US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)
schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
And companies don't need a court order to ignore them.
It boils down to:
"I want this. give it to me!"
"Why? You have shown you can't be trusted with this. And math also says it's not possible."
"I don't care. I'll force you if you don't volunteer."
"Looks like you want a fight. Bring it."
And so on, and so on.
Some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.
It's sad to see the schoolyard bully - who has a power complex - unwilling to give in. Every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.
It's a tiring process and such a waste of time and energy. And yet, here we are, revisiting this issue yet another time.
--
"It is now safe to switch off your computer."
Some code hasn't been looked at in a long time. Correct. There could be back doors. Correct. There could be vulnerabilities (intentional or not). Correct.
Every software project, open source included, will have vulnerabilities discovered. There will be scares and exploits of open source like any other software. But yes, you can expect open source to be better. Because:
1) Very few major open source projects have any contributions that occur in a vacuum. Multiple eyes see every patch and, for the most part, those multiple eyes are most often from people in multiple organizations with multiple day jobs and multiple personal goals/agendas. Aligning enough people's agendas to get a back door in would be difficult for any major open source project. Intentional vulnerabilities would be easier, but still not trivial. This isn't 20 years ago; people actively look at each patch with an eye towards whether it is introducing a vulnerability. This model is diametrically opposite to any closed source offering, where contributions are by one organization and at the sole control of whoever holds the purse strings.
2) If a vulnerability is suspected anywhere, you (and literally everyone else on the planet) have the option and ability to examine the source at any time. When you do want to investigate any particular piece of open source software, you don't need to decompile or reverse engineer something to do it. You don't have to fight the software in order to test it.
There have been (and will continue to be) vulnerabilities exposed from older open source code written when there was less oversight and less strenuous security testing, but if you want to compare this to the number of exploits (and in some cases intentional back doors) that have come to light in, say, Windows, from ancient code that has thunked its way down from Windows 3.1, the score isn't even close. And it's not like Microsoft is performing strenuous reviews of their old code - these vulnerabilities have come to light often only from outside researchers performing painstaking and arduous external testing and reverse engineering.
So while you are correct in that open source will never be free of bugs or exploits - it's still written by people, as much as the nut jobs still decry that hard AI is just around the corner. But yes, in this it is just plain better than closed source.