Thank The US Govt For Making Your PC More Hackable
Jim Finkle writes at Reuters:
Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered "Freak" security vulnerability, which was initially believed to only threaten mobile devices and Mac computers, Microsoft Corp warned.
News of the vulnerability surfaced on Tuesday when a group of nine security experts disclosed that ubiquitous Internet encryption technology could make devices running Apple Inc's iOS and Mac operating systems, along with Google Inc's Android browser vulnerable to cyberattacks.
Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the "Freak" vulnerability.
The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption.
Note that last bit:
encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption.
Did you think government exists to protect you? (How cute.)
via @samizdatabot








Of course, there's a reason for this. Having systems more vulnerable to hacking makes it easier for the government to hack into our system. (Yes. Yes, they would.)
Now if you'll all excuse me, I need to get to the store to buy some more tin foil to make my beanies.
Patrick at March 9, 2015 6:46 AM
"Having systems more vulnerable to hacking makes it easier for the government to hack into our system."
You laugh, but back in the mid-1990s when this decision was made, that was the specifically stated rationale. Of course, it was put more in terms of "we have to be able to wiretap the bad guys", but the government honchos made it clear that they would not permit encryption that wasn't vulnerable.
If you want a scary-yet-amusing read, read up on the history of Clipper Chip and Skipjack.
Cousin Dave at March 9, 2015 9:54 AM
Sigh. The whole way Android is pushed out and distributed sucks.
> Google said it had also developed a patch, which it provided to partners that make and distribute Android devices.
If users have to wait for phone carriers, most people with Android devices will never see this patch.
jerry at March 9, 2015 10:22 AM
Microsoft was in the news not long ago for including NSA access codes in EVERY Microsoft program. The exact number of codes hasn't been determined, but each program contains several. Due to the compartmentalized engineering, no one person or group can know what the others are planting.
jefe at March 9, 2015 12:35 PM
Cousin Dave: You laugh, but back in the mid-1990s when this decision was made, that was the specifically stated rationale. Of course, it was put more in terms of "we have to be able to wiretap the bad guys", but the government honchos made it clear that they would not permit encryption that wasn't vulnerable.
Don't misconstrue my intentions, Cousin Dave. I didn't know that that was the rationale used, but I sincerely do believe that their intentions are to make it easier to hack into our systems.
The "tin foil" comment was merely to flip-off those who might think I sound like a conspiracy theorist. So, what if I do? I still believe I'm right.
Patrick at March 9, 2015 12:58 PM
encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption
Emphasis mine, as it did not regulate use of strong encryption within the USofA. That said, it was a completely stupid regulation. See, you could publish the source code to strong encryption algorithms in a book but you could not provide source code or compiled libraries/executables.
In fact, more than a few people (myself included) routinely violated that export law with four lines of perl. Thus if you ever hear me say "I was an arms dealer back in the 90s" that's what I'm referring to, as the US Government classified such encryption as a munition.
I always enjoyed a scene from Lord of War with Nick Cage, where he tells the BATFE agent that "I take it this isn't about the alcohol or tobacco?"
That said, as a network guy, I found FREAK about 10 days ago. It took me about 5 minutes to disable my web server from accepting the weak export ciphers. This is less about the failings of the US Government and more about not clearing out the trash from the code base.
Better yet: the encryption code base is so rickety and convoluted that it would be better to start from scratch, and well away from the prying eyes of the world's intelligence agencies.
I R A Darth Aggie at March 9, 2015 3:02 PM
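As an added illustration of the clean-up described in the comment above (not code from the commenter or from the original post), this Python sketch audits a cipher listing for export-grade suites. The sample text is constructed in the layout of `openssl ciphers -v` output from an older OpenSSL build; the function names are hypothetical.

```python
import re

# Constructed sample in the layout of `openssl ciphers -v` output from an
# OpenSSL build old enough to still ship export suites (not from the page).
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH  Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA Enc=AES(128) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA Enc=DES(40)  Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)  Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)  Mac=MD5  export
"""

# Matches fields such as "Kx=RSA(512)" or "Mac=AEAD" (bit size is optional).
FIELD = re.compile(r"^(Kx|Au|Enc|Mac)=([A-Za-z0-9/]+)(?:\((\d+)\))?$")


def parse_line(line):
    """Turn one listing line into a dict; return None for blank lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    suite = {"name": parts[0], "protocol": parts[1], "export_flag": False}
    for tok in parts[2:]:
        if tok == "export":
            suite["export_flag"] = True
            continue
        m = FIELD.match(tok)
        if m:
            key, alg, bits = m.groups()
            suite[key] = alg
            suite[key + "_bits"] = int(bits) if bits else None
    return suite


def audit(text):
    """Return export-grade suites: flagged 'export', <=512-bit key exchange,
    or <=56-bit bulk cipher. 'rsa_export' marks 512-bit RSA key exchange."""
    findings = []
    for line in text.splitlines():
        s = parse_line(line)
        if s is None:
            continue
        weak_kx = (s.get("Kx_bits") or 9999) <= 512
        weak_enc = (s.get("Enc_bits") or 9999) <= 56
        if s["export_flag"] or weak_kx or weak_enc:
            findings.append({"name": s["name"],
                             "rsa_export": s.get("Kx") == "RSA" and weak_kx})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Running it against the output of `openssl ciphers -v` for a server's configured cipher string should return an empty list once export suites are excluded.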
Shouldn't we thank the US gov't for making the Internet? At least the foundation, which was a Dept of Defense project to stymie the Soviet Union, ironically enough?
Andreessen's work at University of Illinois on the web browser Mosaic was funded by public govt money through the Supercomputing Act, and Google Chrome, Firefox, et al. still use Mosaic stuff, if I understand it correctly.
Maybe a commenter knows more about it.
US govt gave up control of Internet last year and it is now under an independent international group's guidance. Is that good? Hopefully the UN isn't involved.
Jason S. at March 9, 2015 7:59 PM
Patrick, I was actually trying to reinforce what you said... The Clipper was designed specifically to allow hacking by the government. There was something in the output protocol called the "Law Enforcement Access Field" or LEAF, which contained a unit serial number and some other identifying information, and was transmitted in the clear. The idea was that a law enforcement agency could get a warrant to decrypt an encrypted communication of interest, in the same way that they get warrants to wiretap land line phones. They would then take the LEAF information to the government-sanctioned Clipper manufacturer, which would reveal the keys for that device. Clipper would, if the government got its way, be the only legal form of encryption in the United States. All forms of encryption would be illegal, and law enforcement would be allowed to monitor communications systems for the use of illegal encryption, without a warrant.
There was a ton of speculation at the time concerning the algorithm built into the Clipper, which was called Skipjack. The speculation was that the NSA had a mathematical back door baked into the algorithm that would allow them to crack any Clipper device's encrypted data stream. As it turned out, the answer was a lot simpler: All of the Clipper chips had their keys derived from a single master key. The master key was supposed to be held in secret by the manufacturer, but there's not much doubt in anyone's mind that the NSA had it or would have it. With the master key, it was easy to produce the keys for any Clipper device.
Cousin Dave at March 10, 2015 10:53 AM
If Clipper had gone into wide use, it wouldn't have been just NSA that had the master key. Go over to Bruce Schneier's website and read his screeds on "security by obscurity".
When a single piece of information becomes that important, security will be breached repeatedly. If the KGB and GRU (or whatever they were called post-Soviet Union) couldn't manage to steal the key directly, they've repeatedly managed to infiltrate the NSA and CIA... Mossad would definitely have it, and MI-6, and the Brits have often been a sieve. Fifty lesser national spy agencies would make a try for it, and one of them is bound to get lucky - and shortly afterwards, the rest would get it.
And it won't be just governmental spies. Too many of their personnel feel they are underpaid, and the Clipper master key would be a goldmine in certain private hands - but the value would drop every time someone else sold it, so move fast. The key would spread to commercial espionage, who would be penetrated by teenage hackers... Pretty soon, if you forgot your key to your own files, you'd be almost the only one who couldn't read them.
But maybe that _was_ the real intention. US security agencies have often been far more concerned with keeping secrets from American citizens than from allegedly hostile foreign governments. Look back to the Pentagon papers, which was a massive study of the Vietnam War that was leaked to American newspapers. Among other "top secret" items was the bombing of Laos - the Laotian survivors certainly noticed, and the bombing was reported (and correctly attributed to the US) in newspapers around the world, but our government was assiduous in protecting us from this information. Clippings from London and Paris newspapers were in the file, stamped top secret. The biggest secrets in the entire mass of documents were the conclusions drawn by correlating many different non-secret information sources; that was a project quite beyond any individual citizen, and unlikely to be funded by even the biggest news media, but I'd be amazed if a very similar study wasn't locked in the vaults of the Kremlin - and I doubt they had to wait for the Pentagon Papers to come out in the New York Times to do the meta-study contrasting their study with ours.
markm at March 10, 2015 9:21 PM