IP: good analysis Re: Unintended Consequences and a Nation Made Weaker (fwd)

[David Farber <dave () farber net>]

> From: "Jonathan S. Shapiro" <shap () eros-os org>
> To: <farber () cis upenn edu>
>
> David Lesher writes:
>
> > >In other words, in its efforts to protect the nation from
> > >terrorism, the federal government has in fact weakened the
> > >nation's IT infrastructure, and made us even more vulnerable to
> > >the bad guys.  Far from protecting us, the FBI has only made a
> > >nation weaker.
>
> David is right, and the FBI approach on this is consistent with past policy:
> permit only weak cryptography in civilian use, prevent export of secure
> systems (destroying economic incentives to building them) and if this latest
> report is true, facilitate government-installed "back doors" into machines.
>
> News reports are sometimes false. If McAffee has facilitated penetration by
> the FBI, it is quite possibly the end of McAfee. Fortunately, it is still
> possible for McAffee to change its mind. Here are some of the problems I see
> *if* this report is true:
>
> Problems for McAffee:
>
> As a customer, I buy software from McAffee to protect my system. In doing
> so, I certainly do not authorize or facilitate the intrusion of any third
> party -- including the FBI. If McAffee has done this, some hacker will find
> a way to exploit this vulnerability, and some victim will argue in court --
> correctly -- that (a) McAffee sold a product under blatantly false
> pretenses, (b) in doing so, McAffee conspired knowingly and willfully to
> diminish the security of the victim machine, and (c) McAffee therefore is a
> co-conspirator in the attack and should be prosecuted under both civil and
> criminal law. If it happened to *me*, I would argue that by installing a
> Trojan horse on my system without my permission McAffee violated federal
> law. As the total amount of money spent by McAffee customers to purchase the
> product exceeds $5,000, I suspect that essentially all of McAffee senior
> management would find themselves facing mandatory jail time.
>
> Problems for the FBI:
>
> While the intentions may be good, the FBI is now acting, without prior
> evidence of wrongdoing, to penetrate the machines of a large number of users
> nationwide. It doesn't matter whether they actually *use* this new
> interface. They have already broken the law by conspiring to have the
> vulnerability installed without a warrant. They will argue that this is
> analogous to phone tapping, but the two situations are very different. In
> the phone company case, the phone company consents (usually reluctantly) to
> install wiretap equipment in the switching system -- which is phone company
> equipment. What is happening here is an unlawful entry into my premesis by a
> private entity acting in conspiracy with law enforcement without due process
> anywhere.
>
> Here is a test: if the phone company said to you: "by the way, all of our
> phones come pre-equipped with phone taps to facilitate use by the FBI",
> would you buy the phone? Would you buy it, knowing that if the FBI can turn
> the tap on, so can anybody else with access to the phone system?
>
> Problems for Users:
>
> The really worrysome part to me in all of this is that the FBI is heading
> down the clipper path again. The only way this sort of mechanism can work is
> if it can be successfully mandated. If the FBI is serious, it follows that
> customers cannot be *permitted* to install secure systems.
>
> Ultimately, the problem with this is that technology is user-neutral. It
> doesn't care whether a connection to your machine is made by the FBI or your
> local hacker. This means that any system secure enough to safely run your
> business or manage your financial information in a hostile world must also
> be secure enough to prevent penetration by the FBI. We will shortly find
> ourselves in a situation where we must choose between protecting ourselves
> vs. letting law enforcement protect us.
>
> The problem is that in this world law enforcement *can't* protect us -- it
> simply cannot react fast enough. Being vulnerable isn't a good tradeoff.
>
> McAffee, methinks, has a serious problem.
>
>
> Jonathan S. Shapiro, Ph.D.
> Johns Hopkins University
> Information Security Institute


For archives see:
http://www.interesting-people.org/archives/interesting-people/