Wednesday, February 24, 2016

The USG backdoor definition double standard - Juniper vs. Apple

I wanted to make another quick point in the FBI vs. Apple debate that I haven’t yet heard anyone else make.  Fancy that – I’ve had an original idea.  There are two key points to keep in mind as we begin this discussion:
  1. The FBI keeps saying that they aren’t looking for a backdoor.  The FBI just needs a capability that intentionally weakens security features in a product made by a US manufacturer.  
  2. The FBI wants Apple to weaken the security of the iPhone in question for the purposes of intelligence collection. Recall that this is not a law enforcement matter (the suspects are dead).
My memory is sometimes a little short, but I seem to remember a few months ago when it was discovered that an unknown actor had placed a crypto backdoor in the Juniper ScreenOS code base.  I'm not talking about the SSH backdoor (CVE-2015-7755); I'd like to intentionally remove that from the debate.  But for the crypto backdoor (CVE-2015-7756), the one that let an attacker who could monitor VPN traffic decrypt it, I see an obvious parallel.

Let's review the facts about the Juniper crypto backdoor:
  1. The software weakened security features designed to protect customers who used the device. But it definitely wasn't a backdoor because it didn't directly allow the unknown party access to the device.
  2. Though we don't know who planted the software, it is almost universally agreed upon that it was placed by a nation state for the purposes of intelligence collection.
When comparing these two points looking for similarities, the FBI was drawing a blank.  So I brought in Ray Charles to take a look, and even he can see that there's a clear parallel here.

Okay, so the first point is ridiculous.  You can't seriously say that the Juniper software wasn't a backdoor.  It was an encryption backdoor.  It allowed whoever held the corresponding secret to decrypt traffic that customers wanted to keep private.  In fact, they bought the Juniper devices specifically to keep their data protected from unauthorized viewing.  Then an unknown party put a backdoor in the software for the purpose of enabling intelligence collection.  

I seem to remember some people being really mad about this, including many of our elected representatives.  In fact, Congress wants answers about the Juniper backdoor.  I'm really curious why so few elected officials are being vocal about the FBI order to Apple.  If an unknown attacker had the same capability that the FBI is asking for, they almost certainly wouldn't be silent.  If China drafted a court order to get an iPhone backdoor, um, I mean intentional software weakness, the US certainly wouldn't be silent.  This is a double standard of language if I've ever seen one.
