[Cryptography] eliminating manufacturer's ability to backdoor users

[RB]

On Sun, Feb 21, 2016 at 8:10 AM, Allen <allenpmd at gmail.com> wrote:
> 1. The open source model, which if properly implemented can help users audit
> the software being installed on their device.
>
> 2. Requiring software to be signed by an organization that resides entirely
> within a legal jurisdiction that does not allow secret government-ordered
> spyware while providing the signing organization with a way to audit the
> contents of the software.
>
> I have a third potential method:
>
> 3. Distribute updates completely anonymously: the device would not connect
> to the manufacturer's website and identify itself either by transmitting an
> id or connecting from a monitored ip address or connecting in a way that an
> identification tag can be inserted into the stream by a proxy device.
> Instead, the device would connect completely anonymously.  One method would
> be to allow signed updates to be distributed to mirrors all over the world,
> and allow users to pick their mirrors.  Another or additional step would be
> to allow users to connect and download updates from the mirrors using tor.
> In order for this to work however, the update software and the software that
> is installed would have to be forbidden from accessing any identifying
> information on the device, otherwise, the government might be able to force
> the manufacturer to deliver a spyware payload to all devices but only
> install or activate the spyware if the device matches an identity check;
> essentially, this would be a backdoor on all devices that the government
> could force to be activated on only targeted devices.

While thinking of purely technical solutions to these problems may be
an entertaining thought project, the answers produced are typically so
esoteric as to make them completely unworkable in the real world.

No company is going to fully give up their secret sauce, nor would
they ever grant utter authority over said secret sauce to a third
party (with its own security problems) unless legally compelled to,
under dubious authority.  Never mind the FCC forbidding open radio
hardware in these devices.  Android is not an open system, but its
partial openness serves to illustrate the utter proliferation of
hardware configurations that openness produces.  Try to imagine
implementing something like Apple's secure enclave (and appropriate
signing thereof) in the Android bazaar.  This eliminates your first
two.

Eliminating individual machine identification (however impossible)
would be roundly rejected by manufacturers for many reasons, perhaps
the strongest of which would be preventing counterfeiting and other
means of fraud.  It also damages devices' and OSes' supportability,
contravenes network standards, and frankly reduces the profitability
of building hardware.  Unique identification is nearly inevitable in
such a heavily commoditized and price-sensitive market.

Apple is fighting the right fight, on both technical and legal fronts.
There is no purely technical (or purely legal) solution to this
problem that will actually work in the real world.  Technical and
legal means must work hand-in-hand, supporting and balancing one
another.

I completely understand your (and others') enthusiasm for purely
technological solutions, and even share a lot of it.  Just please
don't make the mistaken assumption that we can correct (or even fully
account for) meat with code.