Attacks/Breaches
10/14/2016
10:30 AM
Joe Levy
Joe Levy
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Encryption: A Backdoor For One Is A Backdoor For All

We need legislation that allows law enforcement to find criminals and terrorists without eroding our security and privacy.

Microsoft inadvertently proved why Apple's firm stance against unlocking an iPhone that belonged to one of the San Bernardino terrorists was the correct one. Apple's decision renewed the argument over how best to help law enforcement agencies ensure our collective security without violating an individual's right to privacy. Actually, that debate overshadowed a key reason why encryption backdoors are a bad idea — eventually, they will be discovered by the wrong people.

In August 2016, Microsoft accidentally leaked the "golden key" to its Secure Boot firmware, effectively allowing criminals to exploit the mistake to load malware onto any Windows device. The problem is backdoors for some invariably will mean backdoors for all, including repressive regimes, malicious insiders, foreign spies, and criminal hackers. As the world's leading cryptographers say, backdoors in encryption, authentication systems, or any element of security would subvert their effectiveness by introducing enormous risk of exploitation. And backdoors in reputable commercial software would not prevent bad actors from finding alternative forms of encryption to hide their activities.

There are other factors that support this position:

  1. Encryption protects the fundamental human rights to privacy and security. Encryption protects individuals from identity theft, extortion, and political or religious persecution. It protects organizations from industrial espionage and liability for data loss, and ensures the security of commerce. Backdoors in encryption would undermine freedom of speech and the freedom to conduct our affairs without interference or fear.
  2. Encryption is vital for our modern, Internet-driven global economy. Encryption is a key element of the communications technologies that foster economic growth and expand access to and participation in the global economy. Implementation, enforcement, and management of backdoors would be impractical and enormously costly to technology companies, stifling innovation and harming our global competitiveness.
  3. Encryption is essential for effective cybersecurity. Today's cyberattacks are becoming more complex, with advanced attackers using multiple points of entry to get around security. Encryption is the last line of defense in a cybersecurity strategy that requires multiple layers of protection.
  4. Terrorism should be fought without compromising the security and privacy of all. Technology companies, academia, governments, and law enforcement agencies should work together to find alternative solutions that will improve our collective security without compromising privacy.

The Alternatives
US intelligence and law enforcement communities still wrongly believe that encryption technologies handicap their investigations. They worry that end-to-end encryption in certain applications and on mobile devices lets terrorists and criminals conceal their communications from surveillance.

That argument fails when you consider that even in the absence of backdoors, our online activity leaves extensive digital exhaust, referred to as metadata, which can be used once legally obtained by law enforcement. Metadata is "data about data" — for example, a record that a chat conversation took place, rather than the contents of the conversation. While metadata discloses a lot less than actual data, it still discloses more than some would like.

This controversy was recently highlighted by The Intercept, which showed how Apple logs iMessage contacts and could share that information with police. But the collection of metadata isn't new and is fairly functionally essential to "critical" transactional systems; operations require logging and auditing, and telemetry and metadata are frequently analyzed to improve products and services. The combination of such metadata and lawful requests for assistance to technology and infrastructure companies could provide a trove of information without compromising the inherent security of products and services used daily by citizens who have not exceeded some appropriate threshold of probable cause. Furthermore, terrorist organizations and rogue nation-states are sophisticated when it comes to developing and using technology. There's nothing to stop them from creating their own encryption technologies that can't be cracked by law enforcement or tech companies, leaving only the law-abiding with the backdoored implementations. 

Defending the right to privacy requires us to not only lobby against passage of legislation but also identify alternatives — ones with fewer societal costs — for law enforcement to use while working to identify and apprehend terrorists and other criminals. Law enforcement should be able to use legal hacking, with these two key stipulations:

  1. Disclose vulnerabilities immediately. Law enforcement must alert a vendor to a bug or other issue it discovers as soon as possible. The time it takes for a vendor to develop and distribute a patch or other fix will provide a sufficient window for investigators. This will also benefit technology providers because it will help us make our products better and ensure the bad guys can't exploit these vulnerabilities.
  2. Establish clear rules of engagement. Exploitation should only be used to obtain information that a court-issued warrant stipulates. Judicial oversight would ensure that government is transparent to the public.

Government agencies must realize that a backdoor for one is a backdoor for all. Backdoors violate the public's trust and can help, not handicap, terrorists. For the same reason, security companies shouldn't build backdoors into their software — that would leave hospitals, businesses, banks, and consumers vulnerable. The approach should be to lawfully use technology to collect and analyze the ever-growing volumes of data that terrorists and other criminals create when they use social media networks, instant messaging clients, email, and even online video game chat rooms to distribute propaganda. 

Related Content:

Joe Levy joined Sophos as chief technology officer in February 2015. In this role he leads the company's technology strategy worldwide, driving product vision and innovation to both enhance and simplify IT security. Joe brings more than 20 years of leadership and development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The Impact of a Security Breach 2017
The Impact of a Security Breach 2017
Despite the escalation of cybersecurity staffing and technology, enterprises continue to suffer data breaches and compromises at an alarming rate. How do these breaches occur? How are enterprises responding, and what is the impact of these compromises on the business? This report offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.