Slashdot Mirror
US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)
schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
And companies don't need a court order to ignore them.
when heavy-handed coercion will do the trick every time?
slashdot: A failed experiment.
its boils down to:
"I want this. give it to me!"
"why? you have shown you can't be trusted with this. and, math also says its not possible."
"I don't care. I'll force you if you don't volunteer."
"looks like you want a fight. bring it."
and so on, and so on.
some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.
its sad to see the schoolyard bully - who has a power complex - unwilling to give in. every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.
its a tiring process and such a waste of time and energy. and yet, here we are, revisiting this issue yet another time.
--
"It is now safe to switch off your computer."
Microsoft OS
Cisco iOS
Intel ME
AMD TrustZone
Bottom line is they don't need encryption backdoors because they have lower level access. What the FBI and law enforcement need is a legal excuse for how they got your information without drawing attention to the more sophisticated exploits reserved for national security level operations (NSA, CIA, ect..)
They may be spying on you as well. But they won't be using what they get for any parallel construction.
Have gnu, will travel.
So much for american technology
They did not need a court order to get Intel to install a backdoor into ME, AMD to install a backdoor into PSP, or Microsoft to install a backdoor into Windows 10, since they all did so quite willingly.
It is a shame consumers can no longer fully own their modern computers. And yet these government agencies refuse to cover any part of the cost of new computers which they have some control over.
Sure, they can ask, and any enlightened company will politely tell them, "No way!" And as long as companies are honest and upfront about whether or not they have built in back doors, so that their customers can chose whether or not they want to deal with the risk, I'm fine with it. The problem is, aren't the criminals the most likely to avoid all the tech with back doors? In other words, voluntary weakening of security doesn't really accomplish anything, does it?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
What makes you think that open source software is somehow any better?
As the Shellshock and Heartbleed bugs have proven, just because source code is available it doesn't mean that anyone actually looks at it. When major open source software projects have serious bugs in them that go undetected for years or even decades, it's doubtful that a well-hidden backdoor would be found.
Then there are projects like systemd and GNOME 3, which have introduced a lot of new code into many Linux systems. Has all of this code undergone a strenuous security review? I very much doubt it!
Even the OpenBSD project, which is perhaps the most stringent and careful open source project out there, has had scares in the past.
So I don't think we should consider open source software to be any better. It could very well be much worse.
I wonder, are any of these people elected? Do they think that they owe any allegiance to the elected US government, seeing that it changes all the time? And when the elected government tries to control them, they hiss and threaten to strike back. If they don't think they should be under the control of the elected government, what's to stop them from doing any damn thing they please?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
ASKING doesn't require a court order, and compliance is OPTIONAL .
Ken
the weasel words about PRISM.
If a company never refuses the gov, legal protections never had to be mentioned.
If the brand never says no the gov, they never have to tell their own legal department.
The Rules of Collect it all Club.
First rule of collect it all club, never tell an in house lawyer.
Someone yells whistleblower, goes bankrupt, sells out, the collection is over.
No lawyers, no admins.
One agency at a time.
Collection will go on as long as it has to.
If this is your first connection to the Collection Club, you HAVE to collect it all.
Domestic spying is now "Benign Information Gathering"
I could ask a company to put a backdoor in their product if I wanted to. I might be laughed at, but I can certainly ask.
A court order is only required if you need to force the recipient to comply.
File under 'M' for 'Manic ranting'
Keep putting millionaires and billionaires in charge. I'm sure they'll drain the swamp any moment now. And if they're not to your liking how about a nice blue dog democrat? He (or she) will promise not to raise your taxes, doesn't hate gay people and won't touch Social Security or Medicare (or anyone over 55). Remember folks, if you don't keep putting pro corporate, right wing people in charge those tax and spend liberals will raise your taxes. And if you're readying this and you're American than I know 60% of you are living paycheck to paycheck (google it) and can't afford it, right?
The important thing is to remember to know your place, stay in your class, respect your betters, and don't ever screw with the aristocracy. Don't even suggest taking their money away, that would be morally wrong. You learned that in grade school economics. Capitalism got you into this mess and only capitalism can get you out of this mess.
Can you tell I'm bitter and angry? I don't suppose there's anybody on this forum that can make an ounce of that anger go away, is there? Well guess what, there's millions of guys just like me. And guess what happens when there's too many of us? What happened in the 20s? How about the 40s? Anyone want to take a crack at proving me wrong and injecting a little hope into this thread?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Some code hasn't been looked at in a long time. Correct. There could be back doors. Correct. There could be vulnerabilities (intentional or not). Correct.
Every software project, open source included, will have vulnerabilities discovered. There will be scares and exploits of open source like any other software. But yes, you can expect open source to be better. Because:
1) Very few major open source projects have any contributions that occur in a vacuum. Multiple eyes see every patch and for the most part, those multiple eyes are most often from people in multiple organizations with multiple day jobs and multiple personal goals/agendas. Aligning enough people's agendas to get a back door in would be difficult for any major open source project. Intentional vulnerabilities would be easier, but still not trivial. This isn't 20 years ago, people actively look at each patch with an eye towards whether it is introducing a vulnerability. This model is diametrically opposite of any closed source offering, where contributions are by one organization and at the sole control of whomever holds the purse strings.
2) If a vulnerability is suspected anywhere, you (and literally everyone else on the planet) have the option and ability to examine the source at any time. When you do want to investigate any particular piece of open source software, you don't need to decompile or reverse engineer something to do it. You don't have to fight the software in order to test it.
There have been (and will continue to be) vulnerabilities exposed from older open source code written when there was less oversight and less strenuous security testing, but if you want to compare this to the number of exploits (and in some cases intentional back doors) that have come to light in, say, Windows, from ancient code that has thunked it's way down from Windows 3.1, the score isn't even close. And it's not like Microsoft is performing strenuous reviews of their old code - these vulnerabilities have come to light often only from outside researchers performing painstaking and arduous external testing and reverse engineering.
So while you are correct in that open source will never be free of bugs or exploits - it's still written by people, as much as the nut jobs still decry that hard AI is just around the corner. But yes, in this it is just plain better than closed source.
No tech company would put in a back door.
Any that does is basically saying "Don't buy our product" because, as soon as they do, GUESS WHAT..people won't buy it.
Look at what happened to Microsoft after the news about PRISM. Microsoft tried to make the camera a 'requirement' for all X-Box One games until a massive backlash happened. Microsoft backtracked and it basically killed the X-Box camera for gaming outside of a short list.
People won't buy a product with a built in back door. Companies won't make a product that people won't buy.
I never said open source was more secure. The article is about the US coercing companies to build in backdoors. The US has their exploits in open source as well but their method of obtaining them is different. The method is crucial to the justice system. I am ok with law enforcement getting a warrant and breaking my front door down. I am not ok with them enforcing no locks on any doors because it makes their job easier. When private US companies are forced to build backdoors it puts everyone at risk. Also when backdoors and security holes are independently found on open source software they can be patched. This is not the case with built in, custom order, spyware disguised as a feature the public wanted.
You can choose politicians, but by and large the party division is a sham and the "real" government marches on regardless. Witness how many federal government departments shut down under Trump: 0
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The tech companies need to ask the feds if they want a modern internet with secure banking and communications. Cause if they DO, the whole "backdoor" nonsense is a nonstarter. If you compromise a mathematically-proven and trusted system, guess what? No one can trust it anymore. On the other hand, if the feds really don't care if there's secure online communications or not, then hey, no problem.
What we seem to have are people who keep asking for the impossible without understanding what's really at stake.
and I will adapt!
I'm sure it'll be VASTLY entertaining when they get told to pound sand.
The second it's been found out one of these companies has compromised their encryption this way, it's The End for them.
Chas - The one, the only.
THANK GOD!!!
People were comparing germany to stasi and worst here :
https://yro.slashdot.org/story...
Note that this article is from a local unknown journal, with NOBODY confirming what it pretend is happening, to my knowledge not even the local CCC knows about it, and at least if it tries to put it as law there will be a PUBLIC DEBATE, and this is the Germany, not the US, people tend to really debate such things.
And here were have the US saying "fuck that we have above the law we can stamp you with FISC to have you add a backdoor" Bypassing the judicial , not even needing law , bypassing check and balance. And the reaction is.... Mutted, far less vitriolic. Fancy that.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
What the Shellshock and Heartbleed bugs have proven is exactly the opposite of what you are saying. If they occurred in closed source software they would have never been found. Or they may be found but kept secret because it cost money to fix. Or they may be found but only the "currently supported" versions are patched, and people with old versions are just told to fork out more money to upgrade.
The name of the game is not there will never be vulnerabilities in the code. The name of the game is whether those vulnerabilities will be found by good people before they are found by bad people. Since good people outnumber bad people, the more people in general who can look at the code the better the chances are that a good person finds the problem first.
Shellshock, for example, was known by nobody (effectively) until it was discovered, patched, and reported. It was only then that a bunch of bad people started to try to exploit it.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
A lot of computer owners would probably wind up keeping certain computers completely off any network connected to the Internet if the government had the ability to force the of use backdoors.
That would be worse for the value of the Internet than anything else I can think of.
Except they don't say no, remember Microsoft? Keen to get lots of surveillance contracts bent over backwards to give them disk encryption keys.
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
" Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal; The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail; The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide; Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;"
Blackberry? Remember their CTO's meeting with law enforcement to tout their cooperation?
Can I point out something that people don't seem to connect in the current shock reveal. Erik Prince of Blackwater proposed to Trump to form a hit squad/propaganda/plumbers unit loyal to Trump and Trump alone funded privately to overcome 'deep state' legal resistance. Erick Prince also admitted to meeting Kirill Dmitriev, head of the Russian Direct Investment Fund, when he was a Trump team advisor. So who do they think would fund and run these mercenaries loyal to Trump?... It's really no different to the hacking squad that backed Trump, it would be run in the same way.
Would you be so upset with what you have if your alternative is what people these days are getting under the rule of Kim Jong Un?
It will be far worse for them when Kim Jong Deux will seize power !
(sorry, french joke, I couldn't resist)
Votez ecolo : Chiez dans l'urne !
A heartbleed-esque attack due to both keys and the packet buffer going on the heap. I don't get all the specific details, but it could convince the remote server to barf an arbitrary size packet back to it including whatever was currently on the stack.
This is a project that has been around for 3+ years and has been claimed secure by its developers. Either the developers are inept, it was a genuine mistake, or it was malicious.
Regardless of which it was, it has potentially compromised hundreds to thousands of nodes in the i2p network, as well as every service running on them. Even worse i2pd is mostly russian developers and commonly used among privacy oriented russians trying to stay off state surveillance. If this has been exploited in the wild (which would only be discovered through log correlation with full packet logging on a targetted honeypot system), it means that potentially thousands of russians can now be directly targetted by their government, and that users of any of their services could be connected to compromised hidden services believing them to be verified and safe.
All it takes with crypto is one wrong bug in a popularly used project and it can compromise the security of thousands to billions of users.
https://eyalitkin.wordpress.co... 'GarlicRust' has full details for anyone interested.
US government is forcing encryption specialists to move out of the US by implementing draconian laws.
Personally, I am not upset with what I have when I look at what the US is like.
Greetings, Europe.
P.S.: If you keep looking down for something to compare yourself to, you'll not improve. Look up to know what to aspire to.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think the main difference is that in open source it'd take some extraordinary trick to create a backdoor or unofficial feature for any particular group or organization. Could you have Heartbleed-class bugs? Yes. But they're double edged swords, it could expose your enemies but unless you manage to roll out a massive, secret patch/firewall regime you'll be vulnerable too. How often does open source software secretly log data and send it off to a server in China? It just doesn't happen. Why is open-source DRM an oxymoron? Because you can't hide what it's doing. Which is not to say you can't have controversy about default software and settings, like Ubuntu's shopping lens but it's at a whole other level.
And it doesn't take all that much effort to make a version that modifies the behavior, quite probably there's already a fork or patch for you. Because even when or if I find out that Windows or macOS is doing something I don't really approve of it's very hard to do something about it, you can turn off settings which they turn back on, you can block it at the firewall and they change ports and servers, you can use third party hacks that may or may not work well but compared to open source it's a black box. And turning off those features could also be hardening the software, it might not prevent bugs but reduces your attack surface and information leaks.
Live today, because you never know what tomorrow brings
It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in there powers?
Export of what exactly?
For hardware, most things are made outside of the US, so they're actually "imported" by American consumers.
For software, you shift the crypto component offshore, and US customers "import" that component. OpenSSL (then SSLeay) actually began in Australia during the first 'Crypto War' of the 1990s to get around the US ITAR restrictions. Ditto for for OpenBSD: strong crypto coded in Canada. Debian had a "non-us" repo for strong crypto:
* https://wiki.debian.org/non-US
As did FreeBSD:
* https://svnweb.freebsd.org/base/head/crypto/
People worked around the ITAR restrictions before, and while the infrastructure may be a bit stale, it can be brought back easily enough.
We've been through this before.
There was all this hand waving about the Chinese and Russians having backdoors to stuff sold in the US. How will the US having backdoors be any better, to any other government?
If it is a question of backdoors, then you might as well have low grade encryption, since it is probably not much better than the master key getting leaked?
Jumpstart the tartan drive.
How much of an idiot do they think I am. Anyone would know that someone, somewhere, is going to exploit, and hack into that backdoor they created. So I need a list of idiot software to avoid.
and I mean *ALL*. every bit of VPN and encrypted data you generate should be sent to the FBI so they won't have to work so hard to collect what they want. I'm sure they have enough storage and bandwidth to handle it.
What a ridiculous perspective. Reminds me of a gag from The Onion: Oh, sure, if you're going to compare us to first-world countries, we're definitely not going to come out looking so good.
Instead of Republican. Obama was very much center right. What's needed is left wing politics. Single payer healthcare, infrastructure spending, progressive taxes, college paid for by the public, ending our 8 wars (yes, we're at war in 8 different countries all under the same authorizations Congress have for Iraq) . We need left wing action, not just left wing rhetoric.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Seriously, why is this an issue?
Public/private key cryptography has been proven secure. HTTPS is based on it, and it is strong enough for me to do banking on-line.
For cases like the police needing to get into an iPhone, all that needs to be done is to take the phone secret (say, an AES key or the phone unlock code) could be encrypted using Apple's public key, and this encrypted secret could be made public (or presented over the USB port). Nobody can do anything with it, except the people who hold the private key (the manufacturer).
Law enforcement can turn over a warrant and the manufacturer can decrypt the secret key, and turn it back over to law enforcement. The government still needs to present a warrant, it is secure, and everybody should be happy.
Have I missed something?
"-1 Troll" is the apparently the same as "-1 I disagree with you."
Unfortunately, the TLAs answer it ... "Just a second. Hold my beer."
You in the XXX organization of government have no right to use official resources to ask third parties to do things that go against our interests.
Congress hasn't passed an act directing you to "ask" companies to embed concealed defects into their products that you sell to the people, therefore, you doing so is an ABUSE.
Now if your directors of departments want crypto backdoors in YOUR OWN GOODS that you buy for the use by that government department from those same companies, that's a different matter entirely; that's the ONLY kind of product design influence you should have on any private-sector individual or company.
Already do.
I have three networks at my house:
* Internet connected (through IPFire and PiHole) LAN access (Wired/WiFi WPA2)
* Internet connected (through IPFire and PiHole) WiFi open (NO LAN access) labeled GuestMonitoredConnection
* Isolated. No Internet connection, different physical layer, no WiFi. Accessed through Bastion host that has IpKVM type connection to internal LAN. The bastion is able to RDP to all machines on isolated network, and it is connected to through use of a Raritan IPKvm on the LAN. The KVM is easily turned off to provide hard isolation if really needed.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
That's the only appropriate response to this. They can't 'force' anything. If they could, then the entire premise behind what the United States was founded on and ostensibly stands on becomes invalid.
So your hacker access point is the WPA2. Hope you have logs.
Also bitlocker is 128 bit by default, and limited to 20 chars for the pw
So I question the plausibility of your conclusion that it's more likely a good person will find them first than bad.
It's borne out by the historical evidence, especially the 2 examples cited by the GP. Many of the examples where exploits are known by bad guys for a long time are in closed source, e.g. the Windows exploits from the Shadow Broker releases that allowed WannaCry to take down the UK's National Health Service.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
Of course I have logs, I also have physical remoteness and a couple other measures (remember everything is moderated through IPFire, which supports RADIUS authentication).
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
And here we see another advantage of F/OS software: a negligible chance of being sued if you bring up a problem.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I can say I'm the Queen of Sheba. That doesn't mean I've got tits and a crown.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Certainly the modern definition of 'papers' extends to our data stored on remote servers and 'home' extends to the access of that data.
That only extends to persons, houses, papers, and effects which existed at the time it was ratified.
how many of them died rich and happy. It ends well all the time. Only very rarely do the elite get their comeuppance. And with modern militaries, drones and information control I'm not sure they ever will again. Not the real ones.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/