12/6/2017
10:05 AM
Larry Loeb

Crypto Wars: The Show That Never Ends

The German Interior Ministry is spearheading an effort to create a new law that would require tech companies to provide backdoors for a range of devices. It's the latest salvo in the war over encryption.

As the classic Emerson, Lake and Palmer song goes: "Welcome back, my friends, to the show that never ends." Only this time, it's the Crypto Wars that are being refought.

The German government is preparing a law that would make all electronic device manufacturers include a backdoor that could be used by law enforcement authorities, according to local media reports. Such a backdoor in a connected auto might disable the warning it sends to its owner when physically disturbed -- say in a police investigation.

The German Interior Ministry is spearheading the effort, and is looking far beyond stopping car notifications to suspect owners. The ministry wants companies to tell the government about any future plans that they have for encryption and other protocols in products, so that the police can analyze them.

Investigators also want the power to hack back at attackers, so that they can shut down some remote computer in a crisis.

Some of those who have seen the draft bill also point to provisions in it that would allow the state to intercept any Internet traffic. That kind of power would allow a full-blown surveillance state with snooping everywhere. Of course, the ministry says such power would only be used under court order.

This kind of effort is not unexpected to those who have seen similar efforts for such backdoors arise lately in France and the UK.

Indeed, closer to home, the US Justice Department has revisited the issue lately when Deputy Attorney General Rod Rosenstein told an audience in London this October: "There is no constitutional right to sell warrant-proof encryption."

The pushback against working encryption is on the rise, without a doubt.

Crypto was once the province only of the government, but it seemed that the first crypto wars of the 1980s and 90s had established that crypto use was not only legal, but that it was enabling the establishment of a digital economy. It seems obvious that people would not give financial information to a website to pay for shopping if they did not feel that it was being protected in a secure manner.

These new efforts, which hold up the straw men of terrorists and criminals to the public, miss some major points. Backdoors or decrypting will not stop someone who wishes to blow things up. They will just change methods to ones that are harder to expose, like trusted couriers and face-to-face meetings.

And if there were some master key to encryption methods, how long would it take before it was stolen by threat actors? Such a key would make it easy for miscreants to obtain anything they wanted without any trace left behind, making the situation even worse.

The balance between too little and too much privacy in social settings has been discussed for years on end. It will continue to be discussed, no doubt. But a simplistic approach such as the removal of encryption from devices can only have unintended consequences that will end up crippling the only growth area left in the world.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
