UK government can secretly order backdoors in commercial software, imprison you for disclosing them


#1

[Read the post]


#2

Gosh-darn-it! Someone needs to get back on that Paranoid Linux distro!


#3

Probably also worth remembering: even if we were inclined to let Airstrip One stew in its own dystopia, there would appear to be no reason why the ‘compelled secret backdoor’ powers could not be used against any individual or company with enough connection to Britain that they can meaningfully be threatened, even if the eventual target of the attack is not in the UK.

Say, for instance, that pesky iPhone that the US feds have been fighting with Apple about. If Britain were in the mood to be a good Five Eyes Freedom Pal, they could use this law to…politely request…that Apple(who certainly has enough of a presence in the UK that they could likely be made agreeable) produce and sign a backdoored OS update; then pass that on to the feds of a different jurisdiction. If memory serves, the iOS signing mechanisms allow for per-device granularity(this is how ‘test’ apps signed only with developer keys but not blessed by Apple for distribution can run on a limited number of test devices), so they might not be able to just compel a universal backdoor update when Apple can argue that they can provide the requested access on a more granular level; but that’s what asking repeatedly is for.

Given that the UK is enough of a market that a fair few people with interesting signing keys have some sort of nexus through which they can be prosecuted there, the spillover could be considerable.

The most obvious candidates are online services, ISPs, and telcos in the UK; but the world is absolutely stuffed to the gills with hardware and software that will trust whatever binaries you feed it more than you trust your mother, so long as you can sign them properly. This suggests that even if you aren’t in the UK, and even if you are using equipment from a vendor that isn’t primarily in the UK, you could still be the recipient of a neatly gift-wrapped little software update that will cut through all but the most paranoid defenses like a thermic lance through butter on a hot day.


#4


#5

My read of this is that the software development industry in the UK is effectively dead. Except for…I dunno…what backdoored software would people be okay running?


#6

I agree. This will suck suck suck for Sophos.


#7

This must also mean that open source software cannot (in the UK) be audited since it might “illegally” expose a backdoor, and that people in the UK cannot (legally) read on foreign websites or newspapers that a backdoor is present in a given software.

People of the UK. Why did you vote for this?


#8

I was just wondering if software companies in the UK could declare their product open-source, and then shift to acting as “support teams” or whatever for that particular piece of open-source software?

Really, the whole damn thing is ridiculous, and I’m as baffled as @monostatos as to how this got through the gov’t.


#9

I didn’t. The local Labour candidate (who has voted in favour of this kind of crap before) got over 50% of the vote regardless of how I voted.


#10

Unfortunately, it’s probably partly also because the politicians literally don’t understand it themselves. I’m not giving them a get-out here, you realise, but it’s far simpler to believe in cock-up than conspiracy. This problem is exacerbated in confrontational governmental systems (like the UK and the US) where even mere suggestions that something might not be a good idea are treated as treason or heresy - or even as conspiracy themselves. And this then leads to fiascos like TPP, where negotiations conducted behind closed doors and in secret don’t even get as far as even hearing about possible problems, let alone addressing them.
I am moderately optimistic that this particular Bill is unravelling so fast that it won’t make it much past the scrutiny committee in its current form, but it’s good that its problems are at least being debated in public.


#11

A huge problem in the US with all three arms of the government. And my reading skills are failing me–I thought this had already been signed into effect. I hope the UK’s elected leaders will scrap this nonsense, pronto.

Of course, the US has led the way in promoting software backdoors…anyone remember the Clipper Chip fiasco? NSA developed a chip that would allow for backdooring of telecommunications info and (among other nutbag LEO types) demanded that it be inserted into all new telephones just in case Aunt Mary was communicating with Saddam Hussein or other bad guys.

-ahem-

Interestingly enough, some of the smart folks who resisted the Clipper Chip (involving luminaries such as Bruce Shneier and Matt Blaze) published “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption” way back in 1997.

Lo and behold, they got back together and published “Keys Under Doormats: mandating insecurity by requiring government access to all data and communications” just this year. Both should be required reading for any UK leaders considering the Snooper’s Charter.


#12

Oh god, don’t! That is far too close for comfort.

The fight goes on i suppose. :no_mouth:


#13

Minesweeper?


#14

Pretty much–I was thinking games, but hell, games are just as networked and complex as MS Office is now and they offer just as large an attack surface as the standard office suite.


#15

I’m just glad I live in the U.S., where this sort of nonsense isn’t tolerated.


#16

Vodafone revealed last year that they were obliged to participate in mass surveillance - http://www.theguardian.com/business/2014/jun/06/vodafone-reveals-secret-wires-allowing-state-surveillance

At least at the time they were not breaking the law in revealing this.


#17

Most of us didn’t.


#18

Is the western world staffing some sort of contest for most twisted authoritarian dystopia?

Or is it “who can score the most rotations as Orwell turns over in his grave”?


#19

Until Hinkley Point C is running the rotating Orwell powers most of the UK. I’m sure the dystopian laws will be abolished as soon as security of electric supply is given.


#20

We didn’t vote for them. The main problem is far too few people bothered to vote for anyone else.