Recent Cases Question Backdoor Encryption
Recent events are calling into question the necessity of computer backdoors and the future of our personal privacy
U.S. law enforcement for decades has decried the “going dark” problem with computers and computer technologies. If anyone can secure their data from prying eyes, then bad guys can secure their data from the prying eyes of the government—bad guys such as terrorists and pedophiles. We need to outlaw encryption!! We need a government-owned backdoor!
However, recent details of Facebook’s voluntary cooperation with the FBI and security companies to develop a zero-day exploit to unmask a cyberstalker, coupled with congressional investigations of NSA-developed backdoor exploits in Juniper Networks devices, call into question whether backdoors are even necessary.
The fundamental purpose of Senator Lindsey Graham’s Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) is to force tech companies to “earn” the immunity provided by Section 230 of the Communications Decency Act, which currently shields them from liability for the acts of third parties. Specifically, EARN IT would require the creation of a national commission on online child sexual exploitation prevention “to develop recommended best practices that providers of interactive computer services may choose to implement to prevent, reduce, and respond to the online sexual exploitation of children, including the enticement, grooming, sex trafficking, and sexual abuse of children and the proliferation of online child sexual abuse material.” An internet company would have to “earn” the immunity currently provided under the CDA by certifying to the U.S. Attorney General that it is in compliance with the recommendations of the commission.
Of course, the industry is already doing a great deal to combat the creation, storage, sharing, selling and transmission of child sexual exploitation (CSE) materials and to share information with law enforcement, the National Center for Missing and Exploited Children (NCMEC) and the so-called “Five Eyes” entities. In fact, the Technology Coalition, made up of 18 of the largest tech companies, has pledged to establish a multimillion-dollar research fund to study patterns of abuse and build technological tools to prevent them.
The problem with the EARN IT Act is that to “earn” the immunity under CDA 230, it is likely that the commission will require internet companies to crack down on anonymous accounts, pseudonymous accounts, access by TOR or other anonymizing technologies and, of course, prohibit or restrict the use of strong encryption. If you are a person sharing CSE materials, you probably don’t want law enforcement to know what you are doing. So you will probably encrypt these files (and your communications) at rest and in transmission. You know. Computer security. That’s what this bill will likely outlaw.
Going Dark
Back in April 1983, the government wanted to mandate the installation of a Mykotronx MYK78T chip using the Skipjack algorithm in certain secure communications devices. The chip, known as the Clipper chip, would become the international standard for “secure” communications. Except that it wasn’t; among other things, it wasn’t secure. And deliberately so. The Clipper chip was designed to have a “backdoor” feature to permit U.S. government (intel and law enforcement) access to these “secure” communications. It wasn’t long before AT&T’s Matt Blaze published an article demonstrating the fundamental weakness of the escrowed key system deployed for Skipjack, and the entire Clipper program fell by the wayside.
This didn’t deter the government. Ever since, successive FBI directors, attorneys general and other law enforcement and intel agencies have decried what they call the “going dark” problem: the inability of law enforcement agents, equipped with lawful authority such as search warrants, interception orders or the authority to hack into remote computers, to decrypt or force the decryption of communications and files they intercept. They refer to these as “warrant-proof” technologies. Law enforcement raises the specter of unbridled pedophiles, child kidnappers, terrorists, drug gangs and organized crime running through the Information Superhighway. Human sacrifice, dogs and cats living together … mass hysteria!
The solution? A backdoor for encryption. But not any old backdoor. This is a magic backdoor. One which, like Excalibur or Mjölnir, can only be wielded by one who is pure of heart and worthy. This magic key would require not only law enforcement and intelligence agencies acting legitimately within the scope of their authority to pursue lawful goals and objectives but also the blessing of a federal judge or magistrate (or some state equivalent) to be activated. It would be used in the rarest of circumstances—when a terrorist attack is imminent, a child is about to be abducted or someone is unlawfully smoking a joint or filing for workers compensation when they are not truly “disabled.” A truly magical key.
A few recent events belie both the need and security of this magical key.
Facebook Cooperation
First, it has recently been reported that Facebook hired a private security firm at the cost of more than $100,000 to help the FBI conduct an investigation of a person who was using the online service to threaten, harass, intimidate and extort teenage girls. According to the report, Buster Hernandez, who went by the name “Brian Kil,” used Tails, a secure operating system that uses the TOR software to encrypt traffic and hide his true IP address, then used the anonymity to cyberstalk, threaten and commit revenge porn against his underage victims, repeatedly setting up new Facebook accounts to do so.
Facebook, with the security company, developed a zero-day attack on Tails that took advantage of a flaw in its video player to reveal the real IP address of the person viewing a video. Facebook also assigned an employee to track Hernandez’s activities for two years and developed a sophisticated AI program to look for accounts being created to reach out to kids. The AI program was able to connect Hernandez through his various IP addresses and identities to specific child victims.
Although the government complained about and ultimately sued Apple for refusing to deliberately cripple the security of its iPhones to help the government extract information from the deceased San Bernardino attacker, it ultimately was able to decrypt the contents of the phone using the old-fashioned means: hard work, time, energy and technology. In most cases where crypto is cracked, it’s often a combination of technology and mistakes by the person encrypting the device. What encryption does frustrate, however, is the ability of governments to intercept communications in real-time.
Juniper Networks
In December 2015, Juniper Networks announced that during an internal code review, it discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to its NetScreen devices and to decrypt VPN connections. The secret code, installed in versions of ScreenOS going back as far as August 2012, essentially enables attackers to take complete control of firewalls and decrypt encrypted VPN traffic running through them. The exploit took advantage of research conducted by the NSA and other intelligence agencies into Dual Elliptic Curve and pseudorandom number generators.
Sauce Goose, Sauce Gander
The government, through legislation such as the EARN IT Act and efforts to create encryption backdoors, is making a determination that the “good” uses of encryption (for data integrity, data security, reliability, authentication and overall privacy) are outweighed by the “bad” uses of encryption (crime, terror, child porn) and that it is essential to enable governments to combat the “bad” use of encryption even at the cost of the “good.” And the “good” is not so “good,” as it permits anonymous communications about protests and other things that governments would like to know about.
Overall, we have to decide whether we are willing to tolerate making it more difficult and expensive to investigate crime in return for making banking, health care and telecommunications more secure overall, or if we should weaken the security of everyone to be able to conduct surveillance on a few. Of course, that’s not how the Department of Justice would put it—the department believes there’s a magic technology that only works for good guys catching bad guys. That, I would love to see.