Hey, Saddam! Better Order Your iMac Fast! (Maybe.)

by John Martellaro

September 12th, 1999

 

"I'm sick of the way the government sticks its nose into everything, now."

-- Robert A. Heinlein

"That government is best which governs least."

-- Thomas Jefferson

 

On August 27th, the Federal Communications Commission issued an order requiring all phone companies to modify their equipment so that more information would be available to agencies conducting electronic surveillance. One of the controversial elements of that order is that it must be possible to determine the location of any transmitting cell phone.

There is no indication, however, that those agencies conducting surveillance would be using this facility for all callers, all the time. It is presumed that a search warrant must be issued before this kind of "wiretapping" is authorized, and the agency must provide strong evidence that suggests criminal behavior.

Nevertheless, the incident raises the Jeffersonian question: Do we limit the excesses of Government by limiting their power, or do we do it by granting them lots of power and then expecting them to use it wisely? The answer to this question is left as an exercise for the student of history.

CALEA

In 1994, Congress passed the Communications Assistance for Law Enforcement Act (CALEA). This was in response to the FBI's stated concern that new digital electronic communication systems would make it impossible to conduct wiretaps. Mechanisms had been in place for many years that allowed law enforcement officials to eavesdrop on analog phone signals, but the fast-emerging digital technology did not provide the same easy mechanism for lawful wiretaps. CALEA was intended to extend traditional capabilities to the new digital media.

The debate right now is that CALEA was never intended to include the ability to locate someone using a cell phone. My guess is that the FBI, currently having the ability to locate any telephone on a land line, merely wishes to extend this capability to cell phones, in those cases where law enforcement is the motivation. The deadline for the implementation of this tracking feature is June 30, 2000.

Another issue related to CALEA is that the act appears to require carriers to design their equipment so that communications are withheld from the Government when the Government has no legal authority to monitor the transmission. In contrast, the FCC has not yet required carriers to protect the privacy of Internet communications (even when not encrypted). Moreover, industry representatives said that designing their equipment to always protect privacy was "too hard."

Enter the DOJ

A week before all this, it was reported that the Department of Justice was going to ask Congress for the authority to allow their federal agents to break into any home or office, again with a lawful search warrant, seize passwords and secretly plant monitoring devices in computers suspected of illegal activities. The legislation is the Cyberspace Electronic Security Act (CESA) and you can read more about it here.

Once again, the issue is not the lawful monitoring of computers used for illegal activities; the issue is the circumstances under which the Federal Government decides that a computer system and user qualify for this kind of attention. Clearly, ordinary users should have nothing to fear, and Jimmy Wilson in El Segundo need not worry about Federal agents breaking into his parents' house to plant eavesdropping devices into his iMac. But anyone who is familiar with the Federal Civil Asset Forfeiture Act knows that abuses make headlines equal to the successes in laws of this nature.

Some analysts see these two initiatives as building blocks for a massive surveillance system which could be abused. Others contend that these laws simply extend traditional law enforcement capabilities into Cyberspace. After all, just because a police officer has the authority to stop you from speeding doesn't mean that, after writing a ticket, he'll beat the crap out of you for the fun of it. Does the fact that such abuses, in fact, do occur mean that honorable police officers should be stripped of their authority to enforce traffic laws?

It's a very sticky issue.

Microsoft and the NSA Key

All of which brings me to the subject of the hidden keys in Microsoft Windows. You probably already read the story about Andrew Fernandes of the Cryptonym Corporation (in Canada) who was doing a security analysis of the Windows "CryptoAPI" architecture. He discovered, in Windows NT Service Pack 5, that crucial symbolic information had not been deleted in the build and that reference was made to an "NSA" key. Cryptonym published a press release on 31 August and jumped to the conclusion that NSA was actually in possession of the key required to break into any Windows computer, Win95, Win98, WinNT or Windows 2000. Immediately afterwards, Microsoft issued their own press release stating that neither the NSA nor anyone else is in possession of any key that would allow them to secretly enter a Windows computer. Read it for yourself.

Of course, the issue that Microsoft so neatly sidestepped is: What would their response be to a Federal Court order to supply the key to a Federal law enforcement agent?

The answer, again, is left as an exercise for the judicially minded reader.

So the upshot of all this is that the Federal Government has energetically sought to obtain the legal means to wiretap and intercept communications of any kind when they suspect that criminal activity is going on with computers and the Internet. Then we find out that there are hidden keys in all copies of Windows which could allow access, provided a search warrant was issued. (Or, in the case of Saddam Hussein's personal Windows 98 machine, they just barge in, I guess.)

What does a Macintosh owner make of all this? Can we reasonably argue that, since the Macintosh has only 10% of the market, the Federal Government is not interested in enforcing the law for those sleazeballs who use a Macintosh? If so, and if it became general knowledge among crooks that the Macintosh had no hidden keys, it would quickly become the computer of choice for them. Conversely, if Microsoft was encouraged to incorporate such a back door into its operating system, then what about Apple Computer?

Aha! My OS is Open Source

In time, we'll know more about Apple's position with respect to all this. In any case, all this fuss makes a very powerful case for the Open Source operating system. You may not have the technical savvy to scan several megabytes of source code, but there are people who can, and they can make assertions about the security of the OS. Then you can download this free OS, say Linux, compile it yourself or use a digitally signed binary, and you have some assurance that your OS is secure from possible abuses of power by unethical Government agents -- or hackers privy to the special secrets.

Finally, Apple's handling of the G4 ROM block incident does them some damage. In another essay, I will talk about the ethics of that action, but the fact remains that every little abuse and ethical breach raises more and more questions about software that does not disclose what it really does.

Eventually, the only tenable market position is to make the operating system and all important software Open Source. Linux is pure of heart. Apple has started on that path. What about Microsoft? I doubt if they can change the direction of their ship. The iceberg is there, waiting, and Microsoft can do nothing about it but take the hit and take on water.

And we haven't even hit January 1, 2000, when, according to InfoWorld (Sep 6, 1999, pages 1 & 29), 200,000 different viruses will be launched against Windows.

So far, at least, Apple Computer, Inc. retains our trust and respect.

So far.


Copyright 1999, John Martellaro. All rights reserved.