Interesting People mailing list archives
IP: good analysis Re: Unintended Consequences and a Nation Made Weaker (fwd)
From: David Farber <dave () farber net>
Date: Sun, 25 Nov 2001 15:18:19 -0500
From: "Jonathan S. Shapiro" <shap () eros-os org> To: <farber () cis upenn edu> David Lesher writes: > >In other words, in its efforts to protect the nation from > >terrorism, the federal government has in fact weakened the > >nation's IT infrastructure, and made us even more vulnerable to > >the bad guys. Far from protecting us, the FBI has only made a > >nation weaker. David is right, and the FBI approach on this is consistent with past policy: permit only weak cryptography in civilian use, prevent export of secure systems (destroying economic incentives to building them) and if this latest report is true, facilitate government-installed "back doors" into machines. News reports are sometimes false. If McAffee has facilitated penetration by the FBI, it is quite possibly the end of McAfee. Fortunately, it is still possible for McAffee to change its mind. Here are some of the problems I see *if* this report is true: Problems for McAffee: As a customer, I buy software from McAffee to protect my system. In doing so, I certainly do not authorize or facilitate the intrusion of any third party -- including the FBI. If McAffee has done this, some hacker will find a way to exploit this vulnerability, and some victim will argue in court -- correctly -- that (a) McAffee sold a product under blatantly false pretenses, (b) in doing so, McAffee conspired knowingly and willfully to diminish the security of the victim machine, and (c) McAffee therefore is a co-conspirator in the attack and should be prosecuted under both civil and criminal law. If it happened to *me*, I would argue that by installing a Trojan horse on my system without my permission McAffee violated federal law. As the total amount of money spent by McAffee customers to purchase the product exceeds $5,000, I suspect that essentially all of McAffee senior management would find themselves facing mandatory jail time. Problems for the FBI: While the intentions may be good, the FBI is now acting, without prior evidence of wrongdoing, to penetrate the machines of a large number of users nationwide. It doesn't matter whether they actually *use* this new interface. They have already broken the law by conspiring to have the vulnerability installed without a warrant. They will argue that this is analogous to phone tapping, but the two situations are very different. In the phone company case, the phone company consents (usually reluctantly) to install wiretap equipment in the switching system -- which is phone company equipment. What is happening here is an unlawful entry into my premesis by a private entity acting in conspiracy with law enforcement without due process anywhere. Here is a test: if the phone company said to you: "by the way, all of our phones come pre-equipped with phone taps to facilitate use by the FBI", would you buy the phone? Would you buy it, knowing that if the FBI can turn the tap on, so can anybody else with access to the phone system? Problems for Users: The really worrysome part to me in all of this is that the FBI is heading down the clipper path again. The only way this sort of mechanism can work is if it can be successfully mandated. If the FBI is serious, it follows that customers cannot be *permitted* to install secure systems. Ultimately, the problem with this is that technology is user-neutral. It doesn't care whether a connection to your machine is made by the FBI or your local hacker. This means that any system secure enough to safely run your business or manage your financial information in a hostile world must also be secure enough to prevent penetration by the FBI. We will shortly find ourselves in a situation where we must choose between protecting ourselves vs. letting law enforcement protect us. The problem is that in this world law enforcement *can't* protect us -- it simply cannot react fast enough. Being vulnerable isn't a good tradeoff. McAffee, methinks, has a serious problem. Jonathan S. Shapiro, Ph.D. Johns Hopkins University Information Security Institute
For archives see: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- IP: good analysis Re: Unintended Consequences and a Nation Made Weaker (fwd) David Farber (Nov 25)