Sophos says: #nobackdoors!

Forget ransomware, forget the Internet of Things, forget all the other computer security stories of recent days…

…except for the red-hot topic of 2016, #nobackdoors.

Simply put, IT backdoors are deliberately programmed weaknesses that give you a way to sidestep computer security when it suits you.

A bit like hiding a spare key to your house under the doormat, in case you lose your regular key while you’re out shopping.

You know you’re making a mockery of the good-quality lock you bought to give you better security in the first place…

…but, hey, as long as no one thinks to look under the mat, you should be OK.

Sadly, everyone knows to look under the doormat, so your well-chosen lock is as good as useless.

That’s exactly the same risk that we face if we accept programmatic backdoors in computer security products.

And it’s why, whenever we write about backdoors on Naked Security, our readers generally groan in collective dismay, leaving comments along the lines of, “What were they thinking?” or “Why did anyone ever imagine that could end well?”

Why, indeed!

Examples of tricks used to implement password backdoors include:

  • Programming a hard-wired, “secret” password into the authentication software so that there is always a guaranteed way in.
  • Getting device vendors to generate two passwords for every unit sold. You get one of them, which you can change, but the vendor keeps the other one somewhere, and you can neither change it nor delete it.
  • Deliberately weakening an encryption algorithm so that it’s just secure enough to stop an average attacker from cracking it, but just weak enough that a serious adversary, such as the NSA or the PLA, could crack it if needed.

All of these approaches carry obvious and massive risks:

  • Hard-wired passwords are like a key under the doormat. As soon as someone reveals the secret, all security bets are off.
  • Vendor-stored passwords are simply a technological “sword of Damocles” hanging over your head. At any time, some or all of the password database could be stolen in a data breach, sold off by crooked insiders, or acquired by court order. You simply can’t tell what security you have, if any.
  • Weakened encryption systems get weaker over time as computers get faster. Cracking times fall year-by-year until they’re within reach of the average cybercrime gang, and ultimately even of a determined loner at home.
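
To make the first two risks concrete, here is a small added example (written for illustration, not code from any product or vendor mentioned here): a toy device that accepts a hard-wired and a vendor-kept password, beside a version with a single owner-controlled credential. The class names and all password values are constructed.

```python
import hashlib
import hmac
import os

# Constructed value for illustration: the same "secret" in every unit shipped.
HARDWIRED = "s3cret-master"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BackdooredDevice:
    """Accepts the owner's password plus two paths the owner cannot close."""

    def __init__(self, owner_pw: str, vendor_pw: str):
        self.owner_pw = owner_pw
        self._vendor_pw = vendor_pw   # a copy also sits in the vendor's database

    def change_password(self, new_pw: str) -> None:
        self.owner_pw = new_pw        # only ever touches the owner's credential

    def login(self, pw: str) -> bool:
        return pw in (self.owner_pw, self._vendor_pw, HARDWIRED)


class HardenedDevice:
    """Accepts exactly one credential, kept as a salted hash the owner controls."""

    def __init__(self, owner_pw: str):
        self.change_password(owner_pw)

    def change_password(self, new_pw: str) -> None:
        self._salt = os.urandom(16)
        self._digest = _hash(new_pw, self._salt)

    def login(self, pw: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(_hash(pw, self._salt), self._digest)


def accepted_after_rotation(device, candidates, new_pw):
    """Rotate the owner's password, then list which old secrets still log in."""
    device.change_password(new_pw)
    return [c for c in candidates if device.login(c)]
```

On the backdoored device, changing your password retires only your own old password; the other two keep working no matter what you do.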

In the plainly spoken words of the Information Technology Industry Council: “Weakening security with the aim of advancing security simply does not make sense.”

We agree, and that’s why we’ve published our own #nobackdoors page right on the Sophos website.

Standing up for #nobackdoors is especially important right now, as Apple prepares to fight a US court order that as good as demands that the company come up with a backdoor to allow the FBI to access a passworded iPhone that’s part of a serious criminal investigation.

It’s a socially and emotionally charged case, because the FBI only wants to “backdoor” a single iPhone, and it’s one that was used by Syed Rizwan Farook.

Farook isn’t around to reveal the password himself: he was shot dead, along with his wife, after killing 14 people and seriously wounding 22 in a mass shooting in San Bernardino, California, on 2 December 2015.

Nevertheless, Apple is determined to stand its ground, arguing that to create a programmatic backdoor, even in a dramatic case like this, would open a password-cracking Pandora’s Box.

To backdoor one iPhone would effectively betray all of Apple’s many millions of law-abiding customers, and pave the way for similar writs against other American companies and their customers.

Unsurprisingly, other American companies, including Google, WhatsApp and Microsoft, are backing Apple and saying, #nobackdoors.

And so is Sophos, because weakening security with the aim of advancing security simply does not make sense.