Search Results for: backdoors

People Making Bad Choices About Your Privacy

By Ernest Worthman, Executive Editor, AWT magazine, Senior Member, IEEE

“William Barr is an idiot.” Not my words, but I wholeheartedly agree with the view recently expressed about our attorney general. However, I am glad that others see just how dangerous the leaders of this country are at this time.

The person who called him this was Max Eddy, a senior security analyst at infosec.exchange. He sees the danger in Barr’s ridiculous insistence that backdoors be added to encrypted communication systems, consequences be damned.

He is not alone. Barr’s lack of understanding of critical security in communications systems is in line with a handful of Republican senators and past heads of government security agencies. Former FBI Director James Comey; the current Director, Christopher Wray; and former Attorney General Loretta Lynch have all beaten the drum about wanting back doors to undermine end-to-end encryption.

I have written about backdoors often, even penned a paper on it. So, I will not go into that here. What I will go into is the latest related track of attacks on end-to-end encryption.

Three of today’s most dangerous congresspersons, all Republicans, of course, Lindsey Graham, Tom Cotton and Marsha Blackburn (I’m surprised Mitch McConnell is not in on this), say encryption is hindering U.S. law enforcement from catching criminals and terrorists – OMG, they want vendors to install a backdoor that can be used to circumvent end-to-end encryption!

The idiotic statements coming out of the Senate only show just how ignorant they are about so many things, security being only one of them. They are so worried about not having Russia-like control over the masses that they have lost touch with reality.

This started back, in earnest, when the flap between the FBI and Apple emerged over Apple’s refusal to unlock the phone of the terrorist who was involved in the 2015 mass shooting in San Bernardino, California. Syed Farook and Tashfeen Malik, his wife, shot up a regional center during a holiday party.

The FBI later found Farook’s iPhone and wanted to search it for information on the terrorist attack. That led to the FBI demanding that Apple unlock the device because the agency said it could not do it on its own.

Apple stood its ground and said they could not unlock the phone. Whether they could or could not is immaterial. For the record, I was in favor of accommodating the FBI’s request. However, that was then, this is now.

In retrospect, with the communistic mentality of the present administration, I am glad it went that way, then. Eventually, an Israeli company was given the task to compromise the terrorist’s iPhone and they were able to retrieve the data.

What kills me is that the government will not let this go. Most intelligent people should understand that such data, if critical to a criminal investigation, should be accessible. Just like camera video and audio. However, using Gestapo-like tactics to weaken such encryption used by Apple, Facebook, and others is not the right way to do it. And with a backdoor that anybody can access with the right code.

That is why such end-to-end encryption is designed the way it is – to protect the consumer from anyone, including the government. If properly implemented even the provider of the hardware, or app, has no way to access the user information inside. The only one to be able to access the data is the owner.

This was set up this way for a reason. Does it make law enforcement’s job a bit more challenging? Of course, it does. It should not be easy for anyone, including law enforcement, to retrieve personal data. That is the purpose of end-to-end encryption.

It is a bit of a double-edged sword, however. There is certainly legitimacy in law enforcement being able to acquire data that is used in illegal activities. But again, if you give the government an inch, they take a mile – especially the present government.

Hardly surprising, given the vehemence of this government to erode personal rights, some in Congress are trying to pass legislation to circumvent the privacy laws – again. And, as to be expected it is the Republicans – again.

This particular gang of three has introduced what they call the Lawful Access to Encrypted Data Act. The bill is being spun as a way to bolster national security interests by ending the use of “warrant-proof” encrypted technology by terrorists and other bad actors to conceal illicit behavior (and the rest of us, but they do not differentiate between us and the bad actors nor define the conditions that determine this).

Gotcha! This is a carte-blanche act that says once law enforcement has obtained the “necessary court authorizations” it requires tech companies to aid in obtaining such data – from anyone and any platform. Hmmm… I thought this is already the way it is. You want something, get a warrant. It has been that way for decades.

The same bill also gives the U.S. Attorney General the power to force U.S. technology companies into complying with the court order. For instance, the AG can demand the product provider supply a timeline of when access to the encrypted data will be available to federal investigators. Seems like Barr is determined to become the power Czar of this administration.

On the downside, the obvious cost would be user privacy. That cost is too high. We are already inundated with privacy breaches because there is no real legislation in place to protect us from even the “good guys,” such as the FAAMG rat pack (Facebook, Apple, Amazon, Microsoft, and Google). In fact, it was just discovered that TikTok has been secretly spying on millions of iPhone users.

In order to give the government what it wants, it will open the floodgates to exactly the bad actors such encryption is intended to thwart – including our own government. We cannot assume that law enforcement will always act in the best interest of society. Administrations and laws will change, however, and what is protected today may be fair game tomorrow.

As well, even if, by the furthest stretch of one’s imagination, our government acts honorably, other governments do not. What is accessible by our government is, most certainly, accessible by other governments. They all have the same technology.

We also cannot assume that this bill and other actions will offer protections limiting access to the personal information of innocent individuals – something we know all too well from the National Security Agency’s massive spying operations in the past. Through both negligence and design, the NSA accessed much more information than it was supposed to have collected, including that of the U.S. citizens the agency is prohibited from spying on.

It is best said by Will Cathcart, of WhatsApp with this quote, “At a time when cyber threats from criminals, hackers and nation-states are on the rise, our nation’s leaders should not be calling on companies to weaken the encryption that allows us all to communicate privately and securely.”

Furthermore, the Electronic Privacy Information Center notes that these three Republican musketeers are trying to weaken systems that are secure enough to keep government and law enforcement from using unauthorized access. Alan Butler, EPIC interim executive director, makes the point that one cannot have a backdoor accessible to government and law enforcement, exclusively. “That is not how encryption works,” he said. Well, duh! My point exactly with government ignorance around such topics.

In the end, the saddest thing is that even if all of this happens and now law enforcement can have access to any and all data in the name of security, there is little proof that such data will, all of a sudden, make us safer and stop bad actors. Crypto expert Klaus Schmeh did some back-of-the-napkin research and concluded that breaking encryption is not likely to yield better results for law enforcement.

So, it is time again to be afraid… very, very afraid.

The China Hawk Effect on the Semiconductor Biz

By Ernest Worthman, Executive Editor, AWT magazine, Senior Member, IEEE

Ern’s Perspective

I have been involved in the semiconductor industry for a number of years now. I have many contacts there and do regular checkups with them on the health and welfare of the industry.

It is no secret that the last couple of years have not been particularly good for this industry. And, the Trump Administration’s spat with China is not helping. We will look at that a bit further on in this missive.

The industry is complex, and competition is stiff. This led to a freefall in Dynamic RAM and NAND memory pricing that started in late 2018 due to an oversupply of components. That, in turn, led to nearly a 13 percent decline in revenue.

There was a somewhat promising, rosier picture for 2020 but COVID-19 has put the kibosh on that. And, considering we are heading for a recession, there is a great void of unknowns once we pass the pandemic. All that has caused the industry to take a 15 percent hit for Q1. The chart gives an overview of the numbers and it is not particularly promising.

From a theoretical perspective, and wishful thinking among the players, there is a fairly wide window of opportunity available. However, nobody is placing bets on when or how fast the recovery will occur once all is said and done. And, sources are reticent to make anything other than vague predictions about what to expect.

The window of opportunity focuses, largely, on emerging technologies. A “what’s what” of platforms includes the Internet of Anything/Everything (IoX), autonomous vehicles, 5G, smart devices, artificial intelligence (AI), machine intelligence (MI) and several other emerging and expanding platforms (such as multi-gate semiconductors) that could jump-start the industry. That depends on several existing conditions improving and when that will occur to the point of some semblance of normalcy.

However, there is worry here in the United States about this government’s actions, going forward, with China. Many of this country’s semiconductor manufacturers are heavily invested with fabrication in China. And, this government’s position has them concerned. As well, a significant percentage of sales from the same goes to China.

There is a real set of serious challenges facing the United States from this pro-isolationist, in general, and anti-Chinese, in particular, position the United States is taking. A report by Boston Consulting Group (BCG) does a very good job of identifying the choke points and their implications on the U.S. semiconductor industry. And, the report is neutral, not trying to spin anything. The following are some observations from the report.

First, if the friction between China and the United States continues unabated, U.S. semiconductor companies’ business status in China will be compromised, risking the estimated $49 billion of revenue (22 percent of its total revenue) that the U.S. semiconductor industry derives from Chinese device manufacturers.

“Continuation of the bilateral conflict could jeopardize U.S. semiconductor companies’ ability to conduct business in China on an equal footing with their competitors, both Chinese and from other regions,” the report said. “The magnitude of the revenue at risk threatens the scale that the U.S. industry needs to sustain its virtuous circle of innovation and global leadership.”

In the worst case, the semiconductor trade war will lead to a decoupling of the U.S. and Chinese tech industries, which would apply to other technologies used in the semiconductor value chain, such as design tools and manufacturing equipment, damaging another area of U.S. leadership, according to the report.

This will be devastating for the United States and it will, likely, slip behind some other countries in cutting-edge technologies since a significant percentage of semiconductor earnings are reinvested in R&D. Loss of income translates directly into less money for R&D.

As well, the shift from purchasing U.S. semiconductor products will send Chinese money to U.S. competitors. That will make the competition even stiffer for U.S. suppliers around the globe because other countries will have more choices. That will also put pressure on prices.

For example, if 5G chip development accelerates in places like Korea, India, Vietnam and others with Chinese investments, the market will have many more, often less expensive, choices other than Qualcomm.

“Chinese suppliers would capture approximately half of the revenue forgone by the U.S. industry, enabling China to increase its global market share to around 7 percent and raise its semiconductor design self-sufficiency from 14 percent to 25 percent. The other half of the revenue lost by U.S. semiconductor companies would flow to alternative suppliers from Europe or Asia,” according to the report.

If total decoupling were to occur, the results would be much more damaging. For example, China would also ban U.S. software and devices such as smartphones, P.C.s and data-center equipment, resulting in a significant decline in U.S. semiconductor revenue.

“We estimate that, in the medium to long term, the global share of U.S. semiconductor companies would drop from 48 percent to 30 percent. The United States would also lose its long-standing global leadership position in the industry,” according to the report.

There is, of course, the specter that some U.S. technologies are so advanced that if China were to lose access to them, Chinese PCs, servers, and other ICT infrastructure devices might no longer be as competitive in international markets. The same goes for Chinese smartphones and other consumer electronics products, particularly in high-income economies. However, that would put Chinese technology in place of U.S. technology in China, which is a huge market. That, in turn, would generate revenue for Chinese R&D, both in China and elsewhere.

According to the report, the restrictions on U.S. semiconductor sales to China will do more damage to U.S. semiconductor companies than to China, resulting in U.S. dependence on foreign semiconductor suppliers.

“Similarly, a dramatically scaled-down U.S. semiconductor industry that no longer functioned as a global leader would not be able to fund the level of R&D investment required to fulfill needs for advanced semiconductors for critical defense and national security capabilities,” according to the report.

In the end, continuation down this path will have devastating effects on the U.S. semiconductor segment. How much and how devastating is unknown. And, couple that with the current and near-future economic downturn and the result could be an unrecoverable scenario for U.S. semiconductor players. That will not only hurt them but a wide array of segments from national security to consumer devices. It will also affect a wide array of both existing and emerging technologies.

The report implies some dire consequences for the semiconductor sector if the China hawks have their way. It goes as far as saying if the worst scenario comes to pass, the U.S. semiconductor segment will suffer irreparable damage to the point it may never recover.

Without a doubt it is in trouble. My main worry is that this administration will not understand the ramifications of pursuing the anti-China vector and thinking the results of decoupling can be made up with alternative vendors. That scenario will not come to pass.

The United States and China need to come up with a win-win strategy. The blame game, whether it is COVID-19 or fear of software backdoors, is not helping either side to move forward. On the backside of all of this, let us hope our government will undergo some changes that will remove the vindictiveness and ignorance we are currently witnessing.

Apple Versus the FBI — Round 2

By Ernest Worthman, AWT Exec. Editor, IEEE Sr. Member

Ern’s Perspective

Back when the first battle between Apple and the FBI over data unlocking emerged, I wrote several missives around this issue.

My opinion was then, as it is now, that Apple should have cooperated with the FBI and assisted them to retrieve the requested data to see if there is any incriminating evidence. Apple refused, citing 1) they do not have the ability to unlock the phone (which I thought was nonsense), 2) if they could, they would not because it would be a violation of privacy policies, and 3) it would compromise their OS integrity across the board.

I am not going to rehash the issue here because my position has not changed. Basically, my argument was, and is, that any such data should be treated as any other potential evidence (video, recorded conversations, wiretaps, etc.). Just because it is contained in a mobile device does not alter the basic premise that evidence should be accessible under legitimate conditions. Data is regularly retrieved from other types of computers, is it not? And, there is as much private data on these devices as a phone, on any given day.

We have many safeguards in place when it comes to evidence gathering and it makes no sense that digital data has any more, or less, special privileges than any other potential evidence. Privacy is a big thing, nowadays. However, it seems the arguments over privacy morph to suit the particular case. That, however, is a discussion for another day.

Back in 2015, when the San Bernardino, California, incident occurred, it brought the central issue of privacy versus evidence to the center of the radar screen. That was in the days of the Obama administration. I do not recall that administration getting into the fray. Conversely, this administration has seen fit to tell Apple what to do.

I find this objectionable. This president has shown us, over and over, what a busybody he is when it comes to issues that are not really significant enough to warrant Presidential concern. The nuances of privacy vs. evidence are way over the head of the current administration and it should be left to the powers that understand its complexity. Trump, and now his attorney general, William Barr, hear something and suddenly, they are experts in what everybody is supposed to do.

What makes this even worse is the implication that Apple owes this administration, and it is “demanding” that Apple salute smartly and say “yes sir, happy to pay back the favor!” Hmmm… seems we have come to a place in this political environment where it is not about what is right, but about favors and payback – the kind where we have treated you special so now you must return the favor. And if you do not, it will affect how we treat you in the future – my, what an upstanding and moral compass this administration has.

I guess since Trump can blackmail the Ukrainian government by threatening to withhold aid, he believes the same tactic will work with U.S. companies. He implied that since he is helping Apple and giving them dispensation (although so far what I have seen is not all that impressive) on trade and so many other issues, they are supposed to roll over and obey his every whim.

What continues to bother me (and I am not alone) is how woefully ignorant Trump and Barr (and most other legislators) are when it comes to technology. Rather than pass the baton to those that understand this, they believe it is as simple as saying it and it will come to pass.

In the end, I must side with the government on this one, empirically, but not without reservation of methodology – not the approach, but the principle. On the other hand, I understand the implications of giving the government, especially this administration, ANY capabilities to access private data, especially what it is asking Apple to do concerning back doors.

The administration’s demand is that Apple create a “back door” that “authorized” agencies have access to – bad idea (see my article on back doors in the fall 2019 issue of Applied Wireless Technology; www.aglmediagroup.com/?s=backdoors).

I must agree with Apple that such a solution would weaken the code and allow for all kinds of other bad actors to get into the game.

It is time to revisit how such data plays in the criminal and legal arenas. Some say that this data is no different than any other type of evidence and comes under present evidence gathering rules and regulations. Others say that such data, and the way it is collected requires new policies since it is more tightly bound to private and critical data than typical evidence vectors (video surveillance and phone taps, for example).

No matter how this evolves, however, it is NOT a good idea to open any doors to governmental access directly (i.e. allowing them to access the data versus a third party extracting it) – especially this administration. I think it is time for data repositories to revisit ways to unpack data so that if there is data that becomes critical evidence in nefarious activities, it can be provided without compromising other private and secure data within the data pack.

Fight Over Facebook’s WhatsApp Privacy Hearkens Back to Apple, FBI Scrap

By Ernest Worthman, Executive Editor, AWT Magazine, Life Member, IEEE

Many of us remember the scrap between the FBI and Apple concerning data the FBI was interested in obtaining from a suspected criminal. For the sake of clarity, it was when the FBI wanted to access a locked iPhone and Apple refused to cooperate. Eventually, a third party was able to hack the phone and release the data.

This became one of the defining moments in the digital transformation. It put a spotlight on the fact that there are much larger issues that loom around where, when and how data can be acquired and what it can be used for, both with and without the owner’s permission.

The bottom line in all of this is privacy. However, in this digital age, years-old privacy concepts, developed long before the dawn of the digital age, have become outdated. Most of the current privacy laws, policies, concepts and the like are woefully out of date. They do not reflect the new vectors of the digital age.

And, as usual, our government and, to be fair, other governments are also woefully ignorant about the current privacy ecosystem. The ability of social media, particularly, and other companies such as Amazon, Google, Yahoo, et al., to capture, use and manipulate data is outside of much of the current privacy regulatory landscape – as is their ability to skirt governmental overwatch. Instead of tackling this head-on, and admitting they are not the experts, our government officials simply like to hear themselves talk and try to convince us that they are up to speed on privacy. Unfortunately, the actual comprehension needed by most legislators to tackle today’s privacy environment is beyond their event horizon of understanding.

The latest example is that of our government’s current attempt to compromise Facebook’s WhatsApp privacy and security platform. Facebook’s WhatsApp currently uses end-to-end encryption, and Facebook is planning to roll out that technology to Facebook Messenger users, as well. Such security makes it difficult to impossible to hack a device. Essentially, the government is asking, no demanding, that Facebook offer some sort of enablement to the government so it has access to messages suspected of being relevant in criminal investigations.

With all the noise around backdoors, of late, one would think that the Justice Department would be smarter than to ask Facebook to build a backdoor into the service so it can read messages when doing these criminal investigations. As a principle, it is valid, standalone, but with all that is going on around security in the global environment, it just seems a bit naïve that this is where the government’s mentality is. So, I reiterate, governments just seem to have no clue as to how all this works in the digital age.

Here is the big problem with backdoors – and it is so fundamental, they should know it. Implementing them opens a Pandora’s Box of issues. While there are too many to go into detail on here, the global one is that a backdoor is breachable by anyone who can figure out the access parameters. It is not specific to only one entity, even if the entity is the only one given access capability. Backdoors simply make the technology inherently less secure. It is, essentially, designing a vulnerability into security features. It is only a matter of time before it is exposed by the bad actors lurking in the dark corners of society. And, do we really trust our government to stick to what they agree to, with backdoors?

So, why would the United Kingdom, the United States, and Australia all push such an agenda? Well, it all comes back to my common denominator, they really do not understand security and privacy. Such a request defies all logic in the current security and privacy landscape.

Some of the logic is laughable. For example, some text in the drafted document reads “Our technical experts are confident that we can do so while defending cyber security and supporting technological innovation.” Really? Just who are their “technical experts” that they think they can secure backdoors? It seems that politicians just do not live in the real world. Backdoors have never been designed for anything other than hardware and code manipulation (updates, code revisions, test, etc.). Designing one for something like monitoring communications is ludicrous and akin to allowing the government to, clandestinely, eavesdrop on any, and all, conversations.

If we draw a parallel in a simpler example, doing this would be akin to encircling your home with the latest security system, having a professionally trained guard dog, a security service physically monitoring the premises, perimeter sensors, cameras, vibration sensors, audio sensors and the like. However, when the security is in place, we leave a window guarded with no more than a combination lock. It makes no sense.

Now, switching hats. Not that I believe law enforcement should not have access to suspect criminal digital data. I had taken the position that Apple should have worked with the FBI to retrieve the requested data. I reiterate this is the digital era. There are new mediums that need to be addressed, when it comes to privacy and security, using new methodologies, not decades-old precepts that never envisioned the issues that arise with this “new media.”

The challenges faced by 21st-century law enforcement need some support from the political arena. However, the political arena needs to come into the 21st century, first. Requesting something as ridiculous as a backdoor so law enforcement can have carte blanche to monitor every bit on every social media and other platform shows how woefully out of touch the Politbureau is.

The smart play is to get high-tech involved in drafting legislation and new technologies that allow law enforcement, under tightly controlled conditions, to acquire suspect data while still protecting the fundamental rights of citizens. It would do government well to create a “Department of Technical Competence” – a nonpartisan, politically autonomous agency, full of knowledgeable geeks that work on developing platforms to protect both the user and enable law enforcement to acquire evidence in the digital ecosystem (and lose the “technical experts” that believe backdoors can be secured).

There has to be a middle ground here. Neither the uninformed Washington bureaucrats that want the backdoor nor the radical left ACLU can have it their way. This is a brave new digital world and it is time to update both the policies and the policy makers.

Talk About Washington Bobbleheads!

By Ernest Worthman, Executive Editor, AWT Magazine, Senior Member, IEEE

For years now, Huawei equipment has been used in rural network hardware. And to date, as far as I have been able to determine, there has not been a single security leak from any of this hardware. Washington keeps the myth alive by regularly saying they have found something. But, to date, they are unable (or unwilling) to furnish proof. Either way, their position is, so far, not credible.

Is it possible that there are some logic bombs, such as backdoors, Trojans, rootkits or malware installed in this hardware just waiting for the proper moment to activate? Of course, it is. Perhaps it will launch all of our ICBMs one day. Or, perhaps it will disable all of our satellite communications. Or, perhaps it will disable the President’s Twitter account (one can only hope). The real coup would be, if it could be used to release the president’s personal tax records.

I doubt if China is the only perpetrator. I would be much more afraid of Russia or North Korea. However, it seems that the Administration has a single target on the radar screen for now, simply because this President is just an angry man. This is simply a personal vendetta from the President and his minions. They continue to use their positions to keep the myth alive.

The latest round comes from FCC Commissioner Geoffrey Starks, who used the CCA forum to put forth another administration-influenced speech that has no basis in fact. With all the Huawei hardware already in place, one would think, if there were issues, they would have surfaced by now. Moreover, with all the attention around this, Huawei would have to be the fools of the century to keep it up.

In his speech, Starks targeted the Chinese telecommunications industry on the whole, and Huawei in particular. However, my position is that the FCC has no business getting involved. The FCC’s mission statement is, and I quote, “To be an agent of positive change, striving for continuous improvement in FCC’s management and program operations.” Nowhere does it say they are to be instrumental in determining whose or what hardware is involved, who the industry should buy from and what equipment should be banned.

Furthermore, they are not chartered to offer opinions, such as these, either, especially in this current, highly charged, political environment. All this does is continue to perpetuate an unsubstantiated parable. Even if it were proven true, they still have no business sticking their noses in here. It is the job of the United States Intelligence Community (USIC), and the legislature.

However, in following the Administration’s philosophy, the FCC is trying to get into the China game. First, they are exploring ideas on how to come up with a way to keep U.S. vendors from purchasing Huawei equipment. Second, they are trying to introduce an initiative which would offer federal dollars to search for, and remove, legacy Huawei equipment which might be in the network. Great! Another way the government is wasting my taxpayer dollars! How dare you, FCC, attempt to spend my taxes for something that you have no business sticking your nose in.

Huawei hardware has been in networks for a decade or more. It got there because it was good, cheap and they were willing to work with companies to give them what they needed. Now, all of a sudden, we are crying foul and trying to oust them? And, again, with no substantial evidence of wrongdoing.

Starks is suggesting every piece of equipment should be ripped and replaced (using my taxes). Although, it is unlikely that Congress will go along with it.

Lately, the windfall has gone to companies like Nokia and Ericsson, who have indicated they can create products and financing options for this initiative. But I have my suspicions. I do not see either of them bending over backwards to make cheap hardware. And, neither of these companies are American. Seems Donald Trump is talking out of both sides of his mouth when he states he wants American manufacturers to step up. Oh, what? That’s right, we have Qualcomm. However, they manufacture overseas (Shanghai) as well.

It is enough of a challenge for rural telcos to monetize their networks. Ripping out Huawei gear and replacing it with other manufacturers will do nothing but place an additional hardship on them. As well, Huawei has an incredible willingness to work with these smaller carriers. In the United States, where the landscape is all over the map (no pun intended), that is a significant benefit.

One has to wonder just how much of a political football this is, especially with the upcoming elections. There are so many more bad actors in the world trying to compromise the United States, it makes no sense that this government is leveling its barrels only at China. It goes to show just how little care the U.S. Government has for the fallout from such actions. It is one thing for the President to act like an impetuous child. It is another for the rest of the government to drink that Kool-Aid. I cannot wait for this administration to widen the circle and go after companies such as Alibaba, and other non-telecom Chinese manufacturers as it gets closer to the elections.

A generation made a change in the 1960s; perhaps it is time for another generation to make a change in the 2000s.