Blackberry Cellphones China IOS Privacy United States Apple Your Rights Online

Leaked Memo Says Apple Provides Backdoor To Governments

Voline writes "In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices. The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"

  • How Not to be Seen (Score:5, Insightful)

    by alphatel ( 1450715 ) * on Sunday January 08, 2012 @07:57AM (#38628398)
    The next time you text "i hacked my xbox!" to your friend, expect federal prison for life.

    It's all a big setup. The Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices. Now any terrorist loses his rights as an American. The next war is at civil. No wonder the troops are coming back home.
  • by Anonymous Coward on Sunday January 08, 2012 @08:02AM (#38628402)

    It is so stupid of Manan Kakkar to have totally ignored the issue and come up with a centralised biased opinion against Apple with the statement: "If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"

    Such an uninformed idiot to not have noticed, how serious the issue but rather wants to gain publicity by making this, big against Apple.

    Ridiculous

  • by Karmashock ( 2415832 ) on Sunday January 08, 2012 @08:08AM (#38628418)

    I'm not a huge open source guru. I have nothing against it and I use open source software all the time. But I'm not a zealot on the subject. Still... this is unacceptable. If I buy a bit of software from Apple or Microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license. If they're going behind my back to sell my security to a third party... then I consider that a breach of contract and I'm really not amused.

    If this is valid... and it hasn't been confirmed yet... then anyone that signed that agreement is untrustworthy.

    Nothing else to say on the matter.

  • by Tangential ( 266113 ) on Sunday January 08, 2012 @08:09AM (#38628424) Homepage
    Is there any reason to believe that governments wouldn't put pressure on all OS vendors, telecom providers, etc. that wanted to sell into their countries to do something like that? I'd be very surprised if very many cellphones sold in the USA don't have a way in for the Feds.

    At the same time, if you are concerned about the possibility of backdoors, it's awfully easy to bury one deep in some standard hardware component that user space processes and most of the OS don't normally interact with. Since most of our cellphones and PCs (and GPSs and media boxes and cameras and ...) originate in China, what are the odds that they are not all compromised?
  • by Anonymous Coward on Sunday January 08, 2012 @08:10AM (#38628428)

    Just stop trusting closed source software and companies already!

  • Awesome headline. (Score:5, Insightful)

    by Anonymous Coward on Sunday January 08, 2012 @08:14AM (#38628438)

    How RIM, Nokia and Apple becomes just Apple is beyond me. Magic?

  • by fred911 ( 83970 ) on Sunday January 08, 2012 @08:17AM (#38628448) Journal

    PGP... it's way past time. Clinton was trying to mandate forced escrow keys for strong encryption years ago, first warning. Now, you can't place your trust in anyone but yourself to protect your privacy.

  • by Jazari ( 2006634 ) on Sunday January 08, 2012 @08:18AM (#38628456)
    The only way to be reasonably sure of security is by using open source encryption (TrueCrypt, PGP). If you're only using a "black box" system to protect your information, you should expect that governments (and crime syndicates who can bribe individual government employees) will have access to your information.

    What's surprising is that anyone with secrets worth protecting doesn't already know this, or hasn't already hired someone competent enough to tell them this.
  • News from a twit. (Score:5, Insightful)

    by slasho81 ( 455509 ) on Sunday January 08, 2012 @08:19AM (#38628458)
    This smells of bullshit. Now a tweet and a few images are considered legit news? Couldn't just one journalist or blogger pick up the phone and get the "RINOA" comment on the matter? Or is it just easier to post conspiracy-laden speculation ending with a giant question mark?
  • by Anonymous Coward on Sunday January 08, 2012 @08:24AM (#38628478)

    Unless you've personally verified every single line of code in the OS, you're not really better off. You're just hoping that others have verified every single line of code, and unless you've verified that they're all trustworthy, you're just hoping that's true, too.

    ...and in case anyone's thinking this is an astroturf troll, I use Linux, not Windows or Mac. I've exclusively used Linux for 11 years now.

  • by Yvanhoe ( 564877 ) on Sunday January 08, 2012 @08:24AM (#38628480) Journal
    You know, your well-argued and reasonable stance on this problem is what led many "open source zealots" like me into their present situation. In a functional legal environment you could use proprietary software and assume that such a breach of confidence would have such serious consequences for the companies involved that no one would dare to take the risk to put a backdoor in their software or to even make it possible. This is not, however, the case; this affair is one of many (CarrierIQ, Echelon, illegal-later-legalized wiretapping, Bluecoat, Amesys, etc...) and the only cure seems to be to use open source everywhere a backdoor could exist. And that means, mostly, everywhere.

    Anyway, I like how you present it: "I'm not an open source zealot, I'm merely an opponent to secret backdoors"
  • by Kikuchi ( 1709032 ) on Sunday January 08, 2012 @08:24AM (#38628482)

    If I buy a bit of software from Apple or Microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license.

    HaHaHaHaHa, HoHoHoHoHo, HaHa, Hoooo....

    Eh, turn your keyboard around, gullible is written under it.

  • by paimin ( 656338 ) on Sunday January 08, 2012 @08:28AM (#38628490)
    Not only that, it's "mobile device makers, including RIM, Nokia, and Apple". Who else? I smell Android fanboy.
  • by SuricouRaven ( 1897204 ) on Sunday January 08, 2012 @08:29AM (#38628500)
    I doubt many cellphones in the USA have backdoors for the government. Why would they need to, when the FBI, CIA and NSA all have access to direct fiber taps into the network backbone and presumably have been given the keys to go along with it? Backdoors in phones might be detected, but just getting the carriers to cooperate in permitting decryption and monitoring of network traffic is much safer - plus it lets them intercept the traffic of travelers who bring a phone purchased outside the US too.
  • by Anonymous Coward on Sunday January 08, 2012 @08:31AM (#38628508)

    Nice fanboi response. It has really become a religion.

  • by fastest fascist ( 1086001 ) on Sunday January 08, 2012 @08:32AM (#38628510)
    But how uninformed do you have to be to blame Kakkar for something he didn't write?
  • by Opportunist ( 166417 ) on Sunday January 08, 2012 @08:33AM (#38628514)

    Well, you're slightly better off. Unless you expect a global conspiracy where every person who ever read the code and would talk about it has been bought or silenced.

    The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.

  • by gweihir ( 88907 ) on Sunday January 08, 2012 @08:48AM (#38628582)

    And face it, the worst is not the possible surveillance by the ones that originally placed this. These people did invest significantly to place and hide the backdoor. They will use information gained from it only sparingly, to protect the source. After all, if they are caught possessing information that they can only have gotten this way, the backdoor becomes worthless.

    IMO the real problem is if the backdoor can be used by others that do not have to protect their investment or respect laws (however flimsy). For an example of surveillance software made by people without much of a clue about security, look to the German "Bundestrojaner", recently analyzed by the CCC. Severe flaws include no authentication or encryption on data transfer, a hard-coded AES key that seems to be the same in all instances used for command transfer (still no authentication), and data-transfer via a foreign server (which is likely illegal). In addition, these cretins are of course not liable if somebody uses their backdoor and likely will not even notice.

    Same old story: For a few temporary small benefits, people are willing to accept enormous potential damage. That is my personal definition of evil.

    On the protection side: Use reputed open-source. There is at least some chance that somebody will notice a backdoor and that the person will not be easy to silence. And once somebody has found such a problem, anybody can verify it. Not so with closed-source. There it would be a lot more difficult to find anything, and then to get taken seriously as others cannot easily verify a finding. Some postings here already demonstrate that problem. In addition, use restrictive firewall settings and encryption. Difficult to do in a mobile setting, I know, so as a last measure, do not trust any device not under your own system-administration. In particular, do not trust any mobile phone or similar system. You may also want to add markers to any document you do put on potentially backdoored devices, so you can identify the source. This last step also helps against insiders leaking data.

    Of course, if your secrets are transient and not worth risking the backdoor for (even for a 3rd party user of said backdoor), then you are probably reasonably secure. This should apply to most people for private use.

  • by amiga3D ( 567632 ) on Sunday January 08, 2012 @09:05AM (#38628628)

    What does legality have to do with it?

  • "Liberated"? (Score:3, Insightful)

    by cbraescu1 ( 180267 ) on Sunday January 08, 2012 @09:09AM (#38628644) Homepage

    an internal memo of India's Military Intelligence that has been liberated by hackers

    Let's set the record straight: that memo was stolen.

  • by Dunbal ( 464142 ) * on Sunday January 08, 2012 @09:17AM (#38628678)

    PGP... it's way past time.

    Yeah that will work if they are reading your keystrokes.

  • by Anonymous Coward on Sunday January 08, 2012 @09:25AM (#38628710)

    Everyone has done something illegal. They might not know it and it might not have been immoral. As long as you can monitor everything they do you can find a reason to send them to jail if they start to express 'undesirable' opinions.

  • by gutnor ( 872759 ) on Sunday January 08, 2012 @09:33AM (#38628768)
    No need for global conspiracy. You don't control what code is used to build your Android handset. The handset maker just tells you what base version they used and you need to trust them. Even on a vanilla Galaxy Nexus that would be trivial to slip a backdoor.
  • by timholman ( 71886 ) on Sunday January 08, 2012 @09:42AM (#38628808)

    Unless you've personally verified every single line of code in the OS, you're not really better off. You're just hoping that others have verified every single line of code, and unless you've verified that they're all trustworthy, you're just hoping that's true, too.

    Exactly. Even the open source community is built on a massive foundation of blind trust, because perhaps one user in a hundred thousand will actually look at the source. Otherwise, no matter if it's open or closed, the average user says, "That looks neat, I'm gonna install that".

    A personal anecdote: my open source theft recovery package for Macs has several thousand users. All of the source (with comments) is bundled with the installer, yet I often get questions from users about what the program does "under the hood", when they could easily learn the answer themselves by reading the source code.

    The overwhelming majority of users seem to like open source because it's free, not because it is theoretically more secure. I might have been collecting private information from the users of my program for the past three years, and I often wonder if a single one of them would have bothered to check the source in all that time.

    The best attack vector for any malware is incredibly simple: bundle it into something useful, and then give it away. You can guarantee that some people will install it (for the same reason they'll pick up and use a "lost" USB memory stick), because it is human nature to want to take advantage of something that is freely given.

  • by OneMadMuppet ( 1329291 ) on Sunday January 08, 2012 @09:47AM (#38628818) Homepage
    No. As soon as you decrypt anything to use/view it on a compromised system then that data is compromised, as is any other data using the same key. Anyone with secrets worth protecting shouldn't be storing them on a phone or accessing them from an insecure device.
  • by garaged ( 579941 ) on Sunday January 08, 2012 @09:48AM (#38628820) Homepage

    It is a convenience for when carrier won't give real time access or can't do it, also not everything passes thru carrier, and people can be tracked better when offline but phone still powered up.

  • Even if a backdoor is discovered, there's no guarantee that credibility will be lost... A smart backdoor would look like a bug and could easily be explained away as such... Exploitable security holes are commonplace, who's to say some of them weren't originally designed as backdoors?

  • by boorack ( 1345877 ) on Sunday January 08, 2012 @10:01AM (#38628886)

    Go read NDAA, shamelessly passed by Senate (both parties) and shamelessly signed by Obama little more than a week ago. It allows for indefinite military detention of people your lovely govt. calls "terrorists" without charges and without recourse to a court of law as they're free to ignore court orders. With NDAA passed, US is now officially a police state of kind it used to install in so many Latin countries in the past. You can kiss your freedoms goodbye as your constitution now has been torn down along with all its amendments.

    I doubt US military will use it to full extent at first as it would be a major PR disaster, but as time passes and popular anger at corporations/government grows you'll see more and more of people in jail just refusing to do what our corporate overlords want.

  • by TeknoHog ( 164938 ) on Sunday January 08, 2012 @10:04AM (#38628898) Homepage Journal

    The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.

    My thoughts exactly. If you think about this as a developer who wants to implement a backdoor, open source is much more risky for you. You'll have to be clever in order to hide it in plain sight, and there is still a good chance someone will find it. In contrast, when the software is closed, you can write the simplest possible backdoor, and not worry about being seen.

  • by amiga3D ( 567632 ) on Sunday January 08, 2012 @10:16AM (#38628962)

    This is what I so dislike about President Obama. He's not even a good liberal. This is the kind of thing I would expect from the Bush administration.

  • While most people cannot, or will not read the source code... It only takes one of them to read it and find a backdoor, and then tell the world.

    If you're really paranoid, you can read the code yourself or find someone you trust to do it for you. Personally I'd much rather trust a friend, or someone who is working explicitly *for me* than a company which has the primary goal of making profit at any expense.

  • by Karmashock ( 2415832 ) on Sunday January 08, 2012 @10:23AM (#38629014)

    To everyone that's telling "oh you didn't buy it, you licensed it!" or "But you clicked OK on the EULA!" or any variation on that theme. I'm pretty confident I could effortlessly sue the silly pants off any company that did this to me... especially if I could show damages in court. What jury is going to sit there and say "oh, he clicked OK on the EULA..." From a legal standpoint, EULAs are almost worthless against consumers and I even question how effective they are against corporations. There are different legal standards here. A big corporation for example has a legal obligation to actually read everything to the last line and appreciate what all the various legal terms mean. One person that has no special legal knowledge can't be reasonably expected to sign such things.

    The basis of legal contracts is that BOTH sides know, understand, and agree to the contract. If it can be demonstrated that either side could not be expected to reasonably know, understand, or agree to everything in a contract then the contract is invalid.

    For example, if a blind man signs a 500-page legal contract it's almost certainly invalid. To make such a contract valid there would have to be documentation that made it clear throughout that the man read or understood the contract. That might mean having a notary read it and occasionally initial segments of the contract to signify that given portions had been communicated. Or it might mean giving the man a copy of the contract in braille or something.

    The problem with EULAs is that no one reads them and worse no one can really be expected to read them. How many EULAs do you see in a day? I see about three on average and I think I've only read about two of them... and that was because I was bored.

    EULAs mostly exist not to restrain consumers because they can't reasonably be applied to them. They exist to restrain other corporations who also use the software. Because other corporations don't have this protection. It's one of the big differences legally between small and large organizations. Small groups generally are given a lot of legal slack. Big companies have to make a point of dotting every i and crossing every t. They have to read all these EULAs. And while I bet they don't even do it, they would have a much harder time making the same legal argument in court that they simply don't have the reasonable expectation of reading or understanding such documents.

    If Microsoft or Google did something that meant thousands of credit card numbers were stolen. Something where you could show damages. There is no EULA that would defend them. They'd get their silly pants sued off if it could be demonstrated that it was their fault.

    Now if it was an issue of malware or something then they can probably successfully argue that end users have a responsibility to secure their systems and MS or Google didn't steal the numbers in any case or intentionally make them available. However, if MS and Google intentionally used backdoors to get such information or sold the keys to those back doors to a third party that then used them to get the information. THEN those companies would be screwed sideways.

    If the twentieth paragraph in the EULA says "oh by the way, we reserve the right to let third parties pilfer your data at will" it wouldn't stand in court.

  • by whisper_jeff ( 680366 ) on Sunday January 08, 2012 @10:42AM (#38629102)
    Apple generates page-views. RIM and Nokia do not.
  • by joebagodonuts ( 561066 ) <cmkrnl&gmail,com> on Sunday January 08, 2012 @10:51AM (#38629162) Homepage Journal
    Obama is Dubya V2.0. The folks who thought he was liberal got pwned.
  • by Lord_Jeremy ( 1612839 ) on Sunday January 08, 2012 @10:53AM (#38629170)
    Isn't it also awesome how the Indian government turns into "governments."
  • by Colin Smith ( 2679 ) on Sunday January 08, 2012 @11:25AM (#38629328)

    Bush, Obama, Romney.

    It no longer matters who you vote for, they are all owned.
     

  • by Loosifur ( 954968 ) on Sunday January 08, 2012 @11:43AM (#38629474)

    My wife always asks me why I "throw away my vote" by voting for a third party. I ask her why she bothers to vote at all *unless* it's for a third party. Otherwise it's just picking between different flavors of vanilla.

  • by decora ( 1710862 ) on Sunday January 08, 2012 @11:45AM (#38629490) Journal

    the government. how can it be considered stealing?

  • by sapphire wyvern ( 1153271 ) on Sunday January 08, 2012 @11:55AM (#38629584)

    Sounds like you need a US Code Repository, with bills published as changesets, but retaining the ability to pull a complete version of the legal framework that is actually in use.

  • by AmiMoJo ( 196126 ) on Sunday January 08, 2012 @12:24PM (#38629790) Homepage Journal

    TFA was just badly worded. The leaked document makes it clear that it was just RIM, Nokia and Apple, or RINOA as they are abbreviated to. The backdoor would probably need to be at the OS level so it stands to reason that only companies which make mobile OSs are on the list, and Google is not there (nor is Microsoft).

    I think Google got burned by their experience in China which turned out to be an impossible situation for them. It seems unlikely they would then jump into bed with India and give them what they refused the Chinese.

  • by Wootery ( 1087023 ) on Sunday January 08, 2012 @12:56PM (#38630076)

    Valid point: there's a Real Life workaround for crypto: force.

    But it's still quite a big win: if they can't watch you without threatening you, they can't watch you without telling you.

  • Reality check (Score:4, Insightful)

    by joh ( 27088 ) on Sunday January 08, 2012 @02:08PM (#38630580)

    There was a time when efficient encryption was considered a weapon and could not be exported from the US. This was given up later.

    Looking back this was just logical. The point is that controlling what code is being exported is very hard and anyway coming up with good encryption is not that hard anyway. But once you have devices everywhere that can use end-to-end encryption of communications very easily and cheaply, everyone can use that and encrypted communication is basically out of control.

    The only halfway practical way to deal with this is: Just allow all of this but make sure that you get access to the devices at a point BEFORE any encryption takes place (and after decryption).

    I don't like the very idea, but on the other hand I really can't imagine any state or government to accept safe encryption in communications being the norm with no way to listen in. Democracy or not, but ubiquitous encrypted communication for everyone (including criminals, terrorists, whoever) is something that is impossible to accept for any government that sees controlling and policing as part of the job description.

  • by cmholm ( 69081 ) <cmholmNO@SPAMmauiholm.org> on Sunday January 08, 2012 @02:56PM (#38630908) Homepage Journal

    Did I forget to wind my watch, or is it 2000 all over again? Picking between different flavors of vanilla, and a few trillion dollars, a few thousand lives, some wonderful Federal legislation, zero wage growth, zero oversight of the financial markets...

    The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.

  • by artor3 ( 1344997 ) on Sunday January 08, 2012 @04:10PM (#38631406)

    Please, please, PLEASE stop spreading this lie. We can't run a country based on false information.

    The NDAA is a military spending bill. It gets passed every year. For several years it has allowed the military to detain members of Al Qaeda, and no one had a problem with this. In the latest version, this was expanded to cover members of other terrorists organizations, but it still states that it cannot be applied to United States citizens or immigrants.

    I know that doom and gloom is fun. It gets the blood pumping, and being outraged squirts some feel good chemicals into your brain. But stop spreading lies, and go read the damn thing. Claiming that the US is now a police state is the sort of lie I'd expect from Glenn Beck; no different from claiming that the government subsidizing people meeting with their doctor to learn about Do Not Resuscitate orders is equivalent to the Holocaust.

  • by Colin Smith ( 2679 ) on Sunday January 08, 2012 @04:43PM (#38631622)

    The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.

    Spot on. The political systems have degenerated to the point that revolution is required to make real changes.
     

  • by mosb1000 ( 710161 ) <mosb1000@mac.com> on Sunday January 08, 2012 @05:37PM (#38632040)

    If the government is corrupt, why would that corruption not extend to campaign finance reform?

  • by ohnocitizen ( 1951674 ) on Sunday January 08, 2012 @06:38PM (#38632460)
    Question: We've given way too much power to corporations and the government, and are about to be trapped in a fascist police state (where corporate and state power join... see SOPA et al for references). What can we do to welcome it with open arms?

    Answer: Fight among ourselves, either choosing the corporate side (because in the libertarian fantasy world where govts have no regulatory power, bullies do step in and do what they want), or the government side (where the government has a police state to smash immigration, protests, etc).

    Better Answer: Let's unite over what really matters: A system of government where votes count, money doesn't buy elections or politicians, and "we the people" actually do run the country. That means campaign finance reform. It means overturning Citizens United. It means getting rid of the electoral college. It means dumping primaries and instituting instant run-off voting. So we end up with a single national popular vote, with instant-run-off, no states getting to go first, and no vast sums of money polluting the discourse and purchasing politicians. That is what we fight for.
  • by CheerfulMacFanboy ( 1900788 ) on Sunday January 08, 2012 @06:40PM (#38632472) Journal

    You only get thrown into federal prison for doing illegal things, in America; if you're outside America you get drugs, stuck in nappies and an orange jumpsuit, abducted, flown to a foreign state known for torture, held and tortured then released in another country on the side of the road. All for having a name as common as Smith in the Arab world. https://en.wikipedia.org/wiki/Khalid_El-Masri

    And that was a citizen of a member of NATO.

    You forgot to mention "get detained and interrogated months after you have been identified as not being the guy they are after".

  • by Suddenly_Dead ( 656421 ) on Sunday January 08, 2012 @07:00PM (#38632608)

    Despite what you might think of Obama.. He's just doing the best he can.

    Bullfuckingshit. He signed NDAA and is likely going to sign SOPA and PIPA. That's not the "best he can". He got you a house, but the condition is that you and your countrymen can now be jailed indefinitely at his whim. Or, from what he's said, executed even on American soil. Hooray?

  • by Anonymous Coward on Monday January 09, 2012 @11:27AM (#38637592)

    The upside to that is he gets the satisfaction of putting that fucker away. The man that raped my 8-year-old daughter got out after two years because of good behavior, and now I have to decide between my little girl having a dad or knocking on his door, shooting him in his face, and then sitting down on his porch and calling the cops. It's been a year since he got out, and I still think about it every day. Fuck, every hour.
