How the Government Is Waging Crypto War 2.0

Discussion in 'privacy general' started by lotuseclat79, Aug 10, 2016.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    How the Government Is Waging Crypto War 2.0

    -- Tom
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    French Government Wants A 'Global Initiative' To Undermine Encryption And Put Everyone At Risk
    https://www.techdirt.com/articles/2...-undermine-encryption-put-everyone-risk.shtml
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Apple encryption war continues: NY DA requests 400 iPhones be unlocked
    http://www.techrepublic.com/article...inues-ny-da-requests-400-iphones-be-unlocked/
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Long term it seems to me that use of unbreakable encryption needs to be purposely handed over to the end user. Explaining: On my laptop (made by a major manufacturer) I can and do employ open source encryption products, which I believe are impenetrable except for any operator errors. Why this is KEY is that it releases the mfg of my laptop from "pressure" by any 3 letter agency. There is no one to lean on and mandate a "backdoor". The end user is solely responsible for how he/she decides to handle the pressure to provide the decryption credentials.

    Why can it not be the same with Apple, or any manufacturer of devices? Surely in a free society (pipe dream) the end user (owner) of the device can elect to equip it according to their wishes. Then THEY bear the burden of defending their position regarding opening it.

    While simple, this model removes all the public debate about banning Apple phones in America. Other players are going to find themselves in line too. Further, this model makes ME, the end user, more confident in possessing solid unbreakable encryption. I see it as a win-win.
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Looking at software development and some of the legal issues, I'm contemplating having a plugin architecture with a reference open-source implementation that does the crypto part as a plugin. It would then be the user's job, if they want strong crypto, to go get that from wherever, nothing to do with me as a producer. Might save a whole load of absurd grief because the authorities and legislation have not done the hard but necessary work of creating international treaties which provide a sensible balance with people's legitimate need for privacy and security, and the rule of law; and they persist in counterproductive mass surveillance, which is the prime cause of the demand for encryption in the first place.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://www.forbes.com/sites/emmawo...o-wars-with-jaw-dropping-surveillance-demands
     
  7. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://arstechnica.com/tech-policy...-messaging-apps-at-upcoming-security-meeting/
     
  10. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I'll tell you why not with Apple etc.
    Imagine yourself the CEO or a member of the board of directors of a company that produces a widely used security product.
    Government officials call a meeting in which they present a case to you all describing how your product is protecting pedophiles, terrorists, human slave traffickers, people who are mean to kittens or whatever other emotive issue they can use to make you lose sleep at night.
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Are you and your board of directors going to be tough enough and wise enough to their tactics to call BS? And if you are, what about your employees? What is your chief programmer going to say when they approach him and offer him a million dollars if he can create a hidden weakness in the implementation of one of its algorithms?
    Like the article says, this is war. If everyone would realise this, they would realise what I and others have been trying to tell them is accurate. The security of our tech products is being weakened by design.
     
    Last edited: Jun 25, 2017
  12. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    You can also be sure commercial products are not where this ends. Open source projects and institutions are now battlegrounds where the group is infiltrated by those with an alternative agenda.
    The only defense we have is to examine the products we use with the mentality of a criminal investigator. If you would weaken a system, what would you do? Are there signs this was done?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, Apple could perhaps resist domination. But then, what are other implications of private companies that are strong enough to manage that?

    And yes, I'd rather trust open-source apps from collaborative groups. They can be infiltrated. But at least there's the opportunity for oversight.
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I think you'll find Apple is one of the companies named in the Snowden documents as having collaborated with the NSA in 2012, but I do agree with you about open source projects. Although as an old C programmer I am aware that to go through someone else's code and try to find a coding error is one thing, to figure out if it is coded to create a hidden weakness in the security of the entire project is something else entirely. Extremely difficult thing to do. You need a complete understanding of everyone's code and the algorithms they were working on, plus the mentality of a criminal investigator who is suspicious of everything to the point of paranoia. Example is that flawed random number generator that no one noticed for more than a decade.
     
    Last edited: Jun 26, 2017
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, what US firm could have resisted collaborating with the NSA in 2012? But yes, I have a very hard time trusting any corporation. I trust them even less than governments.

    What you say about open source projects is true, sadly enough. Still, one could make the argument that placing an infiltrator suitably to create subtle weaknesses is nontrivial. But I'm no coder, so o_O Maybe that's why there's resistance to complex patches that aren't fully commented?
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes, that is why comments are important. At least when code is commented you know what the coder says he/she was trying to do.
    Another example was the TrueCrypt project: even though a security audit was carried out which reported no major problems, later on someone else, I believe it was the guy who started the VeraCrypt project, discovered what he described as a critical flaw in the code.
    I hope the current climate combined with events of the past decade results in much closer scrutiny. I hope right now there are thousands of eyes all around the world on TLS 1.3...
    I think you're right about 2012; most companies would have believed they were doing the right thing. As for trusting government vs corporation, you may as well consider them the same thing.
     
    Last edited: Jun 26, 2017
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'm basically an anarcho-syndicalist.
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://www.eff.org/deeplinks/2017/06/five-eyes-unlimited
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Cybersecurity for the Public Interest
    https://www.schneier.com/blog/archives/2019/05/cybersecurity_f_2.html
     