Tag: San Bernardino
In congressional testimony, he outed himself as a committed backdoor man when it comes to encryption.
In the written testimony [PDF] to Senator Patrick Leahy (D-VT), he laid out his position. "Encryption serves many valuable and important purposes," Sessions wrote. "It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national security and criminal investigations." That's going to be bad news for people who favor strong encryption.
The finest minds in cryptography have repeatedly pointed out the impossibility of building a backdoor for law enforcement into secure encryption, since there's no way to stop others from finding and exploiting the Feds-only access.
If backdoors are mandated, then it could open up all our data to attackers.
Encryption is either strong or backdoored. Sessions' appointment is also going to cause Apple CEO Tim Cook and other tech execs to wear long faces.
During the San Bernardino iPhone case, Sessions was one of the main voices in Congress calling for Apple to create hacking tools for its own operating system and hand them over to the FBI. "Coming from a law enforcement background, I believe this is a more serious issue than Tim Cook understands," Sessions said at the time. "In a criminal case, or could be a life-and-death terrorist case, accessing a phone means the case is over.
Time and time again, that kind of information results in an immediate guilty plea, case over." Meanwhile, Trump has reportedly decided to keep James Comey as director of the FBI.
FBI bosses are appointed on 10-year terms to shield them from American politics and similar influences, although presidents can fire them. Republican-leaning Comey too thinks backdoors (or front doors as he likes to call them) are going to be essential for law enforcement to stop the communications channels of crooks and terrorists "going dark." Comey has said that he wants an adult conversation about encryption this year, and by adult he presumably means that anyone who opposes him is being childish. With the new AG getting his back, Comey might have more success than before in weakening encryption.
In 2015, data dumps from Hacking Team showed that it sold exploits to Egypt, Russia, Saudi Arabia, Bahrain, and the United Arab Emirates. Similarly, in 2014, documents leaked online showing that software created by the controversial UK-based Gamma Group International was used to spy on computers that appeared to be located in the US, the UK, Germany, Russia, Iran, and Bahrain.
The company is still investigating the extent of the hack, but it has advised all its customers to change their passwords. The biz says the database is an old one – it has migrated to a new system – but warned that basic contact information for people that were registered to receive notifications from the company has been accessed. Reportedly, as much as 900GB of information was taken. Such a database could prove valuable given Cellebrite's line of work: it specializes in mobile forensics.
In that capacity, the FBI apparently approached it in an effort to crack the iPhone of San Bernardino shooter Syed Farook. Farook was running version 9 of the iOS mobile software, which encrypted the phone's data and required a four-digit PIN to access it.
Too many wrong tries effectively render the phone inoperable.
The FBI decided to use the case to have a very public fight with Apple over its security features, demanding that the iTunes giant give the FBI access to the phone. Apple refused, stating that it was effectively being told to break its own product, and the impasse became national news, with politicians dragged into the argument.
In the end, in a face-saving exercise, the FBI said it had found a third-party vendor that could access the phone, and backed down from what had by then become a legal challenge. Although neither the FBI nor Cellebrite ever confirmed the forensics company was the source of the hack, neither denied reports, either. Whatever biz bypassed the smartphone's security, it received as much as $1m for its troubles. With that amount of money flying about, it was inevitable that hackers would try to get into Cellebrite's systems. "Cellebrite actively maintains an ongoing information security program and is committed to safeguarding sensitive customer information using best-in-class security countermeasures," the company assured customers. "Once the investigation of this attack is complete, the company will take any appropriate steps necessary to harden its security posture to mitigate the risk of future breaches." The outfit, which is a subsidiary of the Japanese Sun Corporation but is based in Israel, said it was working with the authorities to try to track down the hackers.
Clarke (D-NY), Darrell Issa (R-CA), Zoe Lofgren (D-CA), James Sensenbrenner (R-WI) and Suzan DelBene (D-WA).
Two other members—Joe Kennedy (D-MA) and Adam Kinzinger (R-IL)—reportedly refused to put their names on the report.
Technology companies lauded the findings, which amounted to confirming what most firms have argued repeatedly—weakening encryption, or providing a backdoor, just creates vulnerabilities.
“Legislative mandates that undermine the technology would only serve to make everyone less secure,” Aaron Cooper, vice president of strategic policy initiatives with the Business Software Alliance, wrote in a blog post on the report. “At the same time, the report recognizes—and BSA strongly supports—the important work of law enforcement in protecting our safety and pursuing criminals.”
The report recommends that Congress follow up on the findings in the future by developing legal means for law enforcement to access company information, improve law enforcement’s ability to access metadata, and build a legal framework to support exploitation for evidence and intelligence gathering.
Apple.” The ordeal began on February 16 when a federal judge in Riverside, California, ordered Apple to help the government unlock and decrypt the seized iPhone 5C used by Syed Rizwan Farook.
Farook had shot up an office party in a terrorist attack in nearby San Bernardino in December 2015. Specifically, United States Magistrate Judge Sheri Pym mandated that Apple provide the FBI a custom firmware file, known as an IPSW file, that would likely enable investigators to brute force the passcode lockout currently on the phone, which was running iOS 9.
This order was unprecedented. Apple refused, and the two sides battled it out in court filings and the court of public opinion for weeks. But the day before they were set to argue before the judge in Riverside, prosecutors called it off.
They announced that federal investigators had found some mysterious way to access the contents of Farook’s phone, but provided hardly any details.
In April 2016, Ars reported that the FBI paid at least $1.3 million for a way to access the phone.
But getting into the phone seems to have resulted in little, if any, meaningful benefits. The underlying legal issue remains unresolved.
In May 2016, FBI Director James Comey noted that the government would likely bring further legal challenges in the near future.
The law is clearly struggling to keep up with the current realities of encryption.
These issues impact not only national security cases, but also more run-of-the-mill crimes. In short, many of the most profound questions of our time have yet to be resolved.
These include: what measures can the government take in order to mitigate encryption? What tools can the government employ in order to conduct legitimate investigations? Can a person or a company be compelled to hand over a password or fingerprint to unlock a phone or create new software to achieve that end? In years past, Ars has tried to predict what privacy-related cases would reach the Supreme Court.
Given that our track record has been abysmal, we’re going to take a slightly different approach this year.
Today, we’ll update the five surveillance-related cases that we thought would become huge in 2016.
Tomorrow, we’ll expand our outlook to include other important legal cases still ongoing in 2017 that touch on important tech issues.
Not exactly an angel on top
Case: United States v. Mohamud
Status: 9th US Circuit Court of Appeals rejected appeal in December 2016
As with last year, we’ll begin with the story of a terrorism suspect who was convicted of attempting to blow up a Christmas tree lighting ceremony in Portland, Oregon, in 2010.
That case involved a Somali-American, Mohamed Osman Mohamud, who became a radicalized wannabe terrorist. Mohamud believed that he was corresponding with an Al-Qaeda sympathizer, and he was eventually introduced to another man who he believed was a weapons expert.
Both of those men were with the FBI. Mohamud thought it would be a good idea to target the ceremony on November 27, 2010. He was arrested possessing what he believed was a detonator, but it was, in fact, a dud. Earlier this month, the 9th US Circuit Court of Appeals rejected an effort to overturn Mohamed Osman Mohamud’s conviction on the grounds that the surveillance to initially identify the suspect did not require a warrant. Mohamud went to trial, was eventually found guilty, and was then sentenced to 30 years in prison. After the conviction, the government disclosed that it used surveillance under Section 702 of the FISA Amendments Act to collect and search Mohamud's e-mail.
Seeing this, Mohamud’s legal team attempted to re-open the case, but the 9th Circuit disagreed. As the 9th Circuit ruled: "The panel held that no warrant was required to intercept the overseas foreign national’s communications or to intercept a U.S. person’s communications incidentally." From here, Mohamud and his legal team could ask that the 9th Circuit re-hear the appeal with a full panel of judges (en banc), or they could appeal up to the Supreme Court.
If either court declines, the case is over, and the ruling stands.
Slowly turning wheels of justice
Case: United States v. Hasbajrami
Status: Appeal pending in 2nd US Circuit Court of Appeals
Similar to Mohamud, another notable terrorism case revolves around Section 702 surveillance.
As we reported at this time last year, Hasbajrami involves a United States person (citizen or legal resident) accused of attempting to provide support for terrorism-related activities.
According to the government, Agron Hasbajrami, an Albanian citizen and Brooklyn resident, traded e-mails with a Pakistan-based terror suspect back in 2011.
The terror suspect claimed to be involved in attacks against the US military in Afghanistan.
After he was apprehended, Hasbajrami pleaded guilty in 2013 to attempting to provide material support to terrorists. After he pleaded guilty, the government informed Hasbajrami that, like with Mohamud, it had used Section 702 surveillance against him, and the case was re-opened. Many cases that have tried to fight surveillance have fallen down for lack of standing. Hasbajrami’s case is different, however, because he can definitively prove that he was spied upon by the government. As his case neared trial in mid-2015, Hasbajrami pleaded guilty a second time.
But shortly thereafter, he moved to withdraw the plea again, which the judge rejected.
So the case progressed to the 2nd US Circuit Court of Appeals. Earlier this year, when we expected to see Hasbajrami’s first appellate filing, his new lawyers filed an application with the judge.
They asked that the case be held “in abeyance,” which essentially puts a kind of stay on the appeals process.
The 2nd Circuit agreed. The reason? Because US District Judge John Gleeson, then the judge at the lower-court level, issued a classified opinion “which directly relates to and impacts the issues to be raised on appeal.” United States v. Hasbajrami was delayed when Judge Gleeson stepped down from the bench in late February. While Judge Gleeson’s opinion was released (in a redacted form) to the defense attorneys, by September, defense attorneys argued again in filings to the new judge that they possess adequate security clearance and should be given access to this material, unredacted. As they wrote: In that context, the government repeatedly fails—in its argument as well as the authority it cites—to distinguish public release of the redacted portions from providing security-cleared defense counsel access to that material. Here, all Mr. Hasbajrami seeks is the latter.
Thus, the dangers of dissemination beyond to those already authorized to review classified information simply do not exist, and the government’s contentions with respect to national security serve as a red herring. The most recent entry in either the appellate or district court docket is an October 31 filing.
In it, defense attorneys inform the 2nd Circuit that they are still waiting for Chief US District Judge Dora Irizarry to rule on receiving the unredacted version. One of Hasbajrami’s attorneys is Joshua Dratel.
Dratel is famous for having defended (and still defending) Ross Ulbricht, the convicted mastermind behind the Silk Road drug marketplace website.
The Free Encyclopedia
Case: Wikimedia v. NSA
Status: Appeal pending in 4th US Circuit Court of Appeals
Of course, Section 702 is just one of many ways the government is conducting surveillance beyond its intended target. Wikimedia v. NSA is one of several cases that have tried to target the “upstream” setup that allows the NSA to grab data directly off fiber optic cables. Wikimedia, which publishes Wikipedia, filed its case originally in March 2015.
In it, the company argues that the government is engaged in illegal and unconstitutional searches and seizures of these groups’ communications. But, in October 2015, US District Judge T.S. Ellis III dismissed the case. He found that Wikimedia and the other plaintiffs had no standing and could not prove that they had been surveilled.
That action largely echoed a 2013 Supreme Court decision, Clapper v. Amnesty International. The plaintiffs filed their appeal to the 4th US Circuit Court of Appeals immediately.
In their February 2016 opening brief, which was written by top attorneys from the American Civil Liberties Union, they argue essentially that Wikipedia traffic had to have been captured in the National Security Agency’s snare because it’s one of the most-trafficked sites on the Internet. They wrote: In other words, even if the NSA were conducting Upstream surveillance on only a single circuit, it would be copying and reviewing the Wikimedia communications that traverse that circuit.
But the government has acknowledged monitoring multiple internet circuits—making it only more certain that Wikimedia’s communications are being copied and reviewed. Moreover, the NSA’s own documents indicate that it is copying and reviewing Wikimedia’s communications.
Taken together, these detailed factual allegations leave no doubt as to the plausibility of Wikimedia’s standing. The government, for its part, countered by saying that the 4th Circuit should uphold the district court’s ruling. Why? Because, as it argued in April 2016, Wikimedia’s argument is largely speculative. ... the facts do not support plaintiffs’ assumption that Wikimedia’s communications must traverse every fiber of every sub-cable such that, if the NSA is monitoring only one fiber or even one sub-cable, it still must be intercepting, copying, and reviewing Wikimedia’s communications. Beyond that, the government continued, even if Wikimedia’s communications were intercepted, the plaintiffs have not demonstrated how they have actually been injured, because a large portion of the NSA’s interception is done by machine. The government continued: Indeed, plaintiffs’ complaint generally fails to state a cognizable injury because, whatever the nature of the particular communications at issue, plaintiffs have made no allegation that interception, copying, and filtering for selectors involve any human review of the content of those communications. The two sides squared off at the 4th Circuit in Baltimore on December 8, 2016 for oral arguments.
A decision is expected within the next few months.
Fast food, fast crimes
Case: United States v. Graham
Status: Decided en banc at 4th US Circuit Court of Appeals, cert petition filed to Supreme Court
This case was a big hope for many civil libertarians and privacy activists.
An appeals court had initially rejected the thorny third-party doctrine and found that, because the two suspects voluntarily disclosed their own location to their mobile carrier via their phones, they did not have a reasonable expectation of privacy. But in May 2016, the 4th US Circuit Court of Appeals, in an en banc ruling, found in favor of the government.
The court concluded that police did not, in fact, need a warrant to obtain more than 200 days' worth of cell-site location information (CSLI) for two criminal suspects. As the court ruled: The Supreme Court may in the future limit, or even eliminate, the third-party doctrine.
Congress may act to require a warrant for CSLI.
But without a change in controlling law, we cannot conclude that the Government violated the Fourth Amendment in this case. This case dates back to February 5, 2011 when two men robbed a Burger King and a McDonald’s in Baltimore.
Ten minutes later, they were caught and cuffed by Baltimore City Police officers.
Eventually, Aaron Graham and Eric Jordan were charged with 17 federal counts of interstate robbery, including a pair of fast food robberies and another one at a 7-Eleven.
They also received charges for brandishing a firearm in furtherance of the crime. A Baltimore City Police detective first sought and obtained a search warrant for the two cell phones recovered during a search of the getaway car. Prosecutors later obtained a court order (a lesser standard than a warrant) granting disclosure of the defendants’ CSLI data for various periods totaling 14 days when the suspects were believed to have been involved in robberies.
The government next applied for (and received) a second application to another magistrate judge for a new set of CSLI data, covering a period of July 1, 2010 through February 6, 2011 (221 days). In August 2012, Graham and Jordan were found guilty on nearly all counts.
They were sentenced to 147 years in prison and 72 years, respectively. Meghan Skelton, Graham’s public defender, has filed an appeal with the Supreme Court, which has not yet decided whether it will hear the case.
Who is the Dread Pirate Roberts?
Cases: United States v. Ulbricht and United States v. Bridges
Status: Appeals pending in 2nd US Circuit Court of Appeals, 9th US Circuit Court of Appeals, respectively
While Section 702 surveillance and cell-site location information are important, there was one defendant who was defeated largely by snatching his laptop out of his hands: Ross Ulbricht.
The young Texan was convicted as being Dread Pirate Roberts, the creator of the notorious online drug market Silk Road. Later on in 2015, Ulbricht was given a double life sentence, despite emotional pleas from himself, his family, and friends for far less. 2016 kicked off with Ross Ulbricht’s formal appeal to the 2nd Circuit.
Ars described it as a “170-page whopper that revisits several of the evidentiary arguments that Ulbricht's lawyer made at trial.” These included theories that Ulbricht wasn’t Dread Pirate Roberts, and it attributed digital evidence found on Ulbricht’s computer to “vulnerabilities inherent to the Internet and digital data,” like hacking and fabrication of files.
According to the appeal, these “vulnerabilities” made “much of the evidence against Ulbricht inauthentic, unattributable to him, and/or ultimately unreliable.” Plus, corrupt federal agents Shaun Bridges and Carl Mark Force tarnished the case against Ulbricht, claimed his lawyer.
That lawyer is Joshua Dratel, who makes his second appearance on this list. The government responded with its own 186-page whopper on June 17, 2016.
After a lengthy recap of the entire case, United States Attorney Preet Bharara opened his arguments with a notable flaw in Ulbricht’s logic: But nowhere, either below or here, has Ulbricht explained, other than in the most conclusory way, how the corruption of two agents—who neither testified at his trial nor generated the evidence against him—tended to disprove that he was running Silk Road from his laptop. In short, the government argues, Ulbricht was caught red-handed, and the appeals court should uphold both the conviction and the sentence. The following month, federal prosecutors in San Francisco unsealed new court documents that make a strong case that former agent Bridges stole another $600,000 in bitcoins after he pleaded guilty. By August 2016, Bridges’ lawyer Davina Pujari filed what she herself said was a “legally frivolous” appeal to the 9th Circuit on behalf of her client, and she asked to be removed from the case.
Bridges’ case remains pending at the appellate level, and no oral arguments have been scheduled. (Pujari is still Bridges’ lawyer for now.) Bridges remains a prisoner at the Terre Haute Federal Correctional Institute in Indiana, where he is scheduled for release in 2021. Later in August, Ars chronicled the saga of how a San Francisco-based federal prosecutor joined forces with a dogged Internal Revenue Service special agent to bring Bridges and Force to justice. Meanwhile, Ulbricht’s lawyers, led by Joshua Dratel, faced off at the 2nd Circuit against federal prosecutors on October 6, 2016 to challenge Ulbricht’s conviction and sentence.
The court is expected to rule within the next few months.
So much for clarity of vision. A rival commission, set up by House Homeland Security Committee Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA), frames encryption in similar terms.
As that commission's report, updated in September, noted, "Encryption plays a vital role in modern society, and increasingly widespread use of encryption in digital communications and data management has become a 'fact of life'." The European Union Agency for Network and Information Security (ENISA) recently adopted a similar stance, declaring, "The use of backdoors in cryptography is not a solution, as existing legitimate users are put at risk by the very existence of backdoors."
The EWG offers four main findings:
Any measure that weakens encryption works against the national interest.
Encryption technology is a global technology that is widely and increasingly available around the world.
The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the 'going dark' phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge.
Congress should foster cooperation between the law enforcement community and technology companies.
While these observations may mute calls for backdoors, they don't really offer any way to resolve the seemingly incompatible goals of security and access. If a device is properly encrypted with an accepted algorithm, there are only a few ways to gain access to the data.
These include:
A legal regime that can compel people to reveal passwords (third-party companies can already be compelled to reveal what they know).
Technical methods or flaws that facilitate decryption.
A key storage regime like iCloud that provides convenience in exchange for security.
So when the EWG refers to cooperation between law enforcement and technology companies, that partnership, if mutual distrust can be overcome, might take the form of vulnerability sharing and encouraging people to entrust encryption keys to third-party providers. The EWG report also advises further exploration of the utility and limits of metadata as a way around encryption, the viability of "legal hacking," the constitutional implications of compelled disclosure of passwords, and the proper role of government in data privacy. Further discussion of these topics, while potentially useful, will need to be calibrated to the incoming administration. President-elect Trump has suggested he will take a less nuanced approach to encryption policy, having declared that Apple should have unlocked the iPhone in question.
The Electronic Frontier Foundation aims to protect Web traffic by encrypting the entire Internet using HTTPS.
Chrome now puts a little warning marker in the Address Bar next to any non-secure HTTP address.
Encryption is important, and not only for Web surfing.
If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won't be able to parlay their possession into identity theft, bank account takeover, or worse.
To help you select an encryption product that's right for your computer, we've rounded up a collection of current products.
As we review more products in this area, we'll keep the list up to date.
No Back Doors
When the FBI needed information from the San Bernardino shooter's iPhone, they asked Apple for a back door to get past the encryption.
But no such back door existed, and Apple refused to create one.
The FBI had to hire hackers to get into the phone.
Why wouldn't Apple help? Because the moment a back door or similar hack exists, it becomes a target, a prize for the bad guys.
It will leak sooner or later.
In a talk at Black Hat this past summer, Apple's Ivan Krstic revealed that the company has done something similar in their cryptographic servers. Once the fleet of servers is up and running, they physically destroy the keys that would permit modification.
Apple can't update them, but the bad guys can't get in either.
All of the products in this roundup explicitly state that they have no back door, and that's as it should be.
It does mean that if you encrypt an essential document and then forget the encryption password, you've lost it for good.
Two Main Approaches
Back in the day, if you wanted to keep a document secret you could use a cipher to encrypt it and then burn the original. Or you could lock it up in a safe.
The two main approaches in encryption utilities parallel these options.
One type of product simply processes files and folders, turning them into impenetrable encrypted versions of themselves.
The other creates a virtual disk drive that, when open, acts like any other drive on your system. When you lock the virtual drive, all of the files you put into it are completely inaccessible.
Similar to the virtual drive solution, some products store your encrypted data in the cloud.
This approach requires extreme care, obviously.
Encrypted data in the cloud has a much bigger attack surface than encrypted data on your own PC.
Which is better? It really depends on how you plan to use encryption.
If you're not sure, take advantage of the 30-day free trial offered by each of these products to get a feel for the different options.
Secure Those Originals
After you copy a file into secure storage, or create an encrypted version of it, you absolutely need to wipe the unencrypted original. Just deleting it isn't sufficient, even if you bypass the Recycle Bin, because the data still exists on disk, and data recovery utilities can often get it back.
Some encryption products avoid this problem by encrypting the file in place, literally overwriting it on disk with an encrypted version.
It's more common, though, to offer secure deletion as an option.
If you choose a product that lacks this feature, you should find a free secure deletion tool to use along with it.
Overwriting data before deletion is sufficient to balk software-based recovery tools. Hardware-based forensic recovery works because the magnetic recording of data on a hard drive isn't actually digital.
It's more of a waveform.
In simple terms, the process involves nulling out the known data and reading around the edges of what's left.
If you really think someone (the feds?) might use this technique to recover your incriminating files, you can set your secure deletion tool to make more passes, overwriting the data beyond what even these techniques can recover.
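The overwrite-then-delete step described above, as an added Python sketch (not code from the article or from any product in the roundup). The function names, chunk size and sample record are assumptions made for the illustration. Overwriting in place only reaches the original blocks on storage that rewrites data where it already sits, so SSD wear leveling, copy-on-write or journaling file systems, snapshots and cloud sync can all keep older copies.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files are never held in memory

# Constructed sample record used by demo(); not real data.
SAMPLE_RECORD = b"ACCOUNT 0000-CONSTRUCTED-SAMPLE\n"


def overwrite_in_place(path, passes=1):
    """Overwrite the file's existing bytes with random data, `passes` times.

    The file is opened "r+b" so the same file is rewritten rather than
    truncated and recreated (which could allocate fresh blocks and leave
    the old ones untouched). Returns the number of bytes written per pass.
    """
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # ask the OS to push this pass to the device
    return size


def secure_delete(path, passes=1):
    """Overwrite the contents, rename to a random name, then unlink."""
    overwrite_in_place(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)  # the original file name no longer appears
    os.remove(anonymous)


def demo():
    """Write a constructed plaintext file, overwrite it, then delete it.

    Returns (bytes_written, size_after, plaintext_survived, still_exists).
    """
    plaintext = SAMPLE_RECORD * 4096  # 128 KiB of recognisable plaintext
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(plaintext)

    written = overwrite_in_place(path, passes=3)
    with open(path, "rb") as fh:
        after = fh.read()
    survived = SAMPLE_RECORD in after  # what a software recovery tool would find

    secure_delete(path)
    return written, len(after), survived, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```
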
An encryption algorithm is like a black box.
Dump a document, image, or other file into it, and you get back what seems like gibberish. Run that gibberish back through the box, with the same password, and you get back the original.
The U.S. government has settled on Advanced Encryption Standard (AES) as a standard, and all of the products gathered here support AES.
Even those that support other algorithms tend to recommend using AES.
If you're an encryption expert, you may prefer another algorithm, Blowfish, perhaps, or the Soviet government's GOST.
For the average user, however, AES is just fine.
Public Key Cryptography and Sharing
Passwords are important, and you have to keep them secret, right? Well, not when you use Public Key Infrastructure (PKI) cryptography.
With PKI, you get two keys. One is public; you can share it with anyone, register it in a key exchange, tattoo it on your forehead—whatever you like.
The other is private, and should be closely guarded.
If I want to send you a secret document, I simply encrypt it with your public key. When you receive it, your private key decrypts it.
Using this system in reverse, you can create a digital signature that proves your document came from you and hasn't been modified. How? Just encrypt it with your private key.
The fact that your public key decrypts it is all the proof you need. PKI support is less common than support for traditional symmetric algorithms.
If you want to share a file with someone and your encryption tool doesn't support PKI, there are other options for sharing. Many products allow creation of a self-decrypting executable file. You may also find that the recipient can use a free, decryption-only tool.
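The two key-pair operations described above, as an added Python illustration (not code from the article or from any reviewed product). It uses textbook RSA with a constructed toy key built from two well-known Mersenne primes, and it signs a SHA-256 hash of the document, which is how "encrypting with the private key" is done in practice. Real tools use randomly generated keys and padding schemes from a vetted library, and all function names here are assumptions.

```python
import hashlib

# Constructed toy key pair. P and Q are the Mersenne primes 2^521-1 and 2^127-1;
# they are public knowledge, so this key protects nothing and is for study only.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q                            # public modulus (shared with everyone)
E = 65537                            # public exponent (shared with everyone)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (kept by the owner)


def encrypt_for_owner(message: bytes) -> int:
    """Anyone can do this: it needs only the public values E and N."""
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("message too long for this toy key")
    return pow(m, E, N)


def decrypt_as_owner(ciphertext: int) -> bytes:
    """Only the key owner can do this: it needs the private exponent D."""
    m = pow(ciphertext, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(document: bytes) -> int:
    """SHA-256 of the document as an integer (256 bits, always below N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Apply the private key to the document's hash."""
    return pow(_digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Undo the signature with the public key and compare with a fresh hash."""
    return pow(signature, E, N) == _digest(document)


def demo():
    """Run both directions on constructed sample data."""
    secret = b"meet at noon (constructed sample)"
    ciphertext = encrypt_for_owner(secret)
    contract = b"I agree to the terms. (constructed sample)"
    sig = sign(contract)
    return {
        "roundtrip_ok": decrypt_as_owner(ciphertext) == secret,
        "signature_ok": verify(contract, sig),
        "tampered_document_ok": verify(contract + b" PS: plus $1m", sig),
        "tampered_signature_ok": verify(contract, sig ^ 1),
    }


if __name__ == "__main__":
    print(demo())
```
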
What's the Best?
Right now there are three Editors' Choice products in the consumer-accessible encryption field.
The first is the easiest to use of the bunch, the next is the most secure, and the third is the most comprehensive.
AxCrypt Premium has a sleek, modern look, and when it's active you'll hardly notice it.
Files in its Secured Folders get encrypted automatically when you sign out, and it's one of the few that support public key cryptography.
CertainSafe Digital Safety Deposit Box goes through a multistage security handshake that authenticates you to the site and authenticates the site to you. Your files are encrypted, split into chunks, and tokenized.
Then each chunk gets stored on a different server.
A hacker who breached one server would get nothing useful.
Folder Lock can either encrypt files or simply lock them so nobody can access them.
It also offers encrypted lockers for secure storage.
Among its many other features are file shredding, free space shredding, secure online backup, and self-decrypting files.
The other products here have their merits, too, of course. Read the capsules below and then click through to the full reviews to decide which one you'll use to protect your files. Have an opinion on one of the apps reviewed here, or a favorite tool we didn't mention? Let us know in the comments.
That makes them safer in theory than professional camera equipment in conflict zones and in confrontations with authorities. Against a well-funded, resourceful, or determined adversary, however, technical protection doesn't guarantee that encrypted data will remain secure. After attempting to pressure Apple into creating a special version of iOS that would allow it to gain access to an iPhone used by one of the San Bernardino shooters in 2015, the FBI ultimately gained access to the device with the help of a third party, through what's believed to be a software vulnerability. What's more, US Border authorities have broad latitude to search electronic devices, and many countries have laws that can be used to compel individuals to disclose encryption keys.
So the availability of encryption doesn't mean it will be effective at shielding data from scrutiny. At a recent Hacks/Hackers event in San Francisco titled "Information Security for Journalists," Data Guild cofounder David Gutelius said that, with the possible exception of Signal, he wouldn't recommend any digital communication technology for journalists with serious security concerns involving nation-level adversaries.
Even Tor, a generally well-regarded network anonymity tool, can be compromised, he said. In an email to The Register, Trevor Timm, executive director of the Freedom of the Press Foundation, acknowledged that laws limiting encryption and border searches could diminish its effectiveness but emphasized that it should be an option. "Journalists – or anyone who uses a camera with encryption enabled – would always have the option to unlock it if they chose to, but right now they don't even have that choice, and that's the problem," said Timm. Jonathan Zdziarski, an iOS forensic researcher, in a series of Twitter posts on Wednesday voiced support for better encryption and stronger privacy protection but expressed doubt that camera makers, as they lose sales to smartphone makers, see the addition of encryption as a way to revive sales. "Until every journalist learns to encrypt their hard drive and use Signal, I'm not sure an encrypted camera will do them any good," said Zdziarski. And even then, it may not withstand the threat of rubber-hose cryptanalysis or a $5 wrench.
The president-elect and tech companies also appear to have differing views on issues such as immigration, outsourcing abroad, clean energy, net neutrality, encryption, surveillance and on restoring lost manufacturing jobs in the U.S. Trump, for example, was critical of Apple’s refusal to help the Department of Justice access information on the iPhone used by a San Bernardino, California, terrorist in an attack last December. “Boycott all Apple products until such time as Apple gives cellphone info to authorities regarding radical Islamic terrorist couple from Cal,” Trump tweeted in February.
Apple had said that helping the FBI crack the phone would require it to develop a new version of the iOS operating system and weaken its security in the bargain. During the campaign, Trump also said he would get Apple to make its computers in the U.S. instead of in other countries, as part of his agenda to bring jobs back stateside.
Apple claims on its website that its “products and innovations have led to almost 2 million U.S. jobs—from our engineers and retail employees to suppliers, manufacturers, and app developers.” Trump also picked on IBM in November, saying that it “laid off 500 workers in Minneapolis and moved their jobs to India and various other countries.” IBM said the statement was incorrect. Trump has meanwhile appointed two opponents of current net neutrality rules to his team charged with overseeing the transition in the Federal Communications Commission, leading to concerns that his administration may try to reverse rules passed last year to prevent providers from selectively blocking or throttling or offering paid prioritization of web traffic. The meeting on Wednesday could hence provide an opportunity for a rapprochement between the Trump transition team and key U.S. tech executives, though the president-elect may also use the opportunity to push his pet demands.
Trump may try to get pledges from companies like Apple and others to make products locally and keep manufacturing jobs in the country, in deals similar to one he struck recently with Carrier. He may also try to get commitments from companies to do IT and product design work locally rather than in locations like India. Oracle confirmed that its CEO Safra Catz would be attending the meeting.
Facebook, Apple, Microsoft and Google did not immediately comment over the weekend.
The Tor Browser is partially built on open source Firefox code, but also includes proxy code that encrypts and anonymizes users’ sessions as they move about the Internet. A Mozilla spokesperson issued a brief statement to Threatpost stating: “We have been made aware of the issue and are working on a fix. We will have more to say once the fix has been shipped.” Technical details pertaining to the zero-day are scant and limited to a post to the Tor mailing list site with the short description: “It consists of one HTML and one CSS file, both pasted below and also de-obscured.
The exact functionality is unknown but it’s getting access to ‘VirtualAlloc’ in ‘kernel32.dll’ and goes from there. Please fix ASAP.” Security professionals that have conducted preliminary analysis of the zero-day note that the payload delivered by the vulnerability has an uncanny similarity to a 2013 zero-day used by the FBI. Similar to the 2013 FBI exploit, the Mozilla Firefox zero-day discovered Tuesday takes advantage of a memory corruption vulnerability allowing malicious code execution on Windows computers.
Impacted are versions of Firefox 41 through 50, according to the Tor-Talk post. A security researcher by the Twitter handle @TheWack0lian posted a comparison of 2013 shellcode used by the FBI to the 2016 shellcode and commented on Twitter “The shellcode used is almost exactly the same of the 2013 one.”
The shellcode used is almost exactly the shellcode of the 2013 one https://t.co/6vuIzqp0rj …except it builds sockaddr_in on the stack. https://t.co/pWsUe4uHiZ — slipstream/RoL (@TheWack0lian) November 29, 2016
Dan Guido, security researcher and CEO of Trail of Bits, chimed in on Twitter Wednesday saying that “the vulnerability is also present on macOS, but the exploit does not include support for targeting any operating system but Windows.”
The vulnerability is present on macOS, but the exploit does not include support for targeting any operating system but Windows. — Dan Guido (@dguido) November 30, 2016
The TorBrowser vulnerability revelation Tuesday dredges up issues surrounding the government’s stockpiling and use of zero day exploits.
In April, FBI Director James Comey revealed the agency paid an undisclosed third party over $1 million for a hacking tool that opened the iPhone 5c of the San Bernardino terrorist Syed Farook.
In May, Mozilla filed a motion with the U.S. District Court in Tacoma, Wa., asking the government to disclose a vulnerability it exploited in the Tor Browser and Firefox in the 2013 case. The FBI did not return inquiries for comment for this story.
The Tor malware calling home to a French IP address is puzzling though. I'd be surprised to see a US federal judge authorize that. https://t.co/FiOPwRj0C7 — Christopher Soghoian (@csoghoian) November 29, 2016
Chris Soghoian, principal technologist with the American Civil Liberties Union, noted in a tweet that the zero-day malware discovered in Tor on Wednesday is calling home to a French IP address, adding “I’d be surprised to see a US federal judge authorize that.” This story will be updated as more information becomes available.