US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past

from the ask-(FISC_)-and-ye-shall-receive dept

From Zack Whittaker at ZDNet comes the alarming revelation that it’s not just Apple looking at possibly having to turn over its source code and/or encryption keys to the government, much like what happened to Lavabit. Many other companies have done this previously as the result of orders granted by the nation’s most opaque, non-adversarial court.

The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.

The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We’re not naming the person as they relayed information that is likely classified.

With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing “most of the time.”

That’s hardly heartening. The DOJ would only go so far as to confirm this has happened before, likely because there’s no way to deny it. The documents from the Lavabit case have been made public — with the DOJ using a formerly-sealed document to hint at what could be in store for Apple if it refuses to write FBiOS for it.

Unfortunately, because of the secrecy surrounding the government’s requests for source code — and the court where those requests have been made — it’s extremely difficult to obtain outside confirmation. Whittaker contacted more than a dozen Fortune 500 companies about the unnamed official’s claims and received zero comments.

A few, however, flatly denied ever having handed over source code to the US government.

Cisco said in an emailed statement: “We have not and we will not hand over source code to any customers, especially governments.”

IBM referred to a 2014 statement saying that the company does not provide “software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.” A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.

Cisco is likely still stinging from leaked documents showing its unwitting participation in an NSA unboxing photo shoot and has undoubtedly decided to take a stronger stance against government meddling since that point. As for IBM, its statement is a couple of years old and contains a major qualifying statement.

Previously-leaked documents somewhat confirm the existence of court orders allowing the NSA to perform its own hardware/software surgery. Presumably, the introduction of backdoors and exploits is made much easier with access to source code. Whittaker points to a Kaspersky Lab’s apparent discovery of evidence pointing to the NSA being in possession of “several hard drive manufacturers'” source code — another indication that the government’s history of demanding source code from manufacturers and software creators didn’t begin (or end) with Lavabit.

The government may be able to talk the FISA court into granting these requests, given that its purview generally only covers foreign surveillance (except for all the domestic dragnets and “inadvertent” collections) and national security issues. The FBI’s open air battle with Apple has already proceeded far past the point that any quasi-hearing in front of the FISC would have. That’s the sort of thing an actually adversarial system — unlike the mostly-closed loop of the FISA court — tends to result in: a give-and-take played out (mostly) in public, rather than one party saying “we need this” and the other applying ink to the stamp.

Filed Under: , , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past”

Subscribe: RSS Leave a comment
42 Comments
Anonymous Coward says:

Re: Re:

Yes, open source has been having a wonderful time the past few years in the security sector.
There’s nothing wrong with open source, but it’s not a panacea that makes it automatically more secure than closed source. To the contrary, many people just assume that since anyone can look at it, that all the vulnerabilities must have been found and fixed by now.

David (profile) says:

source code given - or taken?

What I would wonder is whether that source code was given by the company or merely taken by the government agencies. The average tech related manufacturing firm is ill placed to hold off a government sponsored breach. Also, it is rather easy to blame the Chinese because they are constantly pissing in everyone’s soup as it is.

Just because they have someone’s source code doesn’t mean the company [b]handed[/b] it to them.

Anonymous Coward says:

DROPOUT JEEP

Via Schneier

DROPOUTJEEP

(TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for the Apple iPhone operating system and uses the CHIMNEYPOOL framework. DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture.

(TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.

(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

Unit Cost: $0

Status: (U) In development

Schneier links to this leaked page, which carries a “10/01/08” marking.

Question: Presuming we believe in the authenticity of this material— how desirable would Apple’s source (iOS, and/or lower level down to VHDL/Verilog/etc) be to this reported development effort by NSA’s Tailored Access Operations (TAO) group?

Anonymous Coward says:

Re: DROPOUT JEEP

The NSA Has a Backdoor Called ‘DROPOUTJEEP’ for Nearly Complete Access to the Apple iPhone”, iClarified, Dec 30, 2013

 . . . The NSA claims in their QUANTUMTHEORY documents that every attempt to implant iOS will always succeed. This leads [Jacob “@ioerror”] Applebaum to question whether Apple assisted them in installing this backdoor:

They literally claim that anytime they target an iOS device that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I’d like to believe that since Apple didn’t join the PRISM program until after Steve Jobs died, that maybe it’s just that they write shitty software. We know that’s true.

Anonymous Coward says:

Re: DROPOUT JEEP

NSA’s Tailored Access Operations (TAO) group

Actually, Schneier indirectly links to a Dec 29, 2013 Spiegel Online story, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox”, by Jacob Appelbaum, Judith Horchert and Christian Stöcker, which describes the document as coming from the “ANT” group:

Master Carpenters

The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA’s department for Tailored Access Operations (TAO).

Anonymous Coward says:

Re: Re: DROPOUT JEEP

Oh, and for those who aren’t necessarily diving in to follow all the links here—

From Zack Whittaker’s ZDNet story (Mar 17, 2016) that Cushing linked in the article up above:

 . . . Top secret NSA documents leaked by whistleblower Edward Snowden, reported in German magazine Der Spiegel in late-2013, have suggested some hardware and software makers were compelled to hand over source code to assist in government surveillance.&nbpsp;. . .

Anonymous Coward says:

If I were an enemy of the US, how would I try to hurt it in the Information Age? I can think of no better way than to sow doubt as to the security of the software coming out of country isn’t worth buying. In doing that pretty much all companies writing software would become untrusted sourced there. Once that is known, globally, businesses, governments, and individual users would probably go hunting other companies to provide those desired softwares or start creating their own.

No wonder so many corporations are moving out of the US and using the tax dodge as the publicly faced reason if they can’t say the real reason.

That One Guy (profile) says:

Mistaken terminology

FISA court… FISA court

Yeah, people really need to stop calling it a ‘court’, as it has as much to do with a typical court as the cheapest fast-food has with fancy cuisine. In the same way that both of the latter have food, and that’s about the only thing they have in common, the former both has people in judge outfits, and that’s about it.

The FISA ‘court’ isn’t adversarial, knows only what they are told and have no real interest in finding out more before ruling, works with secret interpretations of the law to create secret rulings… to call it a ‘court’ is to do a great disservice to actual courts.

Anonymous Coward says:

Re: Re: Re: Give it to them.

Playing games like that was Ladar Levison’s major mistake in the Lavabit case.

I can see why Levison hesitated before he shut down his company. It was what— ten years? personal investment. Anyone would hesitate before that step.

But Levison’s better move at the point where he had to turn over the private key, rather than printing out the key in minuscule, would have been to hand it over by openly publishing it on his website.

Anonymous Coward says:

Re: Re: Re:2 Give it to them.

But Levison’s better move at the point where he had to turn over the private key, rather than printing out the key in minuscule, would have been to hand it over by openly publishing it on his website.

Doing as you suggest would have destroyed his reputation, as every Government in the world could then read all those messages that they had cached in case there was a breakthrough in decryption. Doing as he did warned everybody who used his service that the NSA had a way in.

Anonymous Coward says:

Re: Re: Re:3 Give it to them.

destroyed his reputation

Perhaps it’s time to repeat Moxie Marlinspike’s criticism of the Lavabit architecture: “Op-ed: Lavabit’s primary security claim wasn’t actually true” (Ars Technica, Nov 5, 2013):

It’s not clear whether the Lavabit crew consciously understood the system’s shortcomings and chose to misrepresent them, or if it really believed it built something based on can’t rather than won’t. One way or the other, in the security world, a product that uses the language of cryptography to fundamentally misrepresent its capabilities is the basic definition of snake oil.

In fairness, Levinson’s response: “Op-ed: Lavabit’s founder responds to cryptographer’s criticism” (Ars Technica, Nov 7, 2013):

It never occurred to me that the feds might demand Lavabit’s SSL key. It simply wasn’t part of my threat model. If I were to highlight one of my personal failings in this ordeal, it would be that oversight.

John Fenderson (profile) says:

Re: Re: Re:4 Give it to them.

“It never occurred to me that the feds might demand Lavabit’s SSL key. It simply wasn’t part of my threat model.”

Wow, that’s a huge admission of failure. Kudos to Levinson for having the fortitude to give a mea culpa. Boos to Levinson for being so blind to one of the first threats he should have been considering (loss of keys to attackers).

Anonymous Coward says:

Re: Re: Re:5 Give it to them.

The problem at the core of exchanging encrypted messages is exchanging base keys in a fashion that both ends can be sure that the keys are from who they purport to be. The same problem lies at the core of secure boot systems, can anybody be sure that one the certificates in the certificate does not belong to the NSA or other government agency.
Effectively, secure communications require people to manage the keys that they use, and gain keys via routes that they personally trust. Failing that, they could be exchanging messages via a third party who is reading all the traffic, and impersonating each end to the other end. It does not matter how secure the encryption is if a third party can insert themselves into the message exchange.

jim says:

so whats the news?

Oh, hum. How is that news? Let’s put this info into context, remember the opening statement, some thing about lavabit being required to give the source code, to the US government? And relating this to Apple? So that bit has been fought and won by the gummit. So why does Apple still fight? After all, if one perused the news, from the mid November, of last year, one would find, if looking for black Friday adds, not much, but giveaway of the Apple source code to the Chinese government. Hmm, interesting! And a related article about, Hawaii producing a new Apple clone. Double interesting. So, are we supporting the Apple customers, or a foreign competitor? Oh, the reasons cited were a crackdown on muslem terrorists in southern and eastern China. Interesting? Compounded interesting.

Anonymous Coward says:

Re: so whats the news?

… news, from the mid November, of last year, one would find … giveaway of the Apple source code to the Chinese government.

Supporting links for that, please?

From the Apple SrVPSwEng Craig Federighi’s Mar 15, 2016 declaration at paragraph 6 (p.2: ln.25-6):

Apple has also not provided any government with its proprietary iOS source code.

Meanwhile I have familiarized myself with this Jan 23, 2015 Quartz story by Heather Timmons, “Apple is reportedly giving the Chinese government access to its devices for ‘security checks’ ”.

While there was no other information available on the paper’s website, the tweet echoes a report in the Beijing News (link in Chinese) that Apple chief executive Tim Cook informed Lu last month that Apple would let China’s State Internet Information Office conduct “security checks” on all products that it sells on the mainland.

Google Translate link for Beijing News Jan 21, 2015 story “Apple is willing to accept China’s position network security review”.

Anonymous Coward says:

Re: Re: so whats the news?

Apple would let China’s State Internet Information Office conduct “security checks” on all products that it sells on the mainland.

The Behind-the-Scenes Fight Between Apple and the FBI”, by Adam Satariano and Chris Strohm, Bloomberg, Mar 20, 2016

 . . . Apple gave the Federal Bureau of Investigation early access to iOS 8 so it could study how the new system would change evidence-gathering techniques, according to people familiar with the software’s development.

Anonymous Coward says:

Global industry practices

IBM Allows Chinese Government to Review Source Code”, by Eva Dou, Wall Street Journal, Oct. 16, 2015

 . . . Chinese media reported that IBM Senior Vice President Steve Mills disclosed the source-code sharing in a speech in Beijing Thursday, saying that IBM needed government support to continue its growth in China. Mr. Mills’ remarks couldn’t be immediately confirmed. . . .

In 2010, years before Mr. Snowden’s disclosures intensified Beijing’s efforts, Microsoft said it would share source code for Windows 7 and other products with the Chinese government. . . .

But U.S. companies have largely resisted pressure from Beijing to share source code. . . .

IBM allows Chinese Government to review source code: WSJ”, Reuters, Oct 16, 2015

International Business Machines Corp has agreed to let China review some product source code in a secure room, the Wall Street Journal reported, citing two people briefed on the practice.

Michael W. Perry (user link) says:

Best case scenario.

Join with me for a moment is extreme cynicism. What is the best possible outcome for widespread NSA/FBI surveillance?

No, it’s not the NSA/FBI succeeding in forcing Apple to insert backdoors and discover pass codes for law enforcement. It’s for Apple to give every appearance of having won this dispute, while secretly cooperating with those agencies, actively or passively, for any of a number of reasons.

Why? Because a NSA/FBI win sends a message to terrorists and other wrongdoers (including corrupt corporations) that Apple platform is unsafe and requires that they take additional measures. A seeming win by Apple, accompanied by enormous publicity, would make them slack off in their precautions, thus making the work of NSA/FBI easier.

Indeed the very publicity given to this dispute and Apple’s seemingly hard stand could just as easily be taken as an indication that the company’s public opposition to NSA/FBI spying is accompanied by private cooperation. It is, after all, just the behavior one would expect if that were the case.

How might the NSA/FBI best reward Apple? By giving the company’s executives a stack of “get out of jail free” cards for corporate wrongdoing. Nothing could be more valuable not even money.

Anonymous Coward says:

Re: Best case scenario.

… sends a message…

Anyone who believes that a 4-digit pin can protect their secrets when the physical hardware has been captured by a major nation-state adversary who has time and determination……… ……… ………       well, anyone who believes that is not really thinking rationally.

In this case, the FBI/DoJ has been misstating material facts. It remains something of an open question for me whether particular individuals from those agencies have been intentionally misstating specific material facts.

Apple, in seeming conflict with the government in this case, manufactures the iPhone. If Apple implies that the device is fit for a particular purpose, don’t they have some sort of obligation to avoid concealing known defects which render it unfit for that purpose? One might perhaps argue that an intrinsically unlawful purpose cannot create liability in a manufacturer for concealing known defects.

Whatever (profile) says:

Cisco's denial

I find Cisco’s denial here to be a little TOO specific for it’s own good:

“We have not and we will not hand over source code to any customers, especially governments”

I didn’t know that a court order was a “customer”. It rather looks like they are trying to be a little too clever about the wording. They don’t give the source code to customers – but for a court order, well…

You gotta wonder why they worded it that way!

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...