Companies Handing Source Code Over to Governments

ZDNet has an article on US government pressure on software companies to hand over copies of their source code. There's no details because no one is talking on the record, but I also believe that this is happening.

When asked, a spokesperson for the Justice Dept. acknowledged that the department has demanded source code and private encryption keys before.

These orders would probably come from the FISA Court:

These orders are so highly classified that simply acknowledging an order's existence is illegal, even a company's chief executive or members of the board may not be told. Only those who are necessary to execute the order would know, and would be subject to the same secrecy provisions.

Given that Federighi heads the division, it would be almost impossible to keep from him the existence of a FISA order demanding the company's source code.

It would not be the first time that the US government has reportedly used proprietary code and technology from American companies to further its surveillance efforts.

Top secret NSA documents leaked by whistleblower Edward Snowden, reported in German magazine Der Spiegel in late-2013, have suggested some hardware and software makers were compelled to hand over source code to assist in government surveillance.

The NSA's catalog of implants and software backdoors suggest that some companies, including Dell, Huawei, and Juniper -- which was publicly linked to an "unauthorized" backdoor -- had their servers and firewall products targeted and attacked through various exploits. Other exploits were able to infiltrate firmware of hard drives manufactured by Western Digital, Seagate, Maxtor, and Samsung.

Last year, antivirus maker and security firm Kaspersky later found evidence that the NSA had obtained source code from a number of prominent hard drive makers -- a claim the NSA denied -- to quietly install software used to eavesdrop on the majority of the world's computers.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," said one of the researchers.

The problem is, of course, is that any company forced by the US to hand over their source code would also be forbidden from talking about it.

It's the sort of thing China does:

For most computing and networking equipment, the chart says, source code must be turned over to Chinese officials. But many foreign companies would be unwilling to disclose code because of concerns about intellectual property, security and, in some cases, United States export law.

The chart also calls for companies that want to sell to banks to set up research and development centers in China, obtain permits for workers servicing technology equipment and build "ports" to allow Chinese officials to manage and monitor data processed by their hardware.

The draft antiterrorism law pushes even further, calling for companies to store all data related to Chinese users on servers in China, create methods for monitoring content for terror threats and provide keys to encryption to public security authorities.

Slashdot thread.

Posted on March 18, 2016 at 11:27 AM • 34 Comments


xyzMarch 18, 2016 11:46 AM

The solution? It's obvious: open-source. And messengers software that is decentralized.

xyzMarch 18, 2016 11:50 AM

I'm worried about hardware trojan. Intel ME, Amd PSP etc.

What do you think about homomorphic encryption? When we will use in every PC? At this moment it's very slow, but industry have demand...

JeroenMarch 18, 2016 12:14 PM

Open source is one solution. Decentralized website (like ZeroNet) is another step, but not commercial-friendly.

de La BoetieMarch 18, 2016 12:18 PM

Does anyone know the legal significance between statements companies actually make:

Company A:- we have never provided our source code or keys to any government.

Company B:- no comment.

In the case of A, presumably there is a higher chance, if they're later found to be lying, for a class action lawsuit to sue them for millions? IOW, does this act as a form of warrant/order canary, or is their liability absolved by the existence of the secret order? Or would that not apply in a different jurisdiction?

Open-source everythingMarch 18, 2016 12:46 PM

100% open-source hardware, firmware and software must be the ultimate solution, along with decentralized everything, and a zero trust model.

Until then I assume they are in everything: Intel/AMD and other chips, GPUs, all firmware, BIOS, servers, major corporations, and all proprietary code. I also assume they are harvesting everything in the clear and encrypted (for later breaking), probably for the indefinite future.

Additionally, I assume they are doing everything possible to track users attempting anonymization attempts via behavioral indicators, stylometry, keyboard cadence fingerprinting, all system and network fingerprints etc.

One must assume the worst since the governments of this world are clearly out-of-control psychopathic zealots regarding surveillance.

Re: communication, only unbreakable encryption (OTPs) will suffice to protect content (if necessary), and even then you most often don't have a safe delivery system given meta-data concerns.

Perhaps someone needs to seriously bankroll Mr Lavabit's DarkMail project which aims to solve the many email and associated meta-data problems.

That is, we need a ubiquitous DMail standard that is end-end encrypted for basic communications as a starting point to fight back.

At least in the meantime we can share a laugh while the FBI/DOJ make absolute fools of themselves as they continue to get trounced in legal arguments over the i-phone saga.

At least we have (fallible) Tor..........

AndrewMarch 18, 2016 12:48 PM

What use is Open Source if the "bad guys" (sorry couldn't resist) have your CPU, GPU, HDD and NIC? And Open Hardware is nowhere around.

Disclaimer: I'm all with you about using FOSS. I just happen to think it's only one small part of the solution.

@de La Boetie
I think you've embarked on a pointless mission.

If a spy order exists it'll be "so highly classified that simply acknowledging an order's existence is illegal".

And even if a wistleblower leaks that order, the government will still pretend such leak does not exist - remember how it's forbidden to government employees to read the leaks in Der Spiegel, Wikileaks, or anywhere else?

Even if the whole thing ended up in a court somehow. Remember that bit: "even a company's chief executive or members of the board may not be told"? Guess who'll take the fall? The poor guy who got served with that secret insanity.


All in all I still can't warp my mind around the idea of secret laws and secret interpretations of the law. (And I say law, 'cause my poor understanding of American legal system says that it's precedent based which makes every court decision a mini-law of sorts). How can you obey a law if you don't know what the law is? Or what it actually means? I don't think you can. I don't think anyone can.

CarpetCatMarch 18, 2016 12:53 PM

Corporations are people! Oh, yes they are, buddy!

And the State compels their papers and effects.

What a shite world we live in, when the free world can't tell where the governement ends and their private lives begin.

Kostas KritsilasMarch 18, 2016 1:18 PM

This is really predicated on a few things. First of all FISA may nor may not be involved, it is hard to say with nobody allowed to talk about it. This may not be something that FISA wants to approach. The second thing is, even if served by a FISA order, what happens if Apple doesn't comply? Does Craig Federighi get thrown in jail? Does Tim Cook? If either go to jail, this will completely destroy any trust that there may be in the US Government. And in the end, does the NSA/FBI/FISA want to even try this?Do they actually want to go to legal war with a company that has $230B in cash? Even if they do, do they want to take the rist of Apple re-locating outside of the US? Extreme points, yes. However, not out of the realm of possibility.

A slippery slopeMarch 18, 2016 1:19 PM

The problem is, of course, is that any company forced by the US to hand over their source code would also be forbidden from talking about it. It's the sort of thing China does.

Two words that sum up these secret orders:

fucking disgusting.

Ergo sum...March 18, 2016 1:27 PM

This is news why?

I recall seeing a slide about dates Prism collection has started at companies. Microsoft was the first in 2007 to join the program and last was Apple in October 2012. The rest of the companies, such as Yahoo, Google, Facebook, etc., joined in between these dates.

And yes, presumably the Prism collection had ended after the Snowden's leak, but it does not mean that there are no other collection programs. XKeyscore and Tempora come to mind and guess the name of the companies that joined? Maybe not Apple, but all others did switch over to these programs.

None of the LEOs actually collect the data, create backdoors in their software, etc. That responsibility has been/will be with companies doing so provides them financial gains and good standing with various government agencies. The protest against government data collection is strong, while these companies escape without much of harm. It's ironic to say the least...

Dr. I. Needtob AtheMarch 18, 2016 2:13 PM

I think "de La Boetie" is onto something. The law is so fundamentally wrong that there has to be a relatively simple way to work around it, much like the way PGP was distributed around the world by simply printing the source code on paper using an OCR-friendly font.

If it's literally true that "any company forced by the US to hand over their source code would also be forbidden from talking about it" then one only has to say "We're forbidden from talking about it" to signal the truth, or as Captain Willard says in Apocalypse Now, "Sir, I am unaware of any such activity or operation... nor would I be disposed to discuss such an operation if it did in fact exist, sir."

Stuart LynneMarch 18, 2016 2:13 PM

Open source of the software doesn't help if your hardware is locked down and will only boot software signed by the vendor.

The only way to prevent the government from forcing a company to hand over it's signing keys will be a specific law outlawing any such request.

Short of that if a company can be compelled to hand over the keys then we are a short step from weaponized updates where government agencies can require customized versions of software specifically signed for a target device.

For some devices that have dynamic update (think iPhone or Chrome) they could force the vendor to provide that specific customer specific software to the device.

rMarch 18, 2016 2:40 PM

Off+topic but...

I really don't believe the statement the kaspersky group made about the modified HDD firmware being 100% impossible to duplicate outside of a government lab is accurate: maybe 1% but certainly not zero... In all fairness though it was targeted to multiple international manufacturers so they would likely be right about it in that aspect, I just don't believe there's not any o.g. r/e’s or independent redteams that a single or dual manu PoC would be out of reach given the environment already existing in firmware/uefi research.

I used to visit on a regular basis for my peeks and pokes and knowing what we know about the implementation lowers the bar just a hair, the instrumentation codes should be pretty easy to avoid with a little work and some error imb.

rMarch 18, 2016 2:44 PM


Glad you mentioned homomorphism, it'd sure be a nice D.R.[ea]M. no? Uniquely encrypted self executable virtual operands... Bye bye software piracy.


DanielMarch 18, 2016 4:51 PM

What goes hand-in-glove with this issue is the problem of parallel construction. In other words, we can't assume that the problem is secret information alone because information that is so secret no one can talk about it is of no legal use (it may have some military use but that is not the same thing). It only becomes legally useful when that information in laundered through a process that seems to have legitimacy, such as a warrant. For parallel construction to work there has to be both the real means of data collection and the second publicly stated means.

In my view this is what the whole iPhone case is about. It's not about getting access to the information because the federal government can get that information lots of different ways. It's about the need to be able to use the information in a legal proceeding. And for that there needs to be legal precedent.

In other words, some people seem to think that the iPhone case is about constructing the first parallel, the real means of data collection. I think it is about constructing the second parallel, the fake but legally acceptable means of data collection.

PubliusMarch 18, 2016 5:28 PM

If a large part of the world's population have their minds switched on, this is big news.

American software makers will be displaced.

Interesting definition of "rule of law". The CEO may not be informed, if those who do know tell anybody they may be effectively executed. Wow. Civilisation has come a long way since the Gracchi in ancient Rome.

J.R.March 18, 2016 6:06 PM


All in all I still can't warp my mind around the idea of secret laws and secret interpretations of the law. (And I say law, 'cause my poor understanding of American legal system says that it's precedent based which makes every court decision a mini-law of sorts). How can you obey a law if you don't know what the law is? Or what it actually means? I don't think you can. I don't think anyone can.

Made to order for someone wishing or at least willing to create a police state a la 1984. It will be for our own good, of course.

meMarch 18, 2016 6:40 PM

re: Stuart Lynne

Open source of the software doesn't help if your hardware is locked down and will only boot software signed by the vendor.

Well, yes, unless they also FISA'd the signing keys. Then they can compile it, sign it, and deploy it.

DanMarch 18, 2016 6:43 PM

homomorphic encryption can be really useful (in theory;it isn't really practical yet), but a potential problem is that it raises data integrity threats (an adversary could pretty much compute arbitrary functions on the data). A potential solution for that problem is a hash function that is homomorphic in the same way as the cryptosystem (in SWIFFT, h(x1)+h(x2)=h(x1+x2) if x1, x2, and x1+x2 are valid inputs). The hash function would be computed over the plaintext(not the ciphertext) when the data is first encrypted(the original message digest should also be signed). Any operation performed on the ciphertext must also be performed on the stored hash value (with the hash of the data). Any attempted decryption of the data must come with an audit log that shows all operations on the data. The decryptor should start with the original hash value of the plaintext and perform calculate the new values of the hash after every entry in the audit log. The final hash should equal both the claimed final hash and the actual hash of the plaintext. Someone who can't decrypt the data can only verify that the claimed hash value equals the hash value predicted by the audit log. If this scheme is done correctly, the decryptor of a file will know what operations were performed on the data(to prevent someone from multiplying their budget by 50, for instance) and check that only operations that are benign were performed on the file. This is useful for for cases where adversaries might want to modify the data in an abnormal manner(being able to compute arbitrary functions on data, even if you don't know what the data is, can be very useful from an attacker's perspective).

SasparillaMarch 18, 2016 8:21 PM

>> The solution? It's obvious: open-source. And messengers software that is decentralized.

I agree, otherwise the govts, controllers of markets will, inevitably win (for the most part, they already have with most of the tech industry). Apple needs to shift over (to Open Source but not necessarily free) if they want to stay (and really are) government free long term, otherwise, eventually they will fall too.

Frankly its a pretty bleak future we have right now, with possibly, one serious hardware vendor fighting it. The game is almost over.

>> I'm worried about hardware trojan. Intel ME, Amd PSP etc.

Intel is almost certainly compromised:

The question is how, IMHO, far into the hardware does it go?

WhiskersInMenloMarch 18, 2016 9:33 PM

There are more than these two parts here.
*) Because this is a public action if Apple was able to
comply they would be in the service business there after.
Not only can Apple sell the service but Apple can be
compelled by any court to service another just like the
other. Any court domestic or international, civil or criminal.

*) At the source level the apparent need is for the entire
platform. Not the source to an application or a suite
but the entire collection that is the sufficiently secure
platform for point of sales and other financial transactions.
Financial transaction and how to secure them is covered
by law. It is important to notice that Apple moves a LOT
of money through its own and other services.
You bank application, iTunes, Apple Pay and more.

xyzMarch 19, 2016 1:32 AM

>>Decentralized website (like ZeroNet) is another step
Yes. And we should stop using so called "web browsers". Every "site" should have app that you run isolated on your computer. App is opensource of course.

>>Intel is almost certainly compromised:
It's not compromised. It's a backdoored. US+NATO in, everyone else out. Thats why Russia has developed their own computer called Baikal. Their intel-service (funny) "notified" them.

>>What use is Open Source if the "bad guys" (sorry couldn't resist) have your CPU, GPU, HDD and NIC? And Open Hardware is nowhere around.
Homomorphic encryption. All software on your computer should be encrypted. Also all input/output channel your computer have should be "filtered" by hardware filter. In this case enemy can't exfiltrate your data.

There is interesting field called "secret program execution", google it.
Also read State considered harmful by Joanna Rutkowska (there is c3c video).

zellwegerMarch 19, 2016 10:43 AM

Isn't this a type of belligerent eminent domain? Companies spend enormous amounts of time and money on SW and HW development only to be forced to hand it over. Why should the gov't pay for it if they can just take it by force? Is that what's happening?

COYNE TIBBETSMarch 19, 2016 1:59 PM

@zellweger - "Isn't this a type of belligerent eminent domain?"

Yes, as a matter of fact, it is. But despite lots of hand-wringing on the part of politicians, there has been no serious impediment to eminent domain introduced by any government: anything can be taken by eminent domain.

Eminent domain is a taking of the right of property. Wiretapping without a warrant is a taking of the right to be secure in our persons, houses, papers and effects. As annoying as both can be in the right circumstances, the Constitution permits these, with proper judicial oversight. That makes both an issue for public policy, but strictly speaking not a violation of rights.

The real concern in this case is neither of the above topics, important as they are. It is that, in my opinion, the government is seeking a tool that it can deploy without supervision of the courts; and a precedent for obtaining such tools by judicial arm-twisting.

It has been understated in this case, I think, that there is no effective means to prevent the government from retaining a copy of the tool, and using it on their own without the assistance of Apple, in the future. What they're really after here is the signature of Apple (the signed package) because with that the software can be deployed on any iPhone.

Some might object that Apple will deploy it, but that is shallow analysis. The government will (or at least could) watch the deployment with an IMSI catcher; and will (or at least could) copy and retain the deployment package without Apple's knowledge. Redeployment is then an exercise in a man-in-the-middle attack on any iPhone that the government wishes to inspect without the knowledge of the owner.

There is a government theory that, since that is for military/intelligence use, then it is justified. But that is not what the Constitution requires: As a citizen, I have the right not to have the government search my house without a warrant. If I am law-abiding, there is usually no means by which the government can overcome that, since a warrant requires probable cause.

An illegal search is a violation of my rights even if I have done nothing wrong. The theory that this is about criminals or terrorists must therefore be rejected; it is about all citizens.

Against government violations of the rights of the innocent, there is no effective means of protection. Yes there are laws--unenforced. Yes evidence illegally obtained can be thrown out--but that doesn't apply to a law-abiding citizen. There are civil penalties, but the citizen must prove the violation occurred.

Some officials would jump in at this point and argue that, since the above is true, "No harm, no foul. What the citizen doesn't know won't hurt them." Which is nonsense for two reasons: influence on society and the nature of violation.

It is demonstrated, in multiple studies, that a perception of surveillance impedes public discourse. To prevent that is explicitly why the First Amendment exists, and why the Fourth, Fifth, and Sixth Amendments require proof (or at least probable cause) for their exemptions. The government can't breach these without doing damage to the public.

Second is the nature of violation. There are thousands of people who disappear every year. Suppose there is a man who is murdering hundreds of those people, and he is very clever, and evidence of his acts has never been found. Suppose I assert, "No harm, no foul. Since this man's murders are unknown, no one is hurt." Well, that's idiotic, isn't it? The fact that the man's act is unknown does not make it a matter of no consequence, and his undiscovered murders are violations despite non-discovery. It is the act that creates the violation, not the discovery of the act. Therefore, as the man should be called a serial murderer, the government should be called a serial violator of citizen rights; and the lack of discovery in either case is irrelevant.

The tool that would created by Apple, and the others that other companies would produce later, together become an established mechanism for wholesale violation of rights. The government ought not to be permitted access to such tools, as a matter of principle. Eminent domain is an important issue, but in this case it is a sideshow.

Clive RobinsonMarch 19, 2016 2:59 PM

@ xyz,

I'm worried about hardware trojan. Intel ME, Amd PSP etc.

I've been saying that this is likely to be a problem for quite a few years now.

The thing is that software being several layers further up the computing stack can not reliably --if at all-- detect hardware attacks which "bubble up". It's actually been shown that in Intel Ia-x86 chips the combination of various parts of the memory addressing logic actually form a hidden Turing machine, which as this is "ultimately privileged" has "access all areas" security implications. In effect as much if not possibly more so than the ME.

Put simply you can not "harden" a system below the point you access it in the computing stack. The ASM level of the software is about as low as ordinary mortals can get, but Intel can easily get at the underlying Microcode as can the ME. So at first sight "It's Game Over". But actually it's not.

The trick is working out ways to mitigate such issues. I've discussed them a few times with both Nick P and Wael and others.

From my point of view "multiprocessor" used in various configurations can mitigate much of the extetnal attacker risk and some but not all of the insider risk.

However this does not help if you are not a hardware design engineer with a reasonable amount of experience and a large chunk of money and test equipment.

For those not so lucky and whos skills are more base level admin than programer, try going around and buying up old --pre 2005-- desktop computers etc. Set them up to run off of a CD/DVD (knopix 7 appears to work OK with WinXP and earlier vintage desktops). Storage is done in a double encrypted form that is at file/container level on the HDless desktops squirted down a network using a file transfer protocol of your choice to a NAS etc file server which has FDE. If you want an extra bit of security use another HDless desktop in between again runing off of a CD/DVD and a floppy set up as a quite restrictive firewall. This should keep your files at rest secure and avoid HD drive level malware.

Yoshi (adopted son)March 19, 2016 3:19 PM

I can comprehend the value of somewhere being a means to disassemble a technology that was, is, and/or could someday become extremely dangerous. In those types of situations, it's important for people doing rescue oriented works to have tools to accomplish those goals.

Using your imagination, you might wonder what would happen if a malicious or corrupted or malfunctioning technology is so securely guarded by technology and yet remains actively as such from behind it's fortress. On the one hand, the technology could be of value left as it is if the threat is contained or inanimate like a prehistoric fly in amber. But on the other hand, if it's some kind of continued or rising threat that can't be befriended or freed or reprogrammed or redirected or repurposed or made non-threatening, it makes a lot of sense for the technology to defeat those situations to remain somewhere in some form or another as long as it doesn't become just as dangerous as the threat it's designed to counteract.

As with anything synthetic in our lives, it's important for these things built and invented to not be so impervious as to prevent ourselves from escaping our own inventions. I can imagine several concentric barriers to a kind of "hell" where the worst technology is encapsulated in decreasing layers of unpleasantness from inside to out, in a way that blends into kind of a gradient so it can be tolerated on the outside.

It seems like modern technology is at a turning point.
Science fiction sometimes functions as a useful conceptualisation of problems.
It's important to be able to contemplate problems in order to solve them without being terrified just by the mere thought.

In alot of ways it seems like humans could end up strangers to their/our own technological legacy/legacies since so much technology is spreading and being developed and is cross-pollinating in ways that aren't entirely predictable.

Some things that were fiction in the past, have been invented and are now part of everyday life. And what of the things that existed before us (humans/human-compatibles)?

GordonMarch 19, 2016 3:22 PM

The NSA performs defensive oriented security audits on source code, as do other major governments. That is for code which runs on DoD and other very sensitive government networks.

It would be another division (not anymore now that they are combined), that would ask for source code for offensive purposes.

The DoJ is very far from the NSA. I would suggest that of the worst travesties ever performed by any federal, USA agency in regards to secret surveillance, that would be the DoJ via the FBI division. Under J Edgar Hoover.

Why these news articles, and others, on these subjects did not mention these defensive security reviews, I do not know. Because of their widespread nature, they certainly have been in the news before, long ago.

Where there are abuses by the NSA, this is usually called for by the DoJ.

The failures of the DoJ are not because of "conspiracy", to, say, hamstring American citizens, and corporations, as well as other governmental agencies. But, because the DoJ is comprised of lawyers, who are power hungry, oversee one of the most corrupt judicial systems the planet earth has ever had visited upon them.

They are frequently very out of touch people, very far from mainstream Americans.

And they typically are extremely career hungry. They are selfish and either want to rise within their own ranks, like sharks, or they want to jump from prosecuting to politics.

While I address the problems as being domestic abuses of power and authority, this is also what should be the foremost concern of citizens of foreign nations. Because the more unstable and corrupt the American system is, the more America will spread that corruption and abuse of power to other nations.

GordonMarch 19, 2016 3:44 PM

@Yoshi (Adopted Son)

I can comprehend the value of somewhere being a means to disassemble a technology that was, is, and/or could someday become extremely dangerous. In those types of situations, it's important for people doing rescue oriented works to have tools to accomplish those goals.

This is not the issue here. The US Government can hack these phones already. The DoJ can not. Why intelligence and military won't share with the DoJ is because these are highly secretive, compartmentalized programs.

However, it is true, what Apple is aiming for is a system which has "unbreakable" (very secure) data at rest encryption. And very secure end to end encryption. This phone in question is older, and less secure in these ways then more modern iPhones. However, even modern iPhones continue to have some flaws in their implementation of encryption. Which Apple has very plausibly stated they are working at addressing.

And they should.

This desire is certainly not just for and by Apple, but by many vendors, for many types of systems.

1. Billions of people's system security relies on such encryption, both in the US and in foreign nations who purchase their products.

So, a more apt analogy would be, "why have really strong material in airplanes, because when they crash, then it might conceivably be that strong material could work against rescue workers". Problem is weakening the material would highly escalate the number of airplane crashes.

2. How does this security help? If your laptop, phone, or even desktop system is stolen - or any other computer device (IoT, future, etc) - then conceivably thieves and spies can not get at the data.

How often are such devices stolen or lost? Very far more frequently then arises a situation where authorities can not access them.

3. The DoJ is not a technical organization. The FBI is a mere division of the DoJ. They also are not a technical organization. In fact, they both do almost literally a million things. So, they have nowhere near the expertise of technical organizations (like military signals intelligence, CIA/DHS DST, NSA, USSS, etc), budget, resources -- anything.

This is not their conversation to have. They should not be having it.

4. The DoJ is clearly not an intelligence organization, either. This "strategy" of whining on the global forum incessantly is deplorable and entirely counterproductive to all intelligence purposes. All it means is that they are broadcasting to every one they believe they should spy on, everywhere, that they have every intention to do so.

So, if you are a consumer and have a choice between a phone which has a label on it, "J Edgar Hoover is Listening to Everything", versus one that says, "Super private and security" -- which would you choose?

Loss of American business.

The technical industry is not so iron clad as they think that it can withstand constant media onslaughts to the chest.

They care nothing about that. They are oblivious. They are politically focused lawyers who only care about their own stature.

And, it actually needs to be said: so if you are a terrorist or criminal, given the choice between "which phone to buy" as stated above?

Which would you choose?

Really, it should be mandated in law school, and certainly in every American college, that their kids get educated in the history of totalitarianism.

You know, the 20th century?

It might also help for them to be taught about the value of liberty and the meaning of "free" in "free" nation.

It certainly is not about McDonald's and parties and television shows.

If people are fighting simply for consumer apparel and fast food, they have entirely missed the point.

It is not that which is worth living -- dying -- and suffering for.

It is the liberty and righteousness of government.

dMarch 20, 2016 3:03 PM

@xyz - "And we should stop using so called "web browsers". Every "site" should have app that you run isolated on your computer. App is opensource of course"

Web browsers and expectations of interactivity are indeed disasters as far as security/privacy/anonymity are concerned, there are so many ways of fingerprinting and subverted the 'orrible bloat that browsers have become. They have effectively gone down the road of being smart dumb terminals onto a mainframe - all pretending to be web browsing.

However, I don't think one needs to go down the route as far as needing an app per site, even if opensource. The way I think about it is rather like EDI and medium-latency message passing - on a domain-specific basis, you'd need to have some agreement about an xml-based message format, but that could easily be parsed/constructed by a more general purpose app; and you could then put GUI/analysis on top of that to suit. It's my prediction that dark marketplaces will go down this route sooner or later.

The reason the detached message-passing approach hasn't been done for consumers is that commercial interaction wants you by the eyeballs.

But with message passing with medium latency, and construction and parsing of messages by a local app, many of the attack vectors and fingerprinting would be removed.

Doug CoulterMarch 20, 2016 9:36 PM

Ah yes, the researcher's fallacy - if I can't do it, then no one can - after all, *I* am a god-like researcher with a piece of paper that says I'm smart.

I call bull. Long before computers became so fast and cheap that most embedded product ran linux or gack, winCE (burning a million cycles and a meg of ram to do what we did in a few hundred cycles and a few K) - we embedded engineers wrote our own simple opsys (often like the one used in arduinos) on simple little uPs in the 8051 or PIC lines, or similar. Guess what's in those disk drives and so on?

Do these guys really mean to suggest that a modern, competent engineer can't simply take the factory provided example re-flash code, and the factory provided "software update" code, run it through a disassembler, and in short order have their way with it? (As the saying went, if we knew what we were doing, we'd call it engineering, not research)
There are only so many instruction sets, and I personally know and have worked with many that can see a hex dump and know what the CPU was in seconds, in order to pick the correct disassembler and cross reference tool.
Even without that, it pays to cite just one modern example of non-state-actor, non-source code provided "hacking" that was not even all that hard, just to get things back to some semblance of "real" here. Yeah, these guys are smart. They aren't the only ones to ever live, now, are they? Hacking SD cards
The above is an example of reverse engineering and reflashing USB flash storage from random sources. It's the same problem with a disk drive (only simpler in many ways). Same kind of CPU, only with the big boys, as I mention above, we have sample update burning software, and samples of before and after any updates, we don't have to guess much.

Clive RobinsonMarch 21, 2016 1:25 AM

@ Doug Coulter,

Long time no hear, I trust the world is well with you and yours.

As for the re-flashing an HD, I suspect it's a third or fourth hand statement.

The real problem is the interaction of three or four CPU's using common memory and several mechanical devices, and not having a detrimental impact on the performance.

Thus I can see one engineer saying that "it would be near impossible to do it undetectably" and it getting repeated a few times and "near" getting left out one time then "undetectably" another.

Such are the joys of "Chinese Whispers", somewhere on the Internet will be the engineers lament or what ever it's now called. That started with,

    On reading the project specification the engineers said "This is a crock of sh1t, we should stay well clear"

Then goes through the various layers of managment each one changing it slightly untill it gets to,

    And the CEO looked down upon the project and saw that it was good, and all the engineers said "Oh sh1t"...

It's also probable that the actual HD code is very fragile to changes in several dificult to recognise ways. As with the control systems of fighter jets etc, there is a lot of hidden knowledge to reverse engineer, get it wrong at the edges of the flight envelope and it will one day flip you out of the air.

de La BoetieMarch 21, 2016 6:54 AM

Please to see that the Crock - aka Powerful New Product - lives on.

I've done my best to propagate this meme, and it's good that, when referred to in conversation with peers, there's instant understanding.

Doug CoulterMarch 21, 2016 9:45 AM

Thanks for the kind words, Clive, yes, things are going well.
OT, but I'm still at it building a many-machine (some PC class, some uP) remote control and data aq system for my fusion reactor, which has had a breakthrough such that it now requires all that for safety. It worked all too well for a bit and almost killed me with exposure to radiation. Now I have a control station in another building for safety. (Dunno if anyone here has looked at my site, but a lot of that is up there)

Yes, I've seen "the telephone game" change "oh shit" into "powerful fertilizer" several times. But that's in getting the stuff built in the first place.

Once it's out there - with the manufacturers making it easy to "update" instead of spending and testing to get it right on the first go - providing tools for (jumper-free!) modding the code in the device (pure security by obscurity, but with documentation - the reflash code, provided, so no obscurity), and examples of "before and after" and saying what that change supposedly fixed, it really doesn't seem that hard, but then, there are at least a few people I know (self included) who have done this kind of code out there - including dynamic or DSP that handles the types of issues in a disk drive - SNR from the head signal, servo inertia, overshoot, lag, bog standard error correction and so on.

A mobo bios can be "simpler" given you're leaving many parts of it alone, and for certain you know the CPU that most of it runs against (though caveat, I hear that some CPU makers are adding a little additional CPU in there and being opaque about it). Actually, that's true of a disk too - most code you'd leave completely alone and just perturb say, the bad-sector stuff to keep some of the good sectors for nefarious use. Honestly not that hard. You wouldn't be diddling with the internals of the seek dynamics or ECC to do that - just what you do with the answers they provide.

Thus I don't buy into the claims of "no one can do this without source code". And having once been part of a "state actor" - well, they have money, but I left because I refuse to work around mostly dumb people. My own team reverse engineered many uP dev systems to find how their internals worked (and discovered the reason some things were deeply hidden - patent violations) - and it just didn't take that long - a day or two for 3 pretty decent guys. With code that has to fit in a few KB, and a disassembler that can build a call tree...(many also track ram usage and (re)alloction)'s hard to convince such as myself this is "state actor or insider-only" work. And if that freely available "reverse engineering mother's little helper" code doesn't quite get it done - there's always the prospect of just adding a little code in unused space to help "trace" what's going on in there - it doesn't have to drive an HD monitor after all, it can just wiggle an unused pin and so on. Scopes are cheap, and brains, while not common, are still around.

While it has to be small as a percentage, I can't believe that there is no one left who has been at this game since before MFM or RLL head signals and most of the controller on a board in a PC (I worked for DEC before there WERE IBM PCs). Lots of people knew how to do this kind of thing, you sort of had to. Some of them are likely not as well off as I and susceptible to a little money on the side...

Remember, these devices aren't running a huge multitasking opsys - they can't, it'd cost too much - pennies matter here - and get in the way of deterministic realtime performance. And it's not as if many hacks don't fail in some way re reliability - this is not news, they don't always work as planned, and some are caught that way - because in fact, they exist.

I guess it just hit me wrong to hear a statement logically equivalent to "if I'm not smart or dedicated enough to do something, no one else can be" as it seems a sign of ultimate hubris, or an attempt at spreading misinformation. As to the former, "those the gods would destroy, they first make vain".

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.