32 comments

[ 10.5 ms ] story [ 1055 ms ] thread
> Congressman Lieu is one of only four computer science majors in Congress.

There's four computer science majors in Congress? That's four more than I would've thought.

There are 8 engineering majors in Congress (all in the House IIRC), which is pretty suprising.
You'd be surprised. There was even a math major with a masters in computer science who ran for president, Herman Cain.
Herman Cain is a Comp sci major?! Wow, I really had no idea...
I'm very pleased to discover that there are four but I think we need many, many more if we are to change how our government works.

Working in/with technology everyday, we are accustomed to wanting to find technical solutions to all of our problems. Unfortunately, not every problem can be solved with a technical solution. If we are to succeed in changing things, we need people who understand technology in positions of leadership in the government.

There are a lot of very, very intelligent people in Silicon Valley and many of you are here on HN. I wish some of you would consider running for office.

It's comforting knowing there actually are people in congress who understand why weakening our cybersecurity is not the answer.
And there's STILL people who insist Apple is bent on protecting the privacy of a dead terrorist...
Kudos to Ted Lieu. It is frustrating that a piece of legislation passed in 1789, is being substantively applied in a manner that erodes privacy, compromises business and does little to provide further security in ever changing threat landscape.
There is always talk of preventing the next terrorist attack, but there is almost no talk about what is considered acceptable risks.

The attacker inflicted horrific mayhem and death for sure, but let not forget people die of other more common untimely causes all the time.

We put more anger against human agents rather than the impersonal forces of nature.

And it also gave people excuses to revel in their bigotry and suspicion.

What do I know? I wasn't angry that people die in a terrorist attack in France. Nor am I angered or saddened by the attacks in California.

Even now, I respond to the fact that the FBI are the bad guys because of an abstract threat to our privacy.

Terrorists don't matter to me.

They can kill a thousand men and women in a single day, and I wouldn't bat an eye.

What they did was certainly horrible, but they are of no more consequences than a thousand tragic motor accident until congress pass laws and law enforcement demands more power or that we should torture people.

Funny how that works.

That's not to say that I don't have emotion. On the contrary, the most common emotion for me seems to be cringing for other people when they made fools of themselves.

But it is true that terrorist attacks make for interesting news story, in the Chinese sense of the word.

We accept the risk of a car crash when we get in our car. Going to the mall or movies doesn't have the same mental acceptance of that risk, making it more tragic.

I think you can be sad for the victims and their families and still awknowledge that other issues are more important sometimes.

We accept the risks of Freedom when we get in our Democracy.
>> We put more anger against human agents rather than the impersonal forces of nature.

That too is a very american thing these days. "Natural" disasters are seen in religious terms. Things from nature come from god and are believed unstoppable. Floods, earthquakes, tornadoes... even the suggestion that they can be mitigated or prevented is derided. Many take the suggestion that man is more powerful than nature as an affront to deeply held religious views.

This argument makes no sense. There's no legal right to be free from court-approved government surveillance. The government has always had the authority to compel the cooperation of third-parties in search and seizure cases. This is an awesome power, which is why you need to convince a judge to issue a court order to use it. The only way that we ever thought encryption could thwart surveillance is by raising technological barriers. This was Apple's whole argument in the first place! "We can't help the government hack into your iPhone because it's impossible for us to do it ourselves". Turns out that they were wrong; the government did find a way to hack into it given Apple's secrets (their code-signing key).

Now Apple is bending over backwards to try to make it sound like their original argument still applies, when in fact they're making a totally different argument from what I'm going to call "encryptyness", like Colbert's "truthiness". It goes like this: "we tried really hard to protect this technology from our own capabilities, and we convinced our customers that we did, even though it's now clear that we didn't; it would hurt us to be seen helping the government in contradiction of our previous claims, so the government should pretend that we can't help them. They shouldn't be able to get court orders for anything that's encrypty enough." Or even more legally laughable, that the government shouldn't have search and seizure authority period.

The other arguments in support of Apple also have no legal merit. My favorite is the slippery slope argument, that if the government gets a taste of this power that they'll come back for more and use it on everyone's phone. Judges are fully capable of distinguishing between different circumstances. This case is decided on the merits of this case. Tomorrow's case is decided on the merits of tomorrow's case. This is a fundamental principle of common law.

The government's not asking Apple to create a backdoor for them. The door already exists and Apple created it for itself, when they didn't include Apple as a potential adversary in their threat model (which is contrary to their public claims). They could very well design their phones to not have this vulnerability, but it would require a more sophisticated approach. Apple wants the benefits of owning 'your' phone, and the benefits of not having any power over it. You can't have your cake and eat it too.

> Judges are fully capable of distinguishing before different circumstances. This case is decided on the merits of this case. Tomorrow's case is decided on the merits of tomorrow's case.

The US legal system is heavily based on following precedent.

(comment deleted)
Precedent applies when you have facts that are fundamentally equivalent. Forcing Apple to hack a particular phone is totally different from forcing them to ship phones with backdoors.
So when the fact is the government has another phone they want decrypted, and the precedent is that if you lean hard on Apple, they will make it easy to brute force, then the result will be another phone unlocked. And another. And another. And then they'll start leaning for something harder. If you think that this has a chance in hell of being an isolated case, then I've got a bridge in Brooklyn to sell you.
> So when the fact is the government has another phone they want decrypted, and the precedent is that if you lean hard on Apple, they will make it easy to brute force, then the result will be another phone unlocked.

And what's wrong with that? If they get warrants for each phone.

Putting up walls in the form of code signing, TPMs, rate limiters, password hash functions designed to slow down iterative guessing, aren't vulnerabilities in waiting. The government changing the rules by claiming they're entitled to coerce a company to code changes causing these walls to be removed, does not make them pre-existing vulnerabilities.

If the Court rules Apple can be compelled to do the work to create significantly weaker software, and then authenticate it with their signing key, it's pretty reasonable Apple will look for ways to further hard code these walls into the hardware. It's not just in their marketing interest, although that's a factor, it's to get themselves completely out of the business of even having these arguments almost every time they come up, when governments around the world say "gimme!" with a court order. If they refine this so they really can't comply, even by hacking their own products, then the only thing governments have left is to destroy the company. If they go down that road, we have much bigger problems.

>Putting up walls in the form of code signing, TPMs, rate limiters, password hash functions designed to slow down iterative guessing, aren't vulnerabilities in waiting.

It's all about threat models. If you're trying to protect your data from the government, anything that allows anyone but you to access the data is a vulnerability. Very few systems try to contend with such a threat model because it's really hard to defend against, and most people don't care about keeping their data from the government. Seamless updates are way more important to them.

A lot of focus here will be on him getting the technical details right, and I agree that he does, but I'd like to focus on his last paragraph because I think he gets the response to terrorism right too.

  The San Bernardino massacre was tragic but weakening our
  cyber security is not the answer – terrorism succeeds when
  it gets us to give up our liberties and change our way of
  life.
The terrorists don't win by killing people. The terrorists win by causing a disproportionate response. Our best response to these attacks is to be brave in the face of fear rather than to expect our government to make us safe.
>>> Can the government force Google to provide the names of all people who searched for the term ISIL?

Note the use of the term ISIL, not ISIS. America is all about language. Selection of terms, even pronunciation, has political meaning. Obama speaks of ISIL. Trump, ISIS. Brits, wanting to be politically correct, speak of "the so-called Islamic State", while those wanting to sound connected use the on-the-ground term "daesh". I'm tempted to create a venn diagram of these different political groups. At the centre of this diagram I should find the mythical voice of reason, a bridge transcending the idiots and capable of speaking to all sides.

I noticed a similar phenomenon many years ago in the spelling of Hezbollah. I think Hezbollah is the accepted transliteration into American English, but authors on the far right of the domestic political spectrum distinguished themselves with increasingly distorted spelling. Hizballah being common, but to make it look more like Klingon some wackos started adding apostrophes, as in Hizb'allah. This last version was especially popular on the radically zionist blog Little Green Footballs, and was localized to such an extent that one could recognize people who had fallen into that circle by their use of that spelling.

I think both of these words are dog whistles in American politics, used to subtly signal, as a kind of secret handshake, that the author and the reader are on the same side.

It's the "allah" part. Someone told them that Hezbollah means party of god and "allah" is the US spelling. At a subconscious level they probably enjoy using the term in a negative connotation.
(comment deleted)
Hizb'Allah is the most correct one. Hi babe is the Arabic word for "party", as in "The party of Allah". Right wing and zionists got it right this time.
And the New York Times says "The Islamic State, also known as ISIL, ISIS, or Daesh". Every. Single. Time. It gets kind of annoying.
NYT would have said "... I.S.I.L., I.S.I.S., ..."
And what term do these transcendent beings use? :-)
They would be those that use the term their audience expects. They would be the person who moves between all the terms, relying upon none, so to interact with all parties regardless of their codewords. Like a Canadian standing between a Brit and an American.
The vast majority in the intel community refer to them as ISIL so it's not surprising anyone who holds office would also refer to them as such (all of their briefs most likely refer to them as ISIL). ISIS is a mostly media / public term.
Honestly, out of every argument I've heard in regards to this whole debacle, this is the absolute BEST one:

> This FBI court order, by compelling a private sector company to write new software, is essentially making that company an arm of law-enforcement. Private sector companies are not—and should not be—an arm of government or law enforcement.

I get that, if court ordered, a company many have to hand something over. But to be court ordered to work for the government completely changes a company's business model (even if only slightly). It hampers their business (Apple isn't going to magically find, and then fire, the engineers who would need to work on this; they would have to be redirected from other projects).

Yes Apple would be compensated for their time but that doesn't change the harm it could do to their business, not just from a PR standpoint, but from the fact that they are forced to become a government contractor* and would need to redirect / shuffle resources from other projects.

* Yes yes I know Apple participates in government contracts but being forced into one is a little ridiculous.