Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

A backdoor by any other name…

Yesterday James B. Comey, the Director of the FBI, continued the propaganda campaign against encryption with a fresh batch of lies and misdirection. The FBI has been pushing to add backdoors to cryptosystems around the world – no matter how many people they put at risk in the process. Starting in the 1990s, the FBI has been at the forefront of trying to make their job easier by endangering the world.

What Comey did today was to lay the foundation for a renewed push for a new, expansive, CALEA-type law that would give governments access – via court orders or surreptitiously – to all of your data. In 2013 they were pushing for CALEA 2, which would have expanded their ability to secretly access your data in a massive way. Thankfully the Snowden documents put an end to that – at least for a while.

I use the term governments instead of specifying the US Government very intentionally. Under CALEA, certain systems must be compliant to be sold in the US – so companies add support, and then ship them all over the world instead of supporting two versions. So the FBI’s desire to have easy access to anything they want puts people around the world at risk. But surely nobody would abuse this, right?

In 2004, thanks to this type of “lawful intercept” support, Vodafone in Greece was hacked – tapping top government and civil leaders. Who did it still isn’t known, but many suspect that the US Government was behind it. Then there’s SOMALGET, the NSA program to collect all calls made in the Bahamas. The DEA was given access to their phone systems for the purposes of “lawful intercept” – again, a CALEA-compliant setup, which was then used to collect everything they were able to get. These are just two high-profile examples; there are many cases where researchers have found flaws in these systems, making them easy prey.

For years, it’s been made clear that such backdoors are disasters – and it’s not just CALEA compliance either. There’s the infamous Clipper chip, which would encrypt voice calls but allow the government to easily listen in – and, thanks to fatal flaws, anyone else could as well.

Thanks to this, pretty much everybody agrees that backdoors are a bad idea, so the FBI had a great idea – call it something else!

A rose by any other name…

Comey, having decided that he shouldn’t have to deal with reality, and that the best way to address the public was misdirection, said:

We aren’t seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law.

And by “front door”, he means some new backdoor into everything.

He wants the ability to decrypt data without having to get information from the suspect, which means adding a backdoor to systems to allow them – and likely many others – to get in. This is no different from the disastrous Clipper chip idea.

The FBI is trying to misdirect the public, leading them to believe in some magical, secure backdoor that is abuse-proof. But when such an idea is being pushed by an organization that has so much abuse and illegal activity in its history, should anyone trust what they say?

Putting enforcement first

At one point Comey said something that I found shocking:

Are we so mistrustful of government—and of law enforcement—that we are willing to let bad guys walk away…

If you read the US Constitution, this is answered for him – in many places it is made clear that it’s better to let a criminal walk free than to infringe on the rights of the innocent. Preserving the rights of the people trumps everything.

For law enforcement, this isn’t about justice, or the rule of law – this is about their power, their ability to get what they want, when they want it. If they put people in harm’s way in the process, that’s a price they are willing to let the public pay.

Only one government?

In the discussions about this, one major point keeps being missed – this isn’t just about the US Government, but about the governments all around the world. If companies are forced to add backdoors to products for the US market, you can bet that same backdoor will be shipped to every country they work in.

So the danger is global – and since this is something that can be used for intelligence, as CALEA has been used in the past, I’m sure this fact hasn’t escaped the attention of planners at the NSA. For the NSA, a CALEA 2 style law would give them easy access to expand their already vast – and illegal – collection operations. It would be a dream come true.

There’s also another international component to this issue – many major tech companies operate in several countries, making them subject to local courts. What happens when they receive a court order for access to this backdoor, along with a gag order to prevent them from talking about it? Suddenly American data will be at risk from foreign powers.

There are so many issues opened up when backdoors are added that one could talk for days and still not cover all the ways they could be abused.

Lies and mistrust

Perhaps it’s time to suggest that the post-Snowden pendulum has swung too far in one direction—in a direction of fear and mistrust.

It seems that Comey is surprised that people don’t trust the government, after lies, deception, and violations of law are revealed. How shocking.

The US Government has failed to uphold the Constitution, and technology companies have stepped up to provide a level of protection in the face of a Government that has ignored its obligations. I’m sure that the FBI would love to go back to the old days – where we assumed the government was doing the right thing while it secretly violated the Constitution and ignored international law. Anything to give them more power and control.

The New Crypto Wars

In the 1990s, the first crypto war was fought, and many believed that the public had won. What we are seeing is, without question, that a new war has started. Apple’s decision to change the way they encrypt phones wasn’t what started it – the writing had been on the wall for some time; it was just the ammunition they were waiting for to go on the attack.

Those who work with cryptography daily are fighting to protect users, while the government is busy trying to protect what it wants over the rights and protection of the people. Expect it to get ugly.

It’s going to be a fight, and what happens in the next year or two will be critical. If the FBI wins, privacy dies.

Sorry for the ranty nature of this post – it’s an issue I feel strongly about, and something that we must take action on.
