Slashdot Mirror
Leaked Memo Says Apple Provides Backdoor To Governments
Voline writes "In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices.
The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
The next time you text "i hacked my xbox!" to your friend, expect federal prison for life.
It's all a big setup. The Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices. Now any terrorist loses his rights as an American. The next war is at civil. No wonder the troops are coming back home.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
I'm not a huge open source guru. I have nothing against it and I use open source software all the time. But I'm not a zealot on the subject. Still... this is unacceptable. If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license. if they're going behind my back to sell my security to a third party... then I consider that a breach of contract and I'm really not amused.
If this is valid... and it hasn't been confirmed yet... then anyone that signed that agreement is untrustworthy.
Nothing else to say on the matter.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Is there any reason to believe that governments wouldn't put pressure on all OS vendors, telecom providers, etc that wanted to sell into their countries to do something like that? I'd be very surprised if very many cellphones so in the USA don't have a way in for the Feds.
...) originate in China, what are the odds that they are not all compromised?
At the same time, if you are concerned about the possibility of backdoors, it's awfully easy to bury one in deep in some standard hardware component that user space processes and most of the OS don't normally interract with. Since most of our cellphones and PCs (and GPSs and media boxes and cameras and
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
How RIM, Nokia and Apple becomes just Apple is beyond me. Magic?
This smells of bullshit. Now a tweet and a few images are considered legit news? Couldn't just one journalist or blogger pick up the phone and get the "RINOA" comment on the matter? Or is it just easier to post conspiracy-laden speculation ending with a giant question mark?
You know, your argumented and reasonable stance on this problem is what led many "open source zealots" like me into their present situation. In a functional legal environment you could use proprietary software and assume that such a breach of confidence would have so serious consequences for the companies involved that no one would dare to take the risk to put a backdoor in their software or to even make it possible. This is not however the case, this affair is one of many (CarrierIQ, Echelon, illegal-later-legalized wiretapping, Bluecoat, Amesys, etc...) and the only cure seems to use open source everywhere a backdoor could exist. And that means, mostly, everywhere.
Anyway, I like how you present it : "I'm not an open source zealot, I'm merely an opponent to secret backdoors"
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
But how uninformed do you have to be to blame Kakkar for something he didn't write?
Well, you're slightly better off. Unless you expect a global conspiracy where every person who ever read the code and would talk about it has been bought or silenced.
The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
And face it, the worst is not the possible surveillance by the ones that originally placed this. These people did invest significantly to place and hide the backdoor. They will use information gained from it only sparingly, to protect the source. After all, if they are caught possessing information that they can only have gotten this way, the backdoor becomes worthless.
IMO the real problem is if the backdoor can be used by others that do not have to protect their investment or respect laws (however flimsy). For an example of surveillance software made by people without much of a clue about security, look to the German "Bundestrojaner", recently analyzed by the CCC. Severe flaws include no authentication or encryption on data transfer, a hard-coded AES key that seems to be the same in all instances used for command transfer (still no authentication), and data-transfer via a foreign server (which is likely illegal). In addition, these cretins are of course not liable if somebody uses their backdoor and likely will not even notice.
Same old story: For a few temporary small benefits, people are willing to accept enormous potential damage. That is my personal definition of evil.
On the protection side: Use reputed open-source. There is at least some chance that somebody will notice a backdoor and that the person will not be easy to silence. And once somebody has found such a problem, anybody can verify it. Not so with closed-source. There it would be a lot more difficult to find anything, and then to get taken seriously as others cannot easily verify a finding. Some postings here already demonstrate that problem. In addition, use restrictive firewall settings and encryption. Difficult to do in a mobile setting, I know, so as a last measure, do not trust any device not under your own system-administration. In particular, do not trust any mobile phone or similar system. You may also want to add markers to any document you do put on potentially backdoored devices, so you can identify the source. This last step also helps against insiders leaking data.
Of course, if your secrets are transient and not worth risking the backdoor for (even fore a 3rd party user of said backdoor), then you are probably reasonably secure. This should apply to most people for private use.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
No need for global conspiracy. You don't control what code is used to build your Android handset. The handset maker just tell you what base version they used and you need to trust them. Even on a vanilla Galaxy Nexus that would be trivial to slip a backdoor.
No. As soon as you decrypt anything to use/view it on a compromised system then that data is compromised, as is any other data using the same key. Anyone with secrets worth protecting shouldn't be storing them on a phone or accessing them from an insecure device.
While most people cannot, or will not read the source code... It only takes one of them to read it and find a backdoor, and then tell the world.
If your really paranoid, you can read the code yourself or find someone you trust to do it for you. Personally i'd much rather trust a friend, or someone who is working explicitly *for me* than a company which has the primary goal of making profit at any expense.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
2 weeks after my wife and I bought our house in 2001, I was laid off. After 3 months of searching 9/11 happened, and the shit really hit the fan. Silicon Valley for a time looked like a ghost town. Moving trucks were moving east (getting the fuck out of dodge so to speak)
A year later I wound up getting a crappy job at a bar. 10 years later I'm still here, working on my own software that runs certain aspects of the bar (very profitably I might add) When we bought our house in 2001 interest rates were sky high, and the wife and I thought our futures in tech were pretty secured. I think we were at 10% interest. We refinanced twice over the 10 years trying to keep payments down so we could stay in our house.
In the last 2 years the ARM on our loan got so high we were paying over $1600@mo for the new interest charges alone. We were virtually on the brink of losing our house. Then the "Obama Affordable home" plan was passed. Bank of America didn't make it easy. My wife had to call them every single day for a year. (like calling your AT&T subcontractor when your T1 goes down) At one point they denied us because "We couldn't verify your identity" (one of the loan modders wrote my social security number down wrong)
Despite what you might think of Obama.. He's just doing the best he can. He's no Bill Clinton, but having to clean up after GWB can't be easy. He stopped the banks from bending over hardworking people. Osama was killed during his term. Troops are withdrawing from Iraq.
Please, please, PLEASE stop spreading this lie. We can't run a country based on false information.
The NDAA is a military spending bill. It gets passed every year. For several years it has allowed the military to detain members of Al Qaeda, and no one had a problem with this. In the latest version, this was expanded to cover members of other terrorists organizations, but it still states that it cannot be applied to United States citizens or immigrants.
I know that doom and gloom is fun. It gets the blood pumping, and being outraged squirts some feel good chemicals into your brain. But stop spreading lies, and go read the damn thing. Claiming that the US is now a police state is the sort of lie I'd expect from Glen Beck; no different from claiming that the government subsidizing people meeting with their doctor to learn about Do Not Resuscitate orders is equivalent to the Holocaust.
A smart backdoor would look like a bug and could easily be explained away as such...
Tee hee. A while ago, one of the hacker sites had a competition to see who could hide a "backdoor" -- the idea was to take an image in a script compatible form (all the numbers were in text, rather than in binaries), black out a certain region (think redaction), and still have some way to have the redacted area be recoverable when the right inputs were given.
The catch? The code would be given a peer review, so you had to come up with something that would pass most attempts at oversight.
A lot of people tried to hide stuff in "error detection" routines.
The winning code had no bugs of any kind. It did perfect redaction of the specified area. No flaws, no errors, nothing to be spotted in code review.
Except for one oddball usage of fetching and writing individual characters -- getc() and putc(). The author explained that as an attempt to make sure that no matter what was in the input data, no matter how messed up the graphics were in an attempt to break the code, it would not have any overruns, no undefined behavior, etc.
Result? The "black" would be written out as "0", "00", or "000", depending on the light level of the source. For all three color channels.
Absolutely unnoticeable when viewed on a viewer. There was no hidden alpha channel, no slight alternation between black-0 and black-1, etc.
Yet you could still recover readable text, almost perfect pictures, etc.
Security hole back door? Very doable.