10/14/2016
10:30 AM
Joe Levy
Commentary

Encryption: A Backdoor For One Is A Backdoor For All

We need legislation that allows law enforcement to find criminals and terrorists without eroding our security and privacy.

Microsoft inadvertently proved why Apple's firm stance against unlocking an iPhone that belonged to one of the San Bernardino terrorists was the correct one. Apple's decision renewed the argument over how best to help law enforcement agencies ensure our collective security without violating an individual's right to privacy. Actually, that debate overshadowed a key reason why encryption backdoors are a bad idea — eventually, they will be discovered by the wrong people.

In August 2016, Microsoft accidentally leaked the "golden key" to its Secure Boot firmware, effectively allowing criminals to exploit the mistake to load malware onto any Windows device. The problem is that backdoors for some will invariably mean backdoors for all, including repressive regimes, malicious insiders, foreign spies, and criminal hackers. As the world's leading cryptographers say, backdoors in encryption, authentication systems, or any element of security would subvert their effectiveness by introducing enormous risk of exploitation. And backdoors in reputable commercial software would not prevent bad actors from finding alternative forms of encryption to hide their activities.

There are other factors that support this position:

  1. Encryption protects the fundamental human rights to privacy and security. Encryption protects individuals from identity theft, extortion, and political or religious persecution. It protects organizations from industrial espionage and liability for data loss, and ensures the security of commerce. Backdoors in encryption would undermine freedom of speech and the freedom to conduct our affairs without interference or fear.
  2. Encryption is vital for our modern, Internet-driven global economy. Encryption is a key element of the communications technologies that foster economic growth and expand access to and participation in the global economy. Implementation, enforcement, and management of backdoors would be impractical and enormously costly to technology companies, stifling innovation and harming our global competitiveness.
  3. Encryption is essential for effective cybersecurity. Today's cyberattacks are becoming more complex, with advanced attackers using multiple points of entry to get around security. Encryption is the last line of defense in a cybersecurity strategy that requires multiple layers of protection.
  4. Terrorism should be fought without compromising the security and privacy of all. Technology companies, academia, governments, and law enforcement agencies should work together to find alternative solutions that will improve our collective security without compromising privacy.

The Alternatives

US intelligence and law enforcement communities still wrongly believe that encryption technologies handicap their investigations. They worry that end-to-end encryption in certain applications and on mobile devices lets terrorists and criminals conceal their communications from surveillance.

That argument fails when you consider that even in the absence of backdoors, our online activity leaves extensive digital exhaust, referred to as metadata, which can be used once legally obtained by law enforcement. Metadata is "data about data" — for example, a record that a chat conversation took place, rather than the contents of the conversation. While metadata discloses a lot less than actual data, it still discloses more than some would like.

This controversy was recently highlighted by The Intercept, which showed how Apple logs iMessage contacts and could share that information with police. But the collection of metadata isn't new, and in functional terms it is fairly essential to "critical" transactional systems: operations require logging and auditing, and telemetry and metadata are frequently analyzed to improve products and services. Combining such metadata with lawful requests for assistance to technology and infrastructure companies could provide a trove of information without compromising the inherent security of products and services used daily by citizens who have not exceeded some appropriate threshold of probable cause.

Furthermore, terrorist organizations and rogue nation-states are sophisticated when it comes to developing and using technology. There's nothing to stop them from creating their own encryption technologies that can't be cracked by law enforcement or tech companies, leaving only the law-abiding with the backdoored implementations.

Defending the right to privacy requires us to not only lobby against passage of legislation but also identify alternatives — ones with fewer societal costs — for law enforcement to use while working to identify and apprehend terrorists and other criminals. Law enforcement should be able to use legal hacking, with these two key stipulations:

  1. Disclose vulnerabilities immediately. Law enforcement must alert a vendor to a bug or other issue it discovers as soon as possible. The time it takes for a vendor to develop and distribute a patch or other fix will provide a sufficient window for investigators. This will also benefit technology providers because it will help us make our products better and ensure the bad guys can't exploit these vulnerabilities.
  2. Establish clear rules of engagement. Exploitation should only be used to obtain information that a court-issued warrant stipulates. Judicial oversight would ensure that government is transparent to the public.

Government agencies must realize that a backdoor for one is a backdoor for all. Backdoors violate the public's trust and can help, not handicap, terrorists. For the same reason, security companies shouldn't build backdoors into their software — that would leave hospitals, businesses, banks, and consumers vulnerable. The approach should be to lawfully use technology to collect and analyze the ever-growing volumes of data that terrorists and other criminals create when they use social media networks, instant messaging clients, email, and even online video game chat rooms to distribute propaganda. 

Joe Levy joined Sophos as chief technology officer in February 2015. In this role he leads the company's technology strategy worldwide, driving product vision and innovation to both enhance and simplify IT security. Joe brings more than 20 years of leadership and development ...