What The Intelligence Community Doesn't Get: Backdoor For 'The Good Guys' Is Always A Backdoor For The 'Bad Guys' As Well

from the get-with-the-program dept

Thu, Jan 9th 2014 10:09am — Mike Masnick

Max Eddy, over at PC Mag, has a very interesting article about the experience of Nico Sell, of the company Wickr, talking about how an FBI agent casually approached her to ask if she'd install backdoors in her software allowing the FBI to retrieve information. As the article notes, this is how the FBI (much more so than the NSA) has acted towards many tech companies ever since attempts to mandate such backdoors by law failed (though, they're still trying). Some companies -- stupidly -- agree to this, while many do not. Those that do may think they're helping fight for "good," but the reality is different. They're opening up a huge liability on themselves, should the news of the backdoors ever get out, and at the same time, they're making their own product invariably weaker. As Sell pointed out to the FBI guy, she'd seen hackers piggyback on "lawful intercept" machines and learned:

"It was very clear that a backdoor for the good guys is always a backdoor for the bad guys."

Bruce Schneier, over at the Atlantic, recently made nearly the same point in talking about the massive costs of all of this NSA surveillance (as well as talking about the near total lack of benefits). There's the cost of running these programs that are massive. There is the fact that these programs will be abused (they always are). There are the costs of destroying trust in various tech businesses (especially from foreign users and customers). But just as important is the fact that the NSA, FBI and others in the intelligence community are flat out weakening our national security by installing backdoors that malicious users can and will find and exploit:

The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn't between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it's between a digital world that is vulnerable to all attackers, and one that is secure for all users.

As Schneier points out, to fix this, we need to recognize that security is more important than surveillance. The surveillance apologists always claim that their goal is security. If so, they have a funny way of showing it. The "solution" they've drummed up hasn't made us any more secure... it's made us less secure.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, encryption, fbi, nsa, security, vulnerabilities

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

This comment has been flagged by the community. Click here to show it

out_of_the_blue, 9 Jan 2014 @ 10:19am

Hey, Mike: "sunk (or fixed) costs" don't matter!
They don't care about costs in money or our freedom. Especially not when the resources are skimmed off the very people under the tyranny. That's part of the inherent evil of gov't.
Google's tailoring to YOU can selectively substitute, omit, and lie. You can't trust anything on the net, neither what you see nor what you don't see!

06:18:56[h-325-2]
[ link to this | view in chronology ]
- Anonymous Coward, 9 Jan 2014 @ 12:50pm
  
  Re: Hey, Mike: "sunk (or fixed) costs" don't matter!
  Seriously, hire many different people are you because i have a really really really hard time reconciling 'resources are skimmed off the very people under the tyranny' with your typical 'punitive tax rates!' screed.
  [ link to this | view in chronology ]
Me, 9 Jan 2014 @ 10:27am

This is a good point, Mike.

I turned on the radio today mid-interview with someone (so didn't catch who) defending the NSA and as usual saying Snowden's leaks had harmed the U.S. since now the NSA tech exploits (for instance, those on the "shopping" list) are known to foreign agents.

What the idiot failed to realize is that harm was done by the NSA, not Snowden. The NSA forgot its mission to safeguard American technology in introducing these exploits, and the fact that foreign agents might use them is *exactly* the NSA's fault. A tailored, warrant-driven program would have saved us all the headache of mismanaged and hobbled technology introducing vulnerabilities for the entire world to stumble upon.
[ link to this | view in chronology ]
- mmm, 9 Jan 2014 @ 11:05am
  
  Re:
  So glad someone else wrote about this. I heard the whole interview and that was an astonishing example of the "harm" caused by the Snowden leaks. My initial reaction was to say (out loud to myself) that this actually seems like a BENEFIT, not a cost. It provides a list of exploits that can now be closed. I don't think that there's anyone in the "real" world (i.e., outside the intelligence world) that would assume having exploits in the wild is a GOOD thing. That's crazy.
  
  The fact that there are whole industries that have grown up around securing systems shows that people value fewer exploits to more exploits. Heck, Google offers rewards. We have industries that pay for audits and certifications and code reviews.
  [ link to this | view in chronology ]
  - Anonymous Coward, 9 Jan 2014 @ 8:43pm
    
    Re: Re:
    NSA are too gagged to confess to you their "secret" strategy.
    
    Eg, IT Security experts in '90s might set NSA strategy as...
    1, if RSA comms 100% secure for all, baddies keep secrets from NSA
    2, if NSA *must* find a way to read RSA secrets, then backdoor
    3, if must abandon backdoor if/when discovered, keep it secret
    4, if backdoor leaked, change "secret" strategy (secretly)
    5, if RSA falls out of favour, see 4.
    6, tech changes so quickly, NSA saves cost if merely "secure enough" or "secure for now"
    
    Hence *backdoor* security-as-obscurity "can be" a calculated risk. Based on available financing. If NSA isnt a revenue generator able to sustain itself, or fill government coffers.
    [ link to this | view in chronology ]
Anonymous Coward, 9 Jan 2014 @ 10:40am

In fact, Snowden has made the US more secure, by informing everyone about these security holes that were probably already being abused by foreign agents.

Really, hasn't the NSA heard that security through obscurity isn't actually security?
[ link to this | view in chronology ]
- John Fenderson (profile), 9 Jan 2014 @ 10:53am
  
  Re:
  Really, hasn't the NSA heard that security through obscurity isn't actually security?
  
  Of course not. Their whole business centers around obscurity.
  
  I want to add, though, that not only is it not actually security, it's the exact opposite. "Security through obscurity" gives you the illusion of security without the reality of it. This puts you in a less secure position than if you didn't engage in any security at all, but know it.
  [ link to this | view in chronology ]
weneedhelp (profile), 9 Jan 2014 @ 10:53am

Hey Mike...
quick question... How do we tell the difference between the "good guys" and "bad guys"? I would trust the unknown bad guys to the well-known bad guys. At least with the unknown bad guys you have a fighting chance.
[ link to this | view in chronology ]
- Dirkmaster (profile), 9 Jan 2014 @ 11:36am
  
  Re: Hey Mike...
  It's easy to tell the good guys from the bad guys....
  
  They're ALLL Bad Guys.
  
  Good Guys went extinct decades ago.
  [ link to this | view in chronology ]
  - Handle, 9 Jan 2014 @ 2:02pm
    
    Re: Re: Hey Mike...
    The only way to remain on a "force" that's been ultimately corrupted over time (i.e. police, etc.,) is to be or become corrupt yourself.
    [ link to this | view in chronology ]
    - Lurker Keith, 9 Jan 2014 @ 3:24pm
      
      Re: Re: Re: Hey Mike...
      Commissioner Gordon took a 3rd option (2nd option was to quit): get Batman to clear out the Corruption. Granted, if he hadn't been Batman, he'd've been killed by the corrupted government.
      [ link to this | view in chronology ]
- John Fenderson (profile), 9 Jan 2014 @ 11:50am
  
  Re: Hey Mike...
  That's easy. Anyone who wants to intrude on my systems or data without my permission are "bad guys".
  [ link to this | view in chronology ]
- Anonymous Coward, 9 Jan 2014 @ 12:54pm
  
  Re: Hey Mike...
  Why are you asking Mike? Basic grammar would suggest the quotes around both phrases in that context denote the NSA/intelligence community speaking. So you should be asking then.
  [ link to this | view in chronology ]
  - weneedhelp (profile), 10 Jan 2014 @ 10:39am
    
    Re: Re: Hey Mike...
    I asked Mike for his opinion as a discussion point here on HIS blog.
    -
    I would ask the NSA directly but I bet the answer would be:
    Dear sir,
    REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. REDACTED. Yours truly... NSA.
    [ link to this | view in chronology ]
dfed (profile), 9 Jan 2014 @ 11:17am

I'm not surprised the DoD doesn't get this: They've always had problems with bad policies regarding backdoor access.
[ link to this | view in chronology ]
Anonymous Coward, 9 Jan 2014 @ 11:25am

Maybe if all the tech companies install backdoors into their stuff the NSA will get a backdoor into themselves... which can be exploited by hackers. I wonder how hard it would be to modify their data to make the entire U.S. population appear as terrorists?
[ link to this | view in chronology ]
- Lurker Keith, 9 Jan 2014 @ 3:20pm
  
  too late
  Isn't it a bit too late for that?
  [ link to this | view in chronology ]
  - Anonymous Coward, 10 Jan 2014 @ 3:27am
    
    Re: too late
    So I guess then you need to make everyone marked as not a terrorist except for the NSA's staff. Put them all on no fly lists, sex offender registries, etc.
    [ link to this | view in chronology ]
Anonymous Coward, 9 Jan 2014 @ 11:35am

Sadly, I already know of companies having to remove older developer boxes (Dell 1950s and 2950s) due to known compromises now. The costs will add up, and eventually it will effect jobs right here in the US. I guess the only good thing is that these servers are from 2007 and delegated as test boxes now. I'm wondering if business isn't going to be going to another provider though besides HP or Dell which were named in the reports.
[ link to this | view in chronology ]
madasahatter (profile), 9 Jan 2014 @ 11:37am

Backdoors
The problem is the NSA has forgotten that backdoors can be discovered and used by the bad guys. But the bad guys will not tell anyone they have discovered the backdoor. So we are left with a situation were no one can say how long some bad guy has been snooping via the backdoor.

There seems to a certain arrogance or more accurately stupidity by the NSA. No one is smart enough to look for any backdoors or security holes and definitely not smart to use them seems to be their belief. My assumption is the bad guys know about most of the insecurities and backdoors and are actively exploiting them.
[ link to this | view in chronology ]
Applesauce, 9 Jan 2014 @ 11:38am

Security is NOT NSA's goal - penetration is.
The insatiable lust for information trumps (by far) any interest in the security of the nation.
[ link to this | view in chronology ]
Anonymous Coward, 9 Jan 2014 @ 12:11pm

for god's sake stop bringing common sense (or any other sense, come to that) into the equation. if you put this lot together, (but without the power that their positions give them) they couldn't make a damn good idiot!
[ link to this | view in chronology ]
Anonymous Coward, 9 Jan 2014 @ 5:12pm

Look what happened to Cisco. All their products have backdoors in them. I doubt the NSA reverse engineered all of Cisco's binary blobbed firmware, in order to create those backdoors in their routers.

What probably happened, is Cisco allowed the US Gov access to the firmware source-code for their routers. The US Gov probably told Cisco is was vital they have access Cisco's proprietary source code, for "national security" purposes.

Then the US Gov turns around and finds all kinds of bugs and exploits in Cisco's secrete proprietary coding, and exploits their products to hell and back.

Never trust hidden proprietary source code, especially if that company is handing over that hidden code over to governments like it's candy.
[ link to this | view in chronology ]
Anonymous Coward, 9 Jan 2014 @ 5:30pm

Wickr sounds like interesting privacy software. I like the idea of messages self destructing after a set time period. It's too bad the application uses proprietary source code. That pretty much makes it useless as a privacy application, because it's security cannot me easily audited.
[ link to this | view in chronology ]
Tom Stone, 9 Jan 2014 @ 6:11pm

Bipartisanhip
I doubt I am the only one who thinks the wide stance on backdoor access by both Dem and Republican "Representatives" is... curious.
[ link to this | view in chronology ]
Linux fella here, 9 Jan 2014 @ 6:52pm

"What The Intelligence Community Doesn't Get: Backdoor For 'The Good Guys' Is Always A Backdoor For The 'Bad Guys' As Well"

Wait, there is more.

In security, always assume worst case scenario.

Mika Brzezinski's vigania exam (which Alexander stole from her OBGYN for his collect-it-all program) is not only available to a terrorist wannabe on a dilaup in Somalia.

Gentlemen who redirected brand new CIA drone straight to their driveway in Iran the other day, have it too!
[ link to this | view in chronology ]
Anonymous Coward, 10 Jan 2014 @ 3:29am

I wonder if that is the goal
Perhaps they want security to be weakened as well. So they can set up a feedback loop of power. Security is too weak we need more power! Which they then use to weaken security. Etc, etc, infinite boot stamping on a human face loop.
[ link to this | view in chronology ]
Anonymous Coward, 10 Jan 2014 @ 7:07am

"It was very clear that a backdoor for the good guys is always a backdoor for the bad guys."

"It was very clear that a backdoor for the *bad* guys is always a backdoor for the bad guys."

Ftfy
[ link to this | view in chronology ]
Anon, 10 Jan 2014 @ 6:26pm

NSA, Back-doors, Computers, Software, & Bitcoin
Bitcoin isn't safe, either, if the NSA has a built-in "back-door" to every computer. Sure the network may be safe, but individual computers, are not. Plus, bitcoin is no different than FIAT currency - it's value isn't intrinsic, but only perceived.

The World is Waking Up to the New World Order
https://www.youtube.com/watch?v=vRpi74qczos
[ link to this | view in chronology ]
- John Fenderson (profile), 12 Jan 2014 @ 12:01pm
  
  Re: NSA, Back-doors, Computers, Software, & Bitcoin
  if the NSA has a built-in "back-door" to every computer
  
  ...which they don't.
  
  Sure the network may be safe, but individual computers, are not
  
  I think I don't understand what you're saying here. There appears to be a false dichotomy between the "network" and "individual computers." The "network" is just the means by which individual computers talk to each other. Talking about the network being safe while individual computers are compromised makes little sense to me.
  
  But ignoring that, if the network is actually safe then it doesn't matter if individual computers are compromised because they can't phone home over the network.
  [ link to this | view in chronology ]