[Dailydave] The Crypto Summit and "Just say no"

Dave Aitel dave at immunityinc.com
Tue Jul 21 08:32:26 EDT 2015


(this is long and dry, sorry in advance, but I felt it was important stuff).

So last week in DC I attended the Crypto Summit
<https://www.accessnow.org/page/content/crypto-summit/>, put together by
"Access". It was a series of panels, one of which was an entertaining
bloodbath. Watch that one here: https://youtu.be/SZSr9Ao8zBY . This one
as well had some funny moments: https://youtu.be/A0OotbJoGSg
in which Matt Blaze said things like
"Every day is 0day." and "I am in the most incompetent field (security)
of the most incompetent field (computer science) of all of engineering".
His point being "We have a near-impossible job, and you are making it a
lot harder by even asking for key escrow, and the effect of that is not
something you actually want, because the results of us failing are
catastrophic for society and the rule of law".

Nate's (EFF) argument as well was quite interesting. Over and over the
Justice Dept lawyers drilled home the idea that they should have access
to any data at rest where they have a warrant. Nate and others' response
was that the 4th amendment is not a limit on freedom, but a limit on the
intrusion of privacy BY the government. In other words, the ability to
get a warrant does not force everyone to pre-place surveillance
equipment in their house. Nate also knows the history of physical safes
weirdly well, and apparently there was a brief time where people were
creating tumbler safes that were essentially uncrackable unless you knew
the combination, and no laws were suddenly created to outlaw them. This
is only relevant because the government is asking for that capability
digitally, and in a massively more intrusive area.

The other major argument from this side is of course, "show us real
numbers and studies on how this is affecting law enforcement, rather
than trying to scare us with random stories of pretend kidnappings".
Marc Rotenberg pointed out that wiretaps are almost never used for
kidnapping, and in general that whole area is used for
counter-narcotics, which, if you've seen The Wire, is not news. It does
not help the DoJ that the only official reports on the subject have a
grand total of 4 times encryption has been uncrackable during an
investigation last year.

From comments by other people in the audience, who had been to similar
meetings in Silicon Valley and elsewhere in DC and NYC, this was in fact
the most Key-Escrow-Positive summit they'd been to. That's a telling
statement, because the people from the Justice Dept were relentlessly
hounded by the other people on the panels and an audience one step away
from throwing rotten fruit. Telling also is who the sponsors are: the
Business Software Alliance (known for their anti-'piracy' efforts),
Microsoft, LinkedIn (!?!), and Google.

The BSA is a pretty decently powerful lobbying group. Their take on the
matter is at 24 minutes into this: https://youtu.be/_rD987SXoJI. It is
worth listening to, to say the least. He's the first one to talk about
the Wassenaar "intrusion tools" regulations, and he is not into the idea
at all. By which I mean to say, the BSA is fighting any increase in
regulatory burden tooth and nail, and that's no small thing.

Having read the Coalition and EFF's responses to the Wassenaar
regulatory comment period along with all of the hackers who posted
theirs yesterday, I can say that having lawyers comb over and write
seventy pages in depth on the details of every word of a regulation is a
powerful thing. And the alliance against key escrow and the Wassenaar
regulations is broad indeed. Reread this article
<http://hackingdistributed.com/2013/08/01/framework-for-surveillance/>
from Emin Sirer to see why it matters, where he discusses the elements
that go into public policy in this area, as split between government,
business, and the populace.

At one point during the Crypto Summit Carrie Cordero from the Justice
Dept finally spoke to the elephant in the room. The whole time the DoJ
side had been pitching "You better come to the table and negotiate
because otherwise we'll force the issue with legislation". But after a
frustrating hour of getting nowhere, with the business and EFF side
giving no ground whatsoever she exclaimed, "This White House won't
propose legislation on this issue because they're in Silicon Valley's
pocket, and until a new Administration comes in that will, we're going
to get nowhere on this issue."

I don't think a Hillary Administration is going to be any more Pro-DoJ
on this issue. And knowing that, the DoJ and NSA are making a massive
mistake by even ASKING FOR KEY ESCROW AT ALL. It is stupid
counter-insurgency policy to piss the whole technical community off for
an issue you are going to lose anyways. And the business community is
extremely angry about these issues. It is hard to overstate how abused
they feel about the fifty years of rope they've had around their neck on
the cryptographic export issue, which has been used to blackmail and
control them again and again.

People look at the Wassenaar stuff and always say "Well, SOME regulation
is going to happen in this area, so we might as well design one for the
government that hurts us the least!". But additional regulation is not a
given. Export control is a terrible place to PUT regulation over
software and ideas, and there is a vast and powerful alliance against
any additional regulatory burden in this space that is going to force
the government to "Just say no". And it's one that you can and should be
adding your voice to, because this is going to be an ongoing struggle.
