[Cryptography] TAO, NSA crypto backdoor program

Jerry Leichter leichter at lrw.com
Thu Jan 2 17:47:08 EST 2014


On Jan 2, 2014, at 8:16 AM, Phillip Hallam-Baker wrote:
> Looking through the 'mail order catalogue', are we sure that all these capabilities are actual capabilities rather than projects attempting to create them?
In almost all cases, they give prices and discuss availability.  There's enough detail in the descriptions that one can make a reasonably educated guess whether the approach would work - and I saw no examples that set off *my* bullshit detector.  It all seemed reasonable enough.  (As an example, people are making a great deal out of the assertion that they claim a 100% success rate against iOS devices.  What's getting forgotten is the date:  2008.  That would be iOS 2.  iOS 3 wasn't released until mid-2009.  But in fact there were jailbreaks available, providing full access to the phone, for all versions of iOS 3 - and even much later.  Apple didn't start to get serious about keeping jailbreakers out until iOS 6.  (It's actually my guess that Apple did this deliberately, as a form of market research:  Had really innovative apps that worked only on jailbroken phones emerged, and had such phones become popular, Apple could have simply announced that they would provide greater access for legitimate developers.  But in fact jailbreaking remained the province of a very small group of people who were really clever at breaking into iOS, but showed little creativity in developing apps people cared about.  Eventually Apple decided to work at locking things down better.  People still break in, but it's gotten harder and Apple pushes out fixes much faster.)

Anyway, the grand goal - achieved repeatedly all the way through iOS 6.1.2 - is an untethered exploit.  The NSA claim for 2008 required physical access to the phone - at best a tethered exploit.  Easy stuff, in 2008.

(This says absolutely nothing about what they can do to iOS today.  I expect they can break in with little trouble - certainly with physical access, probably through a Web page or some other network-based hack.  But none of that is related to the plausibility of the reported 2008 attack.)
 
> They have no limits in their ambitions to spend public money. Whether the results perform as advertised is another matter. Wouldn't the war on terror be over by now?
You have to separate the technical means from the political ends.  I have little doubt that TAO and associated organizations, which are concerned with technical means and measures, have been extremely successful at gaining access to pretty much everything, everywhere, all the time.  *They* aren't tasked with achieving the political ends of finishing off terrorists or whatever, so they shouldn't be measured on that basis.

BTW, this isn't an "I was just following orders" defense.  We can argue about whether creating these devices is illegal - I'd say certainly not - or immoral - to me, a gray area; espionage has been both condemned and attacked forever, often by the same people at almost the same time.  Producing tools of espionage is at least as gray.  The stuff in this catalogue at least is aimed at particular individuals, not bulk surveillance of entire populations.  (I would have much more serious qualms about those who built the mass surveillance frameworks.)
                                                        -- Jerry



