Hacker News new | comments | show | ask | jobs | submit login
What It's Like When the FBI Asks You to Backdoor Your Software (pcmag.com)
101 points by jcc80 1377 days ago | hide | past | web | 31 comments | favorite

What a missed opportunity. The proper response would have been to "take it under contemplation", get his name & ID, and get as much documentation of the request as possible (enough to verify, does this guy actually work for the FBI, or is it some random "jokester" of the kind that hangs out at security conferences).

As it stands, it's basically one level up from an urban myth. Some guy asked her to do something shady at a security conference, and it's easy for the FBI to claim they don't know anything about it.

> Her lecture concluded, she proceeded to grill the agent. "I asked if he had official paperwork for me, if this was an official request, who his boss was," said Sell. "He backed down very quickly."

"Backed down" in this context seems to mean "went away politely without answering any questions". Leading with verification and diatribing afterwards leaves you with some documentation, or a strong implication that they're a troll. She just went in the wrong order, which is honestly understandable but leaves us with an unverifiable story.

>she lectured him on topics ranging from the First and Fourth Amendments to the Constitution, to George Washington's creation of a Post Office in the US. "My ancestor was a drummer boy under Washington," Sell explained. "Washington thought it was very important to have freedom of information and private correspondence without government surveillance."

Don't forget that lecturing the FBI comes after verification and documentation as well. If that was an FBI agent he probably concluded she was not a desired partner.

Sounds more like a marketing sham than a real FBI encounter to me.

Really? The FBI agent approached her and started talking to her before she had even removed her mic? And everybody (including the agent) heard?

Let me guess, she vehemently denied the offer? (I'll admit I didn't even bother to read past the second paragraph of this "article".)

I don't think so...

Yeah it reads like a PR puff piece. I am sure that is what it is. It follows the template described in http://www.paulgraham.com/submarine.html.

I agree. A real FBI agent would have handed her a letter imposing a legal obligation to keep silent about the conversation, and she would be in jail now. In the alternative, it was a social engineering attack, and we're supposed to admire how they didn't fall for it.

More to the point, if it's possible for her company to compromise customers' communications unilaterally, then the service is insecure, regardless of what promises they make or what type of encryption they (claim to) use.

'in addition to employing who Sell calls the "best crypto people," Sell said that individual messages are bound to their intended device. "Even in 20 years or 100 years, if the NSA miraculously breaks these [encryption] equations, they still wouldn't be able to read these messages."' uhh, right. And of course this awesome uncrackable crypto relies on private keys stored on teenagers iphones.

Or possibly that agent wasn't really an FBI agent but rather was somebody who wanted to test them.

Bit of a risk, considering that impersonating a federal employee is a felony.

Impersonating a federal employee, as itself, is not a felony. Otherwise David Duchovny should have been arrested for impersonating an FBI agent in The X-Files and John Ratzenberger for impersonating a postal service employee in Cheers.

The law is in 18 U.S. Code sec. 912: Officer or employee of the United States:

> Whoever falsely assumes or pretends to be an officer or employee acting under the authority of the United States or any department, agency or officer thereof, and acts as such, or in such pretended character demands or obtains any money, paper, document, or thing of value, shall be fined under this title or imprisoned not more than three years, or both.

That is, 1) impersonating a federal employee, and 2) using that impersonation to get or demand something of value.

This account does not have the person actually getting information, nor demanding access, so does not appear to be felonious.

For example, suppose it was private citizen X impersonating an FBI agent to test Sell's resolve. The query was "if she'd be willing to install a backdoor into Wickr that would allow the FBI to retrieve information", not if citizen X (impersonating an FBI agent) can get that information.

That doesn't seem to be illegal according to the impersonation law.

Note that the "something of value" does not have to be tangible. Information has been held sufficient. See United States v. Sheker, 618 F.2d 607, where all that was done was ask about someone's location.

If this was done to ascertain information about the company, and their willingness to participate in government surveillance, it is likely to be held "a thing of value" under such precedent (which explicitly holds that things with value in the broader senses of the word count under the statute)

As a pragmatic approach, it is unlikely you are going to be find judges willing to let you slide on this kind of thing :)

Thank you for pointing that out. "I am not a lawyer" and all that, but I do enjoy, oddly enough, reading judicial decisions.

That one says:

> We do not embrace the government's sweeping position that 18 U.S.C. 912 extends to anything that has value to the defendant. Such a broad reading of "value" negates any limitation the word could imply. By the same token, we cannot accept Sheker's suggestion that 18 U.S.C. 912 covers only things having commercial value. Information can be a thing of value. Whaley v. U. S., 324 F.2d 356 (9th Cir. 1963). In normal English usage commercial worth is not the exclusive measure of value. For instance, state secrets might trade hands without cash consideration. Information obtained for political advantage might have value apart from its worth in dollars. In each case the information sought would have value to others, in addition to the seeker. Such is the case here. Stokes would see value in keeping his whereabouts unknown to Sheker. The criminal justice system, concerned with the safety of witnesses, has a similar interest.

(In Whaley, Whaley impersonated an agent of the F.B.I and got information which he later paid paid $9, if I interpreted it correctly. Thus the information definitely has commercial value. In Sheker, the judge extends that to value other than commercial value.)

The information sought here is "is Sell (or Sell's company) willing to provide a back-door to the FBI?" This is just after Sell stated publicly that the "service wouldn't have a backdoor for anyone."

I honestly can't tell if this is a "thing of value."

If the answer is "yes", then I think that's a thing of value. That information might be revealed later to embarrass or otherwise affect Sell's company.

If the answer is "no", then there's no value. The statement to the public is the same as the statement to the alleged impersonator.

Given the context, it seems very likely that most people would have expected Sell to say "no." Thus, the overall value is very low.

It can't be that asking a question where the answer isn't already 100% known is illegal. The judge says that the law doesn't '[extend] to anything that has value to the defendant'.

But I don't know how that line is drawn.

The line is essentially going to be drawn pragmatically in most cases, because the precedent is so vague. Judges generally don't take kindly to people impersonating agents, so i would expect a bit of stretch to find an issue.

For example, if you look, the judge says "We do not embrace the government's sweeping position", but then in practice, did exactly this. They went to great pains to find some way to ascribe "value" to the location of another human being.

Yes, which is why I can't figure out how to interpret that case. It seems the judge says you can't ask any questions, since any information has some value.

A police officer can ask questions of anyone, including "can I search this bag?" The legal theory is that an officer is also a citizen, and any citizen can ask that question, even of strangers.

Apparently the uniform and knowledge that it's a police officer isn't supposed to make people feel any extra obligation towards the officer, compared to a stranger.

But there has to be a limit to that, yes? Can the officer for money? Strangers do that.

Anyway, were I to judge this matter, I would say that if a person would reasonably give the same answer to a stranger as to an imposter, then there's nothing of value.

Yeah, and I'm sure as Sunday that most judges won't agree with me.

So is unauthorized access to a protected computer, yet a lot of that goes on at security conferences too.

I guess, according to your logic, anything goes then at these conferences?

Many of the people at those conferences aren't afraid to 'color outside the lines,' and impersonating an FBI agent could fall under the umbrella of social engineering, which is another hot topic at security conferences.

I would not view it as outside the realm of possibility.

I'm sorry, if I may ask, what is the use of the answer to your question?

"What it's like when the FBI asks you to backdoor your software" : You say 'No' in the most emphatic terms while giving him a dressing down like a boss, apparently.

My guess is that shortly thereafter her tax and investment records were getting a good going over by the DOJ and IRS.


I don't trust any of them. Period. It makes absolutely no sense to trust any of them. Not when peoples lives are at stake.

At this point, if I wanted to use my phone for any truly critical communication (e.g. like in middle eastern countries where lives are literally at stake), I'd only use open source software.

You could start a company that had the all of following people as founders:

  Ron Rivest
  Adi Shamir
  Leonard Adleman
  Phil Zimmermann
  Whitfield Diffie
  Martin Hellman
  Dan Bernstein
  Bruce Schneier
  Edward Snowden
  Keith Alexander
  Theo de Raadt
Even if every single one of those people were telling me to trust the software, I still wouldn't. Not without source.

Show me the source code. At first glance, I didn't see that option as available at the Wickr web site.

BTW stupid of Wickr to not obtain the wickr.com domain. I'll let people google for the real URL just to make my point.

How do you compile your code? (Thompson reflections on trusting trust)

And beyond source-code:

How do you shield your equipment? (tempest, also active attack)

How do you guard your equipment? (evil maid)

Real life is the triumph of convenience over security :(

Convenience is exactly what I use in my real life. My texting security is whatever Apple implements in iMessage. I'd be a lot more paranoid if I were a "smuggler" or "revolutionary".

There's also the wrench cryptanalysis discussed in xkcd.com/538. For most people the mouseover text nails it:

  Actual actual reality: nobody cares about his secrets.

The fact that you can't have complete security is not an argument for abdicating the effort, nor a valid criticism of anything that moves in the right direction. At least you can get to a better position in terms of (a) lower probability of compromise and (b) imposing more time and expense on the adversary.

Sounds like a publicity stunt or a hoax.

It doesn't sound like that to anyone who has worked in security. This is their routine MO.

Right, that explains why we hear about this exact scenario playing out all the time... oh wait.

Ok, while you are right that this exact scenario (of an entity approaching a dev in a public place while at a conference and asking them to weaken something) does not happen very often, you need to understand that the person you are replying to is saying that in general, it is well known and well documented that various three letters have been active in weakening implementations in all kinds of projects over the years. Remember the clipper chip, Promis, OpenBSD's IPsec stack, NSA_key, or any of the more recent ones we have heard of, and for every one of those there are probably 10 that adhere to their NSL's or other forms of gag orders.

Your snarky and snide tone makes it seem like you think they never try to get people to implement backdoors or weaken implimentations (for side-channels), and I'm sure that's not what you meant, right?

Even if this story were true (which I have no way to verify) all it takes is an NSL, or for that matter a visit in the middle of the night to you and your family with lots of guns, and suddenly your business plan changes.

Never talk to cops. The end.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact