In light of the furore around the NSA and PRISM, a new report from the Citizen Lab is calling for a cutback in the use of backdoors when coding software.
In his report, titled “Shutting the Backdoor,” researcher Ron Deibert wrote national governments are increasingly turning to the private sector to watch their citizens’ movements online. Deibert, who heads the Citizen Lab at the University of Toronto, described how governments have been asking Facebook Inc., Microsoft Corp., Google Inc., and other major companies with stockpiles of consumer data to open backdoors in their technical systems.
While Deibert noted backdoors are usually “special methods of bypassing normal authentication procedures to secretly access computing systems,” he also extended that definition to incidents where the state asks for modifications to intrude on communications for security reasons. That includes lawful intercept mechanisms which are already coded into software, as well as under-the-radar “splitters” that fork copies of data streams to other destinations. It even includes any time the private sector informally shares data with security services.
While backdoors have been part of software for years, they’ve only really surfaced in the public consciousness thanks to Edward Snowden’s disclosures about the NSA and the PRISM program, Deibert notes. Not only have they kickstarted a slew of debates about individuals’ right to privacy, as well as about the possible misuse of power on the part of national governments, but they’ve also raised some questions of security, he writes.
“Building backdoors into devices and infrastructure may be useful to law enforcement and intelligence agencies, but it also provides a built-in vulnerability for those who would otherwise seek to exploit them and in doing so actually contributes to insecurity for the whole of society that depends on that infrastructure,” Deibert wrote.
By deliberately putting vulnerabilities into code, companies are actually opening up their systems to potential hackers. Plus, the longer backdoors are around, the more vulnerable they can become over time as attack capabilities improve and as more people become aware of them. Rather than inserting backdoors into code, the better approach would be to make systems as secure as possible, he wrote.
“Building insecurities into the communications infrastructure that surrounds us may be a shortcut for law enforcement and intelligence, but is it one worth making relative to the vulnerabilities that are created for all of society?” Deibert wrote in his report. “Those lawful access provisions that are still required should be infrequent and strictly controlled with rigorous oversight and public accountability provisions. Direct tapping of entire services wholesale should be eliminated.”
He added that better alternatives would be to build the best possible encryption systems and to bring about a general adoption of standards like “https by default” and “two factor authentication.” Open source software would also be an option, as an online security community could check to ensure companies haven’t secretly added special backdoor privileges to their programs.
Still, backdoors may not be as serious a concern as people have supposed, says G. Mark Hardy, president of the National Security Corporation. He has developed information security plans for four U.S. military commands, and he wrote the requirements for communication security encryption for one of its satellite programs.
Backdoors have been around about as long as software has been around, with many of them just being there for software developers to ensure their programs are running properly, Hardy says, adding he feels people are just starting to take notice now, though they didn’t seem to care much about that in the past.
“Backdoors by themselves aren’t necessarily bad or evil, but they do exist in many applications for either testing purposes or to be able to do ongoing verification that things are working correctly. The problem occurs when third parties access backdoors and the applications contain sensitive information, and now you, the consumer, are not aware of the fact,” he says.
“In my opinion, backdoors are not your biggest concern. The NSA doesn’t steal credit card numbers. The NSA doesn’t do identity theft and ruin your credit. Organized crime does. And organized crime, as well as other groups, actively seek exploits by which they can achieve financial gain.”
Hardy adds that in many cases, hackers gain access through programming errors, and not necessarily through backdoors. He adds he feels a lot of the news coming out of the NSA is really just rumours and speculation.
“I have not seen tangible evidence of backdoors being inserted into code by government agencies, but that is what the buzz is about,” he says.
While it’s almost impossible to write perfect code, completely free of errors, users need to keep their systems up-to-date, patch regularly, and avoid using free services where they can. Free services may not charge the user directly, but they may rely on a freemium model or push ads.
If security professionals do choose to use backdoors, they should only use well-known, published encryption algorithms that have been tried and tested, instead of proprietary algorithms, he says. For example, the Data Encryption Standard (DES) has been around for more than 30 years, with banks now using triple DES to transfer data.
Ultimately, Hardy says he feels citizens need to understand there is a need to protect national security.
“If there is a concern that the law is written more broadly than a citizen is comfortable with, there’s a way to address that. Contact your elected representative and ask for the law to be changed,” he says. “But be careful what you ask for, because the awareness of threats at a high level is not the same as the awareness of threats at the average citizen level.”
On the other side, in his report, Deibert calls for more oversight on backdoors and how they’re being used.
“Shutting the backdoor is … an urgent public policy matter for all liberal democratic countries. Rather than sacrifice cyberspace at the altar of security, law enforcement and intelligence agencies should be encouraged to develop alternative modes of data collection strictly within the framework of the rule of law,” he wrote.