Slashdot Mirror
Leaked Memo Says Apple Provides Backdoor To Governments
Voline writes "In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices.
The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
The next time you text "i hacked my xbox!" to your friend, expect federal prison for life.
It's all a big setup. The Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices. Now any terrorist loses his rights as an American. The next war is at civil. No wonder the troops are coming back home.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
I'm not a huge open source guru. I have nothing against it and I use open source software all the time. But I'm not a zealot on the subject. Still... this is unacceptable. If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license. if they're going behind my back to sell my security to a third party... then I consider that a breach of contract and I'm really not amused.
If this is valid... and it hasn't been confirmed yet... then anyone that signed that agreement is untrustworthy.
Nothing else to say on the matter.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Is there any reason to believe that governments wouldn't put pressure on all OS vendors, telecom providers, etc that wanted to sell into their countries to do something like that? I'd be very surprised if very many cellphones so in the USA don't have a way in for the Feds.
...) originate in China, what are the odds that they are not all compromised?
At the same time, if you are concerned about the possibility of backdoors, it's awfully easy to bury one in deep in some standard hardware component that user space processes and most of the OS don't normally interract with. Since most of our cellphones and PCs (and GPSs and media boxes and cameras and
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
How RIM, Nokia and Apple becomes just Apple is beyond me. Magic?
The only way to be reasonably sure of security is by using open source encryption (TrueCrypt, PGP). If you're only using a "black box" system to protect your information, you should expect that governments (and crime syndicates who can bribe individual government employees) will have access to your information.
What's surprising is that anyone with secrets worth protecting doesn't already know this, or hasn't already hired someone competent enough to tell them this.
This smells of bullshit. Now a tweet and a few images are considered legit news? Couldn't just one journalist or blogger pick up the phone and get the "RINOA" comment on the matter? Or is it just easier to post conspiracy-laden speculation ending with a giant question mark?
Unless you've personally verified every single line of code in the OS, you're not really better off. You've just hoping that others have verified every single line of code, and unless you've verified that they're all trustworthy, you're just hoping that's true, too.
...and in case anyone's thinking this is an astroturf troll, I use Linux, not Windows or Mac. I've exclusively used Linux for 11 years now.
You know, your argumented and reasonable stance on this problem is what led many "open source zealots" like me into their present situation. In a functional legal environment you could use proprietary software and assume that such a breach of confidence would have so serious consequences for the companies involved that no one would dare to take the risk to put a backdoor in their software or to even make it possible. This is not however the case, this affair is one of many (CarrierIQ, Echelon, illegal-later-legalized wiretapping, Bluecoat, Amesys, etc...) and the only cure seems to use open source everywhere a backdoor could exist. And that means, mostly, everywhere.
Anyway, I like how you present it : "I'm not an open source zealot, I'm merely an opponent to secret backdoors"
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license.
HaHaHaHaHa, HoHoHoHoHo, HaHa, Hoooo....
Eh, turn your keyboard around, gullible is written under it.
There's no scientific consensus that life is important.
Huh? How has a government or large corporation been wronged?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?."
Such an uninformed idiot to not have noticed, how serious the issue but rather wants to gain publicity by making this, big against Apple.
Ridiculous
This is not at all unfair to single out apple in this. It has been apparent for some time that M$ would sell their users security to the highest bidder. Nokia and Rim don't make desktop software, so that leaves apple providing a backdoor on one platform as perfectly viable evidence that they would do this on their other major platform, especially since the two share a significant codebase. The revelation here isn't that only apple would do this, its that apple would do this, and risk their brand at all. All the other players had a bad reputation to start. The big question is: What has google done?
-=Geoskd
I wish I had a good sig, but all the good ones are copyrighted
Nice fanboi response. It has really become a religion.
But how uninformed do you have to be to blame Kakkar for something he didn't write?
Well, you're slightly better off. Unless you expect a global conspiracy where every person who ever read the code and would talk about it has been bought or silenced.
The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
How can anyone be so naive to assume that any system that is commercially produced in large numbers these days does *not* have in-built backdoors for the alphabet soup agencies? Living under a rock much, are we?
Same goes for Google, Facebook and all the rest. If you, even for one second, assume that the three letter agencies do not have permanent liaison staff at the HQs of these companies, and are not free to browse the data accumulated by these companies at will (including specially built data mining apps that cater for their needs, and their needs alone), you are seriously deluded.
Sorry to put it this bluntly, but reality can be a bit harsh at times.
The only real question is what to do about this status quo, and whether it is both possible, or realistic, to ever change it. All things considering, our society is arguably (still) the most free society on the planet. "They" are listening to everything, which is most definitely not the way it should be. But then, "they" have also not been hugely disruptive of discourse within society so far - mainly, I would wager, because "they" are mostly fairly normal citizens who work for the *** agencies. In particular, "they" are not a pampered, segregated elite of any sort, e.g. like the IT minions of the investment banking crooks^H^H^H^H^H^Hcrowd, or the secret service bastards of the former communist countries (who enjoyed considerable privileges beyond what normal citizens ever got). Rather, due to the never-too-stellar payment schemes of government services, the people in charge of all this are, by and large, fairly normal people. Most of them, at least. To quite some degree, I would wager that we can fairly safely count on that sort of people not being all too willing to cooperate in the creation of an actively evil 1984-ish state (as opposed to the passively listening one we have at the moment).
This is not to say that these developments are in any way positive. Nor is it to say that we should just roll over, and stop fighting developments like that. No way. We need to sharpen our instincts for (as it were) "digital freedom" much, much more. But as a part of this, we also need to be realistic about the status quo. Which is currently... odd: theoretically fairly evil, but in practice, apparently still fairly manageable.
Just my 0.2$
A.
If a person were to help another government gain access to confidential data, it would be called treason. If APPLE or Nokia does it, it is OK? Can someone please explain that?
The shiny backdoors the US government was so keen on to spy on its own citizens are also used by foreign governments to spy on the US government. Maybe security and privacy is worth something after all.
And face it, the worst is not the possible surveillance by the ones that originally placed this. These people did invest significantly to place and hide the backdoor. They will use information gained from it only sparingly, to protect the source. After all, if they are caught possessing information that they can only have gotten this way, the backdoor becomes worthless.
IMO the real problem is if the backdoor can be used by others that do not have to protect their investment or respect laws (however flimsy). For an example of surveillance software made by people without much of a clue about security, look to the German "Bundestrojaner", recently analyzed by the CCC. Severe flaws include no authentication or encryption on data transfer, a hard-coded AES key that seems to be the same in all instances used for command transfer (still no authentication), and data-transfer via a foreign server (which is likely illegal). In addition, these cretins are of course not liable if somebody uses their backdoor and likely will not even notice.
Same old story: For a few temporary small benefits, people are willing to accept enormous potential damage. That is my personal definition of evil.
On the protection side: Use reputed open-source. There is at least some chance that somebody will notice a backdoor and that the person will not be easy to silence. And once somebody has found such a problem, anybody can verify it. Not so with closed-source. There it would be a lot more difficult to find anything, and then to get taken seriously as others cannot easily verify a finding. Some postings here already demonstrate that problem. In addition, use restrictive firewall settings and encryption. Difficult to do in a mobile setting, I know, so as a last measure, do not trust any device not under your own system-administration. In particular, do not trust any mobile phone or similar system. You may also want to add markers to any document you do put on potentially backdoored devices, so you can identify the source. This last step also helps against insiders leaking data.
Of course, if your secrets are transient and not worth risking the backdoor for (even fore a 3rd party user of said backdoor), then you are probably reasonably secure. This should apply to most people for private use.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Nothing new here: http://en.wikipedia.org/wiki/Lawful_interception
You may not like that, but that's the way it is. Communications providers can be forced to provide back doors for "legal spying" by governments. All governments know this, and use other methods to protect "sensitive" communications. Any other stuff is, well, who cares?
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Unless you've personally verified every single line of code in the OS, you're not really better off.
Even if you do, you're not sure. Your compiler may be compromised. See: Reflections on trusting trust.
Try this, not a dump but some more info http://www.zdnet.com/blog/india/have-rim-nokia-apple-provided-indian-military-with-backdoor-access-to-cellular-comm/838
Watch those corners
I bought the OS. I bought the machine.
Technically, while you bought the hardware, you did not buy the OS.
With the machine, you've got the right to do whatever you please with. (Modify, lease ...) Not so with the OS you believe you purchased.
Typically with proprietary software, you only buy a license to use it as-is, and you are not even entitled to study how it works, or even look for backdoors.
IMHO, this is the major problem with proprietary software, and an outrage that such agreements have any legal stance in a free-market society.
I think we can safely assume any closed operating system is backdoored. If I was a foriegn government I'd never use an operating system that I couldn't compile from source myself. I think this is one reason that MS was let off from the Fedreal Lawsuit so easily, so they could aid in surveillance. It makes sense, if I was in their shoes I'd do the same.
an internal memo of India's Military Intelligence that has been liberated by hackers
Let's set the record straight: that memo was stolen.
Catalin Braescu
Ofaly.com
This is borderline FUD. Yes it's possible to poison the code but with a proprietary closed system it's damn near certain you're backdoored. If for nothing else than for the company who sells the software to keep tabs on it. It's in their best interests not to sell you out because loss of credibility means loss of revenue but if the stakes are high enough they can be persuaded. For this reason it's not a problem for the average Joe usually but if you have anything you want kept secure and the stakes are high you'd be a fool to rely on your proprietary OS being secure. Risk management rules apply.
IF I was involved in anything where security was paramount. I mean here life or death basically. I'd certainly need to be sure of all my code and that would mean analyzing and compiling code. As for my own, individual security I feel more comfortable with a linux distro. It might be backdoored but I'm absolutely certain that Windows is compromised and I'm almost as sure about OS X.
No need for global conspiracy. You don't control what code is used to build your Android handset. The handset maker just tell you what base version they used and you need to trust them. Even on a vanilla Galaxy Nexus that would be trivial to slip a backdoor.
Exactly. Even the open source community is built on a massive foundation of blind trust, because perhaps one user in a hundred thousand will actually look at the source. Otherwise, no matter if it's open or closed, the average user says, "That looks neat, I'm gonna install that".
A personal anecdote: my open source theft recovery package for Macs has several thousand users. All of the source (with comments) is bundled with the installer, yet I often get questions from users about what the program does "under the hood", when they could easily learn the answer themselves by reading the source code.
The overwhelming majority of users seem to like open source because it's free, not because it is theoretically more secure. I might have been collecting private information from the users of my program for the past three years, and I often wonder if a single one of them would have bothered to check the source in all that time.
The best attack vector for any malware is incredibly simple: bundle it into something useful, and then give it away. You can guarantee that some people will install it (for the same reason they'll pick up and use a "lost" USB memory stick), because it is human nature to want to take advantage of something that is freely given.
Nothing has to be understood, you didn't buy the software you are renting it and the license agreement says so... It also says that you have no comeback against the company providing it. If you didn't like those terms, then you shouldn't have accepted them.
Companies exist to make profit, its only logical that they would sell you (a small fry) out to a large government willing to pay a lot more money and open up a potentially huge market to them. This is what companies do, welcome to capitalism.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Nokia and Rim don't make desktop software
Well they don't make their own operating systems for PCs, but they both provide desktop software that syncs the contents of the PC with the mobile phone. I've used both and once given the admin rights to install and self-update, I really have no means of knowing what else they read from my drives and copy to the mobile phone and /or to a Nokia/RIM server.
I think it highlights the importance of a common labelling for software in the same way that other consumer products have. In the past I thought it was important to have software labelled for "phones home", "displays adverts", "closed source", now this would require "has government mandated backdoors".
Even if a backdoor is discovered, there's no guarantee that credibility will be lost... A smart backdoor would look like a bug and could easily be explained away as such... Exploitable security holes are commonplace, who's to say some of them weren't originally designed as backdoors?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I think as a practical matter, any spying done on devices outside of RIM would have to be at the cellular carrier level - and that wouldn't require the handset makers to cooperate at all. Blackberries all get routed through RIM's servers, but pretty much every other smartphone is just an Internet node.
In the same vein, I'd think that if it's on wifi there wouldn't be anything special that a backdoor would get. Maybe I'm just not paranoid enough.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Go read NDAA, shamelessly passed by Senate (both parties) and shamelessly signed by Obama little more than a week ago. It allows for indefinite military detention of people your lovely govt. calls "terrorists" without charges and without recourse to a court of law as they're free to ignore court orders. With NDAA passed, US is now officialy a police state of kind it used to install in some many Latin countries in the past. You can kiss your freedoms goodbye as your constitution now has been teared down along with all its amendments.
I doubt US millitary will use it to full extent at first as it would be a major PR disaster, but as time passes and popular anger at corporations/government grows you'll see more and more of people in jail just refusing to do that our corporate overlords want.
The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.
My thoughts exactly. If you think about this as a developer who wants to implement a backdoor, open source is much more risky for you. You'll have to be clever in order to hide it in plain sight, and there is still a good chance someone will find it. In contrast, when the software is closed, you can write the simplest possible backdoor, and not worry about being seen.
Escher was the first MC and Giger invented the HR department.
Please, you are on Slashdot, we don't need facts when accusing Microsoft of evil!
I was with you until you said "easily" figure out what was going on under the hood by reading the source. Easy for you? Yes, you wrote it. Easy for me? In most cases, unless it's a really ridiculous source tree. Easy for the average user? You're giving the average person on the internet too much credit! :)
While most people cannot, or will not read the source code... It only takes one of them to read it and find a backdoor, and then tell the world.
If your really paranoid, you can read the code yourself or find someone you trust to do it for you. Personally i'd much rather trust a friend, or someone who is working explicitly *for me* than a company which has the primary goal of making profit at any expense.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
To everyone that's telling "oh you didn't buy it, you licensed it!" or "But you clicked OK on the EULA!" or any variation on that theme. I'm pretty confident I could effortlessly sue the silly pants off any company that did this to me... especially if I could show damages in court. What jury is going to sit there and say "oh, he clicked OK on the EULA..." From a legal standpoint, EULAs are almost worthless against consumers and I even question how effective they are against corporations. There are different legal standards here. A big corporation for example has a legal obligation to actually read everything to the last line and appreciate what all the various legal terms mean. One person that has no special legal knowledge can't be reasonably expected to sign such things.
The basis of legal contracts is that BOTH sides know, understand, and agree to the contract. If it can be demonstrated that either side could not be expected to reasonably know, understand, or agree to everything in a contract then the contract is invalid.
For example, if a blind man signs a 500 pages legal contract it's almost certainly invalid. To make such a contract valid there would have be documentation that made it clear throughout that the man read or understood the contract. That might mean having a notary read it and occasionally inital segments of the contract to signify that given portions had been communicated. Or it might mean giving the man a copy of the contract in braille or something.
The problem with EULAs is that no one reads them and worse no one can really be expected to read them. How many EULAs do you see in a day? I see about three on average and I think I've only read about two of them... and that was because I was bored.
EULAs mostly exist not to restrain consumers because they can't reasonably be applied to them. They exist to restrain other corporations who also use the software. Because other corporations don't have this protection. It's one of the big differences legally between small and large organizations. Small groups generally are given a lot of legal slack. Big companies have to make a point of dotting every i and crossing every t. They have to read all these EULAs. And while I bet they don't even do it, they would have a much harder time making the same legal argument in court that they simply don't have the reasonable expectation of reading or understanding such documents.
If Microsoft or Google did something that meant thousands of credit card numbers were stolen. Something where you could show damages. There is no EULA that would defend them. They'd get their silly pants sued off if it could be demonstrated that it was their fault.
Now if it was an issue of malware or something then they can probably successfully argue that end users have a responsibility to secure their systems and MS or Google didn't steal the numbers in any case or intentionally make them available. However, if MS and google intentionally used backdoors to get such information or sold the keys to those back doors to a third party that then used them to get the information. THEN those companies would be screwed sideways.
If the twentieth paragraph in the EULA says "oh by the way, we reserve the right to let third parties pilfer your data at will" it wouldn't stand in court.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
No password needed (But you need to find the hidden port / number to get to the right login screen)
And because they're guilty of one type of bad act, they're guilty of all types of bad acts? Like when I shoplifted last week, got caught, and am now on death row for murder, because being guilty of shoplifting makes me guilty of all other crimes.
Let me know when you find the article that says MS sold access to their phones and operating systems to open up a lucrative market. Anti-trust is bad, but it's not remotely related to selling backdoors for market access.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
So, if "America" backdoors products they sell in India...
Privacy is terrorism.
I dunno. Back in college I used to write code which did a task and also had some form of back door. I'd then challenge my friends to find it.
rarely could they find it even in reasonably minor applications or scripts.of course better coders would be better at finding them but better coders would also be better at hiding them.
Bradley Manning provided access to U.S. government secrets to everyone, because (or ostensibly because) the U.S. government was not duly informing the United States Citizens of the military's actions in their name.
Apple(*) provided access to U.S. government secrets to a foreign national government, because they wanted that foreign national government to give them quid pro quo access to a lucrative market.
Seems pretty clear Apple will be facing more severe charges than Bradley Manning, right? ... Or, at least, it's going to be in the same ballpark, right? ... Well, OK, at least, same kind of national debate, where questions of treason get raised, right? ... No? ... OK, then, well, umm, WTF?!?
* Note: RIM and Nokia are foreign -- an interesting angle to consider, but not as similar to Manning as Apple.
Stop-Prism.org: Opt Out of Surveillance
Why do you think it's so easy for spies to steal your cell phone data? You see it on shows like Chuck and 24 all the time! Spies all have a magical device that plugs into any cell phone and downloads all the data in exactly as long as it takes for the phone's owner to almost get back from the bathroom, giving them just enough time to put it back where it belongs.
How could they do that if Apple (i.e. every evil phone maker) wasn't providing them with a back door?
That's why I always carry a dummy phone with decoy data on it while my bluetooth headset is secretly connected to my real phone, which is hidden in my shoe!
Bush, Obama, Romney.
It no longer matters who you vote for, they are all owned.
Deleted
being leaked for iphones. there is a specific law about classified information being leaked for certain types of cryptographic information, but then only if its leaked to certain people.
the espionage act uses the phrase 'national defense information' not 'classified information'... because its a narrower concept.
but mostly, because presidents and congressmen leak classified information ALL the time to backup themselves in political fights. thats why so many news stories have the phrase "unnamed sources" or "those familiar with the matter" or "officials say that". thats pretty much all examples of someone leaking classified information.
so whenever a bill comes to congress saying 'leaking classified info is illegal', a bunch of them shit their pants because they themselves leaked it in order to make themselves look good / hurt their opponents.
"I think we can safely assume any closed operating system is backdoored."
http://opensource.apple.com/
A.
...bringing you cynical quips since 1998
That is why we install the OS ourselves.
Palm trees and 8
the government. how can it be considered stealing?
the two situations are not exactly the same. Manning is accused of giving information about the national defense to other parties. it would be very hard to argue that apple did that. they just gave instructions to India about how to backdoor their phones.
now the more accurate analogy would not be Bradley Manning, it would be the 'Cambridge Associates' who went under Grand Jury investigation in 2011 regarding their alleged assistance to Wikileaks (and are still under investigation). They are charged with Conspiracy to Commit Espionage. 18 USC 793 g.
now, the other law i think applies here would be the Computer Fraud and Abuse Act. why? the Espionage Act only applies to 'national defense information'. but the Computer Fraud and Abuse Act has its own sort of 'mini-espionage-act' inside of it... that applies to not just national defense information, but also "foreign relations" information. This is the only reason Manning could be sued on so many counts of violating the CFAA, for example the Reyjkavic 13 memo about Icelandic Bank Fraud - thats under the CFAA.
what you have here against Apple, could, theoretically, be Conspiracy to violate the Computer Fraud and Abuse Act, section (1) I believe is the Computer Espionage section.
--
another analogy would be George Hotz + FailOverflow, who published information about how to jailbreak the playstation 3. They were sued by Sony - but that was in civil court, not in criminal court. the DOJ never went after Hotz.
Hardware would have to be awfully clever to /predict/ the software that I'm running on it, and which of the data that it uses, is useful for corrupting or siphoning off.
Religion is what happens when nature strikes and groupthink goes wrong.
so google settled at 500 million with the government over the books scanning.. and 500 million with the FTC over drug ads..
so right there, I've proven definitively that google is at least half as evil as microsoft in your terms?
every day http://en.wikipedia.org/wiki/Special:Random
Yes, but you're still trusting the goverment to do this and the point that should be seen here is we can no longer depend on elected officials to look out for the people. All this simply reaffirms is what Richard Stallman has been preaching for awhile now. It is up to the people to educate themselves and take the proper precautions. Of course the 99% won't and cannot and thus this is the reason we will soon see an event like Arab Spring spreading to the west. Sounds a bit crazy but the revolution will be here...soon.
$action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
The big question is: What has google done?
IMHO certainly it has not installed the backdoor, but if you wanna be sure I suggest to buy a compatible phone, wipe everything on it, recompile and install Android from source avoiding any proprietary program. We probably agree that's very unlikely that any backdoor would be present in any free/open source program, much less one with such high visibility.
Yes, some Google apps are proprietary (Market, Maps, Videos...), you may want to use open source alternatives if you really don't trust Google.
The latest version (4.0, Ice Cream Sandwich) of the Android source code is available at: http://source.android.com/
Disclaimer: I speak only for myself and not anyone else. IANARE.
There's a hidden treasure in Python 3.x: __prepare__()
I think this apply to BlackBerry devices connected with BIS only. For BES devices (you have own mail server with blackberry software on it) it's still secure. Remember some goverments to ban BlackBerry devices - obviously it means they can not have backdoor for BES devices.
> Google was already exposed last year by Chinese hackers.
Yes! We are all very thankful to those hackers for exposing the secret agreements between Google and the Government that provide access to various email accounts. It is an important fundamental right as citizens to be aware of the workings of our governments. When these governments are corrupted by corporate influence there is no turning back. That is why, I hope all of us will do the right thing now. For the sake of our internet, and our way of life, I suggest we get the rest of us after them. In peace and freedom from fear, and in true health, through the purity and essence of our natural fluids.
There was a time when efficient encryption was considered a weapon and could not be exported from the US. This was given up later.
Looking back this was just logical. The point is that controlling what code is being exported is very hard and anyway coming up with good encryption is not that hard anyway. But once you have devices everywhere that can use end-to-end encryption of communications very easily and cheaply, everyone can use that and encrypted communication is basically out of control.
The only halfway practical way to deal with this is: Just allow all of this but make sure that you get access to the devices at a point BEFORE any encryption takes place (and after decryption).
I don't like the very idea, but on the other hand I really can't imagine any state or government to accept safe encryption in communications being the norm with no way to listen in. Democracy or not, but ubiquitous encrypted communication for everyone (including criminals, terrorists, whoever) is something that is impossible to accept for any government that sees controlling and policing as part of the job description.
You don't even need to go so far. My high school had a special program where students would purchase and own a laptop and use it in class. It was required for the program and the laptop truly was YOURS. They had extensive warranty programs and tech support for the students, but you still owned the laptop and would do so even if you were to leave the school at any point.
What I discovered mere months after getting the laptop was that the school's tech support had created a hidden Windows account (named "backdoor", how original) which had administrative rights and the same password for every laptop in the entire school. Five minutes of L0pht (not even illegal since I was applying it on my own property) gave me administrative access to hundreds of laptops.
I never actually spoke about it a whole lot outside of a few friends, but I think this highlights how people who have no clue about security can cause possible trainwrecks. Imagine if a malicious person had access to such information? That's hundreds of laptops used daily by minors that could be spied on.
If it's a concern, root the thing and install a self-compiled OS.
Did I forget to wind my watch, or is it 2000 all over again? Picking between different flavors of vanilla, and a few trillion dollars, a few thousand lives, some wonderful Federal legislation, zero wage growth, zero oversight of the financial markets...
The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.
Luke, help me take this mask off
This is a fallacy based on the idea that something is either completely secure or completely not secure. We don't live in that binary. We make security trade offs all the time, and measures which increase the time, cost and complexity of interception or attack are a good thing, even if they are not by themselves complete solutions.
With a self-compiled compiler.
When the policeman of the tie, rule you violate, hello punishment of the kitty?
Look at what you quoted. I am aware that I just own a license. However, any court worth it's salt will look poorly on a corporation that interprets that as meaning it can insert spy code into my systems and undermine my security intentionally.
The issue here will be showing actual damages to a court.
If you bring this to court and can show material damage of some kind that is quantified. Then you could gut them like a fish.
I know many in the corporate world view EULAs as fostian bargains that everyone that uses their products are stupid enough to sign. These EULAs are actually enforcable between corporations however you'll have a very hard time holding small businesses or consumers to them because it would be very very very easy to argue that they can not REASONABLY be expected to read and understand such agreements. The term "reasonable" is very important in contract law.
If it can be shown that either party in a contract could not have been reasonably expected to understand something or read it then it won't be enforcable. For that reason EULAs aren't particularly effective against consumers especially as it regards little hidden details. They can of course be expected to know that they're not support to pirate software. But they are likely not being made aware of the foreture of rights or other little things they might try to sneak into the contract.
Being sneaky with a contract works between big corporations. They can trick each other because they are expected to read and understand everything. However, individuals and small operations are given special protection. Generally anything that goes over our heads or is even a little slippery tends to not do well in court.
And if you add a jury trial to it... they're screwed.
The legal system has a lot of problems but it's more sensible then you give it credit.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
2 weeks after my wife and I bought our house in 2001, I was laid off. After 3 months of searching 9/11 happened, and the shit really hit the fan. Silicon Valley for a time looked like a ghost town. Moving trucks were moving east (getting the fuck out of dodge so to speak)
A year later I wound up getting a crappy job at a bar. 10 years later I'm still here, working on my own software that runs certain aspects of the bar (very profitably I might add) When we bought our house in 2001 interest rates were sky high, and the wife and I thought our futures in tech were pretty secured. I think we were at 10% interest. We refinanced twice over the 10 years trying to keep payments down so we could stay in our house.
In the last 2 years the ARM on our loan got so high we were paying over $1600@mo for the new interest charges alone. We were virtually on the brink of losing our house. Then the "Obama Affordable home" plan was passed. Bank of America didn't make it easy. My wife had to call them every single day for a year. (like calling your AT&T subcontractor when your T1 goes down) At one point they denied us because "We couldn't verify your identity" (one of the loan modders wrote my social security number down wrong)
Despite what you might think of Obama.. He's just doing the best he can. He's no Bill Clinton, but having to clean up after GWB can't be easy. He stopped the banks from bending over hardworking people. Osama was killed during his term. Troops are withdrawing from Iraq.
The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.
Spot on. The political systems have degenerated to the point that revolution is required to make real changes.
Deleted
A smart backdoor would look like a bug and could easily be explained away as such...
Tee hee. A while ago, one of the hacker sites had a competition to see who could hide a "backdoor" -- the idea was to take an image in a script compatible form (all the numbers were in text, rather than in binaries), black out a certain region (think redaction), and still have some way to have the redacted area be recoverable when the right inputs were given.
The catch? The code would be given a peer review, so you had to come up with something that would pass most attempts at oversight.
A lot of people tried to hide stuff in "error detection" routines.
The winning code had no bugs of any kind. It did perfect redaction of the specified area. No flaws, no errors, nothing to be spotted in code review.
Except for one oddball usage of fetching and writing individual characters -- getc() and putc(). The author explained that as an attempt to make sure that no matter what was in the input data, no matter how messed up the graphics were in an attempt to break the code, it would not have any overruns, no undefined behavior, etc.
Result? The "black" would be written out as "0", "00", or "000", depending on the light level of the source. For all three color channels.
Absolutely unnoticeable when viewed on a viewer. There was no hidden alpha channel, no slight alternation between black-0 and black-1, etc.
Yet you could still recover readable text, almost perfect pictures, etc.
Security hole back door? Very doable.
If you're THAT paranoid, yes. Build a compiler just good enough to faithfully compile a compiler just good enough to compile a stage 1 Gnu compiler, etc...
If it's just the particular carrier you're paranoid of (like the person I replied to), using a compiler they haven't touched is sufficient.
If the paranoia runs even deeper, then it's impossible to prove that I don't work for THEM, so you should do the opposite of my advice and run the carrier's official release. They'll never expect that.....
Unless of course, that's what I want you to think they think you thing they think...
Fnord.
Hm, I wonder if a smart keyboard ran its own OS, like Android, running an X client over a network to the main PC's X server, if that would secure the aggregated workstation better against keyloggers and other similar devices. Not trusting the local buses, which seem harder to secure. An Optimus keyboard might have the HW to run the OS and X client. A monitor that's just an OS and X server over a gigabit ethernet to the main PC might complete the picture. And maybe the whole thing would then run even faster.
Or maybe that all just kicks the can a little down the road, to where a keylogger or other spyware just infests the "app host" PC at the core.
--
make install -not war
The Linux kernel is 14 million lines of code alone, when I type in a password I'm guessing between the kernel, xorg and the browser at least double that. Even if only a tiny bit of the code paths are touched, what's to say there's not a trigger set up somewhere to peek at some buffers?
Let's say you're walking in a city of 14 million people. You stop at an ATM and enter your PIN. What's to say that one of those 14 million isn't watching, hoping to steal your PIN and then your money?
When you're wandering around in a city full of strangers, there are real security concerns, some of them supported statistically by the sheer impossibility of being able to trust every member of a given community. But even given those limitations, you can still maintain a decent level of confidence simply by keeping tabs on who's watching you.
But you've got other fish to fry when the bank itself says, 'You don't need to know about what security measures we've put into place. Just trust us.'
FOSS is not a cure-all, and making something open source doesn't magically make it secure or even trustworthy. The only benefit is that it makes it possible to verify. Which is more than can be said for proprietary software.
Crumb's Corollary: Never bring a knife to a bun fight.
there's hundred of people from various places writing and eyeballing source and commits. those people have no incentive to get backdoors in, and if there's a blacksheep, it's going to be very tricky to insert rogue code
Then please explain the reason why security bugs are found in OSS software. A backdoor is simply a security bug.
"If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
You could, or you could, for example, assume that, because OS X isn't a mobile phone OS, they weren't asked for those sorts of backdoors and didn't provide them. Or you could assume that they've provided both sets of backdoors, independently. I.e., the "if ... then" is somewhat bogus there.
One might be better advised to ask about backdoors in any OS, especially not-completely-open-source OSes, regardless of which particular vendor they came from. As noted elsewhere, the title of the /. article could be changed to "Leaked Memo Says That RIM Provides Backdoor To Governments" or "Leaked Memo Says That Nokia Provides Backdoor To Governments" without loss of generality. It could also be changed to "...Provides Backdoor To Indian Government", as the memo says nothing about other governments; the Indian government apparently required that to allow "Indian market presence", which is not to say that other governments do not impose similar requirements.
What's special about RIM, Nokia, and Apple, I have no idea.
More proof that Apple "caring" about users is complete bullshit. They only care about their bottom line. This is why they have so many user-unfriendly policies.
Boycott Apple.
...in favor about companies that care more about their users than their bottom line. Any suggestions for companies of that sort?
I highly doubt this is true. Not one of these companies would want to be a part of a government looking in on another government's information.
You're presuming that they were told that the purpose of this was to be a part of a government looking in on another government's information, or that, even if they were told or could guess it, they weren't in a position of plausible deniability.
I'm pretty sure that they would be good contenders for treason charges if this was true,
Good luck charging Canadian and Finnish companies with treason against the US (unless you're referring to their US subsidiaries).
That being said, if it's going across wires and isn't encrypted, you shouldn't really expect it to be considered safe information.
Exactly. The question is whether the backdoors mentioned in the memo allow tapping of information before it gets encrypted, e.g. a way to intercept ("lawfully" or otherwise) $PROTOCOL-over-SSL traffic.