What It's Like When the FBI Asks You to Backdoor Your Software (opens in new tab)

(securitywatch.pcmag.com)

101 pointsjcc8012y ago31 comments

31 comments

What a missed opportunity. The proper response would have been to "take it under contemplation", get his name & ID, and get as much documentation of the request as possible (enough to verify, does this guy actually work for the FBI, or is it some random "jokester" of the kind that hangs out at security conferences).

As it stands, it's basically one level up from an urban myth. Some guy asked her to do something shady at a security conference, and it's easy for the FBI to claim they don't know anything about it.

diydsp12y ago

> Her lecture concluded, she proceeded to grill the agent. "I asked if he had official paperwork for me, if this was an official request, who his boss was," said Sell. "He backed down very quickly."

fiatmoney12y ago

"Backed down" in this context seems to mean "went away politely without answering any questions". Leading with verification and diatribing afterwards leaves you with some documentation, or a strong implication that they're a troll. She just went in the wrong order, which is honestly understandable but leaves us with an unverifiable story.

2 more replies

GigabyteCoin12y ago

Sounds more like a marketing sham than a real FBI encounter to me.

Really? The FBI agent approached her and started talking to her before she had even removed her mic? And everybody (including the agent) heard?

Let me guess, she vehemently denied the offer? (I'll admit I didn't even bother to read past the second paragraph of this "article".)

I don't think so...

Patient012y ago

Yeah it reads like a PR puff piece. I am sure that is what it is. It follows the template described in http://www.paulgraham.com/submarine.html.

ds912y ago

I agree. A real FBI agent would have handed her a letter imposing a legal obligation to keep silent about the conversation, and she would be in jail now. In the alternative, it was a social engineering attack, and we're supposed to admire how they didn't fall for it.

More to the point, if it's possible for her company to compromise customers' communications unilaterally, then the service is insecure, regardless of what promises they make or what type of encryption they (claim to) use.

ediblenergy12y ago

'in addition to employing who Sell calls the "best crypto people," Sell said that individual messages are bound to their intended device. "Even in 20 years or 100 years, if the NSA miraculously breaks these [encryption] equations, they still wouldn't be able to read these messages."' uhh, right. And of course this awesome uncrackable crypto relies on private keys stored on teenagers iphones.

TwoBit12y ago

Or possibly that agent wasn't really an FBI agent but rather was somebody who wanted to test them.

elliotanderson12y ago

Bit of a risk, considering that impersonating a federal employee is a felony.

dalke12y ago

Impersonating a federal employee, as itself, is not a felony. Otherwise David Duchovny should have been arrested for impersonating an FBI agent in The X-Files and John Ratzenberger for impersonating a postal service employee in Cheers.

The law is in 18 U.S. Code sec. 912: Officer or employee of the United States:

> Whoever falsely assumes or pretends to be an officer or employee acting under the authority of the United States or any department, agency or officer thereof, and acts as such, or in such pretended character demands or obtains any money, paper, document, or thing of value, shall be fined under this title or imprisoned not more than three years, or both.

That is, 1) impersonating a federal employee, and 2) using that impersonation to get or demand something of value.

This account does not have the person actually getting information, nor demanding access, so does not appear to be felonious.

For example, suppose it was private citizen X impersonating an FBI agent to test Sell's resolve. The query was "if she'd be willing to install a backdoor into Wickr that would allow the FBI to retrieve information", not if citizen X (impersonating an FBI agent) can get that information.

That doesn't seem to be illegal according to the impersonation law.

1 more reply

fiatmoney12y ago

So is unauthorized access to a protected computer, yet a lot of that goes on at security conferences too.

1 more reply

lostcolony12y ago

"What it's like when the FBI asks you to backdoor your software" : You say 'No' in the most emphatic terms while giving him a dressing down like a boss, apparently.

vaadu12y ago

My guess is that shortly thereafter her tax and investment records were getting a good going over by the DOJ and IRS.

http://www.businessinsider.com/the-story-of-joseph-nacchio-a...

PhantomGremlin12y ago

I don't trust any of them. Period. It makes absolutely no sense to trust any of them. Not when peoples lives are at stake.

At this point, if I wanted to use my phone for any truly critical communication (e.g. like in middle eastern countries where lives are literally at stake), I'd only use open source software.

You could start a company that had the all of following people as founders:

  Ron Rivest
  Adi Shamir
  Leonard Adleman
  Phil Zimmermann
  Whitfield Diffie
  Martin Hellman
  Dan Bernstein
  Bruce Schneier
  Edward Snowden
  Keith Alexander
  Theo de Raadt

Even if every single one of those people were telling me to trust the software, I still wouldn't. Not without source.

Show me the source code. At first glance, I didn't see that option as available at the Wickr web site.

BTW stupid of Wickr to not obtain the wickr.com domain. I'll let people google for the real URL just to make my point.

willvarfar12y ago

How do you compile your code? (Thompson reflections on trusting trust)

And beyond source-code:

How do you shield your equipment? (tempest, also active attack)

How do you guard your equipment? (evil maid)

Real life is the triumph of convenience over security :(

PhantomGremlin12y ago

Convenience is exactly what I use in my real life. My texting security is whatever Apple implements in iMessage. I'd be a lot more paranoid if I were a "smuggler" or "revolutionary".

There's also the wrench cryptanalysis discussed in xkcd.com/538. For most people the mouseover text nails it:

  Actual actual reality: nobody cares about his secrets.

ds912y ago

The fact that you can't have complete security is not an argument for abdicating the effort, nor a valid criticism of anything that moves in the right direction. At least you can get to a better position in terms of (a) lower probability of compromise and (b) imposing more time and expense on the adversary.

FrankBooth12y ago

Sounds like a publicity stunt or a hoax.

lawnchair_larry12y ago

It doesn't sound like that to anyone who has worked in security. This is their routine MO.

FrankBooth12y ago

Right, that explains why we hear about this exact scenario playing out all the time... oh wait.

2 more replies

coldcode12y ago

Even if this story were true (which I have no way to verify) all it takes is an NSL, or for that matter a visit in the middle of the night to you and your family with lots of guns, and suddenly your business plan changes.

tedmcory12y ago

Never talk to cops. The end.

j / k navigate · click thread line to collapse

31 comments

fiatmoney12y ago

As it stands, it's basically one level up from an urban myth. Some guy asked her to do something shady at a security conference, and it's easy for the FBI to claim they don't know anything about it.

diydsp12y ago

> Her lecture concluded, she proceeded to grill the agent. "I asked if he had official paperwork for me, if this was an official request, who his boss was," said Sell. "He backed down very quickly."

fiatmoney12y ago

2 more replies

GigabyteCoin12y ago

Sounds more like a marketing sham than a real FBI encounter to me.

Really? The FBI agent approached her and started talking to her before she had even removed her mic? And everybody (including the agent) heard?

Let me guess, she vehemently denied the offer? (I'll admit I didn't even bother to read past the second paragraph of this "article".)

I don't think so...

Patient012y ago

Yeah it reads like a PR puff piece. I am sure that is what it is. It follows the template described in http://www.paulgraham.com/submarine.html.

ds912y ago

ediblenergy12y ago

TwoBit12y ago

Or possibly that agent wasn't really an FBI agent but rather was somebody who wanted to test them.

elliotanderson12y ago

Bit of a risk, considering that impersonating a federal employee is a felony.

dalke12y ago

The law is in 18 U.S. Code sec. 912: Officer or employee of the United States:

That is, 1) impersonating a federal employee, and 2) using that impersonation to get or demand something of value.

This account does not have the person actually getting information, nor demanding access, so does not appear to be felonious.

That doesn't seem to be illegal according to the impersonation law.

1 more reply

fiatmoney12y ago

So is unauthorized access to a protected computer, yet a lot of that goes on at security conferences too.

1 more reply

lostcolony12y ago

"What it's like when the FBI asks you to backdoor your software" : You say 'No' in the most emphatic terms while giving him a dressing down like a boss, apparently.

vaadu12y ago

My guess is that shortly thereafter her tax and investment records were getting a good going over by the DOJ and IRS.

http://www.businessinsider.com/the-story-of-joseph-nacchio-a...

PhantomGremlin12y ago

I don't trust any of them. Period. It makes absolutely no sense to trust any of them. Not when peoples lives are at stake.

At this point, if I wanted to use my phone for any truly critical communication (e.g. like in middle eastern countries where lives are literally at stake), I'd only use open source software.

You could start a company that had the all of following people as founders:

  Ron Rivest
  Adi Shamir
  Leonard Adleman
  Phil Zimmermann
  Whitfield Diffie
  Martin Hellman
  Dan Bernstein
  Bruce Schneier
  Edward Snowden
  Keith Alexander
  Theo de Raadt

Even if every single one of those people were telling me to trust the software, I still wouldn't. Not without source.

Show me the source code. At first glance, I didn't see that option as available at the Wickr web site.

BTW stupid of Wickr to not obtain the wickr.com domain. I'll let people google for the real URL just to make my point.

willvarfar12y ago

How do you compile your code? (Thompson reflections on trusting trust)

And beyond source-code:

How do you shield your equipment? (tempest, also active attack)

How do you guard your equipment? (evil maid)

Real life is the triumph of convenience over security :(

PhantomGremlin12y ago

Convenience is exactly what I use in my real life. My texting security is whatever Apple implements in iMessage. I'd be a lot more paranoid if I were a "smuggler" or "revolutionary".

There's also the wrench cryptanalysis discussed in xkcd.com/538. For most people the mouseover text nails it:

  Actual actual reality: nobody cares about his secrets.

ds912y ago

FrankBooth12y ago

Sounds like a publicity stunt or a hoax.

lawnchair_larry12y ago

It doesn't sound like that to anyone who has worked in security. This is their routine MO.

FrankBooth12y ago

Right, that explains why we hear about this exact scenario playing out all the time... oh wait.

2 more replies

coldcode12y ago

tedmcory12y ago

Never talk to cops. The end.

j / k navigate · click thread line to collapse