US officials target social media, encryption after Chattanooga shooting

Was the Chattanooga shooter inspired by IS propaganda? There’s no evidence to back the claim, but some officials are already calling for access to encrypted messages and social media monitoring. Spencer Kimball reports.

It’s not an unusual story in America: A man in his 20s with an unstable family life, mental health issues and access to firearms goes on a shooting spree, shattering the peace of middle class life.

This time, the shooter’s name was Muhammad Youssef Abdulazeez, a Kuwaiti-born naturalized US citizen, the son of Jordanian parents of Palestinian descent. And he targeted the military.

Abdulazeez opened fire on a recruiting center and naval reserve facility in Chattanooga, Tennessee last Thursday. Four marines and a sailor, all unarmed, died in the attack.

But the picture that’s emerged from Chattanooga over the past several days is complicated, raising questions about mental health, substance abuse, firearms, religion and modernity.

Yet elected officials have been quick to suggest that events in Chattanooga were directly inspired by “Islamic State” (also known as ISIL or ISIS) Internet propaganda, though there’s still no concrete evidence to back up that claim.

“This is a classic lone wolf terrorist attack,” Senator Dianne Feinstein told US broadcaster CBS. “Last year, 2014, ISIL put out a call for people to kill military people, police officers, government officials and do so on their own, not wait for direction.”

And according to Feinstein, part of the solution is to provide the government with greater access to digital communications.

“It is now possible for people, if they’re going to talk from Syria to the United States or anywhere else, to get on an encrypted app which cannot be decrypted by the government with a court order,” Feinstein said.

Going dark

Two years ago, former NSA contractor Edward Snowden revealed the extent of US government surveillance to the public. Responding to public outcry in the wake of the NSA revelations, companies such as Facebook, Yahoo, Google and others stepped up efforts to encrypt users’ personal data.

But the Obama administration, in particular FBI Director James Comey, has expressed growing concern about encryption technology. Law enforcement argues that even with an appropriate court order they still cannot view communications masked by such technology. They call it “going dark.”

Feinstein and others believe that Internet companies have an obligation to provide law enforcement with a way to view encrypted communications, if there’s an appropriate court order. But according to Emma Llanso, that would only create greater security risks.

“If you create a vulnerability in your encryption system, you are creating a vulnerability that can be exploited by any malicious actor anywhere in the world,” Llanso, director of the Free Expression Project at the Center for Democracy and Technology, told DW.

Monitoring social media

It’s not just an issue of encryption technology. There’s also concern about how militant groups such as the “Islamic State” are using social media, in particular Twitter.

“This is the new threat that’s out there over the Internet that’s very hard to stop,” Representative Michael McCaul told ABC’s This Week. “We have over 200,000 ISIS tweets per day that hit the United States.

“If it can happen in Chattanooga, it can happen anywhere, anytime, any place and that’s our biggest fear,” added McCaul, the chairman of the House Homeland Security committee.

In the Senate, an intelligence funding bill includes a provision that would require Internet companies to report incidents of “terrorist activity” on their networks to authorities.

According to Llanso, such activity isn’t defined anywhere in the provision, which means companies would have an incentive to overreport in order to meet their obligations. And speech clearly protected by the US First Amendment can also lead to incitement, said Philip Seib, co-author of “Global Terrorism and New Media.”

“If somebody puts something up on Facebook that says Muslims are being oppressed in the Western world, maybe that’s an incentive to somebody to undertake a violent act,” Seib told DW. “But you can’t pull that down, that is a free speech issue.”

Islamist connections?

In the case of Chattanooga, it’s unclear how government access to encrypted communications or requiring social media reporting would have stopped the shooting. One of Abdulazeez’s friends told CNN that the 24-year-old actually opposed the “Islamic State,” calling it a “stupid group” that “was completely against Islam.”

But Abdulazeez was critical of US foreign policy and expressed a desire to become a martyr in his personal writings, according to CNN sources. The young man’s father was put on a terrorist watch list but was then cleared of allegedly donating money to a group tied to Hamas. Abdulazeez also spent seven months in Jordan visiting family in 2014.

He also reportedly viewed content related to radical cleric Anwar al-Awlaki. An American citizen, Awlaki was killed in 2011 by a US drone strike in Yemen for alleged ties to al Qaeda in the Arabian Peninsula.

“The Guardian” reported that just hours before the shooting spree, Abdulazeez sent a text message to a friend with a verse from the Koran: “Whosoever shows enmity to a friend of Mine, then I have declared war against him.”

Guns, drugs and depression

Abdulazeez reportedly suffered from depression and had suicidal thoughts. He abused alcohol and drugs, including marijuana and caffeine pills. He had recently been arrested and charged with driving under the influence, with a court date set for July 30. He also took muscle relaxants for back pain and sleeping pills for a night shift at a manufacturing plant, according to the Associated Press.

His family life was also unstable. In 2009, Abdulazeez’s mother filed for divorce, accusing his father of abuse. The two later reconciled, according to the “New York Times.”

And he had access to guns, including an AK-47 assault rifle. Abdulazeez liked to go shooting and hunting. He also participated in mixed martial arts.

Officials told ABC News that Abdulazeez had conducted Internet research on Islamist militant justifications for violence, perhaps hoping to find religious atonement for his problems.

“The campaigns by the Western governments – the US primarily, the Brits and others – have indicated that they don’t really understand what’s going on in the minds of many young Muslims,” Seib told DW.

“The Western efforts don’t ring true amongst many people they seek to reach because on issues such as human rights the Western governments don’t have much credibility,” he added.

Passphrase.io Uses Bitcoin-level Encryption To Create A Safe Online Notepad Service

Passphrase.io – A Social Experiment With Lots of Potential

Storing sensitive data in a secure and safe environment is not an easy task to accomplish for most people. Even though there are multiple guides on the internet of how to store data, and even encrypt if needed, doing so is still a hassle for most people. After all, our society values convenience above anything else, even if it goes at the cost of security.

On top of that, even if a user manages to create a backup of their sensitive data, there is still the question of what type of media to use. Storing a text file with passwords in the cloud is not the best of ideas, and physical storage is subject to wear and tear. Plus, there is always the potential of physical storage being stolen or tossed away by accident. Alternative solutions have to be created, and that is exactly what Passphrase.io aims to do.

The way Passphrase.io works is rather simple: open up the website, enter your passphrase and type the text you want to save in the notepad. It is important to remember the passphrase you entered at the beginning, as this “token” will be used to authenticate access to your notepad in the future. Rather than forcing users to create an account, a passphrase provides a more user-friendly authentication procedure for users.

Creating a passphrase may seem easy at first, but don’t be fooled by the platform’s simplicity. It is imperative to create a strong and lengthy passphrase. In fact, shorter sentences, or combinations that can be gathered from games, music, movies or TV shows, have a higher chance of “being stumbled upon” by malicious individuals.

As soon as such a service launches, there is the unavoidable question of how secure a platform like Passphrase.io is. According to the developers, all of the information is encrypted in the user’s browser, making it impossible to see plain text notepad content or passphrases. Once you click “Save” in your notepad, all data is encrypted with AES-256, after which an SHA-256 hash is run on the user’s passphrase.

And this is where things draw a major parallel to Bitcoin’s ideology. Similar to how Bitcoin users need to remember their private key in order to access funds, Passphrase.io users need to keep their passphrase safe at all times. There is no recovery for a Bitcoin wallet when you lose the private key, and there is no recovery process for Passphrase.io either.

Last but not least, the encrypted passphrase and hash are stored on servers controlled by the Passphrase.io team. Considering both these key elements are encrypted, the Passphrase.io staff will never be able to determine your passphrase, nor your notepad content. And with no data being stored in your browser after closing the website, there is no trace left behind of what you entered.
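The flow described above, modelled locally in Node.js as an added example; it is not Passphrase.io's code. The page does not say how the AES key is derived from the passphrase, so the naive and hardened derivations, the salt constant, the scrypt parameters and all function names here are assumptions made for illustration.

```javascript
// Added example (Node.js): a passphrase-only encrypted notepad, modelled locally.
// Not Passphrase.io's code; the key-derivation details below are assumptions.
const crypto = require('node:crypto');

// Naive reading of the description: the stored lookup value ("locator") is a
// bare SHA-256 of the passphrase. One fast hash per guess makes guessing cheap.
function locatorSha256(passphrase) {
  return crypto.createHash('sha256').update(passphrase, 'utf8').digest('hex');
}

// Hardened variant: one slow scrypt call yields 64 bytes, split into a locator
// (sent to the server) and an AES-256 key (never leaves the client). With no
// accounts there is nowhere to keep a per-user salt, so the salt is a fixed
// application constant and passphrase strength remains the real barrier.
const APP_SALT = Buffer.from('example-notepad-v1', 'utf8'); // hypothetical value
const SCRYPT_PARAMS = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveSecrets(passphrase) {
  const out = crypto.scryptSync(passphrase.normalize('NFKC'), APP_SALT, 64, SCRYPT_PARAMS);
  return { locator: out.subarray(0, 32).toString('hex'), key: out.subarray(32, 64) };
}

// AES-256-GCM with a fresh nonce per save; the locator is bound as associated
// data so a ciphertext cannot be moved to another slot unnoticed.
function encryptNote(key, plaintext, locator) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(locator, 'hex'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptNote(key, record, locator) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAAD(Buffer.from(locator, 'hex'));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
}

// Everything the operator can see: locator -> { iv, ct, tag }.
class NoteServer {
  constructor() { this.rows = new Map(); }
  put(locator, record) { this.rows.set(locator, record); }
  get(locator) { return this.rows.get(locator) || null; }
}

function saveNote(server, passphrase, text) {
  const { locator, key } = deriveSecrets(passphrase);
  server.put(locator, encryptNote(key, text, locator));
  return locator;
}

// Returns the note text, or null when no slot exists for this passphrase.
function openNote(server, passphrase) {
  const { locator, key } = deriveSecrets(passphrase);
  const record = server.get(locator);
  return record ? decryptNote(key, record, locator) : null;
}

// Design pitfall: if the AES key and the stored locator are the same SHA-256
// value, whoever stores the locator can decrypt. Returns what the operator
// would recover using only the data it holds.
function operatorViewNaive(passphrase, text) {
  const locator = locatorSha256(passphrase);
  const record = encryptNote(Buffer.from(locator, 'hex'), text, locator);
  // Operator side: only `locator` and `record` are used from here on.
  return decryptNote(Buffer.from(locator, 'hex'), record, locator);
}

// Same attempt against the hardened scheme: the locator is not the key, so
// the GCM tag check fails and nothing is recovered.
function operatorViewHardened(server, locator) {
  try {
    return decryptNote(Buffer.from(locator, 'hex'), server.get(locator), locator);
  } catch (err) {
    return null;
  }
}
```

In a browser the same derivation and AES-GCM steps would run through the Web Crypto API or a vetted library rather than Node's `crypto` module.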

Potential Use Cases For Passphrase.io

As good as all of the above may sound, there is no guarantee that consumers will start using Passphrase.io en masse. But there are some potential use cases for such a service at this time. Storing sensitive passwords, or even an important piece of text on Passphrase.io, rather than unencrypted in the cloud, are just two simple examples.

Perhaps the most interesting use case for Passphrase.io comes in the form of its “social experiment” aspect. Because there are no logins to meddle with, it won’t take long until malicious individuals start trying to guess passphrases in order to see what kind of data is being stored in people’s notepads. Should this be the case, it will also provide a proper test to see how seriously consumers are taking security when it comes to sensitive data.

After Washington Post rolls out HTTPS, its editorial board bemoans encryption debate

There’s hope that by the time the Washington Post’s editorial board takes a third crack at the encryption whip, it might say something worthwhile.

Late on Saturday, The Washington Post’s editorial board published what initially read as a scathing anti-encryption and pro-government rhetoric opinion piece that scolded Apple and Google (albeit a somewhat incorrect assertion) for providing “end-to-end encryption” (again, an incorrect assertion) on their devices, locking out federal authorities investigating serious crimes and terrorism.

Read to the end, and you’ll find the editorial came up with nothing.

It was a bland and mediocre follow-up to a similar opinion piece, which was called “staggeringly dumb” and “seriously embarrassing” for proposing a “golden key” to bypass encryption.

Critically, what the Post gets out of this editorial remains widely unknown, perhaps with the exception of riling up members of the security community. It’s not as though the company is particularly invested in either side. Aside from the inaccuracies in the board’s opinion, and the fair (and accurate) accusation that the article said “nothing” (one assumes that means nothing of “worth” or “value”), it’s hypocritical to make more than one statement on this matter while at the same time becoming the first major news outlet to start encrypting its entire website.

The board’s follow-up sub-600 worded note did not offer anything new, but reaffirmed its desire to see both tech companies and law enforcement “reconcile the competing imperatives” for privacy and data access, respectively. (It’s worth noting the board’s opinion does not represent every journalist or reporter working at the national daily, but it does reflect the institution’s views on the whole.)

Distinguished security researcher Kenn White dismissed the editorial in just three words: “Nope. No need.”

Because right now, there is no viable way to allow encrypted services while also allowing police and federal agencies access to that scrambled information through so-called “backdoor” means. Just last week, a group of 13 of the world’s preeminent cryptographers and security researchers released a paper (which White linked to in his tweet) explaining that “such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend.”

In other words: if there’s a secret way in for the police and the feds, who’s to say a hacker won’t find it, too?

The Post’s own decision to roll out encryption across its site seems bizarre considering the editorial board’s conflicting views on the matter.

Such head-scratching naivety prompted one security expert to ask anyone who covers security at the Post to “explain reality” to the board. Because, clearly, the board isn’t doing its job well if on two separate occasions it’s fluffed up reporting on a subject with zero technical insight.

If the board, however, needs help navigating the topic, there is no doubt a virtual long line of security experts, academics, and researchers lining up around the block ready to assist. At least then there’s hope the board can strike it third-time lucky in covering the topic.

Ace Secret Disk Updated to the Latest Version 8.05

Ace Secret Disk allows you to create a secret disk on your computer, on which you can store your private files (such as photos, videos and financial information documents) just like you would do on a normal disk. In this way the danger of data leakage can be completely eradicated. In the new version, we have added a feature for users to view the properties of the secret disk, fixed some minor bugs and optimized the software performance.

Change Log of Ace Secret Disk 8.05:

File Name: Ace Secret Disk

Version: 8.05

File Size: 3.24MB

Category: Encryption Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win7/Win8

Released on: July 15, 2015

Download Address: http://www.dogoodsoft.com/ace-secret-disk/free-download.html

What’s New in This Version:

+ Added a feature to view the properties of the secret disk;

– Fixed a software ID exception bug in specific systems;

* Improved the encryption efficiency and strength when creating a secret disk;

* Enhanced software interface for XP;

– Fixed two minor bugs.

Why Choose Ace Secret Disk:

Ace Secret Disk creates an additional virtual disk on your computer with a password, which can make your private documents (images, videos, financial files, etc.) invisible and protected. It works as a regular hard disk, while completely preventing your files and folders from leakage. Ace Secret Disk is known for its three features:

(1) High Safety

It adopts new methods to protect data on your personal secret disk, and only with the correct password you can access it.

(2) Excellent Software Performance

The secret disk takes up no extra space, with data import and export as fast as lightning.

(3) Easy and Convenient Usage

The secret disk is used just like a normal disk, easy for you to save your private files.

TeslaCrypt 2.0 comes with stronger encryption and a CryptoWall disguise

TeslaCrypt, primarily known for encrypting gaming files, has beefed up its techniques and, in its newest 2.0 version, greatly improved its encryption.

Kaspersky Lab wrote in a blog post that TeslaCrypt 2.0 not only makes it impossible to decrypt files, but also uses an HTML page copied directly from a separate ransomware: CryptoWall. And to take it a step further, TeslaCrypt no longer uses its own name; it instead opts to disguise itself as CryptoWall.

More specifically, once infected, a victim is taken to an HTML payment page directly copied from CryptoWall. It only differs in that the URLs lead to TeslaCrypt’s Tor-based servers.

Fedor Sinitsyn, senior malware analyst at Kaspersky, said in emailed comments to SCMagazine.com that he couldn’t provide an answer as to why the gaming ransomware might be using this disguise, but he speculated it’s “aimed to scare the victim and to puzzle experts trying to help the victim.”

While TeslaCrypt might not be as notorious or recognizable as CryptoWall, the ransomware’s new encryption scheme could put it higher up on IT professionals’ threat radar. Previous versions saved data in a file that could be used to recover the decryption key, Sinitsyn said. In the new version, this critical data isn’t saved on the system. Backups are more imperative than ever, and Sinitsyn emphasized that they are the best defense against ransomware attacks.

“System administrators should be in charge of corporate backup and be leading the process on the corporate level,” he said. “Also, they should educate their users on how to protect themselves from ransomware.”

TeslaCrypt mainly spreads through exploit kits, including Angler, Sweet Orange and Nuclear, and a large portion of its infections have been in the U.S.

“Ransomware as a threat is growing, criminals develop new and sophisticated pieces of malware, and in many cases decryption of the attacked files is impossible,” Sinitsyn said. “If your data is valuable, please take your time to make reliable backup copies.”

New Version of Teslacrypt changes encryption scheme

A new version of the nasty TeslaCrypt ransomware is making the rounds, and the creators have added several new features, including an improved encryption scheme and some details designed to mimic CryptoWall.

TeslaCrypt is among the more recent variants of ransomware to emerge and the malware, which is a variant of CryptoLocker, is unique in that it targets files from gaming platforms as well as other common file types. Version 2.0.0 of TeslaCrypt, discovered recently by researchers at Kaspersky Lab, no longer uses a typical GUI to show users the warning about their files being encrypted. Instead, the malware opens a page in the user’s browser to display a warning message that is taken directly from CryptoWall.

That change, researchers speculated, could be a way to make TeslaCrypt seem more intimidating.

“Why use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections,” Fedor Sinitsyn of Kaspersky Lab wrote in an analysis of the new ransomware.

But the more significant modification in version 2.0.0 is the inclusion of an updated encryption method. TeslaCrypt, like many other ransomware variants, encrypts the files on victims’ machines and demands a payment in order to obtain the decryption key. The payment typically must be in Bitcoin and the attackers using crypto ransomware have been quite successful in running their scams. Estimates of the revenue generated by variants such as CryptoLocker run into the millions of dollars per month.

Researchers have had some success in finding methods to decrypt files encrypted by ransomware, specifically TeslaCrypt. But the change to the malware’s encryption method may make that more difficult.

“The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone,” Sinitsyn said.

“Each file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an additional extension, ‘.zzz’. A service structure is added to the beginning of the file, followed by encrypted file contents.”

The TeslaCrypt authors also took out the decryption mechanism in the malware that researchers were able to exploit in previous versions.

CHK File Recovery Has Been Updated to Version 1.08

CHK File Recovery is an excellent recovery tool specialized in recovering CHK files in a quick and easy way, and it has recently been updated to version 1.08. In this new version, we added 5 recoverable file types, and fixed a bug where a CHK file could not be recovered after being manually identified.

Change Log of CHK File Recovery 1.08:

File Name: CHK File Recovery

Version: 1.08

File Size: 2.82MB

Category: CHK File Recovery Software

Language: English

License type: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: July 12, 2015

Download Address: http://www.dogoodsoft.com/chk-file-recovery/free-download.html

What’s New in This Version:

+ Added 5 recoverable file types;

– Fixed a bug where a CHK file could not be recovered after being manually identified.

CHK File Recovery can accurately and quickly recover more than 120 common file types, such as mp3, mp4, jpg, bmp, gif, png, avi, rm, mov, mpg, wma, wmv, doc, docx, xls, xlsx, ppt, pptx, zip, rar, exe, dll, sql, mdb, psd.

CHK File Recovery can determine file type automatically by default. However, for file types that cannot be recognized automatically, manual judging is used to confirm file type. Manual judging can check the content of an unknown file through 4 methods and recover it afterwards.

Encryption: if this is the best his opponents can do, maybe Jim Comey has a point

  • “We share EPA’s commitment to ending pollution,” said a group of utility executives. “But before the government makes us stop burning coal, it needs to put forward detailed plans for a power plant that is better for the environment and just as cheap as today’s plants. We don’t think it can be done, but we’re happy to consider the government’s design – if it can come up with one.”
  • “We take no issue here with law enforcement’s desire to execute lawful surveillance orders when they meet the requirements of human rights and the rule of law,” said a group of private sector encryption experts, “Our strong recommendation is that anyone proposing regulations should first present concrete technical requirements, which industry, academics, and the public can analyze for technical weaknesses and for hidden costs.”
  • “Building an airbag that doesn’t explode on occasion is practically impossible,” declared a panel of safety researchers who work for industry. “We have no quarrel with the regulators’ goal of 100% safety. But if the government thinks that goal is achievable, it needs to present a concrete technical design for us to review. Until then, we urge that industry stick with its current, proven design.”

Which of these anti-regulation arguments is being put forward with a straight face today? Right. It’s the middle one. Troubled by the likely social costs of ubiquitous strong encryption, the FBI and other law enforcement agencies are asking industry to ensure access to communications and data when the government has a warrant. And their opponents are making arguments that would be dismissed out of hand if they were offered by any other industry facing regulation.

Behind the opponents’ demand for “concrete technical requirements” is the argument that any method of guaranteeing government access to encrypted communications should be treated as a security flaw that inevitably puts everyone’s data at risk. In principle, of course, adding a mechanism for government access introduces a risk that the mechanism will not work as intended. But it’s also true that adding a thousand lines of code to a program will greatly increase the risk of adding at least one security flaw to the program. Yet security experts do not demand that companies stop adding code to their programs. The cost to industry of freezing innovation is deemed so great that the introduction of new security flaws must be tolerated and managed with tactics such as internal code reviews, red-team testing, and bug bounties.

That same calculus should apply to the FBI’s plea for access. There are certainly social and economic costs to giving perfect communications and storage security to everyone – from the best to the worst in society. Whether those costs are so great that we should accept and manage the risks that come with government access is a legitimate topic for debate.

Unfortunately, if you want to know how great those risks are, you can’t really rely on mainstream media, which is quietly sympathetic to opponents of the FBI, or on the internet press, which doesn’t even pretend to be evenhanded on this issue. A good example is the media’s distorted history of NSA’s 1994 Clipper chip. That chip embodied the Clinton administration’s proposal for strong encryption that “escrowed” the encryption keys to allow government access with a warrant.

(Full disclosure: the Clipper chip helped to spur the Crypto War of the 1990s, in which I was a combatant on the government side. Now, like a veteran of the Great War, I am bemused and a little disconcerted to find that the outbreak of a second conflict has demoted mine to “Crypto War I.”)

The Clipper chip and its key escrow mechanism were heavily scrutinized by hostile technologists, and one, Matthew Blaze, discovered that it was possible with considerable effort to use the encryption offered by the chip while bypassing the mechanism that escrowed the key and thus guaranteed government access. Whether this flaw was a serious one can be debated. (Bypassing escrow certainly took more effort than simply downloading and using an unescrowed strong encryption program like PGP, so the flaw may have been more theoretical than real.) In any event, nothing about Matt Blaze’s paper questioned the security being offered by the chip, as his paper candidly admitted. Blaze said, “None of the methods given here permit an attacker to discover the contents of encrypted traffic or compromise the integrity of signed messages. Nothing here affects the strength of the system from the point of view of the communicating parties.” In other words, he may have found a flaw in the Clipper chip, but not in the security it provided to users.

The press has largely ignored Blaze’s caveat. It doesn’t fit the anti-FBI narrative, which is that government access always creates new security holes. I don’t think it’s an accident that no one talks these days about what Matt Blaze actually found except to say that he discovered “security flaws” in Clipper. This formulation allows the reader to (falsely) assume that Blaze’s research shows that government access always undermines security.

The success of this tactic is shown by the many journalists who have fallen prey to this false assumption. Among the reporters fooled by this line was Craig Timberg of the Washington Post: “The eventually failed amid political opposition but not before Blaze … discovered that the “Clipper Chip” produced by the NSA had crucial security flaws. It turned out to be a back door that a skilled hacker could easily break through.” Also taken in was Nicole Perlroth of the New York Times: “The final blow [to Clipper] was the discovery by Matt Blaze… of a flaw in the system that would have allowed anyone with technical expertise to gain access to the key to Clipper-encrypted communications.”

To her credit, Nicole Perlroth tells me that the New York Times will issue a correction after a three-way Twitter exchange between me, her, and Matt Blaze. But the fact that the error has also cropped up in the Washington Post suggests a larger problem: Reporters are so sympathetic to one side of this debate that we simply cannot rely on them for a straight story on the security risks of government access.

PC Shutdown Timer and Schedule – Magic Timed Shutdown Updated to Version 10.03

Magic Timed Shutdown is a professional software application that powers off your computer automatically at specific times. It has four main features – timed auto shutdown, advanced computer control, computer use time limitation and startup/shutdown log analysis. In this new version, we fixed some bugs and enhanced the software stability.

Change Log of Magic Timed Shutdown 10.03:

File Name: Magic Timed Shutdown

Version: 10.03

File Size: 5.45MB

Category: Timed Shutdown Software

Language: English

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: July 07, 2015

Download Address: http://www.dogoodsoft.com/magic-timed-shutdown/free-download.html

What’s New in This Version:

* Enhanced software interface for XP;

* Improved software stability;

– Fixed the bug that the system cannot be shut down in some cases;

– Fixed several minor bugs.

Why Choose Magic Timed Shutdown:

Magic Timed Shutdown is an advanced and powerful tool that permits you to schedule certain tasks for your computer, such as shutdown, logoff, standby, reboot and so forth. It has four main features – Shut Down, PC Management, Time Limit and Log Analysis, which can meet all customer requirements, and especially, is a good helper for parents and computer administrators.

In The Debate Over Strong Encryption, Security And Liberty Must Win

When Sen. Chuck Grassley (R-Iowa) gaveled a Senate Judiciary Committee hearing into session on Wednesday, he called it the “start” of a conversation about privacy, security and encryption. Frankly, it was just the latest forum for a much older discussion.

While it may have been the beginning of a long day on Capitol Hill for FBI Director James Comey, the national conversation about law enforcement and strong encryption has been ongoing since the 1990s and the so-called “Crypto Wars.” While the debate now has a charged geopolitical context, includes the biggest tech companies on the planet and involves smartphone encryption, it’s not a new one.

No cryptographers testified at Wednesday’s hearing. If one had been present, he or she might have told the representatives of the Federal Bureau of Investigation and the Justice Department that what they were asking Silicon Valley to develop — retaining the capacity to respond to lawful orders by providing data from computer systems with end-to-end encryption — wasn’t technically feasible in a way that didn’t fundamentally compromise the security of those systems.

If any of the 15 experts in cryptography that authored a new white paper on encryption had been called to testify, they likely would have made that case:

In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

The FBI and Justice Department may want the tech industry to “try harder” and give a “full, honest effort” to find a technological way to provide access to encrypted information, but the tech industry isn’t biting.

“Proposals to mandate weakened encryption would undermine security and end user confidence in the Internet without any clear national security benefits,” said Abigail Slater, the vice president of legal and regulatory policy at the Internet Association.

“Strong encryption protects billions of global end users from countless privacy threats ranging from financial fraud to repressive governments stifling speech and democracy. Instead of forcing companies to lower their security standards, policymakers should promote and protect the wide adoption of strong encryption technology.”

In his spoken testimony, Comey said, “There is no such thing as secure: There’s only more secure and less secure.”

Of that, there is no doubt. “Split key encryption,” where digital master keys to unlock encrypted data or systems are held in escrow, is less secure, just as it was when government officials proposed it nearly two decades ago.

The Justice Department and FBI may want to have a debate on encryption, but they’ve been dealt a losing hand at this table.

As law professor Peter Swire testified later in the Senate hearing, the review group on intelligence and communications technologies that President Barack Obama convened in August 2013 unequivocally recommended supporting strong encryption in its report on liberty and security later that year:

The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.

That conclusion is anything but isolated, as Kevin Bankston, the director of the Open Technology Institute at the New America Foundation, pointed out in an essay Tuesday:

…the broad consensus outside of the FBI is that the societal costs of such surveillance backdoors — or “front doors,” as Comey prefers to call them — far outweigh the benefits to law enforcement, and that strong encryption will ultimately prevent more crimes than it obscures.

Tech companies, privacy advocates, security experts, policy experts, all five members of President Obama’s handpicked Review Group on Intelligence and Communications Technologies, UN human rights experts, and a majority of the House of Representatives all agree: Government-mandated backdoors are a bad idea. There are countless reasons why this is true, including: They would unavoidably weaken the security of our digital data, devices, and communications even as we are in the midst of a cybersecurity crisis; they would cost the US tech industry billions as foreign customers — including many of the criminals Comey hopes to catch — turn to more secure alternatives; and they would encourage oppressive regimes that abuse human rights to demand backdoors of their own.

Bankston is no zealot, nor has he impugned the honor, intentions or distinguished public service record of Comey, who has notably stood on the side of civil liberties in his career.
What Bankston and many others are saying, and have been saying for years, however, is that protecting the privacy of citizens from those who would do them harm or steal from them is now intrinsically bound to encrypting devices, communications and data.

That’s true whether for cellphones, email, health records, tax transcripts or the of  tens of millions of public servants.

This isn’t a competition between privacy and security or a choice between opposing value systems: it’s security and security, and on the line is the capacity of democratic societies to do investigative journalism, engage in digital commerce or securely make transactions with government.

It’s fair to acknowledge that the FBI may have a diminished capacity to conduct some investigations as a result, but in striking an appropriate balance between safety and liberty, that is sometimes the outcome.