Ozzie Ozzie Ozzie, oi oi oi! Tech zillionaire Ray's backdoor crypto for the Feds is Clipper chip v2

Lotus Notes man has a plan... and a patent

Analysis Those who cannot remember the past are condemned to repeat it, particularly if forgetfulness promises profit.

Ray Ozzie, former CTO of Microsoft and the designer of Lotus Notes, is old enough to recall the battle over the Clipper chip, an ill-fated NSA-backed effort from 1993 through 1996 to require a US-government-accessible backdoor in telecom devices.

Nonetheless, he has revisited that debate with a key escrow (a.k.a. key surrender) proposal – and a related patent – in which the authorities would hold the encryption keys necessary to access everyone else's encrypted mobile device data.

Crypto-gurus: Which idiots told the FBI that Feds-only backdoors in encryption are possible?


Despite the Clipper chip's inglorious end – it was sunk by technical flaws and political pushback – the idea never died. Authorities still want their private backdoor, even though longstanding technical impediments have yet to be resolved.

In recent years, demand for this magical portal has grown as cryptography improvements – prompted by the 2013 Edward Snowden-driven data dump about the scope of NSA spying – have made their way into commercial products and services.

The most widely publicized consequence of the tech industry's rush to encrypt everything was the FBI's brief inability to access a locked iPhone used by Syed Rizwan Farook during a 2015 mass shooting that killed 14 people. The US Justice Department demanded Apple's help unlocking the encrypted device, only to later back off because it was apparently able to gain access with the help of Cellebrite, an Israeli mobile forensics firm.

It turns out the answer to encryption is that imperfect people make imperfect technical systems and those flaws, sooner or later, can be exploited.

In law enforcement circles, later isn't always acceptable and therein lies the problem. FBI director Christopher Wray earlier this year said in 2017, the FBI was unable to access almost 7,800 locked and encrypted devices despite having the legal authority to do so. He called this "an urgent public safety issue for all of us."

Wray's predecessor, James Comey, said as much, though there are reports suggesting that the risks posed by encryption are exaggerated.

Ray of hope

Evidently seduced by the siren song of law enforcement officials lamenting the challenges of cracking today's phones, Ozzie has proposed a scheme to reconcile two seemingly incompatible goals: creating a secure data storage mechanism that can be insecure on demand.

His system sounds a lot like the Clipper chip, because it is: "...Ozzie’s proposal is a straightforward example of key escrow – a proposal that people have been making in various guises for many years," said Matthew Green, a computer science professor and cryptographer at Johns Hopkins University in the US, in a blog post published Thursday.

It also calls for a security chip that effectively bricks the device when activated by law enforcement, to prevent evidence tampering.

Green and a handful of other prominent security experts and cryptographers have weighed in on Ozzie's proposal and found it wanting, though with obvious deference to Ozzie's long history of technical accomplishment.

Green's assessment is that Ozzie's scheme won't work. He notes that Apple has tried to design the sort of secure processor that Ozzie's proposal would require and hasn't managed to do so after five years and considerable resources.

Or as Green put it on Twitter: "When you’re proposing a system that will affect the security of a billion Apple devices, and your proposal says 'assume a lock nobody can break,' you’d better have some plan for building such a lock."

Keys left under the doormat

Green was among the many prominent computer scientists who coauthored a 2015 report on the subject, "Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications."

That report concluded that law enforcement demands for exceptional access will make systems more insecure, imperil innovation, and pose problems for human rights.

Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society, made similar arguments.

Columbia University computer science professor Steve Bellovin also took issue with Ozzie's plan. He points out that flaws have already been identified and that the need for international coordination of key access makes the scheme implausible.

Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea


Robert Graham, CEO of Errata Security, said Ozzie's proposal doesn't bring anything new to the discussion. "He's only solving the part we already know how to solve," he explained in a blog post. "He's deliberately ignoring the stuff we don't know how to solve. We know how to make backdoors, we just don't know how to secure them."

In his own Twitter feed, Ozzie (estimated net worth: $650m) engaged in the debate, and in one instance touched on what's arguably the most important aspect of the controversy: "Is the phone just a locked file cabinet, or is it a core extension of our minds?"

From a legal standpoint, the distinction is important: authorities can demand access to one, but not the other (yet). The Feds can demand what's in a cabinet, but your thoughts in your brain are off limits.

Given what phone data says about our thoughts, our intentions and our activities, it's just not the same as ideas deliberately put to paper. It's a surveillance selfie of the mind.

And if we're obligated to produce that information on demand, we might as well just get rid of the Fifth Amendment protection against self-incrimination. ®

Other stories you might like

  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Telegram adds paid tier as it cracks 700 million users
    Without so much as a mention of encryption, but with a pastel-hued emoji-heavy nod to ‘sustainable monetization’

    Messaging app Telegram, which came to prominence for offering end-to-end encryption that irritated governments, has celebrated passing 700 million active monthly users with a pastel-hued announcement: a paid Premium tier of service.

    A Sunday post celebrates the 700 million user milestone by announcing a $4.99/month tier. The Premium tier distinguishes itself from the freebie plebeian tier with the ability to upload 4GB files, unthrottled downloads that come as fast as users' carriers will allow, and the chance to follow up to 1000 channels, create up to 20 chat folders each containing up to 200 chats, and to run four accounts in the Telegram app.

    Paying punters will also get exclusive stickers and reactions and won't see ads once they sign up to hand over coin each month.

    Continue reading
  • Former chip research professor jailed for not disclosing Chinese patents
    This is how Beijing illegally accesses US tech, say Feds

    The former director of the University of Arkansas’ High Density Electronics Center, a research facility that specialises in electronic packaging and multichip technology, has been jailed for a year for failing to disclose Chinese patents for his inventions.

    Professor Simon Saw-Teong Ang was in 2020 indicted for wire fraud and passport fraud, with the charges arising from what the US Department of Justice described as a failure to disclose “ties to companies and institutions in China” to the University of Arkansas or to the US government agencies for which the High Density Electronics Center conducted research under contract.

    At the time of the indictment, then assistant attorney general for national security John C. Demers described Ang’s actions as “a hallmark of the China’s targeting of research and academic collaborations within the United States in order to obtain U.S. technology illegally.” The DoJ statement about the indictment said Ang’s actions had negatively impacted NASA and the US Air Force.

    Continue reading
  • Protecting data now as the quantum era approaches
    Startup QuSecure is the latest vendor to jump into the field with its as-a-service offering

    Analysis Startup QuSecure will this week introduce a service aimed at addressing how to safeguard cybersecurity once quantum computing renders current public key encryption technologies vulnerable.

    It's unclear when quantum computers will easily crack classical crypto – estimates range from three to five years to never – but conventional wisdom is that now's the time to start preparing to ensure data remains encrypted.

    A growing list of established vendors like IBM and Google and smaller startups – Quantum Xchange and Quantinuum, among others – have worked on this for several years. QuSecure, which is launching this week after three years in stealth mode, will offer a fully managed service approach with QuProtect, which is designed to not only secure data now against conventional threats but also against future attacks from nation-states and bad actors leveraging quantum systems.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Europe proposes tackling child abuse by killing privacy, strong encryption
    If we're gonna go through this again, can we just literally go back in time?

    Proposed European regulations that purport to curb child abuse by imposing mass surveillance would be a "disaster" for digital privacy and strong encryption, say cybersecurity experts.

    A number of options have been put forward for lawmakers to mull that aim to encourage or ensure online service providers and messaging apps tackle the "detection, removal, and reporting of previously-known and new child sexual abuse material and grooming."

    These options range from voluntary detection and reporting of child sexual abuse material (CSAM) and grooming, to legally mandating that service providers find and report such material using whatever detection technology they wish — essentially scanning all private communications and, if necessary, breaking end-to-end (E2E) encryption for everyone.

    Continue reading

Biting the hand that feeds IT © 1998–2022