
On Wed, Jan 1, 2014 at 3:55 AM, Saku Ytti <saku@ytti.fi> wrote:

> Is this legal? Can the NSA walk into a US-based company and legally coerce it to install such a backdoor? If not, what is the incentive for a private company to cooperate?

As evidenced by "Lavabit", apparently one thing that they CAN do is issue an order to the US-based company to release their secret cryptography keys, such as RSA secret keys, to the government, including the secret keys that correspond to the public keys on their X509 certificates, possibly including certificates used for code signing and code distribution to users. AND maintain confidentiality that they were required to release keys.

Recall, Lavabit was deemed in violation of the order due to halting their service after being forced to release the cryptography keys.

The RSA secret keys can then be used to forge the company's signature on a payload containing a malicious copy of the firmware or operating system, and to perform man-in-the-middle attacks against web sites and other software update infrastructure, in order to distribute tampered-with software with forged code signatures.

--
-JH
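The point in the post above, that whoever holds a company's RSA secret key can produce signatures indistinguishable from the company's own, and the mitigation a defender would reach for, is illustrated by the following added example (not code from the thread or from any of the parties discussed). It uses a toy textbook RSA signature (the SHA-256 digest signed directly, no PKCS#1 padding) over small, freshly generated primes, purely so it runs offline with the standard library; a real system would use a vetted library with RSA-PSS or Ed25519. The firmware blobs, signer names and threshold policy are constructed for the demonstration. What it shows: a single disclosed key satisfies a 1-of-n check on a tampered image, but a k-of-n policy requiring an independent second signer (an auditor, a reproducible-build attester, or a second organisation) rejects it.

```python
"""Toy k-of-n signature policy for a firmware/update manifest (added example)."""
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test; adequate for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=512):
    """Toy RSA keypair (n, e), (n, d). 512-bit modulus is far too small for real use."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(blob):
    # 256-bit digest is always smaller than the 512-bit modulus used here
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def sign(priv, blob):
    """Textbook RSA signature of SHA-256(blob); anyone holding d can produce this."""
    n, d = priv
    return pow(_digest_int(blob), d, n)


def verify(pub, blob, sig):
    """Signature check: verification cannot tell a legitimate signer from a key holder."""
    n, e = pub
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest_int(blob)


def verify_policy(trusted_pubs, threshold, blob, signatures):
    """Accept blob only if at least `threshold` distinct trusted signers verify it.

    signatures: dict signer_id -> signature. Unknown signer ids are ignored, so an
    attacker cannot pad the count with keys the policy does not trust.
    """
    valid = {sid for sid, sig in signatures.items()
             if sid in trusted_pubs and verify(trusted_pubs[sid], blob, sig)}
    return len(valid) >= threshold


def demo(seed=2014):
    """Constructed scenario: vendor key disclosed, auditor key independent."""
    random.seed(seed)  # reproducible toy keys for the demonstration
    vendor_pub, vendor_priv = generate_keypair()
    auditor_pub, auditor_priv = generate_keypair()
    trusted = {"vendor": vendor_pub, "auditor": auditor_pub}
    firmware = b"constructed firmware image v1.0"
    tampered = b"constructed firmware image v1.0 + unexpected change"
    vendor_sig = sign(vendor_priv, firmware)
    auditor_sig = sign(auditor_priv, firmware)
    forged_sig = sign(vendor_priv, tampered)  # made with the disclosed vendor key only
    return {
        "single_key_passes_1_of_n": verify_policy(trusted, 1, tampered, {"vendor": forged_sig}),
        "single_key_fails_2_of_2": verify_policy(trusted, 2, tampered, {"vendor": forged_sig}),
        "both_keys_pass_2_of_2": verify_policy(
            trusted, 2, firmware, {"vendor": vendor_sig, "auditor": auditor_sig}),
        "mismatched_blob_fails": verify_policy(
            trusted, 2, tampered, {"vendor": vendor_sig, "auditor": auditor_sig}),
        "unknown_signer_ignored": verify_policy(
            trusted, 2, firmware, {"vendor": vendor_sig, "mallory": auditor_sig}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that `verify` alone is blind to how the signer obtained `d`; only the policy layer, by demanding a second key that the compelled party never held, turns a key-disclosure order against one organisation into something that is insufficient on its own. Distributing the trusted signer set to clients (and rotating it) is the remaining problem, which is what update frameworks with explicit root-of-trust metadata address.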