If anybody from the NSA reads this, I have a serious question.
Have you all scanned what Snowden stole/liberated (whatever floats your boat) for government backdoor and/or “master password” references? Were there any government backdoor and/or “master password” references stored in the systems he had access to?
OK, in English now… for a long time there have been rumors of backdoor and/or “master passwords” for all computer systems. With a certain password for a certain system, an “authorized” person could get full access.
There really are “master passwords” currently in place for PC BIOS systems, all vehicle-embedded systems, and even on all iPhones. (Seriously. It’s not a secret that “alpine” works for full SSH access on all iPhones.)
To make things even more interesting, since 1984 there have been ways to put backdoor and/or “master passwords” into compilers so not even programmers who make applications on their own would know such a backdoor and/or “master password” was put into the app they just created.
Cool, huh?
You do need a specialized program to access each of these systems, sometimes you also need local access to the device, and most of the Google-able backdoor and/or “master passwords” that show up are for things like maintenance and root-level hijinks, not “watch what people are doing live” kinds of things.
Regardless, I would bet there’s just a few backdoor and/or “master passwords” reserved for the government that are already embedded in some critical systems. I would also bet with the right password combination, a “watch what people are doing live” kind of thing could be set up with no problem.
All theoretically, of course.
Snowden stole/liberated somewhere between “too much” and “oh dear God” levels of data from the NSA. Now all that data was classified information. Communications. Transfers. Notes. Reports. Stuff not meant to see the light of day for some reason or other (justified or not).
I’m thinking things like this were in the pile of data…
- Senator John Doe thinks Ambassador Moe Howard has a funny haircut, smells bad and isn’t too smart. This should remain classified because we need to make nice with Ambassador Howard for now, but if it got out, no big deal. Doe and Howard could work it out over a golf game and some scotch.
- Senator John Doe is on the top secret Kinetic Intelligent Satellite Striker (KISS) committee – well, that’s bad, but not world-ending. There’s not much hard proof about this project, the locations are all buttoned down, and there’s nothing other countries can act on directly.
- Senator John Doe used the password “BOHONKUS” to access files from a Dell Latitude E5430 system on an ambassador’s laptop from a country currently designated as “hostile”.
That last one? Clearly naming the government backdoor and/or “master password” for a specific system and purpose?
If that gets out, it can be used by ANYONE. Anywhere. Anytime. You can kiss EVERYTHING that backdoor and/or “master password” is embedded in goodbye forever.
Plan on everyone using that backdoor password, and by everyone I mean especially…
- The Chinese “we’re not hackers – we’re just curious” brigade
- Russia
- North Korea
- ISIS
- Bored Americans
As an extra bonus, there’s no resetting a backdoor and/or “master password” on most embedded systems without local “hands on” access. No way to erase it. No way to change it. No way to block it.
I don’t know if Snowden would or would not release something like this if he found it in his data pile, but I guarantee a hostile government with access to this information would use it without question.
Which brings me back around to my question for the NSA.
Has the NSA scanned what Snowden stole/liberated for government backdoor and/or “master password” references? Were there any government backdoor and/or “master password” references stored in the systems Snowden had access to?
Finally, if there are backdoor and/or “master password” references in the pile of data Snowden has, what is the worst case scenario if a hostile entity uses this password to access the system(s) it is embedded in?
It’s going to be a terrible thing to admit to the U.S., but if there is a backdoor and/or “master password” reference of any kind in Snowden’s data pile, we need to do something about it right now.
The alternative would be far, FAR worse.
Any compromised systems for private citizens or commercial businesses would need to be updated as soon as possible.
Any compromised military systems would need to be taken offline IMMEDIATELY and kept out of active service until they have all been secured.
And NSA, going forward, if you’re going to ignore that “unreasonable search and something or other” part of the Constitution and put in backdoor and/or “master passwords” on some systems, please install VERY secure backdoor and/or “master passwords” that require multi-factor authentication that can be changed or be deleted if necessary.
The back door needs to be more secure than the front door.
At the bare minimum, I suggest a DIFFERENT password for different series of devices and/or software with something like a random key fob authentication system for each.
For example…
- The backdoor password for Dell laptops model A with serial numbers 00001-10500 would be DWW-TATANKA.BUFFALO synced to key fob series ALPHA-9.
- The backdoor password for Dell laptops model G with serial numbers 00001 – 10500 would be CJLP-TEA.EARL.GREY.HOT synced to key fob series ALPHA-3.
- The backdoor password for accessing everything the “Angry Birds” app sends to the NSA would be HONEY-WHERE.IS.MY.SUPER.SUIT synced to key fob series BETA-111
- Etc.
Make a different password string for each manufacturer’s series and each manufacturer’s model numbers. Tie all of that into a version of a key fob multi-factor authentication generator for final access.
After this update, to access a system’s backdoor, you would not only need the “master password” embedded in the device, you would also need the randomly synced password that would be generated on the key fob to proceed.
Worst case – if a master backdoor password is compromised or stolen by a future Snowden, it would be useless in and of itself without the key fob generator to finish “opening the door” and it would only be valid on a limited set of systems. If both a master backdoor password and its’ correlating key fob system were compromised, you would only risk access to a limited series of systems.
That’s the minimum recommended civil-rights violations per serving. Seriously. No more single word passwords for an entire warehouse of systems or for all software made with compiler X.
I know there’s insanely more complex ways of implementing backdoor access, but depending on the “audience” using the backdoor passwords, the NSA guys need to keep it accessible by the non-tech-savant crowd and reasonably quick as well.
Systems from the 80s, 90s and 2000 era are still out there. Applications built and modified on top of existing systems in this time period are legion. Only the NSA knows if there’s really such a thing as backdoor single-word-passwords and where they might be installed at.
To quote Forrest Gump, “that’s all I got to say about that.”
Now back to silly cat photos, already in progress.
Pingback: Much ado about nothing : why no law enforcement agency needs a “master backdoor” | Royce Eddington
Pingback: FOSCAM cameras compromised. Affected models should be disconnected. | Royce Eddington