Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption

Was the US Telecom Breach Inevitable, Proving Backdoors Can't Be Secure? (theintercept.com) 21

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecomm breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.

Thanks to Slashdot reader mspohr for sharing the article.

Was the US Telecom Breach Inevitable, Proving Backdoors Can't Be Secure?

Comments Filter:
  • by jdawgnoonan ( 718294 ) on Saturday December 14, 2024 @09:48PM (#65014179)
    The US Government cannot afford the best IT guys and their archaic purity rules go further to ensure that they only have mediocre talent. I mean the government no ill, but they are basically well meaning idiots.
    • by Canberra1 ( 3475749 ) on Saturday December 14, 2024 @10:11PM (#65014219)
      The US govt does have excellent standards and advice -only the various departments do not follow it, and want to carve out cost/ convivence exceptions all the time. Homeland Security or CERT advice: Nope. NIST standards- Nope. Active Monitoring - Nope. Trusting commercial products/solutions that are untested and unworthy and not patched instantly - Fail. Now that FBI have been caught out again, they give the problem to PR spinmasters to cool the heat, and use lies/omissions to cover egregious incompetence's. Who signed off on the forensic audit of this backdoor vulnerability? These are the people that need firing. Also ask the question who did the last pentest report on said failure? Remove them off the panel consultant list.
      • by mysidia ( 191772 )

        Who signed off on the forensic audit of this backdoor vulnerability?

        It SHOULD be made a charge with formidable penalties both criminal and civil for government personnel to negligently sign off on an audit result that should apply excepting for a one-off incident where it can be proven the signer examined it with thorough due dilligence and had not overlooked multiple issues or glaring issues any diligent and qualified reviewer could not reasonably have missed.

  • by Baron_Yam ( 643147 ) on Saturday December 14, 2024 @10:13PM (#65014223)

    If you mandate the same lock be installed everywhere, eventually somebody will copy that key and have the same access you do.

    Anybody in IT or with a lick of common sense could have told them this. Many actually did. Nobody listens.

    • by mysidia ( 191772 )

      If you mandate the same lock be installed everywhere, eventually somebody will copy that key and have the same access you do.

      They could have deployed each lock with a different key and used public-key crypto both for negotiating authorization for backdoor operations, And for providing decryption keys for the response to backdoor requests.

      For example: If each payload is encrypted with a different symmetric key, and that symkey is written to a separate medium encrypted to an authorized public key.

      And th

  • We can imagine ways this could have been done somewhat securely and many disastrous ways it was probably done.

    Without knowing what the thing was it's hard to know if it was bound to fail, or if say a double agent stole the highest-order keys.

    • We can imagine ways this could have been done somewhat securely and many disastrous ways it was probably done.

      Without knowing what the thing was it's hard to know if it was bound to fail, or if say a double agent stole the highest-order keys.

      Very difficult to lock down the human element.

      Offering an employee $100,000 for their key is difficult to detect and track. Even a multiple key system (multiple employees) would fall to this type of exploit.

      A strong logging system might help (ie - always log who is using the feature, and verification with an associated court order ID), but sysadmins can still wipe logs, hand-edit log files, and so on.

      Maybe we should start with an open source signed logging system. Something block-chained, so that no individ

    • Is there even any single it? I don't see any government mandated access protocol.

  • A secure backdoor is like a healthy disease, or a perfect defect. A backdoor is malware per se, so any system with a backdoor must be considered pwn3d.

  • The next federal government coming in January is replete with people — including POTUS, several former congressmen, and others — that were surveilled by FBICIAHHSDOJ etc., for bullshit like the Russia collusion hoax. The next FBI director is among them. Awkward much?

    While I can't expect you to love Trump, one thing is absolutely certain: if there was ever the slightest chance in hell of even the least bit of resistance to these backdoor schemes, it's now, and it's almost certain to be the on

    • I would indeed expect criminals to want to eliminate tools that could expose them. However, these ones are beyond most consequences and have use for these tools to control those beneath them.

      I wouldn't hold my breath waiting for Trump to save you from government surveillance.q

  • Obviously (Score:4, Informative)

    by gweihir ( 88907 ) on Saturday December 14, 2024 @11:38PM (#65014311)

    Enough actual experts have thought and written about this. For decades. There really is no reason for doubt anymore. Backdoors cannot be reliably secured for the foreseeable future, period. And attackers will find any existing backdoor a big help for their efforts.

    This may eventually change. Maybe next century. Maybe later. Maybe never.

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Working...