Compromised encryption is compromised. The backdoor-keys leaking is just a matter of time then. In addition, it will be set up so that those that lose the backdoor-keys are not responsible for the damage that does, so no real motivation to even make sure they are secure.
Hence anybody sane will just use a second layer of encryption that _they_ control. Competent criminals have been doing that for ages anyways.
Re: (Score:2)
Hence anybody sane will just use a second layer of encryption that _they_ control. Competent criminals have been doing that for ages anyways.
And then, after they're no longer "hidden" in the encryption the masses are using, their encrypted data sticks out very visibly. What are you hiding, Citizen? You probably shouldn't be hiding anything, Citizen. I think you're up to no good, Citizen. You have to stop doing that, Citizen. Congress says so. Oh you won't? Now I have a criminal violation and probable cause to rummage through everything. Have a nice day, Citizen. I'm sure that concrete box will be comfortable.
*insert thunderous applause
Re: (Score:2)
Well, that acts as a nice indicator that your data is being looked at. Hence this will _not_ be done unless they cut down individual freedoms enough. At that time, you go down to face-to-face meetings with no electronic devices present. You know, like in any totalitarian system.
Re: (Score:1)
anybody sane will just use a second layer of encryption that _they_ control.
For what it's worth, I agree. Unfortunately, that won't stop those in power from barreling forward. Certainly it will end up biting them in the ass though. Karma comes for all.
Can we as individuals show them the error of their ways? Optimists would say yes. Not all of those in charge are so set in their ways. Give them examples of what this will do. Randomness of data will give way to well-ordered data. Encryption is not the only way to hide a message. Scrutinize this post, for example. Secrets may be fo
Re: (Score:2)
anybody sane will just use a second layer of encryption that _they_ control.
For what it's worth, I agree. Unfortunately, that won't stop those in power from barreling forward. Certainly it will end up biting them in the ass though. Karma comes for all.
Hopefully. It will bite a lot of other people as well, unfortunately.
Can we as individuals show them the error of their ways? Optimists would say yes. Not all of those in charge are so set in their ways. Give them examples of what this will do. Randomness of data will give way to well-ordered data. Encryption is not the only way to hide a message. Scrutinize this post, for example. Secrets may be found.
And there I thought my graphics card was dying ;-)
Re: (Score:1)
China probably already has that ability. It will be smaller countries who will take advantage of weakened back-doors.
Re:What will happen (Score:4, Insightful)
Specifically overseas? I think you underestimate the greed of the average American corporate executive or the spooks in the alphabet soup of US intel agencies. Think of the payout of early insider information on a stock split or buyback, or being able to short Ford on its next recall of a gazillion vehicles. I rather suspect this sort of info is what Barr and his cronies are actually far more interested in acquiring. They don't give a shit about any phantasmagorical terrier attack, since they won't be affected in any measurable way.
Re: (Score:1)
You are neither.
Re: (Score:2)
Half the country is talking about defunding law enforcement, the other half is talking about giving them more power.
It’s a weird irony.
“Only cops should be allowed to have guns!”
“Nobody needs a gun for protection, that’s what police are for!”
“We need more men arrested for rape, the police aren’t doing enough!”
“The police are racist pigs who kill black men with impunity!”
“Police need to be able to access the private communication of all
Re: (Score:1)
...
“Only cops should be allowed to have guns!”.... “The police are racist pigs who kill black men with impunity! (at least you got that right!)” .....
Wait, let me get this laughably straight. Did you just call for the murder of police, as protection against being murdered?
Encrypt but don't Encrypt (Score:2)
That is what the government is telling these companies.
The likes of the FBI put a lot of pressure on these companies to give them access to the data to catch "bad guys" but to do this, that means they will need to put in a security hole in the system.
It is one thing to encrypt from point to point. But to encrypt point to point, with a Tee to the FBI has made things exponentially more complex.
The primary rule when I code software that needs to be secure (internet facing) I need to make it so I cannot access
Re: (Score:2)
Catching prosaic criminality is second banana in importance to preventing dictatorship and its panopticon.
The Founding Fathers would have loved encryption like this, and the Tyrant King George III would have forbidden it, so it would have ended up as part of the First Amendment.
You have a right to speak encrypted.
Every time a politician speaks of the horrors of crime, or terrorism even, they are missing the far bigger picture. Instead, imagine a boot stepping on a human face, forever. This isn't theoretic
Isn’t it clear what happened? (Score:5, Insightful)
When it fails, who will be left holding the bag? (Score:2)
Companies should ask that the law supply a bailout if their law-weakened security results in financial loss, such as a customer data breach. But I don't know if lawmakers care, they'll dump the problem onto tax-payers or pile up debt and move on.
Re: (Score:2)
They're more likely to just prohibit public release of information about breaches. That makes it much easier on their true constituency, the mega-corporations.
Laws against encryption? (Score:5, Insightful)
What kind of congress are you electing? Or, for 90% of them, reelecting? Aren't you supposed to vote crooked politicians out of office? I mean, isn't that why you have a regular vote?
Re: (Score:2)
Please mod parent up. This question should be front and center.
Re: (Score:1)
Yeah, yeah, that's the standard generic complaint I hear from everybody. It still boils down to the voters' decision to play along, probably out of some desire to get a piece of the action, preferential treatment, whatever. They don't want to feel like they're responsible for anything. They refuse to acknowledge the role they are already playing in shaping their world.
Re: (Score:2)
They refuse to acknowledge the role they are already playing in shaping their world.
I would argue the issue is that the majority of people aren't involved enough in their local politics. Change doesn't start at the top, it has to start at the bottom. You don't get an "independent" president or congressperson without first starting with an independent city council, mayor, state rep, etc. Start there, and then get money out of politics.
Re: (Score:1)
I would argue the issue is that the majority of people aren't involved enough in their local politics.
Yes, that is their choice.
Money only reflects the voters' desire to be close to celebrity. The weakness is on their part.
Things get done in the places where the voters take the initiative.
Like you said, bottoms up!
Re: Laws against encryption? (Score:3)
Voters aren't playing along. Voters aren't even playing the game. Those playing the game intentionally manufacture false narratives around wedge issues so that votes can be divvied up to preserve the existing power structures.
The idea that Republicans and Democrats are different is mostly a myth. It's a myth created to keep people engaged with the "correct" issues: that is, issues that don't mean anything in the scheme of things. Like gun control and abortion. As long as people are passionate about individual i
Re: (Score:2)
So what I'm seeing in your rant is that "someone values issues more highly than the one I'm concerned about, therefore we don't really elect congressmen." You're not even trying here--if you raised the issue of gerrymandering (which is quite prevalent, exercised by both parties, and designed to allocate seats to the "correct" party or at least keep incumbents in office) you'd have at least the makings of a point.... but your comment above is just whining that since the election turns out in ways you don't
Re: (Score:3)
You missed the point of my post, likely because I didn't articulate it well. The argument works just as well with "They value women's rights and gun control, so I'm going to vote for them." I picked those because they have been the "big topics" in the last couple of election cycles. At the end of the day, those are the types of issues that gain attention because they are emotional issues that people have strong feelings about. Strong encryption is not an emotional issue, nor one that your average person
Re: (Score:3)
Your opening sentence really did set the tone for the rest of your post... sorry for the rush to judgement on my part.
"They value women's rights and gun control, so I'm going to vote for them."
I think this is probably the inverse of what happens in most cases. Most voting in the US seems to be negative rather than positive... it's not so much "hey, that lady is pro-gun, so I'm going to vote for her" but rather "that guy is on record saying he'd ban strong encryption given the chance, so there's no way he's getting my vote." Both parties are quite good at exploiting these wedge issu
Re: Laws against encryption? (Score:3)
It's not my congressman who's the problem. It's everyone else's. At least that's what statistics tell us. Congress as a whole has an abysmal approval rating. But people are much happier with their local congressmen.
Unless encryption is your Big Issue, most people are voting based on abortion and gun control, with a few voting based on globalization or labor rights. Those are the only relevant issues in American politics. It's designed that way so that the issues that are really important - keeping the power
Re: (Score:1)
But people are much happier with their local congressmen.
Yeah, well, we have to restrict the local's effect on the whole. Those important jobs like speaker and all those other committees have to be under much faster rotation and randomly assigned. But we have to vote for a congress that would do that. Damn! It always comes back to us! Doesn't that just suck? Nothing will get done unless we vote for it.
Earn It? (Score:4, Insightful)
How about the law enforcements work on EARNing our trust first? Show us a good reason law enforcement should be trusted not to leak the gold key to the kingdom? It may take a while after the debacle where the NSA managed the cyber equivalent of misplacing a live nuke (causing billions in damages when it was used for ransomware).
Beyond that there's the numerous cases where the feds skipped a warrant then used parallel construction (perjuring themselves in the process).
They have even gone so far as to bug park benches outside of a courthouse hoping to overhear defendants talking to their lawyers.
Our trust, when will they at least try to EARN IT?
Re: (Score:2)
How about the law enforcements work on EARNing our trust first? Show us a good reason law enforcement should be trusted not to leak the gold key to the kingdom? It may take a while after the debacle where the NSA managed the cyber equivalent of misplacing a live nuke (causing billions in damages when it was used for ransomware).
I agree with you completely, but...
The way things are going it will be renamed the "Stop Rioting and Looting Act" and people will support it because they're tired of looting, even though the bill has nothing to do with rioting or looting.
Re: (Score:2)
They have forgotten who works for who here.
Morons!!! (Score:3)
If this is true there is no security at all.
If the Law Enforcement can do it easily, so can everyone else.
Just my 2 cents
Re: (Score:2)
Considering that people join LEOs because they want to be heroes, not because they want to be computer gurus, any backdoor would have to be brain-dead simple to compromise. Probably with a nice point-and-click GUI.