LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security quotes of the week

[Posted October 26, 2011 by jake]

From a technical perspective, it's simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe's servers.

The policy side is even worse. What if the FBI wanted to bug you? Could they get a court order compelling Adobe to make an access control decision that would turn on your microphone?

-- Steven Bellovin

We've also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs' gmail, then I expect they'll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware. Hey, I removed the Tubitak key from my browser, but how do I identify and block all foreign governments' UEFI keys?
-- Ross Anderson
(Log in to post comments)

Security quotes of the week

Posted Oct 27, 2011 15:17 UTC (Thu) by drag (subscriber, #31333) [Link]

> The policy side is even worse. What if the FBI wanted to bug you? Could they get a court order compelling Adobe to make an access control decision that would turn on your microphone?

It's worse then you may think.

They will require by law that Adobe designs their software to provide this functionality. This is the typical thing they are trying to do for any sort of software that does VoIP or related type things.

Security quotes of the week

Posted Oct 28, 2011 11:02 UTC (Fri) by josh (subscriber, #17465) [Link]

That sounds like a problem which applies to all proprietary software. This suggests a rather obvious solution. :)

Security quotes of the week

Posted Oct 27, 2011 22:45 UTC (Thu) by dthurston (subscriber, #4603) [Link]

Note Steven Bellovin has posted an update; he had misunderstood Adobe's design a little at first.

Security quotes of the week

Posted Oct 28, 2011 11:02 UTC (Fri) by josh (subscriber, #17465) [Link]

Some of the comments on Ross Anderson's post seem misinformed to a disturbing degree.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds