Matthew Green
William Barr gave a talk today at Fordham, on “going dark” and the need for encryption backdoors. A lot of this is old hat. The surprising thing is that it was the only subject of the talk: it seems like the Trump administration is serious about this. (Thread).
Matthew Green 23 Jul 19
2. The talk follows the typical pattern of asserting that the Fourth Amendment actually requires encryption backdoors. I’m no lawyer, but this is a hell of a legal theory. I just want to flag that one and move on to the technical.
3. Barr cites Mexican cartels as using WhatsApp groups, and then notes that law enforcement is unable to penetrate these groups. This is a bit surprising to me, since WhatsApp group management is one of the weakest areas of the system.
4. What’s really fascinating about this speech is how frankly the Trump administration has moved away from “we just want to access your encrypted phone” to making it clear that communications (text messages) etc. are the real goal.
5. I have to quote this one because it’s unreal: “For example, providers design their products to allow access for software updates using centrally managed security keys. We know of no instance where encryption has been defeated by compromise of those provider-maintained keys.”
6. Is the US Attorney General saying that his department knows of no instance where software update/signing keys were stolen? This is crazy. I can think of one: Stuxnet. But that’s hardly the last one.
7. NotPetya was allegedly launched using the software distribution infrastructure of a popular Ukrainian product. This wasn’t a key theft, but it’s essentially the same thing. This is a crazy talking point.
8. Barr goes on to claim that there are many proposals for encryption backdoors on the table. He gives three. They’re the same three we always get. 1. A (hardware, phones only) proposal by Ray Ozzie. 2. A proposal to tap chat groups by GCHQ. 3. An ancient article by Matt Tait.
9. One of these proposals is by a signals intelligence agency. Lovely people! But hardly credible, and will be eliminated by coming updates to these systems. I wrote about Ozzie’s proposal here — it’s only for phones. Tait’s is an old policy article.
10. The TL;DR is that the US Attorney General is standing up in front of the country and saying “look, cryptographers can build backdoors”, and citing essentially three plans — one of which is made by a signals intelligence agency, and two by non-cryptographers.
11. “The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product.” Well, let’s talk about that for a second.
12. We don’t have a lot of examples of legitimate backdoors to work with. But we do have one illegitimate one: the Dual EC backdoor that was included in Juniper NetScreen firewalls. This was hijacked by an APT group and exploited, probably against the US.
13. The ultimate targets and details of the Juniper attack are still not public. The FBI isn’t talking. It’s all classified. There is a good chance that this continued secrecy hides one of the more catastrophic breaches in US history. The risk here is very real.
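The Juniper Dual EC case in tweets 12 and 13 is the one concrete instance the thread offers for the “residual risk” question in tweet 11, so here is an added toy model of it (my code, not Green’s, and not Juniper’s or the real Dual EC design): the generator is built in a multiplicative group mod p instead of on an elliptic curve, with constructed parameters, and it shows that whoever knows d with Q = P^d can predict every later output from a single sample, and that whoever can swap the published Q for their own hands that ability to themselves without touching anything else.

```python
from random import randrange

# Constructed toy parameters (added example, not from the thread).
P_MOD = 2**127 - 1            # Mersenne prime; the group is Z_p^*
ORDER = P_MOD - 1             # every element's order divides p - 1
P = 5                         # public base element, plays the role of point P
TRAPDOOR_D = 104729           # secret relation Q = P^d, known only to the backdoor owner
Q = pow(P, TRAPDOOR_D, P_MOD) # the published "Q" constant shipped in the product

def generator_step(state, q=Q):
    """One Dual EC style step: next_state = P^s, output = Q^s.
    (The real design truncates the output; that is omitted here for clarity.)"""
    return pow(P, state, P_MOD), pow(q, state, P_MOD)

def predict_next_state(output, d):
    """Whoever knows d with Q = P^d turns an output Q^s into P^s, the next state."""
    d_inv = pow(d, -1, ORDER)            # valid because ord(P) divides p - 1
    return pow(output, d_inv, P_MOD)

def backdoor_predicts_stream(d, q, n_outputs=5, seed=None):
    """Return True if the holder of d, seeing one output, predicts the rest."""
    state = seed if seed is not None else randrange(2, ORDER)
    state, first_out = generator_step(state, q)
    predicted = predict_next_state(first_out, d)
    for _ in range(n_outputs):
        state, real_out = generator_step(state, q)
        predicted, pred_out = generator_step(predicted, q)
        if pred_out != real_out:
            return False
    return True

def hijack_q(new_d):
    """Replace the constant Q with one whose trapdoor is new_d: the owner of the
    original d loses the backdoor and the owner of new_d gains it."""
    return pow(P, new_d, P_MOD)
```

The residual-risk point is the last function: the mechanism stays intact, only the party holding the key changes, which is why a swapped constant is hard to spot and why the product is no safer than the secrecy of that one value.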
14. “After all, we are not talking about protecting the Nation’s nuclear launch codes.” Well, actually.
15. It is generally agreed that events like the Office of Personnel Management breach were a catastrophic blow to our intelligence agencies. The cost of these breaches is not mushroom clouds today, but it could be down the road.
16. How do US government agencies protect themselves? Using custom encryption developed by the NSA? No. They use COTS products they buy from corporations. Here’s a list of the OPM’s NetScreen firewalls from 2014, with serial numbers.
17. At the end of the day, here’s the line in Barr’s speech that lays bare what the strategy is. “I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.”
18. To make a long thread very short: there is no safe backdoor solution on the table. Barr and the Trump administration have nothing new to offer here except for a creatively terrifying interpretation of the 4th amendment and a desire to minimize risks...
19. But what they do have is time, and the inevitability that given enough of it, something terrible will happen to America on their watch. And they’ll be able to push these proposals without the need for debate. That’s where we are, and it should scare you. (Fin.)