Hand over your WEP keys, or go to jail

[GostHacked]

I have noticed that in the past couple years, online security is a huge issue. Now we have a report from the UK about handing over your WEP encryption key. This is equivalent of handing over the keys to your house to the government. NO FFFFFF WAY. Privacy is important to all of us. To me it is important as well, there are just some things no one needs to know. And it is nothing illegal, I just like some aspects of my life private.

http://news.zdnet.co.uk/0,39020330,39269746,00.htm

Businesses and individuals may soon have to release their encryption keys to the police or face imprisonment, when Part 3 of the RIP Act comes into effect

Anyone who refuses to hand over a key to the police would face up to two years' imprisonment. Under current anti-terrorism legislation, terrorist suspects now face up to five years for withholding keys.

Most people and companies that use encryption have it to secure their important transactions. Personal banking information, companies internal communications. Some stuff the government just does NOT need to know. But how will we catch those terrorists you say?

"Terrorist cells use master keys on a one-to-one basis, rather than using them to generate pass keys for a series of communications. With a one-to-one key, you may as well just force the terrorist suspect to decrypt that communication, or use other methods of decryption," said Clayton.

So handing over those keys are useless. Also if I suspect my system is compromised, I change the WEP key right away. Also for me I have not used wifi to this date to keep my system almost problem free. This makes it easier for big brother to watch over me and easier for my information to be used and abused against me. I do not want my information falling into the wrong hands. Meaning people with bad intent who has authority. I agree not all people are bad and not everyone is doing illegal things, but this is a huge blanket of authoirity that to me, seems like it can be abused very easiy.

But again, people will say but if you are not doing anything wrong, what is the big deal? Read this article then comment on that.

http://www.wired.com/news/columns/0,70886-...l?tw=wn_index_2

[geoffrey]

I don't like this one bit. This definitely oversteps both civil liberties and common sense.

[Riverwind]

I have noticed that in the past couple years, online security is a huge issue. Now we have a report from the UK about handing over your WEP encryption key. This is equivalent of handing over the keys to your house to the government.

I understand your concern but I see a need to update laws to deal with encryption. I don't see a problem with police going to a judge and getting warrent that would allow them to seize encryption keys. I see this as no different from getting a warrent to search someone's place of work. That said, the artical made no mention of warrents or similar safeguards. If that is the case then I agree it is something everyone should be worried about.

[GostHacked]

I have noticed that in the past couple years, online security is a huge issue. Now we have a report from the UK about handing over your WEP encryption key. This is equivalent of handing over the keys to your house to the government.

I understand your concern but I see a need to update laws to deal with encryption. I don't see a problem with police going to a judge and getting warrent that would allow them to seize encryption keys. I see this as no different from getting a warrent to search someone's place of work. That said, the artical made no mention of warrents or similar safeguards. If that is the case then I agree it is something everyone should be worried about.

With the tools that are available out there, and I would suspect the government intelligence agencies have it, they can hack a wep key in seconds. So that is really pointless. And I agree, like everything else, a warrent should be obtained if they suspect things. If that is not the case, pointless.

There are many companies out there that do not even use the encyption, so their whole comany is compromised at that point. Even home users, lock down your stuff.

[BHS]

There are a number of problems with this scheme:

- Like our own gun registry, this system only targets law-abiders. Anyone who uses encryption for legitimate purposes will register their encryption key. Terrorists will not. Failure to comply with registration rules is nothing compared to the other stuff they're doing.

- If a company decides to change their security system and / or update their encryption key they will have to re-register to be in compliance. What if the registration system goes down? What if you've been hacked and want to make changes today, but it takes a week for the government to get up to speed? If you are checked for compliance during the window between updating your own system and the government updating their records, will you be charged with non-compliance? How much of a hassle will it be to beat the charges? There's plenty of potential for nightmare scenarios there. And, as I mentioned above, these nightmares will only apply to people who have an interest in following the law. If your business is really a terrorist front there's little likelihood you're going to mind shutting down operations and fleeing if you're charged. Only a business with aspirations to permanency has to worry about the consequences.

[Machinations]

There are a number of problems with this scheme:

- Like our own gun registry, this system only targets law-abiders. Anyone who uses encryption for legitimate purposes will register their encryption key. Terrorists will not. Failure to comply with registration rules is nothing compared to the other stuff they're doing.

- If a company decides to change their security system and / or update their encryption key they will have to re-register to be in compliance. What if the registration system goes down? What if you've been hacked and want to make changes today, but it takes a week for the government to get up to speed? If you are checked for compliance during the window between updating your own system and the government updating their records, will you be charged with non-compliance? How much of a hassle will it be to beat the charges? There's plenty of potential for nightmare scenarios there. And, as I mentioned above, these nightmares will only apply to people who have an interest in following the law. If your business is really a terrorist front there's little likelihood you're going to mind shutting down operations and fleeing if you're charged. Only a business with aspirations to permanency has to worry about the consequences.

/agreed

Registering the keys makes no sense. WEP is not really 'secure'. A weakness in WEP's encryption key derivation implementation makes it possible for an attacker to derive a WEP-protected network's WEP secret key-the encryption key used by all clients on the entire WLAN-after capturing a sufficient number of packets. In other words, against a determined attacker - its useless. Most high security outfits have tried some kind of rotating WEP key system - this works, but the overhead it introduces is huge.

So in other words, if your average 'script kiddie' can hack a WEP key with a laptop, 15 minutes and the backseat of a car, imagine what a real attacker can do. Registering the keys is pointless - the government can brute force a PGP key given a few hours, doubtless - a WEP key would be broken in moments. So if they need something, they can get it. I'm not sure why they would need a registry, or what purpose it could have.

Here's a site that gives you an idea of the scope of the problem: http://www.wardriving.com/