9 C
London
Wednesday, September 20, 2017
Home Tags San Bernardino

Tag: San Bernardino

German automaker asked its US employee to perfect the cheat code, and he did it.
Current US and EU emissions testing is insufficient to confirm compliance.
The hacking tool was used by the FBI to break into the iPhone of one of the San Bernardino shooters last year, which led to a short but fierce legal case against Apple.
This isn't going to end well US President Donald Trump's pick for his Attorney General and head of the FBI will have security specialists nervous, since both believe breaking encryption is a good idea. Senator Jefferson Beauregard "Jeff" Sessions III (R‑AL) is Trump's pick for the top legal job in the US.
In congressional testimony, he outed himself as a committed backdoor man when it comes to encryption.
In the written testimony [PDF] to Senator Patrick Leahy, (D‑VT) he laid out his position. "Encryption serves many valuable and important purposes," Sessions wrote. "It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national security and criminal investigations." That's going to be bad news for people who favor strong encryption.

The finest minds in cryptography have repeatedly pointed out the impossibility of building a backdoor for law enforcement into secure encryption, since there's no way to stop others from finding and exploiting the Feds-only access.
If backdoors are mandated, then it could open up all our data to attackers.

Encryption is either strong or backdoored. Sessions' appointment is also going to cause Apple CEO Tim Cook and other tech execs to wear long faces.

During the San Bernardino iPhone case, Sessions was one of the main voices in Congress calling for Apple to create hacking tools for its own operating system and hand them over to the FBI. "Coming from a law enforcement background, I believe this is a more serious issue than Tim Cook understands," Sessions said at the time. "In a criminal case, or could be a life-and-death terrorist case, accessing a phone means the case is over.

Time and time again, that kind of information results in an immediate guilty plea, case over." Meanwhile, Trump has reportedly decided to keep James Comey as director of the FBI.

FBI bosses are appointed on 10-year terms to shield them from American politics and similar influences, although presidents can fire them. Republican-leaning Comey too thinks backdoors (or front doors as he likes to call them) are going to be essential for law enforcement to stop the communications channels of crooks and terrorists "going dark." Comey has said that he wants an adult conversation about encryption this year, and by adult he presumably means that anyone who opposes him is being childish. With the new AG getting his back, Comey might have more success than before in weakening encryption. ® Sponsored: Next gen cybersecurity.
Visit The Register's security hub
Enlarge / Leeor Ben-Peretz is the executive vice president of the Israeli firm Cellebrite.JACK GUEZ/AFP/Getty Images reader comments 38 Share this story On Thursday, Vice Motherboard reported that an unnamed source provided the site with 900GB of data hacked from Cellebrite, the well-known mobile phone data extraction company. Among other products, Cellebrite's UFED system offers "in-depth physical, file system, password, and logical extractions of evidentiary data," and is often the go-to product for law enforcement to pull data from seized phones and other devices. In a statement, Cellebrite called this hack "illegal" and noted that "the company is not aware of any specific increased risk to customers as a result of this incident; however, my.Cellebrite account holders are advised to change their passwords as a precaution." In addition, the trove of materials contains “customer support tickets” showing that the Israeli company sells its services to countries with questionable human rights records, including Turkey, Russia, and the United Arab Emirates. Cellebrite’s own website shows that the company works with numerous local, state, and federal law enforcement agencies, ranging from the Hartford, Connecticut police to the North Wales police in the United Kingdom. (The company reportedly aided the FBI to unlock the seized San Bernardino iPhone that became the center of a protracted legal battle.) However, little is known about the company’s business in many parts of the world. This would not be the first time that a digital surveillance company sold to unsavory regimes.
In 2015, data dumps from Hacking Team showed that it sold exploits to Egypt, Russia, Saudi Arabia, Bahrain, and the United Arab Emirates. Similarly, in 2014, documents leaked online showing that software created by the controversial UK-based Gamma Group International was used to spy on computers that appeared to be located in the US, the UK, Germany, Russia, Iran, and Bahrain.
Database pwned, cyber-forensics outfit admits The Israeli company that found fame when it was fingered as a potential source of hacking software used by the FBI to crack open an iPhone has itself been hacked. In a statement on its website, Cellebrite today admitted that an "external web server" containing the company's license management system had been accessed by an unknown third party.

The company is still investigating the extent of the hack, but it has advised all its customers to change their passwords. The biz says the database is an old one – it has migrated to a new system – but warned that basic contact information for people that were registered to receive notifications from the company has been accessed. Reportedly, as much as 900GB of information was taken. Such a database could prove valuable given Cellebrite's line of work: it specializes in mobile forensics.
In that capacity, the FBI apparently approached it in an effort to crack the iPhone of San Bernardino shooter Syed Farook. Farook was running version 9 of the iOS mobile software, which encrypted the phone's data and required a four-digit pin to access it.

Too many wrong tries effectively render the phone inoperable.

The FBI decided to use the case to have a very public fight with Apple over its security features, demanding that the iTunes giant give the FBI access to the phone. Apple refused, stating that it was effectively being told to break its own product, and the impasse became national news, with politicians dragged into the argument.
In the end, in a face-saving exercise, the FBI said it had found a third-party vendor that could access the phone, and backed down from what had by then become a legal challenge. Although neither the FBI nor Cellebrite ever confirmed the forensics company was the source of the hack, neither denied reports, either. Whatever biz bypassed the smartphone's security, it received as much as $1m for its troubles. With that amount of money flying about, it was inevitable that hackers would try to get into Cellebrite's systems. "Cellebrite actively maintains an ongoing information security program and is committed to safeguarding sensitive customer information using best-in-class security countermeasures," the company assured customers. "Once the investigation of this attack is complete, the company will take any appropriate steps necessary to harden its security posture to mitigate the risk of future breaches." The outfit, which is a subsidiary of the Japanese Sun Corporation but is based in Israel, said it was working with the authorities to try to track down the hackers. ® Sponsored: Flash enters the mainstream.
Visit The Register's storage hub
The report released by a bi-partisan study group underscores law enforcement’s need to decrypt data while highlighting the importance of supporting strong encryption. The United States needs to continue to support strong encryption or risk undermining the digital economy, according to a bi-partisan congressional report released Dec. 20.The Encryption Working Group Year-End Report, summarizes the conclusions of a nearly year-long investigation by members of the House of Representatives’ Judiciary Committee and Energy and Commerce Committee.While finding that “any measure that weakens encryption works against the national interest,” the report also concluded that Congress needs to consider legislation that could help law enforcement gain access to digital information during investigations and work with technology companies to find solutions.“Although federal law enforcement agencies told the [group] that they encourage the use of encryption for the protection of sensitive information including data retained by the federal government they cite the increased use of encryption by suspected criminals and victims of crime as a severe challenge to their public safety mission,” the group stated in the report. The members of Congress created the working group during the tense standoff between Apple and the FBI over the law enforcement agency’s demands for the consumer-technology giant to help decrypt an iPhone belonging to one of the killers in the San Bernardino mass shooting of 2015. The Encryption Working Group has met with numerous law enforcement and intelligence officials, technology industry experts and civil rights organizations on the topic of encryption and its impact on legitimate government activities.The group announced four conclusions in its report: strong encryption is in the national interest; if the U.S. weakens the encryption in IT products, companies in other countries will gain marketshare; the topic is complex with no simple solution for every situation; and that Congress should help technology companies and law enforcement agencies cooperate.Ten members of the Encryption Working Group signed off on the report, including Bob Goodlatte (R-VA), Fred Upton (R-MI), Frank Pallone, Jr. (D-NJ), John Conyers, Jr. (D-MI), Bill Johnson (R-OH), Yvette D.

Clarke (D- NY), Darrell Issa (R-CA), Zoe Lofgren (D-CA), James Sensenbrenner (R-WI) and Suzan DelBene (D-WA).

Two other members—Joe Kennedy (D-MA) and Adam Kinzinger (R-IL)—reportedly refused to put their names on the report.Technology companies lauded the findings, which amounted to confirming what most firms have argued repeatedly—weakening encryption, or providing a backdoor, just creates vulnerabilities.“Legislative mandates that undermine the technology would only serve to make everyone less secure,” Aaron Cooper, vice president of strategic policy initiatives with the Business Software Alliance, wrote in a blog post on the report. “At the same time, the report recognizes—and BSA strongly supports—the important work of law enforcement in protecting our safety and pursuing criminals.”The report recommends that Congress follow up on the findings in the future by developing legal means for law enforcement to access company information, improve law enforcement’s ability to access meta data, and build a legal framework to support exploitation for evidence and intelligence gathering.
EnlargeCary Bass-Deschenes reader comments 3 Share this story As a tumultuous 2016 draws to a close, one case distilled contemporary law enforcement, terrorism, encryption, and surveillance issues more than any other: the case popularly known as “FBI vs.

Apple.” The ordeal began on February 16 when a federal judge in Riverside, California, ordered Apple to help the government unlock and decrypt the seized iPhone 5C used by Syed Rizwan Farook.

Farook had shot up an office party in a terrorist attack in nearby San Bernardino in December 2015. Specifically, United States Magistrate Judge Sheri Pym mandated that Apple provide the FBI a custom firmware file, known as an IPSW file, that would likely enable investigators to brute force the passcode lockout currently on the phone, which was running iOS 9.

This order was unprecedented. Apple refused, and the two sides battled it out in court filings and the court of public opinion for weeks. But the day before they were set to argue before the judge in Riverside, prosecutors called it off.

They announced that federal investigators had found some mysterious way to access the contents of Farook’s phone, but provided hardly any details.
In April 2016, Ars reported that the FBI paid at least $1.3 million for a way to access the phone.

But getting into the phone seems to have resulted in little, if any, meaningful benefits. The underlying legal issue remains unresolved.
In May 2016, FBI Director James Comey noted that the government would likely bring further legal challenges in the near future.

The law is clearly struggling to keep up with the current realities of encryption.

These issues impact not only national security cases, but also more run-of-the-mill crimes. In short, many of the most profound questions of our time have yet to be resolved.

These include: what measures can the government take in order to mitigate encryption? What tools can the government employ in order to conduct legitimate investigations? Can a person or a company be compelled to hand over a password or fingerprint to unlock a phone or create new software to achieve that end? In years past, Ars has tried to predict what privacy-related cases would reach the Supreme Court.

Given that our track record has been abysmal, we’re going to take a slightly different approach this year.

Today, we’ll update the five surveillance-related cases that we thought would become huge in 2016.

Tomorrow, we’ll expand our outlook to include other important legal cases still ongoing in 2017 that touch on important tech issues. Not exactly an angel on top Case: United States v. MohamudStatus: 9th US Circuit Court of Appeals rejected appeal in December 2016 As with last year, we’ll begin with the story of a terrorism suspect who was convicted of attempting to blow up a Christmas tree lighting ceremony in Portland, Oregon, in 2010.

That case involved a Somali-American, Mohamed Osman Mohamud, who became a radicalized wannabe terrorist. Mohamud believed that he was corresponding with an Al-Qaeda sympathizer, and he was eventually introduced to another man who he believed was a weapons expert.

Both of those men were with the FBI. Mohamud thought it would be a good idea to target the ceremony on November 27, 2010. He was arrested possessing what he believed was a detonator, but it was, in fact, a dud. Earlier this month, the 9th US Circuit Court of Appeals rejected an effort to overturn Mohamed Osman Mohamud’s conviction on the grounds that the surveillance to initially identify the suspect did not require a warrant. Mohamud went to trial, was eventually found guilty, and was then sentenced to 30 years in prison. After the conviction, the government disclosed that it used surveillance under Section 702 of the FISA Amendments Act to collect and search Mohamud's e-mail.
Seeing this, Mohamud’s legal team attempted to re-open the case, but the 9th Circuit disagreed. As the 9th Circuit ruled: "The panel held that no warrant was required to intercept the overseas foreign national’s communications or to intercept a U.S. person’s communications incidentally." From here, Mohamud and his legal team could ask that the 9th Circuit re-hear the appeal with a full panel of judges (en banc), or they could appeal up to the Supreme Court.
If either court declines, the case is over, and the ruling stands. Slowly turning wheels of justice Case: United States v. HasbajramiStatus: Appeal pending in 2nd US Circuit Court of Appeals Similar to Mohamud, another notable terrorism case revolves around Section 702 surveillance.

As we reported at this time last year, Hasbajrami involves a United States person (citizen or legal resident) accused of attempting to provide support for terrorism-related activities.

According to the government, Agron Hasbajrami, an Albanian citizen and Brooklyn resident, traded e-mails with a Pakistan-based terror suspect back in 2011.

The terror suspect claimed to be involved in attacks against the US military in Afghanistan.

After he was apprehended, Hasbajrami pleaded guilty in 2013 to attempting to provide material support to terrorists. After he pleaded guilty, the government informed Hasbajrami that, like with Mohamud, it had used Section 702 surveillance against him, and the case was re-opened. Many cases that have tried to fight surveillance have fallen down for lack of standing. Hasbajrami’s case is different, however, because he can definitively prove that he was spied upon by the government. As his case neared trial in mid-2015, Hasbajrami pleaded guilty a second time.

But shortly thereafter, he moved to withdraw the plea again, which the judge rejected.
So the case progressed to the 2nd US Circuit Court of Appeals. Earlier this year, when we expected to see Hasbajrami’s first appellate filing, his new lawyers filed an application with the judge.

They asked that the case be held “in abeyance,” which essentially puts a kind of stay on the appeals process.

The 2nd Circuit agreed. The reason? Because US District Judge John Gleeson, then the judge at the lower-court level, issued a classified opinion “which directly relates to and impacts the issues to be raised on appeal.” United States v. Hasbajrami was delayed when Judge Gleeson stepped down from the bench in late February. While Judge Gleeson’s opinion was released (in a redacted form) to the defense attorneys, by September, defense attorneys argued again in filings to the new judge that they possess adequate security clearance and should be given access to this material, unredacted. As they wrote: In that context, the government repeatedly fails—in its argument as well as the authority it cites—to distinguish public release of the redacted portions from providing security-cleared defense counsel access to that material. Here, all Mr. Hasbajrami seeks is the latter.

Thus, the dangers of dissemination beyond to those already authorized to review classified information simply do not exist, and the government’s contentions with respect to national security serve as a red herring. The most recent entry in either the appellate or district court docket is an October 31 filing.
In it, defense attorneys inform the 2nd Circuit that they are still waiting for Chief US District Judge Dora Irizarry to rule on receiving the unredacted version. One of Hasbajrami’s attorneys is Joshua Dratel.

Dratel is famous for having defended (and still defending) Ross Ulbricht, the convicted mastermind behind the Silk Road drug marketplace website. The Free Encyclopedia Case: Wikimedia v. NSAStatus: Appeal pending in 4th US Circuit Court of Appeals Of course, Section 702 is just one of many ways the government is conducting surveillance beyond its intended target. Wikimedia v. NSA is one of several cases that has tried to target the “upstream” setup that allows the NSA to grab data directly off fiber optic cables. Wikimedia, which publishes Wikipedia, filed its case originally in March 2015.
In it, the company argues that the government is engaged in illegal and unconstitutional searches and seizures of these groups’ communications. But, in October 2015, US District Judge T.S.

Ellis III dismissed the case. He found that Wikimedia and the other plaintiffs had no standing and could not prove that they had been surveilled.

That action largely echoed a 2013 Supreme Court decision, Clapper v.

Amnesty International
. The plaintiffs filed their appeal to the 4th US Circuit Court of Appeals immediately.
In their February 2016 opening brief, which was written by top attorneys from the American Civil Liberties Union, they argue essentially that Wikipedia traffic had to have been captured in the National Security Agency’s snare because it’s one of the most-trafficked sites on the Internet. They wrote: In other words, even if the NSA were conducting Upstream surveillance on only a single circuit, it would be copying and reviewing the Wikimedia communications that traverse that circuit.

But the government has acknowledged monitoring multiple internet circuits—making it only more certain that Wikimedia’s communications are being copied and reviewed. Moreover, the NSA’s own documents indicate that it is copying and reviewing Wikimedia’s communications.

Taken together, these detailed factual allegations leave no doubt as to the plausibility of Wikimedia’s standing. The government, for its part, countered by saying that the 4th Circuit should uphold the district court’s ruling. Why? Because, as it argued in April 2016, Wikimedia’s argument is largely speculative. ... the facts do not support plaintiffs’ assumption that Wikimedia’s communications must traverse every fiber of every sub-cable such that, if the NSA is monitoring only one fiber or even one sub-cable, it still must be intercepting, copying, and reviewing Wikimedia’s communications. Beyond that, the government continued, even if Wikimedia’s communications were intercepted, the plaintiffs have not demonstrated how they have actually been injured, because a large portion of the NSA’s interception is done by machine. The government continued: Indeed, plaintiffs’ complaint generally fails to state a cognizable injury because, whatever the nature of the particular communications at issue, plaintiffs have made no allegation that interception, copying, and filtering for selectors involve any human review of the content of those communications. The two sides squared off at the 4th Circuit in Baltimore on December 8, 2016 for oral arguments.

A decision is expected within the next few months. Fast food, fast crimes Case: United States v.

Graham
Status: Decided en banc at 4th US Circuit Court of Appeals, cert petition filed to Supreme Court This case was a big hope for many civil libertarians and privacy activists.

An appeals court had initially rejected the thorny third-party doctrine and found that, because the two suspects voluntarily disclosed their own location to their mobile carrier via their phones, they did not have a reasonable expectation of privacy. But in May 2016, the 4th US Circuit Court of Appeals, in an en banc ruling, found in favor of the government.

The court concluded that police did not, in fact, need a warrant to obtain more than 200 days' worth of cell-site location information (CSLI) for two criminal suspects. As the court ruled: The Supreme Court may in the future limit, or even eliminate, the third-party doctrine.

Congress may act to require a warrant for CSLI.

But without a change in controlling law, we cannot conclude that the Government violated the Fourth Amendment in this case. This case dates back to February 5, 2011 when two men robbed a Burger King and a McDonald’s in Baltimore.

Ten minutes later, they were caught and cuffed by Baltimore City Police officers.

Eventually, Aaron Graham and Eric Jordan were charged with 17 federal counts of interstate robbery, including a pair of fast food robberies and another one at a 7-Eleven.

They also received charges for brandishing a firearm in furtherance of the crime. A Baltimore City Police detective first sought and obtained a search warrant for the two cell phones recovered during a search of the getaway car. Prosecutors later obtained a court order (a lesser standard than a warrant) granting disclosure of the defendants’ CSLI data for various periods totaling 14 days when the suspects were believed to have been involved in robberies.

The government next applied for (and received) a second application to another magistrate judge for a new set of CSLI data, covering a period of July 1, 2010 through February 6, 2011 (221 days). In August 2012, Graham and Jordan were found guilty on nearly all counts.

They were sentenced to 147 years in prison and 72 years, respectively. Meghan Skelton, Graham’s public defender, has filed an appeal with the Supreme Court, which has not yet decided whether it will hear the case. Who is the Dread Pirate Roberts? Cases: United States v. Ulbricht and United States v.

Bridges
Status: Appeals pending in 2nd US Circuit Court of Appeals, 9th US Circuit Court of Appeals, respectively While Section 702 surveillance and cell-site location information are important, there was one defendant who was defeated largely by snatching his laptop out of his hands: Ross Ulbricht.

The young Texan was convicted as being Dread Pirate Roberts, the creator of the notorious online drug market Silk Road. Later on in 2015, Ulbricht was given a double life sentence, despite emotional pleas from himself, his family, and friends for far less. 2016 kicked off with Ross Ulbricht’s formal appeal to the 2nd Circuit.

Ars described it as a “170-page whopper that revisits several of the evidentiary arguments that Ulbricht's lawyer made at trial.” These included theories that Ulbricht wasn’t Dread Pirate Roberts, and it attributed digital evidence found on Ulbricht’s computer to “vulnerabilities inherent to the Internet and digital data,” like hacking and fabrication of files.

According to the appeal, these “vulnerabilities” made “much of the evidence against Ulbricht inauthentic, unattributable to him, and/or ultimately unreliable.” Plus, corrupt federal agents Shaun Bridges and Carl Mark Force tarnished the case against Ulbricht, claimed his lawyer.

That lawyer is Joshua Dratel, who makes his second appearance on this list. The government responded with its own 186-page whopper on June 17, 2016.

After a lengthy recap of the entire case, United States Attorney Preet Bharara opened his arguments with a notable flaw in Ulbricht’s logic: But nowhere, either below or here, has Ulbricht explained, other than in the most conclusory way, how the corruption of two agents—who neither testified at his trial nor generated the evidence against him—tended to disprove that he was running Silk Road from his laptop. In short, the government argues, Ulbricht was caught red-handed, and the appeals court should uphold both the conviction and the sentence. The following month, federal prosecutors in San Francisco unsealed new court documents that make a strong case that former agent Bridges stole another $600,000 in bitcoins after he pleaded guilty. By August 2016, Bridges’ lawyer Davina Pujari filed what she herself said was a “legally frivolous” appeal to the 9th Circuit on behalf of her client, and she asked to be removed from the case.

Bridges’ case remains pending at the appellate level, and no oral arguments have been scheduled. (Pujari is still Bridges’ lawyer for now.) Bridges remains a prisoner at the Terre Haute Federal Correctional Institute in Indiana, where he is scheduled for release in 2021. Later in August, Ars chronicled the saga of how a San Francisco-based federal prosecutor joined forces with a dogged Internal Revenue Service special agent to bring Bridges and Force to justice. Meanwhile, Ulbricht’s lawyers, led by Joshua Dratel, faced off at the 2nd Circuit against federal prosecutors on October 6, 2016 to challenge Ulbricht’s conviction and sentence.

The court is expected to rule within the next few months.
The U.S. is better off supporting strong encryption that trying to weaken it, according to a new congressional report that stands at odds with the FBI’s push to install back doors into tech products. On Tuesday, a bipartisan congressional panel published a year-end report, advising the U.S. to explore other solutions to the encryption debate. “Any measure that weakens encryption works against the national interest,” the report said. Rather than build backdoors into tech products, law enforcement can consider exploiting flaws in secure products that already exist, the report said. The FBI resorted to this approach when it hired an unknown third-party to hack into the passcode-protected iPhone from the San Bernardino shooter. The agency’s director has suggested the FBI paid more than $1 million for the hacking tool involved. However, any legal hacking would raise other questions, like if and when a law enforcement agency should alert tech companies about these vulnerabilities, the report said. News agencies have already sued the FBI, demanding details over how it gained access to the San Bernardino shooter’s iPhone. Other measures Congress can explore include legally compelling criminal suspects to unlock their smartphones and finding better ways to use metadata analysis in law enforcement investigations. Tuesday’s report also emphasized the need for both the tech industry and law enforcement to foster cooperation, despite past tensions between the two sides. “This can no longer be an isolated or binary debate. There is no ‘us versus them,’” the report said. The FBI didn’t respond to a request for comment.
We want to have our cake and stuff our faces with it A bipartisan House working group on encryption has today come to the conclusion that encryption is vital to US national interests, even as it seeks to mitigate the problem the technology can pose for law enforcement. Citing the Federal Bureau of Investigation's effort earlier this year to force Apple to help the agency decrypt an iPhone used by one of the shooters in a 2015 terror attack in San Bernardino, California, the House Judiciary Committee & House Energy and Commerce Committee's Encryption Working Group (EWG) report explores the tension between authorities' desire for access to digital data and the increasingly necessary use of encryption to keep data secure. Fred Upton (R-MI), Frank Pallone, Jr (D-NJ), Bob Goodlatte (R-VA), and John Conyers (D-MI) presented the dossier. "The widespread adoption of encryption poses a real challenge to the law enforcement community and strong encryption is essential to both individual privacy and national security," their report reads. "A narrative that sets government agencies against private industry, or security interests against individual privacy, does not accurately reflect the complexity of the issue." Amid its effort to find a way to secure data while also preserving access for authorities, the EWG at least argues that encryption should not be subverted for convenience. "Congress should not weaken this vital technology because doing so works against the national interest," the report states. "However, it should not ignore and must address the legitimate concerns of the law enforcement and intelligence communities." In other words, encryption should not be weakened, but there may be times when it should be weakened.
So much for clarity of vision. A rival commission, set up by House Homeland Security Committee Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA), frames encryption in similar terms.

As that commission's report, updated in September, noted, "Encryption plays a vital role in modern society, and increasingly widespread use of encryption in digital communications and data management has become a 'fact of life'." The European Union Agency for Network and Information Security (ENISA) recently adopted a similar stance, declaring, "The use of backdoors in cryptography is not a solution, as existing legitimate users are put at risk by the very existence of backdoors." The EWG offers four main findings: Any measure that weakens encryption works against the national interest. Encryption technology is a global technology that is widely and increasingly available around the world. The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the 'going dark' phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge. Congress should foster cooperation between the law enforcement community and technology companies. While these observations may mute calls for backdoors, they don't really offer any way to resolve the seemingly incompatible goals of security and access. If a device is properly encrypted with an accepted algorithm, there are only a few ways to gain access to the data.

These include: A legal regime that can compel people to reveal passwords (third-party companies can already be compelled to reveal what they know). Technical methods or flaws that facilitate decryption. A key storage regime like iCloud that provides convenience in exchange for security. So when the EWG refers to cooperation between law enforcement and technology companies, that partnership, if mutual distrust can be overcome, might take the form of vulnerability sharing and encouraging people to entrust encryption keys to third-party providers. The EWG report also advises further exploration of the utility and limits of metadata as a way around encryption, the viability of "legal hacking," the constitutional implications of compelled disclosure of passwords, and the proper role of government in data privacy. Further discussion of these topics, while potentially useful, will need to be calibrated to the incoming administration. President-elect Trump has suggested he will take a less nuanced approach to encryption policy, having declared that Apple should have unlocked the iPhone in question. ® Sponsored: Want to know more about PAM? Visit The Register's hub

The Electronic Frontier Foundation aims to protect Web traffic by encrypting the entire Internet using HTTPS.

Chrome now puts a little warning marker in the Address Bar next to any non-secure HTTP address.

Encryption is important, and not only for Web surfing.
If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won't be able to parley their possession into identity theft, bank account takeover, or worse.

To help you select an encryption product that's right for your computer, we've rounded up a collection of current products.

As we review more products in this area, we'll keep the list up to date.

No Back Doors

When the FBI needed information from the San Bernardino shooter's iPhone, they asked Apple for a back door to get past the encryption.

But no such back door existed, and Apple refused to create one.

The FBI had to hire hackers to get into the phone.

Why wouldn't Apple help? Because the moment a back door or similar hack exists, it becomes a target, a prize for the bad guys.
It will leak sooner or later.
In a talk at Black Hat this past summer, Apple's Ivan Krstic revealed that the company has done something similar in their cryptographic servers. Once the fleet of servers is up and running, they physically destroy the keys that would permit modification.

Apple can't update them, but the bad guys can't get in either.

All of the products in this roundup explicitly state that they have no back door, and that's as it should be.
It does mean that if you encrypt an essential document and then forget the encryption password, you've lost it for good.

Two Main Approaches

Back in the day, if you wanted to keep a document secret you could use a cipher to encrypt it and then burn the original. Or you could lock it up in a safe.

The two main approaches in encryption utilities parallel these options.

One type of product simply processes files and folders, turning them into impenetrable encrypted versions of themselves.

The other creates a virtual disk drive that, when open, acts like any other drive on your system. When you lock the virtual drive, all of the files you put into it are completely inaccessible.

Similar to the virtual drive solution, some products store your encrypted data in the cloud.

This approach requires extreme care, obviously.

Encrypted data in the cloud has a much bigger attack surface than encrypted data on your own PC.

Which is better? It really depends on how you plan to use encryption.
If you're not sure, take advantage of the 30-day free trial offered by each of these products to get a feel for the different options.

Secure Those Originals

After you copy a file into secure storage, or create an encrypted version of it, you absolutely need to wipe the unencrypted original. Just deleting it isn't sufficient, even if you bypass the Recycle Bin, because the data still exists on disk, and data recovery utilities can often get it back.

Some encryption products avoid this problem by encrypting the file in place, literally overwriting it on disk with an encrypted version.
It's more common, though, to offer secure deletion as an option.
If you choose a product that lacks this feature, you should find a free secure deletion tool to use along with it.

Overwriting data before deletion is sufficient to balk software-based recovery tools. Hardware-based forensic recovery works because the magnetic recording of data on a hard drive isn't actually digital.
It's more of a waveform.
In simple terms, the process involves nulling out the known data and reading around the edges of what's left.
If you really think someone (the feds?) might use this technique to recover your incriminating files, you can set your secure deletion tool to make more passes, overwriting the data beyond what even these techniques can recover.

Encryption Algorithms

An encryption algorithm is like a black box.

Dump a document, image, or other file into it, and you get back what seems like gibberish. Run that gibberish back through the box, with the same password, and you get back the original.

The U.S. government has settled on Advanced Encryption Standard (AES) as a standard, and all of the products gathered here support AES.

Even those that support other algorithms tend to recommend using AES.

If you're an encryption expert, you may prefer another algorithm, Blowfish, perhaps, or the Soviet government's GOST.

For the average user, however, AES is just fine.

Public Key Cryptography and Sharing

Passwords are important, and you have to keep them secret, right? Well, not when you use Public Key Infrastructure (PKI) cryptography.

With PKI, you get two keys. One is public; you can share it with anyone, register it in a key exchange, tattoo it on your forehead—whatever you like.

The other is private, and should be closely guarded.
If I want to send you a secret document, I simply encrypt it with your public key. When you receive it, your private key decrypts it.
Simple!

Using this system in reverse, you can create a digital signature that proves your document came from you and hasn't been modified. How? Just encrypt it with your private key.

The fact that your public key decrypts it is all the proof you need. PKI support is less common than support for traditional symmetric algorithms.

If you want to share a file with someone and your encryption tool doesn't support PKI, there are other options for sharing. Many products allow creation of a self-decrypting executable file. You may also find that the recipient can use a free, decryption-only tool.

What's the Best?

Right now there are three Editors' Choice products in the consumer-accessible encryption field.

The first is the easiest to use of the bunch, the next is the most secure, and the third is the most comprehensive.

AxCrypt Premium has a sleek, modern look, and when it's active you'll hardly notice it.

Files in its Secured Folders get encrypted automatically when you sign out, and it's one of the few that support public key cryptography.

CertainSafe Digital Safety Deposit Box goes through a multistage security handshake that authenticates you to the site and authenticates the site to you. Your files are encrypted, split into chunks, and tokenized.

Then each chunk gets stored on a different server.

A hacker who breached one server would get nothing useful.

Folder Lock can either encrypt files or simply lock them so nobody can access them.
It also offers encrypted lockers for secure storage.

Among its many other features are file shredding, free space shredding, secure online backup, and self-decrypting files.

The other products here also have their merits, too, of course. Read the capsules below and then click through to the full reviews to decide which one you'll use to protect your files. Have an opinion on one of the apps reviewed here, or a favorite tool we didn't mention? Let us know in the comments.

FEATURED IN THIS ROUNDUP

Photojournalists plead for secured data in professional cams Over 150 prominent filmmakers and photojournalists have asked leading camera makers to add support for data encryption to their devices. An open letter published on Wednesday by the Freedom of the Press Foundation – a group that includes Academy Award winners Laura Poitras and Alex Gibney – states that encryption is absent from all commercial cameras being sold today and that the technology is needed to protect both those capturing images and those depicted in them. "Without encryption capabilities, photographs and footage that we take can be examined and searched by the police, military, and border agents in countries where we operate and travel, and the consequences can be dire," the letter states. The list of camera makers contacted includes Canon, Fuji, Nikon, Olympus, and Sony. According to the Committee to Protect Journalists, the confiscation of cameras from journalists is so common that the organization cannot accurately track such incidents. Mobile phones often have passable cameras and also support the encryption of data at rest, for images and text messaging.

That makes them safer in theory than professional camera equipment in conflict zones and in confrontations with authorities. Against a well-funded, resourceful, or determined adversary, however, technical protection doesn't guarantee that encrypted data will remain secure. After attempting to pressure Apple into creating a special version of iOS that would allow it to gain access to an iPhone used by one of the San Bernardino shooters in 2015, the FBI ultimately gained access to the device with the help of a third party, through what's believed to be software vulnerability. What's more, US Border authorities have broad latitude to search electronic devices, and many countries have laws that can be used to compel individuals to disclose encryption keys.
So the availability of encryption doesn't mean it will be effective at shielding data from scrutiny. At a recent Hacks/Hackers event in San Francisco titled "Information Security for Journalists," Data Guild cofounder David Gutelius said that, with the possible exception of Signal, he wouldn't recommend any digital communication technology for journalists with serious security concerns involving nation-level adversaries.

Even Tor, a generally well-regarded network anonymity tool, can be compromised, he said. In an email to The Register, Trevor Timm, executive director of the Freedom of the Press Foundation, acknowledged that laws limiting encryption and border searches could diminish its effectiveness but emphasized that it should be an option. "Journalists – or anyone who uses a camera with encryption enabled – would always have the option to unlock it if they chose to, but right now they don't even have that choice, and that's the problem," said Timm. Jonathan Zdziarski, an iOS forensic researcher, in a series of Twitter posts on Wednesday voiced support for better encryption and stronger privacy protection but expressed doubt that camera makers, as they lose sales to smartphone makers, see the addition of encryption as a way to revive sales. "Until every journalist learns to encrypt their hard drive and use Signal, I'm not sure an encrypted camera will do them any good," said Zdziarski. And even then, it may not withstand the threat of rubber-hose cryptanalysis or a $5 wrench. ® Sponsored: Customer Identity and Access Management