
French say 'Non, merci' to encryption backdoors

RainfallWithin

Article from theregister.co.uk and written by Iain Thomson on 15th January 2016: http://www.theregister.co.uk/2016/01/15/france_backdoor_law/

 

 

Minister brands crypto skeleton keys 'vulnerability by design' – is the US listening?

 


 

The French government has rejected an amendment to its forthcoming Digital Republic law that required backdoors in encryption systems.
 
Axelle Lemaire, the Euro nation's digital affairs minister, shot down the amendment during the committee stage of the forthcoming omnibus digital bill, saying it would be counterproductive and would leave personal data unprotected.
 
"Recent events show how the fact of introducing faults deliberately at the request - sometimes even without knowing - the intelligence agencies has an effect that is harming the whole community," she said according to Numerama.
 
"Even if the intention [to empower the police] is laudable, it also opens the door to the players who have less laudable intentions, not to mention the potential for economic damage to the credibility of companies planning these flaws. You are right to fuel the debate, but this is not the right solution according to the Government's opinion."
 
The encryption amendment was introduced after the Parisian terrorist attacks in November that left 130 dead. This despite there being no evidence that encrypted communications were a factor in the outrage; the murderers coordinated their killings via unencrypted SMS which wasn't picked up, despite some of them being under police surveillance.
 
Lemaire called the proposal a plan to introduce "vulnerability by design," and said that while she was aware that law enforcement would like such powers they were not a good idea, and could be used without the proper legal processes that the government supported. She said that, like the Dutch government, her party supported strong encryption.
 
It's an attitude other governments might want to consider. The Feds in the US have been calling for such a backdoor in encryption for years, and used the Paris atrocity to lend weight to their arguments. Initially the Obama administration rejected such a plan, but negotiations are continuing.

 

 

Personal Opinion

Excellent. A backdoor in an encryption method makes encryption pointless. Strong encryption with no flaws is needed to protect citizens' personal information to prevent fraud and other crimes; whistleblowers are also better protected. Hopefully the governments of other countries that are trying to force backdoors into any encryption will realise that it's the worst way of going about protecting their citizens.

Link to comment

If you want true encryption, write it yourself.

Link to comment

Excellent. A backdoor in an encryption method makes encryption pointless. Strong encryption with no flaws is needed to protect citizens' personal information to prevent fraud and other crimes; whistleblowers are also better protected. Hopefully the governments of other countries that are trying to force backdoors into any encryption will realise that it's the worst way of going about protecting their citizens.

Exactly. Just as games are cracked almost as soon as they come out, you can bet someone will find this backdoor and then the method is worthless. Hopefully this inherent fact will keep any method with a backdoor from catching on, thus making their efforts to add one useless.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to comment

+1 intelligence and logical thinking France

 

thanks for not being hive-minded reactionary idiots

Want a good game to play?  Check out Shadowrun: http://store.steampowered.com/app/300550/ (runs on literally any hardware)

 

another 12 core / 24 thread senpai...     (/. _ .)/     \(. _ .\)

Link to comment

If you want true encryption, write it yourself.

So, you suggest that your method of encryption will be unbreakable? There's no way your method will be any more secure than what is currently out there.

Link to comment

So, you suggest that your method of encryption will be unbreakable? There's no way your method will be any more secure than what is currently out there.

things are always more secure when you can see the full source code

Want a good game to play?  Check out Shadowrun: http://store.steampowered.com/app/300550/ (runs on literally any hardware)

 

another 12 core / 24 thread senpai...     (/. _ .)/     \(. _ .\)

Link to comment

If you want true encryption, write it yourself.

Using an open source encryption which is trusted amongst security experts will almost definitely be better than anything you could come up with yourself.

GPU: Gigabyte GTX 970 G1 Gaming CPU: i5-4570 RAM: 2x4gb Crucial Ballistix Sport 1600Mhz Motherboard: ASRock Z87 Extreme3 PSU: EVGA GS 650 CPU cooler: Be quiet! Shadow Rock 2 Case: Define R5 Storage: Crucial MX100 512GB
Link to comment

Using an open source encryption which is trusted amongst security experts will almost definitely be better than anything you could come up with yourself.

indeed, although an unknown algorithm could theoretically pose a greater barrier to cracking than a well-known open-source standard

Want a good game to play?  Check out Shadowrun: http://store.steampowered.com/app/300550/ (runs on literally any hardware)

 

another 12 core / 24 thread senpai...     (/. _ .)/     \(. _ .\)

Link to comment

Using an open source encryption which is trusted amongst security experts will almost definitely be better than anything you could come up with yourself.

not if you don't even allocate it to a FS and split it up into raid, you can't hack something if it doesn't exist.

 

Also, the more people that recommend it the less secure it gets, Windows is actually pretty well designed, only reason it gets so much shit is because of how many people use it.

Link to comment

indeed, although an unknown algorithm could theoretically pose a greater barrier to cracking than a well-known open-source standard

If someone is able to gain access to your data, there is also a high chance that they will be able to get the encryption algorithm. If there is a targeted attack against you, whoever does that attack will be able to reverse engineer your algorithm and likely find weaknesses.

not if you don't even allocate it to a FS and split it up into raid, you can't hack something if it doesn't exist.

Also, the more people that recommend it the less secure it gets, Windows is actually pretty well designed, only reason it gets so much shit is because of how many people use it.

Just because something is widely used, it doesn't mean that it's insecure. AES is one of the most used encryption standards and was developed in 1998, yet there are still no effective attacks against it if it's properly implemented.

GPU: Gigabyte GTX 970 G1 Gaming CPU: i5-4570 RAM: 2x4gb Crucial Ballistix Sport 1600Mhz Motherboard: ASRock Z87 Extreme3 PSU: EVGA GS 650 CPU cooler: Be quiet! Shadow Rock 2 Case: Define R5 Storage: Crucial MX100 512GB
Link to comment

Thank god the French didn't completely transform into a bunch of reactionaries. Some faith is restored in 'intelligent' nations.

"Normandy" i7 4790K - GTX 970 - Phantom 410 (Gun metal) - Z97 Extreme4 (asrock) - 128GB Crucial SSD - 1TB WD HDD - H60 Refurb. - 7 case fans | G710+ Keyboard, G230 Headset, Acer GN246HL Monitor.

Quick thoughts on system: I7 is extremely quick and I'm glad I spent the extra for hyper-threading. I regret my decision to get the GTX 970, it has horrible coil whine. There isn't any excuse for this terrible whine I and others are having. I HIGHLY recommend a 144hz monitor. Future Improvements/upgrades: Rubber fan mounts, basic speakers, more ram (for a total of 16gb), replace GPU.

144hz is love. 144hz is life. I like to submit unfinished posts then do about 20 edits. I like the Night Theme too.
Link to comment

If someone is able to gain access to your data, there is also a high chance that they will be able to get the encryption algorithm. If there is a targeted attack against you, whoever does that attack will be able to reverse engineer your algorithm and likely find weaknesses.

Just because something is widely used, it doesn't mean that it's insecure. AES is one of the most used encryption standards and was developed in 1998, yet there are still no effective attacks against it if it's properly implemented.

But it's still there, you can't trust anyone when it comes to this kind of stuff. Self code is best code.

You can use the best security company in the world to secure your house, bunker, bank and vault. And no one can get in. But will someone know "how" (notice the " " ") to get in? Yeah the people that designed and built them.

An average Joe is much better off with AES, but if you are a serious guy with some real business that you don't want someone else getting their hands on.

 

Your best bet is a raid 0 with 3+ SSD (so they degrade over time) on a raw FS, plus self written encryption.

Link to comment

I'm glad the French didn't decide to try and pass this as a "counter terrorist" BS (especially after the events of last year in France) like some other countries would probably try to make you believe, and instead just didn't allow it in the first place.

There's no point to encryption if you're putting a backdoor in it.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro

Link to comment

But it's still there, you can't trust anyone when it comes to this kind of stuff. Self code is best code.

You can use the best security company in the world to secure your house, bunker, bank and vault. And no one can get in. But will someone know "how" (notice the " " ") to get in? Yeah the people that designed and built them.

An average Joe is much better off with AES, but if you are a serious guy with some real business that you don't want someone else getting their hands on.

 

Your best bet is a raid 0 with 3+ SSD (so they degrade over time) on a raw FS, plus self written encryption.

As I've said, in most scenarios where someone is able to gain access to your data and does a targeted attack against you, they will also be able to gain access to the algorithm you are using and analyse it to look for possible weaknesses. I would trust AES over ANYTHING that I could write myself.

Just because someone knows how your house, bunker, bank and vault is secured doesn't mean they can get in. It only means that they can use their knowledge to find weaknesses. And I would rather trust a system where people have looked for weaknesses for millions of hours and failed than trust a system I designed myself where no one other than me has even tried to look for weaknesses.

GPU: Gigabyte GTX 970 G1 Gaming CPU: i5-4570 RAM: 2x4gb Crucial Ballistix Sport 1600Mhz Motherboard: ASRock Z87 Extreme3 PSU: EVGA GS 650 CPU cooler: Be quiet! Shadow Rock 2 Case: Define R5 Storage: Crucial MX100 512GB
Link to comment

But it's still there, you can't trust anyone when it comes to this kind of stuff. Self code is best code.

You can use the best security company in the world to secure your house, bunker, bank and vault. And no one can get in. But will someone know "how" (notice the " " ") to get in? Yeah the people that designed and built them.

An average Joe is much better off with AES, but if you are a serious guy with some real business that you don't want someone else getting their hands on.

 

Your best bet is a raid 0 with 3+ SSD (so they degrade over time) on a raw FS, plus self written encryption.

Btw here's a pretty good answer as to why you shouldn't write your own encryption: http://security.stackexchange.com/a/18198

GPU: Gigabyte GTX 970 G1 Gaming CPU: i5-4570 RAM: 2x4gb Crucial Ballistix Sport 1600Mhz Motherboard: ASRock Z87 Extreme3 PSU: EVGA GS 650 CPU cooler: Be quiet! Shadow Rock 2 Case: Define R5 Storage: Crucial MX100 512GB
Link to comment

Btw here's a pretty good answer as to why you shouldn't write your own encryption: http://security.stackexchange.com/a/18198

Okay, you have a very valid point here.

But in this current context "Digital Republic law that required backdoors in encryption systems.!"

If you wrote it yourself it's your own code, you do not need a backgate. It's your own IP and no one can look at it or modify it.

Link to comment

indeed, although an unknown algorithm could theoretically pose a greater barrier to cracking than a well-known open-source standard

It's not the algorithms, it's the mathematical techniques used to reduce the frequency analysis. There is a lot more to it than simply creating a mathematical formula. And this is not something one single person could do (at least not well).

A self written encryption system would likely not be worth the time or effort to do. There are many encryption systems with no known compromises. Those will be entirely safe to use until there comes a day one has been cracked.

The security research community is soooooo huge now. People are nonstop trying to break encryption systems.

Link to comment

It's not the algorithms, it's the mathematical techniques used to reduce the frequency analysis. There is a lot more to it than simply creating a mathematical formula. And this is not something one single person could do.

Encryption is usually busted like you said with "frequency analysis" and by doing so you can bust even the heaviest codes. But with "2 layer" like I said before, on a raw FS and a physical RAID system, it makes it times harder to find the actual data, you can theoretically make your files 8X harder by shifting your binary values by one place, aka a byte so each new passage on a 8*raid 0 starts on a different bit. This can make it a lot harder to crack.

Also some maths just forms patterns naturally, like prime numbers. They will always make a pattern and can be seen in any base number systems. But if you can code effectively you can form a code that can be performed recursively and peel away each time, just like how TOR works but on a much deeper and rich level.

I'm no expert, but 1 man can create a fairly hard to crack code especially if they have worked before in the field.

Link to comment

Encryption is usually busted like you said with "frequency analysis" and by doing so you can bust even the heaviest codes. But with "2 layer" like I said before, on a raw FS and a physical RAID system, it makes it times harder to find the actual data, you can theoretically make your files 8X harder by shifting your binary values by one place, aka a byte so each new passage on a 8*raid 0 starts on a different bit. This can make it a lot harder to crack.

Also some maths just forms patterns naturally, like prime numbers. They will always make a pattern and can be seen in any base number systems. But if you can code effectively you can form a code that can be performed recursively and peel away each time, just like how TOR works but on a much deeper and rich level.

I'm no expert, but 1 man can create a fairly hard to crack code especially if they have worked before in the field.

One man can create a somewhat decent algorithm, but as Bruce Schneier said: "Any person can invent a security system so clever that he or she can't imagine a way of breaking it." Also: "Secrecy and security aren't the same even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public."

GPU: Gigabyte GTX 970 G1 Gaming CPU: i5-4570 RAM: 2x4gb Crucial Ballistix Sport 1600Mhz Motherboard: ASRock Z87 Extreme3 PSU: EVGA GS 650 CPU cooler: Be quiet! Shadow Rock 2 Case: Define R5 Storage: Crucial MX100 512GB
Link to comment
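
The bit-shift layer proposed in the posts above, measured against the quoted Schneier point that good security survives publication of its details, as an added example that is not part of the original thread. `shift_bits`, `recover_offset` and the sample text are constructed for illustration, and the data under the shift is assumed to be recognizable plaintext.

```python
import math
import string

# Constructed sample plaintext (not taken from the thread).
SAMPLE = b"Quarterly payroll export: account 4471, amount 1250.00 EUR\n"
PRINTABLE = set(string.printable.encode())


def shift_bits(data: bytes, k: int) -> bytes:
    """Hypothetical 'secret layer': rotate the whole bitstream left by k bits."""
    n = len(data) * 8
    if n == 0:
        return data
    value = int.from_bytes(data, "big")
    k %= n
    rotated = ((value << k) | (value >> (n - k))) & ((1 << n) - 1)
    return rotated.to_bytes(len(data), "big")


def unshift_bits(data: bytes, k: int) -> bytes:
    """Inverse of shift_bits: rotate the bitstream right by k bits."""
    return shift_bits(data, len(data) * 8 - k)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for ordinary text."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover_offset(blob: bytes) -> tuple[int, bytes]:
    """Try all 8 bit offsets and keep the candidate that looks most like text."""
    candidates = [(k, unshift_bits(blob, k)) for k in range(8)]
    return max(candidates, key=lambda c: printable_ratio(c[1]))


def secret_bits(choices: int) -> float:
    """Work added by a secret with `choices` equally likely values, in bits."""
    return math.log2(choices)


if __name__ == "__main__":
    blob = shift_bits(SAMPLE, 5)          # the offset 5 is the "secret"
    k, text = recover_offset(blob)
    print(f"recovered offset {k}: {text!r}")
    print(f"hidden offset adds {secret_bits(8):.0f} bits; an AES-128 key is 128 bits")
```

Once the scheme is known, the hidden offset is one of eight values, so it contributes three bits of work; a design whose only secret is a randomly chosen key keeps its full key length even when every other detail is public.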

If you want true encryption, write it yourself.

 

False, false, false.

 

Invariably, proprietary encryption standards are defeated because they do not benefit from the collaborative development and scrutiny that an open standard enjoys.

 

Case in point: https://www.schneier.com/blog/archives/2015/11/cryptanalysis_o_1.html

 

And do I even need to bring up the phrase "security by obscurity"? I seriously hope not.

Link to comment

Meanwhile in the US and UK

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

EVs are bad, they kill the planet and remove freedoms too some

Link to comment

One man can create a somewhat decent algorithm, but as Bruce Schneier said: "Any person can invent a security system so clever that he or she can't imagine a way of breaking it." Also: "Secrecy and security aren't the same even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public."

This.

 

You want a system that, even if all the details are public, it is still secret and anyone in the middle that is sniffing is completely unsure of how to decrypt.

This is very difficult to do.

Link to comment

The FBI knew about the terrorists planning 9/11, well before 9/11 happened, they did nothing.

 

I think it's safe to say that blanket electronic surveillance doesn't freaking work.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

The FBI knew about the terrorists planning 9/11, well before 9/11 happened, they did nothing.

 

I think it's safe to say that blanket electronic surveillance doesn't freaking work.

 

I'll give you a more recent example: Twitter has, knows and continues to allow accounts from known Isis members. They have 0 technical reasons not to do anything about it and it's just their bs SJW rhetoric that believes any action against known criminals is "islamophobic"

 

Good thing they're being fucking sued over it and their stock is taking a huge nose dive:

 

https://www.rt.com/news/328995-isis-twitter-sued-widow/

-------

Current Rig

-------

Link to comment
