Encryption

Was the US Telecom Breach Inevitable, Proving Backdoors Can't Be Secure? (theintercept.com) 29

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecom breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.

Thanks to Slashdot reader mspohr for sharing the article.

  • by jdawgnoonan ( 718294 ) on Saturday December 14, 2024 @09:48PM (#65014179)
    The US Government cannot afford the best IT guys and their archaic purity rules go further to ensure that they only have mediocre talent. I mean the government no ill, but they are basically well meaning idiots.
    • by Canberra1 ( 3475749 ) on Saturday December 14, 2024 @10:11PM (#65014219)
      The US govt does have excellent standards and advice - only the various departments do not follow it, and want to carve out cost/convenience exceptions all the time. Homeland Security or CERT advice: Nope. NIST standards - Nope. Active Monitoring - Nope. Trusting commercial products/solutions that are untested and unworthy and not patched instantly - Fail. Now that FBI have been caught out again, they give the problem to PR spinmasters to cool the heat, and use lies/omissions to cover egregious incompetence. Who signed off on the forensic audit of this backdoor vulnerability? These are the people that need firing. Also ask the question who did the last pentest report on said failure? Remove them off the panel consultant list.
      • by mysidia ( 191772 ) on Sunday December 15, 2024 @12:25AM (#65014341)

        Who signed off on the forensic audit of this backdoor vulnerability?

        It SHOULD be made a charge with formidable penalties both criminal and civil for government personnel to negligently sign off on an audit result that should apply excepting for a one-off incident where it can be proven the signer examined it with thorough due diligence and had not overlooked multiple issues or glaring issues any diligent and qualified reviewer could not reasonably have missed.

        • ... excepting for a one-off incident ...

          Um ...
          The password only needs to be stolen one time. Yes, that's what the FBI will mean by excepting a "one-off". Because, they know and they promise, this time, back-door security will be different.

          US justice/intelligence agencies can't and won't change.

  • by Baron_Yam ( 643147 ) on Saturday December 14, 2024 @10:13PM (#65014223)

    If you mandate the same lock be installed everywhere, eventually somebody will copy that key and have the same access you do.

    Anybody in IT or with a lick of common sense could have told them this. Many actually did. Nobody listens.

    • by mysidia ( 191772 )

      If you mandate the same lock be installed everywhere, eventually somebody will copy that key and have the same access you do.

      They could have deployed each lock with a different key and used public-key crypto both for negotiating authorization for backdoor operations, And for providing decryption keys for the response to backdoor requests.

      For example: If each payload is encrypted with a different symmetric key, and that symkey is written to a separate medium encrypted to an authorized public key.

      And th

      • by Bahbus ( 1180627 )

        The bad guys can't launch our nukes, because the systems to initiate launch are analog. There are no digital or automatic fallbacks for launching them. No alternatives or bypasses. Which is why it's always such a dumb and ridiculous concept when movies/TV have hackers or AI launch American nukes. It's literally not possible. There is no combination of hacks you can possibly make that would ever work. It wouldn't even matter if China played some sort of long con to get some microchip they've compromised into

  • We can imagine ways this could have been done somewhat securely and many disastrous ways it was probably done.

    Without knowing what the thing was it's hard to know if it was bound to fail, or if say a double agent stole the highest-order keys.

    • We can imagine ways this could have been done somewhat securely and many disastrous ways it was probably done.

      Without knowing what the thing was it's hard to know if it was bound to fail, or if say a double agent stole the highest-order keys.

      Very difficult to lock down the human element.

      Offering an employee $100,000 for their key is difficult to detect and track. Even a multiple key system (multiple employees) would fall to this type of exploit.

      A strong logging system might help (ie - always log who is using the feature, and verification with an associated court order ID), but sysadmins can still wipe logs, hand-edit log files, and so on.

      Maybe we should start with an open source signed logging system. Something block-chained, so that no individ

      • by mysidia ( 191772 )

        Offering an employee $100,000 for their key is difficult to detect and track.

        A starting point would be to Not have keys most employees have access to worth 100k in the first place.

        One obvious way would be to have a two or three-person rule. No one employee has access to the keys for the system. Should you need to operate the system, then you need to prepare a request for that system, and the system will Not accept it until 3 employees sign the request within a short period of time. At which t
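The two controls raised in the comments above (an access log that records who used the feature and under which court order, chained so hand-edits show up, and a three-person rule with a time window), sketched as an added example that is not part of the thread or of any real lawful-intercept system. HMAC stands in for per-employee signatures, and the names, keys, order ID and 300-second window are constructed assumptions.

```python
import hashlib, hmac, json

WINDOW_SECONDS = 300   # assumed value for the "short period of time"
REQUIRED = 3           # three-person rule
GENESIS = "0" * 64

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def approval_tag(key: bytes, request: dict, ts: int) -> str:
    # HMAC stands in for a per-employee digital signature (assumption).
    return hmac.new(key, _canon([request, ts]), hashlib.sha256).hexdigest()

def valid_approvers(request, approvals, keys) -> list:
    """Names of distinct approvers with a valid tag; [] unless the rule is met."""
    seen = {}
    for who, ts, tag in approvals:
        key = keys.get(who)
        if key and hmac.compare_digest(tag, approval_tag(key, request, ts)):
            seen[who] = ts
    in_window = seen and max(seen.values()) - min(seen.values()) <= WINDOW_SECONDS
    return sorted(seen) if len(seen) >= REQUIRED and in_window else []

def entry_hash(prev: str, record: dict) -> str:
    return hashlib.sha256(prev.encode() + _canon(record)).hexdigest()

def append(log: list, request: dict, approvals, keys) -> bool:
    """Log the access only if it names a court order and three people approved it."""
    who = valid_approvers(request, approvals, keys)
    if not request.get("court_order_id") or not who:
        return False
    record = {"request": request, "approvers": who}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": entry_hash(prev, record)})
    return True

def verify(log: list, trusted_head: str) -> bool:
    """Recompute the chain and compare with a head hash kept off the logging host."""
    prev = GENESIS
    for e in log:
        if entry_hash(prev, e["record"]) != e["hash"]:
            return False
        prev = e["hash"]
    return prev == trusted_head

# Constructed sample data: hypothetical approver names, keys and order ID.
KEYS = {n: n.encode() * 4 for n in ("alice", "bob", "carol")}
REQ = {"court_order_id": "ORDER-EXAMPLE-1", "target": "line-0001", "operator": "dave"}
```

The chain only helps if the latest head hash is stored somewhere the log's administrators cannot write; an admin who can rewrite both the log and the head can recompute every hash.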

    • Is there even any single it? I don't see any government mandated access protocol.

  • A secure backdoor is like a healthy disease, or a perfect defect. A backdoor is malware per se, so any system with a backdoor must be considered pwn3d.

  • The next federal government coming in January is replete with people — including POTUS, several former congressmen, and others — that were surveilled by FBICIAHHSDOJ etc., for bullshit like the Russia collusion hoax. The next FBI director is among them. Awkward much?

    While I can't expect you to love Trump, one thing is absolutely certain: if there was ever the slightest chance in hell of even the least bit of resistance to these backdoor schemes, it's now, and it's almost certain to be the on

    • I would indeed expect criminals to want to eliminate tools that could expose them. However, these ones are beyond most consequences and have use for these tools to control those beneath them.

      I wouldn't hold my breath waiting for Trump to save you from government surveillance.

  • Obviously (Score:5, Informative)

    by gweihir ( 88907 ) on Saturday December 14, 2024 @11:38PM (#65014311)

    Enough actual experts have thought and written about this. For decades. There really is no reason for doubt anymore. Backdoors cannot be reliably secured for the foreseeable future, period. And attackers will find any existing backdoor a big help for their efforts.

    This may eventually change. Maybe next century. Maybe later. Maybe never.

  • If the only way to catch the bad guys (no matter how bad they are) is to weaken security for everyone then I say let the bad guys go uncaught.
