The backdoor policy fallacy

Here’s a story that may sound familiar to you, because it actually is.

Picture Joe the contractor. Joe is just an average Joe, maybe like you and me…It was a sweltering day. The air shimmered over the concrete floor of the small construction site. Joe wiped his brow with the shirt he had taken off a few minutes earlier.He was pretty content with the progress he had made. Maybe one more day and the bricklayers could finish the outer walls.

Joe was building a store house for his supplies and tools. Being a plumber he had no fancy equipment’s, but could not afford to lose either his stock or his tools; it would put him out of business or it would put him into an insurmountable debt.

He sat down to take a break and thought back to his conversation with his neighbour from across the road. His name was Edward, and he used to work for a strange company. Something to do with snooping, breaking and entering. Joe had no idea if any of what they did was legal, but he surmised that it had to be since nobody from that company ever got arrested and the company managed to stay out of the news pretty well. When Joe told Edward that he was to build the store house, Edward asked him lots of questions on what he planned to do about securing the place.

Edward seemed to know a lot about which kind of criminal would make a specific effort to break into the store house to get at his things.It turned out that most precautions were quite easy to implement and so Joe modified his design plans accordingly. But then they came to the subject of locks. This was where Edward’s eyes began to burn with a fire.”Do not use any locks approved by my company!” he said. “All these locks have a little pin inside that you can flip with a specifically bent paperclip and then the lock will just open.”Joe never had heard of that and asked Edward if it was common knowledge on how to bend the paperclip. Edward’s countenance flushed into the crimson when he started a long litany on how the simple knowledge that you could bypass the key was enough for criminals to start analysing the locks and creating their own paperclip warping technology.

“And this is not even the worst of it. At some point this knowledge will be spread to others with less resources and from there to little school going hoodlums and from there to every little kid that wants to see what behind lock number 1 was!”

Joe kind of lost him, but what he understood was that it is just a matter of time when little Hector from two blocks away would be taking a look see into his store house. Hector was a nosey little fellow.

That evening, while he let his bath run, Edward briefly came back into his mind. “Funny, I never see the guy around anymore,” thought Joe. “I sure hope they don’t add these paperclip unlockers in every lock. Otherwise I have no choice but sleeping with my tools or letting the little Hectors run off with it whenever they want.” “Edward said something about the bad guys not being able to ‘ensconce’,just another fancy word for holing up, themselves since the law could open any locks, but that surely could not mean that billions of people around the world should be just as ‘unsafe’ as the few bad guys…”

Now we should leave Joe while he unwinds and enjoys some hard earned R&R time, maybe it is time to look at the practices from the electronic world. Using convoluted reasoning and massive amounts of FUD, people are being told that agencies like the NSA having ‘backdoors’ in cryptographic algorithms or implementations is a security precaution. But, just as in Joe’s story, just the knowledge of a loophole being in place makes the whole cryptography merely a method of wasting energy (no matter how efficient an algorithm, it uses CPU cycles and therefore it uses power).

Finding something when you know it exists is ridiculously easier than maybe finding something when you do not know whether or not it exists at all. If something like in Joe’s story would be real, you would expect a massive outcry and resistance, wouldn’t you? Well, the story of Joe is not far fetched at all, since the TSA already has that exact scenario in place for years. Except that they ‘do’ allow you to protect yourself with stronger locks which are not TSA approved, under the proviso that they might wreck your whole luggage if they want to sniff your underwear.

In the electronic world, this scenario, if allowed to become an accepted reality, is even more disastrous. There is simply no protection against the millions of bad guys on the internet (and they have hundreds of millions of autonomous bots coming at you as well) if we cripple encryption.

Finance, communications, medical data, tax information, private photo’s,music, video, transport, memories and more, the electronic ‘us’ is thereal ‘us’, deserving just as much safety as the physical ‘us’. And all of this just so a few keyboard cowboys can take credit for a couple of, purported, prevented terrorist attacks.

Personally, I am more terrified by a world that has flawed-by-design crypto than a world where I have a chance to be victim of a terroristattack; the chance of becoming an electronic victim nears 100% whilst the chance of becoming a terrorist victim still stays well below 1%.Where once only specific systems were hotspots of electronic conflict, we now see that almost any device, almost any peripheral, is being employed in the activities of the illegal gathering of information.

by Adrianus Warmenhoven, Security Evangelist at RedSocks

Back to overview