Apple v FBI

How FBI vs. Apple could cripple corporate and government security

The implications go way beyond whether law enforcement can unlock an alleged criminal's phone.


The impact on communications and the Internet

In previous statements, FBI director James Comey also expressed concern with encrypted communications, like iMessage, where the government can’t access the key. Businesses depend on secure communications on multiple levels, ranging from employee communications to secure transactions with partners and services.

With some of these systems the government can mandate backdoor access, forcing a provider like Apple or Facebook to keep records of communications, or at least have the ability to sniff communications when required.

But not all these systems are centralized. Enterprises commonly set up their own hosted communications systems since they don’t trust external service providers or for regulatory reasons. If a tool like iMessage requires access, what about VPNs? Secure connections to websites and email servers? Secure messaging systems? Secure file transfer systems? Financial transaction systems that run over the Internet?

All of these rely on the exact same set of foundational technologies, and all are abused by criminals every day. Worrying they may be within regulatory scope isn’t much of a mental stretch.

There are thousands of systems and technologies out there, and few lines between those used by businesses and the general public. If the bad guys switch from the providers known to work with the government to the open source and commercial technologies used by business, those systems will likely also have to support government access. That means backdoors and recovery keys, since there isn’t any known alternative.

This brings us back to the same problem we have with devices. We simply don’t have scalable mechanisms to support lawful access without reducing security. There is a very real risk that secure communications on multiple levels could be deeply compromised and result in real criminal losses. And that’s before we start worrying about foreign governments.

The impact on data centers and applications

The strongest encryption in the corporate world isn’t found in phones, but in data centers. Enterprises commonly use specialized security appliances designed as unbreakable safes for encryption keys and operations. These Hardware Security Modules, or HSMs, secure banks, retailers, and even your iCloud Keychain backups. Access requires smart cards (sometimes multiple cards held by different employees), and physical tampering can trigger failsafe deletion of all the stored keys.

If you don’t want to buy an HSM, you can always rent one from one of several major cloud providers. They aren’t cheap, but they offer the ultimate in security, since not even the cloud provider can access your data.

That’s merely one example of the strong encryption tools absolutely essential for secure data centers and applications. This equipment and these tools aren’t the kinds of things you can pick up at Best Buy, but they are certainly within the budgets of terrorists and a range of criminals. They are more secure than iPhones and can easily be used to build storage and communications systems. We use them for encrypted financial and medical databases, secure file storage, or even to keep those little CVV codes on the back of your credit card safe.

If these tools remain legal for enterprise, the odds are they will be used by nefarious groups to avoid government monitoring of consumer tech. If businesses are required to add back doors and golden keys too, we once again undermine the foundation for digital security.

The decision is binary, not absolutist

The President and the director of the FBI have portrayed this conflict as one between privacy absolutists and government compromise. The issue is that the technology itself forces us to make a binary decision. There are no known techniques for providing lawful access to encrypted communications and storage at scale. The only way to allow government access is to reduce the security of foundational technologies used by business and government agencies, not merely individual citizens. That is math, not politics.

Further complicating the situation is that security constantly evolves, and we continue to adopt ever stronger technologies in more situations simply to stop the criminals, including hostile governments. These aren’t outlandish movie scenarios; they are the painful, expensive reality for every business in the world. The only difference between consumer, corporate, and government technologies is the price tag. Restrictions on these improvements could be catastrophic.

Last July a group of extremely well respected cryptographers published an excellent overview of the feasibility and security impact of government access. Their conclusion:

Even as citizens need law enforcement to protect themselves in the digital world, all policy-makers, companies, researchers, individuals, and law enforcement have an obligation to work to make our global information infrastructure more secure, trustworthy, and resilient. This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict.

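My experience supports their findings. I can’t think of any way to give the government access for criminal and national security cases that wouldn’t undermine the foundations of digital security across the board. Even ignoring the massive complexity if these requirements were established globally, unless governments demand access to every possible encryption technology, it will be trivial for criminals and terrorists to hide, while significantly increasing the risk for nearly every business and government agency.

This story, “How FBI vs. Apple could cripple corporate and government security,” was originally published by Macworld.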


Copyright © 2016 Raybet2
