Why Crypto Backdoors Wouldn't Work
An anonymous reader writes: Your devices should come with a government backdoor. That's according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.
Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."
They didn't get their way through other means really. Mass surveillance doesn't trump encryption -- on the contrary, encryption is the only protection against mass surveillance. I think it was more that encryption just wasn't used for most communications, so they realized it was a moot point. Now that companies are shifting toward end-to-end encryption, it's becoming relevant again.
https://www.eff.org/https-everywhere
They can read your RAM
Intel Active Management Technology
(aka vpro, aka vt)
Hardly a good example, Android is clearly *front*doored. It even comes with specific spyware apps for the purpose!
For one thing, it communicates your location, even without GPS, even with location services turned off (Google has a separate switch; you have to turn it off twice). You'll never be able to stop their Play Location Service unless you root.
All those free messaging services that need all those permissions, you sign up and your contacts list is sent to them.
Then there's the 'cloud backup' that lets you 'backup' to their cloud.
Go see the list of apps installed on a typical Android phone and you'll see they can take control of the phone USING ONLY THE VOICE CHANNEL, see all files, all SMSs, all passwords, record voice, video, fake calls, fake messages. There are quite a few of these, DSMLawMo + DSM Forwarding is one (of 3) that came installed on mine.
You think it went away with CarrierIQ?
I just read the entire article and the author forgot one other solution: the British solution. Instead of putting the burden on app developers to include backdoors, or on Google to block apps that don't, put the burden on end users to turn over their keys to police when asked. I'm not saying I like this solution, but it is a solution the author of the article didn't consider. If you make the sentence for non-cooperation long enough, it doesn't really matter if the police find what they're looking for: they can just lock you up for not handing over the keys.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
I heard a scream come from inside your house, and one of the windows is broken, I think that gives me enough cause to break in.
I want to start by saying that I'm against these measures but while all that is true, it only gets that bad if you try to enforce 100% compliance. Simply making cryptographic systems without backdoors illegal would have a large deterrent effect. It'd be the equivalent of the fact that locks on your doors don't provide 100% security because windows are so easily broken, but we still lock our doors.
First off, making non-breakable crypto illegal would prevent such crypto from being used in traditional commercial products. Second, the government wouldn't have to attack the problem from the front like the article suggested. They could use their NSA spying capability (once again, not a big fan) to look for unauthorized encrypted communications. They already take special note of encrypted data use, and with it being made illegal they could directly legally target the users of such tech. The chilling effect of such a large scale NSA backed takedown would be huge.