The CyberWire Daily Podcast 12.22.15
Dave Bittner: [00:00:03] Reports claim Iran's hackers probed US infrastructure. Juniper's backdoor: fixes and implications. Surveillance policy in China, the UK, and the US. And calls for a Manhattan project to break encryption fall on skeptical ears.
Dave Bittner: [00:00:20] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information, security, assurance, and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:00:42] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, December 22nd, 2015. New Yorkers react to yesterday's report that in 2013, Iranian hackers gained access to control systems at a small dam in the downstate town of Rye. And the New Yorkers aren't happy. The Department of Homeland Security has declined to comment on the incident, but did note its continuing work with private and public sector partners to secure infrastructure. An AP report has also fingered Iranian cyber operators with multiple intrusions into the US electrical grid. These probes appear to have amounted to reconnaissance and data theft, as opposed to attempts to manipulate control systems.
Dave Bittner: [00:01:26] Administrators should patch the backdoor in Juniper's ScreenOS firewalls immediately if they haven't already done so. Unpatched systems are being actively scouted in the wild and attacks have begun hitting honeypots. No one yet knows – or at least no one who knows is saying – how the backdoor got there in the first place. Observers see potential for serious exploitation of unpatched systems.
Dave Bittner: [00:01:48] As debates over surveillance policy continue in several countries, analysts regard the Juniper backdoor as a cautionary tale for those who advocate crypto-backdoors to aid law enforcement and counterterror agencies. US presidential candidate Clinton called Saturday for a Manhattan-like project by government and industry that would enable investigative and intelligence services to access secure messages without compromising privacy or civil liberties. Few observers think such a project is feasible, but several current or aspiring policymakers repose great confidence in the tech community's powers of innovation.
Dave Bittner: [00:02:26] Manhattan-like project or not, Ed Snowden thinks secure app Telegram – said to be the ISIS app of choice for command-and-control – isn't really that secure. Telegram disputes Mr. Snowden's review.
Dave Bittner: [00:02:41] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a nonprofit that works with youth and educators to foster learning, creativity, productivity, and community through technology education. Learn more at digitalharbor.org.
Dave Bittner: [00:03:02] Joining me is John Petrik, editor of the CyberWire. Let's talk encryption. There is a big debate going on with encryption, and it's only been amplified by the tragedies in Paris. There are two sides to this story.
John Petrik: [00:03:16] There are two sides of the story. In a lot of ways, this encryption debate is the second round of debate that's been running since the 1990s. The crypto wars version one were fought back in the days when encryption was actually treated by United States law as really kind of a weapon. And its export was restricted. You couldn't have it – you could no more have encryption than you would be permitted, for example, to own a machine gun. The lawyers who fought and won the case that basically ended the first round of the crypto wars said that – to their client, that we think it should be possible to whisper in someone's ear from a thousand miles away. And it was that kind of libertarian sentiment that animated the pro-encryption side back then and continues to do so now.
Dave Bittner: [00:04:05] I've heard two main arguments about encryption. On the one side, you have law enforcement saying that we need a backdoor, we need access. There are there are things hidden on bad guys' devices, there are things hidden on good guys' devices that would help us solve crimes. On the other hand, you have – it seems like the device manufacturers and other parties are saying people have a right to their privacy.
John Petrik: [00:04:31] Neither side is lunatic. When law enforcement says that there are serious bits of information hidden by encryption on bad guys' networks, on bad guys' devices, they're right. There is a lot of stuff hidden by encryption. And of course, encryption can be used to cloak all sorts of criminal activity. On the other hand, the people on the other side will argue – and they're also correct – that if there is such a thing as a natural or a legal right to privacy, it seems that the ability to secure your communications from eavesdropping by whomever is an important guarantor of that right.
John Petrik: [00:05:08] So really, when you look at the debate, there are ways in which it is strikingly similar to debates within American politics over gun control – also an issue over which neither side is lunatic. Both sides have their points. You've got – you're balancing a natural right to self-defense, let's say, against a natural right to safety. And how you adjudicate that is not at all obvious. So we might say that if you want to understand the pro-encryption side here, they're saying in effect that crypto doesn't kill people – people kill people.
Dave Bittner: [00:05:40] So why not have a backdoor? What are the technical limitations for why, you know, computer scientists can't provide law enforcement with some way – perhaps under a judge's order – to have access to devices.
John Petrik: [00:05:54] There's no technical reason why you can't put a backdoor into a device. And in fact, backdoors are discovered all the time in devices. Here's the problem with it, that the encryption people will tell you. Once you put a backdoor into a device, once you provide some way of subverting encryption and weakening encryption, what you've effectively done is you've weakened the whole Internet. That you make it not only possible and easier for law enforcement to get into your devices – you make it possible and easier for everybody to get into your devices.
Dave Bittner: [00:06:24] All right. It's a complex issue. John Petrik, editor of the CyberWire, thanks for joining us. We'll talk again soon.
Dave Bittner: [00:06:32] A note to our listeners, the CyberWire will be taking Thursday and Friday off for the Christmas holidays. We'll resume normal podcasting on Monday, December 28.
Dave Bittner: [00:06:41] And that's the CyberWire for links to all of today's stories, along with interviews, our glossary and more. Visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening.