>criminal empires

True, you can’t stop math but you can try to police it. You can regulate consumer access. Doing so means one less “gone dark” area, which makes LE job easier.

>security exploits

To your point about low level criminals: Now that the cat is out of the bag, yes, surveillance worked way better when people didn’t know about it. Yes, more sophisticated criminals will try to employ their own encryption. If I were in LE or the IC, I’d still rather not deal with the oceans of data produced by essentially unbreakable encryption via big tech. Will address point about uncapped value to an encryption exploit below.

>Snowden-style leak

Yes, which is why it is imperative to continually improve and audit such systems, including maybe removing such single points of failure as you noted, both from an insider threat perspective as well as from exploit discovery processes. It would be helpful to consider how to build recoverable encryption in a way that minimizes the risks of the existence of the exceptional access mechanism, from all angles: technical, social, etc

Can you join me on a journey to build this hypothetical world to figure out how this addresses the Snowden leak?
Let's imagine a world where every single server had a registered backdoor key. This key also isn't the key itself. No, we're smart. It's instead used to sign one-time use, timestamped keys that give you access. We assume all these servers are also somehow always running the latest version of the software to implement the backdoor to address any exploits that may have been discovered.
We control access to this carefully so that you can only request a code & this is validated by all kinds of bureaucratic controls that are never violated for expediency & no mistakes ever needed. Also the system handing out codes itself doesn't even have the keys. It has a temporary key that can't generate valid signatures past its expiration. To regenerate, we go into a fortified secure vault that is air-gapped. This air-gapped system is used to generate a new key, burning it onto a CD-ROM. So your admin has to, on a monthly basis, go into the vault to generate some secret that can be used to continue backdoor access.
Now imagine your admin going into the vault on a monthly basis with a CD-ROM drive that gets burned is Snowden. You've now stolen the root keys for every machine out there.
Let's also remember a few things that are elided for this hypothetical world we've built.

1. I may have gotten some details wrong here, but this is really close to how OS updates are handled by Google & Apple. This is treated as one of the most secure ways to do software deployment at scale (we're not talking about one-off carefully controlled & vetted backdoors, which are a wholly different problem).
2. Software deployment is hard. There's no world in which you will instantly deploy a security fix to your backdoor code. Some machines don't have good uptimes & others can be mostly invisible to the internet. Mobile operating systems are different as Google & Apple dictate the HW design. Google has struggled here more pulling vendors along to do the good security things. Are you proposing we standardize on Apple hardware for everything?
3. If you have the ability to deploy code to any random machine, that deployment mechanism is a target in and of itself. Since every US machine has to implement it in this hypothetical world, this is an attractive exploit. It's easier to secure but now the value of compromising it has increased exponentially. We haven't heard of any exploits of this but given the value already (& exponentially more if we're talking about every single system in the US), we're looking at threat actors with ridiculously deep bank accounts & access to technical expertise.
4. Timestamps are hard. You're talking about every single machine in the world. There's plenty running the wrong time. So someone changing the clock breaks your ability to backdoor (unless you ignore timestamps, but then your keys you're generating are reusable on that website at least).
5. Key rotation & management is insanely hard. You're talking about every machine in the US. Even every server. Mistakes will happen at this scale so your backdoor either won't work (best case) or you'll have unintended compromises (or likely both).
6. Complexity & security are diametrically opposed. The more complexity you add the less secure you are. Modern machines are already ridiculously complex.
7. Everyone outside of the US (including US companies that have servers abroad) will not implement the backdoors. But may implement the backdoors the other nation states will force them to adopt. Sure, it's great if you're the US forcing your way to gain advantage over other countries. How do you keep these systems segmented so that a backdoor from another country doesn't give you access to the US? Moreover, let's say the US implements an impenetrable system. Do you think other countries will care to do the same? Does the US share our tech with them at the risk of making it even easier to find flaws? Also how do we manage distribution of such software when there's a flaw?
No amount of advice to "invent better math" solves the fact that this isn't a technical problem. No amount of "build things better" solves the fact that software engineering is hard & we have 0 examples, even in "big tech" which invests billions here annually, of building truly secure systems that are actively trying to prevent any backdoor/exploit. Above all else, you're proposing a single point of failure for the entire US economy. You can use this to conduct industrial espionage at an even larger & easier scale than happens today or to take down critical infrastructure in a time of conflict.
Is there something I missed in my analysis? What part can we "do better" on that doesn't result in exposing a significant vulnerability?
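
Point 4 of the comment above (timestamps), as an added example that is not part of the original post: a server validating a one-time, timestamped token either rejects a valid token when its clock is wrong or, if it ignores timestamps, accepts an old token again once its nonce cache is gone. The key, lifetime, token layout and names are constructed for illustration, and HMAC stands in for the public-key signature of the hypothetical.

```python
import hashlib
import hmac
import json

# Constructed values. HMAC stands in for the public-key signature of the
# hypothetical so the example needs only the standard library.
DELEGATE_KEY = b"constructed-delegate-key"
TOKEN_LIFETIME = 300  # seconds a token stays valid (assumed)

def sign(body):
    return hmac.new(DELEGATE_KEY, body, hashlib.sha256).hexdigest()

def issue_token(server_id, issued_at, nonce):
    claims = {"server": server_id, "iat": issued_at, "nonce": nonce}
    body = json.dumps(claims, sort_keys=True).encode()
    return body, sign(body)

class Server:
    def __init__(self, clock_offset=0, check_time=True):
        self.clock_offset = clock_offset  # seconds the local clock is wrong by
        self.check_time = check_time      # False models "ignore timestamps"
        self.seen = set()                 # in-memory nonce cache, lost on restart

    def accept(self, token, true_now):
        body, tag = token
        if not hmac.compare_digest(sign(body), tag):
            return "bad-signature"
        claims = json.loads(body)
        age = (true_now + self.clock_offset) - claims["iat"]
        if self.check_time and not 0 <= age <= TOKEN_LIFETIME:
            return "outside-validity-window"
        if claims["nonce"] in self.seen:
            return "replayed"
        self.seen.add(claims["nonce"])
        return "accepted"

def demo():
    t0, month = 1_700_000_000, 30 * 24 * 3600  # constructed issue time
    token = issue_token("srv-1", t0, "n-001")
    synced = Server()
    return {
        "synced": synced.accept(token, t0 + 10),
        "replay": synced.accept(token, t0 + 20),
        "clock_2h_slow": Server(clock_offset=-7200).accept(token, t0 + 10),
        "no_time_check": Server(check_time=False).accept(token, t0 + month),
        "after_restart": Server(check_time=False).accept(token, t0 + 2 * month),
    }
```
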