Showing posts with label backdoors.

18 May 2017

Tell the UK Government: No Backdoors in Crypto

The UK government seems to be pressing ahead with its idiotic plans to backdoor crypto. There is a (secret) consultation on the subject that closes tomorrow - write to investigatorypowers@homeoffice.gsi.gov.uk.  Here's what I've just sent:

I am writing in connection with UK government proposals to force tech companies and Internet providers to create government backdoors to encrypted communications.

Speaking as a journalist who has been writing about every aspect of computer technology for 35 years, and about the Internet for 20 years (https://en.wikipedia.org/wiki/Glyn_Moody), I cannot emphasise too strongly that this would be a very unwise and dangerous move.

There is no such thing as a safe backdoor that is only available to the authorities.  If a weakness is created in a program or service, it can be found by third parties.  That is hard, but not impossible, especially for well-funded state actors.

Even more likely is that details of backdoors will be leaked.  The recent experience of the WannaCry ransomware attack, which is based on an NSA exploit that was leaked earlier, shows how devastating this kind of subversion can be.

There is another powerful reason not to force companies operating in the UK to weaken their security.  First, US companies may simply water down protections for UK users, while protecting those in the rest of the world.  Obviously that would leave UK users particularly vulnerable to attack, and make them prime targets.

Secondly, if British companies are forced to provide backdoors in their products, then no government or company elsewhere in the world will use UK software, since there will always be a risk that it contains intentional security flaws.  This is the surest way to sabotage the UK software industry, and to ensure that computer startups are located anywhere but in the UK.

As well as being harmful, moves to weaken the security of encrypted products are also unnecessary.  As recent events have confirmed, terrorists rarely use encryption, and when they do, they make mistakes that allow the security services to access communications.  Indeed, there are many ways to obtain access and information even when encryption is used, as a recent paper explained (https://www.schneier.com/blog/archives/2017/03/new_paper_on_en.html).

To summarise, the many and mighty harms caused by weakening encryption vastly outweigh any illusory benefits.  The UK government would be ill-advised to take this route.

23 November 2013

Nigeria Closer To Bringing In Comprehensive Internet And Phone Spying System, Probably Complete With Third-Party Backdoors

One of the unfortunate consequences of the revelations about NSA spying on just about everyone is that it creates a false impression that such activities are really quite normal these days, and nothing much to worry about. This probably encourages nations that don't carry out such comprehensive snooping on their populations to think about doing so. In Nigeria, for example, a proposal is making its way through the legislative process that would grant the Nigerian government wide-ranging surveillance powers, as reported here by Premium Times: 

On Techdirt.

Twenty-Year-Old Requirement For 'Real-time, Full-time' Eavesdropping On Canadian Mobiles Revealed

Even if it now seems likely that Linus Torvalds wasn't approached to add a backdoor to Linux, there are plenty of others that were asked and acquiesced, as this story from The Globe and Mail in Canada makes clear: 

On Techdirt.

Linus Torvalds Admits He Was Approached By US Government To Insert Backdoor Into Linux -- Or Does He?

Windows 8+TPM: Germany Warns of 'Loss of Control'

Last year, I wrote about some serious issues with Microsoft's Secure Boot Technology in Windows 8. It seems that the German government has started to wake up to problems with Windows 8, as this headline in Die Zeit attests:

On Open Enterprise blog.