Why The Government Can’t Be Trusted with Back Doors

backdoorHow would you feel if, in order to gain access to a known terrorist’s house, the government passed a law that required every lock manufacturer to create a master key that would unlock every locked door anywhere?  What if the police promised that they would only use the key on the one house?  What if they promised to keep the key safe and secure so it could never get into the hands of criminals?  Would you believe them?

There is a lot of discussion right now about our various governments and their law enforcement agencies complaining about how encrypted communications by criminals is making their jobs harder. Their answer, of course, is to get some sort of technical solution, a master key, if you will, that allows them and only them to decrypt these communications.

The current brouhaha with Apple about that iPhone of one of the San Bernardino terrorists is the current poster child for this movement.  This model of iPhone automatically encrypts the users contents (for everyone not just bad guys), and has to be successfully unlocked using a PIN code to access the information on the phone.  After 10 failed log-in attempts, the phone will automatically wipe the contents.  This feature is designed to protect iPhone owners from the repercussions of lost or stolen phones.

What the FBI wants is for Apple to provide a way to turn off the lockout and drive wipe after 10 attempts, so they can unlock the phone using brute force password cracking software.  Brute force cracking works because it tries every possible combination of characters.  It just takes a long time.  The FBI says they just want Apple to do this once, this time.  Apple says, once we show you how, you will be able to do the same thing over and over with other iPhones, and anyway, we intentionally don’t have a way to do this, for just this reason.

Sad part of the story, the county sheriff and FBI flubbed it up for themselves when they changed the password on the phone.

The public is fairly evenly split (50% FBI, 30% Apple, 20% undecided) on this issue.  Bill Gates has come out in favor of the FBI and the courts.  The Electronic Frontier Foundation stands firmly against the court rule and is opposed to cryptographic backdoors too.  You can read an interview with The General Counsel of the EFF on the WordFence blog.

The issue, to me, is not whether it is used once or many times.  The issue with me is that the government has a terrible track record of keeping these sorts of things secret.  Look at the cases of Bradley Manning and WikiLeaks, and Edward Snowden and the NSA.  Here top secret information was released into the wild by authorized employees.  Or the recent breach of the employee background check records of the Office of Personnel Management by the Chinese. Or the more recent leak of DHS and FBI employee records by another unknown hacker.

What is to say that some IT wonk in charge of keeping the secret backdoor keys secret just doesn’t post them online or sell them to the Russian cyber-crime underground or the Chinese army.  Or that a foreign government, like North Korea, does just hack in and steal them?  Or some teenager with mad skills and time on his or her hands.

Well certainly the government has learned from it’s mistakes and has better security in place, you say.  Take a look at this article about Homeland Security’s new $6 billion dollar “Einstein” firewall, that is unable to stop 94% of the common malware that a good off-the-shelf AV program (Kaspersky, BitDefender, Symantec) can do.  How’s that for security?

The government has a history of doing many things poorly and at great expense.  I am not in favor of granting them their wishes for the iPhone hack or the encryption master key, because they have butter fingers.  They don’t deserve to be trusted.  Just that simple.

ben franklinBut what about the terrorists and drug lords and criminals who use encryption?  I suggest that law enforcement needs to do a better job without weakening the security of all of us in the process.  Part of the reality of living in a society where there is individual liberty and freedom is that we have to assume a higher level of risk,  Democracy is more dangerous than other forms of government, and if you want to be free, you have to be willing to give up a lot of security.   Ben Franklin foresaw this moment over 200 years ago.  Let’s not let the government use fear to get us agree to let them become a tyrant now.

This comment from TechDirt Daily by Rich Kulawiec answers this issue and the larger one about the gutting of the Constitution and illegal actions of a government on it’s own citizens.

“We can’t surrender our civil liberties and give the terrorists victory that they actually seek.”

“This. A thousand times this. So much of what’s happened in the last 15 years, from spying on American citizens to invading Iraq to attempts to undermine cryptography to the TSA, has been a blind, foolish, knee-jerk reaction to what is in reality a tiny threat.”

“It took a while for me to realize this, but the 9/11 attacks were inconsequential (except for what they taught about asymmetric warfare and our military’s incompetence). They were awful for those affected, of course, but they were NOT an existential threat to the United States: they were a pinprick. We ourselves have done ten thousand times more damage in the intervening years — despite the complete absence of any other similar attacks.”

“And why there haven’t been any is really no mystery: Napoleon nailed this two centuries ago: “Never interrupt your enemy when he is making a mistake.” There’s really no need for any terrorist group to attack the United States when we’re doing such a thorough job on ourselves.”

“History will not treat us kindly if we manage to self-destruct in panic and fear over (almost) nothing.”

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment