Slashdot Mirror
US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)
schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
And companies don't need a court order to ignore them.
when heavy-handed coercion will do the trick every time?
slashdot: A failed experiment.
its boils down to:
"I want this. give it to me!"
"why? you have shown you can't be trusted with this. and, math also says its not possible."
"I don't care. I'll force you if you don't volunteer."
"looks like you want a fight. bring it."
and so on, and so on.
some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.
its sad to see the schoolyard bully - who has a power complex - unwilling to give in. every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.
its a tiring process and such a waste of time and energy. and yet, here we are, revisiting this issue yet another time.
--
"It is now safe to switch off your computer."
They may be spying on you as well. But they won't be using what they get for any parallel construction.
Have gnu, will travel.
They did not need a court order to get Intel to install a backdoor into ME, AMD to install a backdoor into PSP, or Microsoft to install a backdoor into Windows 10, since they all did so quite willingly.
It is a shame consumers can no longer fully own their modern computers. And yet these government agencies refuse to cover any part of the cost of new computers which they have some control over.
Sure, they can ask, and any enlightened company will politely tell them, "No way!" And as long as companies are honest and upfront about whether or not they have built in back doors, so that their customers can chose whether or not they want to deal with the risk, I'm fine with it. The problem is, aren't the criminals the most likely to avoid all the tech with back doors? In other words, voluntary weakening of security doesn't really accomplish anything, does it?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
What makes you think that open source software is somehow any better?
As the Shellshock and Heartbleed bugs have proven, just because source code is available it doesn't mean that anyone actually looks at it. When major open source software projects have serious bugs in them that go undetected for years or even decades, it's doubtful that a well-hidden backdoor would be found.
Then there are projects like systemd and GNOME 3, which have introduced a lot of new code into many Linux systems. Has all of this code undergone a strenuous security review? I very much doubt it!
Even the OpenBSD project, which is perhaps the most stringent and careful open source project out there, has had scares in the past.
So I don't think we should consider open source software to be any better. It could very well be much worse.
ASKING doesn't require a court order, and compliance is OPTIONAL .
Ken
Keep putting millionaires and billionaires in charge. I'm sure they'll drain the swamp any moment now. And if they're not to your liking how about a nice blue dog democrat? He (or she) will promise not to raise your taxes, doesn't hate gay people and won't touch Social Security or Medicare (or anyone over 55). Remember folks, if you don't keep putting pro corporate, right wing people in charge those tax and spend liberals will raise your taxes. And if you're readying this and you're American than I know 60% of you are living paycheck to paycheck (google it) and can't afford it, right?
The important thing is to remember to know your place, stay in your class, respect your betters, and don't ever screw with the aristocracy. Don't even suggest taking their money away, that would be morally wrong. You learned that in grade school economics. Capitalism got you into this mess and only capitalism can get you out of this mess.
Can you tell I'm bitter and angry? I don't suppose there's anybody on this forum that can make an ounce of that anger go away, is there? Well guess what, there's millions of guys just like me. And guess what happens when there's too many of us? What happened in the 20s? How about the 40s? Anyone want to take a crack at proving me wrong and injecting a little hope into this thread?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Some code hasn't been looked at in a long time. Correct. There could be back doors. Correct. There could be vulnerabilities (intentional or not). Correct.
Every software project, open source included, will have vulnerabilities discovered. There will be scares and exploits of open source like any other software. But yes, you can expect open source to be better. Because:
1) Very few major open source projects have any contributions that occur in a vacuum. Multiple eyes see every patch and for the most part, those multiple eyes are most often from people in multiple organizations with multiple day jobs and multiple personal goals/agendas. Aligning enough people's agendas to get a back door in would be difficult for any major open source project. Intentional vulnerabilities would be easier, but still not trivial. This isn't 20 years ago, people actively look at each patch with an eye towards whether it is introducing a vulnerability. This model is diametrically opposite of any closed source offering, where contributions are by one organization and at the sole control of whomever holds the purse strings.
2) If a vulnerability is suspected anywhere, you (and literally everyone else on the planet) have the option and ability to examine the source at any time. When you do want to investigate any particular piece of open source software, you don't need to decompile or reverse engineer something to do it. You don't have to fight the software in order to test it.
There have been (and will continue to be) vulnerabilities exposed from older open source code written when there was less oversight and less strenuous security testing, but if you want to compare this to the number of exploits (and in some cases intentional back doors) that have come to light in, say, Windows, from ancient code that has thunked it's way down from Windows 3.1, the score isn't even close. And it's not like Microsoft is performing strenuous reviews of their old code - these vulnerabilities have come to light often only from outside researchers performing painstaking and arduous external testing and reverse engineering.
So while you are correct in that open source will never be free of bugs or exploits - it's still written by people, as much as the nut jobs still decry that hard AI is just around the corner. But yes, in this it is just plain better than closed source.
You forgot to mention "every radio coprocessor in every smart phone ever made." The radio coprocessor in cell phones typically has full "back door" access to the resources used by the main CPU and OS you interact with. The code for it is 100% closed off and the massive flaws in the cellular system's authentication that allow Stingrays etc. to actually work properly means you have this closed-off CPU that can do arbitrary stuff on your phone open to access from outsiders with knowledge of cell system architecture.
What the Shellshock and Heartbleed bugs have proven is exactly the opposite of what you are saying. If they occurred in closed source software they would have never been found. Or they may be found but kept secret because it cost money to fix. Or they may be found but only the "currently supported" versions are patched, and people with old versions are just told to fork out more money to upgrade.
The name of the game is not there will never be vulnerabilities in the code. The name of the game is whether those vulnerabilities will be found by good people before they are found by bad people. Since good people outnumber bad people, the more people in general who can look at the code the better the chances are that a good person finds the problem first.
Shellshock, for example, was known by nobody (effectively) until it was discovered, patched, and reported. It was only then that a bunch of bad people started to try to exploit it.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
Except they don't say no, remember Microsoft? Keen to get lots of surveillance contracts bent over backwards to give them disk encryption keys.
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
" Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal; The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail; The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide; Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;"
Blackberry? Remember their CTO's meeting with law enforcement to tout their cooperation?
Can I point out something that people don't seem to connect in the current shock reveal. Erik Prince of Blackwater proposed to Trump to form a hit squad/propaganda/plumbers unit loyal to Trump and Trump alone funded privately to overcome 'deep state' legal resistance. Erick Prince also admitted to meeting Kirill Dmitriev, head of the Russian Direct Investment Fund, when he was a Trump team advisor. So who do they think would fund and run these mercenaries loyal to Trump?... It's really no different to the hacking squad that backed Trump, it would be run in the same way.
No tech company would put in a back door.
Well, CISCO did.
Any that does is basically saying "Don't buy our product" because, as soon as they do, GUESS WHAT..people won't buy it.
Cisco did that too. And Intel is currently trying to do this as well.
Look at what happened to Microsoft after the news about PRISM. Microsoft tried to make the camera a 'requirement' for all X-Box One games until a massive backlash happened. Microsoft backtracked and it basically killed the X-Box camera for gaming outside of a short list.
People won't buy a product with a built in back door. Companies won't make a product that people won't buy.
Yes, but only if they get think they will get caught. As any other criminal-minded entity, they of course assume they will not get caught...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The radio coprocessor in cell phones typically has full "back door" access to the resources used by the main CPU and OS you interact with
This is not true on iOS devices. The connection between the baseband processor and main memory is quite restricted, because Apple's hardware team doesn't trust third-party IP cores and so locks them down. It's also not true for a few other SoCs, where the baseband core has its own private memory and communicates with the host via an on-chip serial interface. This was a very common way of implementing smartphone SoCs, because it meant that you could trivially validate that there was no way for the application core to modify the baseband core's state and so you could use the same baseband core on a bunch of SoCs without needing FCC approval for each one.
I am TheRaven on Soylent News
It's a bit like if the US went and shot a person in public vs. North Korea doing it. In the US it would be an outrage. In NK, well, we kinda expect that by now.
Same here. Domestic spying, privacy elimination, trying to establish a Fascist regime... that's something we had come to expect from the US, hearing this from Germany is so odd and unfathomable.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in there powers?
Export of what exactly?
For hardware, most things are made outside of the US, so they're actually "imported" by American consumers.
For software, you shift the crypto component offshore, and US customers "import" that component. OpenSSL (then SSLeay) actually began in Australia during the first 'Crypto War' of the 1990s to get around the US ITAR restrictions. Ditto for for OpenBSD: strong crypto coded in Canada. Debian had a "non-us" repo for strong crypto:
* https://wiki.debian.org/non-US
As did FreeBSD:
* https://svnweb.freebsd.org/base/head/crypto/
People worked around the ITAR restrictions before, and while the infrastructure may be a bit stale, it can be brought back easily enough.
We've been through this before.
https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html
This is literally the front page of Googles Project Zero blog right now.
Sure Apple makes it a bit more difficult than some other phones but the core weakness is not eliminated. People often confuse vulnerabilities and exploits. Having a closed source chip in your baseband IS a form of vulnerability... there may not be a working exploit that is currently known, and it may be difficult to accomplish but it remains a weakness.
With Apple continuing to lock down baseband access it may eventually be strong enough to resist even a malicious broadband chip. Much like the Intel Management Engine, years of people calling it safe doesn't make it so.
Cwm, fjord-bank glyphs vext quiz
SuperKendall blathered:
You can choose politicians, but by and large the party division is a sham and the "real" government marches on regardless. Witness how many federal government departments shut down under Trump: 0
What utter, driveling bullTrump.
Republicans are trying to impose tax "reform" that will benefit the rich and giant corporations at the expense of the poor and middle-class, and small businesses. Every Democrat in the Senate voted against their version, and almost every Democrat in the House voted against their even worse version. The Republican-led FCC is hellbent on repealing the net neutrality rules the Democrat-led version enacted. The Republican president is about to move the U.S. consulate in Israel from Tel Aviv to Jerusalem, which will further inflame anti-U.S. tensions in the region (and is guaranteed to spark a global wave of new terror attacks against U.S. citizens, as well as increase the number of fresh recruits for Daesh, et alia). The Republican-dominated Supreme Court has struck down every attempt Congress has made at campaign finance reform, and has granted corporations free reign to spend as much money as they choose to influence U.S. elections. The Republican head of the Department of Justice is determined to revive the incredibly wasteful and counterproductive "war on drugs" at the exact time that the de-criminalization/legalization of marijuana has gained majority support among voters of both parties. The Republican-led EPA is doing everything in its power to roll back the Clean Air and Clean Water acts (that were enacted under a Republican president).
The list just goes on and on.
"There's no difference between the two major parties" is an outright, boldfaced lie perpetrated by Republican spinmeisters in what has been a remarkably successful, concerted, long-term campaign to persuade prospective Democratic voters to stay away from the polls - while the Republican base reliably turns out to vote against its own best interests (because "conservative values").
Benjamin Disreali noted, "There are three kinds of lie: lies, damned lies, and statistics." Well, "there's no difference between the two major parties," is a damned lie - and you are a damned liar ...
Check out my novel.
Republicans are trying to impose tax "reform" that will... ...change almost nothing in reality.
You claim to be Woke, but you have yet to Wake.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Have I missed something?
Several things, actually. First, your scheme requires the ability to export the private key from the device (even if it is encrypted). This is poor security practice. The current trend—long overdue, and implemented in response to real security breaches—is to generate and store the private key in a tamper-resistant secure chip, with no external access to the key material. All operations involving the key occur inside the chip. This protects against vulnerabilities in the operating system as well as physical tampering.
Second, why should the manufacturer have the ability to decrypt the user's data? Again, poor security practice. The manufacturer should not be considered a trusted party, beyond device itself as it was originally delivered and later software updates accepted by the owner and installed while the device is unlocked.
Third, the private key on the device is generally only part of the information needed to decrypt the contents; you also need the user's password. Even assuming you could get the private key from a locked device, if the user chose a secure password (as opposed to a PIN you could easily brute-force) then the device key won't do you any good. Storing the combined key would, of course, be very poor security practice, even wrapped in some form of encryption.
Fourth, the manufacturer's private key will eventually leak. Their backdoor access is a single point of failure, and a very tempting target for hackers and foreign governments alike. The manufacturer does not have nearly as much incentive to secure their backdoor as all of the end-users combined have to secure their individual devices.
Fifth, the manufacturer cannot be trusted to represent the owner's interests by requiring a legally-sound warrant before exercising their backdoor. They can be coerced or bribed into complying "voluntarily", without a warrant—the subject of this very article—and they have no incentive to fight dubious warrants which have a chance of being overturned since it's not their data, the effort required to comply would be trivial, and they have the cover of a "legal" order (however threadbare) to protect them against any public backlash.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat