Slashdot Mirror
UK Government Wants a Backdoor Into Windows
REBloomfield writes "The BBC is reporting that the British Government is working with Microsoft in order to gain backdoor access to hard drives encrypted by the forthcoming Windows Vista file system. Professor Anderson, professor of security engineering at Cambridge University, urged the Government to contact Microsoft over fears that evidence could be lost by suspects claiming to have forgotten their encryption key."
Let bad guys use deniable encryption schemes and this won't even be a concern... Please, someone in the U.K. gov get a clue about encryption!
\u262D = \u5350
... until the crack is published :)
(sadly this is more insightful than funny)
\u262D = \u5350
\ They just want to play with the big boys. We all know the NSA, the CIA, and the FBI each have their own key! \
Never ask for directions from a two-headed tourist! -Big Bird
It wouldn't surprise me in the least if the US govt has had a back-door inserted into Vista. The problem for the UK govt is that clearly the US govt doesn't want to share it with them. And would the uS govt want to allow any other govt to have their own back-doors, with the potential to remotely access PCs running Vista in the US? Somehow I doubt it.
Laziness, ignorance; the same that prevents them from using encryption now.
Pretty sure that's the point of encryption. Making sure that nobody but you and people you trust can read your data, and anyone else up to and including the government can't. Even if they really really want to.
When did a healthy mis-trust of government suddenly get you tin-foil hat status, and a visit from the FBI?
-- Sorry, I can't think of anything funny to say here.
US export restrictions for cryptographic software were violated when PGP spread worldwide.
This bring up an interesting point on ITAR and the US. Some encryption technologies could violate ITAR if they are done in the US and then exported to other countries. If I remember right, that was part of the reason encryption on OpenBSD was done in Canada.
Oh, and there are a few people who also consider encryption a matter of freedom of speech.
Some would, but how many governements and what is protected under the law. That is different everywhere. Others, also, consider it a privilege.
Some of these laws, in paticualr with the US, are actually there to protect it from other countries. Many people in the country may not want to protect the countires competitive edge but others do and that is part of what our government has been taked with for a long time.
Evolution or ID?
If governments force a backdoor to be installed, it'll be for sale to crackers before the gold masters are pressed, and common knowledge a few weeks later. So "trusted computing" can be subverted using the govt master key. And anyone who actually wants to keep secrets will install somethng that works while not requiring a magic dongle on the mobo. The govt will be able to read data from clueless suspects as they do now. So a win all round. And who doesn't suspect MS would leave backdoors anyway?
You should not be able to read the files without logging into the computer with your password and/or other identification token.
After logging in, the files are accessable. But not before. Someone who just swipes your PC would boot into Windows but would be unable to read any data files, even with a seperate boot CD. That's the whole idea.
But if the government adds a backdoor, you can bet that a hacker (white or black hat) would find it as well, probably within a few weeks of the OS being out. Thus making the encryption useless.
The whole government complaint is useless anyway because for all they know people can be using deniable encryptionn schemes *today* and they'd never even know about it.
Err... You did not understand the target.
The problem UK govt is having and US govt will have the moment they realise what is going on is that any media files on Vista PCs when distributed correctly via the supplied Vista Windows Media frameworks will be immediately encrypted and locked down using the TPM module to the specific machine. On top of that this will be determined by the people who distribute the files, not the users. This makes the current approach of taking disks out and hooking them to a forensic environment unfeasible. They will have to be decrypted on the machine after the user has logged in. It is sufficient for the user to refuse to log in on the machine and the police is stuffed.
As a result any attempt to collect proof of child pr0n and b00tleg movies/music will run into some serious difficulties as long as the providers of illegal goods have done their job of using Windows Vista right.
Frankly, the UK govt should whinge elsewhere. MPAA and the TP group is a good start. Whinging at MSFT is not going to get them anywhere because it will be not just MSFT, it will be everyone implementing this on every device in 5 years time.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Since when does the government have a right to all evidence in any case? One aspect of English law that I thought existed, is that the people should be protected from the government (particularly from self-incrimination). One could reasonably argue that the average citizen needs the availability of government-inaccessible encryption, due to the decreased cost (in terms of time and manpower) required to search through computer records vs. paper records. Current computers, and the massive amounts of data that they store (internet cookies, browsing history, cache data, registry entries, etc.) make fishing expeditions much, much, easier on law enforcement than sifting through physical documents and interviewing co-workers and family.
And right now Osama's thinking, "Wow, this is better than I could possibly have hoped for..."
Sorry, cheap jibe.
This is amazing - especially when the idea is being promoted by a 'Professor of Security Engineering' at a reputable university. How can adding a backdoor to security systems be anything other than a massive weakness just waiting to be exploited?
Imagine if this went ahead - the British government would want access to versions of Windows sold in this country, the American government to US copies of Windows, the German government ... and so on and so on... Would Microsoft allow the Chinese government access to their citizens' disks? The Chinese government are signed-up members of The War Against Terror - so they could claim they need access, and besides recent experience says that big businesses will always accommodate governments no matter how repressive.
And it gets worse. Microsoft would either have to make a single key that would open every machine in the World; or they would have to issue copies of all the keys to every government - the British government won't accept not being allowed into a suspected terrorist's (and we have a splendidly wide definition of 'terrorist' in this country) computer purely because the suspect happens to be foreign.
But it will all supposedly remain secure and not fall into the hands of wrong-doers.
The Home Office, IT and Microsoft - what an unholy trinity we have there. With this level of stupidity the legislation can't be far off.
...the TrueCrypt binaries alone in your possession then every piece of digital media you own that appears to contain random bytes will be accused of holding an encrypted volume and they will torture out of you whatever they want to hear you say.
Oh wait, I forgot... civilized Western nations never commit torture upon their subjects.
When will the courts realize the bloody obvious fact that bits on a hard drive are evidence of nothing! Until computers are not able to be remotely hijacked with all tracks erased, there's no way to prove who put the bits there!!!
As more and more traditional forms of evidence (audio tapes, photos, DNA records, VOTES for god sakes) become digitized, the more we need to be skeptical of them.
And don't bring up digital signatures so long as keyloggers exist.
Frankly I think it sounds insane.
Think of the number of people who work at Microsoft, even if you limit yourself to the people working upon the OS and not Office, etc, you're talking about literally hundreds of people who can view the source.
Then there are the people who gain access to the source code under educational licenses, NDAs, etc.
The idea that all of them could miss something that was a backdoor is a little hard to swallow. If there were something in the code that was meant to be used then I'm sure it would have been spotted.
(I guess you could say that the recent WMF vulnerability was in the code for years and nobody spotted it - but that is a relatively simple mistake and small piece of code.)
And even if there were a backdoor in the code, what does that even mean?
Would it cause the machine to reformat? Disable the firewall? (Thatd be useless behind a NATing device) Make outgoing connections to Microsoft? (That'd fail for non-connected hosts, and be caught by many people with hardware firewalls / etc).
Really this just sounds like a conspiracy theory ..
> The point is that they might use some obscure algorithm nobody knows
But they don't (invalid point).
> They can also implement standard algorithms such as AES
Which they did.
> but were they correctly implemented?
Yes. Ever heard of test vectors? It's easy to verify if a cipher is correctly implemented using official test vector sets.
> One minor thing - NIST certification is expensive, I doubt TrueCrypt will pass it, unless some company pays for this.
Now, I bet you are the developer or seller of the commercial encryption software you mentioned. Your message basically is: "Look, without money they are worse than us. Commercial stuff is better. Free software sucks." You are just a troll.
The most important point is, however, that being open source is a _premise_ of any security software that is to be trusted by general public. Closed source security is not real security.
Britain has sadly already become a police state. Only criminals and cops have guns, cameras everywhere, illegal to state non-liberal opinions, and now this. Once the control structure is fully in place, most Brits will find themselves being openly persecuted. Anyone want to bet how long it will be before they start implanting RFID chips in everyone? They'll start with the kids and say it's for safety.
Unfortunately, some in the U.S. want that here. I hope the red states can save us.
"The idea that all of them could miss something that was a backdoor is a little hard to swallow."
Sure, but at the same time, such a 'backdoor' does not necessaraly need be a huge part of the code base. There could very well be a very small, controlled group working on that specific piece of code and no one else ever needs to see it in order to write their own part of the code. You don't have hundreds of people looking at ALL the code, you have hundreds of people looking at hundreds of pieces of the code. And Microsoft is NEVER going to licence all of the code to educational/insertgrouphere/whoever. They won't ever release any so called 'backdoor' code.
"And even if there were a backdoor in the code, what does that even mean?"
It could mean just about anything. It could simply mean that the encryption algorithm simply returns true when the backdoor/decryption key is used instead of false. Or returns the user's key. Or whatever. It doesn't have to be complicated. The best conspiracy is a simple one.
</devilsadvocate>
Sounds to me more like the good guy is making a really smart play. Note that it looks like he sort of slipped this in as an aside, since he was really giving evidence about "holding terrorist suspects without charge". Talk about pushing all the right buttons on the govt. machine.
If you are an opponent of TCG / TPM / DRM it is really quite beautiful. As far as I can see it is something like:
"Hey Mr. Government Committee, while you're asking me about terrorist suspects you might want to note that this new TPM / DRM stuff coming real soon from MS/**AA now will make it virtually impossible for you to get info off suspects' PCs. Oh, and the PCs are setup that way by default so no chance of using that fact against suspect. Also, you know that law you fought so hard for where you can jail people for not handing over encryption keys ? - well with this new stuff the key's in hardware and the suspect never has it. If you're worried by this, then maybe you should speak to these guys about crippling the tech..."
Aim big nasty government machine at big nasty corporate machine, stand well back...
Sweet.
In the US, 12 September 2001.
In the UK, 8 July 2005.
You get the idea.
After a major terrorist act, the population is angry, not rational. Many are personally affected by the attacks. Thoughts of proportionate responses and civil liberties are overwhelmed by fear and grief.
This is, of course, the ideal time for a government to try to increase its own power at the expense of the people it should represent. This goes double for governments with only a tenuous hold on power, as is usually the case in the US because of its two-party politics, or for governments whose very mandate is dubious, as is the case of Blair's UK government (which didn't actually win the popular vote in England, and has often relied on the votes of Scottish MPs to push through controversial legislation to which their own constituents will be immune because the Scottish Parliament will decide for them separately).
Hence it is precisely in the wake of a terrorist atrocity that we should be keenest to protect our civil liberties, for it is at these times that they will naturally come under the gravest threat.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.