Coffeehouse Thread

17 posts

UK.Gov wants Backdoor in Vista

  • Badgerguy

    According to a BBC Article here, our government here in the UK is in talks with Microsoft over the possibility of putting a backdoor in Windows Vista to allow the authorities to circumvent the hard drive encryption technologies that will be in Windows Vista.

    This seems a little familiar - I remember the 'Key Escrow' problem from a few years ago, although I'm sketchy on the details of that.

    The article mentions nothing of any response from Microsoft on this - hence I'm posting here.

    I think we need to know very much in advance, and in very clear terms what Microsoft's stance is on this.  I'm fairly sure that any attempt to put a backdoor in Windows would NOT go down very well.

  • koorb

    Kind of makes it difficult to catch paedophiles if they are all using encrypted hard drives.

  • Tom Servo

    What's the point in a backdoor, if it'll be a known fact that will make criminals use alternative disk encryption solutions? gg nextmap.

  • sbc

    If the government can get in, then it would be no problem for others (skilled crackers, or even 'script kiddies' when someone writes a tool to do it) to do the same. If there is a backdoor, people will find it.

  • ScanIAm

    koorb wrote:
    Kind of makes it difficult to catch paedophiles if they are all using encrypted hard drives.


    Paedophiles use transportation, so we'd better lock up all forms of transportation.

    Paedophiles eat food, so we'd better ban all food.

    Paedophiles breathe air....

    Here's an idea:  Catch paedophiles without screwing the rest of us out of the ability to encrypt private data.

  • Maurits
  • Mike Dimmick

    Love the bad journalism in that article:

    BBC News wrote:
    The system uses BitLocker Drive Encryption through a chip called TPM (Trusted Platform Module) in the computer's motherboard.

    It is partly aimed at preventing people from downloading unlicensed films or media.



    It has nothing at all to do with that. If the supplied software checked the contents of all media against some MPAA database before playing (possible) then users would download other software which didn't. There's no need for a TPM to do this, except that it could be used as a key to identify the user checking it.

    BBC News wrote:
    The committee heard that suspects could claim to have lost their encryption key - although juries could decide to let this count this against them in the same way as refusing to answer questions in a police interview.


    The TPM stores the key. Presumably the system can be configured so that a password, or other token, is required to release the key for decryption.

    BBC News wrote:
    Critics say the companies behind most trusted computing want to use digital rights management to ensure users cannot use programs they have not approved.


    Not this old line again. Yes, it would be possible to do this, but it would produce a system on which you couldn't run older code. Microsoft isn't in the business of requiring all new code - they're normally criticised for bending over backwards to maintain backward compatibility. Again, it wouldn't require a TPM - this can be done today with an OS which verified digital signatures on all code before launching it. Microsoft already has one - Windows Mobile for Smartphone can be configured in such a way that all code must be signed in order to run. Some phone networks are using this feature.

  • lars

    If I understand the situation correctly it’s already a crime in the UK to refuse to hand over your crypto keys or passwords when told to do so by the police. It’s basically a question if you have the right to keep secrets.

    Cryptography with backdoors, no matter who holds the keys, is pointless. Not that such an arrangement would be revolutionary. *cough*nsa_key*cough* Cool

  • Karim

    Badgerguy wrote:
    According to a BBC Article here, our government here in the UK is in talks with Microsoft over the possibility of putting a backdoor in Windows Vista to allow the authorities to circumvent the hard drive encryption technologies that will be in Windows Vista.

    This seems a little familiar - I remember the 'Key Escrow' problem from a few years ago, although I'm sketchy on the details of that.

    The article mentions nothing of any response from Microsoft on this - hence I'm posting here.

    I think we need to know very much in advance, and in very clear terms what Microsoft's stance is on this.  I'm fairly sure that any attempt to put a backdoor in Windows would NOT go down very well.


    Am I just cynical, or does it escape most people the Trusted Computing Group will make things easier for law enforcement?

    Does no one find it a little strange that Vista is just about feature-complete, coming out later this year, and now Governments are saying They need to make some low-level, fundamental changes in the way Vista works?  The house is almost done, Microsoft is picking out bathroom fixtures and shades of paint, and the Government wants a hole drilled in the foundation?

    You know how this story will play out already.  You do.  The Government will say they need a backdoor, Microsoft will take the high road and say, "No we can't do that, that would be wrong, we believe in privacy, freedom, the American Way," etc. etc.  Cue the flag-waving Wagg-Ed Press Release.  Rah-rah Microsoft standing up to The Man, rah-rah Privacy.  Woo yay.

    There it will stalemate, and then everyone loses interest.  Cue next controversy.

    The "backdoor" story is so much Steve Gibsonesque smoke-and-mirrors designed to distract you from the real story, which is: They don't need a backdoor. 

    All They need is the TPM chip.  Which presumably They have when They have the hard disk.

    Ideally, there should be no way for the TPM or its software components to be subverted, and with the exception of physical attacks against the TPM (a possibility acknowledged by the TCG), this is largely the case.

    ...

    The TCG condemns abuses of the TPM, and we believe the people in the working groups are well-meaning individuals. We certainly wouldn't blame the TCG for outsiders' misuse of its work, but the group's position is that such abuse is beyond the scope of its charter.

    ...

    Protected data can't be extracted from the TPM. This one has a grain of truth. The TPM makes extracting protected information much more difficult, and the TCG encourages, but doesn't require, hardware protection mechanisms for the TPM.  The TPM specification requires that a TPM be capable of passing FIPS-140-2, but if your organization needs active hardware protection mechanisms, look for a TPM that has passed the appropriate FIPS-140-2 certification.

    (from http://www.networkingpipeline.com/security/showArticle.jhtml?articleId=60404783)

    Do you know what FIPS-140-2 specifies?  "Tamper evident physical security or pick resistant locks."  Not tamper-resistant -- that's FIPS 140 Level 3 -- but tamper-evident.  Meaning a thin, easily-broken piece of plastic reading "Please do not remove."

    The same piece of plastic They're going to rip off right before They suck your Trusted Root Key off your TPM chip.  Big Smile

    Still, Microsoft notes that a skilled person can attack the TPM from hardware. Thus, someone who steals a laptop might be able to use the PC equivalent of a video game console mod chip to bypass the TPM protections and recover data. The hardware necessary for this attack is inexpensive, but the skill and time required are fairly great. It may therefore be the case that TPM-based file or disk encryption will provide adequate protection for laptops against opportunistic or non-targeted attack. As even the Trusted Computing Group acknowledges, the TPM is not intended to protect against a skilled hardware attacker. If hardware attacks against the TPM become cheap and readily available, the kind of protection TPM-based trusted computing offers to a stolen laptop -- or a colocated machine with sensitive data -- may appear increasingly inadequate. In Microsoft's view, it is still likely strong enough to deter casual thieves from getting at sensitive information, because they are not likely to try to make sophisticated attempts to break a stolen system's security policy. On the other hand, law enforcement agents or corporate spies might well develop automated means of defeating this kind of security.

    (from http://www.eff.org/deeplinks/archives/003804.php)

    "Might well develop."  Heh.

    So yeah, while everyone gets worked up into a lather about Governments requesting "backdoors,"  and the villagers angrily wave their pitchforks and torches at the Castle until the "threat" goes away, no one mentions all your new computers have TPM chips, and no one is telling you, all your base belong to Them, we've all already been 0wned. 

  • ScanIAm

    It's kind of funny.  On most sites, discussions usually degrade once someone mentions H!tler.  On C9, it's Steve Gibson.

    I'll be encrypting my important data, anyway.

  • W3bbo

    ScanIAm wrote:
    I'll be encrypting my important data, anyway.


    Using PGP6 no-doubt.

  • pwzeus

    Anyone read Digital Fortress?

    Kinda reminds me of that Big Smile

  • Badgerguy

    Karim wrote:

    You know how this story will play out already.  You do.  The Government will say they need a backdoor, Microsoft will take the high road and say, "No we can't do that, that would be wrong, we believe in privacy, freedom, the American Way," etc. etc.  Cue the flag-waving Wagg-Ed Press Release.  Rah-rah Microsoft standing up to The Man, rah-rah Privacy.  Woo yay.


    You're probably right - I very much hope you are, but that doesn't mean we quietly let this story pass and all look like we don't care about our privacy and security.

    It's only through kicking up a fuss, shouting about it and generally making noise that the higher powers understand what we think!

    We need to make sure it is understood that backdoors are a BAD idea.

  • W3bbo

    Badgerguy wrote:
    It's only through kicking up a fuss, shouting about it and generally making noise that the higher powers understand what we think!

    We need to make sure it is understood that backdoors are a BAD idea.


    It's like dealing with the **AA, we're in the minority and we're in the know. Those two things are bad since the powers-that-be might portray us as some kind of 'conspiracy nuts' (or in the **AA's case "pirates and terrorists!")

    Actually, all of a sudden it doesn't seem so out-wordly to imagine our government labelling all of those who value their privacy over "national security".

  • ScanIAm

    W3bbo wrote:
    ScanIAm wrote: I'll be encrypting my important data, anyway.


    Using PGP6 no-doubt.


    Nope, ROT-14 Smiley

  • brian.shapiro

    Well, badgerguy (african snake), the UK government would not be able to do more than they would now, which is look at your disk if it's in their custody. It's just that Vista will have an option to encrypt your disk for you, and the UK wants a backdoor to allow their law enforcement to get past this to do what they can do right now. This would not really be an added intrusion by the government, so I wouldn't worry about that. Though I think it's a bad idea to put in a back door.

  • Stephen

    lars wrote:
    If I understand the situation correctly it’s already a crime in the UK to refuse to hand over your crypto keys or passwords when told to do so by the police. It’s basically a question if you have the right to keep secrets.

    Cryptography with backdoors, no matter who holds the keys, is pointless. Not that such an arrangement would be revolutionary. *cough*nsa_key*cough*


    "I refuse to on the grounds of self incrimination (The 5th)"

    Honestly if I am that screwed I won't give them the keys to make my *ss owned for 'x' amount of extra years as a guest of Her Maj'
