
Or explaining why they allow those backdoors to exist in the first place?


This is one of those "if X has access, so does everyone else" and rule makers still don't seem to grasp it.


"Because I can log into my sshd, so can everyone else"...? We are not talking about weak crypto here (though AFAIK 5G crypto is designed to be decidedly not E2E), but rather access to the data processed by these systems. There is no particular reason why granting e.g. the NSA access to a stream of CDRs would immediately give others access.


I don't think anyone is saying immediately, but these are long-lived fairly static systems.

I'm going to assume that you probably update your server's SSHd at least semi-regularly and that if SSH turns out to be broken 20 years down the line, you will probably be switching to something better either manually or when you eventually replace your hardware and reinstall the OS.

This kind of infrastructure is meant to last for decades. Imagine if the original GSM contained a backdoor with the state-of-the-art crypto of the time. Would it still hold up today? Hell, you don't have to imagine - a mid-range smartphone these days can crack a lot of GSM traffic.

Besides that, there's also the problem that not only are these things usually not done with state-of-the-art tech, but leaks happen all the time and it only takes one mistake* for the privkeys to become known.


Why would the UK or Germany be interested in granting the NSA access? Those are some of the places where the US government is spending lots of effort to keep Huawei out.

So yes, any intervention like that seems to me to be less about "the Chinese can snoop" and more about "we can't".


If you're able to retrieve the private key, then yes, you're able to generate a working public key. If they even use a (pre-generated) private key. Often, passwords are even hard-coded in "firmware".


Pretty sure it's legally required by the Communications Assistance for Law Enforcement Act[1] from 1994. I'm not 100% sure, however.

1: https://en.wikipedia.org/wiki/Communications_Assistance_for_...


Back in the day CALEA compliance meant you had to provide network connectivity and a signaling mechanism to specify what you wanted to be replicated to you. That meant voice calls and in some cases defining a network ACL for packets (I knew folks who had to implement at router manufacturers - it was a hack that reused some of their multicast code base). The key part was an operator couldn't log in to a device to see a CALEA intercept in progress or who was targeted. However, due to the nature of how the replication/intercept was implemented you could see the results of it. High CPU, traffic leaving the box that didn't make sense, etc. I know one vendor who actually provided the trigger to the govt in the form of an SNMPv3 query (and the community string was hard coded in the OS/binary...).


Just so we're clear, are we talking about lawful intercept (i.e. capabilities built into the system so the telecom can comply with warrants), or dragnet or otherwise warrantless surveillance? I'm not against "backdoors" for the former, but am against "backdoors" for the latter.


I mean, now you're just talking about intent, and thus have to trust that the intent is as claimed. Crypto doesn't discriminate on whether you have a warrant or not.


> Crypto doesn't discriminate on whether you have a warrant or not.

Actually, backdoors could be implemented to require a cryptographically signed warrant. Think e.g. lawful intercept on mobile network routers, US (or any other nation's) law could just add this as a requirement. You could even develop a complicated scheme to apply this to E2E crypto.

But of course skewing the RNG to be predictable, or implanting some hardware backdoor, is much easier and has the added bonus of being usable to spy not only on your own citizens, but also on other nations.


Then it just needs a valid signing key. Every government (local, state, national) in the world has the right to a valid signing key.


>Crypto doesn't discriminate on whether you have a warrant or not.

Okay, let's say the telecom equipment doesn't have a backdoor for lawful intercept. What happens if the telecom is served with a warrant? Are you expecting that the telecoms will refuse to cooperate with the authorities?


I'm not really making a statement about that. All I'm saying is that if you have a backdoor that can do the former, it must necessarily also be a backdoor that can do the latter.


They'd probably be able to co-operate anyway, but it'd require manual intervention by telco employees. What makes these US-mandated lawful intercept backdoors particularly nasty is that they provide an automatic way of exfiltrating data that is designed to conceal its use from employees - in essence, a built-in rootkit that compromises the integrity of telecoms systems even in countries that don't actually want this kind of backdoor. This isn't a hypothetical issue; the US has reactivated this feature to spy on politicians in countries that didn't actually want or need it on their exchanges in the first place.


No, if there's no lawful intercept, they can cooperate fully, but it won't matter because there's nothing to get.


They shouldn't refuse, but they should be allowed to be unable to cooperate.


> why they allow those backdoors to exist in the first place?

To catch bad guys and protect the children.


Pedophiles. It is always because of pedophiles.


terrorists and pedophiles duh :^)


"Or explaining why they allow those backdoors to exist in the first place?"

Nobody that matters needs to be convinced of the value of 'back doors'. Only a minority of the American public and privacy types are very concerned.

Certainly the other government agencies i.e. UK/Germany would take it as a given in terms of 'why' such back doors are there.

There's a reference above to the WaPo article yesterday revealing the longest-running and best surveillance program by the US. It was run out of Germany. The Germans were wary of using it too broadly, but they were otherwise fully behind it, and their intel agencies balked at closing it down.

It's not really even very political: certainly, Democrats would be 'mostly' onboard - there isn't really much of a political base against it other than perhaps the Libertarian crowd.

I should add, some major US industrialists like Apple and Google probably do care a lot, and they do matter and do have influence. But probably not enough.

So while many of us may disagree, it's not at the end of the day as controversial as we may think it is.



