Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Why Government Required Backdoors Are a Bad Idea

I've heard the argument, "I've got nothing to hide. If it helps them catch the next guy, I'm all for it." Even if that's 100% true and even if every single person in goverment with access to the data is 100% genuine and sincere in doing his or her job, here are four issues that position misses.

 

The Bad Guys (Cyber Crime) Have Smart People

We know there are smart folks working for cyber criminals. Not all the folks working for them are smart. However, money is a powerful motivator and that does attract some very smart individuals. In some jurisdictions, criminal hacking activity is worn like a badge of honor and can get a person out of poverty. It's the same idea as why the drug culture is celebrated by some.

What the government is betting on, even if it's unintentionally, is that the bad guys aren't smart enough to find and exploit the same back doors. This is a bad assumption. We already see evidence that some of the malware exploits we see are very sophisticated. It's been assumed that there are backdoors. However, dedicating resources towards an assumption means pulling resources from what should be a sure thing for something that may not exist. As more and more stories come forward that say the backdoors are definitely there, it's now about assigning more resources towards what should be a bigger sure thing, and one that cannot be stopped.

Consider what we use computer systems for now. You might not have anything to hide from the government. However, do you want your banking login, you credit card number, etc., swiped by a criminal?

 

The Bad Guys (Cyber Crime) Can Get Lucky

The government is also betting that the bad guys won't "get lucky" and happen on to the backdoor and break it. Sometimes security vulnerabilities and bugs are found through a slightly uncommon use of a resource. All it takes is one of these and the backdoor is revealed and the criminals are in. And once they are in, they've got access to whatever you do on your computer.

 

Nation State Actors Can Allocate Nearly Unlimited Resources

A nation state actor can pull the code and decompile it and put a team of folks on the code to analyze it. They can take apart hardware components and, again, allocate a team, to figure out how it all works. If they suspect there's a backdoor, then that team will be looking for said backdoor. And nation state actors can put their own smart people on these teams. This has an appeal that cyber criminals can't generate - patriotism for one's nation when one isn't motivated by the money a cyber criminal can offer.

Why would they target a regular user? They could to provide a hop from inside the right county. They could to get info or access to somebody you do know.

 

Someone Could Decide to Sell Secrets

Fuchs provided information to the USSR from the British and American Manhattan projects. The Walkers provided classified information for years. A nation state actor can offer some big bucks. They can offer sex and drugs and appeal to other vices. That's why our intelligence folks constantly run counter-espionage stings. Would they run such activities if their was never anyone to catch? Exactly.  

Folks who are responsible for building the backdoors or who are knowledgeable to how they work or where they are can be turned and then the backdoor is no longer a secret. BTW, it doesn't just have to be a nation state actor. Organized crime has done this, too.

 

So given these four issues, government required backdoors are a risk to everyone's security. I can understand the mentality that leads to thinking it's a good idea. It becomes a type of tunnel vision that filters out the possible negative impacts. Even if you are of the mindset that you have nothing to hide (from the government), you still don't want those backdoors. And when you consider that the backdoors have been reported in encryption mechanisms as well, it's just bad all around. That's why security folks are making such a big deal out of all of this. Yes, we kind of shake our heads and go, "It was inevitable," however, that doesn't mean we have to like it or approve of it.

 

Comments

Posted by markjholmes on 11 September 2013

This even applies somewhere that people aren't realizing: individuals in government being used against each other.  Imagine just 20 people in a single government agency have this level of direct access.  Now, some disgruntled or financially-motivated person in that extremely-trusted set of 20 people pulls a James Bond move and sells information about these back doors to the highest bidder - perhaps, a semi-formal organization similar to Anonymous.  Now imagine an enemy state wants to get that information - not on the government itself, but to pressure the families of Congress, anyone in a high seat of influence and power.  I bet they can get Congress to pass any law they want, doing a million times more damage than just draining a few millionaires' bank accounts.  

The scary spy movies are intriguing because some of it can actually happen; not the high-tech stuff and surviving big explosions, but the social engineering.  Threaten my bank account and it's just money; threaten my family and I'll move mountains.

The keys to the castle should not be kept in one place; if a bank safe deposit box requires two keys inside a vault inside a locked building... if nuclear launch codes need multiple authentications... why would we put in intentional backdoors to every iPhone, Microsoft Windows, GMail, or whatever?  It's just not a good idea.  

Posted by Dscheypie on 17 September 2013

Your supposition in the text is that you can trust the government and the people working there. Rogue operators are probably not too seldom and get admired or hated in films. At least some may make use of the information by blackmailing. And it is impressive what information could get used for that. To avoid that: No more funny parties, no more private contacts to the opposite gender, strictly reduce your political and social engagement because it could become old fashioned and therefore blow into your face in future times...

Posted by lnardozi 61862 on 17 September 2013

To my mind, the biggest drawback of all is there are not two groups of people by birth - the Good Guys and the Bad Guys. Someone can be a Good Guy all his life and then... Bad Guy!

Which is no biggie if there's nothing there to exploit. Infinitely worse though if he's got the "Keys to the Kingdom" and you have no way to stop him except to whine impotently from a distance.

Posted by K. Brian Kelley on 17 September 2013

My supposition is based on the comments I've heard. Disregard the fact that something as simple as a bad divorce can turn someone from a "good guy" to a "bad guy" in a heartbeat, the point I was making that there are still 4 reasons you can never say this is a good idea. Even if you could assume that every single person with access to the data was only going to do what was absolutely necessary and proper with it (which you can't, see the recent audits on the NSA), you still have these problems.

Therefore, if someone wants to take the naive view that everyone in the government is totally on the up and up, you still have to conclude that the backdoors are a bad idea.

Posted by johntam on 17 September 2013

Also, there is another pitfall:  The backdoors may lead to a dumbing-down of our own smart people.  Criminals, knowing that common encryption schemes employ back doors, will use their smart people to design their own schemes that do NOT contain back doors.  

If the good guys are lulled into complacency with compromised encryption that does not need to be broken, then they just might be stymied by encryption that has no such easy way in.

Posted by antony-688446 on 17 September 2013

This all assumes that the consumer lives in the USA. That is a HUGE assumption. A small minority of the global population lives in the USA. What gives the US government the right to spy on the rest of the world? Time for everyone else to ban the sale of US technology until proven to be free of back-doors. Now that would be a really great thing for the US economy. No Apple, no Microsoft....

Posted by K. Brian Kelley on 17 September 2013

Antony, I agree, it's not a good feeling to know that the US is trying to spy on everyone else. The thing of it is, every nation is trying to do so to each other. The US has more wealth and has much of the Internet running through it to capitalize on, so it's ahead. However, if another nation had such an advantage, you can bet it would use it. And in that case, the backdoors would still be a problem to me.

Also, while in a fantasy world existing without Apple, Microsoft, IBM, Cisco, Juniper, Citrix, Palo Alto, and other companies like them would be fantastic as a form of protest, how well would that serve your country, your organization, and your personal career?

Leave a Comment

Please register or log in to leave a comment.