""" IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data."
A spokesperson ... did not comment further on whether source code had been handed over to a government agency for any other reason. """
I'm glad the author pressed them further ("for any other reason"). So many times we see such statements like this from companies but nobody bothers to ask the obvious (to me) follow-up question.
Well, the obvious one is that IBM Federal Systems does an enormous amount of system-building (including programming) for the Federal government. I would presume that the Feds get the code for every one of those contracts. There are probably others.
Trying to list all the circumstances when the Feds get IBM source code, without having it look like the Feds just get everything, might be problematic...
I assure the Feds don 'think get the source code. Vast swaths of leadership in government are unaware there is a difference between compiled code and source.
There's a difference between providing some source code and providing the entire source code. I do not believe anyone outside of Microsoft has access to the entire source code.
Not a single person inside Microsoft would have access to it either, because some parts of the system have other companies' trade secrets, like HDCP keys or hardware drivers.
My point exactly, no one person has access and even if they did, the keys are the truly sensitive components that no one person probably has access to directly.
In terms on encryption, it is well-known that security by obscurity is a bad idea. A well-designed encryption system should be safe even if it open-source. E.g. PGP. Having the source code should not help one bit.
However, access to the OS source code does let people search for various yet-undiscovered exploits, and use them for evil.
Serious question, would source code be useful to a government agency? Is there enough knowledge and expertise that exists outside of the organization that builds the software to be able to make much use of software as complex as iOS?
This is one of the oldest conspiracy theories on the Internet. It has been comprehensively and repeatedly debunked. It doesn't even make sense as a backdoor, given its function. Here's the best link on HN about it:
That was just a naming convention. When asked why it was called NSAKEY, Microsoft said this:
>This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to be known within Microsoft as "the NSA keys", and this was used as a variable name for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.
Wow.. How come nobody is bringing THIS up whenever the FBI tries to assure us that the bypass they want from Apple will never get leaked into the wrong hands?
The NSA can apparently find vulnerabilities in iOS without the source code so I would assume they could find (more of) them more easily with the source code.
Well first they ask for iOS source code, then they ask for the update or app signing key (kind of how they asked for Lavabit's SSL key). Then the real fun begins.
However, it's a little funny that the US gov uses the Lavabit case as an example - Lavabit shut down to avoid giving it the key.
Documentation and getting to build/use it feels to me like support, and I feel that needs to be billable. The source code is the raw product, which is also of value/crown jewels. But it is easier to give it to someone, then to support it.
So can the government force companies to assist them and to what extent? From the article it is suggested that Dell, Huawei, and Juniper have already done so.
But how where they compensated, because engineering time is not cheap, or where they given software backdoors and told to integrate them.
I don't think we will ever know. But would be interesting to know how managers had to explain to the bean counters, that limited resources was spent on project "top secret" instead of a real project making money.
They get paid. Telecoms do as well, they actually have billing schedules for wiretaps.
> ...managers had to explain to the bean counters...
You've got it backwards, the lawyers explain to the executives who then explain to the department head who then explains to a manager who then explains to a senior team leader who then assigns the work. At the end of the telephone game it looks like any other incomprehensible contract requirement.
It's hard and really expensive, I don't think any big company would like to do that.
For large shops, source code building is non-trivial. It may require proprietary toolchains, metadata stored in some other dbs, or specific hardware / environments.
And the toolchain may even not work outside the shop, e.g., depending on internal infras.
Related: There's currently a proposal ("Reg AT") from the CFTC (which regulates futures trading in the US) that would require all algorithmic traders to provide routine access to their source code, without a court order.
... or voting machines.
I must say I don't particularly like the rather unpleasant arguments that almost make themselves from those particular facts. That money indeed is considered more important than both safety and fair voting.
All it takes is one brave soul to gain standing and the entire FISA system goes belly up in a real court. As long as everyone cooperates the farce goes on. Generally people who work at big companies and get these NSLs (likely lawyers) are unlikely to be that person.
Unfortunately, establishing standing is the hard part of the equation. And by hard, I mean effectively impossible. Clapper showed that quite clearly. And even in those instances where it might be possible, the DOJ will drop the case in question before they risk an undesirable ruling.
There are layers below Linux, which unfortunately are often proprietary. Do you have the source code for your computer's firmware? For your hard disk's firmware? For your CPU's microcode? If you don't have all of these (and more), the playing field has not been completely leveled.
It's not about the source but the private keys. See my other comment here. The same problem is real with the Linux distribution and the owners of the distributions too. Nobody reads the source of everything that is changed with every signed update.
A spokesperson ... did not comment further on whether source code had been handed over to a government agency for any other reason. """
I'm glad the author pressed them further ("for any other reason"). So many times we see such statements like this from companies but nobody bothers to ask the obvious (to me) follow-up question.