What The Intelligence Community Doesn't Get: Backdoor For 'The Good Guys' Is Always A Backdoor For The 'Bad Guys' As Well

from the get-with-the-program dept

Max Eddy, over at PC Mag, has a very interesting article about the experience of Nico Sell, of the company Wickr, talking about how an FBI agent casually approached her to ask if she'd install backdoors in her software allowing the FBI to retrieve information. As the article notes, this is how the FBI (much more so than the NSA) has acted towards many tech companies ever since attempts to mandate such backdoors by law failed (though, they're still trying). Some companies -- stupidly -- agree to this, while many do not. Those that do may think they're helping fight for "good," but the reality is different. They're opening up a huge liability on themselves, should the news of the backdoors ever get out, and at the same time, they're making their own product invariably weaker. As Sell pointed out to the FBI guy, she'd seen hackers piggyback on "lawful intercept" machines and learned:
"It was very clear that a backdoor for the good guys is always a backdoor for the bad guys."
Bruce Schneier, over at the Atlantic, recently made nearly the same point in talking about the massive costs of all of this NSA surveillance (as well as talking about the near total lack of benefits). There's the cost of running these programs that are massive. There is the fact that these programs will be abused (they always are). There are the costs of destroying trust in various tech businesses (especially from foreign users and customers). But just as important is the fact that the NSA, FBI and others in the intelligence community are flat out weakening our national security by installing backdoors that malicious users can and will find and exploit:
The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn't between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it's between a digital world that is vulnerable to all attackers, and one that is secure for all users.
As Schneier points out, to fix this, we need to recognize that security is more important than surveillance. The surveillance apologists always claim that their goal is security. If so, they have a funny way of showing it. The "solution" they've drummed up hasn't made us any more secure... it's made us less secure.


Reader Comments (rss)

(Flattened / Threaded)

  1. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Jan 9th, 2014 @ 10:19am

    Hey, Mike: "sunk (or fixed) costs" don't matter!

    They don't care about costs in money or our freedom. Especially not when the resources are skimmed off the very people under the tyranny. That's part of the inherent evil of gov't.

    Google's tailoring to YOU can selectively substitute, omit, and lie. You can't trust anything on the net, neither what you see nor what you don't see!

    06:18:56[h-325-2]

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Me, Jan 9th, 2014 @ 10:27am

    This is a good point, Mike.

    I turned on the radio today mid-interview with someone (so didn't catch who) defending the NSA and as usual saying Snowden's leaks had harmed the U.S. since now the NSA tech exploits (for instance, those on the "shopping" list) are known to foreign agents.

    What the idiot failed to realize is that harm was done by the NSA, not Snowden. The NSA forgot its mission to safeguard American technology in introducing these exploits, and the fact that foreign agents might use them is *exactly* the NSA's fault. A tailored, warrant-driven program would have saved us all the headache of mismanaged and hobbled technology introducing vulnerabilities for the entire world to stumble upon.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 10:40am

    In fact, Snowden has made the US more secure, by informing everyone about these security holes that were probably already being abused by foreign agents.

    Really, hasn't the NSA heard that security through obscurity isn't actually security?

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    John Fenderson (profile), Jan 9th, 2014 @ 10:53am

    Re:

    Really, hasn't the NSA heard that security through obscurity isn't actually security?


    Of course not. Their whole business centers around obscurity.

    I want to add, though, that not only is it not actually security, it's the exact opposite. "Security through obscurity" gives you the illusion of security without the reality of it. This puts you in a less secure position than if you didn't engage in any security at all, but know it.

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    weneedhelp (profile), Jan 9th, 2014 @ 10:53am

    Hey Mike...

    quick question... How do we tell the difference between the "good guys" and "bad guys"? I would trust the unknown bad guys to the well-known bad guys. At least with the unknown bad guys you have a fighting chance.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    mmm, Jan 9th, 2014 @ 11:05am

    Re:

    So glad someone else wrote about this. I heard the whole interview and that was an astonishing example of the "harm" caused by the Snowden leaks. My initial reaction was to say (out loud to myself) that this actually seems like a BENEFIT, not a cost. It provides a list of exploits that can now be closed. I don't think that there's anyone in the "real" world (i.e., outside the intelligence world) that would assume having exploits in the wild is a GOOD thing. That's crazy.

    The fact that there are whole industries that have grown up around securing systems shows that people value fewer exploits to more exploits. Heck, Google offers rewards. We have industries that pay for audits and certifications and code reviews.

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    dfed (profile), Jan 9th, 2014 @ 11:17am

    I'm not surprised the DoD doesn't get this: They've always had problems with bad policies regarding backdoor access.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 11:25am

    Maybe if all the tech companies install backdoors into their stuff the NSA will get a backdoor into themselves... which can be exploited by hackers. I wonder how hard it would be to modify their data to make the entire U.S. population appear as terrorists?

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 11:35am

    Sadly, I already know of companies having to remove older developer boxes (Dell 1950s and 2950s) due to known compromises now. The costs will add up, and eventually it will effect jobs right here in the US. I guess the only good thing is that these servers are from 2007 and delegated as test boxes now. I'm wondering if business isn't going to be going to another provider though besides HP or Dell which were named in the reports.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Dirkmaster (profile), Jan 9th, 2014 @ 11:36am

    Re: Hey Mike...

    It's easy to tell the good guys from the bad guys....

    They're ALLL Bad Guys.

    Good Guys went extinct decades ago.

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    madasahatter (profile), Jan 9th, 2014 @ 11:37am

    Backdoors

    The problem is the NSA has forgotten that backdoors can be discovered and used by the bad guys. But the bad guys will not tell anyone they have discovered the backdoor. So we are left with a situation were no one can say how long some bad guy has been snooping via the backdoor.

    There seems to a certain arrogance or more accurately stupidity by the NSA. No one is smart enough to look for any backdoors or security holes and definitely not smart to use them seems to be their belief. My assumption is the bad guys know about most of the insecurities and backdoors and are actively exploiting them.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Applesauce, Jan 9th, 2014 @ 11:38am

    Security is NOT NSA's goal - penetration is.

    The insatiable lust for information trumps (by far) any interest in the security of the nation.

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    John Fenderson (profile), Jan 9th, 2014 @ 11:50am

    Re: Hey Mike...

    That's easy. Anyone who wants to intrude on my systems or data without my permission are "bad guys".

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 12:11pm

    for god's sake stop bringing common sense (or any other sense, come to that) into the equation. if you put this lot together, (but without the power that their positions give them) they couldn't make a damn good idiot!

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 12:50pm

    Re: Hey, Mike: "sunk (or fixed) costs" don't matter!

    Seriously, hire many different people are you because i have a really really really hard time reconciling 'resources are skimmed off the very people under the tyranny' with your typical 'punitive tax rates!' screed.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 12:54pm

    Re: Hey Mike...

    Why are you asking Mike? Basic grammar would suggest the quotes around both phrases in that context denote the NSA/intelligence community speaking. So you should be asking then.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Handle, Jan 9th, 2014 @ 2:02pm

    Re: Re: Hey Mike...

    The only way to remain on a "force" that's been ultimately corrupted over time (i.e. police, etc.,) is to be or become corrupt yourself.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Lurker Keith, Jan 9th, 2014 @ 3:20pm

    too late

    Isn't it a bit too late for that?

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Lurker Keith, Jan 9th, 2014 @ 3:24pm

    Re: Re: Re: Hey Mike...

    Commissioner Gordon took a 3rd option (2nd option was to quit): get Batman to clear out the Corruption. Granted, if he hadn't been Batman, he'd've been killed by the corrupted government.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 5:12pm

    Look what happened to Cisco. All their products have backdoors in them. I doubt the NSA reverse engineered all of Cisco's binary blobbed firmware, in order to create those backdoors in their routers.

    What probably happened, is Cisco allowed the US Gov access to the firmware source-code for their routers. The US Gov probably told Cisco is was vital they have access Cisco's proprietary source code, for "national security" purposes.

    Then the US Gov turns around and finds all kinds of bugs and exploits in Cisco's secrete proprietary coding, and exploits their products to hell and back.

    Never trust hidden proprietary source code, especially if that company is handing over that hidden code over to governments like it's candy.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 5:30pm

    Wickr sounds like interesting privacy software. I like the idea of messages self destructing after a set time period. It's too bad the application uses proprietary source code. That pretty much makes it useless as a privacy application, because it's security cannot me easily audited.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Tom Stone, Jan 9th, 2014 @ 6:11pm

    Bipartisanhip

    I doubt I am the only one who thinks the wide stance on backdoor access by both Dem and Republican "Representatives" is... curious.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Linux fella here, Jan 9th, 2014 @ 6:52pm

    "What The Intelligence Community Doesn't Get: Backdoor For 'The Good Guys' Is Always A Backdoor For The 'Bad Guys' As Well"

    Wait, there is more.

    In security, always assume worst case scenario.

    Mika Brzezinski's vigania exam (which Alexander stole from her OBGYN for his collect-it-all program) is not only available to a terrorist wannabe on a dilaup in Somalia.

    Gentlemen who redirected brand new CIA drone straight to their driveway in Iran the other day, have it too!

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 8:43pm

    Re: Re:

    NSA are too gagged to confess to you their "secret" strategy.

    Eg, IT Security experts in '90s might set NSA strategy as...
    1, if RSA comms 100% secure for all, baddies keep secrets from NSA
    2, if NSA *must* find a way to read RSA secrets, then backdoor
    3, if must abandon backdoor if/when discovered, keep it secret
    4, if backdoor leaked, change "secret" strategy (secretly)
    5, if RSA falls out of favour, see 4.
    6, tech changes so quickly, NSA saves cost if merely "secure enough" or "secure for now"

    Hence *backdoor* security-as-obscurity "can be" a calculated risk. Based on available financing. If NSA isnt a revenue generator able to sustain itself, or fill government coffers.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 3:27am

    Re: too late

    So I guess then you need to make everyone marked as not a terrorist except for the NSA's staff. Put them all on no fly lists, sex offender registries, etc.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 3:29am

    I wonder if that is the goal

    Perhaps they want security to be weakened as well. So they can set up a feedback loop of power. Security is too weak we need more power! Which they then use to weaken security. Etc, etc, infinite boot stamping on a human face loop.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 7:07am

    "It was very clear that a backdoor for the good guys is always a backdoor for the bad guys."

    "It was very clear that a backdoor for the *bad* guys is always a backdoor for the bad guys."

    Ftfy

     

    reply to this | link to this | view in thread ]

  28.  
    icon
    weneedhelp (profile), Jan 10th, 2014 @ 10:39am

    Re: Re: Hey Mike...

    I asked Mike for his opinion as a discussion point here on HIS blog.
    -
    I would ask the NSA directly but I bet the answer would be:
    Dear sir,
    REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. Yours truly... NSA.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    Anon, Jan 10th, 2014 @ 6:26pm

    NSA, Back-doors, Computers, Software, & Bitcoin

    Bitcoin isn't safe, either, if the NSA has a built-in "back-door" to every computer. Sure the network may be safe, but individual computers, are not. Plus, bitcoin is no different than FIAT currency - it's value isn't intrinsic, but only perceived.

    The World is Waking Up to the New World Order
    https://www.youtube.com/watch?v=vRpi74qczos

     

    reply to this | link to this | view in thread ]

  30.  
    icon
    John Fenderson (profile), Jan 12th, 2014 @ 12:01pm

    Re: NSA, Back-doors, Computers, Software, & Bitcoin

    if the NSA has a built-in "back-door" to every computer


    ...which they don't.

    Sure the network may be safe, but individual computers, are not


    I think I don't understand what you're saying here. There appears to be a false dichotomy between the "network" and "individual computers." The "network" is just the means by which individual computers talk to each other. Talking about the network being safe while individual computers are compromised makes little sense to me.

    But ignoring that, if the network is actually safe then it doesn't matter if individual computers are compromised because they can't phone home over the network.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This