US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors

schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.

They are correct

And companies don't need a court order to ignore them.

Re:They are correct

Yeah, until wikileaks releases said documents and your company goes under. Too much risk involved and the government doesn't exactly offer protection from such cases. The risks involved is higher than the government ruining your prospects, because now your reputation is tarnished forever, just like Blackberry. These government officials no longer hold the sway as they used too pre-2010. Threats of ruining your business now results in these people closing up shop and the government ends up with absolutely nothing, other than stifling innovation and security in the process. This approach is no longer viable.

Re:They are correct

Qwest provides a case in point example of what happens when you refuse the request. That's a real nice company you have there, it'd be a real shame if something was to happen to it.

Why would they need a court order

[FrankHaynes]

when heavy-handed coercion will do the trick every time?

boil it down

[TheGratefulNet]

its boils down to:

"I want this. give it to me!"
"why? you have shown you can't be trusted with this. and, math also says its not possible."
"I don't care. I'll force you if you don't volunteer."
"looks like you want a fight. bring it."

and so on, and so on.

some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.

its sad to see the schoolyard bully - who has a power complex - unwilling to give in. every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.

its a tiring process and such a waste of time and energy. and yet, here we are, revisiting this issue yet another time.

Re:boil it down

[rtb61]

Too which the response is, "fine, if I can't have it than, fuck you, you can't have it either". You do that by shifting the encryption coding bit to FOSS, as a network add on and they can try to stick the back door in free open source code, which you can locally compile and then add to you software than lacks a network connection module. The encrypted network connection module can be served up by anyone and if they really need to hack your computer, they can hand you a national security letter and demand you hack yourself or just fucking apply for a search warrant and get busy with cameras and wires and people in the field, no 'bullshit control freak spy a thon for you' more specifically them. There was a time due to US regulation I had to download 128 bit encryption from the internet and install it myself, so, so hard, to do it again, in fact the US government drove FOSS encryption.

Re:boil it down

[TheRaven64]

Bruce Schneier's book, Applied Cryptography, showed precisely how stupid these export restrictions were. They didn't limit algorithms, they limited key length. You could export RSA with short keys, but not with longer ones. His book had source code for them where the algorithms were compile-time constants. If you typed them in as-is, the resulting code was export-legal. If you changed a 128 to a 1024 (or whatever - I forget the exact allowed vs not-allowed numbers), it wasn't. Because of this, it was completely legal to ship the book anywhere in the world, and anyone in a country where it wasn't allowed simply had to change a constant when they typed in the code.

Buy Chinese

[PPH]

They may be spying on you as well. But they won't be using what they get for any parallel construction.

"It never hurts to ask!"

[Locke2005]

Sure, they can ask, and any enlightened company will politely tell them, "No way!" And as long as companies are honest and upfront about whether or not they have built in back doors, so that their customers can chose whether or not they want to deal with the risk, I'm fine with it. The problem is, aren't the criminals the most likely to avoid all the tech with back doors? In other words, voluntary weakening of security doesn't really accomplish anything, does it?

Why should we expect open source to be any better?

What makes you think that open source software is somehow any better?

As the Shellshock and Heartbleed bugs have proven, just because source code is available it doesn't mean that anyone actually looks at it. When major open source software projects have serious bugs in them that go undetected for years or even decades, it's doubtful that a well-hidden backdoor would be found.

Then there are projects like systemd and GNOME 3, which have introduced a lot of new code into many Linux systems. Has all of this code undergone a strenuous security review? I very much doubt it!

Even the OpenBSD project, which is perhaps the most stringent and careful open source project out there, has had scares in the past.

So I don't think we should consider open source software to be any better. It could very well be much worse.

Just keep voting for the establishment

[rsilvergun]

Keep putting millionaires and billionaires in charge. I'm sure they'll drain the swamp any moment now. And if they're not to your liking how about a nice blue dog democrat? He (or she) will promise not to raise your taxes, doesn't hate gay people and won't touch Social Security or Medicare (or anyone over 55). Remember folks, if you don't keep putting pro corporate, right wing people in charge those tax and spend liberals will raise your taxes. And if you're readying this and you're American than I know 60% of you are living paycheck to paycheck (google it) and can't afford it, right?

The important thing is to remember to know your place, stay in your class, respect your betters, and don't ever screw with the aristocracy. Don't even suggest taking their money away, that would be morally wrong. You learned that in grade school economics. Capitalism got you into this mess and only capitalism can get you out of this mess.

Can you tell I'm bitter and angry? I don't suppose there's anybody on this forum that can make an ounce of that anger go away, is there? Well guess what, there's millions of guys just like me. And guess what happens when there's too many of us? What happened in the 20s? How about the 40s? Anyone want to take a crack at proving me wrong and injecting a little hope into this thread?

Re:Why should we expect open source to be any bett

[Excelcia]

Some code hasn't been looked at in a long time. Correct. There could be back doors. Correct. There could be vulnerabilities (intentional or not). Correct.

Every software project, open source included, will have vulnerabilities discovered. There will be scares and exploits of open source like any other software. But yes, you can expect open source to be better. Because:

1) Very few major open source projects have any contributions that occur in a vacuum. Multiple eyes see every patch and for the most part, those multiple eyes are most often from people in multiple organizations with multiple day jobs and multiple personal goals/agendas. Aligning enough people's agendas to get a back door in would be difficult for any major open source project. Intentional vulnerabilities would be easier, but still not trivial. This isn't 20 years ago, people actively look at each patch with an eye towards whether it is introducing a vulnerability. This model is diametrically opposite of any closed source offering, where contributions are by one organization and at the sole control of whomever holds the purse strings.

2) If a vulnerability is suspected anywhere, you (and literally everyone else on the planet) have the option and ability to examine the source at any time. When you do want to investigate any particular piece of open source software, you don't need to decompile or reverse engineer something to do it. You don't have to fight the software in order to test it.

There have been (and will continue to be) vulnerabilities exposed from older open source code written when there was less oversight and less strenuous security testing, but if you want to compare this to the number of exploits (and in some cases intentional back doors) that have come to light in, say, Windows, from ancient code that has thunked it's way down from Windows 3.1, the score isn't even close. And it's not like Microsoft is performing strenuous reviews of their old code - these vulnerabilities have come to light often only from outside researchers performing painstaking and arduous external testing and reverse engineering.

So while you are correct in that open source will never be free of bugs or exploits - it's still written by people, as much as the nut jobs still decry that hard AI is just around the corner. But yes, in this it is just plain better than closed source.

Re:List of assumed backdoors

[nctritech]

You forgot to mention "every radio coprocessor in every smart phone ever made." The radio coprocessor in cell phones typically has full "back door" access to the resources used by the main CPU and OS you interact with. The code for it is 100% closed off and the massive flaws in the cellular system's authentication that allow Stingrays etc. to actually work properly means you have this closed-off CPU that can do arbitrary stuff on your phone open to access from outsiders with knowledge of cell system architecture.

Re:Want to kill technology? This is how.

[gweihir]

No tech company would put in a back door.

Well, CISCO did.

Any that does is basically saying "Don't buy our product" because, as soon as they do, GUESS WHAT..people won't buy it.

Cisco did that too. And Intel is currently trying to do this as well.

Look at what happened to Microsoft after the news about PRISM. Microsoft tried to make the camera a 'requirement' for all X-Box One games until a massive backlash happened. Microsoft backtracked and it basically killed the X-Box camera for gaming outside of a short list.

People won't buy a product with a built in back door. Companies won't make a product that people won't buy.

Yes, but only if they get think they will get caught. As any other criminal-minded entity, they of course assume they will not get caught...

Re:List of assumed backdoors

[TheRaven64]

The radio coprocessor in cell phones typically has full "back door" access to the resources used by the main CPU and OS you interact with

This is not true on iOS devices. The connection between the baseband processor and main memory is quite restricted, because Apple's hardware team doesn't trust third-party IP cores and so locks them down. It's also not true for a few other SoCs, where the baseband core has its own private memory and communicates with the host via an on-chip serial interface. This was a very common way of implementing smartphone SoCs, because it meant that you could trivially validate that there was no way for the application core to modify the baseband core's state and so you could use the same baseband core on a bunch of SoCs without needing FCC approval for each one.