It has long been suspected that the U.S. government has consistently installed back door programs, remote access programs or other vulnerabilities in U.S. hardware, software, supply chain, telecommunications devices, and well, just about everything.

Oh, and they are also beaming signals directly into your brain.  Except that one of these statements is a delusional fantasy.

The Snowden documents reveal generally that the NSA and other government agencies were, in fact, attempting to both create and exploit vulnerabilities in order to obtain access to communications – typically but not exclusively from overseas providers.

While many U.S. ISPs have denied assisting the government in installing “back door” programs, or deny deliberately weakening security or failing to repair zero-day vulnerabilities at the behest of the NSA, these denials are all capable of semantic parsing.

If the Director of the NSA can testify in response to a direct question by a U.S. Senator that the NSA does not “deliberately” “collect” “any” information on “millions” of “Americans,” by redefining each of those words (particularly “collect”) to mean that NSA analysts are taking custody of such records, but not examining them, and therefore not really “collecting” them, then in the words of Lewis Carroll’s Humpty Dumpty, “words mean precisely what I want them to mean…”

The problem with the possibility of back door hardware or software is not that it isn’t useful for surveillance.  It is.  Or that it won’t help both law enforcement and the intelligence community.   It will.  But at the cost of confidence of the world in the infrastructure, hardware, software, routers, hubs, and other devices made by U.S. companies.

Just as a DoD component wouldn’t consider installing a router from a Chinese company, can we really expect a country concerned about privacy or security to install Cisco routers with a vague assurance from Cisco that there are no back doors on the router?

As Keenan Wynn’s Col. “Bat” Guano explained to Peter Sellers’ Group Captain Lionel Mandrake after he destroyed a vending machine in order to use a pay phone (remember pay phones?) to warn the White House about an impending nuclear assault, “Now you have to answer to the Coca Cola company.”

So the same U.S. Senator who called out the NSA Director on his doublespeak has now introduced legislation to make sure that there are no “back doors” on any U.S products.

Senator Ron Wyden (D. Or.) announced on December 4 the introduction of the “Secure Data Act,” which would prohibit federal agencies from mandating the deployment of vulnerabilities in data security technologies. The bill, if passed and signed, would state that “no agency [except as required by CALEA – a law that mandates that telcos assist law enforcement in wiretaps] may mandate that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”

OK.  I am now confident that there are not going to be any more back doors.  Aren’t you?

Except for that little word “mandates.” “Oh,” says the NSA. “Cisco doesn’t HAVE to make its router accessible to us, but it would be a shame should anything happen to your nice government contract over here.” Not a mandate – just a suggestion. Or what if it is a requirement in a government contract? You don’t HAVE to do it – just don’t bid on the contract. Oh, and that FCC license approval? “Fuggeddaboutit.” Remember Qwest Communications CEO testifying that his company was threatened with loss of contracts and revenue if they didn’t do what the NSA demanded? But it’s not a mandate. It’s just a very strong “suggestion.”

The proposed law has few if any teeth. It has no criminal enforcement; nobody goes to jail if it is violated. And even if there is a compulsion, the facts related to it are likely to be classified for national security purposes. So, if a law enforcement and/or intelligence agency compels you to install a back door, in the words of Peter Venkman, “who you gonna call?”

Plus there are times when we really DO want a back door.  Take Stuxnet.  Whether it was the U.S. or not, it was still super cool, and set back the Iranian nuclear program by either a couple of decades or a couple of hours.  Hard to say.  But cool anyway.

And the law only applies to installed back doors.  It wouldn’t apply for example to an inherent vulnerability that the NSA tells the company not to fix.  Or one that the NSA doesn’t tell the company about.  Lots of ways around this one.

So if you are worried about the NSA installing back doors on hardware or software, I’m afraid that Sen. Wyden’s bill probably won’t help much.  If you are worried about the NSA beaming waves into your skull, may I suggest a lovely aluminum foil hat?  Oh, and always wear it shiny side out.  It doesn’t work the other way.  I know.  I have tried it.
