Many of the security laws now being proposed will be unworkable, according to one security expert speaking at the seventh Hack in The Box (HITB) conference in Amsterdam today.
John Adams, head of security for Bolt Financial, gave the HITB audience a state-of-play account of the ongoing crypto-wars between the private and public spheres.
Much of the state security community seems poorly informed about how the security measures it imagines could actually be implemented. James Comey, the current director of the Federal Bureau of Investigation (FBI), according to Adams, believes “technology is a tool for dangerous people.”
“The new crypto-wars are pretty much global,” said Adams. The 'only bad people need privacy' mindset that Comey embodies can be seen playing out across the world.
The 'Snooper's Charter', or Investigatory Powers (IP) Bill, currently before the UK Parliament, “pretty much makes hacking endpoints legal”. With an anticipated cost in the billions of US dollars and the sheer physical limitations of processing the volume of data the government desires, “this isn't possible,” said Adams.
The Burr-Feinstein bill, which Adams simply deems 'ridiculous', was conceived in the wake of the argument over the San Bernardino shooter's locked iPhone and the FBI's attempts to make Apple 'hack itself'. Among the bill's provisions is a requirement that all online data be made 'intelligible'.
Many in the state security community fear what they call 'going dark', above all the prospect of a suspect with no online footprint.
Then again, hiding is not that easy these days, in a world where data is the new currency. Information is everywhere, and we rely on it to go about our daily lives.
Among other things, one would have to disable the default device and key backups to the cloud, avoid sending incriminating evidence over unencrypted channels and, above all, make no calls and send no texts, since each one leaks metadata. “This is a lot to ask of your average criminal,” said Adams.
Furthermore, to justify the 'backdoors' argument advanced by so many state organs, Adams said you “have to believe there's a set of criminals that can hide themselves better than the next James-Bond-type-person”.
The impossibility of what governments want does not, however, mean that these laws are benign. The crypto-wars have been raging for quite a while now, and the NSA has been at the centre of many of those battles.
On many occasions, developments in cryptography have been hidden from the public using the 1951 Invention Secrecy Act, which allows the US government to block the publication of an invention, and the research behind it, if it judges there to be a potential threat to national security. Adams also blamed the NSA for the “weakening of (the) global cryptography market to ensure people have access only to compromised methods”.
Thanks to the government, said Adams, we have three major SSL/TLS vulnerabilities: FREAK, Logjam and DROWN, all of which researchers commonly rate among the most serious. All three are descendants of the 1990s US export restrictions: FREAK and Logjam downgrade a connection to 512-bit 'export-grade' RSA and Diffie-Hellman respectively, and DROWN abuses servers that still speak SSLv2 and its export suites. This, added Adams, “would not have happened if we didn't have government trying to weaken SSL 20 years ago.”
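The practical legacy of those export suites is that a server which still accepts them can be downgraded. The following is an added example written for this page, not code from Adams' talk or the article: a minimal probe that sends a TLS ClientHello offering only the RSA_EXPORT and DHE_*_EXPORT suites that FREAK and Logjam rely on, and classifies the server's first response. A server that completes the handshake by selecting one of them is exposed; a healthy server answers with a handshake_failure alert. The suite IDs are the registered TLS values; the ServerHello used for offline testing is constructed here, and the script does not implement the separate SSLv2 probe that checking for DROWN would require.

```python
# Added example (not from the talk or article): probe a TLS server for the
# 1990s export-grade cipher suites that FREAK and Logjam exploit.
import os
import socket
import struct

# Export-grade suite IDs from the TLS cipher-suite registry: 40-bit symmetric
# keys negotiated with 512-bit RSA or Diffie-Hellman key exchange.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types


def build_client_hello(suites, version=b"\x03\x01"):
    """Wrap a TLS 1.0 ClientHello that offers only `suites` in a record-layer frame."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body = (version + os.urandom(32) + b"\x00"   # client_version, random, empty session id
            + struct.pack(">H", len(cs)) + cs     # cipher_suites vector
            + b"\x01\x00")                        # one compression method: null
    hs = bytes([CLIENT_HELLO]) + struct.pack(">I", len(body))[1:] + body  # 3-byte length
    return bytes([HANDSHAKE]) + version + struct.pack(">H", len(hs)) + hs


def build_server_hello(suite, version=b"\x03\x01"):
    """Constructed ServerHello for offline testing: what a weak server would send back."""
    body = version + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + struct.pack(">I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + version + struct.pack(">H", len(hs)) + hs


def classify_response(data):
    """Return ('export', name), ('other', suite_id), ('alert', description) or ('unknown', None)."""
    if len(data) < 5:
        return ("unknown", None)
    if data[0] == ALERT:
        # Alert record body is level(1) description(1); 40 = handshake_failure,
        # which is the answer a correctly configured server gives to this hello.
        return ("alert", data[6]) if len(data) >= 7 else ("unknown", None)
    if data[0] != HANDSHAKE:
        return ("unknown", None)
    hs = data[5:]
    # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2) comp(1)
    if len(hs) < 41 or hs[0] != SERVER_HELLO:
        return ("unknown", None)
    off = 39 + hs[38]
    if len(hs) < off + 2:
        return ("unknown", None)
    suite = struct.unpack(">H", hs[off:off + 2])[0]
    if suite in EXPORT_SUITES:
        return ("export", EXPORT_SUITES[suite])
    return ("other", suite)


def probe(host, port=443, timeout=5.0):
    """Connect, offer only export suites, and classify the first record the server sends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(sorted(EXPORT_SUITES)))
        data = sock.recv(4096)
    return classify_response(data)


if __name__ == "__main__":
    import sys
    verdict, detail = probe(sys.argv[1])
    if verdict == "export":
        print(f"VULNERABLE: server accepted {detail}")
    elif verdict == "alert":
        print(f"ok: server refused export suites (alert {detail})")
    else:
        print(f"inconclusive: {verdict} {detail}")
```

Run it as `python probe.py example.com` against a host you are authorised to test. An 'other' verdict means the server picked a suite the client never offered, which is itself a protocol violation worth investigating; 'unknown' usually means the port is not speaking TLS at all.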
More recently, the NSA gave us Bullrun, a programme with, according to leaked NSA documents, 'groundbreaking capabilities' to defeat SSL and VPN encryption, and, in Adams' words, the “NSA's effort to bypass democratic mechanism and sabotage our security anyway.”
The Apple/FBI fight over access to the shooter's phone, said Adams, “opened the encryption debate to the world. If this conversation wasn't started years ago, it's going now.” The often obscure dialogue between privacy and security must be pushed further into the light, he concluded: “It's up to everyone in this room to make sure this happens.”