With software auto-update in a fully personalized digital world, there is no need for back doors. Were active defense to go in the direction of diversity compilers, comparing updates would be uninformative. --dan
You always have similar concerns with any closed source software (or even open source you haven't audited yourself). Or am I missing a new problem that occurs with auto-updates? On Mon, Dec 21, 2015 at 3:17 PM <dan@geer.org> wrote:
With software auto-update in a fully personalized digital world, there is no need for back doors.
Were active defense to go in the direction of diversity compilers, comparing updates would be uninformative.
--dan
On Mon, Dec 21, 2015 at 11:23:30PM +0000, nosphalot wrote:
You always have similar concerns with any closed source software (or even open source you haven't audited yourself). Or am I missing a new problem that occurs with auto-updates?
I presume the suggestion is that vendors can cooperate with LEAs to selectively send targets DIFFERENT and TROJANed updates because they know who they are via all the "telemetry" and marketing tracking they do and know which system is requesting updates and who it belongs to. This is a different kind of cooperation than simply handing over user data... or secretly sharing the fruits of their OWN spyware (keystroke loggers intended to collect data to optimize search or UIs for example). And because such bogus updates would be specifically targeted (maybe even with court ordered search warrants), it would presumably be less objectionable as some form of legal process might have determined that the system or software user is a "bad guy" legally subject to being provided with such malware. And normal users would not be. Obviously a defense is to determine if your system has a different update binary (or code images in memory), but Dan points out that the recent trend toward techniques such as address space randomization and perhaps even different binaries from different compilers and code optimizers (which reduces attack surfaces for traditional malware a lot) might also make it a lot more difficult to determine if the differences were just protective and the software images functionally equivalent if not identical at the binary level or whether some one of them contained backdoors or malware or trojans... not present in the normal release. This all WOULD provide backdoors only for targets, not the rest of us... but also make the vendor at least indirectly an untrusted party due to the potential that what appears to be a legitimate valid update from him might instead be a trojan from the government (some government, somewhere). Might be better than having every copy equipped with a backdoor, but also would of course be subject to various strategies of evasion... depending on whether it was possible to obtain generic off line update binaries (as it is now for the most part) anonymously.
On Mon, Dec 21, 2015 at 3:17 PM <dan@geer.org> wrote:
With software auto-update in a fully personalized digital world, there is no need for back doors.
Were active defense to go in the direction of diversity compilers, comparing updates would be uninformative.
--dan
-- Dave Emery N1PRE/AE, die@dieconsulting.com DIE Consulting, Weston, Mass 02493 "An empty zombie mind with a forlorn barely readable weatherbeaten 'For Rent' sign still vainly flapping outside on the weed encrusted pole - in celebration of what could have been, but wasn't and is not to be now either."
All valid points I wish I had thought of. The generic off line update could very easily detect the user once installed and update itself to a backdoored version as needed. On Mon, Dec 21, 2015, 4:09 PM David I. Emery <die@dieconsulting.com> wrote:
On Mon, Dec 21, 2015 at 11:23:30PM +0000, nosphalot wrote:
You always have similar concerns with any closed source software (or even open source you haven't audited yourself). Or am I missing a new problem that occurs with auto-updates?
I presume the suggestion is that vendors can cooperate with LEAs to selectively send targets DIFFERENT and TROJANed updates because they know who they are via all the "telemetry" and marketing tracking they do and know which system is requesting updates and who it belongs to.
This is a different kind of cooperation than simply handing over user data... or secretly sharing the fruits of their OWN spyware (keystroke loggers intended to collect data to optimize search or UIs for example).
And because such bogus updates would be specifically targeted (maybe even with court ordered search warrants), it would presumably be less objectionable as some form of legal process might have determined that the system or software user is a "bad guy" legally subject to being provided with such malware. And normal users would not be.
Obviously a defense is to determine if your system has a different update binary (or code images in memory), but Dan points out that the recent trend toward techniques such as address space randomization and perhaps even different binaries from different compilers and code optimizers (which reduces attack surfaces for traditional malware a lot) might also make it a lot more difficult to determine if the differences were just protective and the software images functionally equivalent if not identical at the binary level or whether some one of them contained backdoors or malware or trojans... not present in the normal release.
This all WOULD provide backdoors only for targets, not the rest of us... but also make the vendor at least indirectly an untrusted party due to the potential that what appears to be a legitimate valid update from him might instead be a trojan from the government (some government, somewhere).
Might be better than having every copy equipped with a backdoor, but also would of course be subject to various strategies of evasion... depending on whether it was possible to obtain generic off line update binaries (as it is now for the most part) anonymously.
On Mon, Dec 21, 2015 at 3:17 PM <dan@geer.org> wrote:
With software auto-update in a fully personalized digital world, there is no need for back doors.
Were active defense to go in the direction of diversity compilers, comparing updates would be uninformative.
--dan
-- Dave Emery N1PRE/AE, die@dieconsulting.com DIE Consulting, Weston, Mass 02493 "An empty zombie mind with a forlorn barely readable weatherbeaten 'For Rent' sign still vainly flapping outside on the weed encrusted pole - in celebration of what could have been, but wasn't and is not to be now either."
participants (3)
-
dan@geer.org
-
David I. Emery
-
nosphalot