Top FBI lawyer: You win, we've given up on encryption backdoors

We're your servants, says general counsel unconvincingly


After spending months pressuring tech companies to add backdoors into their encryption software, the FBI says it has given up on the idea.

Speaking at a conference in Boston on Wednesday, the bureau's general counsel James Baker even used the term that has been repeatedly used to undermine the FBI's argument: magical thinking.

"It's tempting to try to engage in magical thinking and hope that the amazing technology sector we have in the United States can come up with some solution," he told attendees at the Advanced Cyber Security Center (ACSC) annual conference.

"Maybe that's just a bridge too far. Maybe that is scientifically and mathematically not possible."

The response is a world away from comments made by FBI director James Comey a year ago. In October 2014, Comey decried the decision by Apple and Google to turn on file system encryption as a default on devices following revelations of mass surveillance, complaining that it was impinging the ability of cops to do their jobs.

Apple also turned on an implementation of end-to-end encryption in its messaging software, as has Facebook-owned WhatsApp, meaning the Feds cannot easily decrypt intercepted chatter.

"We aren't seeking a backdoor approach," Comey told the Brookings Institute. "We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process - front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks."

Terminal-ology

The term "magical thinking" has comes to represent the problem with introducing so-called "split-key encryption" where law enforcement would be given a skeleton key to decrypt information. The magical part is where it is assumed that only law enforcement would ever discover and use the key, and that such a design does not completely hobble the strength of the cryptography.

As a sign that the obvious flaw in this approach has picked up advocates within the US government came when FTC Commissioner Julie Brill referenced "magical thinking" when she told a privacy conference last week why she did not support the idea of an encryption backdoor.

Few expected to hear the words from an FBI official, however.

Last year, Comey complained that criminals were "going dark" – and that phrase formed the title of the session this week in Boston: Going Dark: The Balance Between Encryption, Privacy, and Public Safety.

The FBI is still unhappy about the fact it can't easily access strongly encrypted data, with general counsel Baker saying it does make it harder for law enforcement to carry out surveillance.

And he complained that even when the FBI does get a warrant it can't get access to communications – a reference to the ongoing court case with Apple where the computer company has said it is simply unable to provide the unencrypted data from a specific individual.

However in a line that was used repeatedly at the conference, Baker noted that the FBI was there to serve the American people. "We are your servants,” he said. "We will do what you want us to do."

Continuing that line of thinking, he said: "At the most fundamental level, it is about the relationship between the people and government. When it comes to surveillance, what do you want us to do and what risks are you willing to take on?"

Last month, FBI director Comey confirmed what a leaked Obama administration document had implied – that the administration would not seek legislative powers from Congress to force tech companies to install a backdoor. But he did say that the FBI would work privately with tech companies to reach agreement on a similar system. Baker's comments this week would appear to show that the FBI has given up on that plan, too.

Makes you wonder what they're doing instead to track and surveil citizens, no? ®


Other stories you might like

  • FBI warning: Crooks are using deepfake videos in interviews for remote gigs
    Yes. Of course I human. Why asking? Also, when you give passwords to database?

    The US FBI issued a warning on Tuesday that it was has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information.

    The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the "applicant" for jobs that can be performed remotely. The Bureau reports the scam has been tried on jobs for developers, "database, and software-related job functions". Some of the targeted jobs required access to customers' personal information, financial data, large databases and/or proprietary information.

    "In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually," said the FBI in a public service announcement.

    Continue reading
  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading
  • Crypto sleuths pin $100 million Harmony theft on Lazarus Group
    Elliptic points to several indicators that suggest the North Korea-linked gang was behind the hack

    Investigators at a blockchain analysis outfit have linked the theft of $100 million in crypto assets last week to the notorious North Korean-based cybercrime group Lazarus. The company said it had tracked the movement of some of the stolen cryptocurrency to a so-called mixer used to launder such ill-gotten funds.

    Blockchain startup Harmony announced June 23 that its Horizon Bridge – a cross-chain bridge service used to transfer assets between Harmony's blockchain and other blockchains – had been attacked and crypto assets like Ethereum, Wrapped Bitcoin, Binance Coin, and Tether stolen.

    According to blockchain analytics company Elliptic, the attacker immediately turned to Uniswap, a decentralized exchange, to convert most of the assets into 85,837 Ethereum, which researchers said is a common method used by hackers to avoid the stolen assets from being seized.

    Continue reading
  • Telegram adds paid tier as it cracks 700 million users
    Without so much as a mention of encryption, but with a pastel-hued emoji-heavy nod to ‘sustainable monetization’

    Messaging app Telegram, which came to prominence for offering end-to-end encryption that irritated governments, has celebrated passing 700 million active monthly users with a pastel-hued announcement: a paid Premium tier of service.

    A Sunday post celebrates the 700 million user milestone by announcing a $4.99/month tier. The Premium tier distinguishes itself from the freebie plebeian tier with the ability to upload 4GB files, unthrottled downloads that come as fast as users' carriers will allow, and the chance to follow up to 1000 channels, create up to 20 chat folders each containing up to 200 chats, and to run four accounts in the Telegram app.

    Paying punters will also get exclusive stickers and reactions and won't see ads once they sign up to hand over coin each month.

    Continue reading
  • Former chip research professor jailed for not disclosing Chinese patents
    This is how Beijing illegally accesses US tech, say Feds

    The former director of the University of Arkansas’ High Density Electronics Center, a research facility that specialises in electronic packaging and multichip technology, has been jailed for a year for failing to disclose Chinese patents for his inventions.

    Professor Simon Saw-Teong Ang was in 2020 indicted for wire fraud and passport fraud, with the charges arising from what the US Department of Justice described as a failure to disclose “ties to companies and institutions in China” to the University of Arkansas or to the US government agencies for which the High Density Electronics Center conducted research under contract.

    At the time of the indictment, then assistant attorney general for national security John C. Demers described Ang’s actions as “a hallmark of the China’s targeting of research and academic collaborations within the United States in order to obtain U.S. technology illegally.” The DoJ statement about the indictment said Ang’s actions had negatively impacted NASA and the US Air Force.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading

Biting the hand that feeds IT © 1998–2022