Encryption Under 'Full-Frontal Nuclear Assault' By U.S. Bills


Grim Reaper"(life) preciouse few are born with it, even fewer know what to do with it, NO FEAR!!!!"

Sep 3, 2020, 1:13:12 PM
<https://threatpost.com/encryption-under-full-frontal-nuclear-assault-by-u-s-bills/157748/>

The U.S. government and tech companies continue to butt heads over the idea of encryption and what that means for law enforcement.

Encryption expert Riana Pfefferkorn believes new proposed laws – the EARN IT Act and the Lawful Access to Encrypted Data Act – pose dire threats to cybersecurity and privacy.

In this Threatpost interview, Pfefferkorn, who is associate director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, lends valuable insight as to why proposed legislation is a “full-frontal nuclear assault on encryption in the United States.”

“I think we’re at a point where there is a rising tide around the world of threats to encryption and threats to our online freedoms more generally,” Pfefferkorn told Threatpost. “And it’s going to become more and more difficult, both as a regulatory atmosphere and as normative matter for companies to continue holding the hardline and saying, we cannot afford to go backwards on cybersecurity in light of the kinds of data breaches, information attacks and ransomware we face right now in the world.”

Listen to the full interview with Pfefferkorn below.

<https://www.youtube.com/watch?v=lFS959M-8NU>

Below is a lightly edited transcript of the interview.

Lindsey O’Donnell-Welch: Hi, everyone, this is Lindsey O’Donnell Welch with Threatpost and I am joined today by Riana Pfefferkorn, the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society. Riana, thank you so much for joining us today.

Riana Pfefferkorn: Thank you for having me.

LO: So just for all of our viewers, Riana’s work focuses on investigating and analyzing the U.S. government’s policy and practices for forcing decryption and influencing crypto-related design of online platforms and services, both via technical means and through the courts and legislators. And so that is very applicable for what we’re talking about today, which is a recently introduced bill called the Lawful Access to Encrypted Data Act. And that was introduced in June and Riana I want to talk to you a little bit about this, but this bill argued that the ending of the use of “warrant proof encrypted technology” would “bolster national security interests, and better protect communities across the country.” Now, this has generated a lot of backlash from the security and from the privacy space. And I know that you had many thoughts about this as well. So can you talk to me a little bit about what specifically this bill is and kind of what the fine print is for it, and really what it consists of?

RP: Sure. So what this bill does is that it would amend the various parts of the existing framework that we have for the issuance of warrants under federal statute and the issuance of other types of surveillance orders. In the past it has not been clear within the scope of those laws, whether the government could force a company to decrypt information or provide other technical assistance in order to provide access to the plain text of encrypted data. We’ve seen a couple of court decisions saying no, the existing laws do not go so far as to do what it is that you are asking to do, for example, in the Apple versus FBI San Bernardino case involving a warrant to get into a locked phone. So the goal of this bill, as I see it, is to clarify by making additions and amendments to those laws to that statutory framework, so that rather than relying upon the arguments that the Department of Justice and the FBI have made in recent years to say “these existing laws allow us to get what we want in terms of decrypting data.” Now, this is an admission, “okay, those laws don’t do that.” And therefore, there needs to be amendments to make that more clear. So this would specifically say that for providers of online services – so that could be pretty much anybody. It could be websites, it could be email, it could be social media. It could be apps and so forth – they would have to decrypt data upon demand. If you are a smaller provider with under a million users or customers or devices sold annually in the U.S., you will be subject to receiving a capability notice from the Attorney General saying build a decryption capability for us to get into your service or your device.
If you have more than a million monthly active users or devices sold in the United States, annually, etc, then you would have to proactively redesign your products, your service in order to have a decryption capability, so that if and when you do receive a warrant or a wiretap order, etc., then you will already have the ability to decrypt that information for law enforcement. So this is a significant escalation from what we have seen in the encryption debate in recent years, where as I said, it’s mostly been relying upon interpretations of existing language and laws on the books and sort of novel stretching the envelope with regard to what those laws might say. And we have not yet seen any as overt bills as this that directly go to saying encryption out loud.

LO: Right. And I think you make a really good point there about the fact that we’ve seen several kind of bills and policies being discussed that are targeting encryption, but maybe not being so outward about it. Clearly, you’ve been looking at this for a long time and how the U.S. government is handling this. Can you talk a little bit just for context here, about how you’ve seen this debate between law enforcement and the tech industry and encryption evolve over time? I mean, obviously, we’ve seen the big ones like in 2016, Apple versus FBI over the San Bernardino shooter and then it came to a head again, earlier this year too, right? I mean, the whole FBI asking Apple to help unlock the iPhone of the Pensacola shooter. So really what have you seen? And how have you seen this kind of pretext evolve over time?

RP: Yeah, I think that what we’ve seen has been a shift from, prior to about 2014, it was largely pretty straightforward for law enforcement to be able to go and get access to the encrypted data, because at the time, we didn’t yet have as much web traffic encrypted as there is now, we didn’t have strong end to end encryption built in by default into a lot of popular messaging services the way we do now. And iPhones and Android phones did not have device or file based encryption built in by default, the way that we do now. And so it was just easier for investigators with the kinds of legal process that I mentioned – wiretap orders, warrants, etc. – To be able to get decrypted data because that capability was still there. Since about six years ago, both device manufacturers and app makers have re-engineered their products to make that harder, out of a recognition that there’s a lot of risk to people’s personal data, sensitive information, financial information that can be from having that ability to access it. So by cutting law enforcement out of the loop, this is something that they take as a personal affront to themselves. But really, it’s more designed to keep out your cyber criminals, your hackers, your identity thieves, foreign state actors, as well as you know, company’s own employees. We’ve seen just recently with the Twitter hack, where that was allegedly, at least in part, a social engineering hack that took place in order to do a stupid cryptocurrency scam. And if that’s the case, we really dodged a bullet there because when employees have powerful access to people’s information, including in the Twitter hack, apparently at least one person’s direct message inbox was accessed, direct messages aren’t end to end encrypted, the more that companies realize that they need to build themselves into their threat models for their users, the more we’ve seen them embrace end to end encryption as a means of protecting users information. 
And so that I don’t think that it is accurate for law enforcement to say this is just about us. This is you targeting us. I think it’s more about companies saying, look, law enforcement does not have a monopoly on ensuring people’s safety, we have a responsibility to our users, to their privacy, to their security, to the real world safety impact of not securing their data adequately. And so we need to be taking this responsibility on for ourselves. So it’s really a matter of taking on more responsibility for users, rather than abandoning it and abandoning that responsibility, the way that law enforcement tries to depict it.

LO: And I know you also mentioned that we’re seeing a ton of kind of policy from the U.S. government around this as well. And one of these more recent related bills that we’re seeing is the EARN IT act. Can you talk about kind of that proposed bill and kind of what, how that’s different, I guess from the Lawful Access to Encrypted Data Act of 2020, how they’re the same and kind of how that fits into all of this as well.

RP: Sure. So there were rumblings about the EARN IT act bill as far back as around the beginning of the year back in January. The bill text came out in March, and there was an immediate public outcry because it was very clear that it was kind of a sneak attack on encryption. What that bill would do, and what still would do under the current amended version of it that has has been put forth more recently, is that it would curtail platforms – again, email, social media apps, etc. – Their immunity that they enjoy under federal law, a law called Section 230 against liability against state criminal charges and private plaintiff civil lawsuits for child sex abuse material on their services. Now, there’s already a federal law that governs what platforms are supposed to do when they learn about this kind of material on their services, and whom they have to report it to, and how long they have to keep it for etc. But rather than amending that law, this bill goes after Section 230, I think because there’s kind of a general public distaste now for big tech, people are kind of fed up. And section 230, while it’s sort of poorly understood is something that I think lawmakers or law enforcement officials who may be behind drafting both of the two bills we’re talking about today, may have seized upon as an expeditious way to kind of get public sentiment behind them, in addition to the fact that we’re talking about one of the most heinous possible crimes out there, which honestly, it’s surprising that this hadn’t been brought out before. It’s kind of a nuclear weapon to bring out child sex abuse material. When previously it’s been kind of lumped in with more of the terrorism focus that we had seen previously around the Pensacola base shooting and around the San Bernardino shooting.

But it seems like public opinion didn’t sway even with really terrible attacks by Islamic extremists. And therefore, now it seems like okay, nobody wants to be seen voting against a bill that supposedly would help protect children. Right? And so the way that these two bills are distinct is that the original version of the EARN IT Bill, like I said, seemed like a sneak attack on encryption because it would have allowed this weird, punting the ball down the field and ultimately landing with the Attorney General, who is – at least currently – Bill Barr is notoriously anti-encryption. Unelected commission headed by him would be allowed to set the rules for the internet. And what those rules could easily be would be, you cannot provide end to end encryption because it would impede the ability to discover CSAM material on your service. Now under the revised version, there is no law that, that commission still exists but it doesn’t have any teeth anymore. It can make these recommendations for best practices. But platforms will if this bill is passed, lose the immunity I mentioned under 234 CSAM on their services irrespective of whether they follow those best practices or not. But that opens them up to a patchwork of state laws regarding the same topic.

I mentioned that CSAM is already legislated at the federal level, it’s illegal at the federal level, it’s illegal everywhere in the world. It’s also illegal under various state laws. And so by opening up platforms to liability to civil lawsuits and state AG criminal charges under those state-level laws, this could also still provide a disincentive for platforms around providing end-to-end encryption or otherwise being unable to as efficiently or effectively look for CSAM as they are currently able to do. Many platforms already scan for that automatically. And there’s some concern about whether by having their hand forced, either to do this forcibly by the government, that could actually end up hampering investigations and prosecutions, or whether the reverse could be true where an amendment that’s been added into the revised version of EARN IT by Senator Leahy would end up incentivizing platforms to encrypt everything because Leahy has attempted to add an amendment in that would more expressly protect encryption, although I’m not convinced that it goes far enough in doing that.

LO: Yeah, that’s, that’s really interesting, for sure. And you mentioned public opinion. I just wanted to ask, what have you seen in terms of public opinion because, I think a lot of what we are looking at is kind of in the security and privacy industry bubble, I guess. But obviously, I’m sure there’s plenty of opinions out there when it comes to data privacy, when it’s the consumer’s own data in an iPhone or whatever. So what are you seeing there?

RP: It’s interesting, because you know, I think to some degree, I may be kind of in my own bubble, but I do have alerts that tell me, “Okay, where is the EARN IT act being discussed in, you know, in the media,” for example. And it seems like when you see op-ed pieces around at least that bill, it can kind of go either way. There are a lot of people who are sounding the alarm, saying this would not help child safety. And it would be really detrimental to free speech online to privacy, potentially, to encryption. And yet, there’s also still a pretty strong vein of the sentiment I mentioned, that basically says, big tech is kind of too big for its britches. They’re not doing enough about this problem, which is a narrative that I think has been crafted by the Department of Justice. Given that platforms report millions and millions of pieces of CSAM on their services every year. They’re clearly doing a lot.

But sort of taking that tactic and saying they need to be forced to step up and do more rather than abandoning their duties towards the most vulnerable people among our population. So it kind of can go either way. And I think that’s why we’ve seen within our community and within other communities that would be adversely affected by EARN IT, which really is everybody on the internet, but some more than others. There have been really concerted efforts to oppose this bill, partially because there seems to be a sense that it might be more likely to potentially get passed into law, in part because of the child safety issue, in part because it is currently politically popular to introduce attempts to curtail the immunity granted by section 230 to go after big tech through whatever tool you might happen to have at hand. Whereas with the other bill, the Lawful Access to Encrypted Data Act bill, that was only introduced by three Republican senators; EARN IT had 10 or 12 bipartisan co-sponsors and has already moved out of committee in the Senate. It doesn’t really look like the other bill, with only three backers from one party behind it, is going to be moving and that seems to be calculated. That bill was introduced just a few days before the amended version of the EARN IT act. And because of that, it is so extreme and so aggressive and so overtly an attack on security and privacy, a lot of people are saying, look, this has the same co-sponsor, Senator Graham from South Carolina – who’s up for reelection this fall – is a sponsor of both of those bills. Therefore, it seems like this is kind of putting out the real good cop, bad cop of saying, “Well, if you don’t like this, it could be far worse, here’s this other alternative, doesn’t this make it look really reasonable and moderate by comparison,” and that may be true, but they both suck. And so there’s not really any reason to pass either of them.
You don’t have to pick one or the other, the lesser of two evils is still evil.

LO: That’s certainly one approach by them. So that’s interesting. And I wanted to ask you too before we wrap up here, where do you see this whole encryption debate going in the future? In terms of, do you see it evolving at all? Do you see any sort of potential solution or do you think that it’s going to have to get worse before it gets better? What do you think?

RP: I think that we are very entrenched. You know, when I have discussions with people who are on the other side of this issue, it feels like we’re both just reading off of a script. I think it’s gonna be difficult to get any movement on either side. I think that companies that provide encrypted services are under a lot of pressure. But they also are under a lot of pressure on cybersecurity issues. We’ve started to see class actions and steep regulatory fines for poor data security in recent years in the United States. And so they’re being pulled in two directions. And they also have to consider the international aspect as well. There are other fights going on over this same topic over what online platforms should be liable for, around whether they should be allowed to encrypt or compelled to decrypt for governments in other countries around the world, such as India and Brazil. And because there’s this kind of international aspect, I think that helps to play into the debate here in the United States where our government can say, well, Australia passed this law or India is going to pass these rules. Why should we get to have the same here. So I think we’re in a point where there is a rising tide around the world of threats to encryption and threats to our online freedoms more generally. And all of those are going to kind of play into each other. And it’s going to become more and more difficult, both as a regulatory atmosphere and as normative matter for companies to continue holding the hardline and saying, we cannot afford to go backwards on cybersecurity in light of the kinds of data breaches, information attacks, ransomware, etc., that we face right now in the world.

LO: Right. And there is certainly so much going on, as you mentioned with other countries in terms of – I think you mentioned Australia had their own kind of regulation that they’re trying to roll out too – and then one last question, I want to ask what are what’s the next steps for kind of the Lawful Access to Encrypted Data Act? Where does that go from here? I know it was first introduced in June but kind of what’s the next steps there?

RP: That one, you know, is currently languishing in committee. I don’t think it has come up for any hearings yet. I’m not even aware of any hearings that have been scheduled on it so far. So it sort of remains to be seen whether that goes anywhere, or whether it just kind of quietly dies on the vine. Congress doesn’t have a lot of time left in the current legislative session before a lot of people – including Senator Graham, who co-sponsored both bills – have to go back to their districts to campaign for reelection. There’s a lot of big things that they need to get done before then such as “Oh, I don’t know, making sure that millions of people don’t end up kicked off of the unemployment rolls and kicked out of their houses after they can’t afford rent anymore.” So it’s not clear to me that that bill is necessarily going to go anywhere, but it would probably first need to go through the same process that EARN IT has already done in terms of coming up for hearings and being voted out of the committee that it was introduced in so we’ll see. But EARN IT right now is still the more pertinent and immediate threat. And you can go to noearnitact.org which is a project of another organization called Fight for the Future that’s been really doing a lot of work campaigning against this bill. If you want to sign a petition, if you want to learn more about the bill, that’s the best place to start to take action.

LO: Great. Well, Riana, thank you so much for coming on and talking to us today about the encryption debate and where that’s going.

RP: Thanks for having me.

Stefan Claas

Sep 3, 2020, 1:31:29 PM
Grim Reaper"(life) preciouse few are born with it, even fewer know what to do with it, NO FEAR!!!!" wrote:

> <https://threatpost.com/encryption-under-full-frontal-nuclear-assault-by-u-s-bills/157748/>

To be honest I am so tired of these reports and discussions.

Let them pass the bills and let's see what happens then.

Regards
Stefan


Siri Cruise

Sep 3, 2020, 2:16:15 PM
In article <20200903193...@300baud.de>,
We already know. Consumer frauds and impersonations are routine
because the federal government has been fighting civilian
encryption since 1948.

Imagine if encryption hardware was routine and fast enough that
all your storage was strongly encrypted and your device had slots
for keys to unlock various parts of your storage. Anyone stealing
your device without a key would have nothing more than a metallic
brick.

--
:-<> Siri Seal of Disavowal #000-001. Disavowed. Denied. Deleted. @
'I desire mercy, not sacrifice.' /|\
The first law of discordiamism: The more energy This post / \
to make order is nore energy made into entropy. insults Islam. Mohammed

Stefan Claas

Sep 3, 2020, 2:50:38 PM
Siri Cruise wrote:

> In article <20200903193...@300baud.de>,
> Stefan Claas <s...@300baud.de> wrote:
>
> > Grim Reaper"(life) preciouse few are born with it, even fewer know what to do
> > with it, NO FEAR!!!!" wrote:
> >
> > > <https://threatpost.com/encryption-under-full-frontal-nuclear-assault-by-u-s
> > > -bills/157748/>
> >
> > To be honest I am so tired of these reports and discussions.
> >
> > Let them pass the bills and let's see what happens then.
>
> We already know. Consumer frauds and impersonations are routine
> because the federal government has been fighting civillian
> encryption since 1948.

Why did they then change ITAR in the 90's, for example, which allows
U.S. companies and U.S. Open Source programmers to distribute strong
encryption globally, instead of domestically only?

Regards
Stefan



Sylvia Else

Sep 4, 2020, 12:08:58 AM
Those wanting to remain secure would use software that isn't subject to
US laws. Uncle Sam would be able to spy only on those who are either
stupid or don't care that much.

We'd then have to see what the Supreme Court thought of the proposition
that the use of strong encryption created probable cause for searches
and arrests.

People would start transmitting terabytes of genuinely random data to
provide the NSA with something to do.

Sylvia.

Dirk T. Verbeek

Sep 4, 2020, 4:48:36 AM
On 03-09-2020 at 20:50 Stefan Claas wrote:
<SNIP>
>
> Why did they then change ITAR in the 90's, for example, which allows
> U.S. companies and U.S. Open Source programmers to distribute strong
> encryption globally, instead of domestically only?

Because the US companies would lose out on business; alternatives were
and are available.
>
> Regards
> Stefan
>
>
>

Siri Cruise

Sep 4, 2020, 4:55:11 AM
In article <hrdsum...@mid.individual.net>,
Sylvia Else <syl...@email.invalid> wrote:

> Those wanting to remain secure would use software that isn't subject to

Encryption hardware would be cheaper and faster. It would
encourage routine encryption as well as routine training in
student of cryptographic protocols.

Stefan Claas

Sep 4, 2020, 6:03:46 AM
Exactly! Add on top of that the motto 'supremacy&leadership' and everybody,
old enough, should ask themselves why Bill Clinton and Al Gore 'invented' the
Internet. Before they 'invented' the Internet, the Internet was a friendly
place.

In this context people should also ask themselves why young people like
Mark Zuckerberg and others run so called 'social' media sites for free,
instead of charging registered users a monthly usage fee, like global online
services did decades ago.

Don't the NSA and friends do a good job in fighting terrorism and the FBI,
with rule 41, a good job in fighting child pornography? If not, then parents, for
example, should ask themselves why their minors need online 'social' media accounts
and a smartphone, instead of playing on the playground, doing something creative
and meeting with friends.

I guess China and Russia don't face these problems and will be quite happy
if these U.S. bills pass. Sleepy Europe may wake up and see its chance
in securing the commercial hard/software crypto market.

What I would be interested in, in case these bills pass, what would people
in the U.S. face in case they don't follow later laws and still use strong
encryption, under the hood of weak encryption, or via their protected U.S.
Postal Service. Or, will U.S. citizens face charges if they register their
accounts overseas, like in Switzerland etc. to use strong encryption with
these services.

Regards
Stefan



Siri Cruise

Sep 4, 2020, 7:31:18 AM
In article <20200904120...@300baud.de>,
Stefan Claas <s...@300baud.de> wrote:

> Exactly! Add on top of that the motto 'supremacy&leadership' and everybody,
> old enough, should ask themselves why Bill Clinton and Al Gore 'invented' the
> Internet. Before they 'invented' the Internet, the Internet was a friendly
> place.

And the parents of those everybodies know Gore never claimed to
have invented the internet. What Gore did do is get congress to
subsidise the internet between the time it was a tool for
programmers using 1200 bps async or 9600 bps sync into the Mbps
commercial necessity used by much of the world's population.

Back when in the good old pre-Gore days the friendly internet
generally forbade commercial (i.e. for profit) use. Encryption
wasn't that important because money wasn't being transferred. In
the friendly days people included US mail addresses until the
unabomber started killing people with no discerned pattern or
motive.

Gore's subsidies created an environment that developed the
internet as a self sustaining business. However encryption was
still under World War 2 era laws. While sophisticated hardware
and software could be sold within the US, it could not be sold
outside the US. Computer sellers either had to maintain two lines
of product, foreign and domestic, or deny domestic customer
encryption.

Encryption software ran afoul of the first amendment since
software is an expression not a device. NSA still does whatever
it can. Encryption hardware is a device and can and is
restricted. Again suppliers either maintain separate domestic and
foreign lines or deny encryption to domestic customers.

Note the 'enemies' of the US like USSR, PRC, France, Russia don't
need to import from the US. They have been using unbreakable
ciphers for decades. The real enemies of the NSA are americans.
If two americans have a conversation for which the NSA cannot get
a transcript, the NSA has failed. As a result americans have to
depend on techniques barely advanced since the last world war to
protect their privacy, money, bank accounts, and commercial
transactions. That trust is repeatedly violated with routine
disclosures. Since the NSA doesn't have to pay legal penalties
they see no problems and no need to, like, protect the people.

Check out how banks do money transfers. Their asses are on the
line, so they do more than trust the NSA.

Stefan Claas

Sep 4, 2020, 11:40:09 AM
Siri Cruise wrote:

> Note the 'enemies' of the US like USSR, PRC, France, Russia don't
> need to import from the US. They have been using unbreakable
> ciphers for decades. The real enemies of the NSA are americans.
> If two americans have a conversation for which the NSA cannot get
> a transcript, the NSA has failed. As a result americans have to
> depend on techniques barely advanced since the last world war to
> protect their privacy, money, bank accounts, and commercial
> transactions. That trust is repeatedly violated with routine
> disclosures. Since the NSA doesn't have to pay legal penalties
> they see no problems and no need to, like, protect the people.

I would see it this way, regarding NSA's real enemies: General
Alexander once said that they don't look for the needle in the
haystack, they take the whole haystack. Assuming the haystack
includes the whole U.S. Internet and telephone traffic, they do
this, I strongly assume, to filter later out the bad guys trying
to do harm to the United States and its citizens.

If this were not the case, what guarantees have U.S. citizens
that other parties, from overseas, are not capable of doing the
same to U.S. citizens?

Regards
Stefan



Siri Cruise

Sep 4, 2020, 4:19:11 PM
In article <20200904173...@300baud.de>,
GCHQ is the UK equivalent of NSA. NSA is not supposed to spy on
americans, and GCHQ is not supposed to spy on british. So NSA
spies on the british, GCHQ on americans, and they share with each
other.

That's when NSA doesn't just break the law and spy on americans
because they can get away with it.

The best way to protect americans is to tell NSA to piss off and
encourage strong encryption hardware for domestic and export
markets, encourage operating systems to provide simple
interfaces, and teach programmers how to use it routinely. It's a
question of whether the government should protect the people or
protect its ability to spy on the people.

Stefan Claas

Sep 5, 2020, 9:11:41 AM
Siri Cruise wrote:

> The best way to protect americans is to tell NSA to piss off and
> encourage strong encryption hardware for domestic and export
> markets, encourage operating systems to provide simple
> interfaces, and teach programmers how to use it routinely. It's a
> question of whether the government should protect the people or
> protect its ability to spy on the people.

Isn't it interesting that engineers could in the 60's send men safely
to the moon, with a little bit of computer technology and nowadays IT
giants are not able to design and manufacture (NIST, BSI) certified
secure IoT devices, whether desktop or mobile to protect users,
regardless if crypto is used or not?

Maybe visionaries like Elon Musk could give us such devices, in case
he would be interested in this huge market segment ...

Regards
Stefan


Betty Hollinshead

Sep 8, 2020, 10:36:34 AM
Why is there all this debate about the threat which backdoors create for users of services with end-to-end encryption?

Surely users who want secure messaging can use A PRIVATE CIPHER BEFORE messages enter the channel? The snoops then get a real problem when they use the backdoor... a problem which looks like this.

1cAc0ely0j800LxO1NL50mG60OlL0bnI0LVX05Xx
0SFi01jN11fc0wdX0wC50z=G11Ms0rEr0ALd0eej
0y7W1m6n1fmt0zwf1NwQ0Ivp17LL0h8C1INY1Egl
1Gly0zsE08GH1YYy07FT1hF60G7R0BQT0RRw0bOI
1QFj15xy1Jdr0XLz16tG0zwu0ptv0OSy1JeR0Akr
00ts1IBV0Ry70RQ71M191dAn098M1UXS1i$71gUp
0DAH18MP0YtP1O7b1XpU0DYm0j$X0gQa1l4e0BVl
0ow61BYL1ilv1W5e0xqc0Uq701CG0NvJ15FF0oKL
0h$y1J$O05y31Vyd1jqo0nzx0V1=0m9B052D0qvY
1Ht71Cb60dtl0lf70Fjt0kAz12131kbr1X8V0WLn
1L2l0P3E0B5F0WZP1P0K1f8l0ZEU1lWe0fyd13K7
1RV11F7T1DyV1Ycx0Avx0fYg0LnY0gg00Ell1icK
0nCk0rix0XQL0x471H0a1HXD1mjg0oSn1eOi0hrx
0F3R0Gq80d8T00q300h70eX$1DGm0gFF1RX30UjA
1QM003Mj1ewW01SV1kWK0F0J0d9z1ZFW0xFx1a9G
1hlb0MTb1Gk=0xtG0FAt0Whr0bN90R$$0tiE1AvF
04=60fd30WZb1AvO0HQR1S5c

And if the common opinion is that private ciphers are "poor" and "insecure", then someone here will EASILY be able to tell us what this message says.

Max

Sep 8, 2020, 11:24:57 AM
No use in robbing the poor and insecure. I'm sure your banker, lawyer,
customers, friends and grandma will be more than pleased to engage in
your nifty scheme.

Tell them, I said "hi!".

Cheers,

Max


P.S. this looks like scalar cryptography to me, so I guess there is a
guy around who can take care of this EASILY.

FromTheRafters

Sep 8, 2020, 3:58:54 PM
Betty Hollinshead explained on 9/8/2020 :
Not really, because a 'secret algorithm' might be an OTP which is
perfectly secure yet 'poor' in implementation of the key management.

I don't think that your conclusion follows from the facts.

Scott Dorsey

Sep 13, 2020, 8:43:58 AM
Stefan Claas <s...@300baud.de> wrote:
>
>Why did they change ITAR then in the 90's, for example, which allows
>U.S. companies and U.S. Open Source programmers to distribute strong
>encryption globally, instead domestically only?

Why did they change it? Mostly because Americans spent a lot of time
protesting against it. People getting RCS tattoos, people selling
T-shirts with encryption algorithms on them, all making the US government
look like a laughingstock for trying to make mathematics into a secret.

The folks who were made to look like a laughingstock in the nineties are
still around and they are still fighting back. And they still have the
ludicrous idea that the good guys can have encryption without the bad guys
having it. Math isn't that way.

The idea is like a bad penny, it keeps coming back.
--scott

--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Stefan Claas

Sep 15, 2020, 3:34:34 PM
Betty Hollinshead wrote:

> On Saturday, 5 September 2020 at 14:11:41 UTC+1, Stefan Claas wrote:
> > Siri Cruise wrote:
> >
> > > The best way to protect Americans is to tell NSA to piss off and
> > > encourage strong encryption hardware for domestic and export
> > > markets, encourage operating systems to provide simple
> > > interfaces, and teach programmers how to use it routinely. It's a
> > > question of whether the government should protect the people or
> > > protect its ability to spy on the people.
> > Isn't it interesting that engineers could in the 60's send men safely
> > to the moon with a little bit of computer technology and nowadays IT
> > giants are not able to design and manufacture (NIST, BSI) certified
> > secure IoT devices, whether desktop or mobile to protect users,
> > regardless if crypto is used or not?
> >
> > Maybe visionaries like Elon Musk could give us such devices, in case
> > he would be interested in this huge market segment ...
> >
> > Regards
> > Stefan
> Why is there all this debate about the threat which backdoors create for users of services with end-to-end encryption?
>
> Surely users who want secure messaging can use A PRIVATE CIPHER BEFORE messages enter the channel? The snoops then get a
> real problem when they use the backdoor.....a problem which looks like this.

Apologies for my late reply! Snoops will have no problem if your,
or someone else's, device is already compromised and you are not
aware of it. Think of Government trojans like Finfisher/FinSpy
for the Desktop or for example Pegasus, from NSO Group, for mobile
devices.

So in order that your encryption scheme will work for you and
your friends you will most likely need a second offline device
to transfer securely the encrypted data to your (compromised?)
online device.

Problem with that is that currently nobody is talking about this
when you read security / crypto etc. FAQs or articles.

To sum it up privacy/security/anonymity costs money.

Regards
Stefan



Max

Sep 16, 2020, 1:24:31 PM
On 15.09.20 21:33, Stefan Claas wrote:
[...]
> you will most likely need a second offline device
> to transfer securely the encrypted data to your (compromised?)
> online device.
>
[...]
>
> Regards
> Stefan
>
>
>

I was looking into this some years ago. The problem (one major problem
at least) was that I wasn't able to find an air-gapped / air-gappable
smartphone to use as the offline device.

Do you know of any such device? Maybe a tutorial how to *really* air-gap
a consumer grade smartphone? My experience has been that just removing
the antenna isn't enough, as the on-board elements will still be able to
establish connections (just with less signal strength).

Cheers,

Max

Stefan Claas

Sep 16, 2020, 1:42:28 PM
Good question! I must admit that I purchased a smartphone just a couple of
months ago and was starting to think about using one with a second offline smartphone,
due to the form factor compared to a notebook.

A faraday bag would help when carrying them, but what to do when using them ...

I also looked for a portable Raspberry Pi solution but found only an old DIY
tutorial, and I am too old for that, to build one myself.

I think this is really a topic, for the sci.crypt community, to further explore.

Regards
Stefan

Rich

Sep 16, 2020, 2:40:15 PM
Max <maxt...@gmx.net> wrote:
> On 15.09.20 21:33, Stefan Claas wrote:
> [...]
>> you will most likely need a second offline device
>> to transfer securely the encrypted data to your (compromised?)
>> online device.
>>
> [...]
>
> I was looking into this some years ago. The problem (one major
> problem at least) was that I wasn't able to find an air-gapped /
> air-gappable smartphone to use as the offline device.
>
> Do you know of any such device? Maybe a tutorial how to *really*
> air-gap a consumer grade smartphone?

Maybe use only inside a faraday cage? Granted, that does make for a
lot of trouble and effort.

> My experience has been that just removing the antenna isn't enough,
> as the on-board elements will still be able to establish connections
> (just with less signal strength).

You are correct there. Any driven wire will radiate EM. So even a
small PCB trace from the chip to the antenna will, itself, act as an
antenna. It will be massively less efficient than the original
antenna, but it will still be a weak EM radiator and receiver.

For somewhat older phones that might have had the radios on a separate
chip from the CPU it might be possible to remove the radio chip and
leave the CPU behind. The standard OS would likely not work in that
configuration but if one could install a custom OS it might work. But
there are just too many unknowns there, and this would be a task only
for the quite skilled (in more areas than one) so this is also not
likely a useful solution either.

Rich

Sep 16, 2020, 2:47:27 PM
Do keep in mind that any electronic device, even if not meant to do so,
radiates EM signals as part of its operation. There was talk long ago,
and I recall there was finally a published paper of someone
successfully doing so, of wirelessly reproducing the picture from a CRT
monitor by detecting the radiated EM signals from the beam sweep coils
and electron gun drive electronics. Alas, I do not have any ready
reference to said paper.

So even if a "no radio" device existed, you'd still want some form of
faraday bag/cage if you were maximally paranoid about not possibly ever
being monitored by anyone while using it. In reality, if you were that
worried, you'd probably want something akin to a home SCIF
(https://en.wikipedia.org/wiki/Sensitive_Compartmented_Information_Facility).

Stefan Claas

Sep 16, 2020, 3:02:10 PM
Thanks for your reply, much appreciated. While just googling for the topic,
I found a link from researchers, while wearing my tinfoil hat.

<https://cyber.bgu.ac.il/advanced-cyber/airgap>

So if I understand it correctly, I leave my smartphone in the same room, as
my offline Notebook and if a Pegasus Operator compromises my smartphone he
then installs additional malware which then listens to my offline Notebook
and then the smartphone transfers back the obtained data to him.

I hope that this attack won't work with my dumb phone.

Regards
Stefan


Rich

Sep 16, 2020, 3:45:59 PM
Unless by "dumb phone" you mean an old analog transformer coil rotary
or pushbutton western electric style POTS telephone, then do keep in
mind that a "dumb phone" is also a computer inside, it just does not
expose any amount of general purpose computing ability to its user.
But if someone were able to hijack it, subject to the constraints of its
system (generally weaker CPU and lower RAM) it could be programmed to
perform the same 'listening' activities.

Stefan Claas

Sep 16, 2020, 4:12:47 PM
Mmmhh, well, but would you agree that chances are slim that this could be
done to 'dumb phones' on the market, while targeting Android, iOS etc.
users would be more practical, as understood?

I mean how would one attack such a 'dumb phone' when AFAIK it never updates
to newer versions of the OS, or would not allow remote software component
updates? Or do 'dumb phones' never show this, in case they are doing this?

I ask this because I recently did a little test with my 'dumb phone': I connected
it with a USB cable to my computer, put from my computer an encrypted PGP message,
encoded with JAB-code, on it and sent it as MMS.

I currently see this as a way to send with an offline Notebook encrypted messages
as MMS. This way one could theoretically send MMS to friends or co-workers and the
encrypting/decrypting plus JAB encoding/ decoding workflow is pretty easy and fast.

Regards
Stefan



Rich

Sep 16, 2020, 4:50:07 PM
Stefan Claas <s...@300baud.de> wrote:
> Rich wrote:
>
>> Stefan Claas <s...@300baud.de> wrote:
>
>> > <https://cyber.bgu.ac.il/advanced-cyber/airgap>
>> >
>> > So if I understand it correctly, I leave my smartphone in the same
>> > room, as my offline Notebook and if a Pegasus Operator compromises
>> > my smartphone he then installs additional malware which then
>> > listens to my offline Notebook and then the smartphone transfers
>> > back the obtained data to him.
>> >
>> > I hope that this attack won't work with my dumb phone.
>>
>> Unless by "dumb phone" you mean an old analog transformer coil
>> rotary or pushbutton western electric style POTS telephone, then do
>> keep in mind that a "dumb phone" is also a computer inside, it just
>> does not expose any amount of general purpose computing ability to
>> its user. But if someone were able to hijack it, subject to the
>> constraints of its system (generally weaker CPU and lower RAM) it
>> could be programmed to perform the same 'listening' activities.
>
> Mmmhh, well, but would you agree that chances are slim that this
> could be done to 'dumb phones' on the market, while targeting
> Android, iOS etc. users would be more practical, as understood?

Slim does not mean zero in any case. Yes, those interested in crime
will target the majority market, because there are more opportunities
that way. But were you to become the target of an "investigation" then
simply having a dumb phone might not be enough to prevent hacking.

> I mean how would one attack such a 'dumb phone' when AFAIK it never
> updates for newer versions of the OS, or would not allow remote
> software component updates?

Use an exploit to achieve remote code execution, then upload the code
to perform the exploit via the remote code execution exploit.

> Or do 'dumb phones' never show this, in case they are doing this?

Some may update without informing the user anything has occurred.
Note, I know of no examples, but such is technically possible.

> I ask this, because I did recently a little test with my 'dumb
> phone', connected it with a USB cable to my computer and put from my
> computer an encrypted PGP message, encoded with JAB-code, on it and
> send it as MMS.
>
> I currently see this as a way to send with an offline Notebook
> encrypted messages as MMS. This way one could theoretically send MMS
> to friends or co-workers and the encrypting/decrypting plus JAB
> encoding/ decoding workflow is pretty easy and fast.

Provided your computer was not exploited (and note, it likely has a
much larger attack surface, so from a risk perspective it is at higher
risk of being exploited) then this is probably safe from the MMS side
of the picture (maybe).

Also, provided the phone was not exploited to contain a USB takeover
hack to apply to your computer when you attached them, the phone would
only ever see the PGP message after encryption, and so the security of
the message in transit would be identical to any other PGP message in
transit, and depend only upon the PGP encryption used.

But say you were targeted by the NSA or MI6 or some other black-ops
agency. If they see you transmitting PGP MMS messages from your dumb
phone, they will surmise you are likely creating them on a computer.
So they might try to exploit the phone to insert an exploit within it
to use against the computer the next time you connect the phone to the
computer. Assuming this PC was your "air-gapped" PC, then they have
just exploited your air-gapped PC via a channel you mistakenly left
open to them.

This is the part about security that is hard. There are *many* ways
for the security to possibly fail. Whatever you are doing has to
withstand *all* of them. But from the NSA/MI6 perspective, they just
have to find one way in and they have succeeded.

Stefan Claas

Sep 16, 2020, 5:09:45 PM
Thank you very much for your detailed reply, much appreciated!

I do all this encryption stuff as a hobby and for exploring new ways
to use encryption in 2020, because I see Internet usage nowadays with
online devices and the used encryption software on them as a problem,
if no new ways are found and discussed, while many people still believe
that following old (PGP) tutorials from the Internet are secure enough.

I also started such a discussion a while ago on the GnuPG ML and to my
surprise old PGP users still recommend to use PGP encryption on online
devices, which I find in 2020 a bit problematic, with all advancements
related to the field of Internet security/privacy and best practice.

Regards
Stefan



Chris M. Thomasson

Sep 16, 2020, 6:03:10 PM
Encrypt on a clean device inside of a fractal cloak, or a clean room.
Store the encrypted data on a clean card. Destroy the device. Now the
card has the encrypted data.

https://users.math.yale.edu/public_html/People/frame/Fractals/Panorama/ManuFractals/InvisibilityCloak/InvisibilityCloak.html

Pepe LePew

Nov 25, 2021, 11:55:40 AM
On 9/3/20 11:08 PM, Sylvia Else wrote:

> People would start transmitting terabytes of genuinely random data to
> provide the NSA with something to do.

Um, funny that you mention it. I already do exactly this. I have set up
scripts to send fake data that looks like encrypted goodies. I've been
doing it for years.

It is easy to set up several tor hidden services and have them talk to
each other with randomly-timed, random gibberish while I do my browsing
from one of them through a double Tor tunnel.

Sending PGP-encrypted, fake messages to government email addresses
through anonymous remailers is another tactic. Put 'leaked' or
'classified' or 'top secret' or 'whistleblower report' in the subject or
in the clear with the message and you're good to go. Encrypt them to a
temporary public key then scrub the keys.

I presume (and I hope) that I have wasted a lot of the spooks' time over
the years.

Ain't I a stinker?

--

Pepe LePew

Richard Heathfield

Nov 25, 2021, 12:41:39 PM
On 25/11/2021 16:55, Pepe LePew wrote:
> On 9/3/20 11:08 PM, Sylvia Else wrote:
>
>> People would start transmitting terabytes of genuinely random data to
>> provide the NSA with something to do.
>
> Um, funny that you mention it. I already do exactly this. I have set up
> scripts to send fake data that looks like encrypted goodies. I've been
> doing it for years.

If it's distinguishable from random, it doesn't look like encrypted
goodies. And if it isn't, it doesn't look like anything.

>
> It is easy to set up several tor hidden services and have them talk to
> each other with randomly-timed, random gibberish

Randomly re-opening an 18-month-old thread is easy too. That doesn't
mean it's bright.

<snip>

> I presume (and I hope) that I have wasted a lot of the spooks' time over
> the years.

They're not interested. If they want to know your secrets, they have
more cost-effective (and painful) techniques to find them out than
trying to decrypt your gibberish.

--
Richard Heathfield
Email: rjh at cpax dot org dot uk
"Usenet is a strange place" - dmr 29 July 1999
Sig line 4 vacant - apply within
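The distinguishability point in the reply above (ciphertext that is not uniformly distributed is recognisable as something other than random, and truly uniform data carries no tell at all) can be checked with the byte-level statistics that encrypted-traffic detectors commonly use. The block below is an added example, not code from the thread or from any of the posters; the sample inputs are constructed inline (a seeded pseudo-random stream standing in for well-encrypted data, plain ASCII text, a Base64-armoured copy of the random stream, and a two-byte repeating pattern), and the 330 chi-square cut-off is an assumed threshold chosen from the 255-degree-of-freedom distribution rather than a figure from the page.

```python
import base64
import math
import random


def byte_histogram(data: bytes) -> list[int]:
    """Count how often each of the 256 byte values occurs."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. 8.0 is the ceiling and is reached
    only when every byte value is equally likely."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data) if c)


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the histogram against a flat distribution.
    For genuinely uniform bytes it follows a chi-square law with 255 degrees
    of freedom (mean 255, standard deviation about 22.6)."""
    n = len(data)
    expected = n / 256
    return sum((c - expected) ** 2 / expected for c in byte_histogram(data))


def looks_like_random(data: bytes, chi_threshold: float = 330.0) -> bool:
    """True when the byte distribution is statistically consistent with uniform.
    330 is an assumed cut-off roughly 3.3 standard deviations above the mean,
    so a real uniform sample exceeds it well under 0.1% of the time."""
    return chi_square_uniform(data) < chi_threshold


def classify(data: bytes) -> str:
    """Coarse verdict a defender might attach to an observed blob."""
    if looks_like_random(data):
        return "indistinguishable from random (encrypted or truly random)"
    if byte_entropy(data) > 5.5:
        return "high entropy but non-uniform (encoded or armoured data)"
    return "structured (plaintext or patterned filler)"


# Constructed samples, all 64 KiB so the chi-square expectation is 256 per bin.
N = 65536
_rng = random.Random(20200903)  # seeded so the demonstration is repeatable
RANDOM_BYTES = bytes(_rng.randrange(256) for _ in range(N))
PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * (N // 45 + 1))[:N]
ENCODED = base64.b64encode(RANDOM_BYTES)[:N]  # random bytes after Base64 armouring
PATTERNED = b"\x00\xff" * (N // 2)  # "gibberish" with an obvious structure


def report() -> dict[str, tuple[float, float, str]]:
    """Entropy, chi-square and verdict for each constructed sample."""
    samples = {
        "random bytes": RANDOM_BYTES,
        "ascii text": PLAINTEXT,
        "base64 of random": ENCODED,
        "00ff pattern": PATTERNED,
    }
    return {
        name: (byte_entropy(d), chi_square_uniform(d), classify(d))
        for name, d in samples.items()
    }


if __name__ == "__main__":
    for name, (h, chi, verdict) in report().items():
        print(f"{name:18s} entropy={h:5.2f} bits/byte chi2={chi:12.1f}  {verdict}")
```

The Base64 row is the instructive one: its payload is the same random stream as the first row, yet the armouring caps the entropy at 6 bits per byte and leaves 192 byte values empty, so the chi-square statistic explodes and the blob is trivially recognisable as encoded data rather than as noise.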

Pepe LePew

Nov 25, 2021, 1:46:05 PM
On 11/25/21 11:41 AM, Richard Heathfield wrote:
> On 25/11/2021 16:55, Pepe LePew wrote:
>> On 9/3/20 11:08 PM, Sylvia Else wrote:
>>
>>> People would start transmitting terabytes of genuinely random data to
>>> provide the NSA with something to do.
>>
>> Um, funny that you mention it. I already do exactly this. I have set up
>> scripts to send fake data that looks like encrypted goodies. I've been
>> doing it for years.
>
> If it's distinguishable from random, it doesn't look like encrypted
> goodies. And if it isn't, it doesn't look like anything.
>
>>
>> It is easy to set up several tor hidden services and have them talk to
>> each other with randomly-timed, random gibberish
>
> Randomly re-opening an 18-month-old thread is easy too. That doesn't
> mean it's bright.

Does it then mean commenting about the obvious is bright? Do you
tend to nitpick as a means of trying to elevate yourself above other people?

Do you spend your time isolating and attacking the village idiot so you
can look clever? Do you fill this group up with critique of the usual
crank's drivel while you are not innovating anything?

Do your comments here add anything of value to the art of
cryptology? Or do your comments distract from fruitful labor in that regard?

Is the purpose of your posts here to elevate yourself over others who
are already in the gutter? If one can't be king of Rome can he at least
be king of the royal outhouse?

> <snip>
>
>> I presume (and I hope) that I have wasted a lot of the spooks' time over
>> the years.
>
> They're not interested. If they want to know your secrets, they have
> more cost-effective (and painful) techniques to find them out than
> trying to decrypt your gibberish.

"They're not interested?" Since when did you become an apologist and
propagandist for the empire? Are you a moldy Angloid Canzcuck? Serious
question. Are you?

Everyone in here with two brain cells to rub together knows that the
intelligence services don't just look for the needle in the haystack.
They take the whole haystack. If they're not interested in everyone's
communication then why are they taking the whole haystack?

If "they're not interested" in people's encrypted gibberish then what of
PRISM, XKeyScore, Echelon, Shadownet, Operation Glowing Symphony, and
billion-dollar IIA protocols? Do you believe everyone in this group is
that ignorant? Or are you that ignorant? Big reveal, people. Choose one.

--

Pepe LePew

Richard Heathfield

Nov 25, 2021, 2:46:28 PM
On 25/11/2021 18:46, Pepe LePew wrote:

<snip>

>
> Do your comments here add anything of value to the art of
> cryptology?

37 09 0B 53 1C 4F 01 57 1B 45 0C 16 16 53 00 17
04 01 4B 00

Roger Blake

Jan 8, 2022, 3:49:23 PM
On 2020-09-05, Stefan Claas <s...@300baud.de> wrote:
> Maybe visionaries like Elon Musk could give us such devices, in case
> he would be interested in this huge market segment ...

Elon Musk is more of a carnival huckster and confidence trickster
than he is a "visionary". I certainly have no interest in going
where his "vision" would take me.

--
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com
Don't talk to cops! -- https://DontTalkToCops.com
------------------------------------------------------------------------------

Stefan Claas

Jan 8, 2022, 5:06:32 PM
On Saturday, January 8, 2022 at 9:49:23 PM UTC+1, Roger Blake wrote:
> On 2020-09-05, Stefan Claas <s...@300baud.de> wrote:
> > Maybe visionaries like Elon Musk could give us such devices, in case
> > he would be interested in this huge market segment ...
> Elon Musk is more of a carnival huckster and confidence trickster
> than he is a "visionary". I certainly have no interest in going
> where his "vision" would take me.

I would like to know your opinion about his Starlink, i.e. do you think
it can give us more privacy, compared to using a classic ISP?

Regards
Stefan

Chris M. Thomasson

Jan 8, 2022, 5:24:44 PM
On 9/4/2020 4:31 AM, Siri Cruise wrote:
> In article <20200904120...@300baud.de>,
> Stefan Claas <s...@300baud.de> wrote:
>
>> Exactly! Add on top of that the motto 'supremacy&leadership' and everybody,
>> old enough, should ask themselves why Bill Clinton and Al Gore 'invented' the
>> Internet. Before they 'invented' the Internet, the Internet was a friendly
>> place.
>
> And the parents of those everybodies know Gore never claimed to
> have invented the internet. What Gore did do is get congress to
> subsidise the internet between the time it was a tool for
> programmers using 1200 bps async or 9600 bps sync into the Mbps
> commercial necessity used by much of the world's population.
>
> Back when in the good old pre-Gore days the friendly internet
> generally forbade commercial (ie for profit) use. Encryption
> wasn't that important because money wasn't being transferred. In
> the friendly days people included US mail addresses until the
> unabomber started killing people with no discerned pattern or
> motive.
[...]

What about using encryption to protect trade secrets... If I need to
communicate with a colleague across the internet, and the content of the
communication involved sensitive company secrets... Why not encrypt the
shit out of it?

Siri Cruise

Jan 25, 2022, 3:10:41 PM
In article <20200904173...@300baud.de>,
Stefan Claas <s...@300baud.de> wrote:

> If this were not the case, what guarantees have U.S. citizens
> that other parties, from overseas, are not capable of doing the
> same to U.S. citizens?

NSA spies on the UK and shares with UK. GHQ spies on the US and
shares with the US.

--
:-<> Siri Seal of Disavowal #000-001. Disavowed. Denied. Deleted. @
'I desire mercy, not sacrifice.' /|\
Discordia: not just a religion but also a parody. This post / \
I am an Andrea Doria sockpuppet. insults Islam. Mohammed

Sn!pe

Jan 25, 2022, 3:32:51 PM
Siri Cruise <chine...@yahoo.com> wrote:

> In article <20200904173...@300baud.de>,
> Stefan Claas <s...@300baud.de> wrote:
>
> > If this were not the case, what guarantees have U.S. citizens
> > that other parties, from overseas, are not capable of doing the
> > same to U.S. citizens?
>
> NSA spies on the UK and shares with UK. GHQ spies on the US and
> shares with the US.
>

s/GHQ/GCHQ

Hi, BTW.

--
^Ï^ <https://youtu.be/_kqytf31a8E>

My pet rock Gordon just is.