10/14/2016
10:30 AM
Joe Levy
Commentary

Encryption: A Backdoor For One Is A Backdoor For All

We need legislation that allows law enforcement to find criminals and terrorists without eroding our security and privacy.

Microsoft inadvertently proved why Apple's firm stance against unlocking an iPhone that belonged to one of the San Bernardino terrorists was the correct one. Apple's decision renewed the argument over how best to help law enforcement agencies ensure our collective security without violating an individual's right to privacy. Actually, that debate overshadowed a key reason why encryption backdoors are a bad idea — eventually, they will be discovered by the wrong people.

In August 2016, Microsoft accidentally leaked the "golden key" to its Secure Boot firmware, effectively allowing criminals to exploit the mistake to load malware onto any Windows device. The problem is backdoors for some invariably will mean backdoors for all, including repressive regimes, malicious insiders, foreign spies, and criminal hackers. As the world's leading cryptographers say, backdoors in encryption, authentication systems, or any element of security would subvert their effectiveness by introducing enormous risk of exploitation. And backdoors in reputable commercial software would not prevent bad actors from finding alternative forms of encryption to hide their activities.

There are other factors that support this position:

  1. Encryption protects the fundamental human rights to privacy and security. Encryption protects individuals from identity theft, extortion, and political or religious persecution. It protects organizations from industrial espionage and liability for data loss, and ensures the security of commerce. Backdoors in encryption would undermine freedom of speech and the freedom to conduct our affairs without interference or fear.
  2. Encryption is vital for our modern, Internet-driven global economy. Encryption is a key element of the communications technologies that foster economic growth and expand access to and participation in the global economy. Implementation, enforcement, and management of backdoors would be impractical and enormously costly to technology companies, stifling innovation and harming our global competitiveness.
  3. Encryption is essential for effective cybersecurity. Today's cyberattacks are becoming more complex, with advanced attackers using multiple points of entry to get around security. Encryption is the last line of defense in a cybersecurity strategy that requires multiple layers of protection.
  4. Terrorism should be fought without compromising the security and privacy of all. Technology companies, academia, governments, and law enforcement agencies should work together to find alternative solutions that will improve our collective security without compromising privacy.

The Alternatives
US intelligence and law enforcement communities still wrongly believe that encryption technologies handicap their investigations. They worry that end-to-end encryption in certain applications and on mobile devices lets terrorists and criminals conceal their communications from surveillance.

That argument fails when you consider that even in the absence of backdoors, our online activity leaves extensive digital exhaust, referred to as metadata, which can be used once legally obtained by law enforcement. Metadata is "data about data" — for example, a record that a chat conversation took place, rather than the contents of the conversation. While metadata discloses a lot less than actual data, it still discloses more than some would like.

This controversy was recently highlighted by The Intercept, which showed how Apple logs iMessage contacts and could share that information with police. But the collection of metadata isn't new, and it is, to a fair degree, functionally essential to "critical" transactional systems: operations require logging and auditing, and telemetry and metadata are frequently analyzed to improve products and services. Combining such metadata with lawful requests for assistance to technology and infrastructure companies could provide a trove of information without compromising the inherent security of products and services used daily by citizens who have not exceeded some appropriate threshold of probable cause. Furthermore, terrorist organizations and rogue nation-states are sophisticated when it comes to developing and using technology. There's nothing to stop them from creating their own encryption technologies that can't be cracked by law enforcement or tech companies, leaving only the law-abiding with the backdoored implementations.

Defending the right to privacy requires us to not only lobby against passage of legislation but also identify alternatives — ones with fewer societal costs — for law enforcement to use while working to identify and apprehend terrorists and other criminals. Law enforcement should be able to use legal hacking, with these two key stipulations:

  1. Disclose vulnerabilities immediately. Law enforcement must alert a vendor to a bug or other issue it discovers as soon as possible. The time it takes for a vendor to develop and distribute a patch or other fix will provide a sufficient window for investigators. This will also benefit technology providers because it will help us make our products better and ensure the bad guys can't exploit these vulnerabilities.
  2. Establish clear rules of engagement. Exploitation should only be used to obtain information that a court-issued warrant stipulates. Judicial oversight would ensure that government is transparent to the public.

Government agencies must realize that a backdoor for one is a backdoor for all. Backdoors violate the public's trust and can help, not handicap, terrorists. For the same reason, security companies shouldn't build backdoors into their software — that would leave hospitals, businesses, banks, and consumers vulnerable. The approach should be to lawfully use technology to collect and analyze the ever-growing volumes of data that terrorists and other criminals create when they use social media networks, instant messaging clients, email, and even online video game chat rooms to distribute propaganda. 

Joe Levy joined Sophos as chief technology officer in February 2015. In this role he leads the company's technology strategy worldwide, driving product vision and innovation to both enhance and simplify IT security. Joe brings more than 20 years of leadership and development ...