What It's Like When the FBI Asks You to Backdoor Your Software (securitywatch.pcmag.com)
As it stands, it's basically one level up from an urban myth. Some guy asked her to do something shady at a security conference, and it's easy for the FBI to claim they don't know anything about it.
Really? The FBI agent approached her and started talking to her before she had even removed her mic? And everybody (including the agent) heard?
Let me guess, she vehemently denied the offer? (I'll admit I didn't even bother to read past the second paragraph of this "article".)
I don't think so...
More to the point, if it's possible for her company to compromise customers' communications unilaterally, then the service is insecure, regardless of what promises they make or what type of encryption they (claim to) use.
The law is in 18 U.S. Code sec. 912: Officer or employee of the United States:
> Whoever falsely assumes or pretends to be an officer or employee acting under the authority of the United States or any department, agency or officer thereof, and acts as such, or in such pretended character demands or obtains any money, paper, document, or thing of value, shall be fined under this title or imprisoned not more than three years, or both.
That is, 1) impersonating a federal employee, and 2) using that impersonation to get or demand something of value.
This account does not have the person actually getting information, nor demanding access, so does not appear to be felonious.
For example, suppose it was private citizen X impersonating an FBI agent to test Sell's resolve. The query was "if she'd be willing to install a backdoor into Wickr that would allow the FBI to retrieve information", not if citizen X (impersonating an FBI agent) can get that information.
That doesn't seem to be illegal according to the impersonation law.
http://www.businessinsider.com/the-story-of-joseph-nacchio-a...
At this point, if I wanted to use my phone for any truly critical communication (e.g. like in Middle Eastern countries where lives are literally at stake), I'd only use open source software.
You could start a company that had all of the following people as founders:
Ron Rivest
Adi Shamir
Leonard Adleman
Phil Zimmermann
Whitfield Diffie
Martin Hellman
Dan Bernstein
Bruce Schneier
Edward Snowden
Keith Alexander
Theo de Raadt
Even if every single one of those people were telling me to trust the software, I still wouldn't. Not without source.
Show me the source code. At first glance, I didn't see that option as available at the Wickr web site.
BTW stupid of Wickr to not obtain the wickr.com domain. I'll let people google for the real URL just to make my point.
And beyond source-code:
How do you shield your equipment? (tempest, also active attack)
How do you guard your equipment? (evil maid)
Real life is the triumph of convenience over security :(
There's also the wrench cryptanalysis discussed in xkcd.com/538. For most people the mouseover text nails it:
> Actual actual reality: nobody cares about his secrets.
Don't forget that lecturing the FBI comes after verification and documentation as well. If that was an FBI agent he probably concluded she was not a desired partner.
Your snarky and snide tone makes it seem like you think they never try to get people to implement backdoors or weaken implementations (for side-channels), and I'm sure that's not what you meant, right?
I would not view it as outside the realm of possibility.
If this was done to ascertain information about the company, and their willingness to participate in government surveillance, it is likely to be held "a thing of value" under such precedent (which explicitly holds that things with value in the broader senses of the word count under the statute)
As a pragmatic approach, it is unlikely you are going to find judges willing to let you slide on this kind of thing :)
That one says:
> We do not embrace the government's sweeping position that 18 U.S.C. 912 extends to anything that has value to the defendant. Such a broad reading of "value" negates any limitation the word could imply. By the same token, we cannot accept Sheker's suggestion that 18 U.S.C. 912 covers only things having commercial value. Information can be a thing of value. Whaley v. U. S., 324 F.2d 356 (9th Cir. 1963). In normal English usage commercial worth is not the exclusive measure of value. For instance, state secrets might trade hands without cash consideration. Information obtained for political advantage might have value apart from its worth in dollars. In each case the information sought would have value to others, in addition to the seeker. Such is the case here. Stokes would see value in keeping his whereabouts unknown to Sheker. The criminal justice system, concerned with the safety of witnesses, has a similar interest.
(In Whaley, Whaley impersonated an agent of the F.B.I. and got information which he later paid $9, if I interpreted it correctly. Thus the information definitely has commercial value. In Sheker, the judge extends that to value other than commercial value.)
The information sought here is "is Sell (or Sell's company) willing to provide a back-door to the FBI?" This is just after Sell stated publicly that the "service wouldn't have a backdoor for anyone."
I honestly can't tell if this is a "thing of value."
If the answer is "yes", then I think that's a thing of value. That information might be revealed later to embarrass or otherwise affect Sell's company.
If the answer is "no", then there's no value. The statement to the public is the same as the statement to the alleged impersonator.
Given the context, it seems very likely that most people would have expected Sell to say "no." Thus, the overall value is very low.
It can't be that asking a question where the answer isn't already 100% known is illegal. The judge says that the law doesn't '[extend] to anything that has value to the defendant'.
But I don't know how that line is drawn.
For example, if you look, the judge says "We do not embrace the government's sweeping position", but then in practice, did exactly this. They went to great pains to find some way to ascribe "value" to the location of another human being.
A police officer can ask questions of anyone, including "can I search this bag?" The legal theory is that an officer is also a citizen, and any citizen can ask that question, even of strangers.
Apparently the uniform and knowledge that it's a police officer isn't supposed to make people feel any extra obligation towards the officer, compared to a stranger.
But there has to be a limit to that, yes? Can the officer ask for money? Strangers do that.
Anyway, were I to judge this matter, I would say that if a person would reasonably give the same answer to a stranger as to an imposter, then there's nothing of value.
Yeah, and I'm sure as Sunday that most judges won't agree with me.