US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past
from the ask-(FISC_)-and-ye-shall-receive dept
From Zack Whittaker at ZDNet comes the alarming revelation that it’s not just Apple looking at possibly having to turn over its source code and/or encryption keys to the government, much like what happened to Lavabit. Many other companies have done this previously as the result of orders granted by the nation’s most opaque, non-adversarial court.
The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.
The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We’re not naming the person as they relayed information that is likely classified.
With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing “most of the time.”
That’s hardly heartening. The DOJ would only go so far as to confirm this has happened before, likely because there’s no way to deny it. The documents from the Lavabit case have been made public — with the DOJ using a formerly-sealed document to hint at what could be in store for Apple if it refuses to write FBiOS for it.
Unfortunately, because of the secrecy surrounding the government’s requests for source code — and the court where those requests have been made — it’s extremely difficult to obtain outside confirmation. Whittaker contacted more than a dozen Fortune 500 companies about the unnamed official’s claims and received zero comments.
A few, however, flatly denied ever having handed over source code to the US government.
Cisco said in an emailed statement: “We have not and we will not hand over source code to any customers, especially governments.”
IBM referred to a 2014 statement saying that the company does not provide “software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.” A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.
Cisco is likely still stinging from leaked documents showing its unwitting participation in an NSA unboxing photo shoot and has undoubtedly decided to take a stronger stance against government meddling since that point. As for IBM, its statement is a couple of years old and contains a major qualifying statement.
Previously-leaked documents somewhat confirm the existence of court orders allowing the NSA to perform its own hardware/software surgery. Presumably, the introduction of backdoors and exploits is made much easier with access to source code. Whittaker points to a Kaspersky Lab’s apparent discovery of evidence pointing to the NSA being in possession of “several hard drive manufacturers'” source code — another indication that the government’s history of demanding source code from manufacturers and software creators didn’t begin (or end) with Lavabit.
The government may be able to talk the FISA court into granting these requests, given that its purview generally only covers foreign surveillance (except for all the domestic dragnets and “inadvertent” collections) and national security issues. The FBI’s open air battle with Apple has already proceeded far past the point that any quasi-hearing in front of the FISC would have. That’s the sort of thing an actually adversarial system — unlike the mostly-closed loop of the FISA court — tends to result in: a give-and-take played out (mostly) in public, rather than one party saying “we need this” and the other applying ink to the stamp.
Filed Under: doj, fbi, fisa, fisa court, fisc, privacy, security, signing keys, software, source code, tech companies
Comments on “US Government Has Apparently Demanded, And Obtained, Tech Companies' Source Code In The Past”
If they are willing to go this far they might as well nationalize the entire industry.
Re: Re:
Good idea, we can do with all sorts of other businesses too, to make sure everyone is doing their part..
O fucking wait? Is this Communist China? Looks like it!
Re: Re: Re:
All totalitarian authoritarian dystopias start to look the same after a while, don’t they?
If only there where software designed from the get go, to remain secure while the source code is OPEN to view by anyone… oh wait…
Re: Re:
Yes, open source has been having a wonderful time the past few years in the security sector.
There’s nothing wrong with open source, but it’s not a panacea that makes it automatically more secure than closed source. To the contrary, many people just assume that since anyone can look at it, that all the vulnerabilities must have been found and fixed by now.
Re: Re: Re:
It does have one advantage, it is much harder for anyone to deliberately introduce a backdoor, and it is much much easier to use the likes of wireshark to look at what the software is doing on the network, absent all those servers that proprietary OS’s want to talk to..
Re: open source
may not be the best answer but for some like me it is the only choice.i cannot read code but i do know others are looking at it and they may be looking at it more in the future as it might be our last choice.
br3n
I’m pissed off at this. This is borderline deputizing the U.S. tech industry. This is unconscionable and utterly disgusting.
Re: Re:
right there with you
Re: Re:
It is just another reason for companies like Apple to move both their headquarters and their Engineering overseas.
“We will not give source code to any government entity.”
Legally and/or technically speaking such responses don’t bsay anything about contractors working on behalf of the government, or commercial/nonprofit orgs created to front for the government.
Even if the FBI had gone to FISC, Apple could have just forced the issue and appealed the decision directly to the U.S. Supreme Court.
Re: Re:
Who would probably side with the FBI.
Re: Re:
How many such appeals do you know of?
Yeah, that’s what I thought.
Two Choices for the rest of us...
…but where would we move to?
Re: Two Choices for the rest of us...
We seem to be fresh out of new world continents.
> US Government Has Apparently Demanded, And Obtained, Tech Companies’ Source Code In The Past
I’m guessing that this happened in 1999 when the NSA banned Furbies from their premises in Maryland.
source code given - or taken?
What I would wonder is whether that source code was given by the company or merely taken by the government agencies. The average tech related manufacturing firm is ill placed to hold off a government sponsored breach. Also, it is rather easy to blame the Chinese because they are constantly pissing in everyone’s soup as it is.
Just because they have someone’s source code doesn’t mean the company [b]handed[/b] it to them.
Re: source code given - or taken?
We might have accidentally dropped a copy in their headquarters while visiting there, but we didn’t "hand" it to them.
DROPOUT JEEP
Via Schneier…
Schneier links to this leaked page, which carries a “10/01/08” marking.
Question: Presuming we believe in the authenticity of this material— how desirable would Apple’s source (iOS, and/or lower level down to VHDL/Verilog/etc) be to this reported development effort by NSA’s Tailored Access Operations (TAO) group?
Re: DROPOUT JEEP
“The NSA Has a Backdoor Called ‘DROPOUTJEEP’ for Nearly Complete Access to the Apple iPhone”, iClarified, Dec 30, 2013
Re: DROPOUT JEEP
Actually, Schneier indirectly links to a Dec 29, 2013 Spiegel Online story, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox”, by Jacob Appelbaum, Judith Horchert and Christian Stöcker, which describes the document as coming from the “ANT” group:
Re: Re: DROPOUT JEEP
Oh, and for those who aren’t necessarily diving in to follow all the links here—
From Zack Whittaker’s ZDNet story (Mar 17, 2016) that Cushing linked in the article up above:
If I were an enemy of the US, how would I try to hurt it in the Information Age? I can think of no better way than to sow doubt as to the security of the software coming out of country isn’t worth buying. In doing that pretty much all companies writing software would become untrusted sourced there. Once that is known, globally, businesses, governments, and individual users would probably go hunting other companies to provide those desired softwares or start creating their own.
No wonder so many corporations are moving out of the US and using the tax dodge as the publicly faced reason if they can’t say the real reason.
Mistaken terminology
FISA court… FISA court…
Yeah, people really need to stop calling it a ‘court’, as it has as much to do with a typical court as the cheapest fast-food has with fancy cuisine. In the same way that both of the latter have food, and that’s about the only thing they have in common, the former both has people in judge outfits, and that’s about it.
The FISA ‘court’ isn’t adversarial, knows only what they are told and have no real interest in finding out more before ruling, works with secret interpretations of the law to create secret rulings… to call it a ‘court’ is to do a great disservice to actual courts.
Give it to them.
Give them the source code, encrypted of course,printed in the smallest font possible, just like Lavabit did. If the Government doesn’t like it just give them the 1 finger salute
& tell them to sit on it & rotate !
Re: Give it to them.
Much better, give it to them printed in 96 point type, on heavyweight paper, and literally bury them in paper.
Re: Re: Give it to them.
Even better if the pages are accidentally not numbered.
Re: Re: Re: Give it to them.
Playing games like that was Ladar Levison’s major mistake in the Lavabit case.
I can see why Levison hesitated before he shut down his company. It was what— ten years? personal investment. Anyone would hesitate before that step.
But Levison’s better move at the point where he had to turn over the private key, rather than printing out the key in minuscule, would have been to hand it over by openly publishing it on his website.
Re: Re: Re:2 Give it to them.
Doing as you suggest would have destroyed his reputation, as every Government in the world could then read all those messages that they had cached in case there was a breakthrough in decryption. Doing as he did warned everybody who used his service that the NSA had a way in.
Re: Re: Re:3 Give it to them.
He turned the private key over in electronic form two days after he turned it over on paper.
So what difference did the two days make—other than costing him $10,000 for contempt?
Re: Re: Re:3 Give it to them.
Perhaps it’s time to repeat Moxie Marlinspike’s criticism of the Lavabit architecture: “Op-ed: Lavabit’s primary security claim wasn’t actually true” (Ars Technica, Nov 5, 2013):
In fairness, Levinson’s response: “Op-ed: Lavabit’s founder responds to cryptographer’s criticism” (Ars Technica, Nov 7, 2013):
Re: Re: Re:4 Give it to them.
“It never occurred to me that the feds might demand Lavabit’s SSL key. It simply wasn’t part of my threat model.”
Wow, that’s a huge admission of failure. Kudos to Levinson for having the fortitude to give a mea culpa. Boos to Levinson for being so blind to one of the first threats he should have been considering (loss of keys to attackers).
Re: Re: Re:5 Give it to them.
The problem at the core of exchanging encrypted messages is exchanging base keys in a fashion that both ends can be sure that the keys are from who they purport to be. The same problem lies at the core of secure boot systems, can anybody be sure that one the certificates in the certificate does not belong to the NSA or other government agency.
Effectively, secure communications require people to manage the keys that they use, and gain keys via routes that they personally trust. Failing that, they could be exchanging messages via a third party who is reading all the traffic, and impersonating each end to the other end. It does not matter how secure the encryption is if a third party can insert themselves into the message exchange.
so whats the news?
Oh, hum. How is that news? Let’s put this info into context, remember the opening statement, some thing about lavabit being required to give the source code, to the US government? And relating this to Apple? So that bit has been fought and won by the gummit. So why does Apple still fight? After all, if one perused the news, from the mid November, of last year, one would find, if looking for black Friday adds, not much, but giveaway of the Apple source code to the Chinese government. Hmm, interesting! And a related article about, Hawaii producing a new Apple clone. Double interesting. So, are we supporting the Apple customers, or a foreign competitor? Oh, the reasons cited were a crackdown on muslem terrorists in southern and eastern China. Interesting? Compounded interesting.
Re: so whats the news?
Supporting links for that, please?
From the Apple SrVPSwEng Craig Federighi’s Mar 15, 2016 declaration at paragraph 6 (p.2: ln.25-6):
Meanwhile I have familiarized myself with this Jan 23, 2015 Quartz story by Heather Timmons, “Apple is reportedly giving the Chinese government access to its devices for ‘security checks’ ”.
Google Translate link for Beijing News Jan 21, 2015 story “Apple is willing to accept China’s position network security review”.
Re: Re: so whats the news?
“The Behind-the-Scenes Fight Between Apple and the FBI”, by Adam Satariano and Chris Strohm, Bloomberg, Mar 20, 2016
Global industry practices
“IBM Allows Chinese Government to Review Source Code”, by Eva Dou, Wall Street Journal, Oct. 16, 2015
“IBM allows Chinese Government to review source code: WSJ”, Reuters, Oct 16, 2015
Best case scenario.
Join with me for a moment is extreme cynicism. What is the best possible outcome for widespread NSA/FBI surveillance?
No, it’s not the NSA/FBI succeeding in forcing Apple to insert backdoors and discover pass codes for law enforcement. It’s for Apple to give every appearance of having won this dispute, while secretly cooperating with those agencies, actively or passively, for any of a number of reasons.
Why? Because a NSA/FBI win sends a message to terrorists and other wrongdoers (including corrupt corporations) that Apple platform is unsafe and requires that they take additional measures. A seeming win by Apple, accompanied by enormous publicity, would make them slack off in their precautions, thus making the work of NSA/FBI easier.
Indeed the very publicity given to this dispute and Apple’s seemingly hard stand could just as easily be taken as an indication that the company’s public opposition to NSA/FBI spying is accompanied by private cooperation. It is, after all, just the behavior one would expect if that were the case.
How might the NSA/FBI best reward Apple? By giving the company’s executives a stack of “get out of jail free” cards for corporate wrongdoing. Nothing could be more valuable not even money.
Re: Best case scenario.
Anyone who believes that a 4-digit pin can protect their secrets when the physical hardware has been captured by a major nation-state adversary who has time and determination……… ……… ……… well, anyone who believes that is not really thinking rationally.
In this case, the FBI/DoJ has been misstating material facts. It remains something of an open question for me whether particular individuals from those agencies have been intentionally misstating specific material facts.
Apple, in seeming conflict with the government in this case, manufactures the iPhone. If Apple implies that the device is fit for a particular purpose, don’t they have some sort of obligation to avoid concealing known defects which render it unfit for that purpose? One might perhaps argue that an intrinsically unlawful purpose cannot create liability in a manufacturer for concealing known defects.
Cisco's denial
I find Cisco’s denial here to be a little TOO specific for it’s own good:
“We have not and we will not hand over source code to any customers, especially governments”
I didn’t know that a court order was a “customer”. It rather looks like they are trying to be a little too clever about the wording. They don’t give the source code to customers – but for a court order, well…
You gotta wonder why they worded it that way!
Re: Cisco's denial
Cisco is a defense contractor, as well as a major supplier to the rest of the government. That’s pretty much all the leverage against them that’s needed.