Task Force Report's Language Hints At Backdoors In Software

from the but-of-course dept

After looking over the White House intelligence task force's proposals to reform the way the US government does surveillance, we pointed out one oddity that hinted that the NSA may have been engaged in financial manipulation. Others have been combing through the report for other hints of things it might accidentally reveal, and Ed Felten (who I still think should have led the task force) has spotted another one, in how the report discusses the issue of backdoors in software. He notes that the wording is odd in the following bit:

Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.

[Footnote: Any cryptographic algorithm can become exploitable if implemented incorrectly or used improperly.]

A quick read of that might suggest that the panel did not find out about such backdoors and that the NSA told them there were no such backdoors. But Felten notes that, especially given the NSA's almost pathological need to say things that appear to imply one thing, but which can be read to state the exact opposite, if the wording came from the NSA, it may be indicating the existence of backdoors of some kind.

Turning to the text, the most interesting feature is the difference between the first and second sentences, which have parallel structure but use different language. Here’s a chart laying out the differences:

| First sentence | Second sentence |
|---|---|
| unaware of any vulnerability | in vast majority … no vulnerability |
| vulnerability created by USG | [any vulnerability] |
| generally available commercial software | generally used, commercially available … software |
| [any software] | encryption software |
| puts users at risk of [non-USG exploit] | [exploitable by USG] or anyone else |
| decrypting data | unauthorized access |

This structure leaves open the possibility that there are vulnerabilities known to and exploitable by the US Government (USG). These might fall into several categories:

- vulnerabilities created by the USG that are exploitable only with the knowledge of a cryptographic key known only to the USG. An example would be the widely suspected backdoor in the NIST pseudorandom number generator standard.

- vulnerabilities created by the USG that allow access to data by means other than decryption, for example by allowing remote access to data at rest, or by causing copies of data to be sent to NSA collection points.

- vulnerabilities in software that is not generally available, such as internally developed software used by large companies to manage their data centers.

- vulnerabilities that are in non-encryption software and were not created by the USG. These would be outside the scope of both sentences.

He goes further to note that the lack of definitions around "generally available commercial software" and "generally used, commercially available... software" leaves open a world of unanswered questions.

One wonders how the people who chose those phrases would classify critical open source software such as Linux or OpenSSL. Are these “commercial software”? Even if not “commercial software”, are they “commercially available”? I can see two possibilities here. Perhaps this is imprecise drafting by the panel who might have intended to cover all of the relevant software but, being less familiar with the technical community, might have missed this nuance. Or perhaps this is one of the NSA’s word games, meant to leave a loophole.

Some will, undoubtedly, argue that this is all nitpicking, and we should take the report at face value. However, given that nearly every time the NSA has been asked to discuss various programs, it seems to carefully parse its words in exactly this manner -- to imply one thing, while really meaning the exact opposite -- it seems that the NSA has lost the benefit of the doubt here, and it's perfectly reasonable to raise questions about what is truly meant by certain claims.

Filed Under: backdoors, ed felten, encryption, nsa, software, task force