William Barr gave a talk today at Fordham, on “going dark” and the need for encryption backdoors. A lot of this is old hat. The surprising thing is that it was the only subject of the talk: it seems like the Trump administration is serious about this. (Thread).

2. The talk follows the typical pattern of asserting that the Fourth Amendment actually requires encryption backdoors. I’m no lawyer, but this is a hell of a legal theory. I just want to flag that one and move on to the technical.

3. Barr cites Mexican cartels as using WhatsApp groups, and then notes that law enforcement is unable to penetrate these groups. This is a bit surprising to me, since WhatsApp group management is one of the weakest areas of the system.

4. What’s really fascinating about this speech is how frankly the Trump administration has moved away from “we just want to access your encrypted phone” to making it clear that communications (text messages) etc. are the real goal.

5. I have to quote this one because it’s unreal: “For example, providers design their products to allow access for software updates using centrally managed security keys. We know of no instance where encryption has been defeated by compromise of those provider-maintained keys.”

6. Is the US Attorney General saying that his department knows of no instance where software update/signing keys were stolen? This is crazy.

I can think of one: Stuxnet. But that’s hardly the last one.

7. NotPetya was allegedly launched using the software distribution infrastructure of a popular Ukrainian product. This wasn’t a key theft, but it’s essentially the same thing. This is a crazy talking point.

8. Barr goes on to claim that there are many proposals for encryption backdoors on the table. He gives three. They’re the same three we always get.

1. A (hardware, phones only) proposal by Ray Ozzie.
2. A proposal to tap chat groups by GCHQ.
3. An ancient article by Matt Tait.

9. One of these proposals is by a signals intelligence agency. Lovely people! But hardly credible, and will be eliminated by coming updates to these systems. I wrote about Ozzie’s proposal here — it’s only for phones. Tait’s is an old policy article. google.com/amp/s/blog.cry…

10. The TL;DR is that the US Attorney General is standing up in front of the country and saying “look, cryptographers can build backdoors”, and citing essentially three plans — one of which is made by a signals intelligence agency, and two by non-cryptographers.

11. “The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product.” Well, lets talk about that for a second.

12. We don’t have a lot of examples of legitimate backdoors to work with. But we do have one illegitimate one: the Dual EC backdoor that was included in Juniper NetScreen firewalls. This was hijacked by an APT group and exploited, probably against the US. google.com/amp/s/www.wire…

13. The ultimate targets and details of the Juniper attack are still not public. The FBI isn’t talking. It’s all classified. There is a good chance that this continued secrecy hides one of the more catastrophic breaches in US history. The risk here is very real.

14. “After all, we are not talking about protecting the Nation’s nuclear launch codes.” Well, actually.

15. It is generally agreed that events like the Office of Personnel Management breach were a catastrophic blow to our intelligence agencies. The costs of these breaches is not mushroom clouds today, but it could be down the road. google.com/amp/s/www.bbc.…

16. How do US government agencies protect themselves? Using custom encryption developed by the NSA? No. They use COTS products they buy from corporations. Here’s a list of the OPM’s NetScreen firewalls from 2014, with serial numbers.

17. At the end of the day, here’s the line in Barr’s speech that lays bare what the strategy is. “I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues.”

18. To make a long thread very short: there is no safe backdoor solution on the table. Barr and the Trump administration have nothing new to offer here except for a creatively terrifying interpretation of the 4th amendment and a desire to minimize risks...

19. But what they do have is time, and the inevitability that given enough of it, something terrible will happen to America on their watch. And they’ll be able to push these proposals without the need for debate. That’s where we are, and it should scare you. (Fin.)