
What It's Like When the FBI Asks You to Backdoor Your Software - jcc80
http://securitywatch.pcmag.com/security/319544-what-it-s-like-when-the-fbi-asks-you-to-backdoor-your-software
======
fiatmoney
What a missed opportunity. The proper response would have been to "take it
under contemplation", get his name & ID, and get as much documentation of the
request as possible (enough to verify, does this guy actually work for the
FBI, or is it some random "jokester" of the kind that hangs out at security
conferences).

As it stands, it's basically one level up from an urban myth. Some guy asked
her to do something shady at a security conference, and it's easy for the FBI
to claim they don't know anything about it.

~~~
diydsp
> Her lecture concluded, she proceeded to grill the agent. "I asked if he had
> official paperwork for me, if this was an official request, who his boss
> was," said Sell. "He backed down very quickly."

~~~
fiatmoney
"Backed down" in this context seems to mean "went away politely without
answering any questions". Leading with verification and diatribing afterwards
leaves you with some documentation, or a strong implication that they're a
troll. She just went in the wrong order, which is honestly understandable but
leaves us with an unverifiable story.

~~~
mandelbulb
>she lectured him on topics ranging from the First and Fourth Amendments to
the Constitution, to George Washington's creation of a Post Office in the US.
"My ancestor was a drummer boy under Washington," Sell explained. "Washington
thought it was very important to have freedom of information and private
correspondence without government surveillance."

Don't forget that lecturing the FBI comes after verification and documentation
as well. If that was an FBI agent he probably concluded she was not a desired
partner.

------
GigabyteCoin
Sounds more like a marketing sham than a real FBI encounter to me.

Really? The FBI agent approached her and started talking to her before she had
even removed her mic? And everybody (including the agent) heard?

Let me guess, she vehemently denied the offer? (I'll admit I didn't even
bother to read past the second paragraph of this "article".)

I don't think so...

~~~
Patient0
Yeah it reads like a PR puff piece. I am sure that is what it is. It follows
the template described in
[http://www.paulgraham.com/submarine.html](http://www.paulgraham.com/submarine.html).

~~~
ds9
I agree. A real FBI agent would have handed her a letter imposing a legal
obligation to keep silent about the conversation, and she would be in jail
now. In the alternative, it was a social engineering attack, and we're
supposed to admire how they didn't fall for it.

More to the point, if it's possible for her company to compromise customers'
communications unilaterally, then the service is insecure, regardless of what
promises they make or what type of encryption they (claim to) use.

------
ediblenergy
'in addition to employing who Sell calls the "best crypto people," Sell said
that individual messages are bound to their intended device. "Even in 20 years
or 100 years, if the NSA miraculously breaks these [encryption] equations,
they still wouldn't be able to read these messages."' uhh, right. And of
course this awesome uncrackable crypto relies on private keys stored on
teenagers iphones.

------
TwoBit
Or possibly that agent wasn't really an FBI agent but rather was somebody who
wanted to test them.

~~~
elliotanderson
Bit of a risk, considering that impersonating a federal employee is a felony.

~~~
dalke
Impersonating a federal employee, as itself, is not a felony. Otherwise David
Duchovny should have been arrested for impersonating an FBI agent in The
X-Files and John Ratzenberger for impersonating a postal service employee in
Cheers.

The law is in 18 U.S. Code sec. 912: Officer or employee of the United States:

> Whoever falsely assumes or pretends to be an officer or employee acting
> under the authority of the United States or any department, agency or
> officer thereof, and acts as such, or in such pretended character demands or
> obtains any money, paper, document, or thing of value, shall be fined under
> this title or imprisoned not more than three years, or both.

That is, 1) impersonating a federal employee, and 2) using that impersonation
to get or demand something of value.

This account does not have the person actually getting information, nor
demanding access, so does not appear to be felonious.

For example, suppose it was private citizen X impersonating an FBI agent to
test Sell's resolve. The query was "if she'd be willing to install a backdoor
into Wickr that would allow the FBI to retrieve information", not if citizen X
(impersonating an FBI agent) can get that information.

That doesn't seem to be illegal according to the impersonation law.

~~~
DannyBee
Note that the "something of value" does not have to be tangible. Information
has been held sufficient. See United States v. Sheker, 618 F.2d 607, where all
that was done was ask about someone's location.

If this was done to ascertain information about the company, and their
willingness to participate in government surveillance, it is likely to be held
"a thing of value" under such precedent (which explicitly holds that things
with value in the broader senses of the word count under the statute)

As a pragmatic approach, it is unlikely you are going to be find judges
willing to let you slide on this kind of thing :)

~~~
dalke
Thank you for pointing that out. "I am not a lawyer" and all that, but I do
enjoy, oddly enough, reading judicial decisions.

That one says:

> We do not embrace the government's sweeping position that 18 U.S.C. 912
> extends to anything that has value to the defendant. Such a broad reading of
> "value" negates any limitation the word could imply. By the same token, we
> cannot accept Sheker's suggestion that 18 U.S.C. 912 covers only things
> having commercial value. Information can be a thing of value. Whaley v. U.
> S., 324 F.2d 356 (9th Cir. 1963). In normal English usage commercial worth
> is not the exclusive measure of value. For instance, state secrets might
> trade hands without cash consideration. Information obtained for political
> advantage might have value apart from its worth in dollars. In each case the
> information sought would have value to others, in addition to the seeker.
> Such is the case here. Stokes would see value in keeping his whereabouts
> unknown to Sheker. The criminal justice system, concerned with the safety of
> witnesses, has a similar interest.

(In Whaley, Whaley impersonated an agent of the F.B.I and got information
which he later paid paid $9, if I interpreted it correctly. Thus the
information definitely has commercial value. In Sheker, the judge extends that
to value other than commercial value.)

The information sought here is "is Sell (or Sell's company) willing to provide
a back-door to the FBI?" This is just after Sell stated publicly that the
"service wouldn't have a backdoor for anyone."

I honestly can't tell if this is a "thing of value."

If the answer is "yes", then I think that's a thing of value. That information
might be revealed later to embarrass or otherwise affect Sell's company.

If the answer is "no", then there's no value. The statement to the public is
the same as the statement to the alleged impersonator.

Given the context, it seems very likely that most people would have expected
Sell to say "no." Thus, the overall value is very low.

It can't be that asking a question where the answer isn't already 100% known
is illegal. The judge says that the law doesn't '[extend] to anything that has
value to the defendant'.

But I don't know how that line is drawn.

~~~
DannyBee
The line is essentially going to be drawn pragmatically in most cases, because
the precedent is so vague. Judges generally don't take kindly to people
impersonating agents, so i would expect a bit of stretch to find an issue.

For example, if you look, the judge says "We do not embrace the government's
sweeping position", but then in practice, did exactly this. They went to great
pains to find some way to ascribe "value" to the location of another human
being.

~~~
dalke
Yes, which is why I can't figure out how to interpret that case. It seems the
judge says you can't ask any questions, since any information has some value.

A police officer can ask questions of anyone, including "can I search this
bag?" The legal theory is that an officer is also a citizen, and any citizen
can ask that question, even of strangers.

Apparently the uniform and knowledge that it's a police officer isn't supposed
to make people feel any extra obligation towards the officer, compared to a
stranger.

But there has to be a limit to that, yes? Can the officer for money? Strangers
do that.

Anyway, were I to judge this matter, I would say that if a person would
reasonably give the same answer to a stranger as to an imposter, then there's
nothing of value.

Yeah, and I'm sure as Sunday that most judges won't agree with me.

------
lostcolony
"What it's like when the FBI asks you to backdoor your software" : You say
'No' in the most emphatic terms while giving him a dressing down like a boss,
apparently.

~~~
vaadu
My guess is that shortly thereafter her tax and investment records were
getting a good going over by the DOJ and IRS.

[http://www.businessinsider.com/the-story-of-joseph-
nacchio-a...](http://www.businessinsider.com/the-story-of-joseph-nacchio-and-
the-nsa-2013-6)

------
PhantomGremlin
I don't trust any of them. Period. It makes absolutely no sense to trust any
of them. Not when peoples lives are at stake.

At this point, if I wanted to use my phone for any truly critical
communication (e.g. like in middle eastern countries where lives are literally
at stake), I'd only use open source software.

You could start a company that had the all of following people as founders:

    
    
      Ron Rivest
      Adi Shamir
      Leonard Adleman
      Phil Zimmermann
      Whitfield Diffie
      Martin Hellman
      Dan Bernstein
      Bruce Schneier
      Edward Snowden
      Keith Alexander
      Theo de Raadt
    

Even if every single one of those people were telling me to trust the
software, I still wouldn't. Not without source.

Show me the source code. At first glance, I didn't see that option as
available at the Wickr web site.

BTW stupid of Wickr to not obtain the wickr.com domain. I'll let people google
for the real URL just to make my point.

~~~
willvarfar
How do you compile your code? (Thompson reflections on trusting trust)

And beyond source-code:

How do you shield your equipment? (tempest, also active attack)

How do you guard your equipment? (evil maid)

Real life is the triumph of convenience over security :(

~~~
PhantomGremlin
Convenience is exactly what I use in _my_ real life. My texting security is
whatever Apple implements in iMessage. I'd be a lot more paranoid if I were a
"smuggler" or "revolutionary".

There's also the wrench cryptanalysis discussed in xkcd.com/538\. For most
people the mouseover text nails it:

    
    
      Actual actual reality: nobody cares about his secrets.

------
FrankBooth
Sounds like a publicity stunt or a hoax.

~~~
lawnchair_larry
It doesn't sound like that to anyone who has worked in security. This is their
routine MO.

~~~
FrankBooth
Right, that explains why we hear about this exact scenario playing out all the
time... oh wait.

~~~
arca_vorago
Ok, while you are right that _this exact scenario_ (of an entity approaching a
dev in a public place while at a conference and asking them to weaken
something) does not happen very often, you need to understand that the person
you are replying to is saying that in general, it is well known and well
documented that various three letters have been active in weakening
implementations in all kinds of projects over the years. Remember the clipper
chip, Promis, OpenBSD's IPsec stack, NSA_key, or any of the more recent ones
we have heard of, and for every one of those there are probably 10 that adhere
to their NSL's or other forms of gag orders.

Your snarky and snide tone makes it seem like you think they never try to get
people to implement backdoors or weaken implimentations (for side-channels),
and I'm sure that's not what you meant, right?

------
coldcode
Even if this story were true (which I have no way to verify) all it takes is
an NSL, or for that matter a visit in the middle of the night to you and your
family with lots of guns, and suddenly your business plan changes.

------
tedmcory
Never talk to cops. The end.

