
Thread: The EARN IT-Bill

  1. #1
    Veteran Member The Lawspeaker's Avatar


    This video is about the bipartisan EARN IT bill, introduced by senators Lindsey Graham and Richard Blumenthal. The EARN IT bill had its first hearing on March 12, 2020 and aims to allow the government to scan any and all messages online, eventually eliminating end-to-end encryption and the expectation of privacy altogether.



    Wake up and smell the coffee.


  2. #2
    Veteran Member The Lawspeaker's Avatar

    A sneaky attempt to end encryption is worming its way through Congress

    The EARN IT Act could give law enforcement officials the backdoor they have long wanted — unless tech companies come together to stop it


    A thing about writing a newsletter about technology and democracy during a global pandemic is that technology and democracy are no longer really at the forefront of everyone’s attention. The relationship between big platforms and the nations they operate in remains vitally important for all sorts of reasons, and I’ve argued that the platforms have been unusually proactive in their efforts to promote high-quality information sources. Still, these moves are a sideshow compared to the questions we’re all now asking. How many people will get COVID-19? How many people will die? Will our healthcare system be overwhelmed? How long will it take our economy to recover?

    We won’t know the answers for weeks, but I’m starting to fear the worst. On Wednesday the World Health Organization declared that COVID-19 had officially become a pandemic. A former director for the Centers for Disease Control now says that in the worst case scenario, more than 1 million Americans could die.

    This piece by Tomas Pueyo argues persuasively that the United States is currently seeing exponential growth in the number of people contracting the disease, and that hospitals are likely to be overwhelmed. Pueyo’s background is in growth marketing, not in epidemiology. But by now we have seen enough outbreaks in enough countries to have a rough idea of how the disease spreads, and to understand the value of “social distancing” — that is, staying behind closed doors. So I want to recommend that everyone here reads that piece, and consider modifying your behavior if you’re still planning events or spending a lot of time in public.


    One risk of having the world pay attention to a single, all-consuming story is that less important but still urgent stories are missed along the way. One such unfolding story in our domain is the (deep breath) Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act, which was the subject of a Senate hearing on Wednesday. Here’s Alfred Ng with an explainer in CNET:


    The EARN IT Act was introduced by Sen. Lindsey Graham (Republican of South Carolina) and Sen. Richard Blumenthal (Democrat of Connecticut), along with Sen. Josh Hawley (Republican of Missouri) and Sen. Dianne Feinstein (Democrat of California) on March 5.


    The premise of the bill is that technology companies have to earn Section 230 protections rather than being granted immunity by default, as the Communications Decency Act has provided for over two decades.
    For starters, it’s not clear that companies have to “earn” what are already protections provided under the First Amendment: to publish, and to allow their users to publish, with very few legal restrictions. But if the EARN IT Act were passed, tech companies could be held liable if their users posted illegal content. This would represent a significant and potentially devastating amendment to Section 230, a much-misunderstood law that many consider a pillar of the internet and the businesses that operate on top of it.


    When internet companies become liable for what their users post, those companies aggressively moderate speech. This was the chief outcome of FOSTA-SESTA, the last bill Congress passed to amend Section 230. It was putatively written to eliminate sex trafficking, and was passed into law after Facebook endorsed it. I wrote about the aftermath in October:


    [The law] threatens any website owner with up to 10 years in prison for hosting even one instance of prostitution-related content. As a result, sites like Craigslist removed their entire online personals sections. Sex workers who had previously been working as their own bosses were driven back onto the streets, often forced to work for pimps. Prostitution-related crime in San Francisco alone — including violence against workers — more than tripled.

    Meanwhile, evidence that the law reduced sex trafficking is suspiciously hard to come by. And there is little reason to believe that the EARN IT Act will be a greater boon to public life.

    Yet, for the reasons Issie Lapowsky lays out today in a good piece in Protocol, it may pass anyway. Once again Congress has lined up some sympathetic witnesses who paint a picture that, because of their misfortune, whole swathes of the internet should be eliminated. It would do that by setting up a byzantine checklist structure that would handcuff companies to a difficult-to-modify set of procedures. One item on that checklist could be eliminating end-to-end encryption in messaging apps, depriving the world of a secure communications tool at a time when authoritarian governments are surging around the world. Here’s Lapowsky:


    The EARN IT Act would establish the National Commission on Online Child Sexual Exploitation Prevention, a 19-member commission, tasked with creating a set of best practices for online companies to abide by with regard to stopping child sexual abuse material. Those best practices would have to be approved by 14 members of the committee and submitted to the attorney general, the secretary of homeland security, and the chairman of the Federal Trade Commission for final approval. That list would then need to be enacted by Congress. Companies would have to certify that they’re following those best practices in order to retain their Section 230 immunity. Like FOSTA/SESTA before it, losing that immunity would be a significant blow to companies with millions, or billions, of users posting content every day.

    The question now is whether the industry can convince lawmakers that the costs of the law outweigh the benefits. It’s a debate that will test what tech companies have learned from the FOSTA/SESTA battle — and how much clout they even have left on Capitol Hill.

    The bill’s backers have not said definitively that they will demand a backdoor for law enforcement (and whoever else can find it) as part of the EARN IT Act. (In fact, Blumenthal denies it.) But nor have they written the bill to say they won’t. And Graham, one of the bill’s cosponsors, left little doubt on where he stands:

    “Facebook is talking about end-to-end encryption which means they go blind,” Sen. Graham said, later adding, “We’re not going to go blind and let this abuse go forward in the name of any other freedom.”

    Notably, Match Group — the company behind Tinder, OKCupid, and many of the most popular dating apps in the United States — has come out in support of the bill. (That’s easy for Match: none of the apps it makes offer encrypted communications.) The platforms are starting to speak up against it, though — see this thread from WhatsApp chief Will Cathcart.

    In the meantime, Graham raises the prospect that the federal government will get what it has long wanted — greatly expanded power to surveil our communications — by burying it in a complex piece of legislation that is nominally about reducing the spread of child abuse imagery. It’s a cynical move, and if the similar tactics employed in the FOSTA-SESTA debate were any indication, it might well be an effective one.



    Wake up and smell the coffee.


  3. #3

    I first read about this on March 6th; being the Uber Geek that I am, I always hear about this kind of thing first:


    It's too bad mathematics can't bend to Congress's will.

    Tune in next week, when Congress stands on the beach and starts commanding the tides.


    Anyway, Congress can make commercial apps like WhatsApp have backdoors but they can't do it with open source projects like OpenSSH. OpenSSH is based in Canada and they have different laws on encryption and even on exporting it:

    OpenSSH (also known as OpenBSD Secure Shell[a]) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.[4][5]

    OpenSSH started as a fork of the free SSH program developed by Tatu Ylönen; later versions of Ylönen's SSH were proprietary software offered by SSH Communications Security.[6] OpenSSH was first released in 1999, and is currently developed as part of the OpenBSD operating system.

    OpenSSH is not a single computer program, but rather a suite of programs that serve as alternatives to unencrypted protocols like Telnet and FTP. OpenSSH is integrated into several operating systems,[7][8] while the portable version is available as a package in other systems.

    https://en.wikipedia.org/wiki/OpenSSH


    SSH File Transfer Protocol
    In computing, the SSH File Transfer Protocol (also Secure File Transfer Protocol, or SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capabilities. The IETF Internet Draft states that, even though this protocol is described in the context of the SSH-2 protocol, it could be used in a number of different applications, such as secure file transfer over Transport Layer Security (TLS) and transfer of management information in VPN applications.

    This protocol assumes that it is run over a secure channel, such as SSH, that the server has already authenticated the client, and that the identity of the client user is available to the protocol.

    https://en.wikipedia.org/wiki/SSH_Fi...nsfer_Protocol

    One can configure OpenSSH to be even more secure from the NSA too. The NSA can't crack certain OpenSSH traffic but it can already crack VPN IPSEC connections AFAIK.

  4. #4

    IPSEC, like SSH, can use multiple types of encryption. Both IPSEC and SSH can use AES encryption, for example.

  5. #5

    Originally Posted by Wegner:
    IPSEC, like SSH, can use multiple types of encryption. Both IPSEC and SSH can use AES encryption, for example.
    The Snowden documents hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.


    WikiLeaks has published as part of its Vault 7 leak, detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. Dubbed BothanSpy -- implant for Microsoft Windows Xshell client, and Gyrfalcon -- targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.

    The NSA has had some success in cracking Secure Shell (SSH) connections. To respond to these risks, a guide written by Stribika tries to help you make your shell as robust as possible. The two main concepts are to make the crypto harder and make stealing keys impossible. So prepare a cup of coffee and read the tutorial carefully to see what could be improved in your configuration. Don't install what you don't need (as any code line can introduce a bug), use the kind of open source code that has actually been reviewed (e.g. OpenBSD), keep your software up to date, and use exploit mitigation technologies.







    OpenBSD is a free and open-source Unix-like operating system based on the Berkeley Software Distribution. Theo de Raadt created OpenBSD in 1995 by forking NetBSD. According to de Raadt, OpenBSD is a research operating system for developing security mitigations.[4]

    The system is intended to be secure by default. Many of its security features are not included in other operating systems.[5] According to author Michael W. Lucas, OpenBSD is "widely regarded as the most secure operating system available anywhere, under any licensing terms."[6]:xxix

    The OpenBSD project maintains portable versions of many subsystems as packages for other operating systems. Because of the project's emphasis on code quality, many components are reused in other software projects. Android uses its C standard library,[7] LLVM uses its regular expression library,[8] and Windows 10 uses OpenSSH with LibreSSL.[9]

    The name OpenBSD refers to the availability of the source code on the Internet. It also refers to the wide range of hardware platforms the system supports.

    https://en.wikipedia.org/wiki/OpenBSD



    You may have heard that the NSA can decrypt SSH at least some of the time. If you have not, then read the latest batch of Snowden documents now. All of it. This post will still be here when you finish. My goal with this post here is to make NSA analysts sad.

    TL;DR: Scan this post for fixed width fonts, these will be the config file snippets and commands you have to use.

    Warning: You will need a recent OpenSSH version. It should work with 6.5 but I have only tested 6.7 and connections to Github. Here is a good compatibility matrix.

    The crypto

    Reading the documents, I have the feeling that the NSA can 1) decrypt weak crypto and 2) steal keys. Let’s focus on the crypto first. SSH supports different key exchange algorithms, ciphers and message authentication codes. The server and the client choose a set of algorithms supported by both, then proceed with the key exchange. Some of the supported algorithms are not so great and should be disabled completely. This hurts interoperability but everyone uses OpenSSH anyway. Fortunately, downgrade attacks are not possible because the supported algorithm lists are included in the key derivation. If a man in the middle were to change the lists, then the server and the client would calculate different keys.

    Read more below:


    https://stribika.github.io/2015/01/0...ure-shell.html
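
The quoted guide's point that the algorithm lists feed the key derivation, shown as an added example (not part of the original post or of the guide it quotes): both sides hash their own view of the two KEXINIT messages into the exchange hash H from RFC 4253, so a list rewritten in transit yields different session keys. The version strings, host key blob and DH values are constructed placeholders, and `simulate` is a hypothetical helper.

```python
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for non-negative n (leading 0x00 if the high bit is set)."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big") if n else b"")

def kexinit(kex, ciphers, macs) -> bytes:
    """SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) with an all-zero cookie."""
    lists = [kex, ["ssh-ed25519"], ciphers, ciphers, macs, macs,
             ["none"], ["none"], [], []]
    body = b"".join(ssh_string(",".join(names).encode()) for names in lists)
    return bytes([20]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k) -> bytes:
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 section 8."""
    blob = b"".join(ssh_string(x) for x in (v_c, v_s, i_c, i_s, k_s))
    return hashlib.sha256(blob + mpint(e) + mpint(f) + mpint(k)).digest()

def derive_key(k, h, letter, session_id) -> bytes:
    """RFC 4253 section 7.2: key = HASH(K || H || letter || session_id)."""
    return hashlib.sha256(mpint(k) + h + letter + session_id).digest()

# Constructed sample values, not taken from a real connection.
V_C = V_S = b"SSH-2.0-OpenSSH_6.7"
K_S = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))  # placeholder host key
E, F, K = 0x1234, 0x5678, 0x9ABCDEF                        # toy DH values
STRONG = (["diffie-hellman-group14-sha256"], ["aes256-ctr"], ["hmac-sha2-256"])
WEAK = (["diffie-hellman-group1-sha1"], ["3des-cbc"], ["hmac-sha1"])

def simulate(tamper: bool):
    """Return (client_key, server_key) for the client-to-server cipher key."""
    i_c = kexinit(*STRONG)                        # what the client really sent
    i_s = kexinit(*[s + w for s, w in zip(STRONG, WEAK)])  # server offers both
    i_c_seen = kexinit(*WEAK) if tamper else i_c  # what reaches the server
    h_client = exchange_hash(V_C, V_S, i_c, i_s, K_S, E, F, K)
    h_server = exchange_hash(V_C, V_S, i_c_seen, i_s, K_S, E, F, K)
    # On the first key exchange the session_id is H itself.
    return (derive_key(K, h_client, b"C", h_client),
            derive_key(K, h_server, b"C", h_server))

if __name__ == "__main__":
    for tamper in (False, True):
        c, s = simulate(tamper)
        print("tampered" if tamper else "untouched", "-> keys match:", c == s)
```

In a real handshake the server also signs H with its host key, so the client rejects the exchange at signature verification before any mismatched key is used.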

  6. #6

    Yes, for example, DES and Triple DES are widely known to be crap but I believe SSH v2 still allows the use of Triple DES. Security standards typically require disabling this and other weak ciphers.

    As far as keys, yes, if they are stolen your communications are no longer secure. With a key it was trivially easy to decrypt SSLv1; Wireshark even supports this. SSLv2 is another story, though--did not have any luck using Wireshark to decrypt SSLv2 even with a key, but I found another way to do what I needed to do (troubleshooting) so I didn't spend much time with it.
