How the feds asked Microsoft to backdoor BitLocker, their full-disk encryption tool


As the astonishing news that the NSA spent $250M/year on a sabotage program directed against commercial security systems spreads, more details keep emerging. A long and interesting story on Mashable includes an interview with Peter Biddle, an ex-Microsoft security engineer who worked extensively on BitLocker, a full-disk encryption tool with a good reputation that was called into question by the latest leaks. Biddle (disclosure: a friend of mine) describes how he was approached to add a backdoor to BitLocker, and how he rebuffed various government agencies.

In the case of Microsoft, according to the engineers, the requests came in the course of multiple meetings with the FBI. These kinds of meetings were standard at Microsoft, according to both Biddle and another former Microsoft engineer who worked on the BitLocker team, who wanted to remain anonymous due to the sensitivity of the matter.

"I had more meetings with more agencies than I can remember or count," said Biddle.

Biddle said these meetings were so frequent, and with so many different agencies, he doesn't specifically remember if it was the FBI that asked for a backdoor. But the anonymous Microsoft engineer we spoke with confirmed that it was, in fact, the FBI.

During a meeting, an agent complained about BitLocker and expressed his frustration.

"Fuck, you guys are giving us the shaft," the agent said, according to Biddle and the Microsoft engineer, who were both present at the meeting. (Though Biddle insisted he didn't remember which agency he spoke with, he said he remembered this particular exchange.)

Biddle wasn't intimidated. "No, we're not giving you the shaft, we're merely commoditizing the shaft," he responded.

--------------------

Posted by Cowicide: Speaking of encryption... I had an interesting "response" from Apple. This is what I posted at Apple's official tech support "discussions" forum:

Has anyone proved or disproved that Apple's DMG format is lacking a backdoor to allow the ATF, NSA, FBI, DEA, etc. access to the data within them?

I'm not suggesting that I believe the AES encryption itself has an issue, I want to know if anyone has been able to independently verify that Apple's implementation with DMG is lacking a backdoor that can bypass AES.

We already know there's a backdoor for iPhones that Apple will access for law enforcement.

http://news.cnet.com/8301-13578_3-57...ypt-iphones/11

Is an Apple DMG also subverted with a backdoor as well?



Technews site article
Hacks continue as FBI claims to have dismantled Anonymous

The FBI is claiming to have dismantled the hacker organization Anonymous. But shortly after an official's statements were published in the press, Anons dumped large amounts of data that appears to have been stolen from FBI servers.

Article: http://www.globalpost.com/dispatches...nt-anonymous#1