Schneier on Security
October 7, 2011
From a review of Susan Landau's Surveillance or Security?:
To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build "backdoors" into their products. If Mueller's wish were granted, the FBI would gain undetected real-time access to suspects' Skype calls, Facebook chats, and other online communications -- and in "clear text," the industry lingo for unencrypted data. Backdoors, in other words, would make the Internet -- and especially its burgeoning social media sector -- "wiretappable."
This is one of the cyber threats I talked about last week: insecurities deliberately created in some mistaken belief that they will stop crime. Once you build a backdoor into a product, you need to ensure that only the good guys use that backdoor, and only when they should. We'd all be much more secure if the backdoor didn't exist at all.
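An added illustration of that point, not code from the post or from any real product: a toy key-escrow model in Python, with a constructed "call" record format and an HMAC-based toy stream cipher, showing that one long-lived escrow key, whoever ends up holding it, opens every recorded session at once, while records made without the escrow field cannot be opened that way.

```python
"""Toy model (constructed for this example, not any real product) of a
'lawful access' backdoor implemented as key escrow: each session key is
wrapped under one long-lived escrow key and stored with the ciphertext.
Whoever holds that escrow key, intended or not, can open every session."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def record_call(escrow_key, plaintext, session_key=None, nonce=None):
    """Encrypt one 'call' under a fresh session key. If an escrow key is
    given, also store the session key wrapped under it (the backdoor)."""
    session_key = session_key or os.urandom(32)
    nonce = nonce or os.urandom(12)
    rec = {"nonce": nonce,
           "ciphertext": xor(plaintext, keystream(session_key, nonce, len(plaintext)))}
    if escrow_key is not None:
        rec["escrowed_key"] = xor(session_key,
                                  keystream(escrow_key, b"escrow" + nonce, 32))
    return rec


def open_with_escrow(escrow_key, rec):
    """Recover the plaintext using only the escrow key (no session key)."""
    session_key = xor(rec["escrowed_key"],
                      keystream(escrow_key, b"escrow" + rec["nonce"], 32))
    return xor(rec["ciphertext"],
               keystream(session_key, rec["nonce"], len(rec["ciphertext"])))


def blast_radius(escrow_key, records):
    """Everything one leaked escrow key exposes: all escrowed records at once.
    Records stored without the escrow field are untouched."""
    return [open_with_escrow(escrow_key, r) for r in records if "escrowed_key" in r]


if __name__ == "__main__":
    ek = os.urandom(32)
    calls = [b"call one", b"call two", b"call three"]
    with_backdoor = [record_call(ek, m) for m in calls]
    without = [record_call(None, m) for m in calls]
    print(blast_radius(ek, with_backdoor))   # all three plaintexts
    print(blast_radius(ek, without))         # []
```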
Posted on October 7, 2011 at 6:01 AM
The argument against backdoors certainly applies to society as a whole, but its applicability to the FBI relies on the assumption that the FBI is interested in protecting your privacy against bad guys or good guys acting improperly.
I'd argue that we should at least consider the possibility that the FBI is not interested in protecting our privacy in general. Which actually makes the argument against backdoors stronger. Not only is it a hard problem controlling the insecurities created by a backdoor, but it's entirely possible that those behind the backdoor have a low motivation to do so.
Remember the movie WARGAMES where there was an explanation of Backdoors?
That logic is quite common. Suppose there is a dispute between a purchaser of software, and the vendor supplying it. The vendor needs a way to force shut down use of their software, just in case.
Are you familiar with Manchurian Chips?
Hardware is generally thought to service both the official owner, and the customer, as in ATMs. With Manchurian Chips they also serve the criminal underworld.
I should add that I'm not suggesting the FBI isn't all that interested in protecting our privacy for malicious reasons. They are a law enforcement agency interested in tracking down and gathering evidence against criminals. While they may not be opposed to privacy for innocent people, it might not be their primary concern to go out of their way to protect it.
The FBI's been subcontracted out to Sony?
"While they may not be opposed to privacy for innocent people, it might not be their primary concern to go out of their way to protect it"
Whilst people might take comfort in the expression "Innocent until proven Guilty" they forget that only applies to the court, not the investigation. As far as LEOs are concerned "You are guilty until you can prove you are innocent", where innocent is a bar the height of which is set by the politicians.
The same applies to the newspapers: provided it is salacious enough they will print any old nonsense, as it is not the truth that people want to read. And thus the truth does not sell newspapers, and the lies and innuendo set public opinion, which tells the politicians what noises they should be making at the police and judiciary.
The recent case of Ms Fox should be sufficient warning to people of this.
It's not just personal privacy that's at stake, but corporate and government security. Sure, you can say that any person or entity who conducts business over skype or some other ostensibly slightly-secure medium deserves what it gets, but what's the alternative? Even if they get a proprietary system nominally insulated from the public, it's likely going to come from the same set of vendors and have the same back doors.
Question: has concealing backdoors become more difficult since traffic stopped taking a direct route from a lead node (e.g. a phone) to a switch, across a network owned by a handful of entities to another switch and thence to another leaf node? It seems to me that both the backdoored hardware and software and the control and data flows are far more exposed these days, but I might be wrong.
It should be Ms Knox not Ms Fox...
It shows even I'm susceptible to the press's "Foxy Knoxy"...
Clive, thanks for the correction, for a moment I thought I'd missed some important news involving Lance Corporal Jones.
On a serious note, the whole existence of backdoors must count as a very high risk indeed following their exploitation during the Greek phone tapping scandal and Vodafone subsequently being fined €80 million.
It's an illustration of the difference in professional values. In another post a commentator said that essentially security=control. I think that view is wrong, appealing but wrong. The question that is asked in DHS is not "are we secure?" but "who's in control?"
There is a strong argument that we are more secure precisely when we are not in control. But then the purpose of most criminal laws is precisely to establish social order and control and so people tasked with upholding those laws are not going to find such arguments appealing.
Designing backdoors for LEAs is as much about "who's the boss" as it is about catching crooks.
The FBI seems to have forgotten that there are other countries with their own governments.
"Dear Skype, we know you are a Luxembourg company and we know we have no jurisdiction but if you install a back door we will support your use in the USA" signed the FBI
"Dear Skype, we know you are a Luxembourg company and we know we have no jurisdiction but if you install a back door we will support your use in China" signed the Chinese
Repeat for country in country_list
Am I missing something, or are some commenters assuming that the biggest risk of the backdoor is misuse by its intended users, and overlooking the risks of use by company insiders and discovery of the backdoor by outsiders?
Isn't any intentional backdoor an application of security by obscurity -- a hope that the ill-intentioned will never find and exploit the intentional hole in our defenses?
The first rule of any government is to stay in power. To my knowledge there is not a single law that LEOs & the courts have not stretched, twisted and/or broken to get what they want. They operate in exactly the same way as crooked corporations do, in that the fines they will pay will be far less than the profits they made breaking the law.
The White House, NSA, law enforcement, and the armed forces have all been acting illegally and/or under the protection of illegal laws since 2001. All in the name of the Safety Police.
These are the people we are supposed to trust? I don't think so. I think we as a nation and a people have given up too much of our own due process & protections under the guise of security theater.
The FBI would make a fortune through insider trading.
"The FBI would make a fortune through insider trading"
There is a certain degree of "corroborating evidence" to suggest that several Western/1st world LEOs or those associated with them have indeed made profit from insider information obtained whilst carrying out other activities.
Oh, and this is over and above the "paid for info" type crimes it appears quite a number of the "UK's Finest" have been up to with News International and other journos, and one presumes many others who might well be less savory (if that is possible).
One thing that was pointed out to me by someone who investigates money laundering etc. was the collapse of BCCI. It was later found out that the UK regulators knew of its imminent demise for some time, and there were various activities carried out by various "connected people" who moved their assets shortly before it became public and collapsed, causing most others to lose most if not all of their assets. It appears there is sufficient evidence to get it in front of a judge; however, it appears the usual delaying and obfuscating tactics have been put in place to so far prevent a proper open and fair evaluation of the evidence.
One such tactic is to refer the evidence back to the department responsible for starting a prosecution, which also just happens to be closely associated with the "insider activity".
As some may know, in the US there has been evidence of evidence tampering in voting computers involving the NJ Attorney General; however, the judge has sent the evidence uncovered by their investigation back to the NJ AG for evaluation as to whether a prosecution should proceed.
"The FBI would make a fortune through insider trading"
The UK and US have both been caught using Echelon data for commercial advantages - although this was presumably 'officially' sanctioned.
"The UK and US have both been caught using Echelon data for commercial advantages - although this was presumably 'officially' sanctioned."
There can be a fine line between applying a feature to remove an unfair advantage such as bribery (such as when the US allegedly presented evidence of Airbus bribing Saudi officials in 1995) and applying a feature to add an unfair advantage such as insider knowledge (as when the US allegedly provided secret bidding information to US companies over a Brazilian radar contract).
Can anyone provide a link/background on the Echelon misuse?
@Jarrod - not saying that was right or wrong, but there is a slope between:
We are correcting an unfair advantage a foreign company has.
We are supporting a vital national industry.
We are supporting a local company that provides jobs in my voting district.
We are supporting a company that funds my election campaign.
We are supporting a company that will make me a director when I leave office.
And - I am selling info from a backdoor to the newspapers.
Isn't the FBI the same agency which was notorious up until at least the 1970's for blackmailing politicians using illegal wiretaps and such? Politicians who write laws which may or may not infringe upon individual rights?
It seems to me that somewhere around November last year, some cyber threats had appeared (detected by NSA/FBI), which somehow in the presence of vulnerabilities had the capability to destroy or damage some key IT infrastructures of NATO and its allies. I believe that is the reason the FBI Director visited Silicon Valley.
I think the FBI Director's meeting with Silicon Valley executives publicly has made the problem worse. Why? Because this made the bad guys start thinking differently and search for better ways of communication. I believe by now all companies are cooperating with the FBI and the bad guys already know it.
It is questionable whether the FBI has successfully tested its own ways of delivering messages. The FBI Director can deliver his message of keeping track of all communication differently. But he never did...
I think you have to see things in a somewhat bigger perspective. For ten years now, the 9/11 event has been used as an excuse by a corporate, military and political elite to raise the executive branch and its TLA minions above the law. Stuff like this has nothing to do with trust or security, but everything with control.
Forget terrorism and other politically-laden crimes for a moment. Child pornography/abuse sticks in my mind. It is sickening how easy it is for child abusers to remain anonymous and how laborious (read: inefficient) it is for police to identify and prosecute them. Police sex-crimes units are often overwhelmed. Rightfully, something should be done to help them. Would warrant-access-only "back doors" in various internet-based services not help in a fair way -- similar to older kinds of wiretap? If not, any suggestions of a better way to fight child pornography/abuse?
Related news in Germany from CCC group
Summary: Constitutional court order said they could make malware specifically for internet telephony interception. The malware they used allowed for camera control, mic control & remote execution of arbitrary programs. Essentially, it was designed from the start to do the opposite of the court order & allow remote upgrade to a full trojan.
"Would warrant-access-only "back doors" in various internet-based services not help in a fair way -- similar to older kinds of wiretap?"
You seem to be turning things upside-down. The child-porn argument for the last decade has been used more and more as an excuse for warrantless and unconstitutional spying by the Bush administration, not to mention the surveillance powers granted by certain provisions in the Patriot Act and as per the secretive interpretation given to them by the government. Child porn IS a serious problem, but it would be downright naive to believe that all the caring folks seeking to pass legislation et al. under the "Protect the Children" flag are actually doing so just in the interest of the children.
But even if it were so, you are entirely missing the point that introducing backdoors in software, chips and infrastructures from a strictly security point of view is a bad practice that eventually backfires into everyone's face.
You are throwing the baby out with the bathwater. It is timorous to refuse to consider "back door" access to some types of media, for some types of investigations, subject to strict legal controls, simply because the broad concept could be abused by some person or agency. I clearly said "warrant-access-only". Warrantless wiretaps and the other objectionable and illegal things done in the name of the war on terror require that we apply oversight to and demand accountability from government, not that we completely ban any investigative method that could potentially be misused.
I think more than the US, China is a prime example of this. Considering how draconian Chinese control of Internet-borne information and access are, and yet they likely will allow certain applications such as Skype to be used, you can almost be assured they are allowing such apps *because* they have backdoor access.
Besides which, as Google has unwillingly illustrated, if you're big enough to have governments interested enough in your data to get court orders or perform proper leveraging, you're going to have built-in ways to gather this data...
I think the point is, why have a backdoor at all? If you have a backdoor, now you have a way in that can be circumvented, tricked, or abused. And abuse can be either real or simply perceived.
If you have an encrypted stream of data in Skype and want to allow a backdoor way to retrieve data from that stream, what do you do when some enterprising cryptographer at home discovers that she can reverse the backdoor and use it as well?
I seem to recall similar findings in Skype encryption about 5-6 years ago by Chinese researchers, but that was pretty quickly hushed up...
Anyway, "warrant-access-only" is a state that can be misunderstood or mistaken, and I'd agree with your desire to have more accountability over that process. But why add more risk to accommodate that stuff?
Points well taken...
But are the risks of an amateur cryptographer discovering and abusing a back door in Skype (to borrow your example) any different than the risks we already face from amateurs tapping into regular e-mail or cellphone conversations? (I am not a computer security expert so these are real questions.)
I probably come to this issue from a different angle. My main concern is: in those rare but real instances where police have a serious criminal (child pornographer, terrorist, or whatever) under surveillance, and he is known to be having important (for the investigation) communication over some encrypted web-based service, is there any investigative method that would work other than back doors? Could back doors not be designed in such a way that they are restricted to limited, legitimate uses like this?
I understand and share the concerns that sloppy back door solutions put us all at risk for the reasons outlined in the article. But from my point of view the problem of criminals hiding in plain sight also needs to be addressed. If carefully-designed and carefully-controlled back doors are not a solution to this, then what is?
"Could back doors not be designed in such a way that they are restricted to limited, legitimate uses like this?"
The simple answer is... no.
Same story with lock picking. If a single key can be made to open a lock... then that key can be made again and more than once. Yes it might be very difficult to make, but it's possible.
The history of security on the internet shows that things will always be broken. Look at how many security flaws exist to date in software. (currently the feds list 48000+ http://web.nvd.nist.gov/view/vuln/search-results?... ) These are flaws that were never expected by the programmer, never caught by code review, and were released in their product by a company. And that's only what's known. It's highly doubtful that ANY backdoor could possibly be made that would be impervious to tampering.
Also never forget the geek factor. The challenge of an 'unbreakable lock' is too much for some people. Using the typical 'hacker lore' here... With enough time, computing power, caffeine, and delivery pizza somebody in their dark basement surrounded by computer monitors will figure out how to do it.
Thanks for the reply, makes good sense. What I still don't get though is, are the security/privacy/lawful intercept issues surrounding back doors any different than those same issues surrounding any other technology (including locks and keys)? Isn't this just another thing that people use with an assumption of privacy that is not absolutely failsafe and that there are also rare legitimate occasions for the police to penetrate? Are the risks different because, unlike keys, if a hacker gets into an internet back door then he can run amok through the entire system, not just a single house?
Or do the concerns stem more from the principle of it: ie, the greater good is best served by not tampering with the internet privacy of the innocent majority even though a few criminals will then slip through the cracks?
My personal feelings on this, as a user of the internet for sensitive but not secret stuff (internet banking, personal Skype conversations, etc), is that I'm willing to accept the small risk (at least I assume it is small) that some hacker or government agency might misuse a back door and illegitimately violate my privacy, in return for the knowledge that police could (with a warrant!) intercept the communications of a serious criminal if they needed to.
I guess I would feel differently about this if I were, for example, a dissident in Burma relying on a secure internet link to communicate with supporters overseas. Then again, I would probably feel differently about this if I had not been exposed to some of the really terrible and illegal stuff that a few rotten individuals get away with by being invisible over the internet!
Finally, to take a different tack on it: is there some alternative thing or method that would make back doors unnecessary anyway -- as in, could criminal investigators get what they need without a back door? Getting a warrant to install keystroke loggers on all the computers used by the criminal, or something like that? (Like I said, not a technical expert here...)
I realize there are also very legitimate concerns about whether governments/police act in good faith, etc (I think that was Dirk Praet's point) but that is a different discussion. For the sake of this argument on the fundamental rights and wrongs of back doors I'm discussing them only in the context only of solid, legally-conducted criminal investigations.
Well there are a couple of responses to you... Let me first take a page from history.
"Experience hath shewn, that even under the best forms [of government] those entrusted with power have, in time, and by slow operations, perverted it into tyranny." -- Thomas Jefferson
"The two enemies of the people are criminals and government, so let us tie the second down with the chains of the constitution so the second will not become the legalized version of the first." -- Thomas Jefferson
One thing you always have to keep in mind is that the moment you give the gov the ability to do something... it will inevitably be twisted and stretched further than it was ever intended. After a while that becomes commonplace and then it gets stretched again.
So yea, right now it may seem ok in your eyes. But in another 5 years when other people are in office with other priorities and they have other objectives... well they only need to take it a step further... and then in another 5 years. At some point they will take it further than anyone wants (except them). Better to not start down that road than to have to fight after they have crossed the line.
2nd reply is this. Yes, there are always design flaws and holes in security in systems. It's a fact of life. Imperfect people program imperfectly. Find me a perfect programmer... and I'll hire him. haha. The issue here is not to intentionally put in the possibility of more problems. As with the first answer, better to avoid the inevitable problems by never going down that road than trying to deal with the fallout when it does go bad.
As for the issue of how to deal with criminals: like programming, no system will ever be perfect. No legal system will catch all the bad guys all the time. When I was in college one of my professors asked me a question. Which would you rather have: a legal system where 100% of the criminals are found guilty but 25% of innocent people are found guilty as well, or a system where 100% of the innocent people are never found guilty, but 25% of the criminals are also not found guilty?
For myself, I'd rather the second.
Realize I'm not saying that the 'big bad government' is out to get us. But people are flawed.
Now if you do consider big bad govs, that's a total matter of perspective. You speak about these being used in "solid, legally-conducted criminal investigations." Well in Burma for instance... those people are under "solid, legally-conducted criminal investigations." The gov is so corrupt that it can legally do those things. So while you say 'that's wrong what Burma does', Burma feels it's not doing anything wrong... in its mind, it's trying to track down criminals. Remember one person's freedom fighter is another's traitor engaging in treason.
Lastly, being a person who has freedom, we will have to accept that criminals will get away and do bad things. It's the risk that we accept for the benefit of being free. To finish off, here is one more quote from history...
"If you want total security, go to prison. There you're fed, clothed, given medical care and so on. The only thing lacking... is freedom." -- Dwight D. Eisenhower
Actually no, I'm not going to end there. You can read the post on Bruce's Blog, but read the article about the German Trojan that was being used by the State of Bavaria. Pretty much what you see there is typical of what we are talking about. In life I'm sure you've experienced total and complete utter incompetence with government organizations. (Ever tried to get through renewing your driver's license easily? lol) Do you really want to trust these people with something so specific and technical? Everything is built by the lowest bidder.
Yes, I have had the driver's licence experience and it does not inspire confidence...
What this back door issue boils down to, it seems to me, is three problems:
1) Legal/ethical: many people don't trust the government to use the back door only against the bad guys.
2) Technical/competence: back doors might be poorly designed (or impossible to design safely), and/or the police might investigate the wrong person.
3) Criminal: some criminals are going to use the internet for nefarious things.
Many of the above comments assess #3 to be the smallest of these problems; personally I give #3 a bit more weight and would be inclined to accept a bit (not a lot!) more of risks #1 and #2.
But the thing that bugs me is that, in a 21st-century Western democratic country, we should not have to pick and choose which of these problems we are going to have to just suck up and live with. As a society we should demand reasonable solutions to all three. I can't believe that, if the right people were assigned to throw enough ingenuity at it, this dilemma could not be solved. How exactly to do it though, I have no idea.
...and yes I've been following the German trojan issue -- that is pretty much what we're talking about here! Interesting but kind of depressing...
*scrolls through endless sea of comments*
*sees NATO and FBI in bold in ragecomment*