What The Intelligence Community Doesn't Get: Backdoor For 'The Good Guys' Is Always A Backdoor For The 'Bad Guys' As Well
from the get-with-the-program dept
Max Eddy, over at PC Mag, has a very interesting article about the experience of Nico Sell, of the company Wickr, talking about how an FBI agent casually approached her to ask if she’d install backdoors in her software allowing the FBI to retrieve information. As the article notes, this is how the FBI (much more so than the NSA) has acted towards many tech companies ever since attempts to mandate such backdoors by law failed (though, they’re still trying). Some companies — stupidly — agree to this, while many do not. Those that do may think they’re helping fight for “good,” but the reality is different. They’re opening up a huge liability on themselves, should the news of the backdoors ever get out, and at the same time, they’re making their own product invariably weaker. As Sell pointed out to the FBI guy, she’d seen hackers piggyback on “lawful intercept” machines and learned:
“It was very clear that a backdoor for the good guys is always a backdoor for the bad guys.”
Bruce Schneier, over at the Atlantic, recently made nearly the same point in talking about the massive costs of all of this NSA surveillance (as well as talking about the near total lack of benefits). There’s the cost of running these programs that are massive. There is the fact that these programs will be abused (they always are). There are the costs of destroying trust in various tech businesses (especially from foreign users and customers). But just as important is the fact that the NSA, FBI and others in the intelligence community are flat out weakening our national security by installing backdoors that malicious users can and will find and exploit:
The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn’t between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it’s between a digital world that is vulnerable to all attackers, and one that is secure for all users.
As Schneier points out, to fix this, we need to recognize that security is more important than surveillance. The surveillance apologists always claim that their goal is security. If so, they have a funny way of showing it. The “solution” they’ve drummed up hasn’t made us any more secure… it’s made us less secure.
Filed Under: backdoors, encryption, fbi, nsa, security, vulnerabilities
Comments on “What The Intelligence Community Doesn't Get: Backdoor For 'The Good Guys' Is Always A Backdoor For The 'Bad Guys' As Well”
Hey, Mike: "sunk (or fixed) costs" don't matter!
They don’t care about costs in money or our freedom. Especially not when the resources are skimmed off the very people under the tyranny. That’s part of the inherent evil of gov’t.
Google’s tailoring to YOU can selectively substitute, omit, and lie. You can’t trust anything on the net, neither what you see nor what you don’t see!
06:18:56[h-325-2]
Re: Hey, Mike: "sunk (or fixed) costs" don't matter!
Seriously, hire many different people are you because i have a really really really hard time reconciling ‘resources are skimmed off the very people under the tyranny’ with your typical ‘punitive tax rates!’ screed.
This is a good point, Mike.
I turned on the radio today mid-interview with someone (so didn’t catch who) defending the NSA and as usual saying Snowden’s leaks had harmed the U.S. since now the NSA tech exploits (for instance, those on the “shopping” list) are known to foreign agents.
What the idiot failed to realize is that harm was done by the NSA, not Snowden. The NSA forgot its mission to safeguard American technology in introducing these exploits, and the fact that foreign agents might use them is *exactly* the NSA’s fault. A tailored, warrant-driven program would have saved us all the headache of mismanaged and hobbled technology introducing vulnerabilities for the entire world to stumble upon.
Re: Re:
So glad someone else wrote about this. I heard the whole interview and that was an astonishing example of the “harm” caused by the Snowden leaks. My initial reaction was to say (out loud to myself) that this actually seems like a BENEFIT, not a cost. It provides a list of exploits that can now be closed. I don’t think that there’s anyone in the “real” world (i.e., outside the intelligence world) that would assume having exploits in the wild is a GOOD thing. That’s crazy.
The fact that there are whole industries that have grown up around securing systems shows that people value fewer exploits to more exploits. Heck, Google offers rewards. We have industries that pay for audits and certifications and code reviews.
Re: Re: Re:
NSA are too gagged to confess to you their “secret” strategy.
Eg, IT Security experts in ’90s might set NSA strategy as…
1, if RSA comms 100% secure for all, baddies keep secrets from NSA
2, if NSA must find a way to read RSA secrets, then backdoor
3, if must abandon backdoor if/when discovered, keep it secret
4, if backdoor leaked, change “secret” strategy (secretly)
5, if RSA falls out of favour, see 4.
6, tech changes so quickly, NSA saves cost if merely “secure enough” or “secure for now”
Hence backdoor security-as-obscurity “can be” a calculated risk. Based on available financing. If NSA isnt a revenue generator able to sustain itself, or fill government coffers.
In fact, Snowden has made the US more secure, by informing everyone about these security holes that were probably already being abused by foreign agents.
Really, hasn’t the NSA heard that security through obscurity isn’t actually security?
Re: Re:
Of course not. Their whole business centers around obscurity.
I want to add, though, that not only is it not actually security, it’s the exact opposite. “Security through obscurity” gives you the illusion of security without the reality of it. This puts you in a less secure position than if you didn’t engage in any security at all, but know it.
Hey Mike...
quick question… How do we tell the difference between the “good guys” and “bad guys”? I would trust the unknown bad guys to the well-known bad guys. At least with the unknown bad guys you have a fighting chance.
Re: Hey Mike...
It’s easy to tell the good guys from the bad guys….
They’re ALLL Bad Guys.
Good Guys went extinct decades ago.
Re: Re: Hey Mike...
The only way to remain on a “force” that’s been ultimately corrupted over time (i.e. police, etc.,) is to be or become corrupt yourself.
Re: Re: Re: Hey Mike...
Commissioner Gordon took a 3rd option (2nd option was to quit): get Batman to clear out the Corruption. Granted, if he hadn’t been Batman, he’d’ve been killed by the corrupted government.
Re: Hey Mike...
That’s easy. Anyone who wants to intrude on my systems or data without my permission are “bad guys”.
Re: Hey Mike...
Why are you asking Mike? Basic grammar would suggest the quotes around both phrases in that context denote the NSA/intelligence community speaking. So you should be asking then.
Re: Re: Hey Mike...
I asked Mike for his opinion as a discussion point here on HIS blog.
–
I would ask the NSA directly but I bet the answer would be:
Dear sir,
REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. Yours truly… NSA.
I’m not surprised the DoD doesn’t get this: They’ve always had problems with bad policies regarding backdoor access.
Maybe if all the tech companies install backdoors into their stuff the NSA will get a backdoor into themselves… which can be exploited by hackers. I wonder how hard it would be to modify their data to make the entire U.S. population appear as terrorists?
Re: too late
Isn’t it a bit too late for that?
Re: Re: too late
So I guess then you need to make everyone marked as not a terrorist except for the NSA’s staff. Put them all on no fly lists, sex offender registries, etc.
Sadly, I already know of companies having to remove older developer boxes (Dell 1950s and 2950s) due to known compromises now. The costs will add up, and eventually it will effect jobs right here in the US. I guess the only good thing is that these servers are from 2007 and delegated as test boxes now. I’m wondering if business isn’t going to be going to another provider though besides HP or Dell which were named in the reports.
Backdoors
The problem is the NSA has forgotten that backdoors can be discovered and used by the bad guys. But the bad guys will not tell anyone they have discovered the backdoor. So we are left with a situation were no one can say how long some bad guy has been snooping via the backdoor.
There seems to a certain arrogance or more accurately stupidity by the NSA. No one is smart enough to look for any backdoors or security holes and definitely not smart to use them seems to be their belief. My assumption is the bad guys know about most of the insecurities and backdoors and are actively exploiting them.
Security is NOT NSA's goal - penetration is.
The insatiable lust for information trumps (by far) any interest in the security of the nation.
for god’s sake stop bringing common sense (or any other sense, come to that) into the equation. if you put this lot together, (but without the power that their positions give them) they couldn’t make a damn good idiot!
Look what happened to Cisco. All their products have backdoors in them. I doubt the NSA reverse engineered all of Cisco’s binary blobbed firmware, in order to create those backdoors in their routers.
What probably happened, is Cisco allowed the US Gov access to the firmware source-code for their routers. The US Gov probably told Cisco is was vital they have access Cisco’s proprietary source code, for “national security” purposes.
Then the US Gov turns around and finds all kinds of bugs and exploits in Cisco’s secrete proprietary coding, and exploits their products to hell and back.
Never trust hidden proprietary source code, especially if that company is handing over that hidden code over to governments like it’s candy.
Wickr sounds like interesting privacy software. I like the idea of messages self destructing after a set time period. It’s too bad the application uses proprietary source code. That pretty much makes it useless as a privacy application, because it’s security cannot me easily audited.
Bipartisanhip
I doubt I am the only one who thinks the wide stance on backdoor access by both Dem and Republican “Representatives” is… curious.
“What The Intelligence Community Doesn’t Get: Backdoor For ‘The Good Guys’ Is Always A Backdoor For The ‘Bad Guys’ As Well”
Wait, there is more.
In security, always assume worst case scenario.
Mika Brzezinski’s vigania exam (which Alexander stole from her OBGYN for his collect-it-all program) is not only available to a terrorist wannabe on a dilaup in Somalia.
Gentlemen who redirected brand new CIA drone straight to their driveway in Iran the other day, have it too!
I wonder if that is the goal
Perhaps they want security to be weakened as well. So they can set up a feedback loop of power. Security is too weak we need more power! Which they then use to weaken security. Etc, etc, infinite boot stamping on a human face loop.
“It was very clear that a backdoor for the good guys is always a backdoor for the bad guys.”
“It was very clear that a backdoor for the *bad* guys is always a backdoor for the bad guys.”
Ftfy
NSA, Back-doors, Computers, Software, & Bitcoin
Bitcoin isn’t safe, either, if the NSA has a built-in “back-door” to every computer. Sure the network may be safe, but individual computers, are not. Plus, bitcoin is no different than FIAT currency – it’s value isn’t intrinsic, but only perceived.
The World is Waking Up to the New World Order
https://www.youtube.com/watch?v=vRpi74qczos
Re: NSA, Back-doors, Computers, Software, & Bitcoin
…which they don’t.
I think I don’t understand what you’re saying here. There appears to be a false dichotomy between the “network” and “individual computers.” The “network” is just the means by which individual computers talk to each other. Talking about the network being safe while individual computers are compromised makes little sense to me.
But ignoring that, if the network is actually safe then it doesn’t matter if individual computers are compromised because they can’t phone home over the network.