Slashdot Mirror


US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)

schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.

15 of 249 comments

  1. boil it down by TheGratefulNet · · Score: 5, Interesting

    it boils down to:

    "I want this. give it to me!"
    "why? you have shown you can't be trusted with this. and, math also says it's not possible."
    "I don't care. I'll force you if you don't volunteer."
    "looks like you want a fight. bring it."

    and so on, and so on.

    some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.

    it's sad to see the schoolyard bully - who has a power complex - unwilling to give in. every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.

    it's a tiring process and such a waste of time and energy. and yet, here we are, revisiting this issue yet another time.

    --
    "It is now safe to switch off your computer."
    1. Re:boil it down by rtb61 · · Score: 5, Interesting

      To which the response is, "fine, if I can't have it then, fuck you, you can't have it either". You do that by shifting the encryption coding bit to FOSS, as a network add on and they can try to stick the back door in free open source code, which you can locally compile and then add to your software that lacks a network connection module. The encrypted network connection module can be served up by anyone and if they really need to hack your computer, they can hand you a national security letter and demand you hack yourself or just fucking apply for a search warrant and get busy with cameras and wires and people in the field, no 'bullshit control freak spy a thon for you' more specifically them. There was a time due to US regulation I had to download 128 bit encryption from the internet and install it myself, so, so hard, to do it again, in fact the US government drove FOSS encryption.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:boil it down by Puls4r · · Score: 3, Interesting

      It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?

      It's usually held behind closed doors and handled, and if it isn't like the Apple issue, then there is a reason you and I don't know about. It will STILL get handled behind closed doors, the government will just have to give something up in return like looking the other way on Irish tax havens, etc.

    3. Re:boil it down by TheRaven64 · · Score: 5, Interesting

      Bruce Schneier's book, Applied Cryptography, showed precisely how stupid these export restrictions were. They didn't limit algorithms, they limited key length. You could export RSA with short keys, but not with longer ones. His book had source code for them where the algorithms were compile-time constants. If you typed them in as-is, the resulting code was export-legal. If you changed a 128 to a 1024 (or whatever - I forget the exact allowed vs not-allowed numbers), it wasn't. Because of this, it was completely legal to ship the book anywhere in the world, and anyone in a country where it wasn't allowed simply had to change a constant when they typed in the code.

      --
      I am TheRaven on Soylent News
    4. Re:boil it down by TheRaven64 · · Score: 1, Interesting

      Compared to what?

      Compared to the level of security that you need from an organisation holding information that, if public, could cripple your company. Most companies are fairly good at keeping their own secrets, because they understand the cost of not doing so.

      --
      I am TheRaven on Soylent News
  2. "It never hurts to ask!" by Locke2005 · · Score: 4, Interesting

    Sure, they can ask, and any enlightened company will politely tell them, "No way!" And as long as companies are honest and upfront about whether or not they have built in back doors, so that their customers can choose whether or not they want to deal with the risk, I'm fine with it. The problem is, aren't the criminals the most likely to avoid all the tech with back doors? In other words, voluntary weakening of security doesn't really accomplish anything, does it?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  3. Why should we expect open source to be any better? by Anonymous Coward · · Score: 4, Interesting

    What makes you think that open source software is somehow any better?

    As the Shellshock and Heartbleed bugs have proven, just because source code is available it doesn't mean that anyone actually looks at it. When major open source software projects have serious bugs in them that go undetected for years or even decades, it's doubtful that a well-hidden backdoor would be found.

    Then there are projects like systemd and GNOME 3, which have introduced a lot of new code into many Linux systems. Has all of this code undergone a strenuous security review? I very much doubt it!

    Even the OpenBSD project, which is perhaps the most stringent and careful open source project out there, has had scares in the past.

    So I don't think we should consider open source software to be any better. It could very well be much worse.

  4. So that's what PRISM had to hide by AHuxley · · Score: 1, Interesting

    the weasel words about PRISM.
    If a company never refuses the gov, legal protections never had to be mentioned.
    If the brand never says no to the gov, they never have to tell their own legal department.

    The Rules of Collect it all Club.
    First rule of collect it all club, never tell an in house lawyer.
    Someone yells whistleblower, goes bankrupt, sells out, the collection is over.
    No lawyers, no admins.
    One agency at a time.
    Collection will go on as long as it has to.
    If this is your first connection to the Collection Club, you HAVE to collect it all.

    --
    Domestic spying is now "Benign Information Gathering"
  5. Just keep voting for the establishment by rsilvergun · · Score: 4, Interesting

    Keep putting millionaires and billionaires in charge. I'm sure they'll drain the swamp any moment now. And if they're not to your liking how about a nice blue dog democrat? He (or she) will promise not to raise your taxes, doesn't hate gay people and won't touch Social Security or Medicare (or anyone over 55). Remember folks, if you don't keep putting pro corporate, right wing people in charge those tax and spend liberals will raise your taxes. And if you're reading this and you're American then I know 60% of you are living paycheck to paycheck (google it) and can't afford it, right?

    The important thing is to remember to know your place, stay in your class, respect your betters, and don't ever screw with the aristocracy. Don't even suggest taking their money away, that would be morally wrong. You learned that in grade school economics. Capitalism got you into this mess and only capitalism can get you out of this mess.

    Can you tell I'm bitter and angry? I don't suppose there's anybody on this forum that can make an ounce of that anger go away, is there? Well guess what, there's millions of guys just like me. And guess what happens when there's too many of us? What happened in the 20s? How about the 40s? Anyone want to take a crack at proving me wrong and injecting a little hope into this thread?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  6. Re:They are correct by Billly Gates · · Score: 3, Interesting

    And companies don't need a court order to ignore them.

    You know the federal government has tens of millions of seat licenses of sales to keep your share prices high.

    It would be a shame if something happened to that deal?

  7. Re:Why would they need a court order by TheRaven64 · · Score: 3, Interesting

    If I don't like Facebook, which I don't, at least I don't have to use it.

    The problem, as always, is network effects. It was easy to avoid Microsoft too, right up until the point where you wanted to bid for a lucrative contract where the customer would only accept submissions using their complex Word template. Asking them for a copy in an open format would just have you marked as uncooperative and you'd lose automatically.

    The same is increasingly true for Facebook. I don't use it, but an increasing number of companies use Facebook and Twitter as their primary method of providing customer support and provide discounts for people who like them on these platforms.

    --
    I am TheRaven on Soylent News
  8. Re:List of assumed backdoors by TheRaven64 · · Score: 4, Interesting

    The radio coprocessor in cell phones typically has full "back door" access to the resources used by the main CPU and OS you interact with

    This is not true on iOS devices. The connection between the baseband processor and main memory is quite restricted, because Apple's hardware team doesn't trust third-party IP cores and so locks them down. It's also not true for a few other SoCs, where the baseband core has its own private memory and communicates with the host via an on-chip serial interface. This was a very common way of implementing smartphone SoCs, because it meant that you could trivially validate that there was no way for the application core to modify the baseband core's state and so you could use the same baseband core on a bunch of SoCs without needing FCC approval for each one.

    --
    I am TheRaven on Soylent News
  9. restricting crypto by Anonymous Coward · · Score: 2, Interesting

    It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?

    Export of what exactly?

    For hardware, most things are made outside of the US, so they're actually "imported" by American consumers.

    For software, you shift the crypto component offshore, and US customers "import" that component. OpenSSL (then SSLeay) actually began in Australia during the first 'Crypto War' of the 1990s to get around the US ITAR restrictions. Ditto for OpenBSD: strong crypto coded in Canada. Debian had a "non-us" repo for strong crypto:

    * https://wiki.debian.org/non-US

    As did FreeBSD:

    * https://svnweb.freebsd.org/base/head/crypto/

    People worked around the ITAR restrictions before, and while the infrastructure may be a bit stale, it can be brought back easily enough.

    We've been through this before.

  10. Re:They are correct by Antique Geekmeister · · Score: 3, Interesting

    In particular, they'll lose the licenses necessary to export the goods, or to import them if manufactured overseas. They can also lose government sales. With abusive legal tactics such as "Patriot Act" orders, a company refusing to cooperate with orders for backdoors is vulnerable to extremely destructive legal and extra legal abuse from the FCC and from Homeland Security.

  11. Re:They are correct by Anonymous Coward · · Score: 4, Interesting

    Qwest provides a case in point example of what happens when you refuse the request. That's a real nice company you have there, it'd be a real shame if something was to happen to it.