US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)
schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such a FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products.
They are correct (Score:5, Insightful)
And companies don't need a court order to ignore them.
Re:They are correct (Score:4, Interesting)
And companies don't need a court order to ignore them.
You know the federal government has tens of millions of seat licenses of sales to keep your share prices high.
It would be a shame if something happened to that deal?
Re:They are correct (Score:4, Insightful)
And governments as well as corporations abroad have even more.
You can now choose between pissing off about 5% of your market share or 95% of your market share when it comes out that you bent over and sold the 95% out to the 5%.
Re: (Score:2)
Erh... this is the Germany of "Mutti" Merkel, not Big Daddy Adi.
Re: (Score:2)
and good luck selling to those folks abroad if you kept your export license because you installed backdoors for the US government.
Basically, US software companies are put at a serious disadvantage. The real question becomes, whose cryptographic software can you trust? Certainly not Russian or Chinese, I'd say, and I'm sure others would add to that list.
Re: They are correct (Score:2, Informative)
Just like Qwest?
Re:They are correct (Score:5, Insightful)
Yeah, until wikileaks releases said documents and your company goes under. Too much risk involved and the government doesn't exactly offer protection from such cases. The risks involved are higher than the government ruining your prospects, because now your reputation is tarnished forever, just like Blackberry. These government officials no longer hold the sway as they used to pre-2010. Threats of ruining your business now result in these people closing up shop and the government ends up with absolutely nothing, other than stifling innovation and security in the process. This approach is no longer viable.
Re: (Score:2)
Actually I predict a new software Si Valley in some country that won't require back-doors.
Parent company can remain in the US or can leave, but the subsidiary company (not just a division of the parent) exists outside of jurisdiction of these asshats.
The long game is that this likely *will* push the highest talent out of the US and into these haven countries. This generation will be here, but the newer generations will migrate elsewhere.
Re: (Score:2)
What country will be better than the US at not requiring back doors? I can't think of any that I'd trust.
Re:They are correct (Score:4, Interesting)
In particular, they'll lose the licenses necessary to export the goods, or to import them if manufactured overseas. They can also lose government sales. With abusive legal tactics such as "Patriot Act" orders, a company refusing to cooperate with orders for backdoors is vulnerable to extremely destructive legal and extralegal abuse from the FCC and from Homeland Security.
Re:They are correct (Score:4, Interesting)
Qwest [wikipedia.org] provides a case in point example of what happens when you refuse the request. That's a real nice company you have there, it'd be a real shame if something was to happen to it.
Re: (Score:2)
OTOH a Chinese company has been blackballed on nonspecific assertions, just like a .ru AV firm.
Maybe they didn't build backdoors into their products...
Why would they need a court order (Score:5, Insightful)
when heavy-handed coercion will do the trick every time?
Sure you can choose your govt. Get dual citizenship and move.
Re:Why would they need a court order (Score:4, Interesting)
If I don't like Facebook, which I don't, at least I don't have to use it.
The problem, as always, is network effects. It was easy to avoid Microsoft too, right up until the point where you wanted to bid for a lucrative contract where the customer would only accept submissions using their complex Word template. Asking them for a copy in an open format would just have you marked as uncooperative and you'd lose automatically.
The same is increasingly true for Facebook. I don't use it, but an increasing number of companies use Facebook and Twitter as their primary method of providing customer support and provide discounts for people who like them on these platforms.
Re: (Score:3)
Just because you have an account doesn't mean you have to upload pics and statuses. If it's your job, do what you have to do and no more. Then you aren't any more exposed than using any other web site including this one.
Re:Cannot choose the government (Score:4, Insightful)
SuperKendall blathered:
You can choose politicians, but by and large the party division is a sham and the "real" government marches on regardless. Witness how many federal government departments shut down under Trump: 0
What utter, driveling bullTrump.
Republicans are trying to impose tax "reform" that will benefit the rich and giant corporations at the expense of the poor and middle-class, and small businesses. Every Democrat in the Senate voted against their version, and almost every Democrat in the House voted against their even worse version. The Republican-led FCC is hellbent on repealing the net neutrality rules the Democrat-led version enacted. The Republican president is about to move the U.S. consulate in Israel from Tel Aviv to Jerusalem, which will further inflame anti-U.S. tensions in the region (and is guaranteed to spark a global wave of new terror attacks against U.S. citizens, as well as increase the number of fresh recruits for Daesh, et alia). The Republican-dominated Supreme Court has struck down every attempt Congress has made at campaign finance reform, and has granted corporations free rein to spend as much money as they choose to influence U.S. elections. The Republican head of the Department of Justice is determined to revive the incredibly wasteful and counterproductive "war on drugs" at the exact time that the de-criminalization/legalization of marijuana has gained majority support among voters of both parties. The Republican-led EPA is doing everything in its power to roll back the Clean Air and Clean Water acts (that were enacted under a Republican president).
The list just goes on and on.
"There's no difference between the two major parties" is an outright, boldfaced lie perpetrated by Republican spinmeisters in what has been a remarkably successful, concerted, long-term campaign to persuade prospective Democratic voters to stay away from the polls - while the Republican base reliably turns out to vote against its own best interests (because "conservative values").
Benjamin Disraeli noted, "There are three kinds of lie: lies, damned lies, and statistics." Well, "there's no difference between the two major parties," is a damned lie - and you are a damned liar ...
Re: (Score:2, Insightful)
Republicans are trying to impose tax "reform" that will... ...change almost nothing in reality.
You claim to be Woke, but you have yet to Wake.
boil it down (Score:5, Interesting)
it boils down to:
"I want this. give it to me!"
"why? you have shown you can't be trusted with this. and, math also says its not possible."
"I don't care. I'll force you if you don't volunteer."
"looks like you want a fight. bring it."
and so on, and so on.
some companies will cave in, some will give the impression they are standing tall but actually do cave in. MAYBE there are actual companies that have enough power to say 'no' to the various governments, but I kind of doubt it.
it's sad to see the schoolyard bully - who has a power complex - unwilling to give in. every few weeks or so, we have another story about how some official wants to have access to ALL your shit and he will simply stomp his feet, cry and whine until he gets it.
it's a tiring process and such a waste of time and energy. and yet, here we are, revisiting this issue yet another time.
Re:boil it down (Score:5, Interesting)
To which the response is, "fine, if I can't have it then, fuck you, you can't have it either". You do that by shifting the encryption coding bit to FOSS, as a network add-on, and they can try to stick the back door in free open source code, which you can locally compile and then add to your software that lacks a network connection module. The encrypted network connection module can be served up by anyone and if they really need to hack your computer, they can hand you a national security letter and demand you hack yourself or just fucking apply for a search warrant and get busy with cameras and wires and people in the field, no 'bullshit control freak spy a thon for you' more specifically them. There was a time due to US regulation I had to download 128 bit encryption from the internet and install it myself, so, so hard, to do it again, in fact the US government drove FOSS encryption.
Re: (Score:2)
And your ISPs terminate all your traffic for not complying, which they now can with the upcoming repeal of net neutrality.
Brave new world.
Re: (Score:3)
In that particular case, the export restrictions also meant that the rest of the world couldn't have online banks. To resolve this problem, the rest of the world found their own solutions to those problems (most often in the form of a Java applet), and thus created their own software companies to do what the US wasn't able to do. The corporations duked it out, and eventually the export restrictions went away because it was extremely disadvantageous to American international business to have them in place. I
Re: (Score:3)
I am reminded of this saying: "a leader with no followers is just a guy taking a walk."
Re:boil it down (Score:4, Interesting)
It's usually held behind closed doors and handled, and if it isn't like the Apple issue, then there is a reason you and I don't know about. It will STILL get handled behind closed doors, the government will just have to give something up in return like looking the other way on Irish tax havens, etc.
restricting crypto (Score:2, Interesting)
It's usually not argued nearly that seriously. What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?
Export of what exactly?
For hardware, most things are made outside of the US, so they're actually "imported" by American consumers.
For software, you shift the crypto component offshore, and US customers "import" that component. OpenSSL (then SSLeay) actually began in Australia during the first 'Crypto War' of the 1990s to get around the US ITAR restrictions. Ditto for OpenBSD: strong crypto coded in Canada. Debian had a "non-us" repo for strong crypto:
* https://wiki.debian.org/non-US
As did FreeBSD:
* http
Re: boil it down (Score:2)
...and anything else the government has that they can legally do that are in their powers?
"Legally?!" You're a funny guy.
Re: (Score:2)
What CEO or corporation would argue with a government willingly knowing that the end result is going to be a cessation of government contracts, barring from export, and anything else the government has that they can legally do that are in their powers?
I don't know, but it suggests that companies barred from government contracts or exports are probably the companies with integrity that you want to do business with.
Re: (Score:2, Interesting)
Compared to what?
Compared to the level of security that you need from an organisation holding information that, if public, could cripple your company. Most companies are fairly good at keeping their own secrets, because they understand the cost of not doing so.
Re: (Score:2)
It's a question of whose secret it is. Companies tend not to secure their customers' secrets well. The government tends not to secure companies' secrets well.
Re:boil it down: End of Internet Connections (Score:2)
A lot of computer owners would probably wind up keeping certain computers completely off any network connected to the Internet if the government had the ability to force the use of backdoors.
That would be worse for the value of the Internet than anything else I can think of.
Re: (Score:2)
Already do.
I have three networks at my house:
* Internet connected (through IPFire and PiHole) LAN access (Wired/WiFi WPA2)
* Internet connected (through IPFire and PiHole) WiFi open (NO LAN access) labeled GuestMonitoredConnection
* Isolated. No Internet connection, different physical layer, no WiFi. Accessed through Bastion host that has IpKVM type connection to internal LAN. The bastion is able to RDP to all machines on isolated network, and it is connected to through use of a Raritan IPKvm on the LAN.
Re: (Score:2)
So your hacker access point is the WPA2. Hope you have logs.
Re: (Score:2)
Of course I have logs, I also have physical remoteness and a couple other measures (remember everything is moderated through IPFire, which supports RADIUS authentication).
Microsoft and the FBI? (Score:2, Informative)
Except they don't say no, remember Microsoft? Keen to get lots of surveillance contracts, they bent over backwards to give them disk encryption keys.
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
" Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal; The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail; The company worked with the
Bitlocker (Score:2)
Also bitlocker is 128 bit by default, and limited to 20 chars for the pw
Re: (Score:2)
I approximately never see this happening. People with rifles rarely shoot people at the top. I'm not going to condone assassination, but there's times when it seems like a few bullets in the right brain stems could have some very positive effects.
Buy Chinese (Score:5, Insightful)
They may be spying on you as well. But they won't be using what they get for any parallel construction.
Re: (Score:2, Insightful)
Yeah, this is why the intelligence community always freaks out about Chinese backdoors and such. This is their turf! Only they can spy on us!
Unless your job is handling classified material, then you have nothing to fear from the Chinese government going through every bit of data you ever generate. They literally have no way to harm you. On the other hand, the US government has not only the means but the motivation to harm you.
I remember some .ru email service was being promoted on Slashdot, and peop
Re: (Score:2)
I remember some .ru email service was being promoted on Slashdot, and people were shouting, "It's bugged by the KGB, don't use it!" Like, who cares? They're not going to care one whit about my life. The same with Kaspersky anti-virus.
This implies that you believe all the politics theater that you see in the press about how adversarial the relationship between the US and Russia is. But it is both cooperative and competitive in the region of information. We share some information. It's not safe to assume that your government isn't getting your personal information from some other government, in exchange for providing them the same kind of information about their own citizens.
Re: (Score:2)
FTFY
Re: (Score:2)
They also forward data, wholesale, as part of intelligence sharing about shared threats. There is a reasonably good, though self-serving, analysis at https://www.cia.gov/library/ce... [cia.gov] .
Re: (Score:2)
I don't believe that either should care about me, but I know which one is likely to cause more negative consequences for me if I end up being a false positive in their big data inference engines. I have a friend who had the same name as someone on the no-fly list (he doesn't anymore, because after a few years they added middle initials to the list) who can attest to how inconvenient it is to have even a low level of interest from the intelligence agencies in a country that you regularly visit or live in.
Re: (Score:2)
You have a point. What a sad, sad state of affairs.
Re: (Score:3)
Absolutely. If you are a government or a corporation, foreign spying is bad. If you are an individual, foreign spying is a whole lot more benign than domestic spying.
They are correct... (Score:3)
They did not need a court order to get Intel to install a backdoor into ME, AMD to install a backdoor into PSP, or Microsoft to install a backdoor into Windows 10, since they all did so quite willingly.
It is a shame consumers can no longer fully own their modern computers. And yet these government agencies refuse to cover any part of the cost of new computers which they have some control over.
Re: (Score:2)
No, that was achieved entirely by the Independent Coalition For The Continued Sales Of Tin Foil Hats!
Incidentally we're looking for a new acronym because ICFTCSOTFH doesn't really roll off the tongue.
Re: (Score:2)
There are plenty of ARM based systems available that don't contain these backdoors. Many use CPUs from non-US companies that are at least unlikely to have FIVE EYES backdoors in them, and some have extremely minimal ROMs that limit the scope for malware anyway. Plus those ROMs are real ROMs (not flash).
There are RISC V boards that can run Linux too. You still have to trust the fab didn't backdoor the design, but it's about as good as you can get short of making your own CPU out of twigs and string.
Re: (Score:2)
...and so it'll continue.
Let's say it'll cost $100 million to get the laws in place, and then to actually get all the tech companies to comply. Instead, just spend that money to 'motivate' those companies to do it for you without the laws and without the publicity.
Re: (Score:2)
Citation please.
There is *no* intentional back door in Intel ME up to version 9 (I left the company before 10 shipped, so can make no comment).
I am not gagged about not revealing anything via any NSL, and while I will respect my NDA with my former employer (even though the current CEO is a top shelf Asshat) I had full access to the source code, and had direct work with the authentication subsystem of the ME portion (NOT AMT) and I can categorically state that there was *NO* back door for any government in
Re: (Score:3, Informative)
The only country proven to have officially requested backdoors in equipment is the USA. Yet the USA spends money on getting Australia to refuse to buy from Huawei, to protect Cisco's mark
"It never hurts to ask!" (Score:5, Interesting)
Re: (Score:2)
Criminals will respond in a few ways.
What the GCHQ always warned about, going dark, just stopping using any collect it all communications after some other gov talks about collection too much.
Criminals will use expendable front groups to bait the networks and see what agency comes looking.
Telco work in the street. A new FBI utility pole surveillance cam was installed.
A small aircraft takes off at an airport, stays over a part o
Re: (Score:3)
But why would they?
Companies are run for short term gain... Deploying a backdoor could get you a short term injection of cash from the government for whom you created the backdoor.
Sure there is a risk the backdoor will be leaked in the future, but by then the people who made those decisions have taken their cash and run so they won't care.
Also even if a backdoor is discovered, it can usually be explained away as a bug. Even when obvious backdoors are found (see the recent juniper ssh backdoor) they can clai
Are these elected officials? (Score:2)
Re: (Score:2)
Yeah, because a Democrat would NEVER DREAM of such a thing [bankinfosecurity.com]. /sarcasm
Of course... (Score:3)
ASKING doesn't require a court order, and compliance is OPTIONAL.
So thats what PRISM had to hide (Score:2, Interesting)
If a company never refuses the gov, legal protections never had to be mentioned.
If the brand never says no the gov, they never have to tell their own legal department.
The Rules of Collect it all Club.
First rule of collect it all club, never tell an in house lawyer.
Someone yells whistleblower, goes bankrupt, sells out, the collection is over.
No lawyers, no admins.
One agency at a time.
Collection will go on as long as it has to.
If this is your first connection to the Coll
Why would they need a court order to ask? (Score:2)
I could ask a company to put a backdoor in their product if I wanted to. I might be laughed at, but I can certainly ask.
A court order is only required if you need to force the recipient to comply.
Re: (Score:2)
You need a court order to ask, if what you are asking is actually illegal, not just morally reprehensible.
Re: (Score:2)
I think Abraham Lincoln said that.
Just keep voting for the establishment (Score:5, Interesting)
The important thing is to remember to know your place, stay in your class, respect your betters, and don't ever screw with the aristocracy. Don't even suggest taking their money away, that would be morally wrong. You learned that in grade school economics. Capitalism got you into this mess and only capitalism can get you out of this mess.
Can you tell I'm bitter and angry? I don't suppose there's anybody on this forum that can make an ounce of that anger go away, is there? Well guess what, there's millions of guys just like me. And guess what happens when there's too many of us? What happened in the 20s? How about the 40s? Anyone want to take a crack at proving me wrong and injecting a little hope into this thread?
Re: (Score:2)
Would you be so upset with what you have if your alternative is what people these days are getting under the rule of Kim Jong Un?
It will be far worse for them when Kim Jong Deux will seize power!
(sorry, french joke, I couldn't resist)
Re: (Score:2)
Personally, I am not upset with what I have when I look at what the US is like.
Greetings, Europe.
P.S.: If you keep looking down for something to compare yourself to, you'll not improve. Look up to know what to aspire to.
Re: (Score:2)
What a ridiculous perspective. Reminds me of a gag from The Onion: Oh, sure, if you're going to compare us to first-world countries, we're definitely not going to come out looking so good. [theonion.com]
That's why I said right wing (Score:2)
The real question (Score:2)
What we seem to have are people who keep asking for the impossible without understanding what's really at stake.
Just tell me who does (Score:2)
Oh they can "request" all they want. (Score:2)
I'm sure it'll be VASTLY entertaining when they get told to pound sand.
The second it's been found out one of these companies has compromised their encryption this way, it's The End for them.
You know what I find funny ? (Score:2)
https://yro.slashdot.org/story... [slashdot.org]
Note that this article is from a local unknown journal, with NOBODY confirming what it pretends is happening, to my knowledge not even the local CCC knows about it, and at least if it tries to put it as law there will be a PUBLIC DEBATE, and this is Germany, not the US, people tend to really debate such things.
And here we have the US saying "fuck that we are above the law we can stamp you with FISC to have yo
Re: (Score:3)
It's a bit like if the US went and shot a person in public vs. North Korea doing it. In the US it would be an outrage. In NK, well, we kinda expect that by now.
Same here. Domestic spying, privacy elimination, trying to establish a Fascist regime... that's something we had come to expect from the US, hearing this from Germany is so odd and unfathomable.
In other news. (Score:2)
And US companies become untrusted internationally? (Score:2)
There was all this hand waving about the Chinese and Russians having backdoors to stuff sold in the US. How will the US having backdoors be any better, to any other government?
If it is a question of backdoors, then you might as well have low grade encryption, since it is probably not much better than the master key getting leaked?
Hackdoor software (Score:2)
give them all your data (Score:2)
Unfortunately ... (Score:2)
Unfortunately, the TLAs answer it ... "Just a second. Hold my beer."
Why is this still an issue? (Score:2)
Seriously, why is this an issue?
Public/private key cryptography has been proven secure. HTTPS is based on it, and it is strong enough for me to do banking on-line.
For cases like the police needing to get into an iPhone, all that needs to be done is to take the phone secret (say, an AES key or the phone unlock code), encrypt it using Apple's public key, and make this encrypted secret public (or present it over the USB port). Nobody can do anything with it, except the people who hold the priv
Re: (Score:3)
Have I missed something?
Several things, actually. First, your scheme requires the ability to export the private key from the device (even if it is encrypted). This is poor security practice. The current trend—long overdue, and implemented in response to real security breaches—is to generate and store the private key in a tamper-resistant secure chip, with no external access to the key material. All operations involving the key occur inside the chip. This protects against vulnerabilities in the operating system as well
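The escrow scheme proposed two comments up, together with this reply's objection that it only works if the device can read its own key material out, as an added example that is not code from the thread: textbook RSA at toy key sizes stands in for Apple's public key, and the class and function names (ExportableDeviceKey, SecureElementKey, device_wrap_secret, vendor_unwrap_secret) are constructed for this illustration.

```python
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for the toy-sized primes used here."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA pair for the vendor (toy size, no OAEP; demo only)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


class ExportableDeviceKey:
    """Device secret the OS can read back out: what the proposal relies on."""

    def __init__(self, nbytes=16):
        self._key = secrets.token_bytes(nbytes)  # e.g. the AES key guarding the phone

    def export(self):
        return self._key

    def tag(self, data):
        """A use of the key that does not reveal it (constructed stand-in)."""
        return hmac.new(self._key, data, "sha256").digest()


class SecureElementKey(ExportableDeviceKey):
    """Key generated inside a tamper-resistant chip: usable, never readable."""

    def export(self):
        raise PermissionError("key material never leaves the secure element")


def device_wrap_secret(device_key, vendor_pub):
    """Proposed step: encrypt the phone secret under the vendor's public key
    and emit the blob (e.g. over USB).  Requires export() to succeed."""
    n, e = vendor_pub
    m = int.from_bytes(device_key.export(), "big")
    if m >= n:
        raise ValueError("secret too large for this modulus")
    return pow(m, e, n)


def vendor_unwrap_secret(blob, vendor_priv, nbytes=16):
    """Whoever holds the vendor private key recovers the device secret."""
    n, d = vendor_priv
    return pow(blob, d, n).to_bytes(nbytes, "big")


def run_demo(n_devices=3):
    """Returns (every_secret_recovered_by_one_private_key, secure_element_wrappable)."""
    vendor_pub, vendor_priv = rsa_keygen()
    devices = [ExportableDeviceKey() for _ in range(n_devices)]
    blobs = [device_wrap_secret(k, vendor_pub) for k in devices]
    recovered = [vendor_unwrap_secret(b, vendor_priv) for b in blobs]
    all_recovered = recovered == [k.export() for k in devices]
    try:
        device_wrap_secret(SecureElementKey(), vendor_pub)
        se_wrappable = True
    except PermissionError:
        se_wrappable = False  # the scheme cannot be applied to a non-exportable key
    return all_recovered, se_wrappable


if __name__ == "__main__":
    print(run_demo())
```

The first result shows the single vendor private key opening every device's blob, which is the master-key risk raised elsewhere in the thread; the second shows the scheme simply has no input when the key lives in a secure element.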
Re: (Score:2)
You missed a couple of things...
Why? If RSA and/or ECC are really "uncrackable", and is mathematically proven so, I fail to see the problem.
Absolutely true. However, it has to be tamper-resistant because this chip stores PLAIN-TEXT KEYS. If the keys are stored encrypted, then the key encryption key
What happened to WE THE PEOPLE ? (Score:2)
You in the XXX organization of government have no right to use official resources to ask third parties to do things that go against our interests.
Congress hasn't passed an act directing you to "ask" companies to embed concealed defects into their products that you sell to the people, therefore, you doing so is an ABUSE.
Now if your directors of departments want crypto backdoors in YOUR OWN GOODS that you buy for the use by that government department from those same companies, that's a different matt
"Fuck you, assholes." (Score:2)
Why should we expect open source to be any better? (Score:4, Interesting)
What makes you think that open source software is somehow any better?
As the Shellshock and Heartbleed bugs have proven, just because source code is available it doesn't mean that anyone actually looks at it. When major open source software projects have serious bugs in them that go undetected for years or even decades, it's doubtful that a well-hidden backdoor would be found.
Then there are projects like systemd and GNOME 3, which have introduced a lot of new code into many Linux systems. Has all of this code undergone a strenuous security review? I very much doubt it!
Even the OpenBSD project, which is perhaps the most stringent and careful open source project out there, has had scares in the past [marc.info].
So I don't think we should consider open source software to be any better. It could very well be much worse.
Re:Why should we expect open source to be any bett (Score:5, Insightful)
Some code hasn't been looked at in a long time. Correct. There could be back doors. Correct. There could be vulnerabilities (intentional or not). Correct.
Every software project, open source included, will have vulnerabilities discovered. There will be scares and exploits of open source like any other software. But yes, you can expect open source to be better. Because:
1) Very few major open source projects have any contributions that occur in a vacuum. Multiple eyes see every patch and for the most part, those multiple eyes are most often from people in multiple organizations with multiple day jobs and multiple personal goals/agendas. Aligning enough people's agendas to get a back door in would be difficult for any major open source project. Intentional vulnerabilities would be easier, but still not trivial. This isn't 20 years ago, people actively look at each patch with an eye towards whether it is introducing a vulnerability. This model is diametrically opposite of any closed source offering, where contributions are by one organization and at the sole control of whomever holds the purse strings.
2) If a vulnerability is suspected anywhere, you (and literally everyone else on the planet) have the option and ability to examine the source at any time. When you do want to investigate any particular piece of open source software, you don't need to decompile or reverse engineer something to do it. You don't have to fight the software in order to test it.
There have been (and will continue to be) vulnerabilities exposed from older open source code written when there was less oversight and less strenuous security testing, but if you want to compare this to the number of exploits (and in some cases intentional back doors) that have come to light in, say, Windows, from ancient code that has thunked its way down from Windows 3.1, the score isn't even close. And it's not like Microsoft is performing strenuous reviews of their old code - these vulnerabilities have come to light often only from outside researchers performing painstaking and arduous external testing and reverse engineering.
So while you are correct in that open source will never be free of bugs or exploits - it's still written by people, as much as the nut jobs still decry that hard AI is just around the corner. But yes, in this it is just plain better than closed source.
Re: (Score:2)
I think the main difference is that in open source it'd take some extraordinary trick to create a backdoor or unofficial feature for any particular group or organization. Could you have Heartbleed-class bugs? Yes. But they're double edged swords, it could expose your enemies but unless you manage to roll out a massive, secret patch/firewall regime you'll be vulnerable too. How often does open source software secretly log data and send it off to a server in China? It just doesn't happen. Why is open-source D
Re: (Score:3)
What the Shellshock and Heartbleed bugs have proven is exactly the opposite of what you are saying. If they occurred in closed source software they would have never been found. Or they may be found but kept secret because it cost money to fix. Or they may be found but only the "currently supported" versions are patched, and people with old versions are just told to fork out more money to upgrade.
The name of the game is not there will never be vulnerabilities in the code. The name of the game is whether thos
Re: (Score:2)
So I question the plausibility of your conclusion that it's more likely a good person will find them first than bad.
It's borne out by the historical evidence, especially the 2 examples cited by the GP. Many of the examples where exploits are known by bad guys for a long time are in closed source, e.g. the Windows exploits from the Shadow Brokers releases that allowed WannaCry to take down the UK's National Health Service.
Re:List of assumed backdoors (Score:5, Interesting)
The radio coprocessor in cell phones typically has full "back door" access to the resources used by the main CPU and OS you interact with
This is not true on iOS devices. The connection between the baseband processor and main memory is quite restricted, because Apple's hardware team doesn't trust third-party IP cores and so locks them down. It's also not true for a few other SoCs, where the baseband core has its own private memory and communicates with the host via an on-chip serial interface. This was a very common way of implementing smartphone SoCs, because it meant that you could trivially validate that there was no way for the application core to modify the baseband core's state and so you could use the same baseband core on a bunch of SoCs without needing FCC approval for each one.
Re: (Score:2)
But the backdoor could also be hidden in the operating system. iOS is closed source so there's no way to know. I know some parts are open source but much is closed source so there is no way to do your own build to rule out a backdoor.
Re: (Score:3)
https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html [blogspot.com]
This is literally the front page of Googles Project Zero blog right now.
Sure Apple makes it a bit more difficult than some other phones but the core weakness is not eliminated. People often confuse vulnerabilities and exploits. Having a closed source chip in your baseband IS a form of vulnerability... there may not be a working exploit that is currently known, and it may be difficult to accomplish but it remains a weakne
Re:Want to kill technology? This is how. (Score:5, Informative)
No tech company would put in a back door.
Well, CISCO did.
Any that does is basically saying "Don't buy our product" because, as soon as they do, GUESS WHAT..people won't buy it.
Cisco did that too. And Intel is currently trying to do this as well.
Look at what happened to Microsoft after the news about PRISM. Microsoft tried to make the camera a 'requirement' for all X-Box One games until a massive backlash happened. Microsoft backtracked and it basically killed the X-Box camera for gaming outside of a short list.
People won't buy a product with a built in back door. Companies won't make a product that people won't buy.
Yes, but only if they think they will get caught. As any other criminal-minded entity, they of course assume they will not get caught...
Re: Want to kill technology? This is how. (Score:2)
Hi,
I represent the real estate agency T. Ermite & Mould, and I have a special offer just for you! Have you ever considered purchasing oceanfront property in scenic Phoenix, Arizona? Call now, we can't wait to speak with you!