US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)
schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such a FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
And companies don't need a court order to ignore them.
when heavy-handed coercion will do the trick every time?
slashdot: A failed experiment.
it boils down to:
"I want this. give it to me!"
"why? you have shown you can't be trusted with this. and, math also says it's not possible."
"I don't care. I'll force you if you don't volunteer."
"looks like you want a fight. bring it."
and so on, and so on.
some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.
it's sad to see the schoolyard bully - who has a power complex - unwilling to give in. every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.
it's a tiring process and such a waste of time and energy. and yet, here we are, revisiting this issue yet another time.
--
"It is now safe to switch off your computer."
Microsoft OS
Cisco IOS
Intel ME
AMD TrustZone
Bottom line is they don't need encryption backdoors because they have lower level access. What the FBI and law enforcement need is a legal excuse for how they got your information without drawing attention to the more sophisticated exploits reserved for national security level operations (NSA, CIA, etc.)
They may be spying on you as well. But they won't be using what they get for any parallel construction.
Have gnu, will travel.
that's you Americans doubly fucked then.
So much for American technology
And given this is a Gizmodo article, entirely fabricated.
When I say no.
They did not need a court order to get Intel to install a backdoor into ME, AMD to install a backdoor into PSP, or Microsoft to install a backdoor into Windows 10, since they all did so quite willingly.
It is a shame consumers can no longer fully own their modern computers. And yet these government agencies refuse to cover any part of the cost of new computers which they have some control over.
I'll only buy from the Chinese and the Russians. They don't care what's on my devices.
Sure, they can ask, and any enlightened company will politely tell them, "No way!" And as long as companies are honest and upfront about whether or not they have built in back doors, so that their customers can choose whether or not they want to deal with the risk, I'm fine with it. The problem is, aren't the criminals the most likely to avoid all the tech with back doors? In other words, voluntary weakening of security doesn't really accomplish anything, does it?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
What makes you think that open source software is somehow any better?
As the Shellshock and Heartbleed bugs have proven, just because source code is available it doesn't mean that anyone actually looks at it. When major open source software projects have serious bugs in them that go undetected for years or even decades, it's doubtful that a well-hidden backdoor would be found.
Then there are projects like systemd and GNOME 3, which have introduced a lot of new code into many Linux systems. Has all of this code undergone a strenuous security review? I very much doubt it!
Even the OpenBSD project, which is perhaps the most stringent and careful open source project out there, has had scares in the past.
So I don't think we should consider open source software to be any better. It could very well be much worse.
I wonder, are any of these people elected? Do they think that they owe any allegiance to the elected US government, seeing that it changes all the time? And when the elected government tries to control them, they hiss and threaten to strike back. If they don't think they should be under the control of the elected government, what's to stop them from doing any damn thing they please?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
ASKING doesn't require a court order, and compliance is OPTIONAL.
Ken
the weasel words about PRISM.
If a company never refuses the gov, legal protections never had to be mentioned.
If the brand never says no to the gov, they never have to tell their own legal department.
The Rules of Collect it all Club.
First rule of collect it all club, never tell an in house lawyer.
Someone yells whistleblower, goes bankrupt, sells out, the collection is over.
No lawyers, no admins.
One agency at a time.
Collection will go on as long as it has to.
If this is your first connection to the Collection Club, you HAVE to collect it all.
Domestic spying is now "Benign Information Gathering"
I could ask a company to put a backdoor in their product if I wanted to. I might be laughed at, but I can certainly ask.
A court order is only required if you need to force the recipient to comply.
File under 'M' for 'Manic ranting'
she said.
Keep putting millionaires and billionaires in charge. I'm sure they'll drain the swamp any moment now. And if they're not to your liking how about a nice blue dog democrat? He (or she) will promise not to raise your taxes, doesn't hate gay people and won't touch Social Security or Medicare (or anyone over 55). Remember folks, if you don't keep putting pro corporate, right wing people in charge those tax and spend liberals will raise your taxes. And if you're reading this and you're American then I know 60% of you are living paycheck to paycheck (google it) and can't afford it, right?
The important thing is to remember to know your place, stay in your class, respect your betters, and don't ever screw with the aristocracy. Don't even suggest taking their money away, that would be morally wrong. You learned that in grade school economics. Capitalism got you into this mess and only capitalism can get you out of this mess.
Can you tell I'm bitter and angry? I don't suppose there's anybody on this forum that can make an ounce of that anger go away, is there? Well guess what, there's millions of guys just like me. And guess what happens when there's too many of us? What happened in the 20s? How about the 40s? Anyone want to take a crack at proving me wrong and injecting a little hope into this thread?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Some code hasn't been looked at in a long time. Correct. There could be back doors. Correct. There could be vulnerabilities (intentional or not). Correct.
Every software project, open source included, will have vulnerabilities discovered. There will be scares and exploits of open source like any other software. But yes, you can expect open source to be better. Because:
1) Very few major open source projects have any contributions that occur in a vacuum. Multiple eyes see every patch and for the most part, those multiple eyes are most often from people in multiple organizations with multiple day jobs and multiple personal goals/agendas. Aligning enough people's agendas to get a back door in would be difficult for any major open source project. Intentional vulnerabilities would be easier, but still not trivial. This isn't 20 years ago, people actively look at each patch with an eye towards whether it is introducing a vulnerability. This model is diametrically opposite of any closed source offering, where contributions are by one organization and at the sole control of whomever holds the purse strings.
2) If a vulnerability is suspected anywhere, you (and literally everyone else on the planet) have the option and ability to examine the source at any time. When you do want to investigate any particular piece of open source software, you don't need to decompile or reverse engineer something to do it. You don't have to fight the software in order to test it.
There have been (and will continue to be) vulnerabilities exposed from older open source code written when there was less oversight and less strenuous security testing, but if you want to compare this to the number of exploits (and in some cases intentional back doors) that have come to light in, say, Windows, from ancient code that has thunked its way down from Windows 3.1, the score isn't even close. And it's not like Microsoft is performing strenuous reviews of their old code - these vulnerabilities have come to light often only from outside researchers performing painstaking and arduous external testing and reverse engineering.
So while you are correct in that open source will never be free of bugs or exploits - it's still written by people, as much as the nut jobs still decry that hard AI is just around the corner. But yes, in this it is just plain better than closed source.
No tech company would put in a back door.
Any that does is basically saying "Don't buy our product" because, as soon as they do, GUESS WHAT..people won't buy it.
Look at what happened to Microsoft after the news about PRISM. Microsoft tried to make the camera a 'requirement' for all X-Box One games until a massive backlash happened. Microsoft backtracked and it basically killed the X-Box camera for gaming outside of a short list.
People won't buy a product with a built in back door. Companies won't make a product that people won't buy.
I never said open source was more secure. The article is about the US coercing companies to build in backdoors. The US has their exploits in open source as well but their method of obtaining them is different. The method is crucial to the justice system. I am ok with law enforcement getting a warrant and breaking my front door down. I am not ok with them enforcing no locks on any doors because it makes their job easier. When private US companies are forced to build backdoors it puts everyone at risk. Also when backdoors and security holes are independently found on open source software they can be patched. This is not the case with built in, custom order, spyware disguised as a feature the public wanted.
And you were doing so well until you brought up religion...
You can choose politicians, but by and large the party division is a sham and the "real" government marches on regardless. Witness how many federal government departments shut down under Trump: 0
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The tech companies need to ask the feds if they want a modern internet with secure banking and communications. Cause if they DO, the whole "backdoor" nonsense is a nonstarter. If you compromise a mathematically-proven and trusted system, guess what? No one can trust it anymore. On the other hand, if the feds really don't care if there's secure online communications or not, then hey, no problem.
What we seem to have are people who keep asking for the impossible without understanding what's really at stake.
and I will adapt!
They can make that argument, but they'd be wrong. Does nobody recall the Apple case and the one before that Apple relied on recently in its refusal to build a backdoor for the government? It boils down to this. The government can't compel a company to build it anything. The US isn't like Germany or other countries where courts have been able to force backdoors even into anonymous open source Tor-like homegrown anonymity network software.
This is also why the copy"right" industry will fail at forcing companies to implement censorship filters unlike its successes elsewhere. Essentially what it boils down to is that ISPs are not required to build censorship filters nor have they. So long as an ISP does not take the initiative to do so on its own a company can't be ordered to censor a web site or list thereof. In other countries like Canada and the UK there are either "voluntary" (created via threat of legislation forcing it) censorship filters or mandatory ones. The basis for these censorship filters, which remains a threat and danger to this day, was child porn. The UK doesn't just censor child porn and Canada is quickly becoming censorship happy too. Other seemingly modern countries have been found to be censoring political speech.
This shit makes me so fking angry. Privacy is dead, and has been for a long time. They really need to stop flogging this dead horse.
Encryption has made their job harder, boo effing hoo. Sounds like they need to just get better at their job and leave shit alone.
He lost me at slashdot.
I'm sure it'll be VASTLY entertaining when they get told to pound sand.
The second it's been found out one of these companies has compromised their encryption this way, it's The End for them.
Chas - The one, the only.
THANK GOD!!!
Despite all the corruption and crime in DC, you are probably far better off in terms of health and wealth in your life than what you would end up with, had you had to deal with a much more likely scenario.
Consider what you have in terms of hot and cold running water, heating, air conditioning, Internet, travel by car (or public transportation in your area, if that's your thing), health care, medication, and readily available food. Consider also, by comparison, the life you'd have, were you born into a wealthy or royal family about 300-400 years or so ago. Also, by way of comparison, consider the sort of life which is to be expected in some place like North Korea. Would you be so upset with what you have if your alternative is what people these days are getting under the rule of Kim Jong Un?
People were comparing Germany to the Stasi and worse here:
https://yro.slashdot.org/story...
Note that this article is from a local unknown journal, with NOBODY confirming what it pretends is happening, to my knowledge not even the local CCC knows about it, and at least if it tries to put it as law there will be a PUBLIC DEBATE, and this is Germany, not the US, people tend to really debate such things.
And here we have the US saying "fuck that, we are above the law, we can stamp you with FISC to have you add a backdoor". Bypassing the judiciary, not even needing law, bypassing checks and balances. And the reaction is.... Muted, far less vitriolic. Fancy that.
C. Sagan: The Demon-Haunted World:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
What the Shellshock and Heartbleed bugs have proven is exactly the opposite of what you are saying. If they occurred in closed source software they would have never been found. Or they may be found but kept secret because it cost money to fix. Or they may be found but only the "currently supported" versions are patched, and people with old versions are just told to fork out more money to upgrade.
The name of the game is not there will never be vulnerabilities in the code. The name of the game is whether those vulnerabilities will be found by good people before they are found by bad people. Since good people outnumber bad people, the more people in general who can look at the code the better the chances are that a good person finds the problem first.
Shellshock, for example, was known by nobody (effectively) until it was discovered, patched, and reported. It was only then that a bunch of bad people started to try to exploit it.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
A lot of computer owners would probably wind up keeping certain computers completely off any network connected to the Internet if the government had the ability to force the use of backdoors.
That would be worse for the value of the Internet than anything else I can think of.
Except they don't say no, remember Microsoft? Keen to get lots of surveillance contracts bent over backwards to give them disk encryption keys.
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
" Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal; The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail; The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide; Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;"
Blackberry? Remember their CTO's meeting with law enforcement to tout their cooperation?
Can I point out something that people don't seem to connect in the current shock reveal. Erik Prince of Blackwater proposed to Trump to form a hit squad/propaganda/plumbers unit loyal to Trump and Trump alone funded privately to overcome 'deep state' legal resistance. Erik Prince also admitted to meeting Kirill Dmitriev, head of the Russian Direct Investment Fund, when he was a Trump team advisor. So who do they think would fund and run these mercenaries loyal to Trump?... It's really no different to the hacking squad that backed Trump, it would be run in the same way.
Microsoft tried to push this as Palladium.
The British by way of ARM got the foundation implemented for ARM... 12-15 years ago. A similar featureset was offered prior to that via the BREW signed Java app support cell phones had been using since the late 90s. Intel followed by implementing it in the Q35/Q45 chipsets along with IOMMU support, working out the kinks in a couple buggy hardware revisions. They got it right with Sandy Bridge, but it still wasn't enough. AMD got pressured during this period, but thanks to their marketshare being crippled by Intel weren't forced into implementing it until their next major model revision, which turned out to be the FM2 chip generation, when the first of the ARM TrustZone cores went in. They didn't work right until FM2+ when they were actually enabled. Following that they ended up in EVERY AMD processor, ostensibly to help with power management, but really to allow backdoor access. Now not even that is enough and the same is happening to our GPUs. First NVidia's signing of their firmware, and now AMD's implementation of PSP on the AMD Vega series GPUs.
Combined with cell phones, literally every computer device less than 10 years old is DEFINITELY backdoored. They might not be doing anything now, but the provisions are there and they are just waiting for the 'probable cause' that will allow them to use it without the citizenry trying to fight back, and having hardware that is still secure.
We are fast approaching the point of no return and too much of the populace is too narrow-sighted, naive, uneducated, or just plain stupid to notice, put the pieces together, and learn to take the parables of history and overlay them with modern technology to understand the full brunt of the dangers being posed by these sorts of backdoors, not only to our immediate digital security, but also to our future mental, physical, and social freedom. Liberty is dead, long live Big Brother. Big Brother will protect you from all dangers, even those inside your own head!
A heartbleed-esque attack due to both keys and the packet buffer going on the heap. I don't get all the specific details, but it could convince the remote server to barf an arbitrary size packet back to it including whatever was currently on the stack.
This is a project that has been around for 3+ years and has been claimed secure by its developers. Either the developers are inept, it was a genuine mistake, or it was malicious.
Regardless of which it was, it has potentially compromised hundreds to thousands of nodes in the i2p network, as well as every service running on them. Even worse, i2pd is mostly Russian developers and commonly used among privacy oriented Russians trying to stay off state surveillance. If this has been exploited in the wild (which would only be discovered through log correlation with full packet logging on a targeted honeypot system), it means that potentially thousands of Russians can now be directly targeted by their government, and that users of any of their services could be connected to compromised hidden services believing them to be verified and safe.
All it takes with crypto is one wrong bug in a popularly used project and it can compromise the security of thousands to billions of users.
https://eyalitkin.wordpress.co... 'GarlicRust' has full details for anyone interested.
'just plain better' is still just plain wrong despite your several good points. I can imagine people working for the CIA, knowing they have an organization intimately familiar with say, closed source Winblowz, and I'm sure they have way more confidence in their closed source option than I have in my FOSS option. Does that mean I'm going to switch to closed source Winblowz- even if somehow I could assume that assessment is the actual case- Hell NO, of course not :) In the end there is a larger factor you didn't focus on (enough)- the deployment/configuration/actual-use-case-and-individual-threat-model matters I would guesstimate far more than the open/closed source issue. Situational issues. Are you concerned that any breach of this com channel will result in your family being burned to death? Or is it a situation with a dramatically lesser worst-case scenario? I wish I could vouch for some FOSS project that I'd be confident enough in for the former. Presumably one of these days we will (decades too late) witness some sort of com-sec international sport where it's capture the flag, but the flags are hundreds of millions of dollars worth of bitcoins. When I see some FOSS configuration defending that kind of a flag for years, then maybe I'll consider it *really secure*. But there are so many vastly less critical scenarios, that while I'll still opt with FOSS, I'm not going to try to tell others that it's "just plain better than" winblowz. I'm sure if you've got a CIA/NSA friend telling you to run winblowz in some very specific way, in that situation that closed source is going to be 'just plain better' than any FOSS option anybody I know who isn't NSA/CIA connected will come up with. And of course, GPG/SFTP/onetimepads/blablabla.
It's good to know others have seen this for what it was.
The question now is: What can we do to return future secure systems to commercially available status?
US government is forcing encryption specialists to move out of the US by implementing draconian laws.
...if you installed Windows 10 Spyware Edition.
I think the main difference is that in open source it'd take some extraordinary trick to create a backdoor or unofficial feature for any particular group or organization. Could you have Heartbleed-class bugs? Yes. But they're double edged swords, it could expose your enemies but unless you manage to roll out a massive, secret patch/firewall regime you'll be vulnerable too. How often does open source software secretly log data and send it off to a server in China? It just doesn't happen. Why is open-source DRM an oxymoron? Because you can't hide what it's doing. Which is not to say you can't have controversy about default software and settings, like Ubuntu's shopping lens but it's at a whole other level.
And it doesn't take all that much effort to make a version that modifies the behavior, quite probably there's already a fork or patch for you. Because even when or if I find out that Windows or macOS is doing something I don't really approve of it's very hard to do something about it, you can turn off settings which they turn back on, you can block it at the firewall and they change ports and servers, you can use third party hacks that may or may not work well but compared to open source it's a black box. And turning off those features could also be hardening the software, it might not prevent bugs but reduces your attack surface and information leaks.
Live today, because you never know what tomorrow brings
Just not in any existing country.
You would think with all those 'Sovereign Person' kooks in the US, a few of them would be willing to formally renounce their citizenship and do what is necessary to establish a new state.
But no. Because Sovereign People, like libertarians and a host of other ideological groups, are too big of chickenshits to even take the risks the colonial revolutionary army did to ensure they have the sort of liberties their forefathers pined for, but never received, even after founding their glorious new nation. And that folks is why the world today is only getting worse. Because nobody has bothered to learn from the past the changes necessary to avoid reliving the past.
It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?
Export of what exactly?
For hardware, most things are made outside of the US, so they're actually "imported" by American consumers.
For software, you shift the crypto component offshore, and US customers "import" that component. OpenSSL (then SSLeay) actually began in Australia during the first 'Crypto War' of the 1990s to get around the US ITAR restrictions. Ditto for OpenBSD: strong crypto coded in Canada. Debian had a "non-us" repo for strong crypto:
* https://wiki.debian.org/non-US
As did FreeBSD:
* https://svnweb.freebsd.org/base/head/crypto/
People worked around the ITAR restrictions before, and while the infrastructure may be a bit stale, it can be brought back easily enough.
We've been through this before.
http://www.un.org/en/universal-declaration-human-rights/
Article 12.
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Article 28.
Everyone is entitled to a social and international order in which the rights and freedoms set forth in this Declaration can be fully realized.
Article 30.
Nothing in this Declaration may be interpreted as implying for any State, group or person any right to engage in any activity or to perform any act aimed at the destruction of any of the rights and freedoms set forth herein.
VIENNA CONVENTION
https://treaties.un.org/doc/publication/unts/volume%201155/volume-1155-i-18232-english.pdf
SECTION 3. INTERPRETATION OF TREATIES
Article 31, GENERAL RULE OF INTERPRETATION
1. A treaty shall be interpreted in good faith in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in the light of its object and purpose.
There was all this hand waving about the Chinese and Russians having backdoors to stuff sold in the US. How will the US having backdoors be any better, to any other government?
If it is a question of backdoors, then you might as well have low grade encryption, since it is probably not much better than the master key getting leaked?
Jumpstart the tartan drive.
Why the fuck was this even promoted?
Are they surprised that the government can ask companies to do things?
What a fucking shitpile. Get out while you can. Learn not-English and emigrate before you're trapped in the prison.
A bunch of delusional gun nuts to all die by Predator Drone strikes?
You cunts aint winning against your gubmints superior arms.
How much of an idiot do they think I am. Anyone would know that someone, somewhere, is going to exploit, and hack into that backdoor they created. So I need a list of idiot software to avoid.
and I mean *ALL*. every bit of VPN and encrypted data you generate should be sent to the FBI so they won't have to work so hard to collect what they want. I'm sure they have enough storage and bandwidth to handle it.
I think the main difference is that in open source it'd take some extraordinary trick to create a backdoor or unofficial feature for any particular group or organization.
No it does not.
All it takes is for the malicious individual to have slightly more skill than the evaluators of the specific function they added a vulnerability to.
Given how "thorough" open source code review is, a patient hostile actor will be able to get any vulnerability into the accepted code of any project, the only issue is patience. In most cases, it doesn't require great coding skill, just the normal social-hacks that covert operatives are primarily trained in. Submit minor useful code changes while watching the bug tracker, fix one of the older bugs and see how the crowd responds. Mess up a fix on another old bug and see how the crowd responds. Just a few pokes to see what it takes to add truly malicious code.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Certainly the modern definition of 'papers' extends to our data stored on remote servers and 'home' extends to the access of that data.
Sure. They can ask. I don't mind.
I asked my father to take the RV to prom too. He never answered.
I asked to take the Lincoln to prom. He shook his head no.
I asked to take the rabbit, he saw he would need to think about it.
A week before prom, he said yes to the rabbit.
If a company volunteers to break into a phone, THEN I have an issue.
I think that strong, unbreakable, encryption is a human right. Clearly, many governments (including mine) don't agree. That just means that using only encryption provided to the masses isn't for me. Additional steps are needed.
I just wish more people weren't so trusting and understood that 1 tiny bug is all that is necessary for any encryption system to be broken. There are probably 100+ bugs on any system, at least.
See my subject & WHY I posted THIS https://it.slashdot.org/comments.pl?sid=11433711&cid=55673813/ a few days ago...
* Unbelievable!
APK
P.S.=> TheRaven64 made a HELL OF A GOOD POINT too https://yro.slashdot.org/comments.pl?sid=11443809&cid=55686303/ ... apk
Mod TheRaven64 up to +5 (he's right) & I thought I'd mention it in my reply too (good job TheRaven64) https://yro.slashdot.org/comments.pl?sid=11443809&cid=55687683/
APK
P.S.=> So much for "SECURE" sockets layer... apk
Instead of Republican. Obama was very much center right. What's needed is left wing politics. Single payer healthcare, infrastructure spending, progressive taxes, college paid for by the public, ending our 8 wars (yes, we're at war in 8 different countries all under the same authorizations Congress have for Iraq) . We need left wing action, not just left wing rhetoric.
Seriously, why is this an issue?
Public/private key cryptography has been proven secure. HTTPS is based on it, and it is strong enough for me to do banking on-line.
For cases like the police needing to get into an iPhone, all that needs to be done is to take the phone secret (say, an AES key or the phone unlock code), encrypt it using Apple's public key, and make this encrypted secret public (or present it over the USB port). Nobody can do anything with it, except the people who hold the private key (the manufacturer).
Law enforcement can turn over a warrant and the manufacturer can decrypt the secret key, and turn it back over to law enforcement. The government still needs to present a warrant, it is secure, and everybody should be happy.
Have I missed something?
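The key-escrow scheme the comment sketches, as an added example that is not part of the original post and is nobody's shipping design: a hypothetical manufacturer escrow key pair wraps each device's AES key with RSA-OAEP, the wrapped blob is the public record the comment describes, and only the private-key holder can unwrap it and read the device's data. The key names, the label and the sample data are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var escrowLabel = []byte("device-key-escrow-v1") // OAEP label: ties each wrapped secret to this one purpose (constructed)
// EscrowRecord is the public blob the comment describes: the device secret wrapped to the manufacturer's key.
type EscrowRecord struct{ WrappedSecret []byte }

// NewEscrowKey generates the manufacturer's escrow key pair (the hypothetical "Apple" key in the scenario).
func NewEscrowKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ProvisionDevice draws a fresh 256-bit device secret and wraps it with RSA-OAEP.
func ProvisionDevice(pub *rsa.PublicKey) ([]byte, EscrowRecord, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, EscrowRecord{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, escrowLabel)
	if err != nil {
		return nil, EscrowRecord{}, err
	}
	return secret, EscrowRecord{WrappedSecret: wrapped}, nil
}

// RecoverSecret is the manufacturer's step once it is served with a warrant.
func RecoverSecret(priv *rsa.PrivateKey, rec EscrowRecord) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedSecret, escrowLabel)
}

func newGCM(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealData encrypts user data under the device secret with AES-256-GCM; the random nonce is prepended.
func SealData(secret, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenData reverses SealData; a wrong key or a tampered ciphertext fails to authenticate.
func OpenData(secret, sealed []byte) ([]byte, error) {
	aead, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// EscrowRoundTrip walks the comment's scenario end to end: provision a device, seal data on it,
// serve the "warrant", unwrap the secret with the escrow key, open the data, and report a match.
func EscrowRoundTrip(msg []byte) (bool, error) {
	mfr, err := NewEscrowKey()
	if err != nil {
		return false, err
	}
	secret, rec, err := ProvisionDevice(&mfr.PublicKey)
	if err != nil {
		return false, err
	}
	sealed, err := SealData(secret, msg)
	if err != nil {
		return false, err
	}
	recovered, err := RecoverSecret(mfr, rec) // the manufacturer's private key is the only way in
	if err != nil {
		return false, err
	}
	got, err := OpenData(recovered, sealed)
	return err == nil && bytes.Equal(got, msg), nil
}

func main() {
	ok, err := EscrowRoundTrip([]byte("constructed sample: phone contents"))
	fmt.Println("escrow holder recovered the data:", ok, "error:", err)
}
```

What the code makes visible is the property the rest of the thread argues about: the scheme works exactly as the comment states, and it concentrates the ability to unlock every shipped device in one private key. Whoever holds or copies that key can open any record, so the key's storage, its use logging and the process for compelled access become the entire security boundary, and a single defect there undoes the per-device encryption for every device at once.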
"-1 Troll" is apparently the same as "-1 I disagree with you."
Unfortunately, the TLAs answer it ... "Just a second. Hold my beer."
You in the XXX organization of government have no right to use official resources to ask third parties to do things that go against our interests.
Congress hasn't passed an act directing you to "ask" companies to embed concealed defects into their products that you sell to the people, therefore, you doing so is an ABUSE.
Now if your directors of departments want crypto backdoors in YOUR OWN GOODS that you buy for the use by that government department from those same companies, that's a different matter entirely; that's the ONLY kind of product design influence you should have on any private-sector individual or company.
I should hope that the new Linux phones will be safe from back doors. One currently in development can be loaded with multiple Linux versions. Then, only an additional chip could back door a phone.
Already do.
I have three networks at my house:
* Internet connected (through IPFire and PiHole) LAN access (Wired/WiFi WPA2)
* Internet connected (through IPFire and PiHole) WiFi open (NO LAN access) labeled GuestMonitoredConnection
* Isolated. No Internet connection, different physical layer, no WiFi. Accessed through a bastion host that has an IP KVM type connection to the internal LAN. The bastion is able to RDP to all machines on the isolated network, and it is connected to through use of a Raritan IP KVM on the LAN. The KVM is easily turned off to provide hard isolation if really needed.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
That is why the court order is needed - not because anyone needs a court order to ask someone to intercept the communications, but because without the court order the person doing the interception would be committing a crime. Actually, if the Feds asked someone to break encryption without a court order and that person complied, then they should immediately arrest them. Choosing to follow an unlawful order and breaking the law does not absolve you of the crime. You might have a good duress defense, but the crime still needs to be investigated. Law officers do not have the responsibility of deciding the law, but do have the responsibility for enforcing all criminal laws equally.
"The name of the game is whether those vulnerabilities will be found by good people before they are found by bad people. Since good people outnumber bad people, the more people in general who can look at the code the better the chances are that a good person finds the problem first."
The incentives are disproportionate though. If a bad person finds a vulnerability they can make a lot of money, gather a lot of intelligence, etc. If a good person finds the vulnerability they can warn of the issue, maybe collecting some small bounty (or maybe getting sued/prosecuted for their trouble). Then you have situations where state-level bad guys collect exploits and write code to leverage them, and then those get hacked/leaked/etc. So I question the plausibility of your conclusion that it's more likely a good person will find them first than bad.
That's the only appropriate response to this. They can't 'force' anything. If they could, then the entire premise behind what the United States was founded on and ostensibly stands on becomes invalid.
The government also doesn't need a court order to find ever so many ways to make your life miserable if you don't comply with their "request".
There are many terrors in the night.
So your hacker access point is the WPA2. Hope you have logs.
Also BitLocker is 128 bit by default, and limited to 20 chars for the pw
They can "ask" all they want... doesn't mean they will receive compliance.
So I question the plausibility of your conclusion that it's more likely a good person will find them first than bad.
It's borne out by the historical evidence, especially the 2 examples cited by the GP. Many of the examples where exploits are known by bad guys for a long time are in closed source, e.g. the Windows exploits from the Shadow Broker releases that allowed WannaCry to take down the UK's National Health Service.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
Clearly things need to change. A court order should be needed. They should not be allowed to ask nicely. Requiring a court order could remove the "we ask that you volunteer to help voluntarily" approach, with its implied threats, real or imagined, that mean it is not voluntary.
Of course I have logs, I also have physical remoteness and a couple other measures (remember everything is moderated through IPFire, which supports RADIUS authentication).
And here we see another advantage of F/OS software: a negligible chance of being sued if you bring up a problem.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Remember when Linus said they came to him to put a back door into the Linux kernel?
I can say I'm the Queen of Sheba. That doesn't mean I've got tits and a crown.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
This Windows NSA key should satisfy your curiosity:
Type Bits/KeyID Date User ID
pub 1024/51682D1F 1999/09/06 NSA's Microsoft CAPI key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
[key body not preserved on this page]
=PhHT
-----END PGP PUBLIC KEY BLOCK-----
See subject amicusNYCL: It's impolite to talk w/ your mouth full as you EAT YOUR WORDS https://tech.slashdot.org/comments.pl?sid=11415277&cid=55646849/ failing as always vs. me!
So - have some class @ least (& anyone can see your history & see who calls me that https://slashdot.org/~amicusNYCL/ to let you further bury yourself & show who is LOW class (more like NO class OR proof of your words)).
* QUESTION: How did EATING YOUR WORDS taste amicusNYCL?
Did they taste like YOUR FOOT IN YOUR MOUTH ramming them back down your chicken-neck throat washed down by the bitter taste of SELF-defeat? Bet they did!
(Only problem is, I didn't defeat you directly - you defeated yourself FOR me!)
APK
P.S.=> "Your kind" just DOES NOT "get it" vs. me - you can downmod me ALL DAY & I'll just repost running you DRY of those 'downmodpoints' you + sockpuppets you fake name for fake lives types use online, as I have NO POSTCOUNT LIMITS unlike most ac posters do, & I win as always (you lose as always also - but then, nobody ever said you were smart either) ... apk
You don't need back door access when you're being invited through the front.
Think the NSA doesn't have the ability to scan Facebook for a photo and come up with a name in real time?
FB techs have access to the data; you think that access level isn't being shared?
The UK narcs wanted ID. The people didn't. But everyone has given their details over to FB anyway, and those that haven't have dark profiles anyway.
All that data, cross matched for false positives, and you think the agencies don't have access to it?
It's a global ID card system. It's a Stasi wet dream.
how many of them died rich and happy. It ends well all the time. Only very rarely do the elite get their comeuppance. And with modern militaries, drones and information control I'm not sure they ever will again. Not the real ones.