
New US Bill would require makers of encrypted devices to leave a backdoor

FootFetish
1 hour ago, straight_stewie said:

@Bombastinator Replace "NSA" with "FBI" and you have it correct.

 

Google search "Can the NSA conduct operations outside the US" and the first result (at least the first result for me) is from NSA.gov and says:


Clicking the second result you are taken to an NSA.gov FAQ of sorts, which is interesting...

 



The NSA was designed solely to conduct operations outside of the US. Hell, they are a part of the DoD...

Nope.  Had it correct the first time.  FBI is criminal stuff only. They have a third charter. CIA and NSA might both work with FBI on different things though. Each group has different powers and limitations.  The charters are there to read.  You said something about complicated.  It is.

NSA deals with external stuff coming into the US and as such has some powers inside the US but only over foreign nationals.  Sort of like the difference between MI5 and MI6.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


46 minutes ago, GDRRiley said:

NSA claims to be international only but they do plenty domestically.

I would go so far as to say that they are purposefully primarily targeting domestic and citizens of allied countries communications.

I was meaning to discuss what their stated purpose and overt legal boundaries are, as well as what their original charges were, rather than what they are currently being used for or what they do behind the veil of the FISA and its associated secret courts.

ENCRYPTION IS NOT A CRIME


15 minutes ago, straight_stewie said:

I would go so far as to say that they are purposefully primarily targeting domestic and citizens of allied countries communications.

I was meaning to discuss what their stated purpose and overt legal boundaries are, as well as what their original charges were, rather than what they are currently being used for or what they do behind the veil of the FISA and its associated secret courts.

So it's an accusation that the various agencies ignore their charters.   NSA would monitor communication of any foreign national inside the US.  Not citizens though.  FBI could do that but they have different limitations.


I had a quick scan through the full bill, my legalese is terrible but here's the breakdown of the definitions...

 

Hardware Manufacturers

1) The bill applies to any manufacturer of a consumer electronic device in the US that has sold more than 1M devices in any year since 2016

2) A consumer electronic device is any electronic device that is sold to the public and can hold more than 1GB of data

 

Operating System Developers

1) The bill applies to any manufacturer of an operating system in the US that has more than 1M users in any year since 2016

2) An operating system is a piece of software installed on to a consumer electronic device to control its operation or that directs the processing of programs on the consumer electronic device (such as by assigning storage space in memory and controlling input and output functions)

 

Remote Computing Service

1) A remote computing service means the provision to the public of computer storage or processing services by means of an electronic communications system (link)

2) The remote computing service must have more than 1M active subscribers in any year since 2016

 

Applies to all of the above

1) The bill can be enforced using a probable cause warrant

2) It is required to isolate the information requested, decrypt it and provide it to law enforcement in plain English

3) it is required that any and all technical assistance needed by law enforcement be given

4) No legal action can be enforced against the business if the end user has taken additional action to prevent the data from being decrypted

5) No business can be held liable to be sued as a result of compliance

6) The business shall be liable for the cost of developing the technology required for compliance

7) There is up to a $300 per case compensation available to any business to cover expenses incurred while complying

 

https://www.judiciary.senate.gov/imo/media/doc/S.4051 Lawful Access to Encrypted Data Act.pdf

 

They really mean business, it will apply to everything from firmware right through to internet services.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


2 minutes ago, Master Disaster said:

I had a quick scan through the full bill, my legalese is terrible but here's the breakdown of the definitions...

 

Hardware Manufacturers

1) The bill applies to any manufacturer of a consumer electronic device in the US that has sold more than 1M devices in any year since 2016

2) A consumer electronic device is any electronic device that is sold to the public and can hold more than 1GB of data

 

Operating System Developers

1) The bill applies to any manufacturer of an operating system in the US that has more than 1M users in any year since 2016

2) An operating system is a piece of software installed on to a consumer electronic device to control its operation or that directs the processing of programs on the consumer electronic device (such as by assigning storage space in memory and controlling input and output functions)

 

Remote Computing Service

1) A remote computing service means the provision to the public of computer storage or processing services by means of an electronic communications system (link)

2) The remote computing service must have more than 1M active subscribers in any year since 2016

 

Applies to all of the above

1) The bill can be enforced using a probable cause warrant

2) It is required to isolate the information requested, decrypt it and provide it to law enforcement in plain English

3) it is required that any and all technical assistance needed by law enforcement be given

4) No legal action can be enforced if the end user has taken additional action to prevent the data from being decrypted

5) No business can be held liable to be sued as a result of compliance

6) The business shall be liable for the cost of developing the technology required for compliance

7) There is up to a $300 per case compensation available to any business to cover expenses incurred while complying

 

https://www.judiciary.senate.gov/imo/media/doc/S.4051 Lawful Access to Encrypted Data Act.pdf

 

They really mean business, it will apply to everything from firmware right through to internet services.

The DFL had something not as harsh some years back that was backed by Hillary Clinton.  It was one of the main complaints against her.  That the GOP is going with something even more hardcore after complaining about the exact same thing for years is interesting. A bill is just a bill though.


The arrogance and hubris of our elected officials is astounding!!!! 🤬 You want to get hacked by other nation-states, THAT is how you do it!

You could have the Chinese or Russian navy enter the Potomac river and the idiots in DC would all be asking themselves "how would this affect voter turnout". That is how clueless and myopic those assholes are about the security of our nation.


4 minutes ago, Master Disaster said:

They really mean business, it will apply to everything from firmware right through to internet services.

Would be interesting in terms of VPNs that are either based in the US or have servers in the US.


1 hour ago, Statik said:

My question is how would this affect things like Protonmail, and VPNs like Express/Nord?

 

Protonmail is hosted/based out of Switzerland, and protected via Swiss privacy laws, and VPN companies like Express/Nord (and I'm sure many others) are hosted abroad (British Virgin Isles, and Panama respectively). So they wouldn't have to comply with the US, would they?

They can't force them, but they can ban their operations on US soil.


2 minutes ago, RejZoR said:

They can't force them, but they can ban their operations on US soil.

Makes me glad to be Canadian... I figured that would be the case.

 

I'm just verbalizing my thoughts right now, but I wonder if that was the case, could you use a US based VPN to simply jump onto another server and access it without raising flags. I can't imagine they could monitor that usage too heavily.

 

I also can't imagine how banning some of the biggest VPNs and banning people from downloading things like Tor would go down... That's a dark dark road..

Gaming Build:

CPU: Ryzen 7 3800x   |  GPU: Asus ROG STRIX 2080 SUPER Advanced (2115Mhz Core | 9251Mhz Memory) |  Motherboard: Asus X570 TUF GAMING-PLUS  |  RAM: G.Skill Ripjaws DDR4 3600MHz 16GB  |  PSU: Corsair RM850x  |  Storage: 1TB ADATA XPG SX8200 Pro, 250GB Samsung 840 Evo, 500GB Samsung 840 Evo  |  Cooler: Corsair H115i Pro XT  |  Case: Lian Li PC-O11

 

Peripherals:

Monitor: LG 34GK950F  |  Sound: Sennheiser HD 598  |  Mic: Blue Yeti  |  Keyboard: Corsair K95 RGB Platinum  |  Mouse: Logitech G502

 

Laptop:

Asus ROG Zephryus G15

Ryzen 7 4800HS, GTX1660Ti, 16GB DDR4 3200Mhz, 512GB nVME, 144hz

 

NAS:

QNAP TS-451

6TB Ironwolf Pro

 

 


7 hours ago, paddy-stone said:

If this bill passes, I wonder how many companies will just go "fuck the US then!" and not sell in the US so they don't have to have a backdoor and thus break encryption.

That won't happen. What will happen is that the backdoor will somehow get exploited, and our adversaries will embark on espionage of IP theft like you wouldn't believe.

 

Imagine SpaceX having data hoovered up and sent over to China. You don't think they wouldn't copy-paste the plans for their version of "Space Force". Better believe it in a nanosecond!


1 hour ago, straight_stewie said:

Google search "Can the NSA conduct operations outside the US" and the first result (at least the first result for me) is from NSA.gov and says:

That's why the NSA exists. Legally they can't operate within the borders of the US, but the world is their playground. Same thing applies to the CIA. An intelligence agency's job is to collect intelligence on enemy countries; that's why they exist.

 

The only thing about this is the NSA does operate on American soil, case in point Edward Snowden. The NSA was found with equipment in one of AT&T's data centers. The only reason the government is doing this is because encryption has gotten so good it takes the government too long to decrypt devices. The people in charge believe we should shred a bit of the constitution to keep this nation safe. Personally I don't think we will be any safer.

 

I just want to sit back and watch the world burn. 


6 minutes ago, Donut417 said:

That's why the NSA exists. Legally they can't operate within the borders of the US, but the world is their playground. Same thing applies to the CIA. An intelligence agency's job is to collect intelligence on enemy countries; that's why they exist.

 

The only thing about this is the NSA does operate on American soil, case in point Edward Snowden. The NSA was found with equipment in one of AT&T's data centers. The only reason the government is doing this is because encryption has gotten so good it takes the government too long to decrypt devices. The people in charge believe we should shred a bit of the constitution to keep this nation safe. Personally I don't think we will be any safer.

 

Not quite correct.  They can monitor foreign nationals on US soil.  A key difference between the CIA and NSA.  The CIA is spy.  The NSA is anti-spy.


15 hours ago, Arika S said:

Maybe that's why the US is trying to destroy Huawei

This is absolutely correct, and it has been known for quite a while.

 

 

A little backstory. UK was rather controversial when they said it would allow carriers to use equipment from Huawei, despite countries like the US banning Huawei.

The US has since then pressured the UK into banning Huawei, and Huawei rivals like Nokia and Ericsson have been happy to fuel the flames since it offers them more business.

But a few months ago we got to learn the real reason for why the US and countries like Australia are heavily pushing to ban Huawei.

Quote

London: Former Australian prime minister Malcolm Turnbull has warned Boris Johnson that allowing Chinese company Huawei to build Britain's 5G network would compromise the ability of the Five Eyes countries to collect and share intelligence.

 

Speaking on BBC Radio 4's The World at One program, Mr Turnbull said the main risk the Australian security agencies had identified was not through potential Chinese interception of intelligence but by denial of access to the network.

 

"We did a lot of work [to see] how we could mitigate the risk and the conclusion we came to was that there just wasn't a satisfactory mitigation of the risk," he said.

 

A lot of the Five Eyes countries (Australia, Canada, New Zealand, UK and US) have tried to pass anti-encryption and mass-surveillance-enabling laws in the last couple of years. If telecom companies started building their networks with Chinese made equipment then it would be far more difficult to force backdoors into equipment compared to if the networks were built by for example Cisco (which the NSA has been backdooring for years now, and when Cisco doesn't comply they just hijack transports and modify the equipment).

 

 

12 hours ago, mr moose said:

It'll be interesting to see if they ever get a bill like that through.  This is not the first time and they likely  already have tech that borders on just as effective.  If I could be arsed I would read the actual bill,  more often than not they are not written the way the media tells you.  Like the Australian bill that was blown so far out of proportion that not a single news outlet reported it accurately.

Here is the proposal.

Haven't read through all of it yet but it really seems as bad as it sounds from news outlets.

Also, I would like to add that pretty much every security expert who has weighed in on the Australian bill has agreed that it is a terrible bill. The only ones who are saying it is blown out of proportion are politicians and some people like you who don't necessarily have the experience with cryptography to form well-researched opinions on the subject.


37 minutes ago, RejZoR said:

They can't force them, but they can ban their operations on US soil.

The bill also applies to all the equipment made by US companies that those services use. So even if they can't go after let's say ExpressVPN directly, if this bill passes the US will require for example Dell and HP (who probably make the ExpressVPN servers) and Cisco (who probably makes the networking equipment) to implement backdoors which the US government can use to spy on ExpressVPN users.

 

Basically, if this bill passes we will have deliberate security holes in servers and software from all US companies, and we can not know when they are being used.

And even if we assume that the US government only has good intentions (please remember that people in the US government have been sentenced for misusing these tools on multiple occasions for private gains such as spying on ex-spouses), it's only a matter of time before they get found by others with less than malicious intentions. If this bill passes, I expect that we will get massive attacks on the scale of WannaCry on a far more common basis. WannaCry was just a small taste test of what happens when the US government stockpiles exploits because they want to use them for themselves.


13 minutes ago, Bombastinator said:

The NSA is anti-spy.

Actually that falls to the FBI. Because the NSA can't arrest anyone as they don't have the legal authority to do so. Plus the NSA is not allowed to collect info on US citizens, which makes their job harder. The NSA operates many of our spy satellites and listening posts. They collect data. The CIA is a direct action agency, as in they are the ones who destabilize governments and make back room deals with dictators.

 

Quote

NSA's mission, as set forth in Executive Order 12333 in 1981, is to collect information that constitutes "foreign intelligence or counterintelligence" while not "acquiring information concerning the domestic activities of United States persons". NSA has declared that it relies on the FBI to collect information on foreign intelligence activities within the borders of the United States, while confining its own activities within the United States to the embassies and missions of foreign nations.

 

https://en.m.wikipedia.org/wiki/National_Security_Agency

 


This had better get shot down asap. I hate this kind of authoritarian bullshit. Getting rid of our Bill of Rights seems to be the trend for the last 4-9 administrations. This is becoming ridiculous when it ties into our spending more on surveillance and war instead of education (especially with regards to technology) and infrastructure (especially with regards to technology). 

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


3 minutes ago, ARikozuM said:

This had better get shot down asap. I hate this kind of authoritarian bullshit. Getting rid of our Bill of Rights seems to be the trend for the last 4-9 administrations. This is becoming ridiculous when it ties into our spending more on surveillance and war instead of education (especially with regards to technology) and infrastructure (especially with regards to technology). 

Well the 1%'s want to keep control. That's why they are wanting domestic surveillance. It's all about controlling the population. That's why they cut education spending. Keeping us dumb keeps us docile, easier to control.


12 minutes ago, Donut417 said:

Actually that falls to the FBI. Because the NSA can't arrest anyone as they don't have the legal authority to do so. Plus the NSA is not allowed to collect info on US citizens, which makes their job harder. The NSA operates many of our spy satellites and listening posts. They collect data. The CIA is a direct action agency, as in they are the ones who destabilize governments and make back room deals with dictators.

 

 

Enforcement does.  The NSA can’t enforce, or at least are extremely limited in their ability.  Interlocked limitations.  NSA has to work with the FBI to actually arrest spies.


13 minutes ago, jagdtigger said:

 

It starts at around 34:50 for those interested.

Never heard of "How they got hacked" before but it seems interesting.


1 hour ago, Master Disaster said:

it is required that any and all technical assistance needed by law enforcement be given

 

Quote

NO TECHNICAL DEMANDS.—A directive issued to a person under paragraph (1) may not specify technical means by which the person is required to implement the required capabilities. 

 

Quote

CONSIDERATION OF PETITION.—
‘‘(A) GRANT.—The court may grant a petition filed under paragraph (1) only if—
‘‘(i) the directive does not meet the requirements of this section;
‘‘(ii) the person filing the petition demonstrates, by clear and convincing evidence, that it is technically impossible for the person to make any change to the way the hardware, software, or other property of the person behaves in order to comply with the directive; or
‘‘(iii) the directive is otherwise unlawful.

 

 

1 hour ago, Master Disaster said:

The business shall be liable for the cost of developing the technology required for compliance

 

Quote

COST REIMBURSEMENT.—
‘‘(1) IN GENERAL.—Subject to paragraph (3), a person who receives a directive under subsection (b) shall be compensated therefor by the United States for reasonable expenses directly incurred in complying with the directive.
‘‘(2) AMOUNT.—The amount of compensation provided under paragraph (1)—
‘‘(A) shall be mutually agreed upon by the Attorney General and the person complying with the directive; or
‘‘(B) in the absence of an agreement under subparagraph (A), shall be determined by the United States District Court for the District of Columbia.’’.

 

I'm not too sure you read the document carefully enough; businesses do, for example, bear the cost of development, but they are entitled to compensation. What that means is you won't receive funding to do the work, and reimbursement happens afterward, not before or during.


59 minutes ago, LAwLz said:

Also, I would like to add that pretty much every security expert who has weighed in on the Australian bill has agreed that it is a terrible bill. The only ones who are saying it is blown out of proportion are politicians and some people like you who don't necessarily have the experience with cryptography to form well-researched opinions on the subject.

You can add whatever you want.  I showed you the bill directly and showed how all those "security experts" (which were basically companies like Apple and Google and a handful of small timers looking for fame) were wrong.     If you want to re-debate it go back to that thread and read it over from the start, then decide if it's worth the time trying to redefine words because it's the only way you can read into it what you were arguing.     Your argument from authority means nothing given it has now been 4 years since that bill was passed and not a single company has been forced to put in a back door.  This is of course of no surprise to me or any "real security expert", because we know what the definition of a systemic weakness is.  Also you'll note the government is still trying to ask for backdoors in various forms; why would they be doing that if a law they passed 4 years ago already does that?  Answer: because that bill you are so adamant allows them to demand a backdoor actually does not, as it clearly said.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


2 hours ago, Bombastinator said:

A key difference between the CIA and NSA.  The CIA is spy.  The NSA is anti-spy.

This is incorrect. Both the CIA and NSA are "spy agencies" in every sense of the phrase.

The CIA primarily focuses on HUMINT, or HUMan INTelligence. That is, the CIA is really good at running informants, flipping foreign nationals, having insiders in enemy governments... Generally what you would consider "traditional" spy activities.

The NSA, on the other hand, primarily focuses on SIGINT, or SIGnals INTelligence. These days that mostly means intercepting internet based communications, but it can also include radio transmissions and other such things.

Of course, there is some overlap between the capabilities of the organizations. The NSA has field agents, and the CIA does do wiretapping and other such things. In modern times, the NSA also serves to provide off-the-shelf capabilities to the other intelligence organizations (this is what the ANT catalog is).


Anything that has the potential to weaken encryption by law I am against.

 

*remembers the time when the US arrested the cryptographer for creating a secure program* (I can't remember the guy's name... tried searching for it, but it was like 25 years ago when the US had laws that prevented the export of military grade encryption).  If the government has the power, it will eventually be abused (even if it isn't immediately).

 

Honestly though, one thing I think that should be discussed amongst politicians is the "self incrimination" argument.  While I agree that people should have some right to not self incriminate, I feel it goes too far in that people can't be compelled by warrant to give up things such as a safe password, or a password to their phone,

3735928559 - Beware of the dead beef


I see they gave up on the EARN IT Act and are now being upfront with their intention to end encryption.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),
