Last week a group of computer security experts issued a warning about a proposed expansion of government spying know as CALEA II (Communications Assistance For Law Enforcement Assistance) being considered for “wire” tap expansion: CALEA II: Risks of Wiretap Modifications to Endpoints <read>
Abstract: The U.S. government is proposing to expand wiretap design laws broadly to Internet services , including voice over Internet protocol (VoIP) services and other peer – to – peer tools that allow communications in real – time directly between individuals. This report explains how mandating wiretap capabilities in endpoints poses serious security risks. Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences for the economic well – being and national security of the United States
This is serious. The report if anything understates the risks. To me, this crux of the problem is summarized by the dangers to operating system end points:
All networks, software , and communication tools that support “lawful intercept” include features that are designed to breach the confidentiality of communications without detection by any party involved in the communication . When parties communicate using services with such features , there is a n increased likelihood that an unauthorized and/or malicious adversary with the right technical knowledge and access to the system could capture communications contents without detection. The general nature of CALEA – style mandates and the necessarily clandestine nature of intercept mechanisms increase security risks further.
The cleverest and most dangerous cyber – attackers are those who are able to not only compromise a system but also to evade detection. T hat is also precisely the objective of a government surveillance solution: to compromise communications without detection. W e know that communications networks and services are increasingly the subject of exploitation , often because of unintended and not very well – hidden vulnerabilities . Wiretap capabilities can be uniquely dangerous precisely because they are developed to be hidden, both in design and in application. Wiretaps are designed to be kept secret from both the parties involved in the communication and also from anyone else that does not have a “need to know” in order to execute the tap (including employees of the service provider who are on the alert for system compromises) . This requirement for obscurity increases the security risks further because it increases the possibility that a malicious communications intercept could be effectuated with low risk of discovery…
Furthermore, for the many products that are open source, it will be trivial for someone to build and redistribute software without the monitoring capability. This sort of “fork” is not exceptional, but rather common. The nature of Open Source software is that people take it, make small modifications, and redistribute. To provide two especially relevant examples, Iron is a fork of Google Chrome that focuses on improved privacy , and the Tor Project maintains its own version of Firefox that is designed to allow private anonymous communications on the Internet under extremely adversarial conditions, such as dissident users in Iran or China. If U.S. software vendors are forced to introduce wiretap capability , it seems certain that there will be non – U.S. forks of popular7open source communications packages that do not allow such access. Moreover, this likelihood of non – compliant forks being developed is not limited to open source software, but also potentially relevant to proprietary, closed – source products , albeit with more effort by the fork’s developers . For instance, just as it is possible to “jailbreak” proprietary phone operating system software by downloading a program that “tweaks” the software, disabling monitoring capability in wiretap – modified software may be as easy as clicking a link and running a small program that can disable intercept functionality.
It is important to understand that because these systems are built on open standards, modified software without lawful intercept capability will be able to interoperate with systems with the intercept capability and with unmodified systems. To take an extreme example, say that all U.S. – made Web browsers support CALEA II, thus allowing wiretapping of any WebRTC session. Two users who desire unmonitorable communications need only download secure foreign – made versions of one of the major browsers and they can make secure calls using exactly the same infrastructure as those that must use compliant versions . We should expect that any user who is concerned about monitoring — including many potential monitoring targets — would obtain and use a n unmonitorable version of a given product or service . Ironically, then, potential terrorists may easily be able to u se stronger security than the U.S. government, which is less likely to install non – U.S. forks of these programs.
So,
- The bad guys and all of us good guys can easily find ways of defeating the risk of compromise.
- But how many of us can be sure those safe versions actually are safe? They could block the government and open up our communications to others instead. Or maybe its just another trick version from the U.S.
- But the government and perhaps most businesses regulated by business would likely be required to not protective actions
- This would be a great tool for interfering with the electric grid, nuclear power plants, the communications grid, etc.
- How about insider trading? A great tool for learning all sorts of information which will effect interest rates, stock, or commodity prices.
If you believe that, in general, government can be incompetent, that makes this plan even less effective and more risky.
