(Editor's Note :. The following is a guest blog by Julian Sanchez, Senior Fellow at 'Cato Institute It appeared originally on the site Cato Institute, February 20, 2015. the Cato Institute is a research organization on public policy - a think tank - dedicated to the principles of individual liberty, limited government, markets free and peace)
Julian Sanchez
senior Fellow Cato Institute
a the Intercept success story revealed Thursday that a joint team of pirates of the national security Agency and its British counterpart, the Government communications Headquarters (GCHQ), broke into the systems of one of the largest manufacturers SIM mobile phone card world to steal the encryption keys that provide wireless communications for hundreds of mobile carriers- including companies like AT & T, T-Mobile, Verizon and Sprint. To perform the heist, agencies, employees of the Dutch company Gemalto target, scouring emails and Facebook messages to obtain information that would allow them to undermine the SIM card manufacturer networks to surreptitious copies of keys before they are transmitted to the carriers. Many aspects of this should be extremely disturbing
First, this is a concrete reminder that, as the former director of the NSA recently recognized Michael Hayden, intelligence agencies do not spy on "bad people". they spy "interesting people." In this case, they spied extensively on respectful technicians of the law employed by a foreign company law abiding and hacked this company in apparent violation of Dutch law. We know that it was at hardly a single case a pirate, NSA touted in released documents Snowden there nearly a year on "sysadmins hunting", but it seems particularly poetic in the wake of the recent Sony hack, properly condemned by the US government. Dutch lawmakers named in the story are outraged, and they should be. citizens and companies in allied countries, engaged in any peaceful private fault, should not have to fear that the United States trying to break into their computers .
Second, the indiscriminate theft of mobile encryption keys bypasses one of the few checks on government surveillance allowing eavesdropping without the help of mobile phone operators. The typical pattern of wiretapping, the government has the support with some form of law specifying accounts or process lines are targeted for surveillance and the company then provides these communications to the government. As European telecommunications operator Vodafone leaked last summer, however, some governments insist on giving "direct access" to the flow of communication so that they can conduct their wiretapping without going through the carrier. The latter architecture, of course, is much more likely to abuse because it removes the non-governmental layer of truly independent review of the collection process. A spy agency who wanted to abuse his power under the old model by conducting wiretaps without lawful authority or invent pretexts to target political opponents, would at least have to fear that lawyers or technicians the telecommunications operator can detect something wrong. But any armed entity mobile encryption keys effectively has direct access: they can aspire cellular signals from the air and listen to all or part of the calls they intercept, subject only to internal controls or guarantees
There. are, to be sure, times when going to the door of the target legal process is not a viable option, because the company is outside the jurisdiction of the United States or our allies. Stealing bulk phone keys is definitely a much easier solution to this problem that the development of strategies tailored to interception is the specific target or specific uncooperative foreign carriers. Unfortunately, the most practical solution in this case is also a solution that gives the United States (or at least the intelligence community) a direct interest in the systematic uncertainty of the global communications infrastructure. We hear a lot lately about the value of sharing for information Cybersecurity: Well, here's a case where the NSA had information that US citizens and technology enterprises rely on to protect their communications was not only vulnerable, but had actually compromised. Their mission is supposed to be to help us secure our networks, but communications have chosen the easy solution to the problem of driving cellular telephone tapping, institutional incentives should do exactly the opposite.
Finally, it is a demonstration that the proposals to require telecommunications providers and device manufacturers to build law enforcement backdoors in their products is a terrible, terrible idea. As security experts have rightly insisted throughout, forcing companies to keep a key repository to unlock these backdoors makes the key repository itself a target of choice for the most sophisticated attackers as NSA and GCHQ. It would be both arrogant and reckless in the extreme to assume that only "good" attackers will be successful in these efforts
About the author :.
Julian Sanchez examines issues at the busy intersection of technology, privacy and civil liberties, with special emphasis on national security and intelligence monitoring. In addition to his work as a Senior Fellow at the Cato Institute, is the founding editor of the political blog Just security and contributing editor for Reason magazine. You can follow him on Twitter at @normative
0 Komentar