Monday, October 6, 2014

Eliminate the Backdoor

Recently, there was a particularly brain-dead editorial in the Washington Post entitled Compromise needed on smartphone encryption.

Changing the name of a deliberately planted security hole from "backdoor" to "secure golden key" doesn't change the essential security problem. Even if you believe that your government can be trusted to never misuse the power of a backdoor, there is someone out there who will find it and use it for unintended purposes. There is no such thing as a "backdoor" that only law enforcement can use.

In 2005 the Ericsson switches used by Vodafone Greece were compromised. Software using the so-called "lawful interception" modules was exploited to intercept phone calls from at least 100 government officials for seven months. Interestingly, the Greek government had not requested that these modules be activated, but they were still used by the, as yet, unidentified attacker.

In 2006 Telecom Italia users were wiretapped via exploits believed, at the time, to have been discovered during a penetration test. The provenance of this exploit is a little fuzzy -- I don't know for certain if it was a deliberate backdoor or a programming error -- but it was found and, apparently, exploited.

In 2010 Chinese hackers discovered and exploited a backdoor into the Gmail system that Google had placed there to comply with law enforcement intercept orders. The US government mandated that Google give law enforcement access; the Chinese attackers discovered that access and used it to gather private data.

Those are just some of the criminal uses of backdoors we know about.

There may be a good argument or two for not revealing an exploit that could be used against an enemy. I can only think of one and it is only passably good. There are, however, no good arguments I know of for deliberately creating a security hole in software -- no matter how much law enforcement wants it.
