Task Force Report's Langauge Hints At Backdoors In Software

from the but-of-course dept

After looking over the White House intelligence task force's proposals to reform the way the US government does surveillance, we pointed out one oddity that hinted that the NSA may have been engaged in financial manipulation. Others have been combing through the report for other hints of things it might accidentally reveal, and Ed Felten (who I still think should have led the task force) has spotted another one, in how the report discusses the issue of backdoors in software. He notes that the wording is odd in the following bit:
Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability , or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.

[Footnote: Any cryptographic algorithm can become exploitable if implemented incorrectly or used improperly.]
A quick read of that might suggest that the panel did not find out about any such backdoors and that the NSA told them there were no such backdoors. But Felten notes that, especially given the NSA's almost pathological need to say things that appear to imply one thing, but which can be read to state the exact opposite, if the wording came from the NSA, it may be indicating the existence of backdoors of some kind.

Turning to the text, the most interesting feature is the difference between the first and second sentences, which have parallel structure but use different language. Here’s a chart laying out the differences:

First sentence Second sentence
unaware of any vulnerability in vast majority … no vulnerability
vulnerability created by USG [any vulnerability]
generally available commercial software generally used, commercially available … software
[any software] encryption software
puts users at risk of [non-USG exploit] [exploitable by USG] or anyone else
decrypting data unauthorized access

This structure leaves open the possibility that there are vulnerabilities known to and exploitable by the US Government (USG). These might fall into several categories:

  • vulnerabilities created by the USG that are exploitable only with the knowledge of a cryptographic key known only to the USG. An example would be the widely suspected backdoor in the NIST pseudorandom number generator standard.
  • vulnerabilities created by the USG that allow access to data by means other than decryption, for example by allowing remote access to data at rest, or by causing copies of data to be sent to NSA collection points.
  • vulnerabilities in software that is not generally available, such as internally developed software used by large companies to manage their data centers.
  • vulnerabilities that are in non-encryption software and were not created by the USG. These would be outside the scope of both sentences.
He goes further to note that the lack of definitions around "generally available commercial software" and "generally used, commercially available... software" leaves open a world of unanswered questions.
One wonders how the people who chose those phrases would classify critical open source software such as Linux or OpenSSL. Are these “commercial software”? Even if not “commercial software”, are they “commercially available”? I can see two possibilities here. Perhaps this is imprecise drafting by the panel who might have intended to cover all of the relevant software but, being less familiar with the technical community, might have missed this nuance. Or perhaps this is one of the NSA’s word games, meant to leave a loophole.
Some will, undoubtedly, argue that this is all nitpicking, and we should take the report at face value. However, given that nearly every time the NSA has been asked to discuss various programs, it seems to carefully parse its words in exactly this manner -- to imply one thing, while really meaning the exact opposite -- it seems that the NSA has lost the benefit of the doubt here, and it's perfectly reasonable to raise questions about what is truly meant by certain claims.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    DogBreath, Dec 20th, 2013 @ 10:41am

    The Task Force was just following standard procedure

    Some will, undoubtedly, argue that this is all nitpicking, and we should take the report at face value. However, given that nearly every time the NSA has been asked to discuss various programs, it seems to carefully parse its words in exactly this manner -- to imply one thing, while really meaning the exact opposite -- it seems that the NSA has lost the benefit of the doubt here, and it's perfectly reasonable to raise questions about what is truly meant by certain claims.

    And that "standard procedure" is and always will be:

    http://www.youtube.com/watch?v=i1pIGub6R6g

     

    reply to this | link to this | view in thread ]

  2. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Dec 20th, 2013 @ 10:51am

    Sheesh. Just assume it's nailed down. Dithering wastes energy.

    You are in no way harmed by assuming the worst, that Microsoft, Apple, and Google fully co-operate with NSA by providing backdoors into OSs. Plenty of hints over the years. Almost impossible that NSA would overlook such an obvious and handy notion. -- BUT Mike is still keeping the uncertainty going! Mike has trouble stating a position for start, and of course since his precious Google would be next implicated, it's not likely that he'll be able to state yes or no until it's been in the WashPo.


    By the way: what's missing this year at Techdirt? Mike hasn't mentioned a holiday T-shirt sale! My bet is that he doesn't care because getting so much unearned income from kiting of the stock market as privately-owned Federal Reserve "buys" Treasury notes: down to "only" $900 billion a year now -- a tiny "tapering" that caused elation to break out on Wall Street. (And recursive "by the way": we don't KNOW whether ANY numbers are real: the Federal Reserve has never been audited!)

    Relevant reading: http://www.activistpost.com/2013/12/manipulations-rule-markets.html

    Or, could be that even Mike has at last recognized that selling T-shirts won't work. -- And if he NOW says "T-shirt sales are doing fine", so what? We've no way to verify!

    Mike may sell a few T-shirts with Techdirt logo, but I bet his lunch dates are open.

    06:50:21[h-501-3]

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Dec 20th, 2013 @ 10:55am

    Microsoft is handing NSA known Windows vulnerabilities BEFORE FIXING THEM [1] all the time. So they don't even need to have a "planted backdoor" in something like Windows, that could probably be discovered eventually - they just give them fresh ones every week, that NSA can use for about 6 months until Microsoft fixes them. That's more than enough for NSA.

    [1]- http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Dec 20th, 2013 @ 10:59am

    Re: Sheesh. Just assume it's nailed down. Dithering wastes energy.

    You are in no way harmed by assuming the worst

    Except inasmuch as it makes you a little more like OOTB.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Dec 20th, 2013 @ 11:07am

    The NSA has lost its creditability in the handling of the Snowden revelations. It has lied at every opportunity its had and squandered its believability.

    At this point every bit of data coming from the NSA, the administration, or politicians over favorability for the NSA also has to be examined under the same microscope. The DOJ has proven that words are to be molded as putty into the shape they need to continue or to justify some previously illegal method. It should be understood that every statement will contain a lie if not more than one, to cover its excesses.

    "In no way harmed" is not a good standard with people who hold this data given their lack of ability to determine what is ethical behavior. It probably should read "In no way can be proven by your specific knowledge".

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    madasahatter (profile), Dec 20th, 2013 @ 11:52am

    Backdoors

    I almost certain there some degree of cooperation between various US IT companies and the NSA. Also, this would be true with other countries. The key is the degree of cooperation. Is it deliberating creating backdoors or allowing the NSA to use zero-bugs before they are fixed or generally known? Or is it more at arms length were the company cooperates when forced to by FISC orders?

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Dec 20th, 2013 @ 12:46pm

    "Some will, undoubtedly, argue that this is all nitpicking"

    If you look at how they've nitpicked their way around the Constitution to imply that spying and data collecting was legal.. then why not go over it with the scanning transmission electron holography microscope

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Theodore Ts'o, Dec 20th, 2013 @ 1:29pm

    And what about hardware?

    As I pointed out earlier on G+, I find it very interesting that the report only talks about introducing backdoors in software, and says absolutely nothing about NSA introducing vulnerabilities in hardware.

    https://plus.google.com/+TheodoreTso/posts/EEemB13Qkxe

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Dec 20th, 2013 @ 4:42pm

    Re: Sheesh. Just assume it's nailed down. Dithering wastes energy.

    By the way: what's missing this year at Techdirt? Mike hasn't mentioned a holiday T-shirt sale!

    Wrong again, Blue. You're doing that an awful lot.

    http://www.techdirt.com/articles/20131128/18513425404/news-techdirt-insider-shop-bitcoins-black- friday-2013-holiday-bundle.shtml

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Eldakka (profile), Dec 20th, 2013 @ 5:22pm

    unauthorized access

    ...there is no vulnerability , or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.


    If the access is approved by the various FISA rulings/congress approved programs that are used for data collection, or via the NSA internal processes, then isn't it, by definition, authorized? At least from an NSA perspective?

    Sure I may not have authorized the NSA to decrypt my data, but some other process, warrant, internal NSA process or whatnot may have authorized it.

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    JackOfShadows (profile), Dec 20th, 2013 @ 11:03pm

    Ya know...

    ... every time I see one of these government agency or committee reports, it reads like an TOS/EULA 'cept we're the ones getting used or served.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Dec 21st, 2013 @ 11:09am

    Windows

    Google Windows NSAKEY

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Just Sayin', Dec 22nd, 2013 @ 9:31am

    Re: Re: Sheesh. Just assume it's nailed down. Dithering wastes energy.

    Limited time offer that is still available, with unlimited quantities (I test ordered a very large number and it was willing to process if I hit the button). Safe to say exclusive is a very different thing in Mike's world.

    Oh wait, that would be just be nitpicking, right?

     

    reply to this | link to this | view in thread ]

  14.  
    icon
    Slinky (profile), Dec 23rd, 2013 @ 6:02am

    Re: Windows

    The NSA/USG will be interested in collecting all the data they can get access to, using whatever means to do that. 'They' will most likely target all software that is widely distributed. Like Microsoft Windows, Linux, Adobe and so on, that will also need regular updates. All Cloud-based software will ofcourse also be a target.

    Bruce Schneier points out that we need more encryption to at least make it more difficult for the NSA to do their snooping.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This