On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik entered the Inland Regional Center in San Bernardino, California and opened fire on the attendees of a holiday party underway inside. After four minutes of shooting, the married couple fled the scene and left 19 dead in their wake. At the time, it was the deadliest act of terrorism in the United States since 9/11.
Farook and Malik were both killed in a shootout with authorities later that day, and in the weeks that followed the tragedy, it became apparent that this act of terrorism was an inciting incident in the renewal of another war which began over 20 years ago. This war, however, is only tangentially related to religiously motivated terrorism. Rather, its frontline combatants are programmers and hackers, the battlefield is cyberspace and the munitions are lines of code.
It is Crypto War 2.0, and its outcome will affect every internet user on Earth, for better or worse.
THE FIRST CRYPTO WAR
What you are about to see was considered to be a highly dangerous and easily accessible weapon in the early 1990s. It was classed as a munition by the US government, and its traffic across borders was regulated in the same manner as hand grenades and tanks. It looked like this:
It may not look like much, but putting these three lines of code on the internet without a permit technically made you an illicit arms dealer under the International Traffic of Arms Regulations (but in a bizarre twist, putting it on a t-shirt or in a book was totally chill). The script is an RSA signature coded in the PERL programming language and was used early on in the development of Pretty Good Privacy (PGP), a method of digitally encrypting messages.
Although the first crypto war is rooted in export regulations established at the height of the Cold War with the development of the Data Encryption Standard for use by commercial and military entities, the effects of these crypto regulations didn’t become apparent until 1991. This was the year that the software engineer Phil Zimmerman wrote his PGP program and began disseminating it on the internet, making public key encryption widely available for the first time.
As the US News reported in 1995, the feds came after Zimmerman for violating regulations relating to export of munitions because his software had been exported out of the country on the internet. The first crypto war had begun.
“The government's fear was that if we didn't regulate this [RSA implementation], it would allow the bad guys to have perfect security,” said Nate Cardozo, a senior attorney at the Electronic Frontier Foundation, during a presentation at DEF CON last weekend.
Around the same time that the feds were trying to prosecute Zimmerman, two other major battles of the first crypto war were being fought.
The first was being waged by Netscape Communications, the company responsible for the first widely used web browser, Netscape Navigator. The company was working on developing its SSL encryption protocol to ensure security on its networks, which would eventually lead to the HTTPS web encryption standard used today. But Netscape had a problem: It was in the business of supplying access to the global internet, but the United States’ ITAR regulations meant that it couldn’t export its full, 128-bit SSL encryption protocol outside the US and Canada. So they created a significantly less secure 40-bit encryption protocol that was legal to provide to non-US citizens.
Yet as Cardozo pointed out, Netscape’s dual standard did little besides highlight the absurdity of the US government’s attempt to regulate encryption. In 1995 there was no way to block Netscape users based on the geographical location of their IP address, which meant that when you logged on to Netscape Navigator, you were presented with a choice between the US/Canada 128-bit SSL version of Netscape or the International 40-bit version. The choice was made by clicking a radio button for either version.
There was no way to verify whether or not you were actually in the US when you selected the 128-bit protocol—it was just as accessible to someone in the Kremlin as it was to someone in Kansas. In other words, Netscape was in the business of exporting munitions around the globe.
The same year as the US News report on Zimmerman’s trial, a 24-year-old Daniel Bernstein contacted the Electronic Frontier Foundation. He wanted to sue the US Department of State for a right to write about his cryptographic algorithm, Snuffle. In April of 1996, the case was settled in favor of Bernstein, who is now a computer scientist at Eindhoven University of Technology, in a landmark ruling that classed code as a form of speech, which meant it was subject to First Amendment protections. That same year, President Bill Clinton signed executive order 13026 which removed encryption as a munition regulated by ITAR, and feds dropped their investigation of Zimmerman.
The crypto wars appeared to be over, with encryption and its infosec champions emerging as the victors. But the celebrations would be short-lived.
CRYPTO WAR 2.0
Fast forward 20 years from the Bernstein ruling to the aftermath of the San Bernardino attacks. In the weeks that followed the shooting, federal investigators were faced with a problem: the iPhone 5C used by Farook was encrypted and the investigators were unable to access the data stored on the phone. This prompted FBI officials to contact Apple with requests to help them unlock the phone by creating a version of iOS with a backdoor that would allow the government access to the data on the phone. Apple denied their requests on the grounds that it would never compromise the security of its projects and so the FBI applied for a court order which would force Apple to create the requested software.
It's like they want shyt to not be secure at all.