Monday, September 27, 2010

New wiretap Bill

Source: http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=2

It appears the Obama administration is attempting to expand (or simply renew, depending on who's view you read) the government's ability to listen in on communications. It seems the law enforcement agencies are getting feeling left-out in the age of TCP/IP based communications. While their power currently gives them the authority to monitor internet traffic, the new age of readily available and virtually uncrackable encryption protocols has the security agencies in a tizzy.

If I follow their argument correctly, they would require communications companies (which is only loosely defined at the moment) to have backdoors into the encryption algorithms that they use to protect customer data. This would give law enforcement a way to quickly eavesdrop on communications being sent by a party. Allegedly they would still need a warrant and everything to carry out these wiretaps.

As an initiate in the field of computer security I have a few REALLY big problems with this plan.

First, obviously, a potential invasion of personal privacy. Supporters may say "but they already have the ability to wiretap which seems pretty legit" and it does to a point. But the fact of the matter is wiretapping a person's phone takes a little more than decrypting messages; it requires hardware to be installed, bugs to be placed, personnel to be positioned, etc. These extra measures makes it prohibitively expensive to perform a phone wiretap on anyone except those you have reasonable suspicion against. Having a back door to an encryption algorithm would, in theory, allow one guy with a warrant and a laptop to go to a ISP network hub and listen to any transmission over that line. Would they, maybe-maybe not, but it would potentially give them the ability, with appropriate legislation, to screen all private, encrypted transmissions for keywords or suspicious activity.

Secondly, possibly more importantly, this measure could open a massive security hole in traditionally secure transmissions. If the companies and the government have a backdoor to the encryption then (especially if it is well known that there is a backdoor) you'll have every kiddie, hacker and bored college student from here to china trying to get in. Will they be able too? That depends on the amount of work the company puts into designing this back door. The algorithms and keys would need to be constantly updated or someone will figure out the way in and could potentially access millions of confidential transmissions. All those engineers working on this would cost the company time and money which will lead to a higher cost and or a lower quality service to the consumer.

Three, this would be a logistical nightmare to implement. The cost of designing and testing new algorithms with the backdoor would be enormous. It took nearly two years for the DES algorithm to be designed and tested, and that turned out to not be totally secure (reasonably secure, but not totally).

Four, this bill passing would likely spur a wave of third-party anonymous freeware algorithms; most of which would probably be weak from a security stand-point, but would gain the security through obscurity bonus on a scale the likes of which we've never seen.

Five, This wouldn't stop client-side encryption with secure protocols, only ISP side encryption; so any terrorist with half a brain would put all of his communications through AES and the government would be SOL.

There's probably more reasons but that's what I can think of for now.

Wednesday, September 22, 2010

So here we go

Guess I should make an actual post. Not that anyone will ever read it, but whatever. So in true blog style I guess I'll just start talking about shit that no-one cares about. I'll probably want to spend at least half of the post rambling on about a subject in an incoherent and redundant manner. Ummmmm... lets seeee.... musings from a intro level philosophy. Religious people are funny, any argument that proposes anything 'about' god is false is immediately discredited. Plato's arguments against Divine Command Theory are generally considered to be sound, but nowhere do they ever try to discredit or disprove the existence of god; the argument only states that a certain school of thought on the nature of god is wrong. So either there are 13 idiots in the class that actually believe, despite repeated critical reasoning, that moral rightness or wrongness is dependent entirely on the will god, or there are 13 idiots in the class that refuse to accept logical arguments; making their whole experience in a field dedicated to logic and reasoning pointless. Well I think that's enough for now, maybe one day I'll actually make this blog about something, but probably not seeing as I'm just talking into a void anyway.