Thursday, November 11, 2010


*** What can we do to help the FBI? ***

This is feedback that I sent to Steve Gibson of grc.com about a newly proposed law in the USA. Look in his transcripts or listen to the Security Now podcasts for more details.

martin

Hi Steve,

Love the podcast, love SpinRite and all the rest.

We need to move the 'complaining' conversation about "back-doors" onwards. As opposed to emphasising how such laws hurt the "good guys" and not the "bad guys", we should rather be asking what the "good guys" would be willing to do to help the (write in your national authority).

I personally want to be able to guarantee privacy of my content point to point, and of course I can now always do so. As you say, the maths is in the public domain. But I am perfectly happy to at least 'consider' providing information to authorities if they have 'due cause' to request it.

I am perfectly happy to freely tell the authorities:

- what tools I am using to achieve content privacy
- when I am using these tools
- and how they can ask for further info.

I think that all 'good guys' should be happy with this.

My suggestion for what might be done to help the authorities is a law that mandates encrypted P-to-P software to pass a single message to the authorities (probably in the jurisdiction of the software provider, and then let the nations share!):

- each time the software is started
- giving name/id of user (needs prompting)
- contact (tel or email address etc.) (needs prompting)

This packet should be encrypted with the authorities' public key (note the IP address is already in the packet).

This has the effect of:

- limiting software providers' responsibility, placing the onus on the user
- unnerving the 'bad guys'
- providing simple 'traffic info' direct to the authorities
- a start for refining a white list for filtering
- and a route for contacting the user

Now obviously it's trivial to lie about name and contact, but provided a few checks are made, it will make life more dangerous for the 'bad guys', and probable false info would be 'due cause' for further investigation.

A checksum of the program would be incorporated to provide at least some protection against program modification or information replay.

You can imagine this as a largely reusable module, which would reduce costs to the software provider, since it is not dependent on the system architecture. The user is basically self-licensing the software with the authorities on each use.

Anyway, my main purpose is not to 'solve' the issue, but rather to highlight the idea in the title: how can we help?

People are free to use these ideas as they wish.

cheers

MartinW
